This document summarizes and compares different two-factor authentication systems that can be used to prevent social phishing and man-in-the-browser attacks in internet banking. It analyzes SecureID tokens, mobile phones using the Phoolproof protocol, and mobile phones using the MP-Auth protocol. For each option, it evaluates the usability requirements and cost of deployment, as well as the level of security provided against social phishing and man-in-the-browser attacks. The document concludes that SecureID tokens and mobile phones with the Phoolproof protocol provide strong protection against social phishing but are still vulnerable to man-in-the-browser attacks.
Phishing is an attack that uses social engineering to illegally obtain and use another person's information on behalf of a legitimate site for the attacker's own benefit (e.g. theft of a user's password and credit card details during online communication). It is affecting all the major sectors of industry day by day, with a considerable amount of misuse of user credentials. To protect users against phishing, various anti-phishing techniques have been proposed that follow different strategies such as client-side and server-side protection. In this paper we have studied phishing in detail (including the attack process and the classification of phishing attacks) and reviewed some of the existing anti-phishing techniques along with their advantages and disadvantages.
One-time passwords (OTPs) are the authentication method used in online banking systems today. Hackers are getting better each day at cracking sensitive information. Once this happens, they can gain access to our private network and steal our sensitive business information. A common technology used for the delivery of OTPs is text messaging. OTP over SMS might not be encrypted by any service provider. In addition, the cell phone used to receive the SMS also plays an important role, since more than one phone may come into account. The vulnerable parts of the cell phone network are exposed to man-in-the-middle attacks [13]. To overcome these difficulties the virtual password concept is introduced. The virtual password concept involves a small amount of human computing to secure users' passwords in online environments. To provide high security, we enhance the existing system with the virtualization concept [1]. A hacker may guess our password but cannot access our account because he cannot obtain the virtual password. The major hacking threats like phishing, key-loggers, shoulder-surfing attacks and multiple attacks cannot affect our scheme. In user-specified functions, we adopted secret little functions through which security is enhanced. A virtual password is a password that is valid for only one login session or transaction and after that it becomes obsolete [12]. The calculation of the virtual password is done at the client side, which reduces the delay in receiving an OTP via SMS. To make it more convenient for the client to calculate the virtual password, an application is used which reduces the work of the client. This method is more instant than the traditional OTP system used today.
E Authentication System with QR Code and OTP (ijtsrd)
As the internet develops rapidly and people become increasingly informationized, even financial transactions are moving into the web domain. In computer networking, hacking is any technical effort to manipulate the normal behaviour of network connections and connected systems. The current internet banking system was exposed to the threat of hacking, and its consequences could not be overlooked. Recently, personal data has been leaked by high-level techniques such as Phishing or Pharming, beyond simply grabbing a user's ID and Password. Accordingly, a secure user authentication system becomes much more essential and significant. In this paper we propose a new Online Banking Authentication system. This authentication system uses Mobile OTP combined with a QR code, which is a variant of the 2D barcode.

Afrin Hussain, "E-Authentication System with QR Code & OTP", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-4, Issue-3, April 2020. URL: https://www.ijtsrd.com/papers/ijtsrd30808.pdf
Paper URL: https://www.ijtsrd.com/computer-science/computer-security/30808/eauthentication-system-with-qr-code-and-otp/afrin-hussain
Modern Method for Detecting Web Phishing Using Visual Cryptography (VC) and ... (IJERA Editor)
Phishing is an attempt by an individual or a group to steal personal confidential information such as passwords, credit card information etc. from unsuspecting victims for identity theft, financial gain and other fraudulent activities. Here an image-based (QR code) authentication using Visual Cryptography (VC) is used. The use of Visual Cryptography is explored to convert the QR code into two shares, and both these shares can then be transmitted separately. One Time Passwords (OTPs) are passwords that are valid only for a session, to validate the user within a specified amount of time. In this paper we present a new authentication scheme for secure OTP distribution in phishing website detection through VC and QR codes.
