CHAPTER ONE

1.0 INTRODUCTION
Securing information from an unauthorized access is a major
problem for any network system. Wireless security, in a broad sense,
focuses on network security, system security, information security, and
physical security. It is made up of a suite of multiple technologies that
solve numerous authentication, information integrity, and identification
problems. The technologies include: firewalls, authentication servers,
biometrics, cryptography, intrusion detection, virus protection, and VPNs
(Virtual Private Networks).
The use of mobile computing devices like handsets and notebook
computers has immensely increased as people are becoming more aware
of the global information technology. In fact in some organizations, the
notebooks or laptops has replaced the desktop as the standard issue
computing platform in order to enable employees to take their work home
with them and maximize productivity. More and more users are now
relying on notebook computers or laptops and even mobile computing
devices such as mobile phones (handsets) as their primary means of
productivity and financial transactions.
Device theft and loss have always been an issue for mobile
devices. With the inclusion of sensitive personal information such as
personal financial information, address books, as well as high value
premium service on the devices, the risk from loss is increasing. In
addition, as mobile devices become smarter and support more data
functions, the industry is facing more of the same threats as personal
computers from malicious software and attacks.
It is obvious that organizations like the financial institutions, can
realize efficiency and productivity gains by embracing mobile computing,
but they also need to comprehend and defend against the unique security
1

issues attached to mobile computing. Mobile devices such as laptops,

notebooks, personal digital assistants, Smartphone, USB storage
(Universal Serial Bus flash drives) and digital cameras are used to copy
files to do jobs that need to be done away from the office. Nevertheless,
poorly managed mobile devices greatly increase the potential for security
failures and information compromise.
Increasingly, people are using networks such as the Internet for
mobile banking, on-line banking, shopping, cashing money on the ATM
(Automated Teller Machine) and many other applications such as in Ecommerce. For example, in electronic banking and other financial
applications, a client may masquerade as another person; this often
involves the transfer of sensitive information such as credit card details
over the network. To support this such type of networked transaction, a
number of security -techniques or schemes have to be developed which
when combined together ,will provide a high level of confidence that any
information relating to the transaction that is received from the network
must have the following criteria (Franklin,2008; Fred,2005):
Integrity:- Has not been altered in any way;
Privacy/Secrecy:- Has not been intercepted and read by anyone;
Authentication:- Has come from an authorized sender;
Non-repudiation:- Has proof that the stated sender initiated the
transaction.
The loss of highly sensitive information and the potential media
scandal are huge problems. The impact might be even greater because, if
a mobile device is stolen or broken into, the companys information can
be exposed as well as personal and financial information of the owner.
The most popular mobile devices are largely based upon consumer
technologies, with lower security design expectations and probably

should not be treated as trusted even after the application of security

policies, technologies and techniques.
Mobile manufacturers and service providers recognize a need for
security solutions that function across multiple platforms, on multiple
networks and can be trusted to responsibly handle multiple media types.
However, the bounty of consumer products and applications geared to the
Internet generation will create significant opportunities for abuse.
Devices that store and move money electronically for sensitive mbanking transactions or other valuable proprietary digital content
exchanges could be at risk from anywhere the signal can be detected
(Milenkovic, 1992).
1.1 STATEMENT OF PROBLEM
This project work has discovered that, mobile computing,
communication, and storage devices are subject to five major areas of
risk, namely:
Physical risk:- Theft or loss of mobile devices
Unauthorized access risk:- Login or network access by an
unauthorized person or computer user;
Operating system or application risk: - All computer operating
systems and applications contain both known and unknown
vulnerabilities that can be exploited to gain control of the device or
access to its data.
Network risk: - Computing and communication devices can be
accessed through the networks to which they are connected without
detection. Viruses, worms, and other malware can enter a computer
or other electronic device through networks, web sites, e-mail
attachments, and mobile storage media.
Mobile data storage device risk. Any mobile device that can be
used to store data (USB drives, Personal Digital Assistants (PDAs),
3

mobile music players, floppy disks, CD-ROMs, DVDs, credit

cards, ATM cards etc.) are subject to loss or unauthorized access.
It is the responsibility of every individual who use such devices to
contain, process, transmit, or access organizational or personal restricted
data to recognize these risks and take the necessary precautions to protect
the devices and the sensitive information they may contain or to which
they may have access. The project work addresses the issues related to
security in mobile computing in banking system, seeking answers to the
following questions:
I.

What support does the target user need?

II.

How can this support be organized in a mobile computing banking

environment?

III.

What are the anticipated benefits and problems of the support?

1.2 OBJECTIVES OF THE PROJECT

The objectives of the study may be stated as follows:
To identify security threats and goals in mobile banking system.
To discuss the features and advantage of mobile computing in
financial institutions.
To investigate some but not all existing measures and models of
security in other to achieve a well secured ICT environment for
mobile banking.
To develop a well secured model and software that will give a high
level of security for the financial transactions in electronic banking
(M-Banking).

1.3 SIGNIFICANCE OF THE PROJECT

The significance of this study includes but not limited to the
following:
4

 To attain the primary goal of having a high level of secured mobile

computing environment.
To provide a secured e-Banking system (mobile banking) that will be
able to maintain the integrity, availability and privacy of data and
devices involved.
1.4 LITERATURE REVIEW
To enforce law on online transactions, Michael ( 2008) said, once a
cybercrime is committed, it is highly unlikely that the perpetrators will be
held accountable and will compensate the victim for the sustained losses.
Investigation and criminal prosecution of cybercrime is difficult, and
many crimes go unpunished. At the same time, self-regulation and market
forces do not necessarily ensure security of online transactions because of
the inherent conflict of interests in the industry.
Many computer-related crimes are not even reported because
businesses try to avoid bad publicity and the potential loss of customer
confidence. Since private legal actions under the current law usually do
not result in adequate compensation for cybercrime victims, crime
prevention becomes the key to ensuring the security of online
transactions. Therefore, there is a need for comprehensive United States
Federal regulations and oversight combined with appropriate legislation
extending rights of private parties to enforce government-mandated
security standards and demand adequate security from the organizations
handling their private information.
Government organizations, businesses, and individuals should also
have a legal right to recover their losses from organizations whose
negligence in maintaining computer systems security precipitated
cybercrime regardless of who committed the actual crime. These
measures would improve online security and reduce crime. As a result,
law enforcement agencies would be able to investigate and prosecute a
5

higher percentage of cybercrimes, thus increasing the deterrent effect of

criminal justice.
Stenographic technique was used by Geeta et al (2010) as another
security approach to secure M-banking. Using Improved M-Banking
Security, valid user will only access his/her bank account with the help of
mobile phone which has Internet facility and the bank application
installed. The data exchange between user and bank is carried under
protection of encryption and decryption technique. It makes use of
images as cover to hide data with the formulae by changing every time
and transferred in coded format. It uses four formulae, two for
steganography(cover image), one for encryption and another one for
session/request id. Only a single key is sent along with image used in
steganography (cover image) and used by all the four formulae in
interdependent manner. The key is a variable steganographed image, so
that it becomes difficult to get data even if the key is found. Both server
and the end user application will communicate only by sending the cover
image and then extracting data from it.
Two mathematical formulae were used to implement the
stenographic technique. First formula will generate series of pixel
number, with the help of key taken as input, in which data will hide.
Second formula will generate the bit number for n bit pixel in which
one bit of data will hide. Only one key is required and needed to be sent
along with cover image which is used by the first formula. In order to
avoid the detection by comparison of modified image with original
image, random pixel other than that which contains data is also modified.
For example, using customized images created by the owner (in this case
bank) will help to avoid the comparison of the image.
The algorithm of the techniques is summarized in figure 1.1 below

Figure 1.1 Stenographic technique.

