SlideShare a Scribd company logo

5.[25 33]survey on 2-step security for authentication in m-banking

Alexander Decker, profile picture
Alexander Decker

This document summarizes a paper on using a two-step authentication process for mobile banking transactions. The first step uses steganography to hide user ID and password in an image that is sent to the server. The second step uses face recognition, where the user's image is captured and sent to the server database for verification. The full paper provides details on how steganography and face recognition would work as part of the two-step authentication process, discusses security risks of online banking, and outlines the authentication process flow.

Economy & FinanceBusiness
1 of 9
Download to read offline
1
2
3
4
5
6
7
8
9
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Survey on 2-Step Security for Authentication in M-Banking Salve Anup (Corresponding Author) Department of Computer Engineering, AISSMS College of Engineering, Pune -411001 University of Pune, India Tel: +91-9689950004 E-mail: sanupsalve@gmail.com Kashid Suraj Department of Computer Engineering, AISSMS College of Engineering, Pune -411001, University of Pune, India Tel: +91-9762309579 E-mail: surajiphone@gmail.com Patil Rahul Department of Computer Engineering, AISSMS College of Engineering, Pune -411001, University of Pune, India Tel: +91-9579578784 E-mail: patilrahul.sangli@gmail.com Dhamane Harshad Department of Computer Engineering, AISSMS College of Engineering, Pune -411001 University of Pune, India Tel: +91-8793111782 E-mail:hdhamane@gmail.com Abstract Technologies drive the need in every sector and enterprise needs to understand changing need of customer. Financial sector has also no exception. In order to satisfy financial need for customer banks are taking help of new technology such as internet. It is called as e-banking. But problem remain over e-banking is security. Over the e-banking, the potential use of mobile devices in financial applications such as banking and stock trading has seen a rapid increase. The aim of this work is to provide a secure environment in terms of security for transaction by various ways. In this paper we focus on 2-step security for authentication. For this system we use m-banking. Propose the use of “steganography” as means to improve the communication channel. Task of enhancing security include construction of formula for both data encryption and for hiding pattern and also provide system based on biometric information. i.e., face recognition. Keywords: decryption, encryption, face recognition, security, steganography 1. Introduction The Internet is an integral part of our daily lives, and the proportion of people who expect to be able to manage their bank accounts anywhere, anytime is constantly growing. As such, Internet banking has come of age as a crucial component of any financial institution’s multichannel strategy. Internet banking is vast, which is why this type of banking is becoming more and more popular in recent years. Convenience is the one advantage that most people will list first when online banking is mentioned. Not having to go to the bank and wait in line is something that appeals to most banking customers. Other advantage of online banking is the automatic payment of bills; internet banking is to have paycheck automatically deposited into our account. But, the biggest disadvantage of internet banking is security. Customer should be sure that he has a secure connection that is protected before you attempt to bank online. To overcome the drawback of internet banking and security issue new technology is developed known as mobile banking or M-Banking. In the e-Banking the client need the computer machine and internet connection. Some rural areas are not aware of internet. And it is also not possible to everyone to use the internet. To overcome the drawback of e-Banking the new concept of m- 25 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Banking is introduce. The importance of improving M-Banking is beneficial to both the customer and the bank. Mobile banking gives opportunity to everybody for easy banking activities sustainably increasing the interaction between user and bank. It has enabled to increase financial access for in rural areas and paved the way for integrating rural people into the mainstream financial system. Mobile Banking basic Functionality Offered: I. Account Information (a) Balance Overview (b) Account Details (c) Transaction History (d) Account Statements II. Transfers (a) Transfer Between Own Accounts (b) Transfer to same Bank Accounts (c) Transfer to Other Bank Clients III. Cards (a) Card Details (b) Card Statements (c) Card Payments IV. Payments (a) Utility Payments (b) Bill Payments (c) Government Payments (d) Group and Payroll Payments (e) Mobile top-ups However, the amount of transaction money through mobile banking has led to attract criminal attention. Security concerns are important for customers and banks. Finding from studies in e-Banking also have application in the wider field off transaction security for e-Commerce activities. Bank log-in security has to be strong and supervised as banks are integral part of the defense against money laundering [1]. The main reason that Mobile Banking scores over Internet Banking is that it enables “Anywhere, Anytime Banking”. Customer do not need to access computer terminal to access bank account. Now customer can access his bank account anytime, anywhere such as waiting for bus to work, travelling or when waiting for orders to come through in a restaurant. Serious operational risks and potential liabilities are associated with security breaches in the transfer of fund over the Internet. Concern about security has led to major barrier for mobile banking adoption by several banks [1]. Authentication problems issues are related to the transfer of information over the insecure communication channel as shown in Fig. 1. Insecure Information Exchange Fig. 1 Insecure Communication channel Confidential data like password are broken by malicious code. Phishing spoof web page imitating of the user’s online bank is designed and used to encourage the user to enter bank details in this fake page. The data entered is cyber crooks. Recent increases in online fraud have encouraged banks to think about some different multiple factor solutions for their authentication procedure [1] In this paper we focus on 2-step security for authentication process using mobile banking for transaction purpose. Here we make use of different formula i.e., for steganography, for encryption and for session/request id. Only single key is sent along with image used in steganography (cover image) and all formulae in interdependent 26 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 manner. Key is variable i.e., changed every time and transferred in coded format in stego image. So that it becomes very difficult to get data even if key is found. In the second step of authentication, we use biometric information. In the biometric information we use face recognition system. In face recognition, image is capture on client and send to server database for validation. 2. Risk associated with e-Banking I. Interest Rate Risk: Internet rate risk is the risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from different between the timing of rate changes and timing of cash flows. II. Credit Risk: Credit risk is the risk to earnings or capital arising from an obligator's failure to meet the terms of any contract with the bank or otherwise to perform as agreed III. Price Risk: Price risk is the risk to earnings or capital arising from changes in the value of traded collection of financial instruments. IV. Foreign Exchange Risk: Foreign Exchange risk is present when a loan or portfolio of loans is dominated in a foreign currency or is funded by borrowings in another currency. M-Banking Security measures I. Debit and Credit cards coupled to a specific phone number of consumer for supplementary transaction security. II. Transfer channel of SMS can be used with encryption by mobile payment applications to defend data integrity and security. III. Accomplishment of secure PIN for transactions for fund transfer. 