Mo(bile) money, mo(bile) problems: analysis of branchless banking applications in the developing world

Authors: Adam Bates, Kevin R. B. Butler, Bradley Reaves, Patrick Traynor, Nolen Scaife

DOI:

Keywords: Financial services, Financial inclusion, Mobile payment, Payment, Unbanked, Computer science, Computer security, Cash, Branchless banking, Liability

Abstract: Mobile money, also known as branchless banking, brings much-needed financial services to the unbanked in the developing world. Leveraging ubiquitous cellular networks, these services are now being deployed as smart phone apps, providing an electronic payment infrastructure where alternatives such as credit cards generally do not exist. Although widely marketed as a more secure option than cash, these applications are often not subject to the traditional regulations applied to the financial sector, leaving doubt as to the veracity of such claims. In this paper, we evaluate these claims and perform the first in-depth measurement analysis of branchless banking applications. We first perform an automated analysis of all 46 known Android mobile money apps across the 246 known mobile money providers and demonstrate that automated analysis fails to provide reliable insights. We subsequently perform a comprehensive manual teardown of the registration, login, and transaction procedures of a diverse 15% of these apps. We uncover pervasive and systemic vulnerabilities spanning botched certification validation, do-it-yourself cryptography, and myriad other forms of information leakage that allow an attacker to impersonate legitimate users, modify transactions in flight, and steal financial records. These findings confirm that the majority of these apps fail to provide the protections needed by financial services. Finally, through inspection of providers' terms of service, we discover that liability for these problems unfairly rests on the shoulders of the customer, threatening to erode trust in branchless banking and hinder efforts toward global financial inclusion.

References (30)
Sheila Cobourne, Keith Mayes, Konstantinos Markantonakis. "Using the Smart Card Web Server in Secure Branchless Banking." Network and System Security, pp. 250-263 (2013). doi:10.1007/978-3-642-38631-2_19
Ming Ki Chong. "Usable authentication for mobile banking." University of Cape Town (2009).
Damien Octeau, William Enck, Patrick McDaniel, Swarat Chaudhuri. "A study of Android application security." USENIX Security Symposium, pp. 21-21 (2011).
Baraka Nyamtiga, Anael Sam, Loserian Laizer. "Enhanced Security Model for Mobile Banking Systems in Tanzania." International Journal of Technology Enhancements and Emerging Engineering Research, vol. 1, pp. 4-20 (2013).
Thomas La Porta, Patrick McDaniel, Patrick Traynor. "Security for Telecommunications Networks" (2008).
Patrick Traynor, William Enck, Patrick McDaniel, Thomas La Porta. "Exploiting open functionality in SMS-capable cellular networks." Journal of Computer Security, vol. 16, pp. 713-742 (2008). doi:10.3233/JCS-2007-0308
Manka Angwafo, Punam Chuhan-Pole. "Yes, Africa Can: Success Stories from a Dynamic Continent" (2011).
Italo Dacosta, Mustaque Ahamad, Patrick Traynor. "Trust No One Else: Detecting MITM Attacks against SSL/TLS without Third-Parties." Computer Security – ESORICS 2012, pp. 199-216 (2012). doi:10.1007/978-3-642-33167-1_12
Erika Chin, Adrienne Porter Felt, Kate Greenwood, David Wagner. "Analyzing inter-application communication in Android." Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services (MobiSys '11), pp. 239-252 (2011). doi:10.1145/1999995.2000018
Ross Anderson. "Why cryptosystems fail." Computer and Communications Security, pp. 215-227 (1993). doi:10.1145/168588.168615