A publication by Alireza et al. (2008), proposed an improved

security model in SoonR. SoonR is an application that employs a Mobile
Web 2.0 solution, which provides access to applications and files,
residing on a PC connected to Internet (SoonR). Using SoonR, the
standard mobile phones capable of running a mini-web browser can use
some applications on PCs remotely anywhere with cell phone network
coverage. Having SoonR subscription on a cell phone means that the
users sensitive information is just a couple of key-presses away from the
potential intruders. Cell phone password can be utilized to soften the
unauthorized use of the cell phone. Unlike the security model used by
SoonR and other similar systems. The model proposed to combine multifactor user authentication, one-time passwords, and device authentication
to enhance intrusion deterrence. Additionally, the always-on was replaced
with an on-demand strategy, to reduce exposure. The phone used, has
three capabilities commonly found in todays devices:
Voice with unblocked Caller ID
7

 Internet connection with secure socket layer (SSL)-enabled browser

Short Text Messaging System (SMS) capability
It is assumed that not only the cell phone itself is physically
unsecured but also a 3rd party can overhear the data and voice
communication between the cell phone and the tower. At the same time
the mobile service provider is trusted with the best effort delivery of a
secure voice and data service. Caller-ID was used to authenticate the
device.
However, a potential intruder can fool the Caller-ID into displaying
arbitrary information. Therefore, relying on the Caller-ID alone for
authentication of the device is not the most secure way. A combination of
SMS with Caller-ID was used to authenticate the device.
The work demonstrates that it is feasible to improve the deterrence
against security threats in an off-the-shelf product. The proposed
enhancements consist of:
- Reducing the window of exposure to threats by granting remote access
to the users PC only when required, instead of supporting the current
Always-on policy.
- Reducing the likelihood of impersonation by using multifactor
authentication:
a) Verifying the phones caller id,
b) Asking a one-time password from the user,
- Reducing the risk if devices are stolen by having the one-time
password being generated by something the user knows, rather than
something the user carries.
An important feature of the proposed solution is that it enables
users to manage the tradeoff between security assurances and the
associated usability overhead.

Wambari (2009) on his research study revealed that loss of a

mobile handset and security passwords were the biggest security concerns
both rural and urban businessmen had, regarding an M-banking service.
The urban small business owner is also worried about encryption of data
stored in his mobile phone.
A joint report by Gaurav Jain and colleagues (2009) proposes a
new authentication method that authenticates a user by a more intuitive
and easy-to-remember graphical password scheme for mobile online
banking. Users create their graphical password by drawing on the touch
screen of the device during enrolment. To authenticate, they just need to
re-draw their password on the touch screen again. The system seamlessly
integrates with existing web-based banking service which is transparent
to users. It provides the maximum degree of usability and flexibility to
users to authenticate into the banking service.
Upon

successful

authentication

on

the

device

level,

corresponding text- base banking password, generated by the hash

function in the application, is sent to the bank to allow access to the
users account. The design aims to increase usability for users and at the
same time maintain the security level. In addition, such an authentication
scheme through mobile device requires minimum modification on the
banks servers and also avoids collecting and disclosing personal
identifiable information on a central server. The core authentication
technique used in this design is graphical passwords based on
Background Draw-a-Secret (BDAS), which provides the same capability
to create strong passwords and is relatively easy to remember; but at the
same time, it still requires further studies to improve its feasibility. The
figure 2.1 below shows the process of the authentication technique for
graphical password.

Figure 1.2:

Enrolment and Authentication process for the proposed graphical password

authentication system.

10

CHAPTER TWO
THEORETICAL BACKGROUND
2.1 E-BANKING
E-business has been continuously growing as a new industry
during the last decade and today is widely understood as business
conducted through the Internet, not only including buying and selling
products, but further extended for serving customers and collaborating
with business partners. The banking industry has followed this trend in
recent years, and sometimes called e-banking referring to all banking
transactions completing through Internet applications. (Yang et al., 2007).
Some key issues addressed in the recent literature about the e-banking
include: customer acceptance and satisfaction, privacy concerns,
profitability, operational risks, and competition from non-banking
institutions. In addition to previous electronic banking delivery systems
such as:
- Automated Teller Machines (ATMs) and telephone transaction
processing centres, online banking provides banks with a new and more
efficient electronic delivery tool. While ATMs were first introduced in
early 1 980s and initially an attempt to reduce operating costs, telephone
call centers were developed in the 1990s to handle simple transactions
and provide added customer services from a remote location.
E-banking has been viewed as an upgrade from previous electronic
delivery systems to open new business opportunities for the banking
industry. A more recent e-banking development is wireless internet
applications of banking sometimes called m-banking (mobile banking).
With the combination of two most recent technological advancement:
Internet and mobile phone, a new service (mobile data service) is thus
enabled and the first of such wireless internet commercial transaction was
performed by the banking industry (Yang et al., 2007).
11

2.2 MOBILE BANKING

Wikipedia definition of Mobile banking also known as, MBanking, mbanking, SMS Banking, etc. is a term used for performing
balance checks, account transactions, payments etc, via a mobile device
such as a mobile phone. Mobile banking today is most often performed
via SMS or the Mobile Internet but can also use special programs, called
clients, downloaded to the mobile device. For banks, mobile banking has
become the most promising medium of reaching out to their customers,
because of the ability to provide services at any time or place as long as
there is a cell phone reception (Wikipedia, 2009). There is no limit to the
range of transactions and services for which mobile money could
eventually be used. As a result, mobile banking has significant
implications for economic activity across the board. First, it reduces the
cost and risk inherent in dealing with cash. Secondly, and perhaps more
significantly, it facilitates the flow of money from one party to another
using communications infrastructure that already connects billions of
customers around the world, far more customers than currently have bank
accounts. (Jenkins, 2008; Tiwari and Buse, 2007).
Mobile banking has come in handy in many parts of the world with
little or no Infrastructure development, especially in remote and rural
areas. This part of the mobile commerce is also very popular in countries
where most of their population is unbanked. In most of these places banks
can only be found in big cities and customers have to travel hundreds of
miles to the nearest bank. Countries like Sudan, Ghana and South Africa
received this new commerce very well. (Wikipedia, 2009) For example,
in Nigeria mobile banking is available and practiced in some banks like
DIAMOND BANK and FIRSTINLAND BANK PLC.

12

Mobile Banking can be said to consist of three inter-related

concepts (Wikipedia, 2009):
Mobile Accounting
Mobile Brokerage
Mobile Financial Information Services
Most services in the categories designated Accounting and
Brokerage are transaction-based. The non-transaction-based services of
an informational nature are however essential for conducting transactions
- for instance, balance inquiries might be needed before committing a
money remittance. The accounting and brokerage services are therefore
offered invariably in combination with information services. Information
services, on the other hand, may be offered as an independent module.
2.2.1 Mobile banking business models
A wide spectrum of Mobile/branchless banking models is evolving.
However, no matter what business model, if mobile banking is being used
to attract low-income populations in often rural locations, the business
model will depend on banking agents, i.e., retail or postal outlets that
process financial transactions on behalf of banks. The banking agent is an
important part of the mobile banking business model since customer care,
service quality, and cash management will depend on them. Many
telecommunication companies will work through their local airtime
resellers. These models differ primarily on the question that, who will
establish the relationship (account opening, deposit taking, lending etc.)
to the end customer, the Bank or the Non-Bank/Telecommunication
Company (Telco). Another difference lies in the nature of agency
agreement between bank and the Non-Bank. Models of branchless
banking can be classified into three broad categories - Bank Focused,
Bank-Led and Nonbank-Led.

