Anda di halaman 1dari 5

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03

Security Analysis of Mobile Banking Services in Pakistan


Aqeel Feroze1, Asma Basharat2

AbstractOwing to huge success of mobile telecom in the world and especially in Pakistan, the new business avenues like branchless banking and mobile money transfers are offering lot of opportunities. This paper will introduce latest method used for transfer of money in Pakistan along with security analysis of two major branch less banking services as both of these services are using SMS massaging system of GSM as basic instrument to carry out their transactions. Comparison of currently available mobile banking and money transfer services is also presented in tabular form.

I. INTRODUCTION The world population is estimated 6.6 billion people and there are 4.6 billion mobile phones, 1.8 billion bank accounts and 1.6 billion credit cards [1]. These figures show that a vast majority is not using services of financial institution. Poor people exist in a cash world and they cannot avail banking services because of their low earnings, illiteracy, restricted access to banks in rural areas, high rate of bank charges etc. All these factors have made the life of the poor hard and in this situation, keeping the cash becomes hazardous. The ubiquity and deep penetration of mobile phone in Pakistan has opened up new venues for providing services to the unbanked by offering mobile banking services. The use of mobile technology can guarantee timely, easily accessible and secure financial services at lower costs. About 12 million Pakistanis are working abroad and around 17% of the population in Pakistan has bank accounts but there are almost 100 million mobile subscribers out of total population of 170 million, which clearly signify the potential for mobile banking services in Pakistan.
1

Manuscript date June 11, 2011 Aqeel Feroze, Born in Lahore on 22-08-1977. Completed M.Sc, Computer Science from Punjab University and current doing MS from Government College University, Lahore and is lecturer at Virtual University of Pakistan, 54-Lawrence Road, Lahore (phone: 0321-4409022; e-mail: aqeelferoze@vu.edu.com) 2 Asma Basharat, Born in Lahore. MS in Information Security (NUST). Have worked on security analysis and optimization of Interleave Division Multiple Access for the transmission of multimedia. Currently working on deception techniques of honeypots and honeynets.is Lecturer at Department of Computer Science, Government College University, Lahore, Pakistan (email: asma.basharat@gcu.edu.pk).

Currently in Pakistan, four services are available for mobile banking and money transfers. Recently, Habib Bank Limited and Ufone jointly started a mobile phone based banking services to Ufone customers to have their bank accounts in HBL which can be operated through mobile phones having Ufone connections. The Mobilink in collaboration with Pakistan Post has launched the facility of Mobile Money Order (MMO) across Pakistan on 73 outlets in 37 cities providing instantaneous sending and receiving of money orders. Western Union (WU) has also become a partner in this service to expand the money transfer services globally. Mobilink has also launched Mobilink Ginie in December 2007 as a mobile commerce solution. The basic services include utility bills payment, mobile bill payment or recharge from the mobile phone and the payment was to be made through credit/debit card. Orion is a mobile wallet service initiated by United Bank Limited to facilitate the mobile commerce for its customers offering the services like purchase of prepaid cards, payment of utility and mobile bills, buying gifts and flowers, and share money through SMS on any network. Orion is the pioneer in mobile commerce solutions and is smart, easy and convenient to use anytime anywhere on any GSM network. Telenor Pakistan through Tameer Micro Finance Bank introduced the service of money transfer for the lower segment of the economy. EasyPaisa service is a most convenient and easy way to transfer money across Pakistan and includes international remittance facility from more than 80 countries with collaboration with Xpress Money [2]. The service was launched in October 2009 with 2,500 outlets but now they have expanded their services to 12,000 mobile banking outlets. According to SPB statistics for June 2010, total number of bank branches in Pakistan is 9096[3] thus EP outlets have surpassed total number of bank branches in Pakistan and are now nearly surpassing the number of post offices in Pakistan (Total post offices are 13,000 in Pakistan). The EP has added 1,000 outlets during the last quarter of FY2010-2011in urban and rural areas.[4] II. MOBILE BANKING MODELS The mobile banking model is designed to facilitate the users in fast and reliable mobile banking and money transfer services by hiding all the underlying
13

ATFECM-50128036Asian-Transactions

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03

details. Easypaisa is using One-to-one (11) model of business where one financial institution usually a Bank in collaboration with mobile telecom company under the regulations and supervision of State Bank of Pakistan provide mobile banking services to its subscribers as well as general public.[5] Thus the simple block diagram of the mobile banking service is shown below:

Table 1: Showing comparison of services offered by mobile banking services.


