
Android Multifactor Authentication

Uploaded by

Philip Ezechukwu
Copyright © All Rights Reserved

NWAFOR ORIZU COLLEGE OF EDUCATION NSUGBE

IN AFFILIATION WITH
UNIVERSITY OF NIGERIA NSUKKA

DEPARTMENT OF COMPUTER AND ROBOTICS EDUCATION

TOPIC:

ANDROID MULTIFACTOR AUTHENTICATION FOR
INFORMATION SECURITY IN BANKING SYSTEMS

BY:

UGWUOKE MARYJANE O. 2021813060


UZOCHUKWU PROMISE C. 2020813037

COURSE:

CRE 321: COMPUTER PROGRAMMING APPLICATION AND
MANAGEMENT IN SCHOOL II

SUPERVISOR:

MRS. IKEMELU C.R

APRIL 2023

ABSTRACT

The proliferation of digital financial innovations like mobile money has led to the rise
in mobile subscriptions and transactions. It has also increased the security challenges
associated with the current two-factor authentication (2FA) scheme for mobile
money due to the high demand. This review paper aims to determine the threat
models in the 2FA scheme for mobile money. It also intends to identify the
countermeasures to overcome the threat models. A comprehensive literature search
was conducted using Google Scholar and other leading scientific databases such as
IEEE Xplore, MDPI, Emerald Insight, Hindawi, ACM, Elsevier, Springer, and Specific
and International Journals, where 97 papers were reviewed that focused on the topic.
Descriptive research papers and studies related to the theme were selected. Three
reviewers extracted information independently on authentication, mobile money
system architecture, mobile money access, the authentication scheme for mobile
money, various attacks on the mobile money system (MMS), threat models in the 2FA
scheme for mobile money, and countermeasures. Through literature analysis, it was
found that the threat models in the 2FA scheme for mobile money were categorized
into five, namely, attacks against privacy, attacks against authentication, attacks
against confidentiality, attacks against integrity, and attacks against availability. The
countermeasures include use of cryptographic functions (e.g., asymmetric encryption
function, symmetric encryption function, and hash function) and personal
identification (e.g., number-based and biometric-based countermeasures). This
review study reveals that the current 2FA scheme for mobile money has security gaps
that need to be addressed since it only uses a personal identification number (PIN)
and a subscriber identity module (SIM) to authenticate users, which are susceptible
to attacks. This work, therefore, will help mobile money service providers (MMSPs),
decision-makers, and governments that wish to improve their current 2FA scheme for
mobile money.

INTRODUCTION

Authentication has been a part of digital life since MIT implemented a password
system on their shared-access computer in 1961. Today, authentication covers
virtually every interaction you can have on the internet. But up until 2010, the
security of most online services only extended as far as requiring an eight-character
traditional password. Since then, online spending has grown to over $1 trillion
annually in the U.S. alone (you don't have to spend much to get a top-tier 5G phone).

Along with the growth in spending has come a corresponding growth in identity theft
and stolen passwords. To stem the rising tide of online crime and prevent
cybercriminals from taking your money, many banks and online retail stores demand
more than a password for account access. If you want to participate in today's online
marketplaces, you'll need multi-factor authentication.

WHAT IS MULTI-FACTOR AUTHENTICATION?

Authentication is proving you are who you say you are: your authenticity. A factor of
authentication is a general method of authentication. Multi-factor authentication is
using more than one method to prove your identity. Generally, most security
systems use a combination of two or more factors of authentication.

Multi-factor Authentication (MFA) is an authentication method that requires the
user to provide two or more verification factors to gain access to a resource
such as an application, online account, or a VPN. MFA is a core component of a
strong identity and access management (IAM) policy.

Knowledge factors are something you know

Passwords are the perfect example of a
knowledge factor. Either you know it or
you don't. If you don't, you can't access
your Gmail account. Knowledge factors
were the foundation of security for the
early internet, but making good passwords
is hard, and passwords are generally easy
to guess, buy, or crack.

Many websites (especially social media) use two knowledge factors to verify your
identity if you forget your password: your email address and the answer to one or
more security questions like "What street did you grow up on?" This is known as two-
step verification rather than two-factor authentication because even though two
questions are asked, the second factor of authentication isn't different from the first.

Possession factors are something you have

A possession factor is any object or
physical device that can be used to
authenticate you. Everything from keys
to credit cards to your driver's license
can be considered a possession factor.
More and more, your smartphone is
considered a possession factor. If you
want to get into your GitHub account, a one-time password is sent to your phone, and
you need it to access your account. The disadvantage of only using possession factors
for authentication is they can be stolen (in the case of credit cards) or hijacked (in the
case of SMS messages sent to your phone).

Inherence factors are something you are

Inherence factors rely on something
inherent to you to prove your identity.
Inherence factors, or biometrics, are the
authentication factor used by
smartphones from almost every major
manufacturer, including a fingerprint
reader or facial recognition in the case of
the iPhone. The benefit of biometric
authentication is that it's nearly impossible to replicate. The drawback is that it can be
difficult to implement well.