3. Designed System Our designed system is 2-step authentication process. In the first step of authentication we use steganography and at second step we use biometric information to enhance security over insecure channel. In steganography technique, we hide the user ID and password of client in particular image. We send this image to server for verification. Biometric information is of two types. In physlogical information it contain face, hand, Iris, DNA, finger print etc while in Behavioral information it contain voice, keystroke, signature etc. Biometric characteristics such as universality, distinctiveness, collect ability, permanence, performance, acceptability, circumvention cannot be lost or forgotten and are very difficult to copy, share and distribute. For authentication purpose using biometric information person physically present as in real life. This kind of security can enable clients to use their bank ID and biometric to log the bank server remotely to access their account [1]. 3.1 Authentication Process The following fig shows the general authentication procedure in designed technique: The detailed authentication process is as follows: I. Registration Phase By client’s mobile the registration phase can be performed remotely or personally. At registration following steps are performed. (a) In the first step, the client is also given an e-ID as well as password for processing through his identity. This is first level of authentication. (b) In the second step, the biometric data i.e., face image is captured, preprocessed and features are extracted. The featured templates are formed and stored as enrolled templates. These saved templates are referred during verification phase. This is second level of authentication. II. Login Phase 27 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 At the login time in bank account he is required to enter his e-ID and password. The server performs the following preliminary steps: (a) Checks T is the current time stamp of the user’s machine. (b) Verifies initial login details i.e. the ID and password. (c) If the prior information entered is correct, the user is redirected to the biometrics authentication page and the user is asked to start image transmission through the mobile. III. Transmission Phase This phase takes care of the transmitting information through the internet as we have no control over the insecure channel. (a) In order to avoid the interruption of hackers and intruders we propose to hide the text data into some images related to normal life or otherwise which when encountered by the hacker can be ignored and transmission can be preceded safely. (b) Even if the transmitting data is suspected by the hacker he cannot extract the secret data. IV. Verification Phase Upon receiving the login information and the stego file, the authentication server performs the following steps: (a) The server applies the reverse of the embedding secret data procedure to recover the biometric information from the stego file. (b) Checks the validity of time stamp with the current date and time T 'and T . The server rejects the login request of the user otherwise accepts the request. Here T denotes the expected valid time interval for transmission delay and T ' denotes the receiving timestamp of login attempt by the user. (c) Once the biometrics is successfully derived from the stego file, the face recognition takes places as discussed in section 3.4 and the suitable candidate is matched from the database. (d) Computes T '' and s T from the MAC sent from the server for confirmation. If T then the user rejects this message otherwise calculates the MAC hash function using his private key. After receiving the response message from server user compares the two hash values calculated from MAC and the original value. If the two are equal the server gets authenticated otherwise the operation is terminated. V. Data Transfer The data can be transfer once the user is authenticated then the users are allowed to transfer the data. 3.2 Data Encryption and error checking I. Encryption and Decryption A process of translating a message, called the Plaintext, into an encoded message is called encryption. It helps to protect the original data from unauthorized access. Decryption is process of translating encoded message back to plain text. Before embedding the data into image using steganography technique, data is first encrypted either by using simple technique like 0 converted to 1 or any standard algorithm. Such encrypted data is then used for steganography. II. Error checking Error checking means checking consistency of data in image after receiving by receiver. Because, if random changes are made in the image then resultant extracted data from image may get changed. This can be achieved by carious ways. We can make use of simple techniques such as parity code or any other standard techniques. Data which is required for error checking should also be added to image along with 28 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 original data [2]. 3.3 Steganography Steganography is the practice of hiding private or sensitive information within something that appears to be nothing out of the usual. Steganography would provide an ultimate guarantee of authentication that no other security tool may ensure. Now days there are many forms of steganography that use many different mediums to transmit hidden information. Steganography can use essentially any other form of media to transmit a hidden message, though techniques vary from cover type to cover type. Steganography was around long before computers were invented. As long as people have desired to communicate in secret; steganography has been there, allowing them to at least attempt to do so. The term "Steganography" dates back to 440 BC and derives from a Greek word meaning "covered or hidden writing." This word was used to refer to practices of leaders hiding messages sent to other leaders. Steganography came to what is now the United States as early as the Revolutionary War, during which it took the form of secret message drops, code words, and invisible inks used for communications between General George Washington and a group of spies It continued in use through additional wars, including World War I and II. Following the tragedy of September 11, 2001, investigations revealed that Al'Queda terrorists may have transmitted images containing hidden messages via Usenet. Evidence exists primarily in the form of Islamic extremist websites that provide information on how to embed data in images. Though the use of steganography in planning 9/11 was not confirmed, the possibility of its use sparked new interest in steganography, and led to further research into its use and its prevention [3]. Implementing steganography Steganography literally means "covered writing." Steganography has been used throughout history for secret communications. Instead of making use of some previous techniques of steganography, such as LSB method which are easy to detect, it uses two mathematical formulae. To make use of steganography appropriate image format should be selected such as loss less image formats. The general overview of steganography technique is shown in Fig 4. Cover serves as medium to hide the message being sent. Making use of graphical images as cover solve many problems readily such as large availability of images, various formats of images and variation in size of image. Fig. 2 Steganography and Steganalysis Both server and end user application will communicate only by sending the cover image and then extracting data from it [2]. Here we make use on two mathematical formulae. First formula will generate series of pixel number in which data will hide. Second formula will generate the bit number for ‘n’ bit pixel in which one bit of data will hide. Using these formulae data will be randomly distributed in image instead of sequential and data hiding bit is also changed every time. Using custom images created by the owner (in this case bank) will help to avoid the comparison of the image. 