
How to work on Mobile Banking(SMS Banking)?

    CoderForEver
    wrote on last edited by
    #1

    Hello guys. How are you doing? I am going to do my Senior Project on SMS Banking or Mobile Banking (but too limited scope). Currently in our country, none of the banks use this method; there is not even internet banking. Here is the idea of how I planned to do the project with 2 of my friends.

    Currently, college students who study abroad need money to be sent from their parents every month to cover expenses. So when the parents send the money, they go to the bank and fill in a bulk of forms, then it is sent to a bank which is near the student. The amount is drawn either from the parent's account or direct cash. Take the following cases in mind:

    1) It takes time.
    2) The student is not expected to have an account. S/he is expected to have an ID only.
    3) The parents might be too busy to go to the bank and fill in the form. Since it is a must, they have to go to send the money. But they might be losing something (maybe their golden time at work).

    So the purpose of my project is to make it fast, easy, more secured so that the money will be transferred using the parent's mobile (here there will be a mobile application which will send the data of the filled form to a central server where the parent's account is located). Then after authentication (which will be more SECURED), the server will send an encrypted ID (which contains the data of the parent, the amount, the student, etc.) to the parent's cellphone (which is encrypted). The parent will then send this ID to his son/daughter, and the son/daughter is expected to go with this ID AND with his student ID and show them to the bank's responsible person. When the responsible person gets the ID, he enters it into the system; it will then be decrypted so that the original information will be retrieved. This is the plan I wanted to do for my senior project.

    I found that a GSM modem is a must (it will act as a telephone on the server side to accept incoming SMS messages) in order to accomplish this task. I also found a software with which I can write code for the mobile application which is platform independent, and I planned to use C# for authentication on the server side. If you have any idea, please help me. Thank you.

      Michel Godfroid
      wrote on last edited by
      #2

      Encryption is not a good idea (for sending back the message). What would you use as encryption key? The ID of the student? That's easily obtained through social engineering, and may even not be a private thing in most schools. Also, if you have to encrypt all the data about the transaction, the encrypted string will be long and difficult to remember. On top of that, students will soon have a collection of 'encrypted' messages, together with their keys, and the unencrypted data. They'll soon pool these together, and reverse-engineer your encryption scheme. Furthermore, your scheme offers no opportunity for the paying bank to clear the transactions. What if a student goes round twice with the same message at two different branches?

      It's better to have a central server that distributes unique 'transaction keys', which point to transaction data on the server. (A 13-14 digit number seems to be the biggest that people can dictate and jot down without errors.) No duplicates of course, and the digits must be seemingly random. This has the advantage that, if a transaction is intercepted, it will only harm that transaction, and no others. It is also an unbreakable scheme, but it requires paying banks to have access to the central server, in order to retrieve the information. It also allows the paying banks to claim the money from the parent's bank, and to mark the transaction as paid, so it cannot be claimed twice.

        CoderForEver
        wrote on last edited by
        #3

        I will not use students’ ID. When I said ID, it is a kind of collection of strings (some from the name, from the branch, from his parents' name and others, including even the date (I will have some random picking of these strings by different mechanisms which I will use as an encryption, so that the decryption will be processed by a reverse mechanism)). Even if it is long, the user, either the parents or the student, will write it on paper, so that it will be neither forgotten nor easy to break. By the way, students and the parents will not know the unencrypted or decrypted data. Even if they go to the bank with a fake ID, how do you think it will be stored on the system? I mean the parents didn't send anything and neither did the bank store that data. And I forgot to mention deleting the transaction after it is completed (which will avoid claiming of a transaction twice). It is done when the student gets his cash. It is also possible to notify the parents whether their child got the money or not. Does that make sense? Because of the problem of technology in our country, to have a central server is unimaginable. Thank you for your response.

          Michel Godfroid
          wrote on last edited by
          #4

          CoderForEver wrote:

          to have a central server is unimaginable

          Well, you still need it for clearing the transaction, and for verifying the transaction exists :) This was the whole argument for keeping 'cheques': A cheque was a difficult to duplicate, uniquely numbered piece of paper. As long as central servers were not practical, they provided a clearing mechanism which was based on physical evidence. As soon as the evidence is electronic, and by definition allows copying without data loss, clearing HAS to be done through a central server.

          Your system of picking pieces of strings from various bits of information is well-known by old programmers like myself. It was used for example by tour-operators to check the validity of voucher claims entered by hotels and transportation companies. But it was not fail-safe. We used it because the paying departments didn't have access to online terminals, and still had to dispatch payments. (Waiting for the weekly batch processing was not an option). It is a typical example of security by obscurity, which is a bad practice nowadays. (In those days, most people had never heard of a computer, much less had access to one, so it didn't matter so much.) It also provides an opportunity for key collision. Once your encryption algorithm starts omitting data from the key or the data, it becomes a hashing algorithm, and cannot guarantee uniqueness any more.

          Do telephone operators sell pre-paid rechargeable cards in your country? I suppose they do. Well here if you want to recharge your phone, you go to local phone shop, and you buy credit from an operator. The cashier punches in the amount, and the cash register requests a 13-digit number from the operator network. This is then printed on your receipt. And this is the number you send to your mobile operator to claim the credit on your phone. Your phone is then topped up, and the transaction is cleared. This is a typical example of an easily duplicated piece of evidence, which can still be only used once. It ALWAYS requires a central server. Breaking it is impossible, because it is impossible to guess a valid, active transaction number.

          Sending a message back to the parents? Sure why not, but how long are you going to wait before sending a no-claim message? And will this no-claim message cancel the transaction?

            CoderForEver
            wrote on last edited by
            #5

            Oh, sorry. When I mentioned the central server, I think I wrote the wrong idea. So, yes, they do have a central server. The idea of the telephone operators sounds nice. It works in our country; once upon a time it had a problem which is fixed now (the problem was, if you take one card and send it to the mobile operator, and at the same time your friend is doing the same thing but both of you are using only one card, both of you will get the amount on the card, i.e. by concurrency you faked the operator. But this time, even if I don't know how they did it, the problem is fixed). About the claim, I hope I will wait maybe up to 2 or 3 days for the student to take the cash. If not, the amount will be transferred back to the parent's account. I think it is a good idea, isn't it? About the encryption, can you tell me the best algorithm for this one, or recommend me a free book or sites to read about it? Thank you Michel.
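The central-server scheme Michel describes in posts #2 and #4, combined with the simultaneous double claim and the expiry window raised in post #5, as an added C# example that is not code from either poster. `TransferStore`, `Issue`, `Claim`, the recipient-ID check and the sample values are hypothetical names and assumptions made for illustration; an in-memory dictionary stands in for the bank's database.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Threading;
using System.Threading.Tasks;

public enum ClaimResult { Paid, NotFound, WrongRecipient, Expired, AlreadyPaid }

public sealed class Transfer
{
    public string RecipientId = "";   // compared with the ID shown at the counter
    public decimal Amount;
    public DateTime ExpiresUtc;
    public int State;                 // 0 = open, 1 = paid; changed only via Interlocked
}

public sealed class TransferStore
{
    private readonly ConcurrentDictionary<string, Transfer> _transfers = new();

    // 13 decimal digits from the OS CSPRNG. The key encodes nothing about the
    // transaction; it only points at the record held on the server.
    private static string NewKey()
    {
        var digits = new char[13];
        for (int i = 0; i < digits.Length; i++)
            digits[i] = (char)('0' + RandomNumberGenerator.GetInt32(10));
        return new string(digits);
    }

    public string Issue(string recipientId, decimal amount, TimeSpan validFor)
    {
        var t = new Transfer { RecipientId = recipientId, Amount = amount,
                               ExpiresUtc = DateTime.UtcNow + validFor };
        string key;
        do { key = NewKey(); } while (!_transfers.TryAdd(key, t)); // no duplicate keys
        return key;
    }

    public ClaimResult Claim(string key, string recipientId, DateTime nowUtc)
    {
        if (!_transfers.TryGetValue(key, out var t)) return ClaimResult.NotFound;
        if (t.RecipientId != recipientId) return ClaimResult.WrongRecipient;
        if (nowUtc > t.ExpiresUtc) return ClaimResult.Expired;
        // Atomic open -> paid transition: however many branches present the same
        // key at the same instant, exactly one of them sees the old value 0.
        return Interlocked.CompareExchange(ref t.State, 1, 0) == 0
            ? ClaimResult.Paid
            : ClaimResult.AlreadyPaid;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new TransferStore();
        // Constructed sample data: recipient "STU-0001", amount 250, valid for 3 days.
        string key = store.Issue("STU-0001", 250m, TimeSpan.FromDays(3));

        int paid = 0;
        Parallel.For(0, 50, _ =>   // 50 counters try to pay out the same key at once
        {
            if (store.Claim(key, "STU-0001", DateTime.UtcNow) == ClaimResult.Paid)
                Interlocked.Increment(ref paid);
        });
        Console.WriteLine($"key={key} successful payouts={paid}");

        // A key that was issued to someone else's ID, and a fresh key presented late.
        Console.WriteLine(store.Claim(key, "STU-9999", DateTime.UtcNow));
        string late = store.Issue("STU-0001", 100m, TimeSpan.FromDays(3));
        Console.WriteLine(store.Claim(late, "STU-0001", DateTime.UtcNow.AddDays(4)));
    }
}
```

With a real database behind it, the same open-to-paid step would be a single conditional update on the transaction row rather than a read followed by a write.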

              Michel Godfroid
              wrote on last edited by
              #6

              CoderForEver wrote:

              by concurrency you faked the operator

              Probably because their central server had some bugs ;P

              CoderForEver wrote:

              If not the amount will be transfered back to the parent's account

              Be careful with those things. Once you enter the wonderful world of online banking, local regulations may apply. I'm not sure if banks in your country can (or will) reverse a transaction which has not been opposed by the initiating party. There may be rules regarding the validity and expiry date of the transaction, and since you will be introducing a new form of payment, you will be exploring uncharted legal territory. Now since this is a senior project, this will not matter much (you'll be building a prototype) but if you pursue this project further later, you should get legal advice.

              Regarding encryption and signing, you stand no chance of having your project adopted (by the banks) if you don't have at least 2-factor authentication (something you own - something you know): http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci992919,00.html

              What banks use in my country for GSM payments is as follows: The bank assigns you a personal certificate, which is stored on the SIM card chip (this requires cooperation of the mobile operators, who distribute the SIM cards, and must allow the certificate to be stored there). This certificate (on the chip) is the something you own. They also assign you a pin code, or you use the standard GSM pin-code, which unlocks the personal certificate on your card. This is the something you know. (The personal certificate won't be regurgitated by the card if you don't type the right pincode.) Once you have the personal certificate, you can use this certificate's keys to encrypt and/or sign any messages between the bank and the payer (in this case the parents).

              Of course, for a senior project, you won't be able to use all this (building your own SIM-cards and re-programming them might be a bit out of scope). But you should at least be able to simulate the process (maybe not on a mobile phone, but on a PC), in order to demonstrate that you thought about the problem.
On the receiving side, it's a bit more complicated (or

                CoderForEver
                wrote on last edited by
                #7

                Hello my friend. I think we got to go on the SMS banking thing. But we got one trouble before we submit our proposal. The following is the description. Please help me if you know anything about it. Currently, we are not using a GSM modem but CDMA, because we can't find a GSM modem in our area. We also found a lot of applications that are done using Java MIDI, that are for mobile applications. We also found a tool, NetBeans, for developing our software. But there is one thing. We got an application which sends and receives SMS messages. But we can't view the SMS message. It is encrypted or I don't know about it. I also found that if I use a port number for it, it will be easy. So we have also found an application which uses GSM and works on a serial port. The problem is we are now using a USB port (the CDMA works like a flash .... it uses USB port), not a serial port, and the application is not working for us. So, if you know, please, how can we use the USB port to send data using this CDMA device? By the way, we also used HyperTerminal on Windows 7 to work with this application. I hope to hear from you soon. Bye
