Saurabh Panjwani

Do not embarrass: re-examining user concerns for online tracking and advertising

Recent studies have highlighted user concerns with respect to third-party tracking and online behavioral advertising (OBA) and the need for better consumer choice mechanisms to address these phenomena. We re-investigate the question of perceptions of third-party tracking while situating it in the larger context of how online ads, in general, are perceived by users. Via in-depth interviews with 53 Web users in India, we find that although concerns for third-party tracking and OBA remain noticeable amongst this population, other aspects of online advertising---like the possibility of being shown ads with embarrassing and suggestive content---are voiced as greater concerns than the concern of being tracked. Current-day blocking tools are insufficient to redress the situation: users demand selective filtering of ad content (as opposed to blocking out all ads) and are not satisfied with mechanisms that only control tracking and OBA. We conclude with design recommendations for enduser tools to control online ad consumption keeping in mind the concerns brought forth by our study.

Usably secure, low-cost authentication for mobile banking

This paper explores user authentication schemes for banking systems implemented over mobile phone networks in the developing world. We analyze an authentication scheme currently deployed by an Indian mobile banking service provider which uses a combination of PINs and printed codebooks for authenticating users. As a first step, we report security weaknesses in that scheme and show that it is susceptible to easy and efficient PIN recovery attacks. We then propose a new scheme which offers better secrecy of PINs, while still maintaining the simplicity and scalability advantages of the original scheme. Finally, we investigate the usability of the two schemes with a sample of 34 current and potential customers of the banking system. Our findings suggest that the new scheme is more efficient, less susceptible to human error and better preferred by the target consumers.

Computing security in the developing world: a case for multidisciplinary research

Technology users in the developing world face a varied and complex set of computer security concerns. These challenges are deeply tied to a range of contextual factors including poor infrastructure, non-traditional usage patterns, and different attitudes towards security, which make simply importing security solutions from industrialized nations inadequate. Recognizing this, we describe some of the specific security risks in developing regions and their relationships with technical, political, social, and economic factors. We present concrete examples of how these factors affect the security of individuals, groups, and key applications such as mobile banking. Our analysis highlights the urgency of the concerns that need attention and presents an important intellectual challenge for the research community.

Towards end-to-end security in branchless banking

Mobile-based branchless banking has become one of the key mechanisms for extending financial services to low-income populations in the worlds developing regions. One shortcoming of todays branchless banking systems is that they rely largely on network-layer services for securing transactions and do not implement any application-layer security. Recent results show that several of these systems are, in fact, not end-to-end secure. In this paper, we make the case for designing mobile-based branchless banking systems which build security into the application layer and guarantee end-to-end security to system users. We present a threat model which captures the goals of authenticated transactions in these systems and then provide recommendations for solution design based on our models requirements.

Hyke: a low-cost remote attendance tracking system for developing regions

Tracking attendance is an important consideration for many developing world interventions. In many cases, these interventions are located in remote areas where its not always feasible to deploy expensive attendance tracking systems. In addition, since many existing systems focus on tracking participants (such as patients or students), rather than agents (such as teachers or health workers), they assume a trusted administrative staff on-site to record attendance. In this paper, we present the design of Hyke, a system for remote and cost effective attendance tracking in developing regions. Hyke combines voice-biometrics with accurate location tagging for tracking attendance in remote locations without the need for a trusted mediator on-site. Hyke was designed based on our observation of a currently deployed teacher attendance tracking system in rural Rajasthan, India. We have implemented some of the key components in Hyke, and discuss some of the security concerns in the system. The Hyke biometric stack for voice recognition is built atop several open source technologies, and provides a simple interface for non-expert users. Our evaluations with Indian speakers over telephone audio suggests the biometric stack is at par with the current state of the art. We believe this will be a useful tool for researchers who would like to incorporate voice technologies in their developing world projects.

Practical receipt authentication for branchless banking

Although branchless banking systems have spread to different parts of the developing world, methods to ensure transactional security in these systems have seen slower adoption because of a variety of operational constraints. A basic requirement from such systems is the provision of secure and reliable receipts to users during transactions, and recent attacks have demonstrated that existing systems fall short of fulfilling this requirement in practice. In this paper, we propose a simple and practical protocol to enable users to authenticate transaction receipts in branchless banking systems. Our protocol makes novel use of missed calls (sent from users to the bank) to help distinguish real receipts from spoofed ones and can be implemented on any mobile phone, without software installation. Besides preventing spoofing attacks, the protocol enjoys significant advantages of usability, efficiency and cost, which make it a more practical choice than other schemes. We also discuss ways to use missed calls to mitigate man-in-the-middle attacks on branchless banking systems.

The paper slip should be there!: perceptions of transaction receipts in branchless banking

Mobile-based branchless banking has become a key mechanism for enabling financial inclusion in the developing world. A key component of all branchless banking systems is a mechanism to provide receipts to users after each transaction as evidence for successful transaction completion. In this paper, we present results from a field study that explores user perceptions of different receipt delivery mechanisms in the context of a branchless banking system in India. Our study shows that users have an affinity for paper receipts: despite the provision of an SMS receipt functionality by the system developers and their discouragement of the use of paper, users have pro-actively initiated a practice of issuing and accepting paper receipts. Several users are aware of the security limitations of paper receipts but continue to use them because of their usability benefits. We conclude with design recommendations for receipt delivery systems in branchless banking.

Script-agnostic reflow of text in document images

Reading text from document images can be difficult on mobile devices due to the limited screen width available on them. While there exist solutions for reflowing Latin-script texts on such devices, these solutions do not work well for images of other scripts or combinations of scripts, since they rely on script-specific characteristics or OCR. We present a technique that reflows text in document images in a manner that is agnostic to the script used to compose them. Our technique achieved over 95% segmentation accuracy for a corpus of 139 images containing text in 4 genetically-distant languages-English, Hindi, Kannada and Arabic. A preliminary user study with a prototype implementation of the technique provided evidence of some of its usability benefits.