Usably secure, low-cost authentication for mobile banking

Panjwani, Saurabh; Cutrell, Edward

doi:10.1145/1837110.1837116

Cited by 24 publications

(13 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although these services are not new, the security of the underlying technology is poorly understood: unlike ATMs and credit cards in the West, there are no industry standards for building secure mobile banking technology; in fact, at least three such services have been successfully attacked in different ways in the past year alone [10,11,12]. The core challenge in designing secure solutions for this application stems from the fact that a majority of the phones available in developing regions are still of a very basic nature: they are either not programmable at all or offer only limited programming capability.…”

Section: Unique Usage Patternsmentioning

confidence: 99%

Computing security in the developing world

Ben-David

Hasan

Pal

et al. 2011

Proceedings of the 5th ACM Workshop on Networked Systems for Developing Regions

Self Cite

View full text Add to dashboard Cite

show abstract

Section: Unique Usage Patternsmentioning

confidence: 99%

Computing security in the developing world

Ben-David

Hasan

Pal

et al. 2011

Proceedings of the 5th ACM Workshop on Networked Systems for Developing Regions

Self Cite

View full text Add to dashboard Cite

show abstract

“…User credentials are protected from theft using different techniques, like programming the SIM card of users' phones [2] or using special security tokens to encipher PINs [1]. See [21] for a detailed discussion on this topic.…”

Section: Risksmentioning

confidence: 99%

“…We also assume that agents use suitable credentials like passwords to authenticate themselves to the bank and the secure channel ensures credential privacy. Several branchless banking services (including Eko) are beginning to use programmable phones for agents and those for which this assumption does not hold, our protocol can be adapted to provide authenticated communication from bank to agent (and techniques like [21] can be used for privacy). As such, we focus on securing bank-customer communication in the rest of the paper.…”

Section: The Protocolmentioning

confidence: 99%

Practical receipt authentication for branchless banking

Panjwani¹

2013

Proceedings of the 3rd ACM Symposium on Computing for Development

Self Cite

View full text Add to dashboard Cite

Although branchless banking systems have spread to different parts of the developing world, methods to ensure transactional security in these systems have seen slower adoption because of a variety of operational constraints. A basic requirement from such systems is the provision of secure and reliable receipts to users during transactions, and recent attacks have demonstrated that existing systems fall short of fulfilling this requirement in practice. In this paper, we propose a simple and practical protocol to enable users to authenticate transaction receipts in branchless banking systems. Our protocol makes novel use of missed calls (sent from users to the bank) to help distinguish real receipts from spoofed ones and can be implemented on any mobile phone, without software installation. Besides preventing spoofing attacks, the protocol enjoys significant advantages of usability, efficiency and cost, which make it a more practical choice than other schemes. We also discuss ways to use missed calls to mitigate man-in-the-middle attacks on branchless banking systems.

show abstract

“…A security weakness in Eko's scheme and a potential fix are reported in [14]. (The fix was devised in joint work with Eko.)…”

Section: The Choice Of User Credentialsmentioning

confidence: 99%

“…We make the following suggestion: use numeric passwords (PINs) along with OTPs but leverage human computation capabilities to combine OTPs with PINs in a way that foils eavesdropping attacks against the latter. One candidate solution is the substitution-based coding technique of [14], which enables users to mentally transform 4-digit PINs into random 4-digit numbers using 10-digit one-time keys. The transformation scheme of [14] has been shown to be usable by low-literate users and is also a secure 2-factor solution; indeed, Eko, which was involved in developing the solution, plans to deploy it in the near future.…”

Section: On 2-factor Authenticationmentioning

confidence: 99%

Towards end-to-end security in branchless banking

Panjwani

2011

Proceedings of the 12th Workshop on Mobile Computing Systems and Applications

Self Cite

View full text Add to dashboard Cite

Mobile-based branchless banking has become one of the key mechanisms for extending financial services to low-income populations in the world's developing regions. One shortcoming of today's branchless banking systems is that they rely largely on network-layer services for securing transactions and do not implement any application-layer security. Recent results show that several of these systems are, in fact, not end-to-end secure.In this paper, we make the case for designing mobile-based branchless banking systems which build security into the application layer and guarantee end-to-end security to system users.We present a threat model which captures the goals of authenticated transactions in these systems and then provide recommendations for solution design based on our model's requirements.

show abstract

Usably secure, low-cost authentication for mobile banking

Cited by 24 publications

References 5 publications

Computing security in the developing world

Computing security in the developing world

Practical receipt authentication for branchless banking

Towards end-to-end security in branchless banking

Contact Info

Product

Resources

About