29 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Before Data Hiding After Data Hiding From these results, we see that the image appear completely unaltered to the naked eye, and are statistically quite similar as well, making it very difficult for either a human with both images or a computer with only one image to detect something amiss. The beauty of randomly generated images is that a user can continue to generate images until one is found with satisfactory statistics or looks, and this often takes only a few iteration to accomplish [3]. 3.4 Face recognition Face recognition has received considerable interest as a widely accepted biometric, because of the ease of collecting samples of a person, with or without subject’s intension. Face recognition refers to an automated or semi automated process of matching facial images. This type of technology constitutes a wide group of technologies which all work with face but use different scanning techniques. Most common by far is 2D face recognition which is easier and less expensive compared to the other approaches [4]. There are four steps in face recognition as given below: I. Acquiring a sample: In a complete, full implemented biometric system, a sensor takes an observation. The sensor might be a mobile camera. In our system, 2D face picture will be supplied manually to server. II. Extracting Features: For this step, the relevant data is extracted from the predefined captured sample. The outcome of this step is a biometric template which is a reduced set of data that represents the unique features of the enrolled user's face. III. Comparison Templates: For identification purposes, this step will be a comparison between a given image for the subject and all the biometric templates stored on a server database. For verification, the biometric template of the claimed identity will be retrieved (either from a database or a storage medium presented by the subject) and this will be compared to a given image. IV. Declaring a Match: The face recognition system will return a client match from image database server match. Faces in the test images taken using the DROID phone can be of different sizes. Correlating with a standard template size didn’t give good results. So, we correlated the image with templates of different sizes (scale ratios from .6 to 1.8) and compared the correlation values. This technique worked well in detecting faces of different sizes. Fig.3 Face Recognition 30 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 For the face recognition technique we use most popular Eigenvector algorithm. In face recognition security srep if any fake request is send to server from Android application, server will easily detect the fake request. It shows the error message and does not allow the transaction to hacker. Fig. 4 Result of the Face Recognition application for Android. (a) Client correctly recognized, (b) Client correctly rejected [5] 3.5 Custom session ID and request ID In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. The request information object contains all request-local information and server as the vessel for most forms of intercommunication. A Request ID object is born when an incoming request is encountered, and its life expectancy is short, as it dies again when the request has passed through all levels of the module type calling sequence. I. Session ID A session token is a unique identifier, usually in the form of a hash generated by a hash function that is generated and sent from a server to a client to identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. Session id will be constant throughout one session. Server will identify the authorized application’s session using session id. II. Request ID To communicate with server every message hidden in image should have request id. This id will not be sequential fashion instead it will also be generated by formula. We know that key used in this process is variable i.e. changed every time for every message. So the formula for request id will generate id using key for previous transaction. At server, if session id found valid then request id is checked. If any request with incorrect request id will not be processed. As request id is not sequential next id will not be after equal interval but interval depends indirectly on key. This avoids the fake request to server [2]. 31 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Fig.5 General Overview of Session ID and Request ID Architectural Model: Authentication Step-1 Steganography Using Random Bit Technique Generate Request Id and Session Id Extract Text Decrypt Text Encrypt Validate Session Apply Steganography Using Random Bit Technique Activates Camera on Client Side Authentication Step-2 Face Recognition Takes snapshot of user and sends on Server Convert Image to face and match it with server database Fig. 6 Designed 2-step Authentication model 4. Implementation For implementation of proposed system there must be some requirements are as follows I. Mobile device of client must be GPRS/Wi-Fi enabled and camera. II. User must have basic knowledge of internet and mobile. III. Client server application is needed for successful realization of communication between the customer and bank. IV. Bank must provide necessary software to client for authentication and transaction process. V. Speed of the GPR/Wi-Fi data transfer may vary depending on mobile server. 32 | P a g e www.iiste.org
Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 VI. There could not be mobile network problem on client side. 5. Benefits of m-Banking I. Practical and straightforward alerting services. II. Low Cost: No additional hardware to buy. Can be deployed on a large scale at a fraction of the cost of traditional authentication solutions. III. High Security: Unlike our competitors, DIGIPASS for Mobile supports multiple synchronization methods (time-based algorithms in addition to event-based algorithms). Authentication credentials automatically expire either after a configurable time-out or immediately after initial use. IV. High User Acceptance: End-users will enjoy the freedom of secure banking—anywhere, anytime while conveniently using their very own mobile device. V. Fully-Customizable User Interface: Banks can fully customize the interface with their own unique branding scheme (menus, messages, icons, logos, fonts, colors). VI. Password is not exchanged between the server and the mobile. Therefore there is no risk of exposure of user password. VII. Response time and speed of bank’s server increases. VIII. It is difficult to detect password by intruder because password is stored in any particular Image 6. Conclusion In this paper, we have surveyed drawbacks of some of the existing system for authentication. To overcome this drawback we proposed 2-level authentication process based on biometric information and Steganographic approach which improves all identified drawbacks and provide more security for real life. REFERENCES Dushyant Goya1 and Shiuh-Jeng Wang (2010), “Steganographic Authentications in conjunction with Face and Voice Recognition for Mobile Systems”, High Performance Computing Conference, India http://www.hipc.org/hipc2010/HIPCSS10/1569358847.pdf Geeta S. Navale, Swati S. Joshi and Aaradhana A Deshmukh (2010),” M-Banking Security – a futuristic improved security approach”, IJCSI International Journal of Computer Science Issues, Vol. 7, Issue 1, No. 2 www.ijcsi.org/papers/7-1-2-68-71.pdf Jessica Codr (2009)” Unseen: An Overview of Steganography and Presentation of Associated Java Application C-Hide”, Washington University in St.Louis, Department of Computer Science & Engineering, Bryan Hall, Campus Box 1045, One Brookings Drive, St. Louis, Missouri 63130 http://www.cse.wustl.edu/~jain/cse571-09/ftp/stegano/index.html Noor AlSheala and Hasan AlOdail (2011),” Face Recognition System”, KING FAHAD UNIVERSITY OF PETROLEUM AND MINERALS, College of Computer Science and Engineering ICS411 Senior Project Term 082. http://student.kfupm.edu.sa/s200352870/doc/faceFinal.pdf Guillaume Dave, Xing Chao and Kishore Sriadibhatla (2010),” Face Recognition in Mobile Phones”, Department of Electrical Engineering Stanford University Stanford, USA http://www.stanford.edu/class/ee368/Project_10/Reports/Sriadibhatla_Davo_Chao_FaceRecognition.pdf 33 | P a g e www.iiste.org