13

Bank-focused model
The bank-focused model emerges when a traditional bank uses
non-traditional low-cost delivery channels to provide banking services to
its existing customers. Examples range from use of automatic teller
machines (ATMs) to Internet banking or mobile phone banking to
provide certain limited banking services to banks customers. This model
is additive in nature and may be seen as a modest extension of
conventional branch-based banking.

Bank-led model
The bank-led model offers a distinct alternative to conventional
branch- based banking in that customer conducts financial transactions at
a whole range of retail agents (or through mobile phone) instead of at
bank branches or through bank employees. This model promises the
potential to substantially increase the financial services outreach by using
a different delivery channel (retailers/ mobile phones), a different trade
partner (telco / chain store) having experience and target market distinct
from traditional banks, and may be significantly cheaper than the bankbased alternatives. In this model customer account relationship rests with
the bank

Non-bank-led model
The non-bank-led model is where a bank has a limited role in the
day-today account management. Typically its role in this model is limited
to safekeeping of funds. Account management functions are conducted by
a non-bank (e.g. telecom) who has direct contact with individual
customers. Example, Zain in 2009 launched their own mobile money
transfer business known as ZAP in Kenya and other African countries.

14

2.2.2 Mobile Banking Services

Mobile banking can offer services such as the following:
Account Information
1. Mini-statements and checking of account history
2. Alerts on account activity or passing of set thresholds
3. Monitoring of term deposits
4. Access to loan statements
5. Access to card statements
6. Mutual funds / equity statements
7. Insurance policy management
8. Pension plan management
9. Status on cheque, stop payment on cheque
10.Ordering check books
11.Balance checking in the account
12.Recent transactions
13.Due date of payment (functionality for stop, change and deleting of
payments)
14.PIN provision, Change of PIN and reminder over the Internet
15.Blocking of (lost, stolen) cards or cheques

Payments, Deposits, Withdrawals, and Transfers

1. Domestic and international fund transfers
2. Micro-payment handling
3. Mobile recharging
4. Commercial payment processing
5. Bill payment processing
6. Peer to Peer payments
7. Withdrawal at banking agent
8. Deposit at banking agent
15

Especially for clients in remote locations, it will be important to

help them deposit and withdraw funds at banking agents, i.e., retail and
postal outlets that turn cash into electronic funds and vice versa like credit
cards. The feasibility of such banking agents depends on local regulation
which enables retail outlets to take deposits or not.
A specific sequence of SMS messages will enable the system to
verify if the client has sufficient funds in his or her wallet and authorize a
deposit or withdrawal transaction at the agent. When depositing money,
the merchant receives cash and the system credits the clients bank
account or mobile wallet. In the same way the client can also withdraw
money at the merchant: through exchanging SMS to provide
authorization, the merchant hands the client cash and debits the
merchants account.

Investments
Portfolio management services include:
1. Real-time stock quotes
2. Personalized alerts and notifications on security prices
3. Mobile banking

Support
1.

Status of requests for credit, including mortgage approval, and

insurance coverage

2.

Check (cheque) book and card requests

3.

Exchange of data messages and email, including complaint

submission and tracking.

4.

ATM Location

16

Content Services
1. General information such as weather updates, news
2. Loyalty-related offers
3. Location-based services

2.3 SECURITY
In this work, we will look at some security threats and some
general measures of security to the computer system and applications that
run on them. Security of financial transactions being executed from some
remote location and transmission of financial information over the air are
the most complicated challenges that need to be addressed jointly by
mobile application developers, wireless network service providers and the
banks IT departments(Jonan,1992;Fred,2005).

2.3.1 Security threats

To understand the techniques for securing a computer system and
the applications on it, it is important to first understand the various types
of attacks that can be made against it. Some major security threats
perceived by users and computer-based systems providers include
(Milenkovic,1992):
i

Unauthorized disclosure of information

Disclosure of information to unauthorized parties can result in

breach of privacy and in both important and unimportant losses to the

owner of the information. For example revelation of a credit card number,
a proprietary product design, a list of customers or strategic military data,
can be used by adversaries in numerous ways. Depending on the type or
nature of information in question, the consequences of abuse can range
from inconvenience to catastrophic losses.

17

ii

Unauthorized alteration or destruction of information

Destruction of information or undetected altering that cannot be

recovered is potentially equally dangerous. Even apart from the external

leakage, the loss of vital data can put an organization out, of business or
in a big mess. A common incidence of destruction for example, involved
a disgruntled employee who mislabelled the only copy of backup tapes as
scratch, which led to their subsequent erasure.

iii

Unauthorized use of service

This can result, in the loss of revenue to the service provider, like

other system penetrations, it can be exploited to gain illegal access to

information, and these penetrations can bring bad publicity and deter
potential customers. E.g. Eavesdropping: eavesdropping is the act of
surreptitiously listening to a private conversation. Even machines that
operate as a closed system (i.e., with no contact to the outside world) can
be eavesdropped upon via monitoring the faint electro-magnetic
transmissions generated by the hardware such as a TEMPEST, the FBIs
proposed Carnivore program was intended to act as a system of
eavesdropping protocols built into the systems of internet service
providers (Wikipedia,2009).

iv

Denial of Service
This usually implies some form of impairing of the computer

system that result in partial or complete loss of service to its legitimate

customers. For instance a denial of service can come in the form of
programs that multiply and spread themselves called computer worms.
Although these worms do not perform directly hostile acts once they
invade a computer, they tend to consume resources to the part of drawing
the system and rendering it to be unable to provide normal services to
18

legitimate users. Because they harm many people other than the direct
targets, DoS may well be the most serious type of hacker war (Dennis,
2001). Denial of service attacks can result to: denial of access to
information, denial of access to applications, denial of access to systems
and denial of access to communications (Emefoh, 2008).
This frequently includes such things as gaining control of a
computer system or allowing privilege escalation or a denial of service
attack. Many development methodologies rely on testing to ensure the
quality of any code released; this process often fails to discover extremely
unusual potential exploits. The term exploit generally refers to small
programs designed to take advantage of a software flaw that has been
discovered, either remote or local. The code from the exploit program is
frequently reused in Trojan horses and computer viruses. In some cases,
vulnerability can lie in certain programs processing of a specific file
type, such as a non-executable media file. Some security web sites
maintain lists of currently known unpatched vulnerabilities found in
common programs.
v

Social engineering and human error

A computer system is no more secure than the human systems

responsible for its operation. Malicious individuals have regularly

penetrated well-designed, secure computer systems by taking advantage
of the carelessness of trusted individuals, or by deliberately deceiving
them, for example sending messages that they are the system
administrator and asking for passwords. This deception is known as
Social engineering. E.g. Phishing: Phishing is an attempt to criminally
and fraudulently acquire sensitive information, such as usernames,
passwords and credit card details, by masquerading as a trustworthy
entity in an electronic communication. eBay, PayPal and online banks are
common targets. Phishing is typically carried out by email or instant
19

messaging, and often directs users to enter details at a website, although

phone contact has also been used. Phishing is an example of social
engineering techniques used to fool users (Milenkovic, 1992).

