Virtual ATM: A Low Cost Secured Alternative to Conventional Mobile Banking

Abstract: Mobile banking has become immensely popular among customers as a convenient method for money transactions, and banks are actively adopting it. It plays a vital role in making banking services available in remote areas where placing a branch or ATM booth is not economically feasible, and it is so far the easiest way of expanding banking coverage. But mobile banking carries a large risk of fraud, because authentication and all transaction information, including the PIN, are provided via the mobile phone. Mobile banking is therefore not intended for large transactions, for which ATM transactions are suitable because of their two-layer authentication. This paper introduces a new system, named VATM, that provides ATM service without traditional booths while keeping two-layer authentication by means of a tiny OS-independent device. It discusses how the system works using a low-cost device, built from a microcontroller and a CDMA module that communicates with the bank for authentication, as an alternative to an automated teller machine.


I. INTRODUCTION
A sound and efficient banking system drives the economic growth of a country. In developing countries especially, taking banking services to the doorsteps of the multitude is a challenge. For these reasons banks are adopting technology-driven electronic banking services to expand coverage. However, World Bank research shows that 2.5 billion of the world's adult population is still unbanked, which is about half of the total population [22]. According to the International Telecommunication Union, worldwide mobile subscriptions reached nearly 7 billion, equivalent to 95.5 percent of the world population, by May 2014 [21]. So mobile banking has huge potential as a means of providing financial services to this vast unbanked population.
Juniper Research estimated 590 million mobile banking users worldwide in 2013, with almost 60% of this total belonging to Chinese banks [2]. According to Forrester Research (May 2014), there were 51 million mobile banking customers in Europe in 2013 [5]. Javelin Research shows 95 million mobile bankers in the US in 2013 and projects that the number will reach 149 million by the end of 2018 [6].

Figure 1. Growth of mobile banking in U.S. [6]

Kenya is one of the world leaders in mobile banking. According to the Communications Commission of Kenya (CCK), April 2014, there are 26 million mobile banking subscribers in Kenya, which is 83% of its total mobile phone subscribers. Safaricom's M-PESA is the biggest mobile banking provider in Kenya and Tanzania. According to Mobile Transaction, one quarter of the 44 billion dollar economy in Kenya runs via M-PESA. M-PESA has now expanded to Afghanistan, South Africa, India and Eastern Europe [4].
In Bangladesh, almost 87 percent of the total population of 165 million is still outside the network of conventional banking [11]. The majority of this unbanked population lives in rural areas. According to the Bangladesh Telecommunication Regulatory Commission (BTRC), the total number of mobile phone subscribers in Bangladesh reached 114.8 million by the end of January 2014, which is almost 70 percent of the total population [3]. So the mobile phone can become an effective and convenient vehicle for expanding banking services in remote areas through mobile banking [7].
Though mobile banking is attracting customers, research shows that it has yet to earn the full confidence of the multitude [21]. The lack of confidence is attributable to security gaps in the system. Various fraud incidents, which received wide media coverage, are making customers skeptical about adopting mobile banking.

II. LITERATURE REVIEW
Research shows that low-income and low-literate people in developing countries can adopt mobile banking services [10]. Research ICT Africa found that mobile banking can become one of the best ways of reaching the unbanked population of Africa, where the main barrier is the distance to banking services or ATMs [8]. In Nigeria, mobile banking is customers' second choice after ATMs for money transactions [9]. But now mobile banking services like Bkash and UCash are allowing customers to deposit and withdraw instantly through their agents [11]. This model is becoming more popular nowadays as it brings the bank next to the customer's door. Mobile money transfer like Bkash has good prospects in a developing country like Bangladesh and can contribute to socio-economic development in the near future [12]. Shaik S. Ahamad et al. proposed an m-banking solution that ensures a secured end-to-end communication channel and end-to-end application security from the UICC to the Remote Bank Server via Mobile Equipment, by generating all digital signatures in tamper-proof hardware to ensure end-to-end security at the communication layer and at the application layer [13].
Though mobile banking has huge prospects, the adoption rate of mobile banking is still very low [19]. One of the major reasons is security risks such as theft of the mobile device and the risk of being hacked [20].
Security aspects of mobile banking have been addressed in the following papers: Aditya K. Tiwari et al. introduced a biometric authentication system that enables face authentication, in which the user sends his/her encrypted image to the bank server for verification. After the bank's approval, the user's face becomes one of the keys to access the account [14].
H. Elbehiery et al. developed an Android application for mobile banking that uses face recognition and ciphering algorithms to increase security [15].
Bindu Rama Rao invented a system for agent-assisted mobile banking. This system facilitates mobile fund transfer, deposit and withdrawal. These operations are conducted by one or more agents as needed. In this system the user connects to the bank server with a fund transfer request using his/her handset and receives a one-time token. The user then approaches the respective agents to complete the transaction [16].
Manoj & Satish proposed a cost-effective symmetric cryptography based SMS banking system in which the message is encrypted using AES & MD5 hash algorithm. Messages from the user's mobile are sent in encrypted format and are decrypted by the bank server. The bank also sends encrypted messages to the customer, which are decrypted in his handset [17].
Karun presented a GPRS protocol to establish a secure connection between bank servers and mobile devices with two major components. The first is the basic client-server handshake and the second is the transfer of the SPG message using the created secure tunnel and the exchanged cipher suites [18].

A. Overview:
People who have access to ATMs are more comfortable using them because of their secure authentication process. An automated teller machine identifies its customer not only by the ATM card but also by the PIN provided by the customer. So a transaction requires two layers of authentication: the customer must insert his/her valid ATM card into the ATM machine, and must provide the PIN through the machine. Thus the security derives from two independent sources.
In mobile banking, customers are identified by mobile number and PIN. All of this information reaches the bank through the customer's mobile phone, which calls the security of the transaction into question. That is why customers face various frauds: fraudsters clone customers' SIM cards or steal mobile phones and access their accounts, and they can capture a customer's PIN by installing sniffing tools. But avoiding mobile banking is not a solution to this problem, because mobile banking makes rapid expansion of banking coverage easy. Placing an ATM booth, by contrast, depends on usage and traffic because it requires huge investment: ATM machines are expensive and need air-conditioned infrastructure, network installation and maintenance, regular cash replenishment and security measures. So placing ATMs in rural areas is not a good option.
To use ATM service, a customer needs an ATM card from the bank he/she deals with and then needs to find an ATM booth that supports that bank. By inserting the ATM card and providing the PIN at the ATM machine, he/she gets access to his/her account and then makes a transaction request. The machine provides the requested amount to the customer and returns the ATM card. VATM provides the same service through a different procedure. System components are given below:
• Mobile phone: In the VATM process the ATM card is replaced by the mobile phone, which is used to send the primary withdraw request from the customer's mobile to the bank.
• Bank's agent: Unlike the available ATM service, money is provided to the customer by the bank's agent.

B. Withdraw process:
The VATM withdraw process has four major steps. A description of each step is given below:
Step 1: First the customer needs to find a nearby authorized agent of the bank who offers VATM service. Every bank agent has a unique ID. The customer types the agent's ID and the amount he/she wants to withdraw in the message option of his/her mobile, then sends it to the bank's server. The bank will recognize the customer and the agent by his/her mobile number, which is used to send the request for withdrawal. Authentication is done in the bank's server. If the customer has sufficient balance for the withdrawal, the server generates a nonce transaction ID for that request.
Step 2: In this step the customer receives an SMS from the bank containing the transaction ID of the request he/she made. In case of an invalid request, the customer receives an SMS containing the reason, such as insufficient balance or wrong agent ID.
Step 3: After getting the transaction ID, the customer enters that transaction ID and his/her PIN in the VATM device. Through the VATM device, the transaction ID and PIN go to the bank's server in the form of an SMS for authentication.
Step 4: After authenticating the entered PIN and transaction ID, the bank server sends an SMS to the agent's mobile containing the transaction ID and the amount to pay. The agent verifies the customer with the transaction ID and pays the amount to the customer. In case of a wrong PIN, the customer is notified through an SMS.
C. Flow Chart:

E. Security:
The proposed system tries to address the security flaws of existing mobile banking services. It follows the two-layer authentication process of an automated teller machine. In the first layer, the withdraw request is sent from the customer's mobile phone. The bank identifies a valid customer by his/her phone number and replies with a one-time-use transaction ID that is valid for a certain period of time. In the second layer, the customer enters the transaction ID and PIN into an OS-independent device called VATM, which is placed in the agent's shop. The bank then verifies the customer again by his/her PIN and identifies the request by the received transaction ID. If everything matches, the bank asks the agent to pay the customer who holds the transaction ID. In this process the customer's mobile phone is used only for sending the withdraw request, and the VATM device is responsible for transmitting the PIN. This protects the customer's secret PIN from being sniffed, as it is never sent via any device that can be programmed or has an operating system.
The system also ensures data confidentiality over the network, as the device transmits the PIN over the CDMA network, which is more secure than the GSM network. So there is no chance of it being intercepted by intruders.
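
The four-step withdraw exchange and the one-time, time-limited transaction ID described in the Withdraw process and Security sections, sketched from the bank server's side. This is an added example, not code from the paper. The SMS text formats, the 300-second validity window, the 8-digit ID, the salted PIN hash, the sample numbers and the rule that a new request supersedes an older pending one are all assumptions.

```python
import hashlib, hmac, secrets, time
TXN_TTL = 300  # assumed validity window (seconds); the paper only says "a certain period"

def hash_pin(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

class BankServer:
    def __init__(self, accounts, agents):
        self.accounts = accounts  # phone -> {"balance", "salt", "pin_hash"}
        self.agents = agents      # agent ID -> agent's phone number
        self.pending = {}         # transaction ID -> (phone, agent_id, amount, expiry)

    def withdraw_request(self, phone, agent_id, amount, now=None):
        """Steps 1-2: SMS from the customer's phone; returns the reply SMS text."""
        now = time.time() if now is None else now
        acct = self.accounts.get(phone)
        if acct is None:
            return "REJECT unknown customer"
        if agent_id not in self.agents:
            return "REJECT wrong agent id"
        if not 0 < amount <= acct["balance"]:
            return "REJECT insufficient balance"
        # Assumption: a new request supersedes any older pending one from this phone.
        self.pending = {t: e for t, e in self.pending.items() if e[0] != phone}
        txn = f"{secrets.randbelow(10**8):08d}"  # digits only: the VATM keypad is 0-9
        self.pending[txn] = (phone, agent_id, amount, now + TXN_TTL)
        return f"TXN {txn}"

    def vatm_submit(self, txn, pin, now=None):
        """Steps 3-4: SMS from the VATM device; returns (recipient phone, SMS text)."""
        now = time.time() if now is None else now
        entry = self.pending.get(txn)
        if entry is None:
            return (None, "REJECT unknown or used transaction id")
        phone, agent_id, amount, expiry = entry
        if now > expiry:
            del self.pending[txn]
            return (phone, "REJECT transaction id expired")
        acct = self.accounts[phone]
        if not hmac.compare_digest(hash_pin(pin, acct["salt"]), acct["pin_hash"]):
            return (phone, "REJECT wrong PIN")
        del self.pending[txn]  # one-time use: a replayed ID no longer matches anything
        acct["balance"] -= amount
        return (self.agents[agent_id], f"PAY {txn} {amount}")

def make_bank():  # constructed sample data: one customer, one agent, made-up numbers
    salt = b"constructed-salt"
    acct = {"balance": 1000, "salt": salt, "pin_hash": hash_pin("4821", salt)}
    return BankServer({"+10000000001": acct}, {"AG01": "+10000000002"})
```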

F. Device Description:
The VATM device includes the following units:
1. On board interface to communicate with customer
2. A small LCD display
3. A microcontroller
4. CDMA Module

A description of each unit is given below:

1. On board interface to communicate with customer:
A user-friendly interface has been created so that the user can easily understand how this machine is used. There are 18 buttons in total on this machine. Ten of them are labeled 0, 1, 2, 3, 4, 5, 6, 7, 8, and 9; these are the digit buttons of the machine. Label ! is used for the backspace button & " is used for the enter button. The left button from the top is the reset button and the right one is the on/off button. All these buttons are red. There are four green buttons, one for each bank. The main function of these buttons is to send the data provided by the user to the bank that is labeled on the button.

2. A small LCD display:
There is an LCD display in the device. The prompt for transaction ID and PIN is shown on the screen, and the user can see what he/she is entering in those fields. The first field is for the transaction ID and the second for the PIN. After entering the transaction ID, the user needs to press the enter button to enter the PIN. A "*" sign is shown for each digit entered in the PIN field. After the send button is pressed, the message "Done" is shown on the LCD to confirm successful completion. The machine then gets ready to process another task and prompts for transaction ID and PIN again.

3. A microcontroller:
In this device we have used an 8-bit microcontroller, the PIC16F877A, which is connected to all buttons, the LCD display and the CDMA module.

4. CDMA Module:
The CDMA module is used in this system to communicate with the bank's server by sending SMS from this device.

IV. ADVANTAGES OVER TRADITIONAL ATMS & M-BANKING SERVICES
• Cost of VATM device is significantly low.
• No need to think about traffic & usage for placing VATM point so banking service can be expanded radically and even in rural areas.

• No need to create an extra account as with Bkash, because this service can be availed with existing bank accounts.
• As the function of VATM is to send an SMS to the bank server, multiple banks can be served with one machine.
• No risk of sniffers, as the PIN is never transmitted via mobile phone. The VATM device makes the process more secure by providing two-layer authentication like an ATM.
• No matter if the mobile phone is lost.
• Installation of network and maintenance is not required, as the VATM device uses the available CDMA network.
• Placing a VATM device does not require an air-conditioned room. It is a tiny device which can be placed anywhere.
• No need to worry about regular money transfer, as money is provided by the bank's agent.
• No need to invest in providing security (e.g. security guard, closed circuit camera).
• Eco-friendly, as it consumes a negligible amount of electricity.

These are the reasons why the VATM process could be a better choice for providing banking services. Every step is unambiguous and can easily be understood by a general customer. The VATM process is easy to operate compared to an ATM machine, so it will attract the general public more. The VATM process can work as a tool to expand banking service in remote areas.

V. CONCLUSION
The proposed VATM model provides mobile banking service that follows the two-layer customer authentication process of the ATM to make transactions more secure. VATM service can be provided easily with the available CDMA network and a simple, compact, OS-independent device. From the bank's perspective, VATM would be the most cost-effective, transparent and efficient way of providing banking service. From the customer's point of view, VATM would be an easier, affordable and convenient way of availing banking service.