Mobile Banking
The objective of this Unit is to understand
> Brief history of Mobile banking
> Product features and diversity
> IMPS
76 MODULE A: DIGITAL BANKING PRODUCTS
The advancement of mobile banking can be attributed to advancement in internet services. The launch of smartphones with WAP services enabled banking to be accessible via the mobile web. Today, most services are offered over dedicated mobile based apps of most banks.
[Figure: timeline of mobile banking]
Early 90s: No internet required. 'Pull' services offered, for example the customer sends a designated code for account balance and the bank sends back account balance information. 'Push' SMS services: account alerts sent automatically, mostly in real time.
Early 2000: Introduction of smartphones with WAP support, enabling the use of mobile web banking; the bank website and the services therein accessible on mobile and tablets.
2010 onwards: Initial success of iPhone and rapid growth of Android based apps; mobile device detection, customers are diverted to a mobile based website or app.
The Future and beyond: Smart wearable devices will approach 130 million by 2018, 10 times higher than estimated in 2013. These wearables are capable of providing a number of opportunities to financial institutions worldwide.
As per COAI, the telecom subscriber base was 981.65 million by December 2017 (report - ET Telecom). TRAI reported separately that the telecom subscriber base reached 1190.67 million in December 2017.
We see that there are some variations in these estimates, but on the whole
the base is steadily expanding.
India may reach a 1.22 billion telecom subscriber base by 2022 by some estimates.
The Internet user base in India is expected to reach 627 million in 2019.
India is predominantly a cash based economy. The current expansion of internet use and mobile phone use presents an opportunity to widen non-cash transactions. It is the ubiquitous mobile penetration which is the most promising option for inclusive banking and financial inclusion. The need of the hour is to come up with an innovative mobile payments system that is customized to the Indian ecosystem, solving real problems and having mass appeal and acceptance.
A mobile banking transaction is far more economical than a transaction done through traditional banking channels, in terms of either per-transaction costs or per-branch costs.
Banks have been offering many kinds of mobile banking services through the SMS channel, viz.:
Non-Financial transactions
> Balance Enquiry
> Mini statement
> Cheque Book Request
> Transaction alerts
Financial Transactions
> Funds Transfer
> Mobile/DTH Recharge
> Bill payments
In order to avail mobile banking services through the SMS channel, the customer needs to send the request with a keyword and parameters to an SMS short code or long code number; e.g., for Balance Enquiry, the customer can send, by SMS, BAL to 566XXXX (short code) or to 92XXXXXXXX (long code). This request travels from the mobile phone to its cellular telephone service provider, to the provider of the called (bank's) number, then to the bank's number and thereafter, after conversion in the bank's mobile application server, to its banking server for the banking data. In the reverse leg, the end-customer receives the response via SMS. These short codes are standardised for the Indian banking system, both for banks and telecom operators.
The drawback of SMS based mobile banking is that the customer needs to know the exact syntax of the SMS for making the transaction. Moreover, the SMS channel is not end-to-end encrypted unless there is an application on the handset, so all the interim hops at the telephone provider and the bank server employees have clear visibility of the message, and an intercepted copy of the message or transmission data will also be in open plain text. Further, the SMS remains in SMS format in the sent items of the phone. All of these are security threats.
UNIT 4: MOBILE BANKING 79
[Figure: *99# main menu options: Send Money, Request Money, Check balance, My profile, Pending request, Transactions, UPI PIN]
Now the customer can use all these options, including payments based on UPI address, Aadhaar, bank account, IFSC, etc., without internet or a smartphone, without different elaborate menus, and without having to remember USSD codes.
*99# is the main menu in English. For other languages the code expands,
e.g., *99*23# is for Tamil.
The original format, released in 2014 and working only with GSM phones, is referred to as USSD 1.0, and the enhanced form released with BHIM in December 2016, adding the BHIM and UPI capabilities, is referred to as USSD 2.0.
A common code *99*99# has been adopted for all TSPs. It is called Query Service on Aadhaar Mapper (QSAM) and allows users to check the Aadhaar seeding status of their bank account along with the last updated date.
Services Offered
Financial Services
> Fund Transfer using Mobile number and MMID
> Fund Transfer using Account number and IFSC
> Fund Transfer using Aadhaar number
Non-Financial Services
> Balance Enquiry
> Mini Statement
> Know MMID
> MPIN: Generate MPIN, Change MPIN
> Generate OTP
Value Added Services
> QSAM (Query Service on Aadhaar Mapper) or *99*99#
Process Flow
Transaction Flow
The high level transaction flow of the *99# service is given below:
[Figure: *99# transaction flow. The Telco 1 USSD Platform and Telco 2 USSD Platform each connect over SMPP to their Telco USSD Gateway; the telco gateways connect over XML/HTTPS to the NPCI Gateway (NPCI USSD Platform); NPCI connects over XML/HTTPS to Bank 1 and Bank 2.]
Features
> USSD uses voice connectivity, so it is available 24x7, needs no app or software and no Internet connection, and works on any phone.
> Accessible through a common code *99# across all TSPs
> No additional charges, while roaming, for using the service
> USSD has been an additional channel for real-time banking services and financial inclusion.
> Low cost, convenient. RBI has placed a Rs. 5000 cap for a transaction.
4.2.4 Mobile Banking: Application based
Almost all banks have been offering application based mobile banking services to their customers. The application is offered on multiple platforms such as Java, Symbian, Windows, Android, iOS, etc. Bank customers need to download the application and can then avail a host of banking services such as:
> Non-Financial transactions: Balance inquiry, Mini statement, Cheque book request
> Financial transactions: Fund transfer, Mobile/DTH recharge, Bill Pay etc.
> Others: Cards, Loans, Forex, Investment and Insurance, Internet banking features, etc.
Once downloaded, these mobile banking applications are easy and efficient to use for customers who are proficient in using smartphone applications. These applications are now available across a host of platforms covering a wide range of smartphones in use. It has been the experience of banks that once a customer has used the mobile banking app, he continues to use it unless there is a change of handset or mobile number. However, to use a mobile banking app a customer needs to have a GPRS subscription to download the application and perform transactions. The customer also needs to have a compatible handset and keep upgrading the app for any enhancement or update.
4.2.5 Mobile Wallets
In recent years, the payments industry has witnessed many innovations in payment systems, especially in the area of mobile payments. With the increase in the mobile subscriber base and mobile internet usage in India, opportunities have arisen for the creation of a new business line. One of these has been the Mobile Wallet.
Mobile wallet transactions were 33 million in FY 2013, 255 million in 2015 and 1630 million in 2017, having values of INR 10, 82 and 532 billion in these years respectively [RBI data, quoted by E&Y]. The growth is very steep. In FY 2020, the projection is for 11 billion transactions, valued at 17 trillion INR.
The advent of players (Paytm, Mobikwik, PhonePe, etc.) and the introduction of products such as UPI, BHIM etc., as also the Govt. push after demonetisation, have driven this high growth.
Let us understand how a mobile wallet works.
A mobile wallet is a mobile-based virtual container, where the user can preload a certain amount in his/her account created with the mobile wallet service provider, and spend it thereafter at online and offline merchants listed with the mobile wallet service provider. For example, if the user goes to a coffee shop A, which is listed with XYZ mobile wallet, he/she can pay for the coffee through the phone. Depending on the service provider, one can also pay through an app, text message, social media account or website. For example, companies like Paytm, Mobikwik, Freecharge etc. have tied up with various merchants for accepting payments from customers through their mobile wallets.
Mobile wallets can either be bank owned or non-bank owned. A non-bank provider should have a PPI licence from RBI before launching a mobile wallet. Using mobile wallets, customers can make any type of transaction, right from utility payments to e-tailing (online purchases) and offline payments.
There are separate guidelines issued by RBI for the issuance of Prepaid Payment Instruments (PPIs); a mobile wallet is one such instrument.
Merits and Demerits of Mobile Wallets:
Merits:
> While a physical wallet can be snatched, misplaced or pickpocketed, a mobile wallet, like any other virtual wallet, cannot be.
> Secondly, virtual payments are easy, as one need not carry exact change of currency.
> Also, mobile wallets allow the user to pay in one tap, unlike net banking, which can call for opening several sub-sites and is time consuming.
Demerits:
> Only mobile-savvy people (with a dependable and speedy internet connection) can use such services.
> There are only a limited number of merchants currently listed, so one would still need net banking or cash or card.
> There is a limit to the amount one can deposit in mobile wallets and spend daily, which means mobile wallets are not useful for high value payments.
4.3 IMPS
Immediate Payment Service (IMPS) is a real time payment service that is available 24x7 and 365 days a year, including public holidays. It facilitates inter-bank, account to account fund transfers. IMPS is available on
[Figure: IMPS transaction flow. The remitting bank customer initiates the transaction on his mobile and authorizes it with his MPIN; the beneficiary bank validates account details and credits the customer account; the beneficiary bank advises the switch of approval or rejection of the transaction; both remitter and beneficiary bank initiate an SMS to their respective customer informing them of the transaction status.]
> Wrob Trojan - poses as the Google Play app and replaces installed banking apps with Trojan clones
> Zert Security Trojan - impersonates the bank login and steals credentials.
> Droid Dream Rootkit - this malware works on Android mobile phones. It goes to the basic level (core of the software) and can change the software, steal data and even install malware.
> Key logger Spyware - poses as a third party keyboard that sends keystrokes and contextual information to the attacker.
Other Risks associated with Mobile Banking
A. Data Mining and Theft
> Mobile devices contain increasing amounts of data and means to access data about individuals.
> Criminals understand big data and can leverage analysis for targeted attacks.
> Thus mobile devices may be at risk of being accessed/mined to reveal credentials and usage habits of the owner, which may be misused.
B. SIM Swap Fraud
a. Fraudsters get the user's SIM blocked and obtain a fresh SIM card (by impersonation and falsehood), and can then receive the user's OTPs, messages etc. coming to the phone. App-based or automated payments of all types can be attacked, as also user initiated transactions.
b. Targets vulnerabilities in carrier infrastructure.
c. Requires off-device risk-assessment techniques.
d. A good practice is to periodically check the bank account balance and latest transactions, and
e. take up any unusual activity or absence of usual routine activities.
C. Device Impersonation: Some applications bind the mobile app to the customer's mobile phone using technical identifiers of the mobile phone (this also happens for internet banking on a laptop/mobile). After fraudulently obtaining these device parameters, any other device may be used to attempt to operate the mobile banking.
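The off-device risk assessment that points B and C call for can be made concrete on the bank side. The following Python is an added example, not from the page or any bank's system: it combines a carrier lookup of the SIM (IMSI and last SIM change) with the device identifier the app was bound to, and decides whether a transaction is allowed, needs out-of-band confirmation, or is denied. The policy values, the class names and the sample data are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed policy values (not from the page): a SIM changed within this window is treated
# as suspect, and a flagged transaction above this amount needs out-of-band confirmation.
SIM_CHANGE_WINDOW = timedelta(hours=48)
STEP_UP_AMOUNT = 2000.0

@dataclass
class CustomerProfile:
    """What the bank holds: mobile number, the device identifier captured when the app
    was registered (device binding) and the SIM identifier (IMSI) seen at that time."""
    mobile: str
    bound_device_id: str
    bound_imsi: str

@dataclass
class CarrierRecord:
    """Off-device data obtained from the telecom operator for the mobile number."""
    imsi: str
    last_sim_change: Optional[datetime]

@dataclass
class MobileTransaction:
    mobile: str
    device_id: str
    amount: float
    at: datetime

def risk_flags(tx: MobileTransaction, profile: CustomerProfile, carrier: CarrierRecord) -> list:
    """Indicators named on the page: a recent SIM swap, a SIM that is not the bound one,
    and a device that is not the one the app was registered on (device impersonation)."""
    flags = []
    if carrier.last_sim_change and tx.at - carrier.last_sim_change < SIM_CHANGE_WINDOW:
        flags.append("sim-changed-recently")
    if carrier.imsi != profile.bound_imsi:
        flags.append("imsi-mismatch")
    if tx.device_id != profile.bound_device_id:
        flags.append("device-mismatch")
    return flags

def decide(tx: MobileTransaction, profile: CustomerProfile, carrier: CarrierRecord) -> str:
    """'allow', 'step-up' (confirm through a channel that does not depend on the SIM, such as
    a call-back or branch visit; an SMS OTP would reach the swapped SIM) or 'deny'."""
    flags = risk_flags(tx, profile, carrier)
    if not flags:
        return "allow"
    sim_suspect = "imsi-mismatch" in flags or "sim-changed-recently" in flags
    if "device-mismatch" in flags and sim_suspect:
        return "deny"            # new device plus new SIM: the SIM swap pattern
    if "device-mismatch" in flags:
        return "step-up"         # re-bind the device only after confirmation
    return "step-up" if tx.amount >= STEP_UP_AMOUNT else "allow"
```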
[Figure: internet banking schematic. Components: Bank's Internet Gateway, cabling in the bank, Core Banking, Banking/Mobile Data Centre, Backup.]
For a USSD/SMS based solution, the customer operates his phone instead of his computer. The computer had programs for data entry, menu selection, encryption/decryption, data transfer/upload, etc., controlled by the application at the host at the ISP and the application at the bank gateway for the service, as in the above schematic. For USSD/SMS the difference is that the phone has to enter details as per a known syntax (or select from a menu pushed by the telephone operator, by number only) and send them to the mobile network provider as cell phone message output. An applet in the SIM card invokes and enables the mobile application. The application here also encrypts, manages keys, displays data/options on the phone screen, keeps traffic counts and controls, etc. The application at the network provider end will operate using such input values and interact with the application at the bank gateway, computer-to-computer as in the internet banking case. The network end application will have two different modules, or two applications altogether, to talk to and fro with the computer behind it and the cell phone in front of it, among others. The actual implementation will differ from vendor to vendor.
As an example, to help a detailed understanding, we illustrate the secure processes at the middle layer for SMS banking. It consists first of a module to receive the SMS, verify it and pass it to the next module (OSG); this converts the SMS messages to HTTP format, and controls the SMS/USSD exchange with the cell phones in the transaction activity like a session (instead of continuing in the store-and-forward experience associated with SMS/USSD). This delivers to the next module, which is the outward gateway to the bank and back (BMS). This module, apart from exchanging with the bank system in sessions, keeps track of data/messages sent and received, and also helps in traffic management between itself and the bank gateway, as well as encryption, etc. A secure hardware device called an HSM (Host Security Module) is used at times by most technology operators. The HSM, a tamper-proof hardware component, provides state-of-the-art cryptographic functions to the BSP (Bank Secure Platform). Upon receiving a request from the BSP, it performs cryptographic operations, generating transaction keys and encrypting and decrypting sensitive information. The HSM also manages the cryptographic keys used to secure mobile financial transactions. The HSM is further enhanced with the Mobile Shield firmware for secure business transactions.
At times an Adaptor is provided.
Adaptor: The Adaptor, required only when non-standard interfaces to the bank systems are used, is a customizable module that translates messages to and from the format used by the bank's back-end. The Adaptor seamlessly insulates the BSP from the specifics of the bank systems' interfaces.
The diagram below, from Gemalto, illustrates this. Incidentally, this is an example, and there will be other implementations from other providers varying in details.
[Figure (Gemalto): User, Mobile Operator and Financial Institution domains. User: mobile handset with SIM applet. Mobile Operator: SMSC, OTA and OSG, with SMS/STK towards the handset and HTTP/XML towards the bank. Financial Institution: BMS, BSP with HSM, Adaptor, and the bank systems (account management, broker) reached over HTTP/XML or standard interfaces.]
We see that the above example considers an OTA (Over The Air) component in the telecom network provider as part of the model, so that all updates can be remotely effected, both in the SMS reading and processing engine and in the module interacting with the bank.
Network Configuration:
An operator can provide the service to subscribers that have bank accounts with different financial institutions. A bank can also choose to work with several operators, to provide mobile banking services to its customers independently of their mobile service provider. It is also possible for several banks with light mobile banking traffic to share a Bank Secure Platform.
4.6.1 End-to-end Security
Since mobile banking transactions can be initiated from almost anywhere and transaction details are transmitted over unprotected networks, end-to-end security and confidentiality of data is attempted by ciphering information for secure transfer over the mobile phone, the GSM network, the operator's infrastructure and the connection to the financial institution. The information entered by the user is collected and encrypted by the applet residing in the tamper-proof SIM card.
[Figure: end-to-end ciphering of user data across the mobile phone, GSM network and financial institution.]
mation is kept exclusively at the bank, which also has the sole control over
the cryptographic keys used to secure financial transactions.
Strong 2-factor Authentication:
Bank customers must be sure that no one can make transactions on their behalf, and banks must be able to verify that customers are indeed who they claim to be. Most banks have responded to this requirement with strong two-factor authentication.
Mobile Banking Application PIN:
Users are required to identify themselves to the bank with a Mobile Banking PIN that protects access to financial information and transactions. Secret keys known only to the SIM card and the bank are used to encrypt and sign transaction data, further proving the identity of the user.
Data Integrity:
Since data is digitally signed, any attempt to manipulate it will be detected, because the signature will no longer correspond to the signed message.
Non-repudiation:
In the context of mobile banking, non-repudiation refers to authenticating the customer and the financial institution participating in a financial transaction with a high degree of certainty, so that the parties cannot later deny having performed the transaction. To ensure non-repudiation, a proof must be generated to show that the transaction was performed by that party. This can be addressed by the following:
> A user PIN known only to the user and protected by encryption
> A transaction confirmation code sent by the bank
> A transaction log that records the details of every transaction.
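The following Python is an added example, not code from the page or from Gemalto, that models the SIM-applet scheme of 4.6.1 together with the data integrity and non-repudiation points above, in contrast to the plain-text SMS request of 4.2: a secret key shared only by the SIM and the bank encrypts and signs the request, the bank rejects any altered or replayed message, checks the PIN, logs the transaction and returns a confirmation code. The HMAC-based keystream stands in for the SIM's cipher, and the keys, MPIN and account values are constructed demo values.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed demo secrets. In the scheme described, these exist only in the SIM applet
# and at the bank (inside its HSM); they are fixed here so the example is reproducible.
SIM_ENC_KEY = b"demo-enc-key-shared-by-sim-and-bank"
SIM_MAC_KEY = b"demo-mac-key-shared-by-sim-and-bank"
MPIN_HASH = hashlib.sha256(b"4321").hexdigest()   # the bank keeps a hash of the user's MPIN

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib stand-in for the SIM's block cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

def sim_applet_build(account: str, request: str, mpin: str, seq: int,
                     nonce: Optional[bytes] = None) -> dict:
    """SIM side: encrypt the request fields (unlike the plain 'BAL' SMS of 4.2), then sign
    nonce + sequence number + ciphertext with the MAC key. seq must increase per message."""
    nonce = nonce or os.urandom(12)
    plaintext = json.dumps({"acct": account, "req": request, "mpin": mpin}).encode()
    ct = _xor(plaintext, _keystream(SIM_ENC_KEY, nonce, len(plaintext)))
    tag = hmac.new(SIM_MAC_KEY, nonce + seq.to_bytes(4, "big") + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "seq": seq, "ct": ct.hex(), "tag": tag}

def bank_process(msg: dict, last_seq: int, tx_log: list) -> tuple:
    """Bank side: verify the signature first, reject replays, decrypt, check the MPIN,
    then log the transaction and issue a confirmation code. Returns (ok, reason, code)."""
    nonce, ct, seq = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ct"]), msg["seq"]
    expected = hmac.new(SIM_MAC_KEY, nonce + seq.to_bytes(4, "big") + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "signature mismatch: altered in transit or not from this SIM", None
    if seq <= last_seq:
        return False, "replayed message", None
    fields = json.loads(_xor(ct, _keystream(SIM_ENC_KEY, nonce, len(ct))))
    if hashlib.sha256(fields["mpin"].encode()).hexdigest() != MPIN_HASH:
        return False, "wrong MPIN", None
    entry = {"seq": seq, "acct": fields["acct"], "req": fields["req"], "tag": msg["tag"]}
    # Confirmation code: a bank-keyed MAC over the logged entry, sent back to the customer.
    # The log entry, this code and the SIM-signed tag form the non-repudiation proof.
    code = hmac.new(SIM_MAC_KEY, json.dumps(entry, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()[:8]
    tx_log.append({**entry, "confirm": code})
    return True, "ok", code

def simulate_tampering(msg: dict) -> dict:
    """Flip one bit of the ciphertext to show that the bank detects the change."""
    ct = bytearray(bytes.fromhex(msg["ct"]))
    ct[0] ^= 0x01
    return {**msg, "ct": ct.hex()}
```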
4.6.2 Transaction Flow
A mobile banking transaction is initiated by the mobile user and is completed when the result is displayed on the user's phone. The following example shows the communication flow for an account balance request.
The mobile user sees the result of his or her request on the phone
display.
4.7 Information Security Tips
> We have covered some security issues; a few risks were mentioned, as also suggestions for protections. A common guideline to be remembered is that the specific weakness areas depend on the current technology solution, the current technical platform, and the usage practices. All these will continue to be dynamic. With the evolution of technology, newer operational methods, etc., newer risks may arise and some existing risks may be mitigated fully or partly.
To take care of this, the basic management approach would be to
> Check and collect all the IT risks, threats and specific weaknesses of the technology pieces.
> Document these and get remediation implemented, in technology, as also by complementary usage practice controls.
> Get the specific technical solutions (anti-malware, anti-phishing, anti-virus, auto log out feature for inactive logged in users, updating the OS patches, using a regular periodic routine, etc., etc.)
> Have security testing - Vulnerability Assessment, Penetration testing, Application Security testing with random data and out-of-range'