Security Analysis of Mobile Banking Services in Pakistan
Aqeel Feroze, Asma Basharat
7/31/2019 Security analysis of mobile banking in Pakistan
1/5
Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03
ATFECM-50128036Asian-Transactions 13
Abstract
Owing to the huge success of mobile telecom in the world, and especially in Pakistan, new business avenues such as branchless banking and mobile money transfers are offering many opportunities. This paper introduces the latest methods used for transferring money in Pakistan, along with a security analysis of the two major branchless banking services, both of which use the SMS messaging system of GSM as the basic instrument for carrying out their transactions. A comparison of the currently available mobile banking and money transfer services is also presented in tabular form.
I. INTRODUCTION
The world population is estimated at 6.6 billion people, and there are 4.6 billion mobile phones, 1.8 billion bank accounts and 1.6 billion credit cards [1]. These figures show that a vast majority is not using the services of financial institutions. Poor people live in a cash world and cannot avail themselves of banking services because of their low earnings, illiteracy, restricted access to banks in rural areas, high bank charges, etc. All these factors have made the life of the poor hard, and in this situation keeping cash becomes hazardous.
The ubiquity and deep penetration of mobile phones in Pakistan has opened up new avenues for providing services to the unbanked by offering mobile banking services. The use of mobile technology can guarantee timely, easily accessible and secure financial services at lower cost. About 12 million Pakistanis are working abroad, and around 17% of the population in Pakistan has bank accounts, but there are almost 100 million mobile subscribers out of a total population of 170 million, which clearly signifies the potential for mobile banking services in Pakistan.
1 Manuscript date June 11, 2011
Aqeel Feroze, born in Lahore on 22-08-1977, completed an M.Sc. in Computer Science from Punjab University, is currently doing an MS at Government College University, Lahore, and is a lecturer at Virtual University of Pakistan, 54-Lawrence Road, Lahore (phone: 0321-4409022; e-mail: [email protected]).
2 Asma Basharat, born in Lahore, holds an MS in Information Security (NUST). She has worked on security analysis and optimization of Interleave Division Multiple Access for the transmission of multimedia and is currently working on deception techniques of honeypots and honeynets. She is a Lecturer at the Department of Computer Science, Government College University, Lahore, Pakistan (e-mail: [email protected]).
Currently in Pakistan, four services are available for mobile banking and money transfers. Recently, Habib Bank Limited and Ufone jointly started a mobile phone based banking service that lets Ufone customers hold bank accounts in HBL which can be operated through mobile phones with Ufone connections. Mobilink, in collaboration with Pakistan Post, has launched the Mobile Money Order (MMO) facility across Pakistan at 73 outlets in 37 cities, providing instantaneous sending and receiving of money orders. Western Union (WU) has also become a partner in this service to expand the money transfer service globally. Mobilink also launched Mobilink Ginie in December 2007 as a mobile commerce solution. The basic services include utility bill payment and mobile bill payment or recharge from the mobile phone, with payment made through a credit/debit card.
Orion is a mobile wallet service initiated by United Bank Limited to facilitate mobile commerce for its customers, offering services such as the purchase of prepaid cards, payment of utility and mobile bills, buying gifts and flowers, and sharing money through SMS on any network. Orion is the pioneer in mobile commerce solutions and is smart, easy and convenient to use anytime, anywhere, on any GSM network.
Telenor Pakistan, through Tameer Micro Finance Bank, introduced a money transfer service for the lower segment of the economy. The EasyPaisa service is a most convenient and easy way to transfer money across Pakistan and includes an international remittance facility from more than 80 countries in collaboration with Xpress Money [2]. The service was launched in October 2009 with 2,500 outlets, but they have now expanded to 12,000 mobile banking outlets. According to SBP statistics for June 2010, the total number of bank branches in Pakistan is 9,096 [3]; thus EP outlets have surpassed the total number of bank branches in Pakistan and are now nearly surpassing the number of post offices in Pakistan (there are 13,000 post offices in total). EP added 1,000 outlets in urban and rural areas during the last quarter of FY2010-2011 [4].
II. MOBILE BANKING MODELS
The mobile banking model is designed to facilitate users with fast and reliable mobile banking and money transfer services by hiding all the underlying details. Easypaisa uses the one-to-one (1-1) business model, in which one financial institution, usually a bank, in collaboration with a mobile telecom company and under the regulations and supervision of the State Bank of Pakistan, provides mobile banking services to its subscribers as well as the general public [5]. A simple block diagram of the mobile banking service is shown below:
Figure 1: Showing mobile banking model
The second model is one to many (1- ), as in the case of U-Payments, which uses two financial institutions, Habib Bank Limited (HBL) and Summit Bank.
The third and last implemented model is many to one ( - 1), in which many telecom companies offer the services of one financial institution. Examples are UBL Omni and MCB mobile banking, which use all five telecom companies currently operating in Pakistan.
A. List of services offered by mobile banking services
The list of services offered in Pakistan by the two major mobile banking services (Easypaisa and UBL) is as under [2]:
i. Opening and maintaining branchless accounts
ii. Money transfer using CNIC (person to person transfer)
iii. Money transfer using accounts (account to account transfer)
iv. Utility bill payments
v. Cash deposit and withdrawal
vi. Merchant payments (purchases etc.)
vii. International remittances
The detailed comparison of the mobile banking
services currently available in Pakistan is given in
Table 1.
Table 1: Comparison of services offered by mobile banking services.

Particulars | EasyPaisa | UBL Omni | MCB Mobile Banking | UPayments
Models used | One to One (1-1); Person to Person (P2P) & Business to Consumer (B2C) | Many to One ( - 1); Person to Person (P2P) & Government to Persons (G2P) | Many to One ( - 1); Person to Person (P2P) | One to Many (1- ); Person to Person (P2P)
Telco | Telenor | Zong, Ufone, Warid, Mobilink, Zong | Zong, Ufone, Warid, Mobilink, Zong | Ufone
Financial institute | Tameer Micro Finance Bank | United Bank Limited (UBL) | MCB | Habib Bank Limited & Summit Bank
Retail Network | EasyPaisa Shops (Franchised) | Omni Dukaans (Franchised) | No | No
Service used | SMS/USSD | SMS/WAP | GPRS | USSD
Presence | 660+ cities/towns, 12000+ EP outlets | 580+ cities/towns | MCB branches only | HBL or Summit bank branches only
Launched in | October 2009 | April 2010 | June 2009 | December 2010
SERVICES OFFERED
Balance Enquiry | Yes | Yes | Yes | Yes
Mini Statement | No | No | Yes | Yes
Cash Handling | Yes | Yes | No | No
Money Transfer (Domestic) | Yes | Yes | Only in MCB accounts | In respective bank accounts only
Remittances | Yes | No | No | No
Mobile Top up | Yes | Yes | Yes | Yes
Utility Bills Payment | Yes | Yes | Yes | Yes
M-commerce Support | Yes | Yes | No | No
Branchless Banking Support | Yes | Yes | No | No
Walking Customer Support | Yes, through EP Shops | Yes, through Omni Dukaans | No | No
Other Business Models | B2C: Easy Pay (a payroll solution for the corporate sector) | G2P: Benazir Income Support Program Disbursements (BISPs) & Watan Cards | No | No

[Figure 1 block labels recovered from the extracted page: SBP Regulations; Financial Institution (Bank); Mobile Banking Services; Mobile Telecom Company]
B. Minimum Legal Requirements
The minimum security requirements of the State Bank of Pakistan have been reproduced in the following table:
Table 2: Minimum security requirements by SBP in Branchless Banking Regulations [5].

Account Level | 1 | 2 | 3
Applicable channels using cellular mobile communication system | USSD, SMS | SAT, WAP | SAT, WAP
Authentication of client and service end | Two-factor authentication: PIN (user knowledge) and MSISDN (all levels)
Message encryption requirements at application level | Not required / not applicable | Application level, 128 bit, using known symmetric algorithms or asymmetric like PKI (Public Key Infrastructure) (levels 2 and 3)
Accountability/Non-repudiation | All financial and non-financial transaction logs must be securely stored by the FI (all levels)
III. SECURITY ANALYSIS
A. Strengths
The following are the strengths of mobile banking services in Pakistan:
1) Non-Repudiation and Subscriber Accountability: For evidence purposes during auditing and forensic investigations, all subscriber financial transactions are logged. The logging also ensures non-repudiation, which means that a subscriber may not deny a transaction which he/she has performed using an EP account on his/her mobile phone [5].
2) Centralized Control of Accounts/Transactions: All transactions are processed through one main database of the financial institution, and an SMS is sent to both parties. This provides ease of administration of the database server and the related backups [2].
3) ISO 27001:2005 certification: Only the EasyPaisa mobile banking service is ISO 27001:2005 certified for its Information Security Management System (ISMS). This certification is accredited by the United Kingdom Accreditation Service (UKAS), and compliance is audited by Moody International Certification Body, which evaluates the services against all international requirements [6].
B. Weaknesses
The SMS service within the GSM system was designed for non-sensitive messaging among subscribers, ignoring mutual authentication, data confidentiality, end-to-end security and non-repudiation. The following weaknesses, inherited from the security vulnerabilities of the GSM network, have been observed while reviewing the mobile banking services in Pakistan.
1) SMS Spoofing: The originator/sender address in an SMS message is forged by an adversary so that the message appears to come from a legitimate sender [7]. A masquerading attack can be performed by an adversary by changing the originator address field in the SMS header to some other alphanumeric string. Spoofing has an impact on the following:
i.) Confidentiality & Authentication: Authentication can be compromised by SMS spoofing. Sending SMS using someone else's number, without permission, in place of the original address of the sender is called SMS spoofing. For example, an attacker can send SMS using the EasyPaisa SMS format and represent himself as sending from 3737, the EasyPaisa SMS server address [8]. It is a severe threat, and the chance of fraud exists.
ii.) Forgeability & Integrity: The SMS body text can be changed using spoofed SMS.
2) Message Encryption: Plaintext is the default data format used in SMS messages, and encryption is done only between the cell phone and the base transceiver station, which shows that end-to-end encryption is not available in the GSM system, giving an insider a chance, and there is also a chance for a hacker to attack inside the network. The encryption using the A5 algorithm is also vulnerable [7].
3) SMS Service Centre Attack: Copies of SMS messages stored on the SMS centre server are also vulnerable, as the messages are in plaintext and any person having access to the SMS centre can easily access sensitive information. Two employees were fired by a mobile phone operator for providing copies of SMS messages to a user's friend [9]. This shows that insecurity and breaches can occur through humans rather than through vulnerabilities of the system.
4) DoS Attack: An entire GSM cell can be disabled by a single attacker through a Denial of Service (DoS) attack. In this attack the CHANNEL REQUEST message is sent to the BSC repeatedly without completing the protocol, each time requesting another signalling channel; these channels are limited in number, thus resulting in denial of service. This is the most economical attack, as no charges are deducted for requesting a signalling channel, and it can be used in many practical situations like terrorist attacks [10].
5) SMS Integrity Protection: Although authentication and confidentiality are present in the GSM security architecture, no provision has been made for integrity protection of information [11]. Consequently, it cannot be verified that a certain SMS message was not tampered with.
6) Replay Attacks: A replay attack can be carried out by misusing the previously exchanged messages between the subscriber and the network [12].
7) Availability and Quality of Service (QoS) issues: Interruption of GSM network services owing to technological or other problems, and the non-accessibility of any mobile banking service, may affect the flow of financial transactions. Likewise, congestion in the network may become a bottleneck in providing Quality of Service to mobile banking users [5].
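As an added example (not code from the paper or from any operator it discusses), the following Python sketch shows one application-level envelope that addresses weaknesses 1, 5 and 6 above together with the two-factor requirement of Table 2: a PIN-derived HMAC tag makes a forged originator address useless on its own and exposes altered body text, and a per-subscriber sequence number rejects replayed messages. The envelope layout, the PBKDF2 key derivation, and the MSISDNs and PINs used are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed, hypothetical envelope for an SMS banking command (not any
# operator's real format):  EP|<msisdn>|<seq>|<command>|<amount>|<tag>
# The tag is a truncated HMAC-SHA256 under a key derived from the subscriber's
# PIN (user knowledge) and MSISDN; the PIN itself never travels over the air.
TAG_CHARS = 16        # 64-bit tag in hex keeps the envelope well under 160 chars
SMS_MAX = 160
PBKDF2_ROUNDS = 50_000

def derive_key(pin: str, msisdn: str) -> bytes:
    """Per-subscriber key: PBKDF2-SHA256 over the PIN, salted with the MSISDN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), msisdn.encode(), PBKDF2_ROUNDS)

def make_tag(key: bytes, body: str) -> str:
    return hmac.new(key, body.encode(), "sha256").hexdigest()[:TAG_CHARS]

def build_message(pin: str, msisdn: str, seq: int, command: str, amount: str) -> str:
    """Handset side: authenticate the body with the PIN-derived key."""
    body = f"EP|{msisdn}|{seq}|{command}|{amount}"
    msg = f"{body}|{make_tag(derive_key(pin, msisdn), body)}"
    if len(msg) > SMS_MAX:
        raise ValueError("envelope does not fit in one SMS")
    return msg

class Server:
    def __init__(self, subscribers: dict):
        # subscribers maps MSISDN -> PIN as registered with the FI (constructed data)
        self.keys = {m: derive_key(p, m) for m, p in subscribers.items()}
        self.last_seq = {m: 0 for m in subscribers}
        self.log = []   # audit trail kept for accountability/non-repudiation

    def verify(self, originator: str, msg: str) -> str:
        """Return a verdict string; only 'ok' means the command may be executed."""
        parts = msg.split("|")
        if len(parts) != 6 or parts[0] != "EP" or not parts[2].isdigit():
            return self._log(originator, msg, "malformed")
        _, msisdn, seq, _command, _amount, tag = parts
        key = self.keys.get(msisdn)
        if key is None:
            return self._log(originator, msg, "unknown subscriber")
        # The originator address is never trusted (weakness 1): the tag is
        # recomputed over the body, so a spoofed or altered message fails here.
        if not hmac.compare_digest(make_tag(key, "|".join(parts[:5])), tag):
            return self._log(originator, msg, "bad tag (spoofed or altered)")
        # A strictly increasing sequence number defeats replay (weakness 6).
        if int(seq) <= self.last_seq[msisdn]:
            return self._log(originator, msg, "replay")
        self.last_seq[msisdn] = int(seq)
        return self._log(originator, msg, "ok")

    def _log(self, originator: str, msg: str, verdict: str) -> str:
        self.log.append((originator, msg, verdict))
        return verdict
```

Confidentiality (weakness 2) is not covered by this sketch; the 128-bit application-level encryption Table 2 requires for levels 2 and 3 would wrap the same envelope.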
IV. FUTURE PROSPECTS
According to the State Bank of Pakistan Payment Systems Quarterly Review (October-December 2010) [14], published on February 12, 2011, the total numbers of registered users in Pakistan are:
Call Center banking: 4,923,491
Mobile banking: 817,507
Internet banking: 752,275
These results show that the number of mobile banking users has surpassed the number of internet banking users; thus the future of mobile banking in Pakistan is glorious.
Mobile banking and money transfer services are gaining huge popularity among the lower and middle classes of Pakistan, as is evident from the fact that seventeen billion rupees have been transferred in ten million transactions using Telenor EasyPaisa from the start of the service until December 2010. These transactions include utility bill payments and international remittances as well as the money transfer facility [3].
The growth in the use of these services is compelling these companies to introduce G2P, C2B and B2C business models. Further studies can be carried out on the effectiveness and benefits of using these business models for mobile banking and money transfer services in Pakistan.
V. CONCLUSION & RECOMMENDATIONS
By launching mobile banking and money transfer services, the mobile telecom companies of Pakistan have connected the people of Pakistan with the most easily accessible and economical financial services, which are the need of the hour. The figures show that branchless banking is 26% cheaper than banks [15]. These kinds of services will grow in future despite their weaknesses, as they cater to the needs of the poor.
REFERENCES
[1] Teppo, Paavola. "Cash Goes Mobile." GSMA Mobile World Congress, 15-18 February 2010. Barcelona: GSMA, 2010.
[2] EasyPaisa. http://www.easypaisa.com.pk (accessed February 24, 2011).
[3] Dr. Azizullah Khattak. "Statistics on Scheduled Banks in Pakistan." State Bank of Pakistan, June 30, 2010. http://www.sbp.org.pk/publications/schedule_banks/June-2010/Title.pdf (accessed February 25, 2011).
[4] Daily Times, January 22, 2011. http://www.dailytimes.com.pk/default.asp?page=2011\01\22\story_22-1-2011_pg5_2 (accessed February 7, 2011).
[5] "Branchless Banking Regulations." State Bank of Pakistan, March 31, 2008. www.sbp.org.pk/bprd/2008/Annex_C2.pdf (accessed February 24, 2011).
[6] "Telenor Pakistan becomes first Telecom Operator in Pakistan to be ISO 27001:2005 certified for easypaisa Mobile Banking Services." March 03, 2010. http://www.telenor.com.pk/pressCenter/pressrelease.php?release=234&lang=en (accessed February 15, 2011).
[7] Lord, Steve. "Trouble at the Telco: When GSM Goes Bad." Network Security, no. 1 (2003): 10-12.
[8] Pankratov, Denis, and Dmitri Kramarenko. "SMS spoofing - Q&A with CCRC staff." August 19, 2004. http://www.crime-research.org/interviews/sms-spoofing-intro/ (accessed February 23, 2011).
[9] Jones, Nick. "Don't Use SMS for Confidential Communication." November 26, 2002. http://www.gartner.com/resources/111700/111720/111720.pdf (accessed February 23, 2011).
[10] Bocan, V., and V. Cretu. "Mitigating Denial of Service Threats in GSM Networks." 1st IEEE International Conference on Availability, Reliability and Security (ARES'06). IEEE, April 2006. 6.
[11] Chandra, Praphul. Bulletproof Wireless Security: GSM, UMTS, 802.11 and Ad hoc Security. Elsevier, 2005.
[12] Toorani, Mohsen, and Ali Asghar Beheshti Shirazi. "Solutions to the GSM Security Weaknesses." Next Generation Mobile Applications, Services and Technologies, 2008. NGMAST '08. The Second International Conference. Cardiff: IEEE, 2008. 576-581.
[13] "Payment Systems Quarterly Review (October-December, 2010)." State Bank of Pakistan, February 12, 2011. www.sbp.org.pk/psd/reports/2010/Status_Report_Q_2-12-11.pdf (accessed February 24, 2011).
[14] Rasmussen, Stephen F. "Mobile Banking in 2020." CGAP: Advancing financial access for the world's poor. http://www.cgap.org/p/site/c/home/, 2010.