Utilization of Mobile Network Infrastructure to Prevent Financial Mobile Application Account Takeover

  • Aldiansah Prayogi Universitas Indonesia
  • Rizal Fathoni Aji Universitas Indonesia
Keywords: SMS OTP Vulnerability, Mobile Network Verification, Header Enrichment, Account Takeover Prevention

Abstract

The Covid-19 pandemic kept almost everyone at home and forced them to carry out their activities online using mobile devices. Internet penetration and mobile use increased as people grew accustomed to lockdowns and restrictions on face-to-face meetings. This opened a new market for cyber criminals, whose actions include social engineering, phishing and account takeover, ending in the theft of money from financial mobile applications. Protecting applications with SMS OTP and SMS magic links still leaves vulnerabilities, as several real cases have shown. This paper therefore seeks a solution that uses the mobile network infrastructure. The method compares the phone number registered in the application with the phone number actually in use on the device. Every time a user signs in or signs up, the financial mobile application performs Mobile Network Verification against the cellular operator via an API. Verification uses header enrichment on the background request that the application installed on the user's smartphone or tablet sends to the Mobile Network Verification Server. The financial mobile application can then determine whether the user is using a valid or an invalid telephone number. As a result, the target account cannot be taken over, because the cyber criminal's mobile device does not carry the phone number attached to the victim's device. The approach is demonstrated with four test case scenarios covering the sign-up and sign-in processes with the same phone number and with different phone numbers between devices and applications. It is hoped that this protection model can reduce the losses that users of financial mobile applications suffer from account takeover.
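As an added illustration (not the paper's own code), the following Python sketch models the verification flow the abstract describes: the operator gateway enriches the app's background request with the SIM's number on the mobile-data path, the verification server trusts that header only when the request arrives from the operator's egress, and the app compares the attested number with the one entered at sign-up or registered on the account at sign-in. It covers the paper's four scenarios and additionally the case where no trustworthy attestation is available; the header name, IP addresses and phone numbers are constructed placeholders.

```python
# Assumed placeholders: operators choose their own enrichment header and egress.
ENRICHED_HEADER = "X-MSISDN"
OPERATOR_EGRESS = "203.0.113.10"    # constructed TEST-NET-3 address
WIFI_EGRESS = "198.51.100.7"        # constructed home broadband address

def device_request(sim_msisdn, path="mobile", client_headers=None):
    """Background request from the app to the verification server. On the
    mobile-data path the operator gateway strips any client-supplied copy of
    the header and injects the SIM's MSISDN; over Wi-Fi the request arrives
    directly, carrying only what the client itself set."""
    headers = dict(client_headers or {})
    if path == "mobile":
        headers = {k: v for k, v in headers.items()
                   if k.lower() != ENRICHED_HEADER.lower()}
        headers[ENRICHED_HEADER] = sim_msisdn
        return {"headers": headers, "src_ip": OPERATOR_EGRESS}
    return {"headers": headers, "src_ip": WIFI_EGRESS}

def attested_msisdn(req):
    """Verification server: trust the header only when the request came in
    from the operator's egress; any other path yields no attestation."""
    if req["src_ip"] != OPERATOR_EGRESS:
        return None
    return req["headers"].get(ENRICHED_HEADER)

def network_verdict(claimed, sim_msisdn, path="mobile", client_headers=None):
    """Compare the number the account claims with the number the network attests."""
    seen = attested_msisdn(device_request(sim_msisdn, path, client_headers))
    if seen is None:
        return "unverified"      # no attestation: never treated as valid
    return "valid" if seen == claimed else "invalid"

class FinancialApp:
    """Sign-up binds the entered number to the account only if the network
    attests it; sign-in requires the registered number on the requesting device."""
    def __init__(self):
        self.accounts = {}       # username -> registered MSISDN

    def sign_up(self, user, entered, sim_msisdn, path="mobile", client_headers=None):
        verdict = network_verdict(entered, sim_msisdn, path, client_headers)
        if verdict == "valid":
            self.accounts[user] = entered
        return verdict

    def sign_in(self, user, sim_msisdn, path="mobile", client_headers=None):
        registered = self.accounts.get(user)
        if registered is None:
            return "invalid"
        return network_verdict(registered, sim_msisdn, path, client_headers)
```

A request that does not traverse the operator path comes back "unverified" rather than "invalid", so the app can fall back to another factor instead of silently trusting a client-set header.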

Published: 2023-08-12

How to Cite: Aldiansah Prayogi, & Rizal Fathoni Aji. (2023). Utilization of Mobile Network Infrastructure to Prevent Financial Mobile Application Account Takeover. Jurnal RESTI (Rekayasa Sistem Dan Teknologi Informasi), 7(4), 797-808. https://doi.org/10.29207/resti.v7i4.5025

Section: Information Technology Articles