2.3.2 Security Measures

Security measures are the necessary precautions that can be
followed in order to protect the devices and the sensitive information they
may contain or to which they may have access to. Some major security
measures are discussed below (Milenkovic, 1992; Fred, 2005).

i.

Authentication
The major goal of authentication is to allow access to legitimate

system users and to deny access to unauthorized parties. Here, only the
one-way authentication is discussed. There are two primary measures of
authentication effectiveness.
i.

The false ratio which is the percentage of illegitimate users that

are admitted erroneously and

ii.

The false rejection ratio which is, the percentage of legitimate

users who are denied access due to failure of the authentication
mechanism. It clearly shows the aim of minimizing both the false
acceptance and false rejection ratios.

This one-way authentication is usually based on:

Possession of a secret code (password)
Possession of an artifact
Unique physiological or behavioral characteristics of the
user.

20

ii. Passwords
This is the most common authentication mechanism based on
sharing of a secret code. In a password-based system each user has a
password, which may initially be assigned by the system or administrator.
Then later, the system allows users to change their passwords to the text
they desire. The system stores all user passwords and uses them to
authenticate the users. When a user tries to log-in the system requests and
the user supplies a presumably secret user-specific password. Although,
passwords offer limited protection as they may be relatively easy to
obtain or guess. For example, unencrypted password files stored in a
system are obviously an easy prey. Some unauthorized users may also
attempt to log in by trying a series of different passwords. One way to
deal with the problem is to limit the number of consecutive attempts to
log-in from a given destination and to disconnect the line thereafter.
Another way to deal with the consecutive attempt is to diab1e the users
account after a certain number of unsuccessful attempts. The user may
subsequently reinstate the account by establishing his or her identity with
the system administrator. Figure 2.1 shows a password dialog box.

Fig 2.1 Screen shot showing Password dialog box

21

iii.

Artifact-based Authentication
This authentication type is commonly used for user authentication

on machine-readable badges (which are usually with magnetic stripes)

and incarnations of electronic smart cards. The badge or card readers may
be installed in or near the terminals and the users are required to supply
the artifact for authentication. Artifact identification is coupled with the
use of a password in many systems; the user must insert the card and then
supply his or her password. An example is the use of Automated Teller
Machines. It is also used in companies where badges are required for
employees to gain access to the work premises. In both cases, the use of
badge as an artifact for computer access and authentication can reduce the
likelihood of undetected loss of an artifact and for cards; the users
password secret is kept away from the system because it is stored in an
unreadable form within the card itself. This makes it difficult for
perpetrators to uncover user passwords. Figure 2.2 shows a sample of
credit card.

Fig 2.2 Screen shot showing Sample of Credit Cards

iv.

Biometric Techniques
Biometric technique is a group of authentication mechanism which

is based on the unique characteristics for each user. Biometric techniques

22

can relatively unobtrusively establish some unique user characteristics.

The characteristic falls into two basic categories:
i.

Physiological characteristics such as fingerprints, capillary patterns

in the retina, hand geometry and facial characteristics.

ii.

Behavioral characteristics, such as signature dynamics, voice

pattern, and turning of keystrokes.
The behavioral characteristic varies with a users state (i.e. a users

stress level and fatigue) and thus may be susceptive to higher false
acceptance or rejection rates. The detection devices are usually self
contained and independent of the computer system, this increases
resistance to common computer penetration methods and improves the
potential for tamper-proofing. The disadvantages of this authentication
technique include high cost, potential invasion of privacy and reluctance
of some user. Its advantages are the accuracy of user authentication and
reduction of false acceptance in security-conscious environments.

v.

Firewall
A firewall can be defined as a way of filtering network data

between a host or a network and another network, such as the Internet,

and is normally implemented as software running on the machine,
hooking into the network stack (or, in the case of most UNIX-based
operating systems such as Linux, built into the operating system kernel)
to provide real time filtering and blocking. Another implementation is a
so-called physical firewall, which consists of a separate machine filtering
network traffic. Firewalls are common amongst machines that are
permanently connected to the Internet (though not universal, as
demonstrated by the large numbers of machines cracked by worms like
the Code Red worm which would have been protected by a properlyconfigured firewall). However, relatively few organizations maintain
23

computer systems with effective detection systems, and fewer still have
organized response mechanisms in place. (Franklin, Milenkovic, 1992)
Firewalls are by far the most common prevention systems from a
network security perspective as they can (if properly configured) shield
access to internal network services, and block certain kinds of attacks
through packet filtering. Figure 2.3 shows a typical firewall
configuration.

SECURE SSL
CONNECTION TO ANT
NETWORK RESOURCE

Fig 2.3 Typical Firewall Configuration

vi.

Cryptography
Security in computer systems can be strengthening by encrypting

sensitive records and messages in transit and in storage. The original text
is called the plaintext or cleartext. The original text is encrypted using
some encryption method parameterized by a key which gives ciphertext.
The cipher text may be stored or transmitted through the communication
medium such as wires and radio links. To get back the plaintext by
decrypting the enciphered message using the decryption key.
A cryptographic system that uses the same key for both encryption
and is said to be symmetric while, when different keys are used at the two
ends is called asymmetric scheme.(MilenKovic, 1992).
24

Encryption: Is the encoding of data for security purposes; especially

used when transmitting confidential information across a network or
through satellite links. Because is often intercepted during transmission, it
is used to counteract any abuse.
Decryption: The process of decoding information so that it can be read
and manipulated. The encrypted text or ciphertext is decoded back to
plaintext.

Fig2.4 Basic model of a cryptographic system: Describing

encryption and decryption methods
Example: one of the first known ciphers is attributed to Julius
Caesar (Caesars cipher).The process is done by substituting each letter
with a letter that comes three places later in the alphabets to illustrate:
using the English alphabet and converting upper case, the plaintext
Caesar would yield the ciphertext FDHYDU, Victoria would yield the
ciphertext, YLFWRULD.

25

2.4 MOBILE SECURITY MODELS

Beyond exploring general security challenges with mobile
environments, it is productive to look in-depth at the security models that
real-world platforms employed. Better understanding of the strengths and
weaknesses of a platforms security model allows researchers to target
their efforts towards specific platform deficiencies or against certain
classes of threats. It is also beneficial to understand the development
decisions and trade-offs made by the platform designers when attempting
to balance security with usability and extensibility.
Unfortunately, mobile platforms have a diverse set of security
models. No two platforms are the same when it comes to security
mechanisms and design decisions, making the development of platform
protection mechanisms a significant challenge.
In order to understand the unique differences between the security
models of various mobile platforms, we detail a simple taxonomy of
common attributes for mobile security models. Our taxonomy
decomposes the security of the mobile device platform into three primary
components: application delivery, trust levels, and system isolation (Jon
and Farnam, 2010).

Application Delivery
Application delivery refers to the ability of a mobile platform to
verify the integrity of the source of an application. Secure application
delivery capabilities are important to, not only assert the source and
identity of a particular application, but also to make it more difficult for
an attacker to install a malicious application on a victims device.
However, it is a significant challenge for platform vendors to balance
restrictive application delivery capabilities while maintaining sufficient
extensibility of the mobile device. Also numerous platforms over the
26

capability for applications are to be cryptographically signed, in order to

assure the end user of the identity of the applications developer.
Obtaining signing keys from the platforms vendor may vary in difficulty
and cost. Platforms may also lock down the mobile device and only allow
installation of application from a single source. On the other hand, some
platforms may choose to focus on open extensibility and allow
applications to come from any source or developer.
For example, Jon, and Farnam,(2010) classify the iPhone with
high application delivery capabilities because each new application must
be authenticated and go through an approval process performed by Apple
before being published in the App Store. Apple also has the capability to
revoke applications from the App Store and maintains a remote kill
switch that allows Apple to blacklist applications that may have already
been installed on a device.

