EFTS impact on computer security

Electronic funds transfer systems are revolutionizing the banking and financial industry by providing new and varied services for individuals, businesses, and government. These new services, designed to reduce the volume of paper checks processed, introduced new threat areas to the security of bank funds. No security measure and/or device is going to adequately protect the EFT system from potential abuse. There needs to be an integrated management approach assessing the particular company's major risk in the EFTS environment, and a resultant cost effective plan developed in order to provide expanded business services to its customers, while at the same time not leaving the company open to undue financial risk.     

Mobile banking in the government-to-person payment sector for financial inclusion in Pakistan*

ABSTRACT

Whilst there have been growing interest and efforts by governments in developing countries to disburse digital government-to-person (G2P) payments to promote financial inclusion, the role of mobile banking in the receipt of social cash remains under-researched. Through an interpretive case study of the Benazir Income Support Programme (BISP) in Pakistan, this paper applies Orlikowski’s Duality of Technology that critically examines mobile banking usage by women beneficiaries and technology's effects on the institutional properties of their households. Qualitative data were collected through semi-structured interviews from participants located in Pakistan. The findings highlighted that mobile banking enabled women to receive the full amount of grants, securely and conveniently, from agents. However, mobile banking imposed human, socio-economic and technological constraints which restricted women's access to and usage of financial services that limited financial inclusion. Women were socially and politically empowered, thereby, social inclusion was transformative. This paper theoretically contributes to the Duality of Technology framework that was deterministic for women beneficiaries. The study accentuates the redesign of mobile banking to match women's capabilities, and imparting financial and digital training to them. Also, the provision of a range of financial resources to beneficiaries may steer micro-entrepreneurial activities to advance the inclusion agenda in Pakistan.     

An investigation into affective design using sorting technique and Kohonen self-organising map

In this paper, a prototype system that focuses on affective design perspective for iterative product concept development is proposed and described. The prototype system, which emphasises the solicitation of affective attributes from customers, employs a sorting technique, i.e. picture sorts, for acquiring customer's affective requirements and a hierarchical structure for representing designer's formal elements to meet customer's affective requirements in product conceptualisation. As hierarchical structure alone contains qualitative and uncertain inherence, a self-organised algorithm known as Kohonen self-organising map (SOM) neural network is employed to consolidate the relationship between affective requirements from customers and formal elements from designers so as to formulate a customer-oriented product concept. The performance of the prototype system is illustrated by using a case study on the design of a mobile hand phone.     

Liability implications in electronic fund transfers

The purpose of this paper is to present an overview of Electronic Funds Transfer Systems, the Electronic Fund Transfer Act (EFTA) of 1978 and liability implications for financial inititutions and customers. Models of payment transfer prior to EFT are presented followed by a review of the EFT Legislation. Various aspects of regulatory authority, disclosures, preauthorized transfers and error resolution procedures are examined. The paper ends with a discussion of three types of liability: consumer, financial institution, and civel and criminal. An extensive list of references is provided.     

Keystroke dynamics-based authentication for mobile devices

Recently, mobile devices are used in financial applications such as banking and stock trading. However, unlike desktops and notebook computers, a 4-digit personal identification number (PIN) is often adopted as the only security mechanism for mobile devices. Because of their limited length, PINs are vulnerable to shoulder surfing and systematic trial-and-error attacks. This paper reports the effectiveness of user authentication using keystroke dynamics-based authentication (KDA) on mobile devices. We found that a KDA system can be effective for mobile devices in terms of authentication accuracy. Use of artificial rhythms leads to even better authentication performance.     

基于IPSec的大型机场无线局域网接入认证方法研究

民航无线宽带专网CAWN是大型机场运行业务数据的通信手段。CAWN的接入认证及其数据传输的安全性涉及到航空机场的安全运行和乘客的个人隐私等。文章在研究了大型航空机场无线覆盖的网络结构和安全性要求的基础上,提出了基于IPSec的CAWN接入认证和数据传输安全机制的方案．根据国内某机场的CAWN组网方式搭建了实验系统,验证了IPSec的接入认证功能,并对系统的功能和性能进行了测试。实验结果表明加载了IPSec模块的系统能够实现接入认证功能和保障数据传输的安全性,且总体网络性能指标稳定;虽然网络吞吐量略有减小,以及网络延时略有增加,但是能够满足航空机场网络通信的要求。     

An application of locally linear model tree algorithm with combination of feature selection in credit scoring

Nowadays, credit scoring is one of the most important topics in the banking sector. Credit scoring models have been widely used to facilitate the process of credit assessing. In this paper, an application of the locally linear model tree algorithm (LOLIMOT) was experimented to evaluate the superiority of its performance to predict the customer's credit status. The algorithm is improved with an aim of adjustment by credit scoring domain by means of data fusion and feature selection techniques. Two real world credit data sets – Australian and German – from UCI machine learning database were selected to demonstrate the performance of our new classifier. The analytical results indicate that the improved LOLIMOT significantly increase the prediction accuracy.     

