Abstract
In remote areas of developing countries, the mobile phone network may be the only connection with outside organizations such as banks. SMS messages are used in branchless banking schemes such as M-PESA in Kenya, but can be vulnerable to SMS spoofing exploits. This paper proposes a branchless banking system for withdrawal, deposit and transfer transactions, using an application on the phone’s tamper-resistant Subscriber Identity Module (SIM) equipped with a Smart Card Web Server (SCWS) and public key cryptography capabilities.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Cobourne, S., Mayes, K., Markantonakis, K. (2013). Using the Smart Card Web Server in Secure Branchless Banking. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_19
DOI: https://doi.org/10.1007/978-3-642-38631-2_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38630-5
Online ISBN: 978-3-642-38631-2