More Related Content

PDF
IRJET - Secure Electronic Transaction using Strengthened Graphical OTP Authen...
IRJET Journal
 
PDF
Two aspect authentication system using secure
Uvaraj Shan
 
PDF
Two aspect authentication system using secure mobile
Uvaraj Shan
 
PDF
Fingereye: improvising security and optimizing ATM transaction time based on ...
IJECEIAES
 
PDF
IRJET- Graphical user Authentication for an Alphanumeric OTP
IRJET Journal
 
PDF
A secure communication in smart phones using two factor authentications
eSAT Publishing House
 
PDF
IRJET - Graphical Password Authentication for Banking System
IRJET Journal
 
PDF
Augment the Safety in the ATM System with Multimodal Biometrics Linked with U...
inventionjournals
 
IRJET - Secure Electronic Transaction using Strengthened Graphical OTP Authen...
IRJET Journal
 
Two aspect authentication system using secure
Uvaraj Shan
 
Two aspect authentication system using secure mobile
Uvaraj Shan
 
Fingereye: improvising security and optimizing ATM transaction time based on ...
IJECEIAES
 
IRJET- Graphical user Authentication for an Alphanumeric OTP
IRJET Journal
 
A secure communication in smart phones using two factor authentications
eSAT Publishing House
 
IRJET - Graphical Password Authentication for Banking System
IRJET Journal
 
Augment the Safety in the ATM System with Multimodal Biometrics Linked with U...
inventionjournals
 

What's hot (16)

PDF
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
IJCSEIT Journal
 
PDF
SECURED BANKING TRANSACTION USING VIRTUAL PASSWORD
International Journal of Technical Research & Application
 
PDF
IRJET- Two Level Authentication for Banking System
IRJET Journal
 
PDF
A011140104
IOSR Journals
 
PPTX
Biometrics in India
Kshitij Behl
 
PDF
Detection and prevention method of rooting attack on the android phones
IAEME Publication
 
PDF
ENHANCED AUTHENTICATION FOR WEB-BASED SECURITY USING KEYSTROKE DYNAMICS
IJNSA Journal
 
PDF
Graphical Password Authentication using Images Sequence
IRJET Journal
 
PDF
IRJET- Enhancement in Netbanking Security
IRJET Journal
 
PDF
An Overview on Authentication Approaches and Their Usability in Conjunction w...
IJERA Editor
 
PDF
IRJET- Use of Artificial Intelligence in Cyber Defence
IRJET Journal
 
PDF
Database Security Two Way Authentication Using Graphical Password
IJERA Editor
 
PDF
Security Analysis of Mobile Authentication Using QR-Codes
csandit
 
PDF
Effectiveness of various user authentication techniques
IAEME Publication
 
PDF
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...
IRJET Journal
 
DOC
Biometric technology
Dharmik
 
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
IJCSEIT Journal
 
SECURED BANKING TRANSACTION USING VIRTUAL PASSWORD
International Journal of Technical Research & Application
 
IRJET- Two Level Authentication for Banking System
IRJET Journal
 
A011140104
IOSR Journals
 
Biometrics in India
Kshitij Behl
 
Detection and prevention method of rooting attack on the android phones
IAEME Publication
 
ENHANCED AUTHENTICATION FOR WEB-BASED SECURITY USING KEYSTROKE DYNAMICS
IJNSA Journal
 
Graphical Password Authentication using Images Sequence
IRJET Journal
 
IRJET- Enhancement in Netbanking Security
IRJET Journal
 
An Overview on Authentication Approaches and Their Usability in Conjunction w...
IJERA Editor
 
IRJET- Use of Artificial Intelligence in Cyber Defence
IRJET Journal
 
Database Security Two Way Authentication Using Graphical Password
IJERA Editor
 
Security Analysis of Mobile Authentication Using QR-Codes
csandit
 
Effectiveness of various user authentication techniques
IAEME Publication
 
IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...
IRJET Journal
 
Biometric technology
Dharmik
 
Ad

Similar to 5.[25 33]survey on 2-step security for authentication in m-banking (20)

PDF
A Cancelable Biometric Based Security Protocol for Online Banking System
IJCSIS Research Publications
 
PDF
A Cancelable Biometric Based Security Protocol for Online Banking System
IJCSIS Research Publications
 
PDF
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
Syeful Islam
 
PDF
IRJET- A Mobile Payment System Based on Face Recognition
IRJET Journal
 
PDF
Secure Authentication for Mobile Banking Using Facial Recognition
IOSR Journals
 
PDF
Enforcing Set and SSL Protocols in E-Payment
AIRCC Publishing Corporation
 
PDF
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ijcsit
 
PDF
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
AIRCC Publishing Corporation
 
PDF
A Review of Information Security from Consumer’s Perspective Especially in On...
Dr. Amarjeet Singh
 
PDF
The Impact of Customer Knowledge on the Security of E-Banking
CSCJournals
 
PDF
IRJET - Anti-Fraud ATM Security System
IRJET Journal
 
PDF
Location Based Services in M-Commerce: Customer Trust and Transaction Securit...
CSCJournals
 
PDF
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD Editor
 
PDF
IRJET- Phishing Attack based on Visual Cryptography
IRJET Journal
 
PDF
Is the Future of Finance Quality Assurance Mobile Aplication.pdf
madhusudhanarao52
 
PPTX
E banking
femymoni
 
PDF
IRJET- Issues & Challenges in Mobile Banking in Pune: A Customers’ Perspective
IRJET Journal
 
PDF
Pay-Cloak:Biometric
ijtsrd
 
PDF
IRJET- Bank Management System
IRJET Journal
 
PDF
A Survey on Mobile Commerce Security Issues and Applications
theijes
 
A Cancelable Biometric Based Security Protocol for Online Banking System
IJCSIS Research Publications
 
A Cancelable Biometric Based Security Protocol for Online Banking System
IJCSIS Research Publications
 
An Algorithm for Electronic Money Transaction Security (Three Layer Security)...
Syeful Islam
 
IRJET- A Mobile Payment System Based on Face Recognition
IRJET Journal
 
Secure Authentication for Mobile Banking Using Facial Recognition
IOSR Journals
 
Enforcing Set and SSL Protocols in E-Payment
AIRCC Publishing Corporation
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
ijcsit
 
ENFORCING SET AND SSL PROTOCOLS IN EPAYMENT
AIRCC Publishing Corporation
 
A Review of Information Security from Consumer’s Perspective Especially in On...
Dr. Amarjeet Singh
 
The Impact of Customer Knowledge on the Security of E-Banking
CSCJournals
 
IRJET - Anti-Fraud ATM Security System
IRJET Journal
 
Location Based Services in M-Commerce: Customer Trust and Transaction Securit...
CSCJournals
 
IJERD (www.ijerd.com) International Journal of Engineering Research and Devel...
IJERD Editor
 
