
IOSR Journal of Computer Engineering (IOSRJCE) ISSN: 2278-0661, ISBN: 2278-8727, Volume 7, Issue 3 (Nov. - Dec. 2012), PP 15-19, www.iosrjournals.org

Preventing Spoofing Attacks in Mobile Banking Based on User Input Pattern-Based Authentication

K. Sujana (1), Md. Murtuza Ahmed Khan (2)

(1,2) Department of CSE, JNTU H, Lords Institute of Engineering and Technology, Hyderabad, Andhra Pradesh, India

Abstract: Mobile banking has become a very attractive and useful facility from the point of view of both customers and service providers. However, this domain has seen many security threats, and attackers target it for financial or other benefits. In spite of the many security measures taken by mobile service providers and application providers, vulnerabilities remain that may be exploited by adversaries. The threats include intrusion from a remote place and physical theft. This paper proposes a novel approach to prevent such threats. The new approach analyzes a user's input patterns, and also the level of finger pressure, while input is given through a mobile device. Input patterns such as the time a user takes to give input to the mobile gadget are considered. By recording the genuine user's input patterns and finger pressure levels, our system can recognize the differences between the usage patterns of genuine users and attackers. The empirical results revealed that the system is highly accurate and effective and can be used in real-time systems.

Keywords: security, input patterns, biometric, mobile authentication.

I. Introduction

Mobile communication technologies are improving at a rapid pace. People from all walks of life have started using mobile devices as they provide convenient communication. Instant communication is within everyone's reach due to the revolution in mobile technologies and affordable mobile devices. This paved the way for businesses to make use of mobile banking, as it is a very attractive domain for expanding their business. With mobile communications, mobile banking and other financial services are being provided through mobile applications. Bankers are focusing more on an effective, efficient and convenient mobile banking facility that can bring them more customers, while existing customers feel comfortable with the facility as it enables them to perform banking operations even while in transit. Nevertheless, this domain has registered many security threats that are a cause of concern. The mobile security report published by McAfee in 2009 revealed that the mobile banking domain is very vulnerable and a cause of concern for manufacturers of mobile devices [1]. According to a report published in 2010, the amount of malware in the mobile banking domain is around ten million and is increasing rapidly every year. In mobile operating systems such as Android, iOS and Symbian, vulnerabilities continue to be found [2]. It is evident that hackers have used MMS (Multimedia Messaging Service) for phishing attacks in the mobile banking domain [3]. Mobile banking uses small handheld devices, including mobile phones, that have limited resources such as energy, storage and processing power. This is also one of the reasons for their vulnerability. The security mechanisms used in the PC world are not suitable for the mobile world due to the difference in available resources. This warrants different security measures for mobile banking [4]. This paper proposes a new secure model for mobile authentication.
Our approach is named the Input Pattern Based Authentication Method and is based on the concepts given in [1]. It makes use of a biometric feature to ensure security in mobile transactions, and it prevents the financial frauds being witnessed in the mobile banking domain. Many mobiles are provided with touch screens. Users use their fingers or a stylus pen to give input to the mobile device. In this context, we understood that it is possible to make use of users' usage patterns in terms of how they give input to the mobile device. Every user has a different pattern of giving input, for example how much time it takes a user to give input to the mobile device through the touch screen. The usage patterns can be measured to obtain the input duration, the physical touch dimension on the touch screen, the duration time and the finger pressure level. We believe that these measurements are unique for each user and also consistent for a given user. Thus these measures can be used to uniquely identify users. This information is useful to distinguish unauthenticated transactions from legal ones. This can provide more security than conventional security mechanisms. For instance, a user's password may be leaked and thus make the system vulnerable. Even when a hacker obtains a customer's sensitive information, he cannot take part in fraud incidents, as our proposed system can detect such activities by analyzing the usage patterns of the genuine customer and the attacker. Biometric technologies are widely used in system authentication and have become an attractive way of securing systems. Biometric features such as voice print, iris scanning, facial recognition, hand geometry and fingerprints are known to be used in biometric authentication methods [5]. When a small handheld device is equipped with a camera, touch screen or microphone, multimodal biometric authentication is possible [6]. Biometric authentication methods have some drawbacks, as they are vulnerable to biometric spoofing attacks. Attack methods such as plastic fingers have been successfully used to break biometric security systems [7]. Another drawback is that these methods cause inconvenience to users. A third drawback is that biometric authentication systems must have high storage capacity and high system resources. The collection of biometric features may also cause privacy problems when they are misused by financial outfits and banks. In order to overcome the problems described above, keystroke-based biometric authentication was researched in [8] and [9]. However, these methods have error rates as high as 21%, as they depend on behavioural attributes, which may vary, unlike attributes of a physical nature. For present mobile banking needs, the existing biometric methods are therefore not suitable. For that reason, our novel approach makes use of users' usage patterns in terms of keystrokes and the time they take to produce input in order to make mobile banking more secure. It can effectively counter spoofing attacks, which biometric methods cannot. Compared with biometric features, the proposed system is very simple, as it does not need any scanning of fingerprints: it can take the user's keystroke input patterns spontaneously, on the fly, and authenticate the user in real time. This is an approach that can really address spoofing attacks. The processing of input data, which is in text format, is also easy, so the additional overhead of authenticating the user based on the given inputs is low. This authentication system combines users' physical attributes with behavioural attributes and effectively avoids security problems in mobile computing. It also does not cause problems for the privacy of mobile banking users.
Experiments were made to test the efficiency of the proposed system. The tests were performed using a prototype mobile application. The users' input to the mobile application is considered for pattern recognition. Training data and test data were used to see how the proposed system works. The Back Propagation Network (BPN) algorithm is used for training and classification. It is one of the neural network algorithms that make use of supervised learning, and it is based on the feed-forward architecture [10]. The empirical results revealed that the proposed system is capable of providing over 95% accuracy.

II. The Issues Of E-Transactions Security

In many countries mobile banking has become commonplace in the banking sector, and Korea is no different. According to reports in Korea by the FSS (Financial Supervisor Service), there were thirteen incidents each year for the last five years and the damages have reached more than 250 million so far. Many incidents are carried out on users' PCs. The attacks were made through vulnerabilities in the system rather than in the e-financial systems. This means that the applications used for transactions are secure; however, the device on which the applications run has security vulnerabilities. This is the case with both PCs and mobile handheld devices. For this reason, in the case of e-transactions, vulnerability checking and round-the-clock monitoring of transactions are to be considered. The lapses in PCs, mobiles and the operating systems that run on those devices are inherent security problems, and those problems cause damage to e-transactions according to the report. In Korea, with respect to user authentication and digital signatures, the financial institutions utilize digital signatures that are secure in nature. They use a one-time pad that maximizes security. Digital certificates and the use of PKI (Public Key Infrastructure) play an important role in safeguarding the interests of the stakeholders involved in e-business transactions. Recently a device was introduced to provide additional security. However, security codes have a weak point, as they have a restricted number of password codes. The protection of users' authentication information is a very essential task, and especially crucial in systems where e-transactions are involved. Present systems use encryption and decryption procedures to safeguard sensitive information. Still, attacks through memory hacking are evident. Another method used for authentication is based on PC information.

With respect to mobile banking security methods in Korea, banking transactions are made on both PCs and mobiles. Mobile banking security is weaker, and there have been security incidents with mobile banking. According to [11], attacks such as malware and phishing attacks are also possible in mobile banking. This is a cause of concern, and the Financial Supervision Service in Korea has taken steps to increase security in mobile banking. This paper proposes a new security architecture based on user input patterns for secure authentication of the parties involved in e-transactions.

III. Proposed Authentication Method

The authentication method proposed in this paper is a user input pattern based authentication method. A smartphone with a touch screen is used, as the application has to take user input through the touch screen. The proposed application is designed to find the user's input patterns, duration time, physical touch size on the screen, and finger pressure. Biometric information, in the form of the finger's touch on the touch screen, is used in this case. It also makes it easy to tell whether a person really pressed the keys. Liang Xie et al. explore input patterns on mobile devices for detecting malware. Fig. 1 shows the proposed architecture.


Fig. 1 The Training, Detection and Countermeasures phases of the proposed architecture

As can be seen in Fig. 1, there are three phases in the proposed mechanism, namely training, detection and countermeasures. In the training phase, the proposed application collects input pattern data from users, which is stored in the financial outfit's backend database. This data is used for training the application. As the training phase requires more resources, it is to be done on the financial outfit's system. This ensures security and avoids any damage to the training data and its integrity caused by any kind of malware running on the smartphone. The purpose of the detection phase is to make the decision that determines whether the requested transaction is from the original user or not. This is done by comparing the input patterns extracted on the fly with the input patterns of that user already registered with the financial outfit. If the patterns do not match, the system considers the transaction a fraudulent transaction. When a transaction is suspicious, the financial institution disapproves it, and such transactions need an additional process to complete authentication. The third phase, the countermeasure phase, is meant for executing the secondary authentication process. It is executed only when there is evidence of a suspicious transaction. In this case the financial institution definitely blocks all transactions that are not legal. The technical details of the countermeasures are not in the scope of this paper. With respect to input methods, two types of methods are considered, known as scroll-wheeling and touch. In mobile devices that support a touch screen, the touch method can be used to get input; in this method the user just presses a button down with his finger. The action of brushing a finger down or up on the screen is known as scroll-wheeling.

For each user these input methods produce different patterns based on their physical attributes. The attributes pertaining to users' input patterns are shown in Table 1.

Table 1 Attributes and User Input Patterns Considered

Table 1 presents the attributes and user input patterns considered for the experiments. The Back Propagation Network used in this project work is presented in Fig. 2.

Fig. 2 The architecture of the three-layer Back Propagation Network

As seen in Fig. 2, the architecture of the BPN has three layers: the input layer, the hidden layer and the output layer. The processing of users' input pattern data is done in the input layer. The total number of processing nodes in the input layer is equal to the number of users involved in the experiments. In the hidden layer, the number of processing nodes influences the performance and accuracy of the training process. Transfer function equations are provided for both the forward and backward passes.
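The training and detection phases of Fig. 1 and the three-layer network of Fig. 2, as an added example that is not the paper's code: a pure-Python back-propagation network trained on constructed per-keystroke features (duration, touch size, finger pressure) for one enrolled user against other users' patterns, then used in the detection phase to route a transaction either to approval or to secondary authentication. The feature scaling, the two-class (genuine vs. others) output node, the 0.5 decision threshold and all sample values are assumptions made for the example.

```python
import math
import random

def make_samples(rng, n, centre, spread, label):
    """Constructed samples, not real measurements: per-keystroke
    (duration_ms, touch_size, pressure) vectors jittered around a centre."""
    return [([rng.gauss(c, s) for c, s in zip(centre, spread)], label)
            for _ in range(n)]

def normalise(raw):
    """Scale features to roughly [0, 1]; duration is in milliseconds (assumed)."""
    return [raw[0] / 300.0, raw[1], raw[2]]

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

class BackPropNetwork:
    """Input layer -> sigmoid hidden layer -> one output node, P[genuine]."""

    def __init__(self, n_in, n_hidden, rng, lr=0.8):
        self.lr = lr
        # Each row holds one node's input weights plus a trailing bias weight.
        self.w_hid = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)]
                      for _ in range(n_hidden)]
        self.w_out = [rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)]

    def forward(self, x):
        x = x + [1.0]                                   # bias input
        hid = [sigmoid(sum(w * v for w, v in zip(row, x)))
               for row in self.w_hid] + [1.0]           # bias node
        return x, hid, sigmoid(sum(w * h for w, h in zip(self.w_out, hid)))

    def train(self, samples, epochs):
        """Forward pass, then backward pass of the squared-error gradient."""
        for _ in range(epochs):
            for raw, target in samples:
                x, hid, out = self.forward(normalise(raw))
                d_out = (out - target) * out * (1 - out)
                d_hid = [d_out * self.w_out[j] * hid[j] * (1 - hid[j])
                         for j in range(len(self.w_hid))]
                for j in range(len(self.w_out)):
                    self.w_out[j] -= self.lr * d_out * hid[j]
                for j, row in enumerate(self.w_hid):
                    for i in range(len(row)):
                        row[i] -= self.lr * d_hid[j] * x[i]

    def genuine_probability(self, raw):
        return self.forward(normalise(raw))[2]

def build_detector(seed=7):
    """Training phase: enrol one user's pattern against other users' patterns."""
    rng = random.Random(seed)
    genuine = make_samples(rng, 30, (120, 0.40, 0.60), (15, 0.05, 0.05), 1.0)
    others = make_samples(rng, 30, (210, 0.65, 0.35), (25, 0.07, 0.06), 0.0)
    net = BackPropNetwork(3, 10, rng)          # 10 hidden nodes, as in Sec. IV
    net.train(genuine + others, epochs=500)
    return net

def detect(net, keystrokes, threshold=0.5):
    """Detection phase: mean P[genuine] over a transaction's keystrokes;
    below the threshold the transaction goes to secondary authentication."""
    score = sum(net.genuine_probability(k) for k in keystrokes) / len(keystrokes)
    return ("approve" if score >= threshold else "secondary_authentication"), score
```

The training set is generated on the financial outfit's side in this sketch, as the paper requires, so the on-device code only ever runs the forward pass.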

IV. Experimental Results

A Linux-based smartphone named Motoroi is used for the experiments. It runs the Android 2.1 OS and has a 3.7 inch touch screen. The prototype application is developed using the API provided by Android. The mobile application used for all experiments, in which 50 selected people aged between 20 and 30 years who know mobile operations well took part, has the following user interface.

Fig. 2 Mobile Application Used for Experiments

As can be seen in Fig. 2, the mobile application developed in the said environment allows users to take part in the experiments. 50 users were selected for the experiments. They used the touch screen in their own familiar way. Keystrokes with different pressures and patterns are recognized by the proposed system. The inputs given by the 50 users were evaluated. Table 1 shows the results for the 50 users.

Table 2 Test Results of 50 users

As can be seen in Table 1, the configuration with 10 hidden nodes brought more accuracy than the other configurations. When 12 input nodes are used with 10 hidden nodes the accuracy is highest, at 97%, while the accuracy rate with 8 hidden nodes is less than 90%. Figures 3 to 6 show the difference between the training graphs for 6 hidden nodes and 10 hidden nodes when the number of input nodes is 12. In both cases accuracy increases, as shown in the graphs, in proportion to the number of iterations. However, the accuracy rates with 10 hidden nodes are higher than those with 6 hidden nodes. Even when the number of iterations is increased to some thousands, in the case of 6 hidden nodes there is no change in the accuracy level.

Fig. 3 CCR % with 10 hidden nodes

Fig. 3 CCR % with 6 hidden nodes

Fig. 4 Network Improvement with 10 hidden nodes

Fig. 4 Network Improvement with 6 hidden nodes

V. Conclusion

Mobile banking is a rapidly growing domain used in real-time applications. Banking and other financial sectors provide access to their services through the mobile banking paradigm. From the review of the literature it is understood that mobiles have limitations in terms of processing power and other resources. This, along with their mobile nature, causes security problems. In particular, physical theft and spoofing attacks are a cause of concern. The existing techniques, and even biometric applications, have security problems such as spoofing attacks. To overcome this drawback, this paper proposed a new mechanism that analyzes users' input patterns on mobile devices without causing any problems for the privacy of mobile banking users. Our approach is based on collecting the input patterns given by mobile banking users and analyzing them. With this approach it is easy to distinguish fraudulent transactions from genuine ones. The experimental results revealed that our approach yields high accuracy and does not cause any privacy problems for users, in contrast to biometrics-based authentication.

References

[1] Hojin Seo and Huy Kang Kim, User Input Pattern-based Authentication Method to Prevent Mobile e-Financial Incidents, IEEE Computer Society, IEEE 2011.
[2] Mobile Security Report 2009, McAfee, www.mcafee.com, 2009.
[3] XSS, SQL Injection and Fuzzing Barcode Cheat Sheet, http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php
[4] Aubrey-Derrick Schmidt, Frank Peters, Florian Lamour, Christian Scheel, Seyit Ahmet Camtepe, and Sahin Albayrak, Monitoring Smartphones for Anomaly Detection, Mobile Networks and Applications, 2008, pp. 92-106.
[5] N. L. Clarke and S. M. Furnell, Authentication of users on mobile telephones: A survey of attitudes and practices, Computers & Security, vol. 24, 2005, pp. 519-527.
[6] J. Koreman, A. C. Morris, D. Wu, S. Jassim, H. Sellahewa, J. Ehlers, G. Chollet, G. Aversano, H. Bredin, S. Garcia-Salicetti, L. Allano, B. Ly Van, and B. Dorizzi, Multi-modal biometric authentication on the SecurePhone PDA, in Proc. 2nd Int. Workshop on Multimodal User Authentication, Toulouse, France, 2006.
[7] Chris Roberts, Biometric attack vectors and defence, Computers & Security, vol. 26, 2007, pp. 14-25.
[8] N. L. Clarke and S. M. Furnell, Advanced user authentication for mobile devices, Computers & Security, vol. 26, 2007, pp. 109-119.
[9] Seong-seob Hwang, Sungzoon Cho, and Sunghoon Park, Keystroke dynamics-based authentication for mobile devices, Computers & Security, vol. 28, 2009, pp. 85-93.
[10] Robert Hecht-Nielsen, Theory of the Backpropagation Neural Network, IEEE Neural Networks, 1989, pp. 593-605.
[11] Jin Nie and Xianling Hu, Mobile Banking Information Security and Protection Methods, Computer Science and Software Engineering International Conference, 2008, pp. 587-590.

AUTHORS

K. Sujana: M.Tech from Lords Institute of Engineering and Technology, Hyderabad. She received her B.Tech degree in Computer Science and Engineering. Her research interest is in Network Security.

Md. Murtuza Ahmed Khan is an Associate Professor at Lords Institute of Engineering and Technology, Hyderabad. He received a B.Tech degree in Computer Science and Engineering and an M.Tech P.G. in Software Engineering. His main research interest is in Network Security.