Particulars Models used EasyPaisa One to One (1 -1) Person to Person (P2P) & Business to Consumer (B2C) Telenor UBL Omni Many to One ( - 1) Person to Person (P2P) & Government to Persons (G2P) Zong, Ufone, Warid, Mobilink, Zong United Bank Limited (UBL) Omni Dukaans (Franchised) SMS/WAP 580+ cities/towns MCB Mobile Banking Many to One ( - 1) Person to Person (P2P) UPayments One to Many (1 - ) Person to Person (P2P)

Mobile Telecom Company Mobile Banking Services

SBP Regulations Telco

Financial institute Financial Institution (Bank)

Retail Network

Tameer Micro Finance Bank EasyPaisa Shops (Franchised) SMS/USSD 660+ cities/towns 12000+ EP outlets October 2009 Yes No Yes Yes

Zong, Ufone, Warid, Mobilink, Zong MCB

Ufone

No

Habib Bank Limited & Summit Bank No

Service used

GPRS MCB branches only

USSD HBL or Summit bank branches only December 2010 Yes Yes No In respective bank accounts only No Yes Yes No No

Figure 1: Showing mobile banking model

Presence

The second model is one to many (1- ) as in the case of U-Payments, which used two financial institutions which are Habib Bank Limited (HBL) and Summit Bank. The third and last implemented model is many to one ( - 1) in which many telecom companies are offering services of one financial institution. The examples are UBL Omni and MCB mobile banking which are using all the five telecom companies currently working in Pakistan. A. List of services offered by mobile banking services The list of services offered in Pakistan by two major mobile banking services (Easypaisa and UBL) is as under:[2] i. Opening and maintaining a branchless accounts ii. Money transfer using CNIC (person to person transfer) iii. Money transfer using accounts (account to account transfer) iv. Utility bill payments v. Cash deposit and withdrawal vi. Merchant payments (purchases etc.,) vii. International remittances The detailed comparison of the mobile banking services currently available in Pakistan is given in Table 1.

Launched in Balance Enquiry Mini Statement Cash Handling Money Transfer (Domestic)

April 2010 SERVICES OFFERED Yes No Yes Yes

June 2009 Yes Yes No Only inMCB accounts

Remittances Mobile Top up Utility Bills Payment Mcommerce Support Branchless Banking Support Walking Customer Support Other Business Models

Yes Yes Yes Yes Yes

No Yes Yes Yes Yes

No Yes Yes No No

Yes, through EP Shops B2C Easy Pay (A payroll solution for corporate sector)

Yes, through Omni Dukaans G2P Benazir Income Support Program Disbursements

No

No

No

No

ATFECM-50128036Asian-Transactions

14

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03

(BISPs) & Watan Cards.

the services to requirements.[6]

meet

all

international

B. Minimum Legal Requirements The minimum security requirements by the State Bank of Pakistan have been reproduced in the following table:
Table 2: Showing minimum security requirements by SBP in Branchless Banking Regulations.[5]
Account Level Applicable Channels using cellular mobile communication system. Authentication of Client and Service end. Message Encryption requirements at application level. 1 USSD, SMS 2 SAT, WAP 3 SAT, WAP