Trust Levels
Trust levels refer to the capability to assign a particular confidence
or privilege to an application. Comprehensive trust levels are important to
prevent applications from performing actions that they are not authorized
to perform. These trust levels may be specified at numerous points in the
application delivery and installation. Some platforms assign a trust level
when is signed by the vendor or developer. Cryptographic signatures may
be used to determine whether an application is allowed to operate at an
elevated trust level. Other platforms ask the user to decide what trust
level an application may run at or present a set of desired privileges for
the user to approve or deny. Choosing the optimal granularity of trust
levels can present a challenge for mobile security models. If the trust
levels are too coarse-grained, the risk of malicious behavior within
applications may increase. If the trust levels are too fine-grained, it may
27

raise performance concerns to track system events at such a low- level

and usability concerns for users to be able to make an educated decision
about an applications trust.
For example, Googles Android platform is rated at high as it has
a permission based model that strikes a good balance of trust level
granularity. When an application is installed, manifests provided with the
application states the desired capabilities of the application (e.g., access
the network; access the dialer, access coarse-grained location data). The
user is prompted to review the requested capabilities and decide whether
to allow the application to install.
The Windows Mobile platform is rated at medium. While not as
fine-grained as the Android platform, it provides three distinct tiers of
permission: privileged, normal, and blocked. Privileged applications can
perform any action they desire, normal applications are restricted to
certain API calls and are denied access to certain system files, and
blocked applications are completely denied execution. The iPhone is
rated at a low because it has very coarse grained permissions that only
protect a few services such as the location of the user.

System Isolation
System isolation refers to the capability of the platform to isolate or
sandbox a particular application and prevents it from compromising or
affecting the underlying system or other applications. As vulnerabilities
in complex mobile applications are not uncommon; a modern mobile
software platform should include mechanisms to reduce the risk of a
compromise and safe-guard the integrity of the underlying system.
For example, the iPhone platform is rated at low for system
isolation as many of the applications run at the same privilege level.
Therefore, if vulnerability exists in such an application, the integrity of
28

other applications may be compromised as well. Given the large attack

surface of complex Objective-C- based applications; the lack of systemwide sandbox functionality is a cause for concern. On the other hand, the
Android platform is rated at high for system isolation. While
vulnerability within an Android application may allow an attacker to steal
data owned by that application (e.g., steal cookies by exploiting a
browser), other applications and the underlying system is isolated from
the compromise since each application is executed as a unique
identification (UID).

2.5 Data Encryption Standard (DES)

Data Encryption Standard is one algorithm that is believed to
provide a reasonable compromise among the computational complexity
of encryption and decryption, since they represent processing overhead
that increases communication delays. It was originally developed by IBM
and was adopted as an NBS standard in 1977. The DES algorithm
operates on a 64 bit (8 byte) blocks of input at a time. The encryption
process is parameterized by a user supplied 56 bit key (the key
space thus contains 256 combinations). Every bit of the output block is a
complex function of every bit in the input block and of every bit in the
key. (MilenKovic, 1992)
The DES is a symmetric cryptosystem therefore the cipher text is
decrypted using the same key; its structured in such a way that the
decryption process is the exact reverse of the encryption. Like most block
cipher algorithms, DES is based on the Feistel principle. Feistel ciphers
iterate the same basic step in a number of rounds. The same DES
algorithm is used for both encryption and decryption, because cycle j
derives from cycle (j-1) in the following manner (Gollmann, 1999;
Pfleeger, 2000):
29

Lj =Rj-1

.. (1)

Rj = Lj-1 f (Rj-1, kj ).............. (2)

Where is the exclusive-or operation and f is the function
computed
In an expand-shift-substitute-permute cycle. The two equations
show that the result of each cycle depends only on the previous cycle.
By rewriting these equations in terms of Rj-1 and Lj-1, we get
Rj-1 = Lj

.. (3)

And

Lj-1 = Rj f(Rj-1 Lj) ................ (4)

Substituting (3) into (4) gives
Lj-1 = Rj f (Lj , kj) ................ (5)
Equations (3) and, (5) show that these same values could be
obtained from the results of later cycles. This makes property makes the
DES a reversible procedure; data can be encrypted and also the result be
decrypted to derive the plaintext again. Theo decrypt only change is that
the keys must be taken in reverse order (k 16 , k15, ..., k1 ) for decryption.
Using one algorithm either to encrypt or to decrypt is very convenient for
a hardware or software implementation of the DES.

2.6 WIRED EQUIVALENT PRIVACY (WEP) PROTOCOL

The WEP protocol is designed to provide privacy to packet based
wireless Networks based on the IEEE 802.11 standard, which provide
link-level encryption of data. It is a symmetric encryption that relies on
the difficulty of discovering the secret key through a brute-force attack. It
encrypts by taking a secret key and a per-packet 3 byte IV (Initialization
Vector), and using the IV followed by the secret key as the RC4 key. It
then transmits the IV and the RC4 encrypted payload. The WEP service

30

is intended to provide functionality for wireless LAN equivalent to that,

provided by the physical security attributes inherent to wired media.
WEP has a secret internal state which is a permutation of the entire N=
2n possible n bits with two words along with two indices in Q. It is a fast
encryption since it is 10 times faster than DES. Shown in figure 2.5
below (Brain, et al, n.d; Scott, n.d).

Figure 2.5 WEP algorithm.

2.6.1 ADVANTAGE OF WEP

The advantages of using WEP protocol are stated below (IEEE
Submission, 1993):
Reasonably Strong
The security afforded by the algorithm relies on the difficulty of
discovering the secret key through a brute-force attack. This in turn is
related to the length of the secret key (usually expressed in bits) and the
frequency of changing keys. However, it may be an easier problem to
discover k(key) through statistical methods if the key sequence remains
31

fixed and significant quantities of cipher text are available to the attacker.
WEP avoids this by frequently changing the IV and hence k.

Self Synchronizing:
This property is critical for a data-link level encryption algorithm,
where best effort delivery is assumed and packet loss rates can be high.
Synchronization is provided by the initialization vector. An algorithm that
assumes reliable delivery in order to maintain synchronization between
sender and receiver would not provide acceptable performance.

Efficient:
The WEP algorithm is very efficient in comparison to traditional
block ciphers. It uses few resources and can be implemented efficiently in
either hardware or software.
Requirement for an 802.11 Option:
Because of the interest of 802.11 members in making international
products, coupled with the vagary of US export law, the usage of the
WEP algorithm is specifically proposed to be an optional portion of the
802.11 standard.

2.6.2 DISADVANTAGES OF WEP

Some of the weaknesses of WEP are (Ralph and Ralph,2006; IEEE
Submission,1993):

Passive Attack
Traffic can easily be intercepted from the air-link interface
(promiscuous mode). The ciphertext is collected until there is an
initialization vector collision. However, it may be an easier problem to
32

discover by attackers through statistical analysis which improves rapidly

as collisions increases; if the key sequence remains fixed. Also XOR
ciphertext messages are collected to construct XOR of plaintext messages
thereby getting the secret code (Scott, n.d).
Message Modification
If an attacker has a known plaintext and ciphertext pair, he can use
it to construct new messages. He then uses the logic to find the bit
difference between messages and flip bits.

