Dynamic knowledge based authentication model for enhancing security of USSD banking transactions

Abstract

A large part of mobile banking transactions in Africa are facilitated by USSD technology. In authenticating customers, banks rely on a single security vector: a shared secret such as a six-digit PIN. This mechanism presents vulnerabilities that are commonly exploited to perpetuate fraud. In particular, this study focuses on insider threats, privacy leakage and social engineering attacks. To address these challenges, the study proposes a dynamic authentication model that poses diverse challenge questions based on available customer and transactional data. These challenge questions are unique to a given customer and variable over time making it difficult for anyone other than the legitimate user to deduce the correct response. A test-driven approach was used to guide development with the test scenario increasing in complexity after each iteration. Validation tests show the proposed scheme demonstrably provided enhanced security. The true acceptance score for legitimate users stood at 92.8 percent. As for guessing attacks by adversarial users, the probability of a correct guess was reduced to less than 0.08 percent. Performance-wise, the computational overhead increased by only 22 percent as compared to the classical method. This was sufficiently small as not to be noticeable by a user in real-world deployment. The study points to the feasibility of the model but recommends further research on challenge question generation for even greater security.