Trust and Security issues of Mobile banking in cloud
*Mr. P. Gurava Reddy **Dr. M. Ashok
Assoc. Professor, Dept. of CSE, CMREC. Principal, SSJEC, hyd.
Abstract: Banks are setting aside their concerns about security and control in order to gain the business benefits of running core applications in the cloud. Financial firms have nevertheless been more cautious than other industries in adopting cloud services, with data security and regulatory concerns in mind. It is becoming increasingly clear that the cloud offers many advantages to banks. According to Gartner, the public cloud market is forecast to grow rapidly. However, mobile cloud computing still faces security challenges. Here we address the trust and security issues of the mobile cloud as they relate to banking applications, with the help of the SBE engine. Security becomes a major issue for lightweight devices when users browse malicious sites. The system uses mobile-cloud-based virtual computing to give each user a Virtual Machine (VM) that acts as a security proxy through which Web transactions are redirected. Within the VM, the SBE uses crawling technology together with checking services to validate IPs, addresses and certificates.
Keywords: SSE, VM, Web, Cloud computing.
Innovations in security and cloud computing technologies are driving banks and other financial firms to focus on the best ways to offer trusted, secure, easy and convenient services to their customers. It is becoming increasingly clear that the cloud offers many advantages for mobile banking, and here Bank System & Technologies examines four ways in which banks are taking advantage of the cloud's benefits.
Payments: As banks look to move more functions to hosted environments, perhaps one of the most natural to bring to the cloud is payments. Banks are already processing payments in a cloud environment, even if they do not realize it.
Preventing Disintermediation: The other reason for mobile banking to embrace cloud payments is to stave off the threat of disintermediation.
Managing Documents of the Cloud
The cloud provides clear benefits for document management, such as faster system deployment, lower cost of ownership and the ability to rely less on specialised talent by using an enterprise-level content provider that offers a hosted cloud product.
Platform-As-a-Service: Platform-as-a-service may not receive as much hype as other cloud services. The cloud may give smaller banks more options for using analytical capabilities that they lack the resources or talent to manage on their own, but that lack of data talent still poses a risk for a bank even when the work is outsourced.
However, cryptographic algorithms alone do not protect against human weakness, which security protocol designers have to account for in all security protocols. An SSL-supporting browser is an example of this kind. Our research focuses on two major issues caused by human error, man-in-the-middle (MITM) attacks and web-based phishing attacks, both of which require the user to decide manually whether to accept or reject a web site. The attacker can intercept requests through spoofing or poisoning attacks and then confuse the user into sending requests. An SSL-Strip attack exploits the fact that a user may request a web site by initiating an unsecured HTTP request. On receiving the request, the web server sends an HTTP redirect message asking the user to initiate an SSL session. The attacker intercepts the redirect message and initiates an SSL session to the web server itself, without forwarding the redirect to the user. After setting up the SSL connection to the server, the attacker sends unencrypted web pages to the user. To the user the pages look the same; what differs is the protocol name, which would otherwise change from “HTTP” to “HTTPS”, and the lock logo that would appear in the web browser. The problem becomes more severe when lightweight mobile devices are used.
As with the SSL-Strip attack, a phishing attack shows the user the exact web content and layout of the real site, except that the web address differs and the lock logo does not appear in the browser status bar. To address these attacks, many browsers such as Firefox, Internet Explorer and Chrome use an anti-phishing filter that checks web-address repositories and alerts the user if a phishing site is found. Test results show that the false-negative rate is high, for several reasons. First, the cost of hosting sites has fallen, and tools such as dyndns.org can map dynamically changing IPs to a domain, so attackers can easily change their domain names and the corresponding IPs. In addition, most phishing-site repositories rely on users to report phishing sites to them, which introduces delay, so the information in the repositories lags behind fast-changing phishing sites.
II. RELATED WORK
Jackson et al. introduced ForceHTTPS, which forces the web browser to open secure connections to the destination. If the destination does not support an SSL connection, the user needs to set up policies for ForceHTTPS. This approach does not prevent MITM attacks, because an attacker can insert new HTTPS requests, return a “no-HTTPS-support” message and force the browser to initiate an HTTPS session. Other authors proposed solutions for countering web-based MITM attacks by introducing certificate checking and specific password warnings into the browser. This method validates a certificate and checks for a password or address sent in an unsecured way.
Many researchers have developed anti-phishing tools for checking web URLs. One study evaluated the effectiveness of different anti-phishing tools such as IE7, Firefox 2 and SpoofGuard; its results showed that the evaluated methods and tools are not very effective at finding phishing URLs. Zhang et al. proposed a phishing-site filter, “CANTINA”, which makes use of hyperlinks and term frequency-inverse document frequency (tf-idf); tf-idf is a weighting that gives low priority to commonly repeated words. When a web URL is fed into CANTINA, it computes the tf-idf scores for the web page, generates a lexical signature from the top 5 tf-idf terms, and uses Google Search to verify whether the specific web site appears in the top N results. The drawback of CANTINA is that it always depends on the crawler. When a new web page goes up, it can stay online for around 53 hours, which means it may not have been crawled by the Google engine.
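The CANTINA check described above, as an added example in Python that is not code from the paper or from CANTINA's authors: it builds the top-5 tf-idf lexical signature of a page and tests whether the page's host appears in the first N search results. The page text, background corpus, host names and the two search stand-ins are constructed for illustration; the idf formula is one common variant and hosts are compared by exact match.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample data: a page under test and a tiny background corpus.
PAGE = ("Examplebank netbanking login. Examplebank customers sign in to "
        "Examplebank netbanking to view account balance and transfer funds")
CORPUS = [
    "Sign in to your account and view your login history",
    "Customers can transfer funds and check the balance of any account",
    "Login help: reset your password and sign in again",
]

def tokens(text):
    """Lower-case words of three or more letters."""
    return re.findall(r"[a-z]{3,}", text.lower())

def lexical_signature(page, corpus, k=5):
    """Return the k terms of `page` with the highest tf-idf score."""
    tf = Counter(tokens(page))
    total = sum(tf.values())
    doc_terms = [set(tokens(doc)) for doc in corpus]
    n_docs = len(corpus) + 1            # background documents plus the page
    scores = {}
    for term, count in tf.items():
        df = 1 + sum(term in terms for terms in doc_terms)
        scores[term] = (count / total) * math.log(n_docs / df)
    # Highest score first; ties broken alphabetically so the result is stable.
    return sorted(scores, key=lambda t: (-scores[t], t))[:k]

def in_top_results(url, signature, search, n=30):
    """True if the page's host is among the first n results for its signature.

    `search` is a hypothetical callable(query) -> list of result URLs.
    """
    host = urlparse(url).hostname
    return any(urlparse(r).hostname == host
               for r in search(" ".join(signature))[:n])

def crawled_index(query):
    """Constructed stand-in for a search engine that has indexed the real site."""
    return ["https://www.examplebank.test/login", "https://news.example.test/banks"]

def empty_index(query):
    """Constructed stand-in for an index that has not crawled the page yet."""
    return []
```

With `empty_index` the genuine site fails the check as well, which is the crawler dependence noted above.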
To address MITM and phishing attacks, a number of proxy-based models have been proposed. Tahoma uses a browser OS running on top of a client’s Xen-managed VMs to serve as a local security proxy for scanning web applications. Flashproxy was proposed to measure the performance and security issues of Flash objects in mobile browsers. WebShield, SpyProxy, AjaxScope and BrowserShield proposed similar proxy-based web security models. They use a sandbox in a remote proxy to execute and render web applications, finding security threats by monitoring application behavior. However, these methods incur overhead when switching from one VM to another. Moreover, they share VMs among different users, which makes user privacy a major issue.
It builds on work that gives the basic components and different models for implementing an efficient, easy, secure and scalable search. Here we present the architecture and the devices of the mobile-cloud-based SBSE system. A Xen server provisions the Virtual Machine resource pools, and the Xen platform provides the Xen API, which the Xen web server uses to manage the Virtual Machines and to configure functions for all mobile users.
The components of the Virtual Machine:
• Server: It hosts the web site that provides the management portal for all users and administrators. A database on the web server stores their DNS names, IPs and VM configurations. The web server also communicates with all the other Xen servers in the cloud to carry out administrative instructions. For instant updates, it works with the DHCP/DNS servers to provide domain names and IP addresses to new VMs.
• Mobile User: Each mobile user has a VM that incorporates several services to provide features such as caching, proxying and logging. The VM coordinates with the SSE services to detect and correct MITM and phishing attacks. Fig. 2 shows the components of the VM.
Fig 1: Xen Cluster Architecture
• Portal Gateway and Portal Network: The Portal Gateway is the access point through which all mobile users reach their Virtual Machines and web services; the Portal Network acts as the data exchange path between the internal Xen servers.
• SBS Server: It provides the SSE service to users, and the Managing Server is in charge of resource allocation management.
• Data Gateway: It is one of the networks used by the VMs and the SSE to fetch web content.
Fig2: The Components of VM
A. Secure Browser Engine
• SBE: It is a service used by mobile user VMs to provide web-proxy and caching functions; a user VM contains the different components shown in Fig. 2. The SBE is implemented using a layered architecture, where each higher layer makes use of the services of the next lower layer.
• SBE service: This service answers the mobile user's queries, which are issued by the web browser. The response of the SSE service is built from the results of the SSL verifier and the Phishing-Filter.
• SSL verifier: It is one of the major services of the SSE. It picks up a URL and collects the certificate from one or multiple domains running on the presentation server. It also verifies the certificate chain and stores the validation result in the repository of the SBE.
• Phishing-Filter: It is another important service provided by the SSE, which verifies each linked web page. Using the algorithm explained below, it checks whether the web site is a phishing site.
• SBE Crawler: It is an automated program that collects the security information and web-page information for a URL and supplies it to the SSL verifier and the Phishing-Filter.
Fig 3: SBSE Performance Chart
Algorithm 1 SBE Processing:
1. URL = getURL();
3. It sends MSG = redirect to the SSE service from the SBE;
4. If the SBE finds that MSG is a phishing site, the SBE sends a warning message to the browser;
5. If the user ignores the warning message, then it sends the HTTP request to the web server;
7. The web browser gives the HTTP request;
8. End if
9. Else if the SSL verifier returns that the web server supports HTTPS and the Phishing-Filter returns that the web server is not a phishing site;
10. The SBE sends the certificate to the browser, and the browser sends the HTTPS request to the web server;
11. Else if the SSL verifier returns the web server and the Phishing-Filter returns the result;
12. The SBE informs the web browser;
13. The web browser sends the HTTP request to the web server;
14. Else the SBE sends a warning to the browser;
15. Then the browser jumps to step 4;
16. End if;
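One reading of the visible steps of Algorithm 1, as an added Python example that is not the authors' implementation: the SBE looks up the SSL verifier and Phishing-Filter results for the requested host and returns the referral. The `Verdict`, `Referral` and `sbe_process` names, the repository contents and the treatment of unknown hosts as the warning case are assumptions; steps 2 and 6 are absent from the listing and are not reconstructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

@dataclass
class Verdict:
    https_supported: bool  # SSL verifier: HTTPS offered with a valid chain
    phishing: bool         # Phishing-Filter result for the host

@dataclass
class Referral:
    action: str            # "https", "http" or "warn"
    url: str

# Constructed sample repository; host names are placeholders.
REPOSITORY = {
    "bank.example.test": Verdict(https_supported=True, phishing=False),
    "legacy.example.test": Verdict(https_supported=False, phishing=False),
    "bank-login.example.test": Verdict(https_supported=False, phishing=True),
}

def sbe_process(url, repository, user_ignores_warning=False):
    """Decide how the request for `url` is referred (hypothetical helper)."""
    parts = urlsplit(url)
    verdict = repository.get(parts.hostname)
    if verdict is None or verdict.phishing:
        # Steps 4-5 and 14-15: warn; only an explicit user override lets
        # the plain HTTP request through.
        action = "http" if user_ignores_warning else "warn"
        return Referral(action, url)
    if verdict.https_supported:
        # Steps 9-10: the proxy, not the user, pins the scheme to HTTPS, so a
        # missing redirect on the client side cannot downgrade the session.
        netloc = parts.netloc if parts.port not in (None, 80) else parts.hostname
        return Referral("https", urlunsplit(
            ("https", netloc, parts.path, parts.query, parts.fragment)))
    # Steps 11-13 (assumed reading): no HTTPS support, not phishing.
    return Referral("http", url)
```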
We introduced a mobile-cloud-based secure web-referral service to counter MITM and phishing attacks on mobile nodes. In the central system, the SBE acts as the foundation of the secure web framework and requires minimal human intervention in security decisions. The SBSE Phishing-Filter generates fewer false positives and false negatives. In future, SBSSE can be extended to counter other attacks such as cross-site scripting attacks.
Zscaler Inc., “Zscaler cloud services overview,” July 2011. [Online]. Available: http://www.zscaler.com/cloudservicesoverview.html
Z. Li, Y. Tang, Y. Cao, V. Rastogi, Y. Chen, B. Liu, and C. Sbisa, “Webshield: Enabling various web defense techniques without client side modifications,” in NDSS, 2011.
G. Aaron and R. Rasmussen, “Anti phishing working group - global phishing survey:,” http://www.antiphishing.org/reports/APWG
R. Dhamija, J. Tygar, and M. Hearst, “Why phishing works,” in Proceedings of the SIGCHI conference on Human Factors in computing systems. ACM New York, NY, USA, 2006, pp.
D. Huang, Z. Zhou, L. Xu, T. Xing, and Y. Zhong, “Secure data processing framework for mobile cloud computing,” in Computer Communications Workshops (INFOCOM WKSHPS), 2011 IEEE Conference on, April 2011, pp. 614–618.
Huang et al., “Mobile cloud computing,” http://mobicloud.asu.edu, 2010.
D. Huang, “Mobile Cloud: A Secure Mobile Cloud Computing Platform,” E-Letter of Multimedia Communications Technical Committee (MMTC), IEEE Communications Society (invited paper), 2011.
D. Sax, “DNS spoofing (malicious cache poisoning),” URL: http://www.sans.org/rr/firewall/DNS spoof.php November, vol. 12, 2000.
S. Whalen, “An introduction to arp spoofing,” Node99 [Online Document], April 2001.
H. Xia and J. Brustoloni, “Hardening web browsers against man-in-the-middle and eavesdropping attacks,” in Proceedings of the 14th international conference on World Wide Web. ACM New York, NY, USA, 2005, pp. 489–498.
C. Jackson and A. Barth, “ForceHTTPS: Protecting high-security web sites from network attacks,” 2008.
N. Chou, R. Ledesma, Y. Teraguchi, D. Boneh, and J. Mitchell, “Client-side defense against web-based identity theft,” in Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS04), San Diego. Citeseer, 2005.
A. Freier, P. Karlton, and P. Kocher, “The SSL protocol version 3.0,” 1996.
Y. Zhang, S. Egelman, L. Cranor, and J. Hong, “Phinding phish: Evaluating anti-phishing tools,” in Proceedings of the 14th Annual Network and Distributed System Security Symposium. Citeseer,
Y. Zhang, J. I. Hong, and L. F. Cranor, “Cantina: a content-based approach to detecting phishing web sites,” in Proceedings of the 16th international conference on World Wide Web. New York, NY, USA: ACM, 2007, pp. 639–648.
M. Moxie, “Sslstrip software,” http://www.thoughtcrime.org/software/sslstrip, 2009.
R. Cox, J. Hansen, S. Gribble, and H. Levy, “A safety-oriented platform for web applications,” in Security and Privacy, 2006 IEEE Symposium on, May 2006, pp. 15 pp. –364.
A. Moshchuk, S. D. Gribble, and H. M. Levy, “Flashproxy: transparently enabling rich web content via remote execution,” in Proceeding of the 6th international conference on Mobile systems, applications, and services, ser. MobiSys ’08. New York, NY, USA: ACM, 2008, pp. 81–93. [Online]. Available:
B. Hayes, “Cloud computing,” Commun. ACM, vol. 51, no. 7, 2008, pp. 9–11.
A. Moshchuk, T. Bragin, D. Deville, S. D. Gribble, and H. M. Levy, “Spyproxy: execution-based detection of malicious web content,” in Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2007, pp. 3:1–3:16. [Online]. Available: http://dl.acm.org/citation.
E. Kiciman and B. Livshits, “Ajaxscope: a platform for remotely monitoring the client-side behavior of web 2.0 applications,” SIGOPS Oper. Syst. Rev., vol. 41, October 2007, pp. 17–30.
C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir, “Browsershield: Vulnerability-driven filtering of dynamic html,” ACM Trans. Web, vol. 1, September 2007. [Online]. Available:
R. Fielding, J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, “Hypertext transfer protocol – http/1.1,” 1999.
Xen, “Xen Virtualization Open Source Project.” [Online]. Available: http://xen.org
*Gurava Reddy Pathakota is pursuing a Ph.D. at JNTUH, has 8+ years of teaching experience and has guided around 50 UG and 20 PG students; he is currently working as Asst. Prof. at CMR of Engineering College, Hyderabad. His research areas include cloud computing and computer networks.
**Dr. M. Ashok is working as Principal, SSJEC, hyd. He has 20+ years of experience in teaching, has published 16 journal papers at international level, has attended 8 national and international conferences, and is guiding a number of students in their research work. His research areas include image processing and cloud computing.