Using Automated Banking Certificates to Detect Unauthorised Financial Transactions

  • C. Corzo
  • F. Corzo S.
  • N. Zhang
  • A. Carpenter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4107)


New or emerging technologies such as e-services, e-/m-commerce, Cyber-payment, mobile banking and pay-as-you-go insurance services are opening up new avenues for criminals to commit computer-related financial fraud and online abuse. This serious situation has been evidenced by the UK Information Security Breach Survey 2004 and the UK National Hi-Tech Crime Unit’s recent report, “Hi-Tech Crime: The Impact On UK Business”. It highlights that online financial fraud is one of the most serious e-crimes and takes the lion’s share of over 60% of e-crime costs, and most of the financial fraud cases are committed by authorised insiders. Authorised insiders can more easily break the security barrier of a bank or a financial institution due to their operating privileges on the banking automated systems. Failure to detect such cases promptly can lead to (sometimes huge) financial loses and damage the reputation of financial institutions. This paper introduces a real-time fraud detection solution – the Transaction Authentication Service (TAS) – to tackle the problem of transaction manipulation by authorised insiders. The paper also introduces an important building block used in the design of TAS, Automated Banking Certificates (ABCs).


Data integrity financial fraud Insider threats Security architecture 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baldwin, A., Shiu, S.: Enabling shared audit data. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 14–28. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Bank for International Settlements, Risk Management Priciples for electronic Banking, found on (January 2006), at
  3. 3.
    Corzo, C., Zhang, N.: Towards a real-time solution to the security threats posed by authorised insiders. In: Proceedings of the ECIW 2004: The 3rd European conference on information warfare and security, Royal Holloway, University of London, UK, June 28-29, 2004, pp. 51–60 (2004)Google Scholar
  4. 4.
    Damgard, I.: Collision free hash functions and public key signatures. In: Price, W.L., Chaum, D. (eds.) EUROCRYPT 1987. LNCS, vol. 304, pp. 203–216. Springer, Heidelberg (1988)Google Scholar
  5. 5.
    Damgard, I.: A design principle for hash functions. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 416–427. Springer, Heidelberg (1990)Google Scholar
  6. 6.
    Davies, D.W., Price, W.L.: The application of digital signatures based on public-key cryptosystems. In: Proc. Intl. Computer Communications Conference, October 1980, pp. 525–530 (1980)Google Scholar
  7. 7.
    Diffie, W., Hellman, M.: New Directions in Cryptography. Information Theory, Transactions on IEEE 22(6), 644–654 (1976)zbMATHCrossRefMathSciNetGoogle Scholar
  8. 8.
    Diffie, W.: Ten first years of public key cryptography. In: Proceedings of the IEEE, 76th edn., pp. 560–577 (May 1988)Google Scholar
  9. 9.
    Evans, A.: A user authentication scheme not requiring secrecy in the computer. Communications of the ACM 17(8), 437–442 (1974)CrossRefGoogle Scholar
  10. 10.
    Haber, S., Stornetta, W.: How to time-stamp a digital document. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 437–455. Springer, Heidelberg (1991)Google Scholar
  11. 11.
    Kocher, P.: On certificate revocation and validation. In: Hirschfeld, R. (ed.) FC 1998. LNCS, vol. 1465, pp. 172–177. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  12. 12.
    Merkle, R.: A certified digital signature. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 218–238. Springer, Heidelberg (1990)Google Scholar
  13. 13.
    Muñoz, J., Forbe, J., Esparza, O.: Certificate revocation system implementation based on the Merkle hash tree. Journal of Information Security 2(2) (2004)Google Scholar
  14. 14.
    Naor, M., Nissim, K.: Certificate revocation and certificate update. IEEE Journal on selected areas in Communications 18(4), 561–570 (2000)CrossRefGoogle Scholar
  15. 15.
    Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public key cryptosystems. Communications of the ACM 21(2) (February 1978)Google Scholar
  16. 16.
    Tsudik, G.: Message authentication with one-way hash functions. In: Eleventh Annual Joint Conference of the IEEE Computer and Communications Societies, vol. 3, pp. 2055–5059. IEEE, Los Alamitos (1992)Google Scholar
  17. 17.
    O’Gorman,: Comparing passwords, tokens, and biometrics for user authentication. Proceedings of the IEEE 91(12), 2021–2040 (2003)CrossRefGoogle Scholar
  18. 18.
    Rivest, R.: The MD4 Message Digest Algorithm. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 303–311. Springer, Heidelberg (1991)Google Scholar
  19. 19.
    Simmons, G.: The practice of authentication. In: Pichler, F. (ed.) EUROCRYPT 1985. LNCS, vol. 219, pp. 261–272. Springer, Heidelberg (1986)CrossRefGoogle Scholar
  20. 20.
    Wang, X.: How to Break MD5 and other Hash functions. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 19–35. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • C. Corzo
    • 1
  • F. Corzo S.
    • 2
  • N. Zhang
    • 1
  • A. Carpenter
    • 1
  1. 1.School of Computer Sciencethe University of ManchesterManchesterUK
  2. 2.Universidad Escuela Colombiana de Ingeniería 

Personalised recommendations