Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications

Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Until recently, mobile banking was most often performed via SMS or the Mobile Web. Apple's initial success with the iPhone and the rapid growth of phones based on Google's Android operating system have led to increasing use of special client programs, called apps, downloaded to the mobile device, which in turn has increased the number of banking applications that can be made available on mobile phones. This has increased the popularity of mobile devices for personal banking activities. Because of the characteristics of the wireless medium, the limited protection of the nodes, the nature of connectivity and the lack of a centralized point of management, wireless networks tend to be highly vulnerable and more often than not become the subject of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back-end server in mobile banking applications. It aims to identify the techniques associated with man-in-the-middle attacks during communication between a mobile device and a back-end server and to propose controls that will ensure that data theft does not occur during such sessions.
