Utilization of Mobile Network Infrastructure to Prevent Financial Mobile Application Account Takeover
Abstract
The Covid-19 pandemic has kept almost everyone at home and forced them to perform online activities using their mobile gadgets. Penetration of the Internet and mobile use is increased as lockdowns or restrictions on meeting face to face are getting used to. This has become a new market for cyber criminals to carry out their actions, such as spreading Social Engineering, sending Phishing, doing Account Takeover, and ending in theft of money in Financial Mobile Applications. Application protection with OTP SMS and Magic Link SMS still has vulnerabilities, with several examples of cases that have occurred. For this reason, this problem was raised to find a solution using the Mobile Network Infrastructure. The method used is to compare the congruence between the phone numbers registered in the application and the phone numbers used. Every time a user signs in or signs up, the Financial Mobile Application will perform Mobile Network Verification to cellular operators via API. Verification is carried out by utilizing the header enrichment in the background of the application process that was installed on the user's smartphone or tablet to the Mobile Network Verification Server. The Financial Mobile Applications can then determine whether the user is using a valid or invalid telephone number. Therefore, the target account cannot be taken over because the cyber criminal's mobile device does not have the phone number attached to the victim’s mobile device. This proof is carried out with four test case scenarios with the sign-up and sign-in processes on the same phone number and different phone numbers between devices and applications. It is hoped that this kind of protection model can reduce losses experienced by users of Financial Mobile Applications due to Account Takeover.
Downloads
References
Asosiasi Penyelenggara Jasa Internet Indonesia, “Profil Internet Indonesia 2022,” Apji.or.Od, no. June, p. 10, 2022, [Online]. Available: apji.or.id.
CyberEdge Group, “2022 Cyberthreat Defense Report,” CyberEdge Gr., p. 66, 2022.
Medcom.id, “Penipuan Modifikasi APK Jaring 493 Korban dengan Kerugian Rp12 Miliar,” Medcom.id, 2023. https://www.medcom.id/nasional/hukum/Rkje4Q6b-penipuan-modifikasi-apk-jaring-493-korban-dengan-kerugian-rp12-miliar.
K. Chetioui, B. Bah, A. O. Alami, and A. Bahnasse, “Overview of Social Engineering Attacks on Social Networks,” Procedia Comput. Sci., vol. 198, no. 2021, pp. 656–661, 2021, doi: 10.1016/j.procs.2021.12.302.
M. P. Bach, T. Kamenjarska, and B. Žmuk, “Targets of phishing attacks: The bigger fish to fry,” Procedia Comput. Sci., vol. 204, pp. 448–455, 2022, doi: 10.1016/j.procs.2022.08.055.
M. A. Husainiamer, M. Mohd Saudi, and M. Yusof, “Securing Mobile Applications Against Mobile Malware Attacks: A Case Study,” 19th IEEE Student Conf. Res. Dev. Sustain. Eng. Technol. Towar. Ind. Revolution, SCOReD 2021, pp. 433–438, 2021, doi: 10.1109/SCOReD53546.2021.9652685.
P. Doerfler et al., “Evaluating login challenges as a defense against account takeover,” Web Conf. 2019 - Proc. World Wide Web Conf. WWW 2019, pp. 372–382, 2019, doi: 10.1145/3308558.3313481.
J. Bento, P. Saleiro, A. F. Cruz, M. A. T. Figueiredo, and P. Bizarro, “TimeSHAP: Explaining Recurrent Models through Sequence Perturbations,” Proc. ACM SIGKDD Int. Conf. Knowl. Discov. Data Min., pp. 2565–2573, 2021, doi: 10.1145/3447548.3467166.
G. Ali, M. A. Dida, and A. E. Sam, “Two-factor authentication scheme for mobile money: A review of threat models and countermeasures,” Futur. Internet, vol. 12, no. 10, pp. 1–27, 2020, doi: 10.3390/fi12100160.
A. P. Binitie, “Design of a Resilient System against Shoulder Surfing Attack : Adaptable to USSD Channel,” pp. 1–19, 2023.
A. Patience, N. Christiana, and P. Oguguo, “Security against Shoulder Surfing Attack Adaptable to Feature Phones using USSD Technology,” Int. J. Innov. Sci. Res. Technol., vol. 7, no. 12, pp. 560–568, 2022, [Online]. Available: www.ijisrt.com560.
M. Wazid, S. Zeadally, and A. K. Das, “Mobile Banking: Evolution and Threats: Malware Threats and Security Solutions,” IEEE Consum. Electron. Mag., vol. 8, no. 2, pp. 56–60, 2019, doi: 10.1109/MCE.2018.2881291.
J. M. Chigada, “A qualitative analysis of the feasibility of deploying biometric authentication systems to augment security protocols of bank card transactions,” SA J. Inf. Manag., vol. 22, no. 1, pp. 1–9, 2020, doi: 10.4102/sajim.v22i1.1194.
B. Chaimaa, E. Najib, and H. Rachid, “E-banking Overview: Concepts, Challenges and Solutions,” Wirel. Pers. Commun., vol. 117, no. 2, pp. 1059–1078, 2021, doi: 10.1007/s11277-020-07911-0.
Z. P. Zwane, T. E. Mathonsi, and S. P. Maswikaneng, “An intelligent security model for online banking authentication,” 2021 IST-Africa Conf. IST-Africa 2021, pp. 1–6, 2021.