IRJET- Phishing Attack based on Visual Cryptography
IRJET Journal
 
Is the Future of Finance Quality Assurance Mobile Aplication.pdf
madhusudhanarao52
 
E banking
femymoni
 
IRJET- Issues & Challenges in Mobile Banking in Pune: A Customers’ Perspective
IRJET Journal
 
Pay-Cloak:Biometric
ijtsrd
 
IRJET- Bank Management System
IRJET Journal
 
A Survey on Mobile Commerce Security Issues and Applications
theijes
 
Ad

More from Alexander Decker (20)

PDF
Abnormalities of hormones and inflammatory cytokines in women affected with p...
Alexander Decker
 
PDF
A validation of the adverse childhood experiences scale in
Alexander Decker
 
PDF
A usability evaluation framework for b2 c e commerce websites
Alexander Decker
 
PDF
A universal model for managing the marketing executives in nigerian banks
Alexander Decker
 
PDF
A unique common fixed point theorems in generalized d
Alexander Decker
 
PDF
A trends of salmonella and antibiotic resistance
Alexander Decker
 
PDF
A transformational generative approach towards understanding al-istifham
Alexander Decker
 
PDF
A time series analysis of the determinants of savings in namibia
Alexander Decker
 
PDF
A therapy for physical and mental fitness of school children
Alexander Decker
 
PDF
A theory of efficiency for managing the marketing executives in nigerian banks
Alexander Decker
 
PDF
A systematic evaluation of link budget for
Alexander Decker
 
PDF
A synthetic review of contraceptive supplies in punjab
Alexander Decker
 
PDF
A synthesis of taylor’s and fayol’s management approaches for managing market...
Alexander Decker
 
PDF
A survey paper on sequence pattern mining with incremental
Alexander Decker
 
PDF
A survey on live virtual machine migrations and its techniques
Alexander Decker
 
PDF
A survey on data mining and analysis in hadoop and mongo db
Alexander Decker
 
PDF
A survey on challenges to the media cloud
Alexander Decker
 
PDF
A survey of provenance leveraged
Alexander Decker
 
PDF
A survey of private equity investments in kenya
Alexander Decker
 
PDF
A study to measures the financial health of
Alexander Decker
 
Abnormalities of hormones and inflammatory cytokines in women affected with p...
Alexander Decker
 
A validation of the adverse childhood experiences scale in
Alexander Decker
 
A usability evaluation framework for b2 c e commerce websites
Alexander Decker
 
A universal model for managing the marketing executives in nigerian banks
Alexander Decker
 
A unique common fixed point theorems in generalized d
Alexander Decker
 
A trends of salmonella and antibiotic resistance
Alexander Decker
 
A transformational generative approach towards understanding al-istifham
Alexander Decker
 
A time series analysis of the determinants of savings in namibia
Alexander Decker
 
A therapy for physical and mental fitness of school children
Alexander Decker
 
A theory of efficiency for managing the marketing executives in nigerian banks
Alexander Decker
 
A systematic evaluation of link budget for
Alexander Decker
 
A synthetic review of contraceptive supplies in punjab
Alexander Decker
 
A synthesis of taylor’s and fayol’s management approaches for managing market...
Alexander Decker
 
A survey paper on sequence pattern mining with incremental
Alexander Decker
 
A survey on live virtual machine migrations and its techniques
Alexander Decker
 
A survey on data mining and analysis in hadoop and mongo db
Alexander Decker
 
A survey on challenges to the media cloud
Alexander Decker
 
A survey of provenance leveraged
Alexander Decker
 
A survey of private equity investments in kenya
Alexander Decker
 
A study to measures the financial health of
Alexander Decker
 

Recently uploaded (20)

PDF
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
Gorman Bain Capital
 
PDF
Circular Flow of Income by Dr. S. Malini
MaliniHariraj
 
PPTX
What is next for the Fractional CFO - August 2025
PaulYoung221210
 
PPTX
Session 11-13. Working Capital Management and Cash Budget.pptx
2023mb21003
 
PDF
Spending, Allocation Choices, and Aging THROUGH Retirement. Are all of these ...
Better Financial Education
 
PDF
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
davidromero210805
 
PDF
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
PDF
discourse-2025-02-building-a-trillion-dollar-dream.pdf
Shujjat Ahmed
 
PPTX
EABDM Slides for Indifference curve.pptx
deeksha8770
 
PPTX
How best to drive Metrics, Ratios, and Key Performance Indicators
PaulYoung221210
 
PDF
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
PDF
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
Adnet Communications
 
PPTX
fastest_growing_sectors_in_india_2025.pptx
Grip Invest
 
PDF
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
PPTX
The discussion on the Economic in transportation .pptx
awanganiqkmal191
 
PDF
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
PDF
Copia de Minimal 3D Technology Consulting Presentation.pdf
viccarlin12
 
PDF
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
AsifimranEmon
 
PPTX
Who’s winning the race to be the world’s first trillionaire.pptx
ManiRamesh15
 
PPTX
4.5.1 Financial Governance_Appropriation & Finance.pptx
RuhulQuddus23
 
Dr Tran Quoc Bao the first Vietnamese speaker at GITEX DigiHealth Conference ...
Gorman Bain Capital
 
Circular Flow of Income by Dr. S. Malini
MaliniHariraj
 
What is next for the Fractional CFO - August 2025
PaulYoung221210
 
Session 11-13. Working Capital Management and Cash Budget.pptx
2023mb21003
 
Spending, Allocation Choices, and Aging THROUGH Retirement. Are all of these ...
Better Financial Education
 
Dialnet-DynamicHedgingOfPricesOfNaturalGasInMexico-8788871.pdf
davidromero210805
 
Mathematical Economics 23lec03slides.pdf
drmabdelnaby2060
 
discourse-2025-02-building-a-trillion-dollar-dream.pdf
Shujjat Ahmed
 
EABDM Slides for Indifference curve.pptx
deeksha8770
 
How best to drive Metrics, Ratios, and Key Performance Indicators
PaulYoung221210
 
Predicting Customer Bankruptcy Using Machine Learning Algorithm research pape...
Razan Shahwan
 