Injection of messages
WEP checksum is independent of the key but depend only on the
message. An attacker needs only one plaintext-ciphertext pair to form
arbitrary messages to be injected into the network. The IV-key stream
pair can be easily extracted.

33

CHAPTER THREE
SYSTEM ANALYSIS AND DESIGN
3.1

OBJECT-ORIENTED ANALYSIS AND DESIGN

Object-Oriented Analysis and Design (OOAD) is a software

engineering approach that models a system as a group of interacting

objects. Each object represents some entity of interest in the system being
modelled, and is characterized by its class, its state (data elements), and
its behaviour. Various models can be created to show the static structure,
dynamic behavior, and run- time deployment of these collaborating
objects. There are a number of different notations for representing these
models, such as the Unified Modelling Language (UML) (Ralph and
Ralph, 2006; Pat and Jonathan, 2000).
Object-Oriented

Analysis

(OOA)

applies

object-modelling

techniques to analyze the functional requirement for a system. ObjectOriented Design (OOD) elaborates the analysis models to produce
implementation specifications. OOA focuses on what the system does,
while OOD focuses on how the system does it (Ralph and Ralph , 2006).

3.1.1 OBJECT-ORIENTED SYSTEM

An object-oriented system is composed of objects. The behavior of
the system results from the collaboration of those objects. Collaboration
between objects involves sending messages to each other. Sending a
message differs from calling a function, in that, when a target object
receives a message, it itself decides what function to carry out to service
that message. The same message may be implemented by many different
functions, the one selected depending on the state of the targeted object.
The implementation of message sending varies depending on the
architecture of the system being modelled, and the location of the objects
being communicated with.
34

3.1.2 OBJECT-ORIENTED ANALYSIS

Objects-Oriented Analysis (OOA) looks at the problem domain,
with the aim of producing a conceptual model of the information that
exists in the area being analyzed. Analysis models do not consider any
implementation constraints that might exist, such as concurrency,
distribution, persistence, or how the system is to be built. Implementation
constraints are dealt with during Object-Oriented Design (OOD).
Analysis is done before the Design.
The sources for the analysis can be a written requirements
statement, a formal vision document, and interviews with stakeholders or
other interested parties. A system may be divided into multiple domains,
representing different business, technological, or other areas of interest,
each of which are analyzed separately. The result of object-oriented
analysis is a description of what the system is functionally required to do,
in the form of a conceptual model that will typically be presented as a set
of use-cases.

3.1.3 OBJECT-ORIENTED DESIGN

Object-Oriented Design (OOD) transforms the conceptual model
produced in object-oriented analysis to take account of the constraints
imposed by the chosen architecture and any non-functional technological
or environmental-constraints, such as transaction throughput, response
time, run- time platform, development environment, or programming
language. The concepts in the analysis model are mapped onto
implementation classes and interfaces. The result is a model of the
solution domain, a detailed description of how the system is to be built.

35

3.1.4 OBJECT-ORIENTED MODELING

Object-Oriented Modelling (OOM) is a modelling paradigm
mainly used in computer programming. Prior to the rise of OOM, the
dominant paradigm was procedural programming, which emphasized the
use of discrete reusable code blocks that could stand on their own, take
variables, perform a function on them, and return values.
The Object-Oriented paradigm assists the program to address the
complexity of a problem domain by considering the problem not as a set
of functions that can be performed but primarily as a set of related,
interacting objects. The modelling task then is specifying, for a specific
context, those objects (or the class the objects belongs to), their respective
set of properties and methods, shared by all objects members of the class.
The description of these objects is a schema. As an example, in a model
of Online Banking System, a customer is an object. An account is another
object. Transaction is a relationship or association. An account class (or
object for simplicity) has attributes like accountld, type, description,
balance, etc. the Associate itself may be considered as an object, having
attributes,

or

qualifiers

like

transactionld,

amount,

timestamp,

credictAccount, checkBalance, transferfund, etc.(Pat and Jonathan,2000).

An information description or a schema notation is translated by
the programmer or a CASE tool in the case of schema notation (created
using a module specific to the CASE tool application) into a specific
programming language that supports object-oriented programming (or a
class type), a declarative language or into a database schema.

3.1.5 DESIGN NOTATION: UNIFIED MODELING LANGUAGE

Unified Modelling Language (UML) is a graphical notation for
drawing diagrams of software concepts. It can also be defined as a
general-purpose visual modelling language that is used to specify,
36

visualize, construct, and document the artifacts of a software system. It

captures decision and understanding about systems that must be
constructed. It is used to understand, design, browse, configure, maintain
and control information about such systems. It is intended for use with all
development methods, lifecycles stages, application domains, and media.
The modelling language is intended to unify past experience about
modelling techniques and to incorporate current software best practices,
into a standard approach. UML include semantic concepts, notation, and
guidelines. It has static, dynamic, environmental, and organizational
parts. It is intended to be supported by interactive visual modelling tools
that have code generators and report writers. The UML specification does
not define a standard process but is intended to be useful with an
interactive development process. It is intended to support most existing
object oriented development process (Ralph and Ralph, 2006).
The UML captures information about the static structure and
dynamic behaviour of a system. A system is modelled as a collection of
discrete objects that interact to perform work that ultimately benefits an
outside user. The static structure defines the kind of objects that is
important to a system and to its implementation, as well as the
relationship among the objects. The dynamic behaviour defines the
history of objects over time and the communications among objects to
accomplish goals. Modelling a system form several, separate but related
viewpoints permits it to be understood for different purposes.
The UML also contains organizational constructs for arranging
models into packages that permits software terms to partition large
system into workable pieces, to understand and control dependencies
among the packages, and to manage the versioning of model units in a
complex development environment. It contain construct for representing

37

implementation decisions and for organizing run-time elements into

components.

3.1.5.1 USE-CASE DIAGRAM OF THE SYSTEM

A use-case diagram is a description of the behaviour of a system.
The description is written from the point of view of a user, who has just
instructed the system to do something in particular. A use-case captures
the visible sequence of events that a system goes through in response to a
single user stimulus.
A visible event is an event that the user can see. Use-cases do not
describe hidden behaviour at all. They dont discuss the hidden
mechanism of the system. They only describe those things that a user can
see. Below is the use case diagram of the system (fig.3.1).

Fig: 3.1 Use Case Boundary Diagram

38

Note: In the above Boundary Diagram, the large rectangle is the system
boundary. Everything inside the rectangle is part of the system under
development. Outside the rectangle are the actors that act upon the
system.
Actors are entities outside the system that provide the stimuli for
the system. Typically, they are human users, or other systems. Inside the
boundary rectangle are the use-cases. These are the ovals shapes, with
variables inside. The lines connect the actors to the use-cases that they
stimulate.

3.2 SYSTEM DESIGN

3.2.1 CLASS DIAGRAM OF THE SYSTEM
UML class diagrams allow us to denote the static contents of, and
relationship between classes. A class is depicted on the class diagram as a
rectangle with three horizontal sections. The upper section shows the
class name (such as customers, Account, etc), the middle section contains
the class attributes, and the lower section contains the class functions or
methods or operations. The figure 3.2 shows the class diagrams of the
system.

