Wycliffe Ochieng’ is an experienced Software Engineer with over five years’ experience in industry. He holds a BSc in Information Technology from Meru University of Science and Technology and graduated with first class honours. After undergraduate, Wycliffe joined Equity Bank Group and performed roles in mobile Banking support for digital products such as: Eazzy Banking App, Equitel, and Core mobile banking platforms. Currently, he does VAS Engineering: USSD applications development and has interest in cloud Computing with certification in Microsoft Azure. Thus thebasis for his master’s project on Mobile Banking Security.
Project Summary
Project Title: Enhanced Mobile Banking Security: Implementing Transaction Authorization mechanism via USSD Push.
Abstract: Mobile initiated financial transactions need to be authenticated. This is a mandatory requirement since it serves as a security step or mechanism against non-repudiation. This is true for Mobile Banking customers in Kenya. The stage of protection for a given authentication scheme relies upon on characteristic combination, authentication channel, credential storage, and encryption. A range of researches had been performed on mobile banking authentication and their stage of protection. Research has proven challenges related to single factor or two factor authentication schemes. However, there are inadequate studies on authentication schemes that mixes different factors of
authentications for secure and efficient mobile banking transactions.
The goal of the research was to explore challenges of using PIN as the only factor of authentication and further evaluate the effectiveness of incorporating a combined USSD push and PIN efficient multifactor authentication. Convenience non-probability method was used to identify a subset of the population and Snowball
Sampling used to target a total of 385 respondents. A
total number of 442 responses were received through
online administered questionnaires. The study found
84.4% of the respondents use mobile banking frequently.
That is to say, many times during the daily lives. Further
finding was, the de-facto login method used in mobile
banking applications in Kenya, is via PIN and 69% of
respondents have incurred losses due to compromised
PINs. These descriptive statistics necessitated a need for
secure mobile banking app. Hence a need for multi
factor authentication.
The solution implemented offers remedy to challenges
faced by mobile banking customers in Kenya. This solution
was not entirely user’s PIN dependent but also tied to
other details such as International Mobile Equipment
Identity (IMEI), Mobile Systems International Subscriber
Identity Number (MSISDN), and International Mobile
Subscriber Identity (IMSI) in addition to time bound USSD
push augmented with biometric authentication,
Fingerprint. These attributes were encrypted using BCrypt
Hashing Function in mobile banking applications. The
storage of credentials was in distributed locations in
encrypted format. The architecture employed provided
improved security from cyber-attacks such as: identity
theft, phishing, social engineering, spoofing and man in
the middle attack.
In conclusion, use of USSD push in mobile banking
provides an efficient layer of authentication hence
improved mobile banking security.