R. Laborde et al., “A User-Centric Identity Management Framework based on the W3C Verifiable Credentials and the FIDO Universal Authentication Framework,” 2020 IEEE 17th Annu. Consum. Commun. Netw. Conf. CCNC 2020, 2020, doi: 10.1109/CCNC46108.2020.9045440.
W. A. Hammood, R. Abdullah, O. A. Hammood, S. Mohamad Asmara, M. A. Al-Sharafi, and A. Muttaleb Hasan, “A Review of User Authentication Model for Online Banking System based on Mobile IMEI Number,” IOP Conf. Ser. Mater. Sci. Eng., vol. 769, no. 1, 2020, doi: 10.1088/1757-899X/769/1/012061.
K. K. Kamal, S. Gupta, P. Joshi, and M. Kapoor, “An efficient mCK signing and mobile based identity solution for authentication,” Int. J. Inf. Technol., vol. 15, no. 3, pp. 1637–1646, 2023, doi: 10.1007/s41870-023-01189-8.
W. A. Hammood, R. A. Arshah, S. Mohamad Asmara, and O. A. Hammood, “User Authentication Model based on Mobile Phone IMEI Number: A Proposed Method Application for Online Banking System,” Proc. - 2021 Int. Conf. Softw. Eng. Comput. Syst. 4th Int. Conf. Comput. Sci. Inf. Manag. ICSECS-ICOCSIM 2021, vol. 0, pp. 411–416, 2021, doi: 10.1109/ICSECS52883.2021.00081.
Y. Y. Tefera, T. Kibatu, B. S. Shawel, and D. H. Woldegebreal, “Recurrent Neural Network-based Base Transceiver Station Power Supply System Failure Prediction,” Proc. Int. Jt. Conf. Neural Networks, 2020, doi: 10.1109/IJCNN48605.2020.9206978.
A. A. R. Alsaeedy and E. K. P. Chong, “A review of mobility management entity in LTE networks: Power consumption and signaling overhead,” Int. J. Netw. Manag., vol. 30, no. 1, p. e2088, 2020, doi: https://doi.org/10.1002/nem.2088.
D. Basu, A. Jain, R. Datta, and U. Ghosh, “Optimized Controller Placement for Soft Handover in Virtualized 5G Network,” 2020 IEEE Wirel. Commun. Netw. Conf. Work. WCNCW 2020 - Proc., 2020, doi: 10.1109/WCNCW48565.2020.9124902.
W. D. S. Coelho, A. Benhamiche, N. Perrot, and S. Secci, “Network Function Mapping: From 3G Entities to 5G Service-Based Functions Decomposition,” IEEE Commun. Stand. Mag., vol. 4, no. 3, pp. 46–52, 2020, doi: 10.1109/MCOMSTD.001.1900040.
W. Liang, L. Cui, and F. P. Tso, “Low-latency service function chain migration in edge-core networks based on open Jackson networks,” J. Syst. Archit., vol. 124, p. 102405, 2022, doi: https://doi.org/10.1016/j.sysarc.2022.102405.
M. Golla, G. Ho, M. Lohmus, M. Pulluri, and E. M. Redmiles, “Driving 2FA adoption at scale: Optimizing two-factor authentication notification design patterns,” Proc. 30th USENIX Secur. Symp., pp. 109–126, 2021.
M. Pattaranantakul, C. Vorakulpipat, and T. Takahashi, “Service Function Chaining security survey: Addressing security challenges and threats,” Comput. Networks, vol. 221, p. 109484, 2023, doi: https://doi.org/10.1016/j.comnet.2022.109484.
Y. Xu, C. Dai, and A. Li, “Admission Control for Quality of Services of Mobile Cellular Network,” MobiArch 2020 - Proc. 2020 ACM MobiArch 2020 15th Work. Mobil. Evol. Internet Archit. Part Mobicom 2020, pp. 54–59, 2020, doi: 10.1145/3411043.3412508.
J. A. Overton, M. Cuffaro, and C. J. Mungall, “String of PURLs – frugal migration and maintenance of persistent identifiers,” Data Sci., vol. 3, no. 1, pp. 3–13, 2019, doi: 10.3233/ds-190022.
K. Reese, T. Smith, J. Dutson, J. Armknecht, J. Cameron, and K. Seamons, “A usability study of five two-factor authentication methods,” Proc. 15th Symp. Usable Priv. Secur. SOUPS 2019, pp. 357–370, 2019.
M. D. Pop and A. R. Stoia, “Improving the Tourists Experiences: Application of Firebase and Flutter Technologies in Mobile Applications Development Process,” Proc. - 2021 Int. Conf. Eng. Technol. Comput. Sci. EnT 2021, pp. 146–151, 2021, doi: 10.1109/EnT52731.2021.00033.
Copyright (c) 2023 Jurnal RESTI (Rekayasa Sistem dan Teknologi Informasi)
This work is licensed under a Creative Commons Attribution 4.0 International License.
Copyright in each article belongs to the author
- The author acknowledges that the RESTI Journal (System Engineering and Information Technology) is the first publisher to publish with a license Creative Commons Attribution 4.0 International License.
- Authors can enter writing separately, arrange the non-exclusive distribution of manuscripts that have been published in this journal into other versions (eg sent to the author's institutional repository, publication in a book, etc.), by acknowledging that the manuscript has been published for the first time in the RESTI (Rekayasa Sistem dan Teknologi Informasi) journal ;