39

40

41

Figure 3.2: Class Diagram of the System

42

Description
Rectangle represents classes, and arrows represent associations in
which one object holds a reference to and invokes methods upon the
other.

A dash ( - ) character in front of the variables in the class icon denotes

private.

A plus (+) character in front of functions or operations in the class

icon denotes public.
The type of a variable or a function argument is shown after the colon
following the variable or argument name. Similarly, the return value
of a function is shown after the colon following the function.

3.2.2 SEQUENCE DIAGRAM OF THE SYSTEM

Sequence diagrams are used to show or describe the detail
implementation of system behaviours shown in the use-case diagram. It
also describes how a particular classs method is implemented. Below are
the descriptions of the systems sequence diagrams of some of the
behaviours shown in the use-case diagram.

3.2.2.1 Authenticate User Sequence Diagram

The diagram (fig 3.3) is described as follows:
In other to authenticate the customer, the system takes these steps
The customer types his/her username and password, the request is
generated by the midlet to validate the user using the encrypted
authentication data.
Encryption and decryption takes place to authenticate if it is the
right customer that wants to log- in through the use of boolean
result from the database. If the result is True, the customer will be

43

allowed to go to the next module to find the menu for transactions.

And if not, there will be an error message, denying the customer
from logging in (invalid user name or password).
3.2.2.2 Get Account Balance Sequence Diagram
The diagram (fig 3.4) is described as follows:
After a customer has been authenticated to get to the transaction
menu module he/she picks the transaction of his/her choice. If the
characters are not equal to 12, this message will be displayed (please
your account no and transaction password must be equal to 12
characters long each).
Highlight the account balance (BALANCE ENQUIRY) from the
menu and press Ok.
The customer has to pass through another authentication module to
get into his/her account.
The customer types in his account number and transaction
password (transaction-id).
The account number and transaction password is encrypted and
checked with the cipher text in the database for authentication. If
the result returns True, the account balance for the said account
number is viewed if not true (false) the customer will not be
allowed to view the balance and an error message will be
displayed.
3.2.2.3 Debit Account Sequence Diagram
The diagram (fig 3.5) is described as follows:
From the transaction menu module
The customer highlights CASH TRANSFER on the menu and
press Ok.

44

 The customer types in his/her account number and the transactionid for authentication.
The account number and transaction-id are encrypted and
authenticated with the database. If True, the customer is allowed to
debit the account and credit another, if False an error message is
displayed.
A customer is allowed to debit the account only if there is a
sufficient amount available and

a message

is displayed

transaction performed successfully if not, an error message is

displayed showing insufficient balance and the transaction will
halt.

3.2.2.4 Credit Account Sequence Diagram

The diagram (fig 3.6) is described as follows:
The customer highlights DEPOSIT FUNDS (Credit Account) on
the menu and press Ok. A message is displayed notifying the
customer that the module is strictly operated by a bank official.

45

Figure: 3.3 Authenticate User Sequence Diagram

46

DESCRIPTION

The dashed lines hanging down from the object and the actor are
called life lines. A message being sent from the object to another
is shown as arrow between the life lines. Each message is labeled
with a name.

Arguments appear either in the parenthesis that follow the name or

next to data tokens (the little arrows with the circles on the end).

Time is in the vertical dimension, so the lower a message appears,

the later it is sent.

The skinny little rectangle on the lifeline of the Bmobile object is

called activation. Activations represent the time that a function
executes. In this case, it shows how long the authenticate user
function or method runs.

Messages leaving the activation to the right were sent by the

authenticate user method. The unlabeled arrow shows the
authenticate user function or method returning to the actor and
passing back a return value.

47

Figure 3.4: Get Account Balance Sequence Diagram

48

Figure 3.5: Debit Account Balance Sequence Diagram

49

Figure: 3.6 Credit Account Balance Sequence Diagram

50

3.2.3 DATABASE DESIGN

Designing the database through object/data modelling in the UML
gives one the ability to capture more items on the diagrams visually than
with traditional ER notations. The aim here is to map logical
analysis/design elements such as classes to tables, attributes to columns,
types to data types and associations to relationships, which will help
comprehend how the application will interact with the database.

DATABASE DIAGRAM ELEMENTS

The database diagram elements that are used to describe the
database diagrams are given below with their associated icons.
Table
Primary key

PK

Foreign key FK

FK

Primary/foreign key

Identifying relationship

o ...* 1

Non-identifying relationship

I...* 1

The figure 3.7 below shows the database diagrams of the system.

51

Figure 3.7: Database Design

52

3.2.4 DEPLOYMENT DIAGRAM OF THE SYSTEM

Deployment diagram depicts a static view of the run-time
configuration of processing nodes and the components that run on those
nodes. In other words, deployment diagrams show the hardware for the
system, the software that is installed on that hardware and middleware
used to connect the disparate machines to one another. The figure 3.8
below shows the deployment diagram of the system.

53

Figure 3.8: Deployment Diagram of the System

54

DESCRIPTION

The three-dimensional boxes represent nodes, either software or

hardware. Physical nodes are labelled with the stereotype device.

Connections between nodes are represented with simple lines and

are assigned stereotypes RMI and JDBC.

Nodes contain software components.

55

CHAPTER 4
SYSTEM IMPLEMENTATION
The previous chapter has provided a better understanding of
Systems Analysis and its requirements, but there must be a way of
converting the analytical information into a logical system design model
that can then be implemented on a computer (using any programming
language of your choice and a relational database).

4.1 MOBILE SECURITY BANKING ARCHITECTURE

The high level architecture of the system is shown in figure 4.1.

56

Figure 4.1: Architecture of Mobile Banking Security Services

57

DESCRIPTION

A client, web consumer is the J2ME application (MIDLet), a JSR

172 stub and supporting classes and the JSR 172 runtime.

The network refers to the wireless and wired networks, part of the
internet and the communication protocols.

The server, web services producer (mobile security bank) typically

behind fire walls. This server has access to back-end resources.

The database (postqresSQL) stores web service producer data.

4.2 CHOICE OF PROGRAMMING LANGUAGE

The Java programming language is an advance programming
language designed by Sun Microsystems. Java has object oriented
features which includes inheritance, polymorphism, data abstraction and
data encapsulation.
However, the most appealing feature of the Java programming
language is that it is platform independent. Platform independent means
that java programs either in source code or object code are independent of
the operating system used in writing the program (i.e. java program can
run in any operating system).

58

4.3

SCREEN SHOTS OF DEMOS

4.3.1 Splash Screen

Figure 4.2 Screen shot of the splash screen

59

4.3.2 Welcome Page Screen

Figure 4.3 Screen shot of the Welcome page

60

4.3.3 Screen to authenticate user to perform transactions

Figure 4.4 Screen shot of Authentication page

61

4.4 SYSTEM SPECIFICATION

This refers to the specification of hardware and software
requirement for using the mobile security banking system software.
The Hardware Requirements for testing the software are as
follows:
i)

Intel Dual core 2.0 GHz processor speed (minimum)

ii)

Minimum of 1 GB RAM or higher

iii)

15 inches monitor

iv)

Minimum Of 40GB hard disk drive or higher

v)

52 CD ROM drive
The software requirements for testing the software are as follows:

i) Windows Operating System or any other Java compatible OS

ii) Java Development Kit (jdk) version 1.5 or higher
iii) Sun Application server version 9.1 or higher
iv) Microsoft Internet Explorer version 4.0 (or higher) or any other web
browsers
v) PostgreSQL database.

