ThinSIM-based Attacks on Mobile Money Systems

Phipps, Rowan; Mare, Shrirang; Ney, Peter; Webster, Jennifer; Heimerl, Kurtis

doi:10.1145/3209811.3209817

Cited by 12 publications

(11 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, to date, there are no strong security controls to suit all mobile money authentication security challenges. However, the existing proposed algorithms, though promising, require more work because they are vulnerable to impersonation attacks; USSD technology vulnerabilities; replay attacks; spoofing attacks; Trojan horse attacks; bruteforce attacks; shoulder-surfing attacks; MITM attacks; insider attacks; identity theft; social engineering attacks; SIM-swapping attacks; malware attacks; agent-driven fraud; and privacy attacks [8,9,11,[22][23][24][25][26]. Therefore, there is a need to develop a secure and efficient multi-factor authentication algorithm for mobile money applications where mobile money subscribers are authenticated using a PIN, OTP, and biometric fingerprints.…”

Section: Problem Statementmentioning

confidence: 99%

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

2021

View full text Add to dashboard Cite

With the expansion of smartphone and financial technologies (FinTech), mobile money emerged to improve financial inclusion in many developing nations. The majority of the mobile money schemes used in these nations implement two-factor authentication (2FA) as the only means of verifying mobile money users. These 2FA schemes are vulnerable to numerous security attacks because they only use a personal identification number (PIN) and subscriber identity module (SIM). This study aims to develop a secure and efficient multi-factor authentication algorithm for mobile money applications. It uses a novel approach combining PIN, a one-time password (OTP), and a biometric fingerprint to enforce extra security during mobile money authentication. It also uses a biometric fingerprint and quick response (QR) code to confirm mobile money withdrawal. The security of the PIN and OTP is enforced by using secure hashing algorithm-256 (SHA-256), a biometric fingerprint by Fast IDentity Online (FIDO) that uses a standard public key cryptography technique (RSA), and Fernet encryption to secure a QR code and the records in the databases. The evolutionary prototyping model was adopted when developing the native mobile money application prototypes to prove that the algorithm is feasible and provides a higher degree of security. The developed applications were tested, and a detailed security analysis was conducted. The results show that the proposed algorithm is secure, efficient, and highly effective against the various threat models. It also offers secure and efficient authentication and ensures data confidentiality, integrity, non-repudiation, user anonymity, and privacy. The performance analysis indicates that it achieves better overall performance compared with the existing mobile money systems.

show abstract

Section: Problem Statementmentioning

confidence: 99%

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

2021

View full text Add to dashboard Cite

show abstract

“…Likewise, the adversary can use a BTS with the same mobile network code as the subscriber's real network to perform a MITM attack since the network authenticates users [26,43,45]. Furthermore, the information carried within the communication channel is in plaintext, thus making USSD data vulnerable to attack and redirection [20,21,52]. Salami attack: This is where an employee of a financial institution installs a malware like a Trojan horse on the server hosting the application to withdraw a small amount of money from the subscribers' accounts and deposit it into their account.…”

Section: Attacks Against Integritymentioning

confidence: 99%

“…Despite the considerable effort invested in providing a more robust and secure system, most of the existing MMSs still rely on a weak two-factor authentication (2FA) scheme. Various attacks to mobile money's 2FA scheme include man-in-the-middle (MITM) attack, authentication attack, replay attack, identity theft, USSD technology vulnerabilities, brute force attack, social engineering attacks, and denial of service (DoS) attack [8][9][10][11][12][13][14][15][16][17][18][19][20][21][22]. Reaves et al [23] also observed that the current MMS uses nonstandard cryptography, which is easily compromised, thus limiting the integrity and privacy guarantees of the software, giving rise to the threat of forged transactions and loss of transaction privacy.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Two-Factor Authentication Scheme for Mobile Money: A Review of Threat Models and Countermeasures

2020

View full text Add to dashboard Cite

The proliferation of digital financial innovations like mobile money has led to the rise in mobile subscriptions and transactions. It has also increased the security challenges associated with the current two-factor authentication (2FA) scheme for mobile money due to the high demand. This review paper aims to determine the threat models in the 2FA scheme for mobile money. It also intends to identify the countermeasures to overcome the threat models. A comprehensive literature search was conducted from the Google Scholar and other leading scientific databases such as IEEE Xplore, MDPI, Emerald Insight, Hindawi, ACM, Elsevier, Springer, and Specific and International Journals, where 97 papers were reviewed that focused on the topic. Descriptive research papers and studies related to the theme were selected. Three reviewers extracted information independently on authentication, mobile money system architecture, mobile money access, the authentication scheme for mobile money, various attacks on the mobile money system (MMS), threat models in the 2FA scheme for mobile money, and countermeasures. Through literature analysis, it was found that the threat models in the 2FA scheme for mobile money were categorised into five, namely, attacks against privacy, attacks against authentication, attacks against confidentiality, attacks against integrity, and attacks against availability. The countermeasures include use of cryptographic functions (e.g., asymmetric encryption function, symmetric encryption function, and hash function) and personal identification (e.g., number-based and biometric-based countermeasures). This review study reveals that the current 2FA scheme for mobile money has security gaps that need to be addressed since it only uses a personal identification number (PIN) and a subscriber identity module (SIM) to authenticate users, which are susceptible to attacks. This work, therefore, will help mobile money service providers (MMSPs), decision-makers, and governments that wish to improve their current 2FA scheme for mobile money.

show abstract

“…Ibtasam [ 18 ] explored the usability and learnability of smartphone mobile wallet applications. Vulnerability of mobile money through “thin-sim” attacks is explored by Phipps [ 32 ]. The problem of security of mobile apps is evaluated by Reaves [ 33 ], and later by Castle [ 5 ].…”

Section: Related Workmentioning

confidence: 99%

Understanding mobile money grievances from tweets

Shah

Mare

Anderson

2019

Proceedings of the Tenth International Conference on Information and Communication Technologies and Development

Self Cite

View full text Add to dashboard Cite

Access to financial services through a mobile phone, known as Mobile Financial Services (MFS), creates an opportunity to expand the reach of financial services to the 1.7 billion unbanked adults worldwide. Nevertheless, MFS adoption has been inconsistent, which motivates a need to identify the challenges that MFS users confront in different countries. In this work, we explore the Twitter as a potential data source to understand such challenges. More broadly, we assess whether (and how) publicly available Twitter data can augment the findings of expensive, large-scale research studies on MFS barriers. Our Qualitative Content Analysis of 9,000 mobile money grievance tweets that were extracted from 54 MFS customer care twitter feeds across six countries reveals service and access issues, incorrect transactions, and fraud as three main challenges MFS users report on Twitter. We discuss the nuances around these challenges and the substantial differences between the common issues reported in different countries. Ultimately, we conclude that Twitter data can elucidate the challenges of MFS adoption and also that it can augment the results of other types of MFS studies.

show abstract

ThinSIM-based Attacks on Mobile Money Systems

Cited by 12 publications

References 21 publications

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

A Secure and Efficient Multi-Factor Authentication Algorithm for Mobile Money Applications

Two-Factor Authentication Scheme for Mobile Money: A Review of Threat Models and Countermeasures

Understanding mobile money grievances from tweets

Contact Info

Product

Resources

About