Q2 2025 :Lundin Gold Conference Call Presentation_Final.pdf
Adnet Communications
 
fastest_growing_sectors_in_india_2025.pptx
Grip Invest
 
ECONOMICS AND ENTREPRENEURS LESSONSS AND
ClarenceKennethCasta2
 
The discussion on the Economic in transportation .pptx
awanganiqkmal191
 
NAPF_RESPONSE_TO_THE_PENSIONS_COMMISSION_8 _2_.pdf
Henry Tapper
 
Copia de Minimal 3D Technology Consulting Presentation.pdf
viccarlin12
 
ABriefOverviewComparisonUCP600_ISP8_URDG_758.pdf
AsifimranEmon
 
Who’s winning the race to be the world’s first trillionaire.pptx
ManiRamesh15
 
4.5.1 Financial Governance_Appropriation & Finance.pptx
RuhulQuddus23
 

5.[25 33]survey on 2-step security for authentication in m-banking

  • 1. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Survey on 2-Step Security for Authentication in M-Banking Salve Anup (Corresponding Author) Department of Computer Engineering, AISSMS College of Engineering, Pune -411001 University of Pune, India Tel: +91-9689950004 E-mail: sanupsalve@gmail.com Kashid Suraj Department of Computer Engineering, AISSMS College of Engineering, Pune -411001, University of Pune, India Tel: +91-9762309579 E-mail: surajiphone@gmail.com Patil Rahul Department of Computer Engineering, AISSMS College of Engineering, Pune -411001, University of Pune, India Tel: +91-9579578784 E-mail: patilrahul.sangli@gmail.com Dhamane Harshad Department of Computer Engineering, AISSMS College of Engineering, Pune -411001 University of Pune, India Tel: +91-8793111782 E-mail:hdhamane@gmail.com Abstract Technologies drive the need in every sector and enterprise needs to understand changing need of customer. Financial sector has also no exception. In order to satisfy financial need for customer banks are taking help of new technology such as internet. It is called as e-banking. But problem remain over e-banking is security. Over the e-banking, the potential use of mobile devices in financial applications such as banking and stock trading has seen a rapid increase. The aim of this work is to provide a secure environment in terms of security for transaction by various ways. In this paper we focus on 2-step security for authentication. For this system we use m-banking. Propose the use of “steganography” as means to improve the communication channel. Task of enhancing security include construction of formula for both data encryption and for hiding pattern and also provide system based on biometric information. i.e., face recognition. Keywords: decryption, encryption, face recognition, security, steganography 1. Introduction The Internet is an integral part of our daily lives, and the proportion of people who expect to be able to manage their bank accounts anywhere, anytime is constantly growing. As such, Internet banking has come of age as a crucial component of any financial institution’s multichannel strategy. Internet banking is vast, which is why this type of banking is becoming more and more popular in recent years. Convenience is the one advantage that most people will list first when online banking is mentioned. Not having to go to the bank and wait in line is something that appeals to most banking customers. Other advantage of online banking is the automatic payment of bills; internet banking is to have paycheck automatically deposited into our account. But, the biggest disadvantage of internet banking is security. Customer should be sure that he has a secure connection that is protected before you attempt to bank online. To overcome the drawback of internet banking and security issue new technology is developed known as mobile banking or M-Banking. In the e-Banking the client need the computer machine and internet connection. Some rural areas are not aware of internet. And it is also not possible to everyone to use the internet. To overcome the drawback of e-Banking the new concept of m- 25 | P a g e www.iiste.org
  • 2. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Banking is introduce. The importance of improving M-Banking is beneficial to both the customer and the bank. Mobile banking gives opportunity to everybody for easy banking activities sustainably increasing the interaction between user and bank. It has enabled to increase financial access for in rural areas and paved the way for integrating rural people into the mainstream financial system. Mobile Banking basic Functionality Offered: I. Account Information (a) Balance Overview (b) Account Details (c) Transaction History (d) Account Statements II. Transfers (a) Transfer Between Own Accounts (b) Transfer to same Bank Accounts (c) Transfer to Other Bank Clients III. Cards (a) Card Details (b) Card Statements (c) Card Payments IV. Payments (a) Utility Payments (b) Bill Payments (c) Government Payments (d) Group and Payroll Payments (e) Mobile top-ups However, the amount of transaction money through mobile banking has led to attract criminal attention. Security concerns are important for customers and banks. Finding from studies in e-Banking also have application in the wider field off transaction security for e-Commerce activities. Bank log-in security has to be strong and supervised as banks are integral part of the defense against money laundering [1]. The main reason that Mobile Banking scores over Internet Banking is that it enables “Anywhere, Anytime Banking”. Customer do not need to access computer terminal to access bank account. Now customer can access his bank account anytime, anywhere such as waiting for bus to work, travelling or when waiting for orders to come through in a restaurant. Serious operational risks and potential liabilities are associated with security breaches in the transfer of fund over the Internet. Concern about security has led to major barrier for mobile banking adoption by several banks [1]. Authentication problems issues are related to the transfer of information over the insecure communication channel as shown in Fig. 1. Insecure Information Exchange Fig. 1 Insecure Communication channel Confidential data like password are broken by malicious code. Phishing spoof web page imitating of the user’s online bank is designed and used to encourage the user to enter bank details in this fake page. The data entered is cyber crooks. Recent increases in online fraud have encouraged banks to think about some different multiple factor solutions for their authentication procedure [1] In this paper we focus on 2-step security for authentication process using mobile banking for transaction purpose. Here we make use of different formula i.e., for steganography, for encryption and for session/request id. Only single key is sent along with image used in steganography (cover image) and all formulae in interdependent 26 | P a g e www.iiste.org
  • 3. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 manner. Key is variable i.e., changed every time and transferred in coded format in stego image. So that it becomes very difficult to get data even if key is found. In the second step of authentication, we use biometric information. In the biometric information we use face recognition system. In face recognition, image is capture on client and send to server database for validation. 2. Risk associated with e-Banking I. Interest Rate Risk: Internet rate risk is the risk to earnings or capital arising from movements in interest rates. Interest rate risk arises from different between the timing of rate changes and timing of cash flows. II. Credit Risk: Credit risk is the risk to earnings or capital arising from an obligator's failure to meet the terms of any contract with the bank or otherwise to perform as agreed III. Price Risk: Price risk is the risk to earnings or capital arising from changes in the value of traded collection of financial instruments. IV. Foreign Exchange Risk: Foreign Exchange risk is present when a loan or portfolio of loans is dominated in a foreign currency or is funded by borrowings in another currency. M-Banking Security measures I. Debit and Credit cards coupled to a specific phone number of consumer for supplementary transaction security. II. Transfer channel of SMS can be used with encryption by mobile payment applications to defend data integrity and security. III. Accomplishment of secure PIN for transactions for fund transfer. 