Internet Banking Login with Multi-Factor Authentication

  • Boonkrong, Sirapat (Faculty of Information Technology, King Mongkut's University of Technology North Bangkok)
  • Received : 2016.05.12
  • Accepted : 2016.11.15
  • Published : 2017.01.31

Abstract

Internet banking is one of many services provided by financial institutions, and its popularity continues to grow. Because the service is so widely used, Internet banking has become a target for adversaries, and the login process is one of the points at risk of attack. A security mechanism that reduces this risk is therefore needed. This research designs and develops a multi-factor authentication protocol, from a registration system that generates the authentication factors to the authentication mechanism itself. The factors fall into two groups: short term and long term. In the authentication protocol, only three messages need to be exchanged between a client and a financial institution's server. The protocol incorporates several cryptographic processes, including symmetric and asymmetric cryptography, a symmetric key generation process, and a method for generating and verifying digital signatures. All of the authentication messages have been proved and analysed using GNY logic and the criteria of OWASP-AT-009. Even though there are additional authentication factors, users do not feel any extra burden on their part, as shown by a user satisfaction survey.
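The abstract names the ingredients of the protocol (long-term factors produced at registration, short-term per-login factors, three messages, symmetric and asymmetric cryptography, a symmetric key generation step, and signature generation and verification) but not its message formats. The Go program below is an added example written for this page; it is not the paper's protocol and not code from the author. It shows one way those ingredients combine into a login of the same shape: Ed25519 signatures as the asymmetric part, an HMAC-SHA-256 derivation of a per-login AES-256-GCM key from a secret shared at registration as the symmetric part, and a mutual challenge-response in exactly three messages. Every type name, message layout, label string and the choice of primitives is an assumption of this example; the paper's actual messages and its GNY proof may differ.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/ed25519"; "crypto/hmac"
	"crypto/rand"; "crypto/sha256"; "fmt"
)

// Illustrative design, not the paper's protocol: long-term factors are fixed at
// registration; short-term ones (nonces, session key) live for one login only.
type Account struct{ Pub ed25519.PublicKey; Shared []byte } // what the bank stores per user
type Server struct {
	SignKey  ed25519.PrivateKey
	Users    map[string]Account
	sessions map[string][2][]byte // {client nonce, server nonce} of each login in progress
}
type Client struct { // long-term: SignKey, ServerPub (pinned bank key), Shared; short-term: nc, ns
	UserID         string
	SignKey        ed25519.PrivateKey
	ServerPub      ed25519.PublicKey
	Shared, nc, ns []byte
}
type Msg1 struct{ UserID string; Nc, Sig []byte } // C -> S
type Msg2 struct{ Ns, Sig []byte }                // S -> C
type Msg3 struct{ UserID string; IV, Ct []byte }  // C -> S

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b } // crypto/rand.Read does not fail
func NewServer() *Server {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{SignKey: priv, Users: map[string]Account{}, sessions: map[string][2][]byte{}}
}
// Register generates the long-term factors once and gives each side its share.
func Register(userID string, s *Server) *Client {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	shared := randBytes(32)
	s.Users[userID] = Account{Pub: pub, Shared: shared}
	return &Client{UserID: userID, SignKey: priv, Shared: shared, ServerPub: s.SignKey.Public().(ed25519.PublicKey)}
}
// Signed payloads carry a step label and the user ID, so no signature can be replayed as another step or user.
func sig1(uid string, nc []byte) []byte     { return append([]byte("login-1|"+uid+"|"), nc...) }
func sig2(uid string, nc, ns []byte) []byte { return append(append([]byte("login-2|"+uid+"|"), nc...), ns...) }
// sessionKey derives the short-term AES-256 key from the long-term secret and both fresh nonces.
func sessionKey(shared, nc, ns []byte) []byte {
	m := hmac.New(sha256.New, shared)
	m.Write(append(append([]byte("session-key|"), nc...), ns...))
	return m.Sum(nil)
}
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); a, _ := cipher.NewGCM(b); return a } // key is the 32-byte HMAC output

// Message 1: the client proves possession of its long-term signing key.
func (c *Client) Start() Msg1 {
	c.nc = randBytes(16)
	return Msg1{UserID: c.UserID, Nc: c.nc, Sig: ed25519.Sign(c.SignKey, sig1(c.UserID, c.nc))}
}
// Message 2: the bank signs its own nonce, so a phishing site without the bank's key is caught here.
func (s *Server) HandleMsg1(m Msg1) (Msg2, error) {
	acct, ok := s.Users[m.UserID]
	if !ok || !ed25519.Verify(acct.Pub, sig1(m.UserID, m.Nc), m.Sig) { return Msg2{}, fmt.Errorf("msg1: unknown user or bad signature") }
	ns := randBytes(16)
	s.sessions[m.UserID] = [2][]byte{m.Nc, ns}
	return Msg2{Ns: ns, Sig: ed25519.Sign(s.SignKey, sig2(m.UserID, m.Nc, ns))}, nil
}
// Message 3: the client confirms the transcript under the session key; only a holder of Shared can build it.
func (c *Client) HandleMsg2(m Msg2) (Msg3, error) {
	if !ed25519.Verify(c.ServerPub, sig2(c.UserID, c.nc, m.Ns), m.Sig) { return Msg3{}, fmt.Errorf("msg2: bad bank signature (spoofed site?)") }
	c.ns = m.Ns
	iv := randBytes(12) // fresh GCM nonce; the user ID is bound in as associated data
	ct := gcm(sessionKey(c.Shared, c.nc, c.ns)).Seal(nil, iv, sig2(c.UserID, c.nc, c.ns), []byte(c.UserID))
	return Msg3{UserID: c.UserID, IV: iv, Ct: ct}, nil
}
func (s *Server) HandleMsg3(m Msg3) error {
	sess, ok := s.sessions[m.UserID]
	if !ok { return fmt.Errorf("msg3: no login in progress") }
	delete(s.sessions, m.UserID) // one attempt per challenge: no replay, no online guessing
	pt, err := gcm(sessionKey(s.Users[m.UserID].Shared, sess[0], sess[1])).Open(nil, m.IV, m.Ct, []byte(m.UserID))
	if err != nil || !hmac.Equal(pt, sig2(m.UserID, sess[0], sess[1])) { return fmt.Errorf("msg3: confirmation failed") }
	return nil
}

// Login runs the three-message exchange; a nil error means the bank accepted it.
func Login(c *Client, s *Server) error {
	m2, err := s.HandleMsg1(c.Start())
	if err != nil { return err }
	m3, err := c.HandleMsg2(m2)
	if err != nil { return err }
	return s.HandleMsg3(m3)
}
// SpoofedMsg2 is the best a phishing site without the bank's key can do: sign Msg2 with a key of its own.
func SpoofedMsg2(m1 Msg1) Msg2 {
	_, fake, _ := ed25519.GenerateKey(rand.Reader)
	ns := randBytes(16)
	return Msg2{Ns: ns, Sig: ed25519.Sign(fake, sig2(m1.UserID, m1.Nc, ns))}
}
func main() {
	s := NewServer()
	c := Register("alice", s)
	fmt.Println("honest login:", Login(c, s))
	_, err := c.HandleMsg2(SpoofedMsg2(c.Start()))
	fmt.Println("spoofed bank:", err)
}
```

Running it prints a nil error for the honest login and a signature error for the spoofed bank. Two properties worth checking in any design of this shape are visible here: the client verifies the bank's signature on message 2 before it touches the long-term shared secret, which is what stops a fake site that does not hold the bank's key, and the server discards the pending challenge after a single message 3, so a captured confirmation cannot be replayed and an online guess costs a fresh challenge each time.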

References

  1. G. D. Williamson, "Enhanced Authentication in Online Banking," Journal of Economic Crime Management, vol. 4, no. 2, pp. 1-42, 2006.
  2. M. Johnson, "A New Approach to Internet Banking," University of Cambridge Computer Laboratory, Cambridge, UK, 2008.
  3. Y. Espelid, L.-H. Netland, A. N. Klingsheim and K. J. Hole, "A Proof of Concept Attack against Norwegian Internet Banking Systems," Financial Cryptography and Data Security, pp. 197-201, 2008.
  4. D. Stebila, P. Udupi and S. Chang, "Multi-Factor Password Authenticated Key Exchange," in Proc. of the 8th Australasian Conference on Information Security, pp. 55-66, 2010.
  5. F. Aloul, S. Zahidi and W. El-Hajj, "Two Factor Authentication using Mobile Phones," in Proc. of the IEEE International Conference on Computer Systems and Applications, pp. 641-644, 2009.
  6. D. v. Thanh, I. Jørstad, T. Jønvik and D. v. Thuan, "Strong Authentication with Mobile Phone as Security Token," in Proc. of the 6th IEEE International Conference on Mobile Adhoc and Sensor Systems, pp. 777-782, 2009.
  7. M. Marlinspike, "New Tricks for Defeating SSL in Practice," Black Hat DC, 2009.
  8. D. Emm, M. Garnaeva, R. Unuchek, D. Makrushin and A. Ivanov, "IT Threat Evolution in Q3 2015," Kaspersky Lab, Moscow, Russian Federation, 2015.
  9. K. C. Park, J. W. Shin and B. G. Lee, "Analysis of Authentication Methods for Smartphone Banking Service using ANP," KSII Transactions on Internet and Information Systems, vol. 8, no. 6, pp. 2087-2103, 2014. https://doi.org/10.3837/tiis.2014.06.016
  10. The Telegraph, "BoE Cyber Attack Exercise Shows Banks Unprepared," 2014. [Online]. Available: http://www.telegraph.co.uk/finance/bank-of-england/10620937/BoE-cyber-attackexercise-shows-banks-unprepared.html. [Accessed April 2016].
  11. A. Hiltgen, T. Kramp and T. Weigold, "Secure Internet Banking Authentication," IEEE Security and Privacy, pp. 21-29, March - April 2006.
  12. Y. Desmedt, I. Karaolis, M. Adham and A. Sadr-Azodi, "How to Attack Two-Factor Authentication Internet Banking," in Proc. of the 17th International Conference on Financial Cryptography and Data Security, pp. 322-328, 2013.
  13. B. Schneier, "Two-Factor Authentication: Too Little, Too Late," Communications of the ACM, vol. 48, no. 4, p. 136, April 2005. https://doi.org/10.1145/1053291.1053327
  14. M. Mannan and P. C. van Oorschot, "Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer," in Proc. of the 11th International Conference on Financial Cryptography and 1st International Conference on Usable Security, Scarborough, Trinidad and Tobago, pp. 88-103, 2007.
  15. R. Rittenhouse and J. A. Chaudhry, "A Survey of Alternative Authentication Methods," in Proc. of the 2015 International Conference on Recent Advances in Computer Systems, Saudi Arabia, pp. 179-182, 2015.
  16. A. M. Hagalisletto and A. Riiber, "Using the mobile phone in two-factor authentication," in Proc. of the 1st International Workshop on Security for Spontaneous Interaction, Innsbruck, Austria, 2007.
  17. R. Di Pietro, G. Me and M. A. Strangio, "A Two-Factor Mobile Authentication Scheme for Secure Financial Transactions," in Proc. of the International Conference on Mobile Business, Sydney, Australia, 2005.
  18. D. Wang, N. Wang, P. Wang and S. Qing, "Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity," Information Sciences, vol. 321, pp. 162-178, 2015. https://doi.org/10.1016/j.ins.2015.03.070
  19. B. Adida, "Beamauth: Two-Factor Web Authentication with a Bookmark," in Proc. of the ACM Conference on Computer and Communications Security, Alexandria, VA, USA, pp. 48-57, 2007.
  20. A. P. Sabzevar and A. Stavrou, "Universal Multi-Factor Authentication Using Graphical Passwords," in Proc. of the IEEE International Conference on Signal Image Technology and Internet Based Systems, Bali, Indonesia, pp. 625-632, 2008.
  21. K. Najan, P. Ragava, A. Sawant and S. Madchane, "Image Steganography, Compression and Image Morphing for Banking Website," International Journal for Innovative Research in Science and Technology, vol. 2, no. 10, pp. 56-58, 2016.
  22. S. Mahitthiburin and S. Boonkrong, "Improving Security with Two-Factor Authentication using Image," KMUTNB: International Journal of Applied Science and Technology, vol. 8, no. 1, pp. 33-43, January-March 2015.
  23. K. M. Apampa, T. Zhang, G. B. Wills and D. Argles, "Ensuring Privacy of Biometric Factors in Multi-Factor Authentication Systems," in Proc. of the International Conference on Security and Cryptography, Porto, Portugal, 2008.
  24. H. Al-Assam, H. Sellahewa and S. Jassim, "On Security of Multi-Factor Biometric Authentication," in Proc. of the International Conference for Internet Technology and Secured Transactions, London, UK, 2010.
  25. L. T. Premakumari and A. S. Jothi, "Multimodal Biometric Endorsement for Secure Internet Banking using Skin Spectroscopy, Knuckles Texture and Finger Nail Recognition," International Research Journal of Engineering and Technology, vol. 3, no. 2, pp. 1086-1090, 2016.
  26. M. Al-Fairuz and K. Renaud, "Multi-channel, Multi-level Authentication for More Secure eBanking," in Proc. of the International Conference on Information Security for South Africa, 2010.
  27. X. Huang, Y. Xiang, E. Bertino, J. Zhou and L. Xu, "Robust Multi-Factor Authentication for Fragile Communications," IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 6, pp. 568-581, November-December 2014. https://doi.org/10.1109/TDSC.2013.2297110
  28. C. W. Crannell and J. M. Parrish, "A Comparison of Immediate Memory Span for Digits, Letters and Words," The Journal of Psychology, vol. 44, pp. 319-327, 1957. https://doi.org/10.1080/00223980.1957.9713089
  29. W. Ma, J. Campbell, D. Tran and D. Kleeman, "Password Entropy and Password Quality," in Proc. of the 4th International Conference on Network and System Security (NSS), pp. 583-587, 2010.
  30. S. Boonkrong, "Security of Passwords," Journal of Information Technology, vol. 8, no. 2, pp. 112-117, July - December 2012.
  31. Information Technology Laboratory, National Institute of Standards and Technology, "Secure Hash Standard (SHS)," FIPS PUB 180-4, 2012.
  32. L. Gong, R. Needham and R. Yahalom, "Reasoning about Belief in Cryptographic Protocols," in Proc. of the 1990 IEEE Symposium on Research in Security and Privacy, Oakland, California, USA, pp. 234-248, 1990.
  33. R. B. Miller, "Response Time in Man-computer Conversational Transactions," in Proc. of the December 9-11, 1968, Fall Joint Computer Conference, Part I, San Francisco, California, pp. 267-277, 1968.
  34. OWASP, "Testing Multiple Factors Authentication (OWASP-AT-009)," [Online]. Available: https://www.owasp.org/index.php/Testing_Multiple_Factors_Authentication_(OWASP-AT-009). [Accessed July 2014].
  35. N. Usavapipatkul, K. Yochanang and S. Boonkrong, "Authentication by One-Time Password using the Solution of Random Numeric and Simple Calculation," in Proc. of the 8th National Conference on Computing and Information Technology, Chonburi, Thailand, pp. 303-310, 2012.
  36. K.-P. Yee and K. Sitaker, "Passpet: Convenient Password Management and Phishing Protection," in Proc. of the Second Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, USA, pp. 32-43, 2006.
  37. S. Gaw and E. W. Felten, "Password Management Strategies for Online Accounts," in Proc. of the Second Symposium on Usable Privacy and Security, Pittsburgh, Pennsylvania, USA, pp. 44-55, 2006.
  38. D. Wang and P. Wang, "Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound," IEEE Transactions on Dependable and Secure Computing, vol. PP, no. 99, 2016.
  39. E. Rescorla and B. Korver, "RFC 3552: Guidelines for Writing RFC Text on Security Considerations," IETF, 2003.