A secure communication in smart phones using two factor authentication (eSAT Publishing House)
Safety Mechanism of Cyber Crime in Indian Banking System (paperpublications3)
Abstract: The use of technology in financial services has of course given a tremendous impetus to their development; however, due to the heavy dependency on electronic and digital tools to carry out business and payment transactions, a serious threat has also been posed to the safety and reliability of financial operations. Technology changes human life in every manner and in every sector, and banking is one of them. Banking in India originated in the last decades of the 18th century. Since that time the banking sector has applied different ways to provide facilities and security to the common man regarding money. Security issues play an extremely important role in the implementation of technologies, especially in banking. The banking sector is at the core of this, so cyber security becomes all the more important on that front. After the arrival of the internet and the world wide web, communication in the banking sector has totally changed, especially in terms of security, because money is now in your hand on a single click, and users have a number of different options to manage their money. In this paper an attempt is made to put forward the cyber security mechanisms and issues of Indian banks' websites.
An Algorithm for Electronic Money Transaction Security (Three Layer Security)... (Syeful Islam)
In the era of the internet, most people all over the world complete their transactions on the internet. Though the number of users of electronic transaction or E-money transaction systems is increasing rapidly, the majority of people are concerned about the security of these systems. The growth in online transactions has resulted in a greater demand for fast and accurate user identification and authentication. Conventional methods of identification based on possession of ID cards or exclusive knowledge like a social security number or a password are not altogether reliable. Identification and authentication by individuals' biometric characteristics is becoming an accepted procedure that is slowly replacing the most popular identification procedure, passwords. Among all the biometrics, fingerprint-based identification is one of the most mature and proven techniques. Combining the conventional system with biometric security, the Global Positioning System (GPS) and mobile messaging, we have designed an algorithm which increases the security of electronic transactions and is more reliable for users. A three-layer security model to enhance the security of electronic transactions is proposed in this paper.
Security analysis of a single sign on mechanism for distributed computer netw... (IEEEFINALYEARPROJECTS)
ENHANCING CYBER SECURITY OF ONLINE ACCOUNTS VIA A NOVEL PROTOCOL AND NEW TECH... (IJNSA Journal)
The financial world has become more sophisticated. People need to make informed financial decisions, so they seek out efficient tools to help them manage their finances. Traditionally, money management software has been available for individuals to use in their homes on their personal computers. These tools were a local install, often expensive, and required a learning curve to use them effectively. With a paradigm shift to cloud computing and storage, users are looking for inexpensive alternatives that are accessible at home or on their mobile devices. As a result, third-party companies have been forming over the last few years to meet this need. However, to access the functionality of these online resources, users are required to divulge their personal financial account login credentials. While third-party companies claim that subscribers' private information is safely stored on their servers, one cannot ignore the fact that hackers may be able to break into their systems to steal users' information. Once hackers manage to compromise users' login credentials, they have complete control over their accounts. Therefore, there is a need for a holistic approach that incorporates security elements to protect users' accounts from hackers.

We present a novel, holistic model with a new handshake protocol and online account access control, which authenticates account access and forms a sandbox around third-party access to users' accounts. When these novel techniques are used, users' login credentials can remain private, providing safeguards against unauthorized transactions on their accounts.
SFAMSS: A Secure Framework for ATM Machines via Secret Sharing (ijcsit)
As ATM applications are deployed for a banking system, the need to secure communications will become critical. However, multicast protocols do not fit the point-to-point model of most network security protocols, which were designed with unicast communications in mind. In recent years, we have seen the emergence and growth of ATMs (Automatic Teller Machines) in banking systems. Many banks are extending their activity and increasing transactions by using ATMs. ATMs will allow them to reach more customers in a cost-effective way and to make their transactions fast and efficient. However, communicating in the network must satisfy integrity, privacy, confidentiality, authentication and non-repudiation. Many frameworks have been implemented to provide security in communication and transactions. In this paper, we analyze the ATM communication protocol and propose a novel framework for ATM systems that allows entities to communicate in a secure way without using a lot of storage. We describe the architecture and operation of SFAMSS in detail. Our framework is implemented with Java, and the software architecture and its components are studied in detail.