3. Designed System Our designed system is 2-step authentication process. In the first step of authentication we use steganography and at second step we use biometric information to enhance security over insecure channel. In steganography technique, we hide the user ID and password of client in particular image. We send this image to server for verification. Biometric information is of two types. In physlogical information it contain face, hand, Iris, DNA, finger print etc while in Behavioral information it contain voice, keystroke, signature etc. Biometric characteristics such as universality, distinctiveness, collect ability, permanence, performance, acceptability, circumvention cannot be lost or forgotten and are very difficult to copy, share and distribute. For authentication purpose using biometric information person physically present as in real life. This kind of security can enable clients to use their bank ID and biometric to log the bank server remotely to access their account [1]. 3.1 Authentication Process The following fig shows the general authentication procedure in designed technique: The detailed authentication process is as follows: I. Registration Phase By client’s mobile the registration phase can be performed remotely or personally. At registration following steps are performed. (a) In the first step, the client is also given an e-ID as well as password for processing through his identity. This is first level of authentication. (b) In the second step, the biometric data i.e., face image is captured, preprocessed and features are extracted. The featured templates are formed and stored as enrolled templates. These saved templates are referred during verification phase. This is second level of authentication. II. Login Phase 27 | P a g e www.iiste.org
  • 4. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 At the login time in bank account he is required to enter his e-ID and password. The server performs the following preliminary steps: (a) Checks T is the current time stamp of the user’s machine. (b) Verifies initial login details i.e. the ID and password. (c) If the prior information entered is correct, the user is redirected to the biometrics authentication page and the user is asked to start image transmission through the mobile. III. Transmission Phase This phase takes care of the transmitting information through the internet as we have no control over the insecure channel. (a) In order to avoid the interruption of hackers and intruders we propose to hide the text data into some images related to normal life or otherwise which when encountered by the hacker can be ignored and transmission can be preceded safely. (b) Even if the transmitting data is suspected by the hacker he cannot extract the secret data. IV. Verification Phase Upon receiving the login information and the stego file, the authentication server performs the following steps: (a) The server applies the reverse of the embedding secret data procedure to recover the biometric information from the stego file. (b) Checks the validity of time stamp with the current date and time T 'and T . The server rejects the login request of the user otherwise accepts the request. Here T denotes the expected valid time interval for transmission delay and T ' denotes the receiving timestamp of login attempt by the user. (c) Once the biometrics is successfully derived from the stego file, the face recognition takes places as discussed in section 3.4 and the suitable candidate is matched from the database. (d) Computes T '' and s T from the MAC sent from the server for confirmation. If T then the user rejects this message otherwise calculates the MAC hash function using his private key. After receiving the response message from server user compares the two hash values calculated from MAC and the original value. If the two are equal the server gets authenticated otherwise the operation is terminated. V. Data Transfer The data can be transfer once the user is authenticated then the users are allowed to transfer the data. 3.2 Data Encryption and error checking I. Encryption and Decryption A process of translating a message, called the Plaintext, into an encoded message is called encryption. It helps to protect the original data from unauthorized access. Decryption is process of translating encoded message back to plain text. Before embedding the data into image using steganography technique, data is first encrypted either by using simple technique like 0 converted to 1 or any standard algorithm. Such encrypted data is then used for steganography. II. Error checking Error checking means checking consistency of data in image after receiving by receiver. Because, if random changes are made in the image then resultant extracted data from image may get changed. This can be achieved by carious ways. We can make use of simple techniques such as parity code or any other standard techniques. Data which is required for error checking should also be added to image along with 28 | P a g e www.iiste.org
  • 5. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 original data [2]. 3.3 Steganography Steganography is the practice of hiding private or sensitive information within something that appears to be nothing out of the usual. Steganography would provide an ultimate guarantee of authentication that no other security tool may ensure. Now days there are many forms of steganography that use many different mediums to transmit hidden information. Steganography can use essentially any other form of media to transmit a hidden message, though techniques vary from cover type to cover type. Steganography was around long before computers were invented. As long as people have desired to communicate in secret; steganography has been there, allowing them to at least attempt to do so. The term "Steganography" dates back to 440 BC and derives from a Greek word meaning "covered or hidden writing." This word was used to refer to practices of leaders hiding messages sent to other leaders. Steganography came to what is now the United States as early as the Revolutionary War, during which it took the form of secret message drops, code words, and invisible inks used for communications between General George Washington and a group of spies It continued in use through additional wars, including World War I and II. Following the tragedy of September 11, 2001, investigations revealed that Al'Queda terrorists may have transmitted images containing hidden messages via Usenet. Evidence exists primarily in the form of Islamic extremist websites that provide information on how to embed data in images. Though the use of steganography in planning 9/11 was not confirmed, the possibility of its use sparked new interest in steganography, and led to further research into its use and its prevention [3]. Implementing steganography Steganography literally means "covered writing." Steganography has been used throughout history for secret communications. Instead of making use of some previous techniques of steganography, such as LSB method which are easy to detect, it uses two mathematical formulae. To make use of steganography appropriate image format should be selected such as loss less image formats. The general overview of steganography technique is shown in Fig 4. Cover serves as medium to hide the message being sent. Making use of graphical images as cover solve many problems readily such as large availability of images, various formats of images and variation in size of image. Fig. 2 Steganography and Steganalysis Both server and end user application will communicate only by sending the cover image and then extracting data from it [2]. Here we make use on two mathematical formulae. First formula will generate series of pixel number in which data will hide. Second formula will generate the bit number for ‘n’ bit pixel in which one bit of data will hide. Using these formulae data will be randomly distributed in image instead of sequential and data hiding bit is also changed every time. Using custom images created by the owner (in this case bank) will help to avoid the comparison of the image. 29 | P a g e www.iiste.org
