A Comprehensive Cyber Security Framework For Mobile Financial Services


Abstract
Cybercrime has grown exponentially in tandem with technical improvements, and is currently
considered one of the world's top 10 threats. A growing number of businesses are putting in place
steps to protect themselves against cybercrime and its consequences. Despite this, successful
cyber-attacks continue to climb. Over two billion individuals throughout the world who previously
had no access to conventional banking services can now be reached because of the rise of mobile
devices, and banks and other financial organizations are increasingly using mobile platforms for
financial services. On the other hand, the use of mobile devices for banking has created a new
attack channel for cybercriminals. This has hampered the adoption of mobile financial services
because of a lack of confidence in the system, and security concerns have been cited as a major
roadblock to their widespread adoption. A strategy for minimizing cybercrime in the mobile
financial services environment is proposed, and early findings from the study completed so far
are presented.
Introduction
More than $2.1 trillion is expected to be spent by the end of 2019 on fraud-related data breaches
alone. Recent occurrences have shown how widespread and destructive cybercrime has become, and
its incidence and repetition are also increasing [1]. There is a strong financial incentive to
commit cybercrime. Attackers utilize malware to steal money from bank accounts, and ransomware
has been used to extort cash from its victims. Cybercrime may also be motivated by sabotage or
curiosity, among other factors. Cyber assaults might also take place as a result of insider
misdeeds. For example, a member of an organization's staff may be able to fraudulently gain access
to systems if proper safeguards are not in place, and these privileges may be misused to engage in
illegal activity. Mistakes or lack of information might also be the cause of insider abuse.
In order to protect themselves against cybercrime, some organizations have installed technical
safeguards, while others have invested in more extensive information security programs. Despite
these precautions, successful cyber-attacks on organizations are nevertheless routinely reported
in the press, including:
- Malware.
- Web-based attacks.
- Web application attacks.
- Botnets.
- Denial of service.
- Physical damage/theft/loss.
- Insider abuse.
Electronic financial transactions are protected by a sophisticated technological framework that
includes strong encryption, steganography, many layers of biometric authentication, and a mix of
biometrics-based authentication and tokenization.
A brief review of the history of mobile financial services
To support a better understanding of cyber security risks in mobile financial services, we offer
an overview of mobile financial services and their environment.
Taxonomy of mobile financial services
Some of the benefits of mobile banking are end-user effectiveness, security, and convenience; bank
cost reduction and operational efficiency; and government and institutional financial inclusion
goals.
Mobile banking has emerged as a viable alternative to traditional banking channels. As a result,
Fintech 2.0 has added new products like Mobile Insurance into the equation. Everything else
besides insurance may be utilized to make a payment [2].
Mobile money users don't need a bank account to make purchases. In order to use a mobile wallet,
you must be in possession of a valid credit card. This research covers mobile wallets, mobile
money and mobile banking, referred to collectively as MFS. Additional taxonomic features are
included in the description of these three MFS products.
Mobile wallets are becoming increasingly popular. The e-wallet was a major invention in
e-business: in order to pay for purchases made with merchants that accept e-wallets, clients must
first create an e-wallet account. Google Wallet and PayPal are examples of popular e-wallets.
With the introduction of smartphones, mobile e-wallets were created. Mobile wallets (M-wallets)
provide the same functions as e-wallets, and also allow for proximity payments due to their
flexibility. Examples of mobile wallets are shown in Figure 1.

Figure 1: Mobile wallet


Mobile Financial Services (MFS) comprise mobile phone based Fintech products (e.g. Mobile
Insurance) and three payment products:

- Mobile Wallet. Technology: NFC, biometric, tokenization. MP*: e.g. Apple Pay, Samsung Pay.
  Predominant user: banked payment card holders. Countermeasures: standards, authentication and
  transaction limits.
- Mobile Money. Technology: USSD, SMS. MP*: MPESA, PAGA etc. Predominant users: unbanked.
  Countermeasure: user awareness.
- Mobile Banking. Technology: web protocols, tokens. Predominant user: banked bank account
  holders. Countermeasure: same as those for mobile wallet and online banking.

Figure 2: Mobile Financial Services taxonomy


Apple, Samsung, and Android all accept credit card payments. Mobile wallets use Near Field
Communication (NFC), a contactless communication technology, to perform proximity payments.
Smartphone biometric identification adds a new layer of security to mobile wallet-based payments.
Cash remains the preferred method of payment in many underdeveloped countries. Cash
transactions, on the other hand, pose a number of risks, including theft and damage. In addition,
the availability of financial services is a major concern for many. In a cashless society,
'electronic' money is used in lieu of cash. Cash is exchanged for e-float through mobile money
agents. Cashless transactions allow customers to transmit money or make purchases without cash.
Cash-in and cash-out operations may also be handled by agents. The use of mobile money is more
prevalent in impoverished countries. Unstructured Supplementary Service Data (USSD) and Short
Message Service (SMS) are used in mobile money transactions: messages are sent between mobile
devices and applications over the mobile network. Both techniques are unsafe, however, due to the
absence of end-to-end encryption.

Mobile banking is the extension of traditional financial services to mobile devices. Customers use
mobile apps to connect to their bank remotely, or connect to the bank's secure site over the
internet through a web address (URL).
Internet, phone data subscription, and near field technology are the three main ways to access
mobile financial services. A cyber-security strategy for mobile financial services should examine
the unique security challenges of each connection method.
Technology underpinning mobile financial services
It's important to note that the phone's features and methods of financial access affect its
security. For example, biometric authentication with tokens and PINs has increased the security of
mobile payments. Feature phones, however, because of their simplicity, are more vulnerable to
attack due to USSD vulnerabilities and the lack of end-to-end encryption on SMS. The phone is also
susceptible to mobile malware attacks when it uses public Wi-Fi to connect [3].
It takes several parties and technologies to complete a mobile financial services transaction on
the mobile platform. By leveraging NFC technology, a mobile payment request may be sent to a
merchant without having to go via the Internet. Each value chain service provider has unique
technology and procedures. Some of these transactions cross organizational and geographical
lines.
The complex mobile financial services ecosystem
End User: the originator or recipient of a mobile financial service.
Mobile Network Operator (MNO): in certain cases, the MNO supplies MFS.
Mobile Money Operators (MMO): agents of the bank who offer mobile banking services to customers.
They handle cash-in and cash-out, and exist only in the mobile money value chain.
Deposit Money Banks (DMB): banks provide MMOs with financial services through mobile banking.
Merchants: they operate mobile payment terminals.
Card Issuers: they provide cards that can be used for mobile payments.
Regulators: regulators in financial services and telecom; they regulate activity in the ecosystem.
Service Providers: third-party service providers and developers of mobile apps.
Cyber security in mobile financial services and countermeasures
- The most typical cyber security risks with mobile applications include the loss or theft of
  mobile devices, the misconfiguration of mobile apps, and mobile malware.
- Mobile financial services have the following cyber-vulnerabilities:
- Smartphone architecture is divided into four parts.
  - Normal OS and App Environment. It runs third-party applications and has poor security.
  - Secure Element (SE). A hardware environment, more secure than the normal OS, that houses
    sensitive data and applications.
  - Secure Execution Environment. Encrypts sensitive data and authorizes software programs on
    the main processor.
- Understanding this architecture has helped create technical countermeasures for MFS. But this
  same understanding has been used to defraud the system.
- Flow of information: before performing any MFS transaction, users must establish network
  communication.
- In addition to databases, service providers invest in software applications and network
  infrastructure. Cybercriminals may exploit a weakness in service providers' backend technology
  that is not constantly updated and patched.
- Process: human actors engage with technology via established procedures that must be
  optimized and resilient enough to support cybercrime-reducing behaviors.
Overview of the proposed mobile financial services MFS STS framework
Existing anti-cybercrime measures are effective when used in certain scenarios. Social interaction
and the availability of both trustworthy and untrustworthy components render existing safeguards
useless in the face of mobile financial service threats. Controls are devised to limit undesirable
behaviors by untrusted elements while promoting desirable actions by trusted elements in light of
the dynamic social interactions in the mobile financial services and the existence of trusted and
untrusted components.
Because of the compensating controls, the framework is adaptable in the face of changing
environmental circumstances.
The following part discusses how the framework was created.
Approach adopted for developing solution
Mobile financial services are a nebulous domain. Identifying key stakeholders, analyzing
trustworthy and untrusted entities in mobile financial services, understanding information flow,
and developing requirements for a robust solution were all important steps in developing a
resilient framework for cyber security.
Before proposing a remedy, a five-pronged methodical strategy was used. The stages of the method
are listed below.
State of the art
Evaluation of the current state of mobile financial services will be done using best practices
and literature. Because of the human role in developing resilient controls, human factor
strategies and how they might improve cyber security will be studied. Ideally, the best method to
gather requirements for a solid framework would be to conduct a thorough investigation. Finally,
the flow of information inside the system would be examined to help design controls that would
enhance effective security. In this phase, we will learn about the condition of mobile financial
services, cyber security challenges, human factors, capability maturity and information assurance
best practices [4].
Requirement
This phase would develop the cyber security framework requirements based on the MFS. To elicit
needs for the framework, Use Case and MoSCoW methodologies will be utilized with human factor
approaches like soft systems methodology (SSM) and interactive management (IM). Other complex
system analysis methodologies uncovered in the 'If-Is' phase would be used to construct
requirements as needed. The output from the state-of-the-art phase would be fed directly into this
phase for use in mobile financial services.
Framework
During this phase, the mobile financial services cyber security framework would be developed. As
the project progressed, this would not be a defining moment, but rather a series of incremental
improvements. The requirements collected in the previous phase of the project would be used to
build an integrated framework employing solution architecture and technology governance
frameworks.
Validation
Focus group workshops and peer evaluations would be utilized to test the framework, which would
then be improved.
Exploitation
The proven framework would be put to use for the unbanked. Policies, processes, and guidelines
would be implemented to satisfy particular cyber security needs so that unbanked people can use
MFS.
The suggested strategy is based on best practices and literature research. The method would be
tweaked as the study progressed.

Figure 3: cycle of events
Preliminary findings and findings from the research project
This section summarizes some early results from the research.
The human aspect is critical in developing a strong solution, according to the literature assessment.
Some current technology countermeasures have failed owing to omission of this critical element.
So we looked at mobile financial services human factors and cyber security.
Human factors and cyber security challenges in mobile financial services
For this project, the stakeholders in mobile financial services were interviewed about the human
aspect and cyber security challenges in order to better understand how to design comprehensive
controls and countermeasures that stakeholders can easily apply [5]. Human factor methodologies
helped attain this aim: human factor techniques have been found to help define ill-defined complex
problem areas like the MFS.
Table 1: Justification for using human factors

SN | Approach | Technique | Justification
1 | Soft Systems | Rich Picture | Understanding of the ambiguous issue area from the perspective of the stakeholders
2 | Soft Systems | Root Definition and Conceptual Model | Suggested ways to address security risks in an ecosystem from a variety of perspectives.
3 | Interactive Management | Idea Writing | Ideas are generated via brainstorming on human factor related cyber security challenges.
4 | Interactive Management | Nominal Group Technique |
5 | Interactive Management | Interpretive Structural Modelling (ISM) | The technique avoided a situation where the focus was on the solution rather than a comprehensive understanding of the challenges.

Preliminary results
The stakeholders' worldview affects their understanding of mobile financial services. User
registration for mobile financial services products is handled by the principal in the ecosystem,
who acts as a bank representative. For this reason, the principal must be very cautious while
enrolling people. Money float (physical or electronic) concerns may arise for agents, and customer
cash-outs may be delayed. Agents near banks may potentially delay cash replenishment, allowing
e-float to fill the void.
Banks and principals do not operate after hours, so, for example, the cash-in capability of mobile
financial services is only available during regular banking hours, whereas money transfers and
internet payments are available 24/7.
Confidence in mobile financial services products has been eroded by inadequate network
connectivity. Regulators in the ecosystem include the financial services and telecommunications
authorities [6].
Regulators have different goals. Unlike the FS regulator, the telecom regulator is focused on
quality.

Figure 4: mobile money operator
Compliance and performance management of communications services inside the STS need
collaboration between these authorities.
The DMB participants contributed 38 issues out of 269 issues total. Awareness, infrastructure,
procedure, and others were among the topics evaluated by the committee. Others highlighted
concerns about mobile malware and insider threats. Balancing user experience and mobile app
security is a danger to the STS. Mobile money carriers have adopted minimum Know Your Customer
(KYC) rules to boost uptake, which raises concerns with the regulators. The regulator group also
raised concern about the need to design and implement rules for cyber security inside mobile
financial services.
International money transfer capabilities utilizing mobile financial services may be a conduit for
money laundering and terrorist funding due to jurisdictional disparities in legal and regulatory
requirements. All groups agreed that increasing user understanding of technology, security, and
consumer protection was important. However, the ecosystem did not properly understand its duty
for user awareness. Others expect banks and service providers to educate customers on cyber
security [7].
Also, most mobile financial services vendors lack a dedicated cyber security support desk, and
customers' worries about cyber security were handled no differently from other complaints.
Cybercrime cases take a long time to investigate and resolve, even when successfully reported.
Typically, customers are urged to be more cautious while using mobile financial services products.
Customers' complaints about cyber fraud have been ignored, and the failure to resolve problems has
harmed faith in mobile financial services. Participants developed a prioritized set of goals to
solve the challenges presented. According to the participants, these aims would reduce the danger
of cybercrime in the complex mobile financial services ecosystem.
The CERT group was concerned that legislative foundations for controlling cyber security be
established [8].
Table 2: Top cyber security goals

Group | Objectives
Financial Services Regulators | Set up a cyber-security operations centre for the whole industry.
Banks | Make sure there aren't any issues with infrastructure (e.g. electricity, Internet, technology) that might harm your company.
Unbanked | Users should be educated on the dangers of social engineering.
Banked | Reduce the risk of insider misuse in banks by enforcing separation of duties.
CERT | Improve the public's understanding of technology and data security. Assemble a picture of how familiar phone hackers operate.
Service Providers | Increase confidence in mobile financial services by learning about the security measures in place. Be willing to adapt to new circumstances.
As the environment and the legal and regulatory landscape changed, mobile financial services
were revised to reflect these changes.
One size does not fit all when it comes to raising cyber security awareness, and the CERT group
was interested in crafting a program suited to the requirements of key stakeholders.
What we learned from SMEs in our semi-structured interviews is as follows:
- Financial intermediaries and settlement firms should be recognized as different stakeholders
  in mobile financial services because of the critical roles they play in the industry.
- Some experts believe that technologies that accept incomplete commits due to infrastructure
  (Internet, power) failures should be implemented in order to reduce the risks affecting
  information flow within the ecosystem.
- Forensic software interfaces were proposed to enhance forensic investigation.

Figure 4: objectives relationship between mobile financial services (objectives O1 to O12 and
the links between them)


- The user interface might be made more secure without sacrificing usability.
- A shared services strategy was advocated in light of the high cost of deploying
  countermeasures.
- As a way to reduce the danger of Wi-Fi vulnerabilities, mobile apps that can recognize
  unauthorized Wi-Fi accesses were recommended.
- Another suggestion was that if a mobile device is not properly patched and updated, the app
  should be able to disconnect immediately.
- A 24/7 customer support centre to react to cybercrime incidents was recommended because of the
  human element's susceptibility.
Myth and belief should also be taken into account while developing a method to combat
cybercrime.
A legislative structure that supports the MFS STS's distinctive functioning should be designed.
As a starting point for constructing a robust cyber security countermeasure for the MFS STS,
experts overwhelmingly recommended tightening technological controls, increasing user awareness,
and considering human factors and process workflow.
The majority of the experts' comments are consistent with the difficulties mentioned in the IM
workshops and the goals indicated for reducing cyber security risks in the complex MFS STS.
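Two of the countermeasures raised above can be shown in code: the SME suggestion that MFS technology should cope with incomplete commits caused by Internet or power failures, and the transaction limits listed as a mobile-wallet countermeasure in Figure 2. The block below is an added example written for this article, not code from the paper or any MFS operator; the account names, amounts and limit values are constructed, and the idempotency-key scheme is an assumed design.

```python
"""Added example (not from the paper): an idempotent mobile-money ledger with
transaction limits. A client on a flaky link (an agent doing cash-in, say)
that never receives the reply to a transfer will retry it; the ledger must
not debit the sender twice. Names, amounts and limits are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, Optional

# Constructed policy values: a per-transaction cap and a daily cap per sender,
# the kind of transaction limit an operator imposes to bound fraud losses.
PER_TXN_LIMIT = Decimal("50000")
DAILY_LIMIT = Decimal("150000")


@dataclass
class Result:
    status: str                        # "ok", "replayed" or "rejected"
    reason: str = ""
    balance: Optional[Decimal] = None  # sender balance after a successful debit


@dataclass
class Ledger:
    balances: Dict[str, Decimal]
    daily_out: Dict[str, Decimal] = field(default_factory=dict)
    # Outcomes keyed by the client-chosen idempotency key. A retry of a request
    # already processed is answered from here instead of being applied again.
    committed: Dict[str, Result] = field(default_factory=dict)

    def transfer(self, idem_key: str, sender: str, receiver: str,
                 amount: Decimal) -> Result:
        # Replay protection: same key, same answer, no second debit.
        if idem_key in self.committed:
            prior = self.committed[idem_key]
            return Result("replayed", prior.reason, prior.balance)
        if amount <= 0:
            return self._reject(idem_key, "non-positive amount")
        if amount > PER_TXN_LIMIT:
            return self._reject(idem_key, "per-transaction limit exceeded")
        spent = self.daily_out.get(sender, Decimal("0"))
        if spent + amount > DAILY_LIMIT:
            return self._reject(idem_key, "daily limit exceeded")
        if self.balances.get(sender, Decimal("0")) < amount:
            return self._reject(idem_key, "insufficient funds")
        # Commit: apply both legs, then record the key so a late retry sees a
        # completed transaction rather than a new one.
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, Decimal("0")) + amount
        self.daily_out[sender] = spent + amount
        res = Result("ok", balance=self.balances[sender])
        self.committed[idem_key] = res
        return res

    def _reject(self, idem_key: str, reason: str) -> Result:
        # Rejections are recorded too, so a retried bad request is not
        # re-evaluated against a balance that may have changed meanwhile.
        res = Result("rejected", reason)
        self.committed[idem_key] = res
        return res


def dropped_reply_scenario() -> Ledger:
    """Constructed scenario: the reply to the first transfer is lost in the
    network and the agent retries with the same idempotency key."""
    ledger = Ledger(balances={"agent-01": Decimal("100000"),
                              "cust-77": Decimal("0")})
    ledger.transfer("txn-abc", "agent-01", "cust-77", Decimal("20000"))  # reply lost
    ledger.transfer("txn-abc", "agent-01", "cust-77", Decimal("20000"))  # retry
    return ledger
```

After the scenario runs, the agent has been debited once (80000 left) even though the transfer request arrived twice, and the retry is answered with the original outcome.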
Conclusion
Despite its inherent advantages, lack of trust has hampered the implementation of mobile financial
services. This lack of faith was caused by cybercrime, and anti-cybercrime efforts haven't worked
in lowering cybercrime and increasing confidence in mobile financial services.
In order to combat cybercrime, a comprehensive structure is required. With this approach,
researchers may better understand how information flows in the mobile financial services
sociotechnical system, reducing the risk of cybercrime. A stakeholder-based approach was used to
develop MFS cyber security goals.
An in-depth analysis of mobile financial services and their complex ecosystem was conducted to
better understand their benefits and the threat of cybercrime to their deployment. When creating a
robust cyber security architecture for the system, the complexity of mobile financial services and
social interaction should be considered. Mobile finance technology helps stakeholders, but
cybercriminals use technological weaknesses to target mobile financial services. Technical
analysis identified further issues and answers. Existing mobile financial services cybercrime
prevention solutions were evaluated; issues such as data privacy, mobile forensics and human
aspects remain. A strong cyber security architecture was designed for mobile banking services
using frameworks for solution design, IT governance, and information assurance.
References
1. Aghili SF, Mala H (2019) Security analysis of an ultra-lightweight RFID authentication
protocol for m-commerce. Int J Commun Syst 32(3):e3837
2. Aljohani A (2014) Mobile payments with instant settlements. Eighth International
Conference on Next Generation Mobile Apps, Services and Technologies (NGMAST 2014),
pp 181–185, 10–12 Sept 2014, Oxford, UK
3. Alharbi MH, Alhazmi OH (2019) Prototype: User authentication scheme for IoT using
NFC. International Conference on Computer and Information Sciences (ICCIS), pp 1–5,
3–4 April 2019, Sakaka, Saudi Arabia
4. Almuairfi S, Veeraraghavan P, Chilamkurti N, Doo-Soon P (2014) Anonymous proximity
mobile payment (APMP). Peer-to-Peer Net Appl (Springer) 7(4):620–627
5. Alqahtani M (2015) A framework of mobile transaction use: the user's perspective.
Dissertation, University of East Anglia
6. Ashok A, Gajera S, Chakraborty J, Arolker P, Rai N (2012) M-wallet: an SMS based
payment system. Int J Eng Res Appl (IJERA), ISSN 2248-9622
7. Augsburg C, Hedman J (2014) Value added services and adoption of mobile payments. In:
Proceedings of the sixteenth international conference on electronic commerce (ICEC'14),
Philadelphia, PA, USA, pp 27–32
8. Binga P, Caia FU, Xiongb FU (2008) Efficient mobile payment system based on ECC.
Application Research of Computers, Vol. 9
9. Bojjagani S, Sastry VN (2017) A secure end-to-end SMS-based mobile banking protocol.
Int J Commun Syst (IJCS) Wiley 30(15). https://doi.org/10.1002/dac.3302
10. Bojjagani S, Brabin DRD, Rao PVV (2020) Phish Preventer: a secure authentication
protocol for prevention of phishing attacks in mobile environment with formal verification.
Proc Comput Sci (Elsevier) 171:1110–1119
