Using the Smart Card Web Server in Secure Branchless Banking

  • Sheila Cobourne
  • Keith Mayes
  • Konstantinos Markantonakis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


In remote areas of developing countries, the mobile phone network may be the only connection with outside organizations such as banks. SMS messages are used in branchless banking schemes such as M-PESA in Kenya, but can be vulnerable to SMS spoofing exploits. This paper proposes a branchless banking system for withdrawal, deposit and transfer transactions, using an application on the phone’s tamper-resistant Subscriber Identity Module (SIM) equipped with a Smart Card Web Server (SCWS) and public key cryptography capabilities.
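The abstract names the mechanism (a signing key held in the tamper-resistant SIM) and the threat it answers (spoofed SMS, where the bank has only an unauthenticated sender number to go on). The Go program below is an added illustration of that general idea, written for this page; it is not the paper's protocol, whose message format, key management and SCWS interaction are given in the full text rather than here. The transaction layout, the per-SIM counter used against replay, the account and agent names, and the choice of ECDSA over P-256 are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Transaction is what the SIM applet signs. The field layout is an assumption
// made for this example, not the message format of the paper.
type Transaction struct {
	Op      string // "withdraw", "deposit" or "transfer"
	Account string // customer identifier enrolled at the bank
	Payee   string // agent or recipient identifier
	Amount  uint64 // minor currency units
	Counter uint64 // per-SIM monotonic counter, set by the SIM (anti-replay)
}

// encode serialises canonically so that SIM and bank hash identical bytes.
func (t Transaction) encode() []byte {
	var buf []byte
	field := func(s string) { // 2-byte length prefix: "ab"+"c" != "a"+"bc"
		buf = append(buf, byte(len(s)>>8), byte(len(s)))
		buf = append(buf, s...)
	}
	field(t.Op)
	field(t.Account)
	field(t.Payee)
	n := make([]byte, 16)
	binary.BigEndian.PutUint64(n[:8], t.Amount)
	binary.BigEndian.PutUint64(n[8:], t.Counter)
	return append(buf, n...)
}

// SIM stands in for the tamper-resistant card: the key is generated inside and never exported.
type SIM struct {
	key     *ecdsa.PrivateKey
	counter uint64
}

func NewSIM() (*SIM, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SIM{key: k}, nil
}

// Sign advances the counter, binds it into the message and signs the digest.
func (s *SIM) Sign(t Transaction) (Transaction, []byte, error) {
	s.counter++
	t.Counter = s.counter
	h := sha256.Sum256(t.encode())
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, h[:])
	return t, sig, err
}

// Bank verifies against the enrolled key and tracks the highest counter seen per
// account. An SMS scheme that trusts the sender number has neither check.
type Bank struct {
	keys        map[string]*ecdsa.PublicKey
	lastCounter map[string]uint64
}

func NewBank() *Bank { return &Bank{keys: map[string]*ecdsa.PublicKey{}, lastCounter: map[string]uint64{}} }

func (b *Bank) Enrol(account string, pub *ecdsa.PublicKey) { b.keys[account] = pub }

// Accept rejects unknown accounts, signatures that do not verify under the enrolled
// key (spoofed or tampered messages) and counters that do not advance (replay).
func (b *Bank) Accept(t Transaction, sig []byte) error {
	pub, ok := b.keys[t.Account]
	if !ok {
		return fmt.Errorf("unknown account %q", t.Account)
	}
	h := sha256.Sum256(t.encode())
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify under the enrolled SIM key")
	}
	if t.Counter <= b.lastCounter[t.Account] {
		return fmt.Errorf("counter %d not advanced: replay or stale message", t.Counter)
	}
	b.lastCounter[t.Account] = t.Counter
	return nil
}

func main() {
	sim, _ := NewSIM()
	bank := NewBank()
	bank.Enrol("alice", &sim.key.PublicKey) // constructed sample enrolment
	tx, sig, _ := sim.Sign(Transaction{Op: "withdraw", Account: "alice", Payee: "agent-17", Amount: 2500})
	fmt.Println("genuine:", bank.Accept(tx, sig)) // <nil>
	fmt.Println("replay: ", bank.Accept(tx, sig)) // counter not advanced
	forged := tx
	forged.Amount = 250000
	fmt.Println("tamper: ", bank.Accept(forged, sig)) // signature does not verify
	mallory, _ := NewSIM() // attacker key, never enrolled: the analogue of a spoofed SMS sender
	stx, ssig, _ := mallory.Sign(Transaction{Op: "transfer", Account: "alice", Payee: "mallory", Amount: 1})
	fmt.Println("spoof:  ", bank.Accept(stx, ssig)) // signature does not verify
}
```

Running it prints one accepted transaction followed by three rejections: the replayed copy, the copy with an altered amount, and the message signed under a key the bank never enrolled. The counter is checked only after the signature verifies, so an attacker who can inject traffic cannot burn or skip counters for someone else's account with unsigned messages.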


Keywords: Smart Card Web Server, Branchless Banking, Security, Mobile Phone, PKI-SIM





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Sheila Cobourne (1)
  • Keith Mayes (1)
  • Konstantinos Markantonakis (1)
  1. Smart Card Centre, Information Security Group (SCC-ISG), Royal Holloway, University of London, Egham, UK