B. Weaknesses The SMS service within GSM system was designed for non-sensitive messaging among subscribers ignoring mutual authentication, data confidentiality, end to end security and nonrepudiation. The following weaknesses have been observed while reviewing the mobile banking services in Pakistan which inherited the security vulnerabilities of GSM network. 1) SMS Spoofing: The originator/sender address is forged in sms message which appears to be from a legitimate sender by an adversary during a attack.[7] A masquerading attack can be performed by an adversary by changing the originators address field in the SMS header to some other alpha numeric string. The spoofing has impacted on the following: i.) Confidentiality & Authentication: Authentication can be compromised by SMS spoofing. To send SMS using someone elses number without permission instead of original address of the sender is called SMS spoofing. For example, any attacker can send SMS using SMS format of EasyPaisa and represent himself as sending SMS from 3737 the EasyPaisa SMS server address.[8] It is a severe threat and chances of fraud exist. ii.) Forgeability & Integrity:The SMS body text can be changed using spoofed SMS. 2) Message Encryption: Plaintext is the default data format used in the SMS messages and encryption is done only between cell phone and the base transmission station which shows that end to end encryption is not available in GSM system giving chance to insider and there also a chance for a hacker to attack inside network. Also the encryption using A5 algorithm is also vulnerable.[7] 3) SMS Service Centre Attack:Copies of SMS messages stored in SMS centre server is also vulnerable as the message is in plaintext and any person having access to SMS center can easily access sensitive information. By providing the copies of SMS message to users friend, two employees were fired by a mobile phone operator. [9] This shows insecurity and breaches can occur by humans rather by vulnerabilities of system.
15

Accountability/Nonrepudiation

Two-Factor Authentication. PIN (user knowledge) and MSISDN Not Application required / level 128 bit Not using known applicable symmetric algorithms or asymmetric like PKI (Public Key infrastructure). All Financial and NonFinancial transaction logs must be securely stored by FI.

III. SECURITY ANALYSIS A. Strengths: Following are the strengths of mobile banking services in Pakistan: 1) Non-Repudiation and Subscriber Accountability: For evidence purpose during auditing and forensic investigations, all subscriber financial transactions are logged. The logging also ensures non-repudiation which means subscriber may not deny the transaction which he/she has performed using EP account on his/her mobile phone. [5] 2) Centralized Control of Accounts/Transactions: All the transactions are processed through one main database of financial institution and SMS is send to both parties. This provides ease of administration of the database server and related backups. [2] 3) IS0 27001:2005certification: Only EasyPaisa mobile banking service is ISO 27001:2005 certified for Information Security Management System (ISMS). This certification is accredited by United Kingdom Accreditation Services (UKAS) and compliance is audited by Moody International Certification Body for evaluating

ATFECM-50128036Asian-Transactions

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03

4) DoS Attack: An entire GSM cell can be disabled by a single attacker through a Denial of Service (DoS) attack. In this attack the CHANNEL REQUEST message is send to BSC repeatedly without completing protocol requesting another signaling channel which is limited in number, thus resulting in DoS attack. This is the most economical attack as no charges deducted for requesting signaling channel and can be used for many practical situations like terrorist attacks.[10] 5) SMS Integrity Protection: Although authentication and confidentiality is present in GSM security architecture but no provision has been made for integrity protection of information.[11] Consequently, it cannot be verified that a certain SMS message was not tampered with. 6) Reply Attacks:The reply attack can be carried out by misusing the previously exchanged messages between the subscriber and network.[12] 7) Availability and Quality of Service (QoS) issue: Interruption in services of GSM network owing to technological or any other problem and non accessibility of any of mobile banking service may affect flow of financial transactions. Likewise, congestion in network may become a bottle neck in providing Quality of Service to mobile banking user.[5] IV. FUTURE PROSPECTS According to State Bank of Pakistan, Payment Systems Quarterly Review (October December, 2010)[14] published on February 12, 2011 the total number of registered users in Pakistan are: Call Center banking 4,923,491 Mobile banking 817,507 Internet banking 752,275 These results shows that the number of mobile banking users have surpassed internet banking users thus the future of mobile banking in Pakistan is glorious. The mobile banking and money transfer services are getting huge popularity among the lower and middle class of Pakistan as evident from the fact that using Telenor EasyPaisa seventeen billion rupees has been transferred in ten million transactions since the start of the service till December 2010. These transactions include utility bill payment and international remittances as well along with money transfer facility. [3] The growth in the use of these services is