This paper analyzes the various authentication systems implemented for enhanced security and private storage of an individual's login credentials. The first part of the paper describes multi-factor authentication (MFA) systems, which, though not applicable to the field of the Internet of Things, provide great security for a user's credentials. MFA is followed by a brief description of the working mechanism of interaction between third-party clients and private resources over the OAuth protocol framework, and a study of the delegation-based authentication system in IP-based IoT.
DEFEATING MITM ATTACKS ON CRYPTOCURRENCY EXCHANGE ACCOUNTS WITH INDIVIDUAL US... (IJNSA Journal)
Presented herein is a User-Specific Key Scheme based on Elliptic Curve Cryptography that defeats man-in-the-middle attacks on cryptocurrency exchange accounts. In this scheme, a separate public and private key pair is assigned to every account, and the public key is shifted either forward or backward on the elliptic curve by a difference derived from the account user's password. When a user logs into his account, the server sends the shifted public key of his account. The user computes the actual public key of his account by reverse-shifting the shifted public key by exactly the difference derived from his password. Alternatively, the shifting can be applied to the user's generator instead of the public key. It is described in detail how a man-in-the-middle attack takes place and how the proposed scheme defeats the attack. A detailed security analysis is provided for both cases, public key shifting and generator shifting. Further, the effectiveness of three other authentication schemes in defending passwords against MITM attacks is compared.
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT) (IJNSA Journal)
Despite their proven security breaches, text passwords have dominated all other methods of human authentication over the web for tens of years; however, the frequent successful attacks that exploit the vulnerable password model raise the need to enhance web authentication security. This paper proposes BMBAT, a new authentication technique to replace passwords that leverages the pervasive user mobile devices, QR codes and the strength of symmetric and asymmetric cryptography. In BMBAT, the user's mobile device acts as a user identity prover and as a verifier for the server; it employs a challenge-response model with a dual mode of encryption using AES and RSA keys to mutually authenticate the client to the server and vice versa. BMBAT combats a set of attack vectors including phishing attacks, man-in-the-middle attacks, eavesdropping and session hijacking. A prototype of BMBAT has been developed and evaluated; the evaluation results show that BMBAT is a feasible and competitive alternative to passwords.
A Novel Approach for E-Payment Using Virtual Password System (ijcisjournal)
In today's world of E-Commerce everything comes online: music, e-books, shopping, almost everything is online. If you are using some service or buying things online then you have to pay for it. For that you have to use net banking or a credit card, which makes the online payment for you. In today's environment, when everything is online, the service you are using for E-Payment must be secure and you must protect your banking information, like debit card or credit card details, from the possible threat of hacking. There are many kinds of threats, such as key loggers, forgery, phishing and shoulder surfing. Therefore, if we reveal our actual bank and credit card information, there is a chance of losing data and the credit card itself, and hackers can use the banking information for malicious purposes. In this paper we discuss the available E-Payment protocols, examine their advantages and limitations, and show that there is still a need to design a more secure E-Payment protocol. The suggested protocol is based on using a hash function and a dynamic or virtual password, which protects your banking or credit card information from the possible threat of hacking when doing online transactions.
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
Cyber criminals are using advanced attacks to exploit online banking systems and services to covertly steal money. This paper describes the tactics currently used by cyber criminals to conduct cyber bank robbery
The E-commerce environment allows companies such as Amazon, EBay, PayPal, financial institutions, and other e-commerce companies alike to allocate services to the consumer over the Internet resulting in the luxury of consumers not visiting a physical store. However, with that luxury also welcomes the risk of threats such as hackers and their various attacks on e-commerce sites and its consumers. To mitigate such risks, adequate security tools are implemented by companies to protect consumers from being victims of identity theft. However, some of the security tools implemented can have limitations in regards to protecting the required assets. In addition, companies offering e-commerce services should invest in additional security controls to implement into their network infrastructure to ensure a safe online environment for their consumers.