4.5 USER GUIDE

This aspect is concerned with how to use the software. The
software is user friendly and interactive, this makes it easy for people
who do not know how to use computer efficiently.
To use the software the users have to do the following:
1)

Boot a PC

2)

When the PC starts up, run the SUN application server by going
through

(start

button),

All

program,

Application Server 9.1, Start default server.

62

Sun

Microsystems,

4.6 PERFORMANCE EVALUATION

Existing system
An example to be considered here as an existing mobile banking
system, is the First Bank Nigeria Plcs FirstMobile. Figure 4.5
highlights the strength of BMobile over FirstMobile.

Features and Functionalities

S/N BMobile
1

FirstMobile

Balance enquiry check account Balance Enquiry check

balance

account balance

Deposit Account transfer funds Money transfer transfer

from one account to another

fund from one account to

another

Credit Account- this module is Does not exist here

maintained by a bank official. It will
be more useful or used as an
alternative when there is network
break down to credit customers
account. When there is a downtime
of the banks ISP network, this
module serves as an advantage in
serving customers.

To authenticate user software is Software is installed on

installed on the phone. A username, the mobile phone and
password,

Account

number

and four digits PIN is given

transaction Id (12 digits) are required to

the

customer.

No

which is not easy to be picked by a Account Number needed.

hacker.
Figure 4.5 features and functionalities of BMobile and FirstMobile

63

Strength and weakness of mobile banking system

Three major issues are crucial in the operation and implementation of
mobile banking.
Security: Although all cell phone users ,operating mobile banking
claim to have high levels of security on their mobile phones, but
the reality is that financial information are transmitted over the air
waves and some information stored on the cell phone which could
get lost unknowingly. In this project, the mobile service
transactions are secured by the use of cryptographic technology.
Ease of Use: The modules used in the development of BMobile is
designed to be user friendly, the simulated phone uses a full
QWERTY keyboard which a user can interact with having little or
no guidance at all.

Signal Access: To adopt the use of BMobile, a user must be within

the network coverage of the telecommunication service provider
for the mobile device. For example its sometimes tough to get
signal in tall buildings and some remote part of the country.

64

CHAPTER FIVE
SUMMARY AND CONCLUSION
5.1

SUMMARY
As mobile banking gains more popularity and becomes enticing

target for attackers, this project has discussed in detail the security threats
that can be encountered, security measures and models that can be used to
curb unauthorized access to vital customer financial information.
Since mobile banking allows user to operate their accounts with the
help of a mobile phone, it helps both customer and banking institutions,
saving them from daily banking stress. But the issue of a sure security is
very important; this project has also developed application software that
will give a high level of security for the financial transactions in mobile
banking using a high levelled standard cryptographic model coded in Java
programming language, which when used can solve in a very high
percentage the problems of security in mobile banking.

BENEFITS OF THE SYSTEM

This project work presents the following contributions to knowledge:
This project will serve as one of the solutions (if adopted) to the
current Central Bank of Nigerias Cashless Policy Society
Campagne being proposed by Lamido Sanusi (CBNs Governor),
to reduce the flow of cash outside the walls of the banking hall.
The mobile banking technology on your cell phone is just another
attempt at helping one perform another everyday function from the
convenience of ones cell phone outside the walls of the banking
halls.
Security: A high level of security is embedded in this developed
mobile banking system with the use of encryption and decryption

65

technology. All information remains encrypted when its sent

between the cell phone and the bank.

5.2

CONCLUSION
As mobile banking gains more grounds, so also attackers will

develop more ways of breaking into the system; making the devices face
a range of new security threats. We believe that domain of mobile
security presents a number of interesting challenges that are becoming
ever- important to explore as the adoption and use of these mobile
platforms continues to accelerate. It is expected that, the financial
institutions engaging in mobile banking should adopt a novel application
or approach (like this one, we developed) that uses a good security model
and gives their customers satisfying services.

66

REFERENCES
Alireza P. S., and Joao P.S. (2008) Improving the security of MobilePhone access to remote personal computers. International Conference on
Software and Data Technologies.
Brain, W. and Bryon, W. E-lecture note C1S6930,Advanced Topics in
Mobile Computing
Dennis, G. (2001) Hacking into Computer Systems (DoS) Retrieved May
22, 2008 from http://www.vnadmin-net
Emefoh, A. C.(2008) Financial security for on-line Businesses M.Sc.
Seminar paper, Department of Computer Science, University of Nigeria
Nsukka .
Franklin, Templeton investments (n.d) Security.
Retrieved May20, 2008 from http://www.franklintempleton.comlretail/j
spapp/home/ft-home.j sp
Fred Halsall (2005) Multimedia Communications, Applications,
Networks, Protocols and Standards: Pearson Education (Singapore) Pte
Ltd., Indian Branch.
Geeta, S. N., Swati S.J, Aaradhana A. D., (2010) M-Banking a futuristic
security approach. International Journal of Computer Science Issues, Vol.
7, Issue 1, No. 2 pp 68-71
Gollmann, D. (1999) Computer Security: John Wiley & Sons Ltd, West
Sussex, England.
Gaurav, J., Deng, A., Chau T., Heejune, J.J.(2009) Touch-based
Authentication for Secure Online Banking: ECE 1518- Final Report, The
Identity, Privacy and Security Institute, University of Toronto.
Jenkins, B. (2008) Developing Mobile Money Ecosystem. Washington,
DC: IFC and Harvard Kennedy School
Jon, O. and Farnam J. (2010): When Mobile Than Fixed (and vice versa):
Demystifying Security challenges in Mobile Environments. The Eleventh
International Workshop on Mobile computing Systems and Applications
February 22, 2010 Annapolis, MD, USA.

67

Jonan C.N. (1992) Prentice Halls Illustrated Dictionary of Computing,

Australia: Macarthur Press.
MilenKovic Milan (1992). Operating Systems concepts and Design?
(Security and Protection), New York: MCGraw-Hill Inc.
Micheal, E. (2008) Security Online Transactions: Crime Prevention is the
key. Unknown Retrieved 11/09/2010
Pat Niemeyer and Jonathan Knudsen (2000) Learning Java
O Reilly: First edition.
Pfleeger, C.P. (2000) Security in Computing, Second Edition: PrenticeHall mc, United State of America.
Ralph Morelli and Ralph Walde (2006) Java Java Java: object-Oriented
Problem Solving Prentice Hall
Scott,F. Itsik M. and Adi S.(n.d) Weaknesses in the Key Scheduling
Algorithm of RC4
Tiwar-i, and Buse, S. (2007): The Mobile Commerce Prospects: A
Strategic Analysis of Opportunities in the Banking sector. Hamburg
University Press (Ebook as PDF download).
Wambari A. (2009) Mobile Banking In Developing Countries (a Case On
Kenya). Research project, Vaasan Ammattikorkeakoulu, University of
Applied Sciences, Kenya.
WEP: The Wired Equivalent Privacy Algorithm IEEE 802.11
submission Interoperable LAN/MAN Security (SILS), 5 February 1993
(November 1994)
Wikipedia (2009) Mobile Banking Security in the US and all over the
world. Retrieved April 7, 2009
Wikipedia (December, 2009) Mobile Banking in the world
Yang, J., Whitefied, M. and Boehme, K. (2007). New issues and
challenges facing e-banking in rural areas: as empirical study,
International Journal of Electronic Finance Vol. 1, No 3, pp 336-3 54

68