
UNIT 4

Mobile Banking
The objective of this Unit is to understand
> Brief history of Mobile banking
> Product features and diversity
> IMPS
> Profitability of Mobile Banking
> Risk management and frauds
> Back-end operations and technology
4.1 Overview and brief history
Globally, mobile banking has evolved rapidly from a transactional feature to an experience-driven, comprehensive, customized offering. Today it plays a vital role in the digital strategies of banks worldwide. It has evolved from 'pull' based SMS services to 'high-end' personalized offerings such as wearable devices and biometric apps, as shown in the figure. The application of social media, big data, cloud and near field communication (NFC) technology has become a key differentiating factor amongst banks. Banks are increasingly making use of predictive behaviour models, driven by cash management and deposits data, to identify new, low-risk service opportunities. This allows relationship managers to engage the client with customized offerings and also reduces banks' administrative costs.

76 MODULE A: DIGITAL BANKING PRODUCTS

[Figure: evolution of mobile banking]
Early 90s: early mobile banking offered over SMS; no internet required. 'Pull' services, for example the customer sends a designated code for account balance and the bank sends back the balance information. 'Push' SMS services: account alerts sent automatically, mostly in real time.
Early 2000s: introduction of smartphones with WAP support, enabling the use of mobile web banking; the bank website and the services therein become accessible on mobiles and tablets. The advancement of mobile banking can be attributed to advancement in internet services.
2010 onwards: introduction of mobile banking apps after the initial success of iPhone and Android based apps; mobile device detection diverts customers to a mobile based website or app. Today, most services are offered over the dedicated mobile apps of most banks.
The future and beyond: banking services beyond mobile, towards wearables. Smart wearable devices were projected to approach 130 million by 2018, 10 times higher than estimated in 2013; these wearables are capable of providing a number of opportunities to financial institutions worldwide.

The advancements in mobile technology, and also the increase in mobile phone density in our country, with close to 100 crore subscribers, present an unprecedented opportunity to leverage mobile as a platform for inclusive banking. Not only has mobile banking given immense convenience to the end customer, who can avail banking services at his fingertips, but at the same time it is helping to empower the un-banked and under-banked population of our country through the use of electronic banking services.
[Figure: Mobile phone subscribers in India (figures in million), Q4 2013 to Q2 2015, with quarter-on-quarter growth. Readable data points: Q4 2013 886.3; Q1 2014 904.51; Q2 2014 914.92; Q3 2014 930.2; Q4 2014 943.97; Q1 2015 about 964.8; Q2 2015 980.81. Quarterly growth was roughly 1 to 2 per cent.]


UNIT 4 : MOBILE BANKING 77

As per COAI, the telecom subscriber base was 981.65 million by December 2017 (report: ET Telecom). TRAI reported separately that the telecom subscriber base reached 1190.67 million in December 2017. There are some variations in these estimates, but on the whole the base is steadily expanding. India may reach a 1.22 billion telecom subscriber base by 2022 by some estimates. The Internet user base in India is expected to reach 627 million in 2019.
India is predominantly a cash based economy. The current expansion in internet and mobile phone use presents an opportunity to widen non-cash transactions. Ubiquitous mobile penetration is the most promising option for inclusive banking and financial inclusion. The need of the hour is to come up with an innovative mobile payments system that is customized to the Indian ecosystem, solves real problems, and has mass appeal and acceptance.
A mobile banking transaction is far more economical than a transaction done through traditional banking channels, in terms of either per-transaction costs or per-branch costs.

4.2 Product features and diversity

Today, banks are offering mobile banking services to their customers through various channels such as SMS, USSD and mobile banking applications (Mobile Apps). Real time inter-bank mobile banking payments have been facilitated through the setting up of the Immediate Payment Service (IMPS), originally launched as the Interbank Mobile Payment Service, operated by NPCI with the approval of the Reserve Bank of India.
4.2.1 Mobile Banking: SMS based channel
SMS channel has its own advantages, viz., wider acceptance and usage,
ubiquitous availability in all kinds of mobile handsets (both GSM and
CDMA), etc.

Banks have been offering many kinds of mobile banking services through the SMS channel, viz.:
Non-Financial transactions
> Balance Enquiry
> Mini statement
> Cheque Book Request
> Transaction alerts
Financial Transactions
> Funds Transfer
> Mobile/DTH Recharge
> Bill payments
In order to avail mobile banking services through the SMS channel, the customer needs to send the request with a keyword and parameters to an SMS short code or long code number, e.g. for Balance Enquiry the customer can send, by SMS, BAL to 566XXXX (short code) or to 92XXXXXXXX (long code). The request travels from the mobile phone to the customer's cellular service provider, on to the provider of the called (bank's) number, and then to the bank's number; the bank's mobile application server converts it into a request to the banking server for the banking data. In the reverse leg, the customer receives the response via SMS. These short codes are standardised for the Indian banking system, both for banks and telecom operators.
The drawback of SMS based mobile banking is that the customer needs to know the exact syntax of the SMS for making the transaction. Moreover, the SMS channel is not end-to-end encrypted without an application on the handset: the GSM air interface may cipher the radio hop, but the message is in clear text at the operator's SMS centre, at every intermediate hop and at the bank's SMS gateway, so the staff operating those systems have clear visibility of it, and an intercepted copy of the message or transmission data is also in open plain text. Further, the SMS remains in SMS format in the sent items of the phone, including any parameters typed into it. All of these are security threats.
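The keyword-and-parameter syntax described above has to be parsed and validated at the bank's SMS front-end before anything reaches the banking server. The following is an added example of such a parser (not code from the original text or from any bank); the short codes, registered mobile numbers and keyword formats are constructed for illustration. It shows the checks a practitioner would want: the sender must be a registered mobile number, the called number must be the bank's own, the syntax must match exactly, and a credential such as the MPIN, which has already crossed the network in clear text, must at least be masked in the bank's own audit log.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed data: the bank's SMS short code and long code, and the mobile
# numbers registered for SMS banking (mobile number -> customer id).
BANK_NUMBERS = {"5661234", "9212345678"}
REGISTERED = {"9876543210": "CUST001", "9123456789": "CUST002"}

# Keyword syntax: keyword followed by space-separated parameters, each
# checked against a regular expression. Hypothetical formats; real banks
# publish their own. The last IMPS parameter is the MPIN, a credential that
# travels in clear text over SMS and must never be echoed in logs or replies.
SYNTAX: Dict[str, List[Tuple[str, str]]] = {
    "BAL":  [],
    "MINI": [],
    "CHQ":  [("leaves", r"(10|25|50)")],
    "IMPS": [("bene_mobile", r"\d{10}"), ("bene_mmid", r"\d{7}"),
             ("amount", r"[1-9]\d{0,5}"), ("mpin", r"\d{4,6}")],
}
SECRET_FIELDS = {"mpin"}


class SmsRejected(ValueError):
    """Raised for any request the front-end must not pass to the banking server."""


@dataclass
class SmsCommand:
    customer_id: str
    keyword: str
    params: Dict[str, str] = field(default_factory=dict)

    def audit_line(self) -> str:
        """Representation for the audit log with credentials masked."""
        shown = {k: ("***" if k in SECRET_FIELDS else v) for k, v in self.params.items()}
        return f"{self.customer_id} {self.keyword} {shown}"


def parse_sms(sender: str, destination: str, text: str) -> SmsCommand:
    """Validate one inbound SMS (sender MSISDN, called number, body) and
    return the structured command, or raise SmsRejected."""
    if destination not in BANK_NUMBERS:
        raise SmsRejected("not addressed to a bank SMS number")
    customer = REGISTERED.get(sender)
    if customer is None:
        # The sender MSISDN is the only authentication for BAL/MINI, so an
        # unregistered or spoofed sender must be dropped here.
        raise SmsRejected("sender mobile number not registered for SMS banking")
    tokens = text.strip().split()
    if not tokens:
        raise SmsRejected("empty message")
    keyword = tokens[0].upper()
    spec = SYNTAX.get(keyword)
    if spec is None:
        raise SmsRejected(f"unknown keyword {keyword!r}")
    args = tokens[1:]
    if len(args) != len(spec):
        raise SmsRejected(f"{keyword} expects {len(spec)} parameter(s), got {len(args)}")
    params: Dict[str, str] = {}
    for (name, pattern), value in zip(spec, args):
        if not re.fullmatch(pattern, value):
            # Do not include the offending value in the error: it may be the MPIN.
            raise SmsRejected(f"bad value for {name}")
        params[name] = value
    return SmsCommand(customer, keyword, params)


if __name__ == "__main__":
    cmd = parse_sms("9876543210", "5661234", "IMPS 9123456789 9001123 500 7351")
    print(cmd.audit_line())
```

Note that the parser can only mask the MPIN after the fact; it cannot undo the fact that the PIN was visible at every SMS hop, which is why the text treats the SMS channel as unsuitable without an encrypting application on the handset.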

4.2.2 USSD Based Mobile Banking and USSD code *99#


USSD (Unstructured Supplementary Service Data) is a transmission protocol used by GSM cellular telephones to communicate with the Telecom Service Providers (TSP). Though similar to Short Messaging Service (SMS), USSD messages create a real-time connection which remains open, allowing a two-way exchange of data, i.e., it is a session based activity, unlike the 'store and forward' of the SMS based case. In its simplest definition, USSD is a menu driven form of SMS where a customer receives a text menu on his/her phone as opposed to a string of words. The TSP in turn connects to the bank server, so that USSD works between the customer phone, the TSP network, the TSP backend systems and the bank CBS, in a session, interactively, in real time. The menu narrations and actions on menus can also be programmed at the bank-end server for this application, typically sitting in front of the CBS and routing all USSD activities/transactions. The convenient way is to have the projection of menus on the customer handset, menu selection, etc., managed at the TSP's server or at the bank's mobile banking server sitting in front of the bank's core banking server, to reduce load on core banking.
Each banking activity can also be invoked by a specific USSD command (the codes being specific to the TSP and the bank's mobile USSD software backend), using no menus. This option is problematic, as customers and bank BC agents delivering USSD-mobile based banking service at their outlets have to remember all the codes and sequences.
Due to its unique features, USSD finds its application in a variety of services, viz. mobile chat, m-commerce, prepaid balance inquiry, mobile banking, call-related services and any other service that requires interaction between the user and the application. Considering its usability, separate USSD applications have been developed by many banks in India, both in the mobile banking retail domain and for Financial Inclusion, and are in use.

4.2.3 USSD - *99# Service


NPCI has co-ordinated a USSD service where *99# is the common initial code to dial for any bank's mobile customer, with a mobile phone from any TSP. The request goes to the TSP of the customer's phone network, who forwards it to the technology backend of the FI Gateway, and from there to the bank backend. This last leg, the processing in the bank back-end, and the response that flows back to the customer in reverse together form a live session. NPCI is the common co-ordinator for customers to call. The *99# service is currently offered by almost all leading banks and all GSM service providers and can be accessed in 12 different languages including Hindi and English. The *99# service on the USSD platform offers Financial, Non-financial and Value Added Services (VAS) to the users as per the menus offered in the usual USSD service of the bank. A customer dials *99# and registers with his/her own account, bank details, even preferred language, etc. The *99# host is at NPCI, which allots this customer a UPI ID internally and provides the menu based service through USSD to the customer. The customer still uses the GSM signalling channel, the same network that carries voice calls and SMS, so that internet is not required. From NPCI to the other end, NPCI can transact in all desired existing channels. So, the customer can get a menu like:

Send Money
Request Money
Check balance
My profile
Pending request
Transactions
UPI PIN
Now the customer can use all these options, including payments based on UPI address, Aadhaar, bank account and IFSC, etc., without internet or a smartphone, without different elaborate menus, and without having to remember USSD codes.
*99# is the main menu in English. For other languages the code expands, e.g., *99*23# is for Tamil.
The original format of USSD, only with GSM phones, released in 2014, is referred to as USSD 1.0, and the enhanced form released with BHIM in December 2016, adding the BHIM and UPI capabilities, is referred to as USSD 2.0.

A common code *99*99# has been adopted for all TSPs. It is called Query Service on Aadhaar Mapper (QSAM) and allows users to check the Aadhaar seeding status of their bank account along with the last updated date.
Services Offered
Financial Services
> Fund Transfer using Mobile number and MMID
> Fund Transfer using Account number and IFSC
> Fund Transfer using Aadhaar number
Non-Financial Services
> Balance Enquiry
> Mini Statement
> Know MMID
> MPIN: Generate MPIN, Change MPIN
> Generate OTP
Value Added Services
> QSAM (Query Service on Aadhaar Mapper) or *99*99#

Process Flow
1. The customer dials *99#.
2. The request is received by the mobile operator gateway and routed to NPCI.
3. The request is sent to the NPCI Common USSD Platform, which sends the welcome screen and prompts the customer to enter the IFSC of his/her bank.
4. Based on the IFSC entered by the customer, NPCI identifies the bank to which the transaction will be routed.
5. The details are sent to the Issuer Bank for processing. The menu is maintained at the NPCI Common USSD Platform, as provided by the Issuer Bank.
6. The customer is informed of the status of the transaction within the USSD session.
7. An SMS confirmation is received by the customer in case of an IMPS transaction.

Transaction Flow
The high level transaction flow of the *99# service is given below:
[Figure: Operator premises: Telco 1 and Telco 2 USSD gateways, each connected over SMPP to an NPCI gateway. Network: NPCI Common USSD Platform. Bank premises: Bank 1 and Bank 2, each connected to the NPCI platform over XML/HTTPS.]

Features
> USSD uses the GSM signalling channel, so it is available 24x7, needs no app/software and no Internet connection, and works on any GSM phone, including basic feature phones.
> Accessible through a common code *99# across all TSPs.
> No additional charges, while roaming, for using the service.
> USSD has been an additional channel for real-time banking services and financial inclusion.
> Low cost, convenient. RBI has placed a Rs. 5000 cap for a transaction.
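The *99# service described above is a session: the platform keeps state between the customer's inputs, renders numbered menus, and enforces limits such as the Rs. 5000 cap before anything is sent to the issuer bank. The following is an added example of such a session handler (not NPCI's or any bank's code). It assumes the dial-string conventions stated in the text (*99# for the English main menu, *99*23# for Tamil, *99*99# for QSAM), a constructed customer table with a salted-hash UPI PIN, and, as a design choice of this example, that a session closes after a single PIN attempt; only the 'Send Money by mobile number' path is implemented.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TXN_CAP_INR = 5000   # per-transaction cap on *99# stated in the text

# *99# is the English main menu and *99*23# is Tamil (both from the text).
# Further language codes would be added to this table. *99*99# is QSAM.
LANGUAGE_CODES: Dict[Optional[str], str] = {None: "English", "23": "Tamil"}
QSAM_CODE = "99"
DIAL_RE = re.compile(r"\*99(?:\*(\d{2}))?#")

MAIN_MENU = ["Send Money", "Request Money", "Check balance", "My profile",
             "Pending request", "Transactions", "UPI PIN"]
SEND_MODES = ["UPI address", "Mobile number", "Account number and IFSC", "Aadhaar number"]


def _pin_hash(pin: str, salt: str) -> str:
    """Salted SHA-256 as a stand-in for the issuer's PIN verification (assumption)."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


# Constructed customer records keyed by mobile number: balance, PIN hash and
# the Aadhaar seeding status that QSAM reports. Hypothetical data.
CUSTOMERS = {
    "9876543210": {"balance": 12000, "salt": "s1", "pin": _pin_hash("4321", "s1"),
                   "aadhaar_seeded": "Yes, last updated 12-03-2018"},
}


@dataclass
class UssdSession:
    msisdn: str
    language: str
    state: str = "MAIN"       # MAIN -> SEND_MODE -> SEND_DEST -> SEND_AMOUNT -> SEND_PIN
    data: Dict[str, str] = field(default_factory=dict)
    open: bool = True


def _menu(items: List[str]) -> str:
    return "\n".join(f"{i}. {name}" for i, name in enumerate(items, 1))


def dial(msisdn: str, code: str) -> Tuple[Optional[UssdSession], str]:
    """Handle the initial dial string. Returns (session, first screen);
    the session is None for QSAM and for rejected codes."""
    m = DIAL_RE.fullmatch(code)
    if not m:
        return None, "Invalid USSD code"
    suffix = m.group(1)
    if suffix == QSAM_CODE:                      # *99*99#: Aadhaar mapper query, no session
        cust = CUSTOMERS.get(msisdn)
        return None, "Aadhaar seeding status: " + (cust["aadhaar_seeded"] if cust else "No record")
    if suffix not in LANGUAGE_CODES:
        return None, "Unsupported language code"
    if msisdn not in CUSTOMERS:
        return None, "Mobile number not registered"
    session = UssdSession(msisdn, LANGUAGE_CODES[suffix])
    return session, f"[{session.language}] Welcome\n" + _menu(MAIN_MENU)


def reply(s: UssdSession, text: str) -> str:
    """Advance an open session by one customer input, validating syntax and limits."""
    if not s.open:
        return "Session closed"
    cust = CUSTOMERS[s.msisdn]
    if s.state == "MAIN":
        if text == "1":
            s.state = "SEND_MODE"
            return _menu(SEND_MODES)
        if text == "3":
            s.open = False
            return f"Balance: INR {cust['balance']}"
        return "Invalid option\n" + _menu(MAIN_MENU)
    if s.state == "SEND_MODE":
        if text != "2":
            return "Only 'Mobile number' is implemented in this example\n" + _menu(SEND_MODES)
        s.state = "SEND_DEST"
        return "Enter beneficiary mobile number"
    if s.state == "SEND_DEST":
        if not re.fullmatch(r"\d{10}", text):
            return "Enter a 10-digit mobile number"
        s.data["dest"] = text
        s.state = "SEND_AMOUNT"
        return "Enter amount"
    if s.state == "SEND_AMOUNT":
        if not text.isdigit() or int(text) < 1 or int(text) > TXN_CAP_INR:
            return f"Amount must be between 1 and {TXN_CAP_INR}"   # RBI cap enforced here
        if int(text) > cust["balance"]:
            return "Insufficient balance"
        s.data["amount"] = text
        s.state = "SEND_PIN"
        return "Enter UPI PIN"
    if s.state == "SEND_PIN":
        s.open = False                           # one PIN attempt per session (example policy)
        if _pin_hash(text, cust["salt"]) != cust["pin"]:
            return "Incorrect PIN. Transaction declined"
        cust["balance"] -= int(s.data["amount"])
        return f"INR {s.data['amount']} sent to {s.data['dest']}. Confirmation SMS will follow"
    return "Invalid state"
```

Because the session lives at the platform rather than on the handset, the amount and PIN checks above run before the issuer bank is involved, which is what makes the cap and the single-attempt policy enforceable on a basic phone with no app.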
4.2.4 Mobile Banking: Application based
Almost all banks, have been offering application based mobile banking
services to their customers. The application is offered on multiple platforms
such as Java, Symbian, Windows, Android, iOS, etc. Bank customers need
to download the application and can avail host of banking services such as:
> Non-Financial transactions: Balance inquiry, Mini statement, Cheque book request
> Financial transactions: Fund transfer, Mobile/DTH recharge, Bill Pay etc.
> Others: Cards, Loans, Forex, Investment and Insurance, Internet banking features, etc.

Once downloaded, these mobile banking applications are easy and efficient to use for customers who are proficient with smartphone applications. These applications are now available across a host of platforms covering a wide range of smartphones in use. It has been the experience of banks that once a customer has used the mobile banking app, he continues to use it unless there is a change of handset or mobile number.
However, to use a mobile banking app a customer needs a mobile data (GPRS or later) subscription to download the application and perform transactions. The customer also needs a compatible handset and must keep upgrading the app for any enhancement or update, since an out-of-date app may lack the latest security fixes.
4.2.5 Mobile Wallets
In recent years, the payments industry has witnessed many innovations in
the payment systems and, especially in the area of Mobile Payments. With
the increase in mobile subscriber base and the mobile internet usage in
India, opportunities have arisen for creation of a new business line. One
of these has been the Mobile Wallet.
Mobile wallet transactions were 33 million in FY 2013, 255 million in FY 2015 and 1,630 million in FY 2017, with values of INR 10 billion, 82 billion and 532 billion in these years respectively [RBI data, quoted by E&Y]. The growth is very steep. For FY 2020, the projection is 11 billion transactions, valued at INR 17 trillion.
The advent of players (Paytm, Mobikwik, PhonePe, etc.), the introduction of products such as UPI and BHIM, and the Government's push after demonetisation have driven this high growth.
Let us understand how a mobile wallet works.
A mobile wallet is a mobile-based virtual container, where the user can preload a certain amount in his/her account created with the mobile wallet service provider and spend it thereafter at online and offline merchants listed with that provider. For example, if the user goes to a coffee shop A, which is listed with the XYZ mobile wallet, he/she can pay for the coffee through the phone. Depending on the service provider, one can also pay through an app, text message, social media account or website. For example, companies like Paytm, Mobikwik, Freecharge, etc. have tied up with various merchants to accept payments from customers through their mobile wallets.
Mobile wallets can be either bank owned or non-bank owned. A non-bank provider must hold a PPI licence from RBI before launching a mobile wallet. Using mobile wallets, customers can make any type of transaction, from utility payments to e-tailing (online purchases) and offline payments.
RBI has issued separate guidelines for the issuance of Prepaid Payment Instruments (PPIs); the mobile wallet is one such instrument.
Merits and Demerits of Mobile Wallets:
Merits:
> While a physical wallet can be snatched, misplaced or pick-pocketed, a mobile wallet, like any other virtual wallet, cannot be (though the phone carrying it can, which is why the wallet app's own PIN matters).
> Secondly, virtual payments are easy, as one need not carry exact change.
> Also, mobile wallets allow the user to pay in one tap, unlike net banking, which can call for opening several sub-sites and is time consuming.
Demerits:
> Only mobile-savvy people (with a dependable and speedy internet connection) can use such services.
> Only a limited number of merchants are currently listed, so one would still need net banking, cash or a card.
> There is a limit to the amount one can deposit in a mobile wallet and spend daily, which means mobile wallets are not useful for high value payments.
4.3 IMPS
Immediate Payment Service (IMPS) is a real time payment service that is available 24x7 and 365 days a year, including public holidays. It facilitates inter-bank, account to account fund transfers. IMPS is available on multiple platforms such as Mobile (App, SMS, WAP, USSD), Internet Banking, ATM and branch as well.
If IMPS is used through the internet or an ATM, no prior registration is required. To use IMPS through a mobile, the mobile number must be registered with the bank for mobile banking. Once registered, the customer is provided an MMID (Mobile Money Identifier), a 7-digit code whose first four digits are the bank's NBIN, and an MPIN, which acts as a transaction password.
[Figure: IMPS transaction flow between Remitter Customer, Remitter Bank, NPCI Switch, Beneficiary Bank and Beneficiary Customer]
1. The remitting bank's customer initiates the transaction on his mobile and authorizes it with his MPIN.
2. The remitting bank validates the MPIN, the remitter's mobile number and the account balance, debits the customer account and forwards the instruction to the IMPS Switch.
3. The IMPS Switch validates the transaction content and forwards the instruction to the beneficiary bank based on the NBIN.
4. The beneficiary bank validates the account details and credits the customer account.
5. The beneficiary bank advises the Switch of approval or rejection of the transaction.
6. The IMPS Switch advises approval or rejection to the remitting bank.
7. The remitting bank completes the transaction.
8. Both the remitter and beneficiary banks send an SMS to their respective customers informing them of the transaction status.

The various modes of payment using IMPS are:
> Funds transfer using Mobile Number and MMID (P2P)
> Funds transfer using Account Number (P2A)
> Funds transfer using Aadhaar Number (ABRS)
> Push based merchant payments using Mobile No. and MMID (P2M)
> Pull based merchant payments using Mobile Number and MMID (P2M)
> IMPS using the USSD channel
4.3.1 Push and Pull Payments
Push: Customer initiated transactions are called Push transactions, e.g. mobile recharge and credit card bill payments.
Pull: Merchant initiated transactions are called Pull transactions, e.g. auto-debit of a monthly instalment for goods or services purchased from a merchant.
To understand the concept of push and pull payment services, let us consider an example. In essence, I have some money. I need to let you have the money, either in exchange for goods or services, or to settle a debt. As such, I am the payer and you are the payee. Here we can define the first two types of payment: push and pull. Push means 'I give you money'; this is a traditional cash payment or 'credit transfer'. Pull means 'you take the money'; this is a traditional debit payment. Push payments carry implied consent, since the payer initiates them, whereas pull payments require some form of consent to be registered, such as a direct debit mandate.
4.3.2 Push based merchant payments in IMPS
The customer goes to the merchant outlet and initiates the transaction from his mobile by entering the merchant's credentials, such as the merchant's mobile number and MMID, his own M-PIN, and the payment reference.

4.3.3 Pull based merchant payments in IMPS
The customer visits the merchant's website and initiates the transaction by entering his own credentials, such as his MMID and mobile number. Instead of the M-PIN, he enters an OTP, so that the M-PIN is never typed into a merchant-controlled page.
Summary of IMPS products and the inputs needed:
> Fund transfer using Mobile No. and MMID: receiver's mobile number and MMID.
> Fund transfer using Account No. and IFS Code: receiver's bank A/C No. and IFSC code.
> Fund transfer using Aadhaar No.: receiver's Aadhaar number.
> Merchant/Utility service payment, PUSH: merchant mobile number, MMID and payment reference.
> Merchant/Utility service payment, PULL: remitter's mobile No., MMID, OTP and payment reference.
Initiating channels (all products): Mobile/Internet/ATM/Branch.
Access mechanism (all products): SMS/Mobile App/USSD/Internet/Branch.
IMPS enabling process (all products): the remitter needs to be mobile banking registered; however, registration is not required for initiating a transaction through channels other than mobile. The beneficiary need not be mobile banking registered for receiving funds using bank account details or an Aadhaar number.

Basically, the IMPS message flow and formats, creation of transaction data, transaction posting and confirmation SMS creation are the components to be put in place (for the varieties mentioned above) for the various channels (Internet, branch, mobile banking, etc.); IMPS is then available for initiation from these channels. Mobile banking is one of these channels.
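The flow in 4.3 (remitter bank authenticates and debits, the NPCI switch routes on the NBIN carried in the MMID, the beneficiary bank credits, and a rejection is reversed at the remitter) and the push/pull distinction in 4.3.1 to 4.3.3 can be seen end to end in the following added simulation. It is example code, not NPCI's or any bank's implementation; the NBINs, account numbers, the salted-hash credential store and the 4-digit-NBIN-plus-3-digit-suffix MMID layout are assumptions made for illustration. Push transfers authenticate with the MPIN; pull merchant payments authenticate with a single-use OTP instead, as 4.3.3 describes.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _h(secret: str, salt: str) -> str:
    """Salted SHA-256 stand-in for the bank's credential store (assumption)."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


@dataclass
class Registration:
    mobile: str
    mmid: str          # 7 digits: the bank's 4-digit NBIN + 3-digit account identifier
    account: str
    salt: str
    mpin_hash: str


@dataclass
class Bank:
    nbin: str
    name: str
    balances: Dict[str, int] = field(default_factory=dict)       # account -> balance (INR)
    regs: Dict[str, Registration] = field(default_factory=dict)  # mobile -> registration
    otps: Dict[str, str] = field(default_factory=dict)           # mobile -> outstanding OTP
    sms_log: List[str] = field(default_factory=list)

    def register_mobile(self, mobile: str, account: str, mpin: str, suffix: str) -> str:
        salt = secrets.token_hex(4)
        self.regs[mobile] = Registration(mobile, self.nbin + suffix, account, salt, _h(mpin, salt))
        return self.regs[mobile].mmid

    def issue_otp(self, mobile: str) -> str:
        self.otps[mobile] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[mobile]

    # Remitter side (steps 1-2): authenticate, check funds, debit before forwarding.
    def authorize_debit(self, mobile: str, credential: str, amount: int, pull: bool) -> Tuple[bool, str]:
        reg = self.regs.get(mobile)
        if reg is None:
            return False, "Mobile number not registered"
        if pull:
            ok = self.otps.pop(mobile, None) == credential   # OTP is single-use
        else:
            ok = _h(credential, reg.salt) == reg.mpin_hash
        if not ok:
            return False, "Credential invalid"
        if self.balances[reg.account] < amount:
            return False, "Insufficient balance"
        self.balances[reg.account] -= amount
        return True, reg.account

    def reverse_debit(self, account: str, amount: int) -> None:
        self.balances[account] += amount

    # Beneficiary side (step 4): the mobile/MMID pair must resolve to an account here.
    def credit(self, bene_mobile: str, bene_mmid: str, amount: int) -> bool:
        reg = self.regs.get(bene_mobile)
        if reg is None or reg.mmid != bene_mmid:
            return False
        self.balances[reg.account] += amount
        return True


class ImpsSwitch:
    """NPCI switch: validates content and routes on the NBIN prefix of the MMID (step 3)."""

    def __init__(self, banks: List[Bank]) -> None:
        self.banks = {b.nbin: b for b in banks}

    def route(self, bene_mobile: str, bene_mmid: str, amount: int) -> Tuple[bool, str]:
        if not (bene_mmid.isdigit() and len(bene_mmid) == 7 and len(bene_mobile) == 10) or amount <= 0:
            return False, "Invalid transaction content"
        bank = self.banks.get(bene_mmid[:4])
        if bank is None:
            return False, "Unknown NBIN"
        if not bank.credit(bene_mobile, bene_mmid, amount):
            return False, "Beneficiary not found"
        bank.sms_log.append(f"{bene_mobile}: INR {amount} credited via IMPS")   # step 8
        return True, "Approved"


def imps_transfer(switch: ImpsSwitch, remitter_bank: Bank, mobile: str, credential: str,
                  bene_mobile: str, bene_mmid: str, amount: int, pull: bool = False) -> str:
    """Push P2P/P2M (credential = MPIN) or pull P2M (credential = OTP) end to end."""
    ok, info = remitter_bank.authorize_debit(mobile, credential, amount, pull)
    if not ok:
        return info
    approved, msg = switch.route(bene_mobile, bene_mmid, amount)
    if not approved:
        remitter_bank.reverse_debit(info, amount)   # steps 6-7: a rejection reverses the debit
    remitter_bank.sms_log.append(f"{mobile}: IMPS of INR {amount} {'successful' if approved else 'failed'}")
    return msg
```

The point to notice is where each check lives: the remitter bank alone sees the MPIN or OTP, the switch sees only routing data (mobile number, MMID, amount), and the beneficiary bank decides whether the mobile/MMID pair is valid, so a wrong MMID fails at the far end and the remitter must reverse the debit it has already made.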

4.4 Profitability of Mobile Banking


Mobile banking, to a large extent, impacts the financial performance and profitability of banks, in the sense that it helps reduce unnecessary cost, increases efficiency and improves service delivery to customers. However, the trend signals are mixed and call for specific actions.
Mobile use in India is steadily on the rise, and India stands fourth in mobile banking penetration. In India, mobile phone users were 524.9 million in 2013, increasing to an estimated 730.7 million by end 2017 [statista.com].
A recent study on the profitability of Scheduled Commercial Banks in India concludes that there has been a significant growth in the volume and value of mobile transactions during the last five years. On the other hand, it has also been found that the profitability of these banks has gradually decreased. The study also found a significant relationship between m-banking and the profitability of banks. The decline in profitability due to mobile banking has been explained to be on account of the networking effect of mobile banking. (Ref: https://www.researchgate.net)
Cost vs. Profit
While there is no actual "standard" cost for app development, it could probably end up costing a few crore rupees to design, develop and deploy a good-quality phone app. This estimate would increase if you hire an outside developer to do the job for you. Of course, all this effort and expenditure is still worth it if you expect a good ROI, or Return on Investment. This ROI factor is usually very high for banks and huge retail stores, which have a considerable amount of capital at their disposal, as well as a great number of customers who, they know, depend on their services. However, it might not turn out to be quite as profitable for an independent mobile app developer who does not have a high enough budget for it.
Benefits of mobile banking
> Offering innovative, personalized mobile services to attract and retain new customer segments that value mobility and real-time control of their finances, at almost no extra marketing cost.
> Reduced customer support costs: it is a cost effective channel for customer support and for reaching remote clients.
> Mobile banking results in customer connectedness, real time account operations and information.
> M-banking enables Anywhere Anytime Banking: customers no longer need access to a computer terminal to reach their banks; they can do so while travelling or while waiting for their orders in a restaurant.

4.5 Risk management and frauds


Apart from the usual risks associated with any digitised activity, mobile banking adds some extra dimensions of risk due to the mobile technology. Some of the risks associated are:
1. Application server risks: risks associated with the mobile banking application server environment: inadequate OS hardening, use of default credentials, inadequate patch/update maintenance, encryption logic related issues.
2. Network/Infrastructure risks: this category includes risks associated with the network devices and infrastructure for mobile banking. These risks relate to default credentials, patch/update maintenance, hardware failure, physical disconnection of the network, inadequate security, etc.
3. Transmission risks: this category includes risks associated with the transmission of data/information on account of loss of connectivity of the mobile devices, incomplete or garbled messages, data packet loss, etc.
4. Mobile device risks: this includes risks associated with the multiplicity of mobile hardware platforms and operating systems, so that continued service with all features may not be possible on change of mobile phone; also the threats of malware infection, privacy violation and undesirable access to data on compromised mobile devices, particularly as devices running many different OS versions are in use.
5. Mobile application risks: this category includes risks associated with the mobile application itself: insecure coding practices, inadequate applications, lack of protection of user credentials, unprotected storage/transmission of data, malicious applications residing on the phone, etc. Often a greater focus on user convenience than on user security furthers this.
6. End user risks: this category includes risks associated with the end user. These include loss of the device, easy passwords, storing passwords on the device, jail-breaking or rooting the device (which gives access to the root directory and allows the application or its configuration to be changed), not using anti-malware software, using insecure wireless access, careless use revealing credentials or remaining always logged in, lack of periodic verification of the bank account, falling prey to vishing or smishing, etc.
Malware has become a major challenge with mobile devices, and Android devices are prone to many mobile attacks that present even more risks for financial institutions.
A few examples are mentioned below. However, the situation is dynamic, and new threats arrive regularly:
> Zitmo Trojan: steals mTAN (mobile Transaction Authentication Number) codes sent by banks in text messages.
> Banker Trojan: steals passwords and other sensitive information.
> Perkel/Hesperbot Trojan: uses JS injection on the PC to request the mobile number, then delivers the Trojan via SMS; the Trojan poses as a security app.

> Wrob Trojan: poses as the Google Play app and replaces installed banking apps with Trojan clones.
> Zert Security Trojan: impersonates the bank login and steals credentials.
> DroidDream rootkit: this malware works on Android phones; it reaches the basic level (core of the software) and can change the software, steal data and even install further malware.
> Keylogger spyware: poses as a third-party keyboard that sends keystrokes and contextual information to the attacker.
Other Risks associated with Mobile Banking
A. Data Mining and Theft
> Mobile devices contain increasing amounts of data, and means to access data, about individuals.
> Criminals understand big data and can leverage analysis for targeted attacks.
> Thus mobile devices may be at risk of being accessed/mined to reveal credentials and the usage habits of the owner, which may be misused.
B. SIM Swap Fraud
a. Fraudsters get the user's SIM blocked and obtain a fresh SIM card (by impersonation and falsehood), and can then receive the user's OTPs, messages, etc. arriving on the phone. App-based or automated payments of all types can be attacked, as also user initiated transactions.
b. Targets vulnerabilities in carrier infrastructure and procedures.
c. Requires off-device risk-assessment techniques, since the compromised number cannot itself tell the bank that it has been taken over.
d. A good practice is to periodically check the bank account balance and latest transactions,
e. and to take up any unusual activity, or the absence of usual routine activity (such as expected alerts and OTPs no longer arriving), with the bank.
C. Device Impersonation: some applications bind the mobile app to the customer's mobile phone using technical identifiers of the phone (this also happens for internet banking on a laptop/mobile). After fraudulently obtaining these device parameters and presenting them from another device, a fraudster may attempt to operate the mobile banking from that other device.
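Points B.c and C above both come down to the same thing: the bank cannot trust the device or the mobile number alone and has to correlate signals it holds off the device (a SIM-change notice, the device the customer bound, how recently it was bound, the transaction value) before approving a transaction. The following is an added example of such a rule set (not from the text or any bank's risk engine) run over a constructed event stream; the windows, thresholds, scores and the assumption that the telecom operator supplies SIM-change notices are all hypothetical choices made for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SIM_SWAP_WINDOW = timedelta(hours=24)     # assumed windows and thresholds
NEW_DEVICE_WINDOW = timedelta(hours=48)
HIGH_VALUE_INR = 20000

# Constructed event stream, as the bank's mobile banking platform might
# receive it: SIM change notices from the telco (assumed feed), device
# bindings made by the app, and transaction requests carrying the device id.
EVENTS = [
    {"ts": "2018-03-01 09:00", "type": "sim_change", "mobile": "9876543210"},
    {"ts": "2018-03-01 09:40", "type": "txn", "id": "T1", "mobile": "9876543210",
     "device": "D-AAA", "amount": 45000},
    {"ts": "2018-02-20 10:00", "type": "device_bind", "mobile": "9123456789", "device": "D-BBB"},
    {"ts": "2018-03-02 12:00", "type": "txn", "id": "T2", "mobile": "9123456789",
     "device": "D-BBB", "amount": 800},
    {"ts": "2018-03-02 13:00", "type": "txn", "id": "T3", "mobile": "9123456789",
     "device": "D-ZZZ", "amount": 15000},
    {"ts": "2018-03-03 08:00", "type": "device_bind", "mobile": "9555555555", "device": "D-CCC"},
    {"ts": "2018-03-03 09:00", "type": "txn", "id": "T4", "mobile": "9555555555",
     "device": "D-CCC", "amount": 30000},
]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def assess(events: List[dict]) -> Dict[str, Tuple[str, List[str]]]:
    """Replay events in time order and return txn id -> (decision, reasons).
    HOLD: do not process without manual review; STEP_UP: require a second
    factor that does not depend on the SIM (e.g. a call-back); ALLOW: proceed."""
    last_sim_change: Dict[str, datetime] = {}
    bound: Dict[str, Tuple[str, datetime]] = {}       # mobile -> (device id, bound at)
    out: Dict[str, Tuple[str, List[str]]] = {}
    for ev in sorted(events, key=lambda e: _t(e["ts"])):
        ts, mobile = _t(ev["ts"]), ev["mobile"]
        if ev["type"] == "sim_change":
            last_sim_change[mobile] = ts
        elif ev["type"] == "device_bind":
            bound[mobile] = (ev["device"], ts)
        elif ev["type"] == "txn":
            score, reasons = 0, []
            sim_ts = last_sim_change.get(mobile)
            if sim_ts is not None and ts - sim_ts <= SIM_SWAP_WINDOW:
                # OTPs sent to this number now reach whoever holds the new SIM.
                score += 3
                reasons.append("sim_change_within_24h")
            dev = bound.get(mobile)
            if dev is None or dev[0] != ev["device"]:
                # Device identifiers do not match the binding (or none exists):
                # the device impersonation case.
                score += 3
                reasons.append("device_not_bound")
            elif ts - dev[1] <= NEW_DEVICE_WINDOW:
                # A binding made just before a transaction deserves a second look.
                score += 1
                reasons.append("binding_newer_than_48h")
            if ev["amount"] >= HIGH_VALUE_INR:
                score += 1
                reasons.append("high_value")
            decision = "HOLD" if score >= 3 else "STEP_UP" if score == 2 else "ALLOW"
            out[ev["id"]] = (decision, reasons)
    return out


if __name__ == "__main__":
    for txn_id, (decision, reasons) in assess(EVENTS).items():
        print(txn_id, decision, reasons)
```

The step-up action matters as much as the rule: after a SIM swap, sending another OTP to the same number proves nothing, so the second factor has to travel a different route (the bound device's app, a call-back to a pre-registered alternative, or a branch visit).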

Spear Phishing and Social Engineering:
> The weapon of choice for financial cybercrime and advanced attacks on corporations.
> Phishing occurs via email, SMS, Twitter and other social networking sites, blogs, IM and news feeds. Through messages, queries or suggestions of gains/rewards, the fraudsters entice the user to use a link/option sent to the device, so that specific actions are invoked (for instance the fraudster's malware gets downloaded) or credentials are disclosed. With such information, the fraudster can take away money.
> Spear phishing is repeated, targeted phishing of the same persons, slowly, through apparently unrelated actions over time, so that all credentials, etc., can be extracted and misused.
> Commercial phishing kits, such as Rock Phish, make it easy for even the inexperienced to launch a relatively sophisticated attack.
> The lifespan of a modern phishing site is measured in hours, rendering even regularly updated blacklists virtually ineffective.
> A somewhat effective countermeasure is to guard against the temptation to make any selection, entry or other computer based action, or to reveal identity, in response to such unsolicited messages.

4.6 Back end operations and technology


The back end technology and operations of application based mobile
banking and internet banking are similar in nature.

[Figure: Customer and device; ISP/mobile network; ISP/mobile network vendor middleware; bank's internet banking/mobile banking gateway; core banking; backup data centre, with cabling in between.]

For a USSD/SMS based solution, the customer operates his phone instead of his computer. In the internet banking case the computer runs programs for data entry, menu selection, encryption/decryption, data transfer/upload, etc., controlled by the application at the host at the ISP and the application at the bank gateway for the service, as in the above schematic. For USSD/SMS the difference is that the phone has to enter details as per the known syntax (or select from a menu pushed by the telephone operator, by number only) and send them to the mobile network provider as cell phone message output. An applet in the SIM card invokes and enables the mobile application. This application also encrypts, manages keys, displays data/options on the phone screen, keeps traffic counts and controls, etc. The application at the network provider end operates on such input values and interacts with the application at the bank gateway, computer-to-computer, as in the internet banking case. The network end application has two different modules, or altogether separate applications, to talk to and fro to the computer behind it and the cell phone in front of it, among others. From vendor to vendor the actual implementation differs.
As an example, to help a detailed understanding, we illustrate the secure processes at the middle layer for SMS banking. They consist of, first, a module to receive the SMS and verify it, which passes it to the next module (OSG); this converts the SMS messages to HTTP format and controls the SMS/USSD exchange with the cell phones so that a transaction activity runs like a session (instead of continuing in the store-and-forward mode associated with SMS/USSD). This delivers to the next module, which is the outward gateway to the bank and back (BMS). This module, apart from exchanging with the bank system in sessions, keeps track of data/messages sent and received, helps in traffic management between itself and the bank gateway, and also performs encryption, etc. A secure hardware device called an HSM is used at times by most technology operators (HSM: Hardware Security Module, also called Host Security Module). The HSM, a tamper-resistant hardware component, provides state-of-the-art cryptographic functions to the BSP (Bank Secure Platform). Upon receiving a request from the BSP, it performs cryptographic operations, generating transaction keys and encrypting and decrypting sensitive information. The HSM also manages the cryptographic keys used to secure mobile financial transactions, so that the keys never leave the hardware in clear. The HSM is further enhanced with the Mobile Shield firmware for secure business transactions.
At times an Adaptor is provided.
Adaptor: The Adaptor, required only when non-standard interfaces to the
bank systems are used, is a customizable module that translates messages
to and from the format used by the bank's back-end. The Adaptor insulates
the BSP from the specifics of the bank systems' interfaces.
The diagram below, from Gemalto, illustrates this. Incidentally, this is one
example, and there will be other implementations from other providers
varying in details.
[Figure: Mobile Banking Architecture (Source: Gemalto). Three domains, left
to right: User (SIM applet on the handset), Mobile Operator (SMSC, OTA server,
OSG, BMS, HSM) and Financial Institution (BSP, Adaptor, bank account system).
Channels labelled in the figure: SMS/STK between the handset and the SMSC,
HTTP/XML between the gateway modules, and standard HTTP/XML through the
Adaptor into the bank system.]


We see that the above example includes an OTA (Over The Air) server in the
telecom network provider's domain as part of the model, so that updates can
be effected remotely, both to the SMS reading and processing engine and to
the module interacting with the bank.
Network Configuration:
An operator can provide the service to subscribers who have bank accounts
with different financial institutions. A bank can also choose to work with
several operators, to provide mobile banking services to its customers
independently of their mobile service provider. It is also possible for
several banks with light mobile banking traffic to share a Bank Secure Platform.
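To make the OSG's role concrete, here is an added example (not Gemalto's or any operator's code) of an operator-side module that turns the stateless SMS/USSD channel into a short session: it pushes a numbered menu, collects the choice, also accepts the one-shot keyword syntax, enforces a session timeout and a per-handset message limit (the traffic count and control mentioned above), and only then produces the request that the outward module would hand to the bank gateway. The menu text, the keyword syntax (BAL, MINI), the timeout and the rate limit are assumptions for this example. Confidential fields such as the PIN are deliberately not collected in this clear-text dialogue; in the SIM-applet model they travel in the ciphered payload discussed in 4.6.1.

```python
import time

# Assumed limits for this example; real operators tune these per channel.
SESSION_TIMEOUT_S = 90     # USSD dialogues are short-lived
MAX_MSGS_PER_MIN = 5       # per-handset traffic control

MENU = {"1": "balance", "2": "mini_statement", "3": "transfer"}   # pushed menu
COMMANDS = {"BAL": "balance", "MINI": "mini_statement"}           # SMS syntax


def parse_command(text):
    """One-shot SMS syntax '<KEYWORD> <last 4 digits>' -> (action, suffix) or None."""
    parts = text.strip().upper().split()
    if (len(parts) == 2 and parts[0] in COMMANDS
            and parts[1].isdigit() and len(parts[1]) == 4):
        return COMMANDS[parts[0]], parts[1]
    return None


class SessionGateway:
    """Operator-side module (OSG-like) that drives SMS/USSD as a session."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}                 # msisdn -> {"step", "started", "action"}
        self.traffic = {}                  # msisdn -> recent inbound timestamps
        self.counters = {"in": 0, "out": 0, "to_bank": 0}   # traffic count

    def _within_limit(self, msisdn):
        now = self.clock()
        recent = [t for t in self.traffic.get(msisdn, []) if now - t < 60]
        if len(recent) >= MAX_MSGS_PER_MIN:
            self.traffic[msisdn] = recent
            return False
        recent.append(now)
        self.traffic[msisdn] = recent
        return True

    def _reply(self, text):
        self.counters["out"] += 1
        return text, None

    def _bank_request(self, msisdn, action, suffix, started):
        self.counters["to_bank"] += 1
        self.counters["out"] += 1
        return "Request sent, please wait.", {
            "msisdn": msisdn, "action": action,
            "account_suffix": suffix, "session_started": started}

    def handle(self, msisdn, text):
        """Consume one inbound message from the handset.

        Returns (reply_text, bank_request). bank_request stays None until the
        dialogue has collected everything; it is then the dict the outward
        module (BMS) would post to the bank gateway over HTTP.
        """
        self.counters["in"] += 1
        now = self.clock()
        if not self._within_limit(msisdn):
            self.sessions.pop(msisdn, None)
            return self._reply("Too many requests. Try again later.")

        sess = self.sessions.get(msisdn)
        if sess and now - sess["started"] > SESSION_TIMEOUT_S:
            self.sessions.pop(msisdn)          # stale dialogue: start over
            sess = None

        if sess is None:
            cmd = parse_command(text)          # known syntax needs no dialogue
            if cmd:
                return self._bank_request(msisdn, cmd[0], cmd[1], now)
            self.sessions[msisdn] = {"step": "menu", "started": now}
            menu = "\n".join(f"{k}. {v.replace('_', ' ').title()}"
                             for k, v in MENU.items())
            return self._reply("Mobile Banking\n" + menu)

        choice = text.strip()
        if sess["step"] == "menu":
            if choice not in MENU:
                return self._reply("Invalid option. Reply with a menu number.")
            sess["action"], sess["step"] = MENU[choice], "account"
            return self._reply("Enter last 4 digits of your account:")

        if sess["step"] == "account":
            if not (choice.isdigit() and len(choice) == 4):
                return self._reply("Enter exactly 4 digits.")
            self.sessions.pop(msisdn)          # dialogue complete, close it
            return self._bank_request(msisdn, sess["action"], choice, sess["started"])

        self.sessions.pop(msisdn)
        return self._reply("Session error. Please start again.")
```

The clock is injectable so the timeout path can be exercised deterministically; a stale session is discarded rather than resumed, which is the safe default for a channel where the handset may have changed hands in the meantime.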
4.6.1 End-to-end Security
Since mobile banking transactions can be initiated from almost anywhere
and transaction details are transmitted over networks that are not trusted
end to end, end-to-end security and confidentiality of data is achieved by
ciphering the information for the whole path: the mobile phone, the GSM
network, the operator's infrastructure and the connection to the financial
institution. The information entered by the user is collected and encrypted
by the applet residing in the tamper-resistant SIM card.
[Figure: Secured data transfer. User data is ciphered end-to-end from the
handset, across the GSM network and the operator's infrastructure, to the
financial institution.]

For security, sensitive data such as the PIN and transaction details are
never stored in the SIM card or on the platform. All customer and financial
information is kept exclusively at the bank, which also has sole control over
the cryptographic keys used to secure financial transactions.
Strong 2-factor Authentication:
Bank customers must be sure that no one can make transactions on their
behalf, and banks must be able to verify that customers are indeed who
they claim to be. Most banks have responded to this requirement with strong
two-factor authentication: something the customer has (the SIM card holding
the secret keys) and something the customer knows (the Mobile Banking PIN).
Mobile Banking Application PIN:
Users are required to identify themselves to the bank with a Mobile Banking
PIN that protects access to financial information and transactions. Secret
keys known only to the SIM card and the bank are used to encrypt and
sign the transaction data, further proving the identity of the user.
Data Integrity:
Since the data is digitally signed, any attempt to manipulate it will be
detected, because the signature will no longer correspond to the signed
message.
Non-repudiation:
In the context of mobile banking, non-repudiation refers to authenticating
the customer and the financial institution participating in a financial
transaction with a high degree of certainty, so that the parties cannot later
deny having performed the transaction. To ensure non-repudiation, a proof
must be generated to show that the transaction was performed by that party.
This can be addressed by the following:
> A user PIN known only to the user and protected by encryption
> A transaction confirmation code sent by the bank
> A transaction log that records the details of every transaction.
Because the keys are shared between the SIM and the bank, the proof rests on
the bank's transaction log and its custody of the keys rather than on a
signature that a third party could verify independently.
4.6.2 Transaction Flow
A mobile banking transaction is initiated by the mobile user and is completed
when the result is displayed on the user's phone. The following example shows
the communication flow for an account balance request.
> A customer browses the Mobile Banking pages on the mobile phone and
requests an account balance from the bank by selecting the account
and entering the PIN to confirm the transaction.
> The request is encrypted and signed in the SIM and sent to the mobile
operator's Gateway, and onwards to the bank Gateway.
> The bank Gateway decrypts the request, translates the MPIN and the request
into the bank's format, and sends them to the bank system for processing.
> After the bank's processing, the reverse flow happens, all the way back
to the SIM card.
> The response is decrypted in the SIM card and presented to the user.
> The mobile user sees the result of his or her request on the phone
display.
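The flow in 4.6.1 and 4.6.2 is shown below as an added example in Python (not Gemalto's, a bank's or any SIM vendor's code). The SIM applet signs and encrypts the request with keys it shares only with the bank, the operator path merely relays an opaque blob, and the bank gateway decrypts, checks the signature, verifies the MPIN against a salted hash (the PIN is never stored in the SIM, nor in clear at the bank) and answers the same way. Assumptions: the "signature" is a symmetric HMAC tag, which is what keys shared between a SIM and a bank allow; the cipher is HMAC-SHA256 run in counter mode purely for illustration, where a real platform would use a standard block cipher inside the HSM; the per-card sequence number that rejects replayed messages is an addition beyond the text; all keys, the MSISDN, the account and the balance are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

MAX_SMS_BYTES = 140           # payload limit of one 8-bit binary SMS
NONCE_LEN, TAG_LEN = 8, 16    # assumed sizes for this example


def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256 (illustration only, not AES)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _mpin_hash(mpin, salt):
    return hashlib.pbkdf2_hmac("sha256", mpin.encode(), salt, 10_000)


def protect(enc_key, mac_key, payload):
    """Sign (MAC) then encrypt a dict: returns nonce || enc(plaintext || tag)."""
    plain = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    body = plain + hmac.new(mac_key, plain, hashlib.sha256).digest()[:TAG_LEN]
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def unprotect(enc_key, mac_key, blob):
    """Decrypt and verify the tag; raises ValueError on any alteration."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    body = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    plain, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    good = hmac.new(mac_key, plain, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed: message altered or wrong key")
    return json.loads(plain)


class SimApplet:
    """Applet in the SIM: holds the card keys; the PIN is never stored here."""

    def __init__(self, enc_key, mac_key):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq = 0                       # per-card sequence number (replay guard)

    def balance_request(self, account, mpin):
        self.seq += 1
        blob = protect(self.enc_key, self.mac_key, {"action": "balance",
                       "account": account, "mpin": mpin, "seq": self.seq})
        if len(blob) > MAX_SMS_BYTES:
            raise ValueError("request does not fit in one SMS")
        return blob                        # the operator only ever sees this blob

    def read_response(self, blob):
        return unprotect(self.enc_key, self.mac_key, blob)


class BankGateway:
    """Bank side: sole keeper of keys, MPIN verifier, balances and the log."""

    def __init__(self):
        self.cards = {}      # msisdn -> [enc_key, mac_key, last_seq]
        self.mpins = {}      # msisdn -> (salt, pbkdf2 hash); MPIN not kept in clear
        self.balances = {}   # account -> balance
        self.log = []        # transaction log: evidence for non-repudiation

    def enrol(self, msisdn, account, mpin, balance):
        enc_key, mac_key, salt = (secrets.token_bytes(n) for n in (16, 16, 8))
        self.cards[msisdn] = [enc_key, mac_key, 0]
        self.mpins[msisdn] = (salt, _mpin_hash(mpin, salt))
        self.balances[account] = balance
        return SimApplet(enc_key, mac_key)   # keys personalised into the SIM

    def handle(self, msisdn, blob):
        card = self.cards[msisdn]
        enc_key, mac_key, last_seq = card
        reply = lambda **kw: protect(enc_key, mac_key, kw)
        try:
            req = unprotect(enc_key, mac_key, blob)
        except ValueError as exc:
            self.log.append((msisdn, "rejected", str(exc)))
            return reply(status="error", reason="integrity")
        if req["seq"] <= last_seq:            # an old message replayed
            self.log.append((msisdn, "rejected", "replay"))
            return reply(status="error", reason="replay")
        card[2] = req["seq"]                  # authentic message: advance counter
        salt, stored = self.mpins[msisdn]
        if not hmac.compare_digest(stored, _mpin_hash(req["mpin"], salt)):
            self.log.append((msisdn, "rejected", "mpin"))
            return reply(status="error", reason="mpin")
        self.log.append((msisdn, req["action"], req["account"], req["seq"]))
        return reply(status="ok", balance=self.balances.get(req["account"]), seq=req["seq"])


def run_demo():
    """Normal request, a tampered copy, a wrong MPIN, then a replay (constructed data)."""
    bank = BankGateway()
    sim = bank.enrol("919800000001", "XXXX1234", "4321", 15250.75)
    relay = lambda blob: bank.handle("919800000001", blob)   # operator path: relay only
    ok = sim.read_response(relay(sim.balance_request("XXXX1234", "4321")))
    blob = sim.balance_request("XXXX1234", "4321")
    tampered = bytearray(blob)
    tampered[NONCE_LEN + 5] ^= 0x01                          # one bit flipped in transit
    bad_tag = sim.read_response(relay(bytes(tampered)))
    bad_pin = sim.read_response(relay(sim.balance_request("XXXX1234", "0000")))
    replayed = sim.read_response(relay(blob))
    return ok, bad_tag, bad_pin, replayed, len(bank.log)
```

run_demo() returns the four replies the SIM decrypts: the genuine request yields the balance, the single flipped bit fails the tag check before the bank parses anything, the wrong MPIN is refused without revealing the stored value, and the resent blob is rejected by the sequence check even though its tag is valid. The operator's relay function never holds a key, which is the property the "ciphered end-to-end" figure is making.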
4.7 Information Security Tips
> We have covered some security issues; a few risks were mentioned, as also
suggestions for protection. A common guideline to be remembered is that the
specific weak areas depend on the current technology solution, the current
technical platform and the usage practices. All of these will continue to be
dynamic. With the evolution of technology, newer operational methods, etc.,
newer risks may arise and some existing risks may be mitigated fully or partly.
To take care of this, the basic management approach would be to:
> Check and collect all the IT risks, threats and specific weaknesses of the
technology pieces.
> Document these and get remediation implemented, in technology as also by
complementary usage-practice controls.
> Get the specific technical solutions (anti-malware, anti-phishing,
anti-virus, auto log-out of inactive logged-in users, updating the OS patches
using a regular periodic routine, etc.).
> Have security testing: Vulnerability Assessment, Penetration Testing,
Application Security Testing with random data and 'out-of-range'
