Usably Secure, Low-Cost Authentication for Mobile Banking*
Saurabh Panjwani, Ed Cutrell, Microsoft Research India
* Many thanks to Anupam Varghese (EKO India Financial Services Ltd.). Thanks also to Aishwarya Ratan, Indrani Medhi, Prasad Naldurg, Raghav Bhaskar (Microsoft Research)

Mobile Banking
Over 1 billion people in the world have mobile phones but no bank accounts
Banks say: let's use phones to serve these people!
Several mobile banking services exist today
– M-PESA (Kenya), Wizzit (S.A.), GCash (Philippines)
– > 100 million dollars transacted per day

How does it work?
A network of human agents mediates transactions
– They run small businesses: mobile recharge, pharmacy, etc.
– Commissioned by the m-banking provider
(Photo: an m-banking outlet in Delhi. An m-banking agent sends an SMS to the bank for a deposit transaction. Courtesy: CKS)

How does it work? (deposit flow, from the slide diagram)
Hari → Agent: Hari deposits 100/-
Agent → Bank: Credit Hari's a/c with 100/-
Bank: Hari's a/c credited

How does it work? (withdrawal flow, from the slide diagram)
Hari → Agent: Hari withdraws 100/-
Hari → Bank: Credit agent's a/c with 100/-
Bank: Agent's a/c credited

Benefits
Benefit to customers:
– Low-cost, low-effort savings (often, there's interest)
– A new remittance channel
– Others that evolve contextually (m-payments)
Benefit to agents:
– A second source of income
Note: different from mobile banking for the rich. There, the goal is convenience; here, it is access.

Security Issues
Phones can be lost or stolen. Banks must authenticate users.
(Diagram) Hari → Bank: Credit agent's a/c with 100/-
Bank: Is this really Hari?

Challenges
How do we authenticate via a phone like this? No GPRS, can't install software
(Photo: a typical m-banking user's phone. Courtesy: EKO)
… while also ensuring
– A simple interface (we want low-literate users to use it)
– Low cost (we want it to scale)

Current Practice
Most banks use PINs to authenticate users
For good security, PINs must be protected
Can't rely on GSM security
– Network-layer protection only, and several known attacks
Then how do banks protect PINs?
– Some don't care!
– Others protect them, but don't tell you how!

Our Work
Partnered with EKO, an m-banking service in India
– 1.5 years in operation, 70K customers, partners of SBI
– Support from the Gates Foundation
EKO uses PINs + security tokens for authentication; endorsed by Verisign Inc.
Our contribution:
– Find a flaw in EKO's scheme
– Propose a new solution
– Test it with real users
(Map: EKO locations)

EKO's Authentication Solution
Every user has a PIN and holds a unique codebook
– Appends a signature to each transaction message
– A fresh signature each time
Each codebook entry is a 10-digit string with a 6-digit one-time password and 4 gaps, denoted
Example: If PIN = 6391, OTP = , then Signature =
Our finding: given 7 such signatures from a user, the PIN can be recovered.

Implications
The PIN is redundant in EKO's scheme
– Security rests on the codebook and the phone, not on the PIN
PIN loss could have other bad consequences
– Users reuse the same PIN across different accounts; loss of the PIN could damage other accounts they hold

The New Scheme*
Like EKO's scheme, it uses one-time passwords, but each OTP is a 10-digit random number
A variant of the well-known one-time pad scheme
Caveat: need PINs with distinct digits
Example: PIN = 2340, signature is:
* Developed in collaboration with EKO India Financial Services Ltd.
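The slide states the ingredients of the new scheme (a 10-digit random OTP per codebook entry, a one-time-pad flavour, a 4-digit response, and the distinct-digit caveat) but not the exact lookup rule. The following is an added model, not the authors' or EKO's code, written from the bank's side. It assumes the position-lookup rule: for each PIN digit d, the user types the OTP digit at position d (positions 0..9), so the signature is 4 digits; the bank holds the same codebook and consumes each entry once. The codebook entry and PIN values are constructed for the example, and the last function quantifies the caveat rather than asserting it: with a repeated PIN digit the two corresponding signature digits are always equal, whereas with distinct digits they coincide only about one time in ten.

```python
"""
Added example (not the authors' or EKO's code): a model of the codebook-based
PIN scheme on this slide, from the bank's side.

Assumed lookup rule (the slide does not spell it out): for each PIN digit d,
the signature carries the OTP digit found at position d of the 10-digit OTP.
"""
import secrets


def pin_has_distinct_digits(pin: str) -> bool:
    """The caveat from the slide: the scheme needs a 4-digit PIN with distinct digits."""
    return pin.isdigit() and len(pin) == 4 and len(set(pin)) == 4


def make_otp() -> str:
    """One fresh codebook entry: 10 digits, each drawn uniformly (one-time-pad style)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(10))


def sign(pin: str, otp: str) -> str:
    """What the user types: the OTP digit at the position named by each PIN digit."""
    if not pin_has_distinct_digits(pin):
        raise ValueError("PIN must be 4 distinct digits")
    if not (otp.isdigit() and len(otp) == 10):
        raise ValueError("OTP must be a 10-digit string")
    return "".join(otp[int(d)] for d in pin)


class Bank:
    """Bank side: stores the user's PIN and codebook; every entry is used at most once."""

    def __init__(self, pin: str, codebook):
        self.pin = pin
        self.codebook = list(codebook)
        self.next_entry = 0

    def verify(self, signature: str) -> bool:
        if self.next_entry >= len(self.codebook):
            return False  # codebook exhausted; the user needs a new booklet
        otp = self.codebook[self.next_entry]
        self.next_entry += 1  # consume the entry even on failure, so nothing can be replayed
        return signature == sign(self.pin, otp)


def equal_digit_rate(pin: str, i: int, j: int, trials: int = 2000) -> float:
    """Why distinct digits matter: over fresh random OTPs, how often do signature
    positions i and j carry the same digit?  For distinct PIN digits this is about
    1 in 10; for a repeated PIN digit it is always 1, so someone reading the SMS
    learns that pin[i] == pin[j] without knowing a single OTP."""
    hits = 0
    for _ in range(trials):
        otp = make_otp()
        sig = "".join(otp[int(d)] for d in pin)  # deliberately skips the distinct-digit check
        hits += sig[i] == sig[j]
    return hits / trials


if __name__ == "__main__":
    # Constructed codebook entry and PIN (not values from the slide).
    otp = "4719032658"
    print("signature for PIN 2340:", sign("2340", otp))  # 4 digits typed, as users noted
    bank = Bank("2340", [otp, make_otp()])
    print("first use accepted:", bank.verify("1904"))
    print("replay accepted:", bank.verify("1904"))
    print("repeated-digit PIN leak rate:", equal_digit_rate("2242", 0, 1))
    print("distinct-digit PIN rate:", equal_digit_rate("2340", 0, 1))
```

The verifier consumes an entry on every attempt, successful or not, so a captured signature is worthless once the bank has moved past its entry; this is the property that lets a transcript of past SMSs reveal nothing about the PIN, as long as every PIN digit is distinct.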

How do they compare?
Columns (from the slide table): Method | Secure against impersonation | Secure against PIN recovery | Secure against impersonation, given booklets | Secure against man-in-the-middle forgeries
Plain PIN: NO
EKO: YES, NO
Ours: YES, (Ongoing work)
New scheme is more secure than plain PIN entry and EKO's scheme

How do they compare?
New scheme is more usable than EKO's scheme. (Based on a usability study with 34 current and potential m-banking customers in Delhi and Bihar*)
65% of participants found the new scheme easier to use than EKO's. (10% were neutral.)
* Thanks to CKS India Pvt. Ltd. for helping us conduct the study.

What do users say?
Users reported several advantages of the new scheme:
– "new scheme is easy as it involves typing only 4 digits"
– "only matching of numbers needs to be done, which is easy"
– "everything is given in the booklet, just needs to be looked up"
Offered interesting cognitive explanations:
– "... need to lay less stress on my brain and more on my eyes, which is why it is easier to handle."
Pro-actively spoke about security benefits:
– "the PIN is mixed up here and not written in plain, which means it is more secure"
– "new scheme is more easy to use: it is more secure, therefore it is more easy"

Beyond Mobile Banking
PIN entry using our scheme provides better security than PIN entry at ATMs
– Secure against skimming attacks. (Skimming attacks caused a loss of > $1 billion in 2009.)
– Reasonably secure against shoulder-surfing attacks
A similar solution is used for online banking by some European banks
– Drawback: phishing attacks
Caveat: decreased usability (users need to carry tokens)

Conclusion
Cryptanalyzed EKO's authentication scheme
Proposed a new authentication solution
– More secure, more usable!
– Easy to deploy (no software installation, no change to the network protocol)
– Potentially applicable beyond mobile banking
Future work
– Can we get rid of the codebook?