Behavior factors are something you do

Behavioral biometrics is on the cutting edge of
authentication. Instead of relying on retinal
scans and fingerprints (physical biometrics),
some companies are looking at behavior
patterns as a way to identify you. The way you
type, the way you talk, the way you walk, and
the way you carry yourself or use your mouse
can be used to identify you.

HOW IS MULTI-FACTOR AUTHENTICATION USED?

The most common form of multi-factor authentication is two-factor authentication
involving the use of a possession factor and a knowledge factor. This level of security
has been the gold standard since 1965 when the first ATM was installed. Today we
use a plastic smart card as our possession factor at the ATM, but 50 years ago, they
used bespoke personal checks. As for the knowledge factor, like today, the original
ATM used a four-digit personal identification number which is likely the origin of
using a PIN as a knowledge factor.

RSA SecurID key fob

Most types of two-factor authentication
involve the use of a one-time password.
An OTP is an additional password you
must enter to authenticate yourself that's
only good for one use. Its earliest
implementation involved a key fob
(possession factor) that displays a six-digit
passcode that changes at fixed intervals. The user has to append the OTP to their
login credentials to access their account.

Another common example of two-factor authentication used today involves sending a
time-based OTP as an SMS text message, email, or even an automated voice call to a
user's device to be input after entering their username and password. Although this
method of OTP distribution is popular, it's fallen out of favor in the security
community because of the prevalence of phishing attacks and SIM-card hijacking.

WHY IS MULTI-FACTOR AUTHENTICATION (MFA) NECESSARY FOR BANKS AND
FINANCIAL INSTITUTIONS?

• Rise of Cybersecurity Threats to Banks and Financial Institutions

It is estimated that the cost of cyber attacks in the banking sector has increased
dramatically, reaching 15.4 million Euros per firm yearly. Protecting the assets of the
consumer is the main goal of cyber security in digital banking. More and more
activities or transactions are being done online as more and more businesses are
going cashless. Cybercrimes in digital banking have an impact on both the customer
and the banks. Banks have to invest a substantial sum of money and resources in
order to be able to recover data. Along with that, banks also lose their customers' trust
when such issues arise.

• Cybersecurity Threats

Banking security experts today need to be familiar with a dizzying array of
terminologies and methods, including Trojans, Rock Phish, phishing, pharming, spear
phishing, session hijacking, man-in-the-middle, and man-in-the-browser attacks.
Obtaining private user data like usernames, passwords, credit card numbers, and
social security numbers is the common goal of most attack tactics, despite the
diversity of the attacks. The issue stems from the fact that these credentials are all
static and never change. Once obtained, the attacker can use them to pose as the
customer and commit fraud.

WHY IS MFA REQUIRED FOR BANKS AND FINANCIAL INSTITUTIONS?

The biggest drawback of using the traditional user ID and password logins is that the
passwords can be easily stolen by hackers, which can cause millions of dollars in
damages. Brute-force cyberattacks are a serious concern since cybercriminals can use
automated password cracking tools to try different login and password combinations
until they discover the proper combination.

Multifactor authentication is a security measure that requires users to provide more
than one piece of evidence to verify their identity. This can include something that the
user knows, like a password or PIN, something that the user has, like a security token
or key, or something that the user is, like a fingerprint or iris scan.

THE FUTURE OF MULTI-FACTOR AUTHENTICATION

As more of the world's business moves online and the sophistication of hackers
continues to grow, the need for security will grow along with it. Given that over two
billion passwords were compromised in 2021 (a number that has been growing since
we began keeping count), using a simple password is no longer sufficient to lock
down sensitive data like medical records and credit card information. From where we
stand now, the future of online authentication looks like it will be shaped by two
paradigms: passwordless authentication and passive authentication.

Security professionals don't like passwords as an authentication method. People are
bad at picking them (the top passwords of 2022 were "password" and "123456"), and
they're not user-friendly. Good passwords are also hard to remember. Even if you
have a strong password that you can remember, passwords are vulnerable to
numerous methods of hacking, from phishing and social engineering to data breaches
and brute-force attacks.

In the future, public-key encryption will likely supplant passwords, verification codes,
and OTPs for most services. Instead of relying on an easily compromised knowledge
factor to keep your PayPal account safe, your private encryption key will be stored on
a possession factor like your mobile phone or a key fob, which will be locked behind
an inherence factor like your fingerprint or a face scan.

If security professionals don't like passwords, users don't like logging in or onerous
login requirements. Soon, you likely won't realize you're authenticating yourself as
more businesses adopt passive authentication schemes that rely on behavioral and
physical biometrics. Instead of logging in to your computer after it goes into sleep
mode, your computer will analyze your typing rhythm and perform periodic face
scans to authenticate you continuously.

CONCLUSION

Multi-factor authentication (MFA) can be an important security measure for banks
and financial institutions. MFA adds an extra layer of security by requiring users to
provide more than one form of authentication. It ensures that only the right people
have access to the valuable assets and information of a bank or financial institution.

MFA is needed for banks to protect against various online threats, such as phishing
attacks, account takeovers and several others. In this digital age, it is more important
than ever to have the proper security measures in place to protect your business and
customers. MFA is one of the most effective ways to protect your organization from
cybercrime.
