
Continental J. Information Technology 5 (1): 1 - 11, 2011 ISSN: 2141 - 4033 © Wilolud Journals, 2011 http://www.wiloludjournal.com Printed in Nigeria

ENHANCED SECURITY IN ELECTRONIC BANKING SYSTEM (USING A 3-FACTOR AUTHENTICATION TECHNIQUE)

U.A. Kamalu, J.N. Dike, and A. Braimah
Department of Electrical/Electronic Engineering, University of Port Harcourt, PMB 5323, Port Harcourt, Rivers State, Nigeria

ABSTRACT

In securing electronic channels, user identification and authentication techniques are designed so that only authorized users are allowed access to the services while everyone else is kept out. In this work, fingerprint authentication was incorporated as an enhancement to the existing smart card and PIN authentication systems. A three-factor authentication model and an algorithm based on Gabor Filters (GF) were developed. MATLAB 7.5 was used to model the system, and the false rejection rate (FRR) and false acceptance rate (FAR) were calculated. From the results, it was possible to distinguish genuine users from impostors. Since no single security method is entirely secure, the introduction of a fingerprint authentication system will no doubt reduce the risk of identity fraud in Automated Teller Machine (ATM) transactions.

KEYWORDS: Electronic Banking, False Acceptance Rate, False Rejection Rate, Gabor Filters, Smart Card, FingerCode

INTRODUCTION

In modern times, the rapid growth in electronic banking (e-banking) activities has made it a high-risk area with a potential for substantial economic loss due to its vulnerability to fraud. Every customer and banking organization is greatly concerned about the security of e-banking systems and the ability of the technology to protect users from unauthorised access. One of the highest priorities in information security is confirming that a person accessing classified information is authorised to do so. Today, the majority of e-banking systems use a password or Personal Identification Number (PIN) and/or a card as credentials to authenticate the user's identity. The major problem with this type of identification mechanism is that, given a password or card, the question remains whether it really belongs to the person who presents it. An e-banking system is a service that allows customers to conduct transactions electronically without being physically present in a bank branch. It is the use of an electronic device (computer, phone or ATM) to retrieve and process banking data (statements and transaction details) and to initiate transactions (payments, transfers and requests for services) directly with a bank or other financial services provider, remotely via a telecommunications network. These existing e-banking transaction methods carry a high risk. Hence, to remain effective, the banking system is continually developing security measures against identity fraud. As early as 1800 BC in Egypt and ancient Mesopotamia, merchants who stored their gold (or silver) with a goldsmith (who had a vault) or in a temple were given a receipt for the worth of the gold, which served as a means of authentication should they need their gold (or silver) back (Dowd 1999). As more people became involved in these activities, better identification and authentication techniques, such as the cheque and the signature, had to be invented.
Henry Faulds, in 1880, was the first to scientifically suggest that every individual has unique fingerprints (Lee and Gaensslen 1991). The uniqueness of a fingerprint is determined by the overall pattern of ridges and valleys as well as by local ridge bifurcations and ridge endings, called minutiae points (Jain 2000) (Figure 1). Fingerprint recognition or fingerprint authentication refers to the automated method of verifying a match between two human fingerprints using various algorithms. The two general methods of fingerprint comparison are global-pattern (correlation-based) fingerprint matching and minutiae-point-based fingerprint matching (Abdurazzaq and Salem 2008). A fingerprint matching algorithm that combines these two features was proposed by Jain et al (Jain et al 2000). Although significant progress has been made in designing automatic fingerprint identification systems (AFIS) over the past thirty years, a number of design factors, such as the lack of perfect minutiae extraction algorithms, the difficulty of quantitatively defining a reliable match between fingerprint images, and poor fingerprint classification and matching algorithms, have become impediments to achieving the desired performance (Federal Bureau of Investigation 1984) and (Lee and Gaensslen 1991). Other authentication techniques, such as the password, can therefore be combined with fingerprint technology to form a more reliable security measure against identity fraud. The password as an authentication technique was introduced into the computing world around 1950 in the United States of America (Omar 2002). Although the PIN is the most cost-effective security mechanism, it has also become very vulnerable to attack: it is now another piece of information targeted by criminals, quite apart from the other means by which hackers can crack it, since it is built from only 10 numerical choices (Omar 2002). Magnetic stripe cards were introduced into the financial sector in the late 1970s (Halliday 1997). They suffer from one very serious flaw: the information stored on them can be extracted or modified by anyone with the appropriate tool (Tedder 2009). This makes them very vulnerable to attack; in fact, many organizations no longer issue them for financial transactions, and smart cards have come to replace them (Hendry 2001) and (Finkenzeller 2003). In conclusion, each authentication method has its own merits and demerits. Biometrics is quite expensive and may not be 100% accurate. Passwords (PINs) are difficult to control, easy to replicate, easy to guess, or can be obtained illegally. Cards can be duplicated, lost or stolen. One cannot really say that any one method is the best for authenticating users. Nonetheless, the weakness of one authentication method can be compensated for by combining it with other methods to form a more formidable authentication process. In this light, this research proposes strengthening security measures by combining the use of a PIN, a smart card and fingerprint recognition in authorising users for any electronic transaction.

Figure 1 Fingerprint image

(II) MODEL

Figure 2 A 3-factor Authentication model (blocks: Insert card; Input PIN; Input Fingerprint; Live FingerCode; Stored FingerCode; Grant/Deny access)

The process flow in Figure 2 is explained below:

• Insert the smart card into the ATM card reader. The smart card contains cryptographic keys and the stored user's fingerprint template.

• Enter the PIN to unlock the fingerprint template stored in the smart card.

• Place a finger on the scanner to generate a live-scan fingerprint.

• The device compares the live FingerCode with the FingerCode stored in the smart card.

• The result of the comparison is rendered as a score, which is compared to a threshold value.

• If the data match, the smart card FingerCode data is converted into a number and combined with the smart card's secret PIN, then used as a symmetric cryptographic key to decrypt the private key.

• A nonce (a generated random number) is passed from the server to the smart card.

• The private key on the smart card is used to encrypt the nonce, which is passed back to the server.

• The server uses a certified public key to decrypt the encrypted message from the card.

• If the same nonce that was originally passed to the card is revealed, a connection is set up; otherwise the connection is declined.

ALGORITHM

It is assumed that the smart card and PIN already exist and that fingerprint use is being incorporated into the system. MATLAB code was developed to compare two fingerprint images using the filter-based algorithm, which employs a bank of Gabor filters to capture both global and local details of a fingerprint as a compact, fixed-length FingerCode. The fingerprint matching algorithm is based on the Euclidean distance between the two corresponding FingerCodes. However, for better performance, this algorithm was modified by including cropping. The major reasons for choosing this algorithm for fingerprint matching are:

• It is a hybrid algorithm that combines the global and local features of a fingerprint in deciding the authentication of a fingerprint.

• Since FingerCodes are compressed feature vectors of a fingerprint, they require very little storage space, about 640 bytes per fingerprint. This makes them easy to store on a smart card.

(i) Smart Card

During enrolment, the card issuer stores the user's specific data, such as the account holder's name, account number, card number, date of birth and the fingerprint template (FingerCode), on the smart card. Besides being stored on the smart card, the user's data is also stored in a central repository for record and recovery purposes in case of card theft or loss.

(ii) Personal Identification Number

The smart card's PIN is generated with the help of a random number generator and an algorithm that converts those numbers into an ASCII-coded PIN of the required length. After generation, the PIN is stored in the smart card and later compared with the value entered by the user.

(iii) Core Point Determination

The first step is to find the centre point of a fingerprint. Centre point location finds the point of greatest curvature by determining the normal of each fingerprint ridge and then following the normals inwards towards the centre, using a 2-D Gaussian low-pass filter, as shown in Figure 3.

Figure 3 Fingerprint showing core point

(iv) Cropping

The core point is then moved down by, say, 30 pixels, and a 255x255 image placed around this pseudo-centre point is cropped out. The size has an odd height and width.

(v) Sectorisation

The cropped fingerprint image is divided into 5 concentric bands centred on the pseudo-centre point. Each of these bands has a radius of 20 pixels, and the centre hole has a radius of 12 pixels. The total radius of the sectorisation is 223 pixels. Each band is evenly divided into 12 sectors, making a total of 60 sectors. The centre band is ignored because its area is too small to be of any use. Thereafter, 6 equally spaced angular Gabor filters are used, which align with the 12 wedges formed by the bands.

(vi) Normalisation

Each sector is normalised to a constant mean and variance to eliminate variations in darkness in the fingerprint pattern due to scanning noise and pressure variations. A constant mean $M_0$ and variance $V_0$ of 100 are used; $i$ is the sector number, $M_i$ is the mean of the sector, and $V_i$ is the variance of the sector (Jain et al 2000).

$N(x,y) = M_0 + \sqrt{\dfrac{V_0 \,(I(x,y) - M_i)^2}{V_i}}$ if $I(x,y) > M_i$ (1)

$N(x,y) = M_0 - \sqrt{\dfrac{V_0 \,(I(x,y) - M_i)^2}{V_i}}$ otherwise (2)

(i) Gabor Filterisation

The normalised image is passed through a bank of Gabor filters; each filter is produced as a 33x33 filter image for one of 6 angles (0, π/6, π/3, π/2, 2π/3 and 5π/6) and convolved with the fingerprint image. The Gabor filter bank has the advantage of being invariant to orientation: even if the fingerprint is rotated to a certain degree, Gabor filtering computes the same extraction, so the prints can still be matched correctly to a large extent. Equation (3) is the definition of the Gabor filter used (Jain et al 2000).

$G(x,y;f,\theta) = \exp\left\{-\dfrac{1}{2}\left[\dfrac{x'^2}{\sigma_x^2} + \dfrac{y'^2}{\sigma_y^2}\right]\right\}\cos(2\pi f x')$ (3)

$x' = x\sin\theta + y\cos\theta$ (4)

$y' = x\cos\theta - y\sin\theta$ (5)

The parameters $\sigma_x$ and $\sigma_y$ were empirically determined and were both set to 4.0. The frequency $f$ of the cosine envelope is the inverse of the distance between two ridges, and that distance was found to be 8 pixels on average.

(f) Feature Vector of Variances (FingerCode)

After obtaining the 6 filtered images, the variance of the pixel values in each sector is computed. Equation (6) is the variance calculation, where $F_{i\theta}$ are the pixel values in the $i$th sector after the Gabor filter with angle $\theta$ has been applied, $P_{i\theta}$ is the mean of those pixel values, and $K_i$ is the number of pixels in the $i$th sector (Jain et al 2000).
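As an added illustration that is not part of the paper (the authors' MATLAB code is not reproduced here), the following pure-Python example walks one image through the steps above: sectorisation, normalisation by equations (1) and (2), filtering with the six Gabor kernels of equations (3) to (5), the per-sector variance feature, and the Euclidean-distance match described in the next section. It assumes the core point is already at the image centre (core detection and cropping are skipped), scales the geometry down from the paper's 255x255 crop, 20-pixel bands and 33x33 filters so that it runs in seconds, and uses constructed ridge images rather than real scans.

```python
import math
# Geometry scaled down from the paper's 255x255 crop, 20-pixel bands, 12-pixel hole and 33x33 filters
BANDS, WEDGES, HOLE, BAND_WIDTH = 5, 12, 3, 3
ANGLES = [k * math.pi / 6 for k in range(6)]   # 0, pi/6, pi/3, pi/2, 2pi/3, 5pi/6
M0 = V0 = 100.0                                 # constant mean and variance (paper)
SX = SY = 4.0                                   # sigma_x, sigma_y (paper)
RIDGE_FREQ = 1.0 / 8                            # inverse of the 8-pixel ridge spacing (paper)

def sectors(w, h):
    """Pixel coordinates grouped by sector 0..59; assumes the core point is already centred."""
    cx, cy, groups = w // 2, h // 2, {}
    for y in range(h):
        for x in range(w):
            r = math.hypot(x - cx, y - cy)
            band = int((r - HOLE) // BAND_WIDTH)
            if r < HOLE or band >= BANDS:        # centre hole or beyond the outer band
                continue
            ang = math.atan2(y - cy, x - cx) % (2 * math.pi)
            wedge = min(int(ang * WEDGES / (2 * math.pi)), WEDGES - 1)
            groups.setdefault(band * WEDGES + wedge, []).append((x, y))
    return groups

def normalise(img, groups):
    """Equations (1) and (2): rescale each sector to mean M0 and variance V0."""
    out = [row[:] for row in img]
    for pix in groups.values():
        vals = [img[y][x] for x, y in pix]
        mi = sum(vals) / len(vals)                               # M_i
        vi = sum((v - mi) ** 2 for v in vals) / len(vals)        # V_i
        for x, y in pix:
            dev = math.sqrt(V0 * (img[y][x] - mi) ** 2 / vi) if vi else 0.0  # flat-sector guard
            out[y][x] = M0 + dev if img[y][x] > mi else M0 - dev
    return out

def gabor_kernel(size, theta, f=RIDGE_FREQ):
    """Equation (3) evaluated on the rotated coordinates of equations (4) and (5)."""
    def g(x, y):
        xp = x * math.sin(theta) + y * math.cos(theta)           # eq. (4)
        yp = x * math.cos(theta) - y * math.sin(theta)           # eq. (5)
        return math.exp(-0.5 * (xp * xp / SX ** 2 + yp * yp / SY ** 2)) * math.cos(2 * math.pi * f * xp)
    h = size // 2
    return [[g(x, y) for x in range(-h, h + 1)] for y in range(-h, h + 1)]

def filter_at(img, kern, x, y):
    """Response of the (symmetric) kernel centred on one pixel, zero-padded at the edges."""
    h, w, ht, acc = len(kern) // 2, len(img[0]), len(img), 0.0
    for j in range(-h, h + 1):
        if 0 <= y + j < ht:
            krow, irow = kern[j + h], img[y + j]
            for i in range(-h, h + 1):
                if 0 <= x + i < w:
                    acc += krow[i + h] * irow[x + i]
    return acc

def fingercode(img, ksize=11):
    """Per-sector variance of each Gabor response: 60 sectors x 6 angles = 360 values."""
    groups = sectors(len(img[0]), len(img))
    norm, code = normalise(img, groups), []
    for theta in ANGLES:
        kern = gabor_kernel(ksize, theta)
        for s in range(BANDS * WEDGES):
            vals = [filter_at(norm, kern, x, y) for x, y in groups.get(s, [])]   # F_i,theta
            p = sum(vals) / len(vals) if vals else 0.0                            # P_i,theta
            code.append(sum((v - p) ** 2 for v in vals) / len(vals) if vals else 0.0)
    return code

def euclidean(a, b):   # matching score; 0 when a print is matched against itself
    return math.sqrt(sum((u - v) ** 2 for u, v in zip(a, b)))

def synthetic_print(size, ridge_angle, shift=0.0, noise=0.0):   # constructed stand-in for a scan
    return [[128 + 100 * math.cos(2 * math.pi * RIDGE_FREQ * (x * math.cos(ridge_angle)
             + y * math.sin(ridge_angle)) + shift) + noise * math.sin(3.7 * x + 1.3 * y)
             for x in range(size)] for y in range(size)]

def demo():   # genuine re-scan (same ridges, shifted and noisy) vs. impostor with rotated ridges
    enrolled = fingercode(synthetic_print(40, 0.0))
    live = fingercode(synthetic_print(40, 0.0, shift=0.2, noise=10))
    impostor = fingercode(synthetic_print(40, math.pi / 2))
    return euclidean(enrolled, live), euclidean(enrolled, impostor)
```

The genuine re-scan gives a small but non-zero distance, as the Matching section explains, while the rotated impostor print is far away; with the paper's full-size parameters the same functions produce the 255x255 pipeline.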

(6)

(g) Matching

The fingerprints in Group A, regarded as the enrolee fingerprints, are assumed to be stored in the smart cards of 28 different individuals, while Group B consists of the attempts of these same individuals to validate their authenticity via the live-scan fingerprint reader. When an image from Group B is matched against the corresponding FingerCode from Group A, the image is processed as explained above and a FingerCode of fixed length is generated. The Euclidean distance is then measured between the generated input FingerCode and the FingerCode in the smart card. Because in most cases the input image does not have exactly the same appearance as the image captured during enrolment, the distance is not zero but greater than zero. This can happen for a number of reasons: the scanner may be dirty, a different hardware device may be used, the user's finger position may not be quite right, the lighting may be off, etc.

TEST AND RESULTS

MATLAB 7.5 was used to model the system. Since there are two images for each person, the fingerprint stored in the smart card, referred to here as the Group A fingerprint, and the one used as the live fingerprint (Group B) were tested against each other for every individual, as shown in Table 1. Similarly, fingerprint images from the users in Group B were randomly selected and tested against images in Group A that do not correspond to them, as represented in Table 2. This was done to test impostor attempts. Equations 7 and 8 were then used to calculate the false rejection rate (FRR) and the false acceptance rate (FAR), shown in Tables 3 and 4 respectively. In the matching algorithm, when a fingerprint is matched against itself a score of zero is obtained, which verifies the correctness of the algorithm. This was a perfect scenario because the system used the very images of the same individuals that had been used to build the FingerCodes in the various smart cards. When the corresponding FingerCodes of Groups A and B were matched against each other, the Euclidean distances were considerably greater than zero, as shown in Tables 1 and 2. This was because they do not have exactly the same appearance as the images used to build the FingerCodes in the smart cards. The fingerprint images acquired could not be guaranteed to be of perfect quality because of instances of insufficient ink or over-inking experienced in this research. For this reason, a pass score (threshold value) of 700 was used.

(a) False Rejection Rate

The false rejection rate or false non-match rate (FRR or FNMR) is the percentage of valid inputs that are incorrectly rejected. Table 3 shows varying threshold values and the corresponding FRR obtained from the system's 28 verifications. A graph of FRR against threshold value is shown in Figure 4.

$\%\mathrm{FRR} = \dfrac{\text{FalseNonMatch}}{\text{EnroleeAttempt}}$ (7)

(b) False Acceptance Rate

The false acceptance rate or false match rate (FAR or FMR) is the probability that the system incorrectly matches the input fingerprint (of an impostor) to a non-matching template in the smart card. The number of falsely accepted attempts divided by the number of all impostor attempts is the FAR. Figure 5 shows the percentage FAR against different threshold values, plotted using the data in Table 4.

$\%\mathrm{FAR} = \dfrac{\text{FalseMatches}}{\text{ImpostorAttempts}}$ (8)

(c) Equal Error Rate

The equal error rate or crossover error rate (EER or CER) is the rate at which the accept and reject errors are equal. The value of the EER can easily be obtained from the receiver operating characteristic or relative operating characteristic (ROC) curve in Figure 6. The lower the EER, the more accurate the authentication; from the plot, the crossover occurs at a threshold value of 1300. It is therefore clear that for this system to perform, the threshold value should be less than 1300.

Table 1: Genuine user attempt

S/N Users Owner's Attempt

1 Akan 441.1381

2 Amy 457.6178

3 Chizoke 582.1778

4 Chukwudi 583.4306

5 Emeka 317.8346

6 Evelyn 675.1081

7 Felix 638.1127

8 Irene 687.7296

9 John 493.1664

10 Ronke 482.2931

11 Angela 509.7860

12 Ifeoma 482.1220

13 Christy 513.1870

14 Ngozi 396.7281

15 Jane 467.1906

16 Pius 607.6576

17 Amaka 505.3307

18 Austine 499.6528

19 Shuaib 518.9896

20 Kelechi 412.4090

21 Oshoke 587.3452

22 Chika 386.1747

23 Lizy 611.5577

24 Maureen 562.2672

25 Mathew 438.1325

26 James 1007.4677

27 Ahmed 1437.1531

28 Chinyere 1048.9376

(d) Accuracy of the algorithm

The threshold value can be adjusted. When it was set to 500, only 12 genuine users were accepted, while the remaining 16 genuine users were rejected (false rejects) along with all 25 impostors. When the threshold was set to 700, 25 genuine users were accepted, while the remaining 3 genuine users were rejected (false rejects) along with the 25 impostors. When 1300 was used as the threshold value, all 28 genuine users were accepted, but so was one impostor (a false accept). A pass score or threshold value of 700 was therefore chosen, as only three rightful owners were rejected while no impostor was admitted at all. Note that at a threshold of 700, 3 genuine users were rejected because their Euclidean distances became very high, as a result of the input fingerprint being too faint or over-inked, or an incomplete image being captured.

Table 2: Impostor attempt

S/N Owner Impostor Impostor's Attempt

1 Akan Ronke 1872.1385

2 Amy John 1555.5743

3 Chizoke Irene 1457.1284

4 Chukwudi Felix 2952.1937

5 Emeka Evelyn 2715.5383

6 Evelyn Chijioke 2617.4957

7 Felix Amy 2668.6579

8 Irene Angela 2425.4510

9 John Emeka 1789.0428

10 Ronke Chukwudi 1480.5745

11 Angela Mathew 2158.4693

12 Ifeoma Christy 1899.1858

13 Christy Ngozi 2529.4673

14 Ngozi Jane 2091.7414

15 Jane Pius 1707.8605

16 Pius Amaka 1210.4234

17 Amaka Austine 1902.9595

18 Austine Shuaib 1636.0905

19 Shuaib Kelechi 1616.1663

20 Kelechi Oshoke 1933.4317

21 Oshoke Chika 1649.8390

22 Chika Lizy 1919.4977

23 Lizy Maureen 2048.3606

24 Maureen Ifeoma 1454.7828

25 Mathew Akan 2572.8120

Table 3 FRR (%) against Threshold values

S/N THRESHOLD FRR (%)

1 400 89

2 500 57

3 600 26

4 700 11

5 1300 4

6 1500 0

7 1800 0

8 2000 0

9 2200 0

Table 4 FAR (%) against Threshold values

S/N THRESHOLD FAR (%)

1 400 0

2 500 0

3 600 0

4 700 0

5 1300 4

6 1500 16

7 1800 36

8 2000 60

9 2200 72
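The FRR and FAR calculation above, re-run as an added example (not the authors' MATLAB code) on the Euclidean-distance scores of Tables 1 and 2: it applies equations (7) and (8) over the threshold grid of Tables 3 and 4, locates the FRR/FAR crossover (the EER) and finds the highest threshold that still admits no impostor, which is the paper's pass score of 700.

```python
# Euclidean-distance scores copied from Table 1 (28 genuine owner attempts)
# and Table 2 (25 impostor attempts) of the paper.
GENUINE = [441.1381, 457.6178, 582.1778, 583.4306, 317.8346, 675.1081, 638.1127,
           687.7296, 493.1664, 482.2931, 509.7860, 482.1220, 513.1870, 396.7281,
           467.1906, 607.6576, 505.3307, 499.6528, 518.9896, 412.4090, 587.3452,
           386.1747, 611.5577, 562.2672, 438.1325, 1007.4677, 1437.1531, 1048.9376]
IMPOSTOR = [1872.1385, 1555.5743, 1457.1284, 2952.1937, 2715.5383, 2617.4957,
            2668.6579, 2425.4510, 1789.0428, 1480.5745, 2158.4693, 1899.1858,
            2529.4673, 2091.7414, 1707.8605, 1210.4234, 1902.9595, 1636.0905,
            1616.1663, 1933.4317, 1649.8390, 1919.4977, 2048.3606, 1454.7828, 2572.8120]
PASS_SCORE = 700.0                                          # threshold chosen in the paper
GRID = (400, 500, 600, 700, 1300, 1500, 1800, 2000, 2200)   # thresholds of Tables 3 and 4


def accept(distance, threshold=PASS_SCORE):
    """Matching decision: a live FingerCode passes when its distance is at or below the threshold."""
    return distance <= threshold


def frr(threshold, genuine=GENUINE):
    """Equation (7): false non-matches / enrolee attempts, in percent."""
    return 100.0 * sum(1 for d in genuine if not accept(d, threshold)) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Equation (8): false matches / impostor attempts, in percent."""
    return 100.0 * sum(1 for d in impostor if accept(d, threshold)) / len(impostor)


def error_table(thresholds=GRID):
    """Rows of (threshold, FRR %, FAR %) rounded to whole percent, in the layout of Tables 3 and 4."""
    return [(t, round(frr(t)), round(far(t))) for t in thresholds]


def equal_error_rate(thresholds=GRID):
    """Grid threshold where FRR and FAR are closest: the ROC crossover (EER / CER)."""
    t = min(thresholds, key=lambda c: abs(frr(c) - far(c)))
    return t, frr(t), far(t)


def operating_point(max_far=0.0, thresholds=GRID):
    """Highest grid threshold whose FAR stays at or below max_far (the paper's
    no-impostor requirement), together with the FRR paid for it."""
    t = max(c for c in thresholds if far(c) <= max_far)
    return t, frr(t)
```

Recomputing Tables 3 and 4 from the raw scores reproduces every published row except the 600 and 1800 thresholds, which come out one count away (29% FRR and 40% FAR respectively); the tables above are kept as published.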


Figure 4 Graph of FRR (%) against threshold values

Figure 5 Graph of FAR (%) against threshold values.


Figure 6 Graph of ROC showing the Equal Error Rate

CONCLUSION AND RECOMMENDATION

This research focused on security measures taken to reduce the risk of identity fraud in ATM transactions. Identity fraud is well known to be one of the biggest threats to the e-banking industry; hence the 3-factor authentication technique designed here would go a long way towards preventing the activities of fraudsters. A PIN and a smart card combined with a fingerprint offer a number of advantages. The smart card offered portability for the fingerprint template and PIN encryption. It also provided a reliable tamper-proof infrastructure for storing the fingerprint template without recourse to a central repository. The FingerCode (640 bytes), a very compact representation, is ideal here because only limited storage is available in the embedded chip of the smart card, which also houses the PIN. The simulation results would have been better if the fingerprint images had been processed at a constant resolution of 500 dpi instead of the irregular resolutions used in this research. Binarisation of the enhanced fingerprint before normalisation would also have produced better performance.

REFERENCES

Abdurazzag A. A. and Salem A. R. (2008), Fingerprint Patterns Recognition System Using Huffman Coding, Proceedings of the World Congress on Engineering 2008 Vol III, pp 1794-1796, 2008, London, U.K.

Dowd, K. (1999), ‘The Invisible Hand and the Evolution of the Monetary System, What Is Money?’, Routledge, New York, New York.

Federal Bureau of Investigation (1984), ‘The Science of Fingerprints: Classification and Uses’, U.S. Government Printing Office, Washington, D. C.

Finkenzeller, K. (2003), RFID Handbook: Fundamentals and Applications in Contactless Smart Cards and Identification, John Wiley and Sons.

Halliday, Stephen G. (1997), Introduction to Magnetic Stripe & Other Card Technologies, SCAN-TECH ASIA 97, Singapore, available at http://www.hightechaid.com/tech/card/intro_ms.htm

Hendry, M. (2001), Smart Card Security and Applications, Artech House.

Jain A.K., Prabhakar S., Hong L., and Pankanti S. (2000), “Filterbank-based fingerprint matching,” IEEE Transactions on Image Processing, vol. 9, no. 5, pp. 846-859.

Lee, H. C. and Gaensslen R. E. (1991), editors, Advances in Fingerprint Technology, Elsevier, New York.

Omar, M. H. (2002), Smart Cards and the Fingerprint: A Proposed Framework for Automated Teller Machine (ATM) System, Master Thesis, School of Information Technology, Universiti Utara Malaysia.

Tedder, K. (2009), “Now You See It, Now You Don’t: A Review of Fraud Costs and Trends.” First Data Corporation White Paper 2009, p. 9 (http://www.firstdata.com/downloads/thought-leadership/fd_fraudcostsandtrends_whitepaper.pdf).

Received for Publication: 20/01/2011
Accepted for Publication: 30/03/2011

Corresponding Author: A. Braimah, Department of Electrical/Electronic Engineering, University of Port Harcourt, PMB 5323, Port Harcourt, Rivers State, Nigeria. Email: [email protected]