
Running head: SECURITY OF MOBILE BANKING APPLICATIONS

A Proposal to Advance the Security of Mobile Banking Applications from Man in the Middle Attacks

Student's Name

Institutional Affiliation

Date

Abstract

Mobile banking (m-banking) is one of the most vital applications of mobile commerce presently available. Mobile payments and banking are not only a popular way of conducting business transactions but are also advancing rapidly. However, despite their attractiveness, there are genuine security concerns surrounding man in the middle attacks. This study recommends a secure structure for communication between the back-end server and the mobile device, in order to protect m-banking applications from man in the middle attacks. The suggested framework does not introduce any additional threats to the mobile banking application's communication channel. The study recaps the privacy and security of critical financial data.

Keywords: man in the middle attacks, mobile banking, security, phishing attack



Introduction

Man in the Middle Attacks on Mobile Banking Applications

A businessman starved of motivation is like a king with no nation or a computer without the internet. E-commerce has become the term for the way every company and brand does business using the internet, and the innovation of mobile technology has changed how contemporary people use mobile devices in their day-to-day activities. A man in the middle attack is a recent form of attack in which the attacker intercepts messages during a public key exchange and then re-channels them. The attacker substitutes their own public key for the requested one, so that the two parties still appear to be communicating with each other. The attack takes its name from the ball game in which two people try to throw a ball directly to one another while a third party standing between them tries to catch it. Further, through mobile devices, numerous customers have gained access to stock market accounts that require their credentials. Mobile banking has thus enabled people from all walks of life to access a diverse range of financial institutions conveniently.

The intruder uses a program that appears to be the server from the client's point of view and appears to be the client from the server's point of view. The attack may be used simply to gain access to a particular message, or it may allow the attacker to alter the message before retransmitting it. Man in the middle attacks are commonly referred to as fire brigade attacks. According to Kumar et al. (2017), in their article on mobile banking adeptness on man in the middle and man in the browser attacks, mobile banking has exposed weaknesses in a broad range of applications running on web servers, smartphones, and computers.

These defects can make smartphones and computers increasingly vulnerable to attacks that expose sensitive data, credit card details, and passwords. Communication is central to e-commerce; hence it is vital to protect the connection between the mobile devices used by consumers and the financial institutions' servers (Althumairy, Shehri, & Ahamad, 2019). The documentation in place for mobile banking is less robust and contains many insecurities. Imposters therefore target three areas for crucial information: the mobile banking application, the bank servers, and the message while it is in transit.

Methods and Techniques Used by Hackers in Perpetrating Man in the middle attacks

Hackers use Zeus, a common man in the middle attack that targets smartphone banking applications. Zeus accesses banking information through form grabbing and keystroke logging. Unfortunately, it has proven challenging to detect Zeus even with up-to-date antivirus, which is why its malware family is among the most widespread botnets on the internet. The malware aims to compromise the security of the mobile banking system. Mobile devices powered by Google's Android operating system are endangered, since Zeus has developed a variant capable of running on Android phones. With this ability it can intercept passcodes sent to mobile phones in time to use them, forwarding the passcode to the attackers and giving them access to private online banking sessions (Aravamudhan, 2009).



Securing communication in mobile banking against Man in the middle attacks

Defense Strategies against Man in the middle attacks

Threats to mobile banking are rising continually, multiplying the need to come up with defensive strategies against man in the middle attacks. Many countermeasures are used to control man in the middle attacks and to secure communication in general, and in mobile banking in particular. Some of these measures provide a concrete security posture across the whole network, while others provide a precise defense against man in the middle attacks.

Knowing the Threats

It is vital to know the possible threats, because this gives an added advantage in identifying and gathering the information needed to implement defensive controls. Active controls are implemented to stop attacks, while passive controls are used to monitor for possible attacks. It is essential to know the types of attacks used, since this helps developers prepare against them; it also builds the awareness needed to prepare a defense against future threats in a dynamic world.

Defense-in-Depth Approach

There are various ways to implement defensive security controls across multiple layers of the network, and layered security is more challenging for an attacker to overcome in pursuit of their objectives. The first layer, composed of intrusion detection systems (IDSes), plays a vital part in minimizing the harm from attacks and hence curbing potential losses. For more reliable security, secondary defense measures need to be put in place; these could be physical security measures, in particular a well-placed firewall device. Secondary security helps to slow attackers down, since such layers are tedious to get past. The next layer, or the last line of defense, should be malware and virus protection, which reduces the chances of attackers completing their exploitation. Security is a process, and therefore monitoring, reviewing, and evaluating the security algorithms should be done periodically to provide all the protection needed (Zhou and Claudio, 2011).

Public Key Infrastructure (PKI)

Deploying a Public Key Infrastructure (PKI) that implements mutual authentication is one of the key activities in addressing man in the middle attacks. This design manages the use of public key cryptography. A PKI contains critical components that deal with the revocation of certificates as well as proving the validity of issued certificates, and it also provides an interface for encryption and signatures (Prowell, 2010).

Implementing PKI alone does not offer enough protection against man in the middle attacks. If the hacker can capture the key exchange at the beginning, they can still perform an attack; hence it is essential to implement other controls to complement the PKI. In addition, PKI can provide an appealing solution when coupled with mutual authentication.

Encrypted Protocols

Encrypted protocols reduce the possibility of attackers sniffing credentials off the network. Clear-text protocols such as HTTP, TELNET, and FTP expose credentials, whereas encryption provides an additional layer of security in protocols such as Secure Shell (SSH) and the Secure File Transfer Protocol (SFTP). Furthermore, encrypted protocols protect sensitive data transmitted by applications. Encryption adds a layer that attackers must break, which makes the attack complicated to carry out; hence encrypted protocols are highly recommended over clear-text protocols (Claudio and Zhou, 2011).

Confidentiality and Authentication

To convey data safely from the device, several security-minded plans should be considered, one of them being authentication. Authentication refers to the capability of verifying the channel used for communication. It is important because it ensures that the computer to which data is uploaded from the device is the only one that receives the data; with this ability, we can prevent a third party from accessing it (Jeon et al., 2011). Another consideration is the steps taken to prevent intruders from reading data that is currently in transmission.

Securing Server Interactions (Application Development)

Mobile banking involves data transmission between the server and the client application. Knowing the risks of transferring data over a given network therefore dictates the level of security required.
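As an added illustration of the mutual authentication that the Public Key Infrastructure section calls for, of the key substitution described in the introduction, and of channel authentication between the client application and the bank's server, the following Go program (written for this edit; it is not part of the paper or of any work it cites) stands up a toy PKI with the Go standard library. A bank root CA issues one certificate to the bank's server and one to an enrolled instance of the banking app, and a TLS handshake over a loopback socket is then run three times. The names bank-root-ca, api.bank.example and alice-phone are invented for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// identity is a certificate plus its private key, held in memory for the demo.
type identity struct {
	cert *x509.Certificate
	pair tls.Certificate
}

var serial int64 // distinct serial numbers for the certificates minted below

// must panics on error to keep the demo short; production code would handle it.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newIdentity mints a certificate for name. With parent == nil it is self-signed (the
// bank's CA, or an attacker's home-made certificate); otherwise the parent CA issues it.
func newIdentity(name string, isCA bool, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name} // the name a client matches its ServerName against
	}
	signerCert, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.pair.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey))
	cert := must(x509.ParseCertificate(der))
	return &identity{cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}}
}

// result records what each side concluded about the other after the handshake.
type result struct {
	ClientErr error  // non-nil when the app refused the server's certificate
	ServerErr error  // non-nil when the server refused the client's certificate
	PeerCN    string // client identity the server authenticated, if any
}

// connect runs one TLS handshake over loopback TCP. The server demands a client
// certificate chained to trustedCA (mutual authentication); the app accepts only
// a server certificate chained to trustedCA that carries serverName.
func connect(server, client, trustedCA *identity, serverName string) result {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA.cert)
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{server.pair},
		ClientAuth:             tls.RequireAndVerifyClientCert, // the "mutual" part
		ClientCAs:              pool,
		SessionTicketsDisabled: true, // one-shot session, nothing to resume
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: serverName}
	if client != nil {
		clientCfg.Certificates = []tls.Certificate{client.pair}
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	done := make(chan result, 1)
	go func() { // the bank's server side
		var r result
		s := tls.Server(must(ln.Accept()), serverCfg)
		if r.ServerErr = s.Handshake(); r.ServerErr == nil {
			r.PeerCN = s.ConnectionState().PeerCertificates[0].Subject.CommonName
		}
		s.Close()
		done <- r
	}()
	c := tls.Client(must(net.Dial("tcp", ln.Addr().String())), clientCfg) // the app side
	clientErr := c.Handshake()
	r := <-done // let the server reach its verdict before tearing the connection down
	c.Close()
	r.ClientErr = clientErr
	return r
}

func main() {
	ca := newIdentity("bank-root-ca", true, nil)
	api, phone := newIdentity("api.bank.example", false, ca), newIdentity("alice-phone", false, ca)
	rogue := newIdentity("api.bank.example", false, nil) // attacker's own key pair under the bank's name
	fmt.Printf("%+v\n", connect(api, phone, ca, "api.bank.example"))   // both sides accept
	fmt.Printf("%+v\n", connect(rogue, phone, ca, "api.bank.example")) // app rejects the substituted key
	fmt.Printf("%+v\n", connect(api, nil, ca, "api.bank.example"))     // server rejects the unenrolled app
}
```

The first handshake succeeds and the server learns which app instance it is talking to. In the second, the intercepting program presents its own key pair under the bank's name, which is the substitution the introduction describes; the app rejects it because the certificate does not chain to the bank CA (a certificate the bank CA did issue, but for a different host name, is rejected the same way, since the app checks ServerName). In the third, a client without a bank-issued certificate is refused by the server, which is what mutual authentication adds over one-sided TLS: a party that has not been enrolled cannot complete the handshake with the genuine server at all.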



References

Althumairy, A., Shehri, M., & Ahamad, S. (2019). A Secure and Robust Mobile Payment System. International Journal of Computer Science and Network Security, 19(1), 6.



Kumar, P. J., Hu, W., Li, X., & Lal, K. (2017). Mobile Banking Adeptness on Man-In-The-Middle and Man-In-The-Browser Attacks. Mobile Networks and Applications, 4(2), 13-19.
