Practical receipt authentication for branchless banking

S. Panjwani
ACM DEV '13, published 2013-01-11. DOI: 10.1145/2442882.2442886 (https://doi.org/10.1145/2442882.2442886)
Citations: 8

Abstract

Although branchless banking systems have spread to different parts of the developing world, methods to ensure transactional security in these systems have seen slower adoption because of a variety of operational constraints. A basic requirement from such systems is the provision of secure and reliable receipts to users during transactions, and recent attacks have demonstrated that existing systems fall short of fulfilling this requirement in practice. In this paper, we propose a simple and practical protocol to enable users to authenticate transaction receipts in branchless banking systems. Our protocol makes novel use of missed calls (sent from users to the bank) to help distinguish real receipts from spoofed ones and can be implemented on any mobile phone, without software installation. Besides preventing spoofing attacks, the protocol enjoys significant advantages of usability, efficiency and cost, which make it a more practical choice than other schemes. We also discuss ways to use missed calls to mitigate man-in-the-middle attacks on branchless banking systems.