Product selection in Internet business: a fuzzy approach

In this paper, we propose a methodology which helps customers buy products through the Internet. This procedure takes into account the customer's level of desire in the product attributes, which are normally fuzzy, or in linguistically defined terms. The concept of fuzzy number will be used to measure the degree of similarities of the available products to that of the customer's requirements. The degrees of similarities so obtained over all the attributes give rise to the fuzzy probabilities and hence the fuzzy expected values of availing a product on the Internet as per the customer's requirement. Attribute‐wise the fuzzy expected values are compared with those of the available products on the Internet and the product that is closest to the customer's preference is selected as the best product. The multi‐attribute weighted average method is used here to evaluate and hence to select the best product.     

基于Agent的内部威胁实时检测框架

针对企业信息系统中的内部威胁行为,特别是内部用户的资源滥用行为,提出了一种基于Agent的实时检测框架,通过比较用户身份权限和异常操作行为发现恶意内部威胁行为.该框架有数据采集模块、检测模块、审计模块和响应模块构成.从身份认证、访问控制、操作审计和漏洞检测四个方面对检测系统进行功能说明,并就关键技术给出了详细介绍.应用实例证明该检测框架实现了用户实名登录、行为检测与事后审计,从根本上防止了恶意内部人员获取非法数据并提供响应和干预能力,提高了信息系统的安全性.最后,总结了内部威胁检测技术发展趋势.     

使用可信计算技术防范网络仿冒攻击

网络仿冒攻击已经成为互联网上最大的安全威胁之一,给金融机构和普通消费者造成了巨大的损失,严重影响了网上银行和电子商务的发展。我们分析了当前网络浏览器存在的安全漏洞,讨论了在线用户验证的问题,并且提出了使用可信计算平台对在线用户验证的方法。这种方法不仅能使很多网络仿冒攻击失效,而且可以防范其他在线攻击。     

A benefit–cost perspective of the consumer adoption of the mobile banking system

The present research adopts a benefit–cost perspective to study consumer adoption of the mobile banking services. It is suggested that because of the specific product context of the mobile banking service, such as the difficulty to assess some experiential qualities like the ease of use due to a low trial rate of mobile banking and the inherent risk factor involved in a new financial service technology, models complementary to the technology adoption model may be needed to accommodate these product contexts. In the present research, the benefit–cost framework was employed as an example of the complementary framework to study consumers' adoption of the mobile banking system. The key benefit of mobile banking is convenience, while the key cost is security. A set of ability and risk factors were modelled via structural equation model (SEM) as the antecedents of the benefit and cost of adopting the mobile banking system. The results showed that the empirical data supported most hypothesised relationships among the factors. It is concluded that consumers' new technology adoption behaviour is a complicated phenomenon which may require different models in different product contexts. It is suggested that future research should address the issue of the preconditions and product contexts under which a certain class of models may be most suitable to explain the adoption behaviour.     

一个适用于分布式入侵检测系统的安全通信协议

分布式入侵检测系统的模块间需要进行安全通信，但是目前存在的安全通信协议不能充分保证系统通信的安全性。为满足入侵检测系统中模块问通信可靠、机密、身份认证、数据完整及新鲜的需求，该文提出了一个基于TCP协议的模块间传输安全（MTS）协议。MTS协议由握手子协议和密文传输子协议构成，前者用于协商会话密钥及通信双方的身份认证，后者则使用协商的会话密钥实现数据的安全传输。最后验证了MTS协议的安全性，并在开放的分布式入侵检测系统（ODIDS）中实现了该协议。     

Improving the security of ‘a flexible biometrics remote user authentication scheme’

Recently, Lin–Lai proposed ‘a flexible biometrics remote user authentication scheme,’ which is based on El Gamal's cryptosystem and fingerprint verification, and does not need to maintain verification tables on the server. They claimed that their scheme is secured from attacks and suitable for high security applications; however, we point out that their scheme is vulnerable and can easily be cryptanalyzed. We demonstrate that their scheme performs only unilateral authentication (only client authentication) and there is no mutual authentication between user and remote system, thus their scheme is susceptible to the server spoofing attack. To fill this security gap, we present an improvement which overcomes the weakness of Lin–Lai's scheme. As a result, our improved security patch establishes trust between client and remote system in the form of mutual authentication. Moreover, some standards for biometric-based authentication are also discussed, which should be followed during the development of biometric systems.     

