Usably Secure, Low-Cost Authentication for Mobile Banking

Saurabh Gupta, Sandeep Kumar Gupta

Post on 18-Jan-2016


Need For Mobile Banking

People need money on the run. Banks provide security, interest.

Use Cases – Buying Something

Use Case – Depositing Money

Use Case – Withdrawing Money

What Security?

How is it secured on Mars?

• Application level encryption
o Typically have an application implementing the favorite encryption scheme.
o Provides end to end encryption.

• Possible because
o Can ask people to install and use them.
o Phones are powerful enough to run them.

Challenges on Earth

• Fundamentally, the GSM channel is weakly encrypted.
• Cannot rely on network layer encryption.
• Need for end to end encryption.
• Cannot install applications on user ends.

Mobile Banking In General

o Cell phone
o 2 factor authentication
o 4-digit PIN
o A codebook with synchronized security tokens.

 

Old Scheme New Scheme

Overview of 2 schemes

Both use 2 factor authentication schemes.

 

Question: Impersonator?

1.                         2.                            3.

Security Analysis

4 different types of attacks considered.

• PIN Recovery
• Type 0: Impersonator gets phone
• Type 1: Impersonator gets phone and codebook
• Type 2: Impersonator gets phone and PIN


User Study

• Ethnography
o 15 people from Delhi
o 19 people from Bihar

• Composition
o 8 agents
o 13 existing users
o 13 potential users

• Tasks
o Plain PIN entry
o EKO signature formulation
o New signature formulation

Parameters Recorded

Results

Discussion

• Effect of increased cognitive effort.
• Effect of entering only 4 digits instead of 10.
• Statistical significance of results.

User Case Studies

What is required to validate your claim?

• From the perspective of paper publishing?
o Novelty of the idea.
o Quick papers for promotion.

• For proving soundly?
o Acceptability of the idea.

 Parameters studied in this paper:  1.                                       2.         

  

Parameters that should have been studied:

1.                                       2. 

Solutions:

• Submit an idea, verify later?
• Get in touch with the right kind of people to do social case studies; sociologists?

Questions:

• End product derived from user interaction?