We analyze two token-based authentication schemes, designed for authenticating users in banking systems implemented over mobile networks. The first scheme is currently deployed in India by a mobile banking service provider named Eko with a reach of over 50,000 customers. The second scheme was proposed recently in [SOUPS2010] (in joint effort with Eko) to fix weaknesses in the first system, and is currently being considered for deployment. Both systems rely on PINs and printed codebooks (which are unique per user) for authentication.
In this paper, we present a detailed security analysis of the two schemes. We show that EKO’s current scheme is susceptible to PIN recovery attacks and a class of impersonation attacks wherein the attacker compromises users’ codebooks. The new scheme, on the other hand, is secure against both these attack possibilities. We also show that the two schemes are secure against impersonation attacks where users’ codebooks are not compromised. Variants of the new scheme with improved security are also proposed.