  • 6. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Before Data Hiding After Data Hiding From these results, we see that the image appear completely unaltered to the naked eye, and are statistically quite similar as well, making it very difficult for either a human with both images or a computer with only one image to detect something amiss. The beauty of randomly generated images is that a user can continue to generate images until one is found with satisfactory statistics or looks, and this often takes only a few iteration to accomplish [3]. 3.4 Face recognition Face recognition has received considerable interest as a widely accepted biometric, because of the ease of collecting samples of a person, with or without subject’s intension. Face recognition refers to an automated or semi automated process of matching facial images. This type of technology constitutes a wide group of technologies which all work with face but use different scanning techniques. Most common by far is 2D face recognition which is easier and less expensive compared to the other approaches [4]. There are four steps in face recognition as given below: I. Acquiring a sample: In a complete, full implemented biometric system, a sensor takes an observation. The sensor might be a mobile camera. In our system, 2D face picture will be supplied manually to server. II. Extracting Features: For this step, the relevant data is extracted from the predefined captured sample. The outcome of this step is a biometric template which is a reduced set of data that represents the unique features of the enrolled user's face. III. Comparison Templates: For identification purposes, this step will be a comparison between a given image for the subject and all the biometric templates stored on a server database. For verification, the biometric template of the claimed identity will be retrieved (either from a database or a storage medium presented by the subject) and this will be compared to a given image. IV. Declaring a Match: The face recognition system will return a client match from image database server match. Faces in the test images taken using the DROID phone can be of different sizes. Correlating with a standard template size didn’t give good results. So, we correlated the image with templates of different sizes (scale ratios from .6 to 1.8) and compared the correlation values. This technique worked well in detecting faces of different sizes. Fig.3 Face Recognition 30 | P a g e www.iiste.org
  • 7. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 For the face recognition technique we use most popular Eigenvector algorithm. In face recognition security srep if any fake request is send to server from Android application, server will easily detect the fake request. It shows the error message and does not allow the transaction to hacker. Fig. 4 Result of the Face Recognition application for Android. (a) Client correctly recognized, (b) Client correctly rejected [5] 3.5 Custom session ID and request ID In computer science, a session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. The request information object contains all request-local information and server as the vessel for most forms of intercommunication. A Request ID object is born when an incoming request is encountered, and its life expectancy is short, as it dies again when the request has passed through all levels of the module type calling sequence. I. Session ID A session token is a unique identifier, usually in the form of a hash generated by a hash function that is generated and sent from a server to a client to identify the current interaction session. The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. Session id will be constant throughout one session. Server will identify the authorized application’s session using session id. II. Request ID To communicate with server every message hidden in image should have request id. This id will not be sequential fashion instead it will also be generated by formula. We know that key used in this process is variable i.e. changed every time for every message. So the formula for request id will generate id using key for previous transaction. At server, if session id found valid then request id is checked. If any request with incorrect request id will not be processed. As request id is not sequential next id will not be after equal interval but interval depends indirectly on key. This avoids the fake request to server [2]. 31 | P a g e www.iiste.org
  • 8. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 Fig.5 General Overview of Session ID and Request ID Architectural Model: Authentication Step-1 Steganography Using Random Bit Technique Generate Request Id and Session Id Extract Text Decrypt Text Encrypt Validate Session Apply Steganography Using Random Bit Technique Activates Camera on Client Side Authentication Step-2 Face Recognition Takes snapshot of user and sends on Server Convert Image to face and match it with server database Fig. 6 Designed 2-step Authentication model 4. Implementation For implementation of proposed system there must be some requirements are as follows I. Mobile device of client must be GPRS/Wi-Fi enabled and camera. II. User must have basic knowledge of internet and mobile. III. Client server application is needed for successful realization of communication between the customer and bank. IV. Bank must provide necessary software to client for authentication and transaction process. V. Speed of the GPR/Wi-Fi data transfer may vary depending on mobile server. 32 | P a g e www.iiste.org
  • 9. Control Theory and Informatics www.iiste.org ISSN 2224-5774 (print) ISSN 2225-0492 (online) Vol 1, No.1, 2011 VI. There could not be mobile network problem on client side. 5. Benefits of m-Banking I. Practical and straightforward alerting services. II. Low Cost: No additional hardware to buy. Can be deployed on a large scale at a fraction of the cost of traditional authentication solutions. III. High Security: Unlike our competitors, DIGIPASS for Mobile supports multiple synchronization methods (time-based algorithms in addition to event-based algorithms). Authentication credentials automatically expire either after a configurable time-out or immediately after initial use. IV. High User Acceptance: End-users will enjoy the freedom of secure banking—anywhere, anytime while conveniently using their very own mobile device. V. Fully-Customizable User Interface: Banks can fully customize the interface with their own unique branding scheme (menus, messages, icons, logos, fonts, colors). VI. Password is not exchanged between the server and the mobile. Therefore there is no risk of exposure of user password. VII. Response time and speed of bank’s server increases. VIII. It is difficult to detect password by intruder because password is stored in any particular Image 6. Conclusion In this paper, we have surveyed drawbacks of some of the existing system for authentication. To overcome this drawback we proposed 2-level authentication process based on biometric information and Steganographic approach which improves all identified drawbacks and provide more security for real life. REFERENCES Dushyant Goya1 and Shiuh-Jeng Wang (2010), “Steganographic Authentications in conjunction with Face and Voice Recognition for Mobile Systems”, High Performance Computing Conference, India http://www.hipc.org/hipc2010/HIPCSS10/1569358847.pdf Geeta S. Navale, Swati S. Joshi and Aaradhana A Deshmukh (2010),” M-Banking Security – a futuristic improved security approach”, IJCSI International Journal of Computer Science Issues, Vol. 7, Issue 1, No. 2 www.ijcsi.org/papers/7-1-2-68-71.pdf Jessica Codr (2009)” Unseen: An Overview of Steganography and Presentation of Associated Java Application C-Hide”, Washington University in St.Louis, Department of Computer Science & Engineering, Bryan Hall, Campus Box 1045, One Brookings Drive, St. Louis, Missouri 63130 http://www.cse.wustl.edu/~jain/cse571-09/ftp/stegano/index.html Noor AlSheala and Hasan AlOdail (2011),” Face Recognition System”, KING FAHAD UNIVERSITY OF PETROLEUM AND MINERALS, College of Computer Science and Engineering ICS411 Senior Project Term 082. http://student.kfupm.edu.sa/s200352870/doc/faceFinal.pdf Guillaume Dave, Xing Chao and Kishore Sriadibhatla (2010),” Face Recognition in Mobile Phones”, Department of Electrical Engineering Stanford University Stanford, USA http://www.stanford.edu/class/ee368/Project_10/Reports/Sriadibhatla_Davo_Chao_FaceRecognition.pdf 33 | P a g e www.iiste.org