Certificate sharing system for secure certificate distribution in mobile environment

As mobile and Internet technologies evolve, mobile services (e.g., Internet banking, social commerce) continuously expand and diversify. In order to use these mobile services, it is essential that security services, especially distribution certificates (e.g., bank certificates), relevant to mobile devices be provided. Some approaches to providing distribution certificates between a user's mobile device and a personal computer (PC) have been proposed. However, the existing approaches do not guarantee that the certificate in the mobile devices same with the issued one from the PC, causing constraints on mobile services such as mobile phone banking and mobile commerce (M-commerce).In this paper, we propose a novel approach that shares certificates securely without modification of the existing standard certificate format between a smartphone and a PC. We also implemented the certificate sharing system (CSS) in a virtual private network (VPN). The CSS provides strong end-to-end data security for the certificate with a key size of 192-bits which is able to guarantee an expiration date of three years. It also provides strong data security on physical devices with the use of device ID. The certificate that is shared between devices is available only through the CSS's authorization process. In addition, the CSS provides a flexible and extensible system for sharing certificates in enterprise environments. The CSS module of a PC was implemented by way of a standard web language, and the CSS module of a smartphone was developed with the assistance of mobile applications with a small size of 1210KB.     

Usability evaluation of voiceprint authentication in automated telephone banking: Sentences versus digits

This paper describes an experiment to investigate the usability of voiceprints for customer authentication in automated telephone banking. The usability of voiceprint authentication using digits (random strings and telephone numbers) and sentences (branded and unbranded) are compared in a controlled experiment with 204 telephone banking customers. Results indicate high levels of usability and customer acceptance for voiceprint authentication in telephone banking. Customers find voiceprint authentication based on digits more usable than that based on sentences, and a majority of participants would prefer to use digits.     

Authentication and access control in RFID based logistics-customs clearance service platform

The content security requirements of a radio frequency identification (RFID) based logistics-customs clearance service platform (LCCSP) are analysed in this paper. Then, both the unified identity authentication and the access control modules are designed according to those analyses. Finally, the unified identity authentication and the access control on the business level are implemented separately. In the unified identity authentication module, based on an improved Kerberos-based authentication approach, a new control transfer method is proposed to solve the sharing problem of tickets among different servers of different departments. In the access control module, the functions of access controls are divided into different granularities to make the access control management more flexible. Moreover, the access control module has significant reference value for user management in similar systems.     

Measure the quality level for a supplier-demand system by a multicommodity stochastic-flow network

From the point of view of quality management, it is important to meet the customer's demand. The probability that the system can satisfy the customer's demand is an important performance index, and can be used to measure the quality level of the system. In this paper, we use a multicommodity stochastic-flow network to describe the relationship between the supplier and the customer. Each node as well as each arc has several possible capacities and may fail. The network allows multiple types of commodities to be transmitted from the source to the sink. Given the demand for each commodity at the sink, evaluation of the probability that the system meets the demands is performed. Such a probability, named the system reliability, is a performance index of quality level. At first, a simple algorithm is proposed to generate all lower boundary points for the demand, and the system reliability can be calculated in terms of such points. The computational complexity of the proposed algorithm is polynomial time in number of arcs, nodes and minimal paths.     

Impact of electronic funds transfer systems on networks

Networks for electronic funds transfer systems have very high volumes of transactions to be processed. This means that changes must be made in EFT message-switching computer hardware. High volumes also mean that a transaction-oriented executive must be used. Terminal requirements will vary, depending on whether the transactions are paper-based or paperless transfers of funds. Integrating financial transactions with retail transactions with an electronic point-of-sale subsystem is a real systems challenge. Such a system must provide total control for the financial institution and improved point-of-sale productivity for the supermarket.     

利用OpenSSL实现PKI中数字签名及数字验证的研究

主要介绍如何利用OpenSSL实现数字签名及数字验证,重点关注数字签名及数字验证的处理流程。通过对比实验,得到数字签名方案中的几个特点,并着重分析算法和公钥算法对数字签名方案效率的影响,为完善数字签名在实际通信安全领域中的应用提供建议。     

User perceptions of security and usability of single-factor and two-factor authentication in automated telephone banking

This paper describes an experiment to investigate user perceptions of the usability and security of single-factor and two-factor authentication methods in automated telephone banking. In a controlled experiment with 62 banking customers a knowledge-based, single-factor authentication procedure, based on those commonly used in the financial services industry, was compared with a two-factor approach where in addition to the knowledge-based step, a one-time passcode was generated using a hardware security token. Results were gathered on the usability and perceived security of the two methods described, together with call completion rates and call durations for the two methods. Significant differences were found between the two methods, with the two-factor version being perceived as offering higher levels of security than the single-factor authentication version; however, this gain was offset by significantly lower perceptions of usability, and lower ratings for convenience and ease of use for the two-factor version. In addition, the two-factor authentication version took longer for participants to complete. This research provides valuable empirical evidence of the trade-off between security and usability in automated systems.