compelling these companies to introduce G2P, C2B and B2C business models. The next studies can be carried out on the effectiveness and benefits of using these business models for the mobile banking and money transfer services in Pakistan. V. CONCLUSION & RECOMMENDATIONS Mobile telecom companies of Pakistan by launching the service of mobile banking and money transfer have connected the people of Pakistan with the most easily assessable and economical financial services which are the need of the hour. The figures show that branchless banking is 26% cheaper than banks. [15] These kinds of services will grow in future despite having the weaknesses as they cater the needs of the poor people. REFERENCES
[1] Teppo, Paavola. "Cash Goes Mobile." GSMA Mobile World Congress 15 - 18 February 2010. Barcelona: GSMA, 2010. EasyPaisa. http://www.easypaisa.com.pk (accessed Febraury 24, 2011). Dr. Azizullah Khattak. "Statistics on Scheduled Banks in Pakistan ." State Bank of Pakistan. June 30, 2010. http://www.sbp.org.pk/publications/schedule_banks/June2010/Title.pdf (accessed February 25, 2011). Daily Times. January 22, 2011. http://www.dailytimes.com.pk/default.asp?page=2011\01\22\ story_22-1-2011_pg5_2 (accessed Febraury 7, 2011). "Branchless Banking Regulations." State Bank of Pakistan. March 31, 2008. www.sbp.org.pk/bprd/2008/Annex_C2.pdf (accessed February 24, 2011). Telenor Pakistan becomes first Telecom Operator in Pakistan to be IS0 27001:2005 certified for easypaisa Mobile Banking Services. March 03, 2010. http://www.telenor.com.pk/pressCenter/pressrelease.php?rele ase=234&lang=en (accessed February 15, 2011). Lord, Steve. "Trouble at the Telco: When GSM Goes Bad Network." Network Security, no. 1 (2003): 10-12. Pankratov, Denis, and Dmitri Kramarenko. SMS spoofing Q&A with CCRC staff. August 19, 2004. http://www.crimeresearch.org/interviews/sms-spoofing-intro/ (accessed Ferbruary 23, 2011). Jones, Nick. Don't Use SMS for Confidential Communication . November 26, 2002. http://www.gartner.com/resources/111700/111720/111720.pd f (accessed February 23, 2011).

[2] [3]

[4]

[5]

[6]

[7]

[8]

[9]

[10] Bocan, V., and V. Cretu. "Mitigating Denial of Service Threats in GSM Networks." 1st IEEE International Conference on Availability, Reliability and Security (ARES'06). IEEE, April 2006. 6. [11] Chandra, Praphul. Bulletproof Wireless Security, GSM, UMTS, 802.11 and Ad hoc Security. Elsevier, 2005. [12] Toorani, Mohsen, and Ali Asghar Beheshti Shirazi. "Solutions to the GSM Security Weaknesses." Next Generation Mobile Applications, Services and Technologies,

ATFECM-50128036Asian-Transactions

16

Asian Transactions on Fundamentals of Electronics, Communication & Multimedia (ATFECM ISSN: 2221-4305) Volume 01 Issue 03

2008. NGMAST '08. The Second International Conference. Cardiff : IEEE, 2008. 576 - 581. [13] "Payment Systems Quarterly Review (October-December, 2010)." State Bank of Pakistan. February 12, 2011. www.sbp.org.pk/psd/reports/2010/Status_Report_Q_2-1211.pdf (accessed February 24, 2011). [14] Rasmussen, Stephen F. "Mobile Banking in 2020." CGAP Advancing financial access for the world's poor. http://www.cgap.org/p/site/c/home/, 2010.

ATFECM-50128036Asian-Transactions

17