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
A counter challenge authentication method is presented for authentication of online users of web applications. The authentication method involves a counter challenge from a user to a web application
asking to provide certain information from one or more user details recorded at the time of registration. The user enters his password and logs into the web application only in case the correct answer is
received from the web application. This advanced authentication method protects online application
users from phishing attacks. An incorrect answer or inability of the web application to provide the
correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and
stopping submission of password to phishers. The authentication method is computer independent and
eliminates dependency on two-factor authentication, hardware tokens, client software installations,
digital certificates, and user defined seals.
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
A counter challenge authentication method is presented for authentication of online users of web ap-
plications. The authentication method involves a counter challenge from a user to a web application
asking to provide certain information from one or more user details recorded at the time of registra-
tion. The user enters his password and logs into the web application only in case the correct answer is
received from the web application. This advanced authentication method protects online application
users from phishing attacks. An incorrect answer or inability of the web application to provide the
correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and
stopping submission of password to phishers. The authentication method is computer independent and
eliminates dependency on two-factor authentication, hardware tokens, client software installations,
digital certificates, and user defined seals.
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
A counter challenge authentication method is presented for authentication of online users of web applications. The authentication method involves a counter challenge from a user to a web application asking to provide certain information from one or more user details recorded at the time of registration. The user enters his password and logs into the web application only in case the correct answer is received from the web application. This advanced authentication method protects online application users from phishing attacks. An incorrect answer or inability of the web application to provide the correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and stopping submission of password to phishers. The authentication method is computer independent and eliminates dependency on two-factor authentication, hardware tokens, client software installations, digital certificates, and user defined seals.
COUNTER CHALLENGE AUTHENTICATION METHOD: A DEFEATING SOLUTION TO PHISHING ATT...IJCSEA Journal
A counter challenge authentication method is presented for authentication of online users of web applications. The authentication method involves a counter challenge from a user to a web application
asking to provide certain information from one or more user details recorded at the time of registration. The user enters his password and logs into the web application only in case the correct answer is
received from the web application. This advanced authentication method protects online application
users from phishing attacks. An incorrect answer or inability of the web application to provide the
correct answer to the challenge is a clear indication of a phishing attack, thereby alerting the user and
stopping submission of password to phishers. The authentication method is computer independent and
eliminates dependency on two-factor authentication, hardware tokens, client software installations,
digital certificates, and user defined seals.
Banking and Modern Payments System Security AnalysisCSCJournals
Cyber-criminals have benefited from on-line banking (OB), regardless of the extensive research on financial cyber-security. To better be prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black- hat hackers and conclude that they could be automated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we have analyzed banking and modern payments system security.
In this research we will review different payment protocols and security methods that are being used to run banking systems. We will survey some of the popular systems that are being used today, with a deeper focus on the Chips, cards, NFC, authentication etc. In addition, we will also discuss the weaknesses in the systems that can compromise the customer's trust.
Phishing is basically the type of cybercrime in which attackers imitates a real person through institution and mimics that they are sending message from an authorized organization and then take the details of the user personal identity, credit card details and any type of bank information and will breach the personal details of the user. There are many free tools to help in web based scams. Basically the free anti phishing toolbars in the below given study were examined many example in which Spoof Guard anti phishing toolbar is sufficient and good at identifying fraudulent sites and can also gave false positive results. Earth Link, Google, Net Craft, Cloud Mark and Internet Explorer seven detected many of the fraudulent or fake sites even more than 15 of fraudulent sites are false positive. Trust Watch, eBay and Netscape correctly found the fraudulent websites and by the combination of the toolbars the expected outcome came out. Dr. Lalit Pratap | Mr. Shubham Sangwan | Monika "E-Mail Phishing Prevention and Detection" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49541.pdf Paper URL: https://www.ijtsrd.com/other-scientific-research-area/other/49541/email-phishing-prevention-and-detection/dr-lalit-pratap
A secure communication in smart phones using two factor authenticationeSAT Journals
Abstract Most secure systems face security attacks mainly at the client side. Two Factor Authentication (TFA) provides improved protection to the system at the client side by prompting to provide something they know and something they have. This system uses a one time password(OTP) generation method which doesn’t require client-server communication, which frees the system from cost of sending a dynamic password each time the client wants to login. The OTP generation uses the factors that are unique to the user and is installed on a smart phone in Android platform owned by the user. An OTP is valid for a minutes time, after which, is useless. The system thus provides better client level security – a simple low cost method which protects system from hacking techniques like key logging, phishing, shoulder surfing, etc. Keywords—Authentication, OTP, key logging, phishing
IRJET-Content based approach for Detection of Phishing SitesIRJET Journal
Anjali Gupta, Juili Joshi, Khyati Thakker, Chitra bhole "Content based approach for Detection of Phishing Sites", International Research Journal of Engineering and Technology (IRJET), Volume2,issue-01 April 2015.e-ISSN:2395-0056, p-ISSN:2395-0072. www.irjet.net
Abstract
Phishing is a significant problem involving fraudulent email and web sites that trick unsuspecting users into revealing private information. In this paper, we present the design, implementation, and evaluation of content-based approach to detecting phishing web sites. We also discuss the design and evaluation of several heuristics we developed to reduce false positives. Our experiments show that CANTINA is good at detecting phishing sites, correctly labeling approximately 95% of phishing sites.We are going to implement Revelation of Masquerade Attacks: A Content-Based Approach to Detecting Phishing Web Sites using PHP & MYSQL.Our system will crawl the original site of bank and it will retrieve all URL’s, location of bank’s server and whois information. If user get any email with phishing attack link. Then our system will take that url as input and crawl the link, retrieve all url’s and system will compare these url’s with original banks url database, try to find url’s are similar or not. Then system will find location of Phishing link URL and compare location with original banks location. After that system will find out Whois information of URL.System will analyze the information and show the results to the user.
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
Credential Harvesting Using Man in the Middle Attack via Social Engineeringijtsrd
With growing internet users threat landscape is also increasing widely. Even following standard security policies and using multiple security layers will not keep users safe unless they are well aware of the emerging cyber threats and the risks involved. Humans are the weakest link in the security system as they possess emotions that can be exploited with minimum reconnaissance. social engineering is a type of cyber attack where it exploits human behavior or emotions to collect sensitive information such as username, password, personal details, etc. This paper proposes a system that helps end users to understand that even using security mechanisms such as two factor authentication can be useless when the user is not aware of basic security elements and make internet users aware of cyber threats and the risk involved. Sudhakar P | Dr. Uma Rani Chellapandy "Credential Harvesting Using Man in the Middle Attack via Social Engineering" Published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-6 | Issue-3 , April 2022, URL: https://www.ijtsrd.com/papers/ijtsrd49629.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/49629/credential-harvesting-using-man-in-the-middle-attack-via-social-engineering/sudhakar-p
A FRAMEWORK FOR SECURING EMAIL ENTRANCES AND MITIGATING PHISHING IMPERSONATIO...IJNSA Journal
Emails are used every day for communication, and many countries and organisations mostly use email for official communications. It is highly valued and recognised for confidential conversations and transactions in day-to-day business. The Often use of this channel and the quality of information it carries attracted cyber attackers to it. There are many existing techniques to mitigate attacks on email, however, the systems are more focused on email content and behaviour and not securing entrances to email boxes, composition, and settings. This work intends to protect users' email composition and settings to prevent attackers from using an account when it gets hacked or hijacked and stop them from setting forwarding on the victim's email account to a different account which automatically stops the user from receiving emails. A secure code is applied to the composition send button to curtail insider impersonation attack. Also, to secure open applications on public and private devices.
Using Two-factor Authentication Systems to Prevent Social Phishing & Man-In-The-Browser Attacks for Internet Banking
Zhe SUN (Zsun012)
Zsun012@aucklanduni.ac.nz
Department of Computer Science, University of Auckland
Abstract
Social Phishing and Man-In-The-Browser are two new and efficient ways to steal victims' important information. Social Phishing uses publicly gatherable information to lure a user to a spoofed website and capture their secret information. [2] Man-In-The-Browser uses a new kind of Trojan horse inside the user's browser to modify a victim's requests and responses during a transaction. Both are hard for non-professionals to detect or prevent, and easy for attackers to use to obtain valuable information from victims. Because of the money involved, Internet Banking users' details, such as bank account passwords and credit card details, are the most attractive targets for attackers. As personal password protection is the weakest link of the security chain [1], simple ID and password protection does not work well against the above threats. Some new two-factor authentication systems using mobile devices have been developed to fight them. This paper analyses and compares how well they counter the current threats and protect the personal security of ordinary Internet Banking users.
1 Introduction
1.1 Background
Internet Banking has become more popular in our society for its great positive features, such as ease of use and saving the trip to the bank and the queue time at the counter, among other benefits. However, as every coin has two sides, Internet Banking is no exception. Since it was born, attackers around the world have been working on breaking it and stealing online banking users' money from their accounts, which looks safer and easier than robbing a bank. Naturally, online banking users do not want to be free ATM machines for hackers. Thus, banks and their security experts have kept developing new technology to protect their customers' Internet Banking accounts. The war between them never stops. The ancient Chinese general Sun Tzu said in his "Art of War": "If you know both yourself and your enemy, you can come out of hundreds of battles without danger". We will start by analysing our enemies and then discuss how to defeat them in the following chapters.
1.2 Security Threats to Internet Banking
1.2.1 Social Phishing
Social Phishing is a form of deception in which an attacker attempts to fraudulently acquire sensitive information from a victim by impersonating a trustworthy entity, using the victim's publicly gatherable information. [2]
Normally, a Social Phishing attacker pretends to be a friend, relative or important person of the victim (e.g. the victim's bank manager), sends the victim an email related to the victim's account and asks him to visit a bank URL provided in the email. If the victim clicks this URL, he arrives at a web page that looks like the bank's Internet Banking login page but is in fact a fake website run by the phisher. When the victim enters his Internet Banking user name and password to log in to this page, they are recorded and sent to the phisher. With this information, the phisher can log in to the real bank's website and transfer the victim's money to his own account.
For normal customers, it is hard to tell whether the current email is from their bank manager or from the phisher, and whether the web page is genuine or not. Careful users may type their bank's website address into the browser manually to avoid this phishing attack, while the majority of Internet Banking users prefer simply clicking the addresses attached to emails if the phisher pretends to be a bank manager they trust.
1.2.2 Man-In-The-Browser
Man-In-The-Browser (MitB) is structurally a new kind of Man-In-The-Middle (MitM) attack. It works between the user and the security mechanisms by attacking browsers with new Trojan horses. The new Trojan is technically more advanced than prior generations because it combines Browser Helper Objects, browser extensions and direct browser manipulation techniques. [6] It can modify the transactions in the browser to gain benefits, or redirect users' requests to fraudulent phishing websites to steal their passwords.
As Philipp Gühring mentioned in his article, a man-in-the-browser attack is more difficult to prevent and disinfect, because the attacker can intercept messages in a public key exchange and substitute bogus public keys for the requesting party. [6]
A simple illustrative figure can be seen below:
Figure 1 [8]
From Figure 1, we can see that it works in the following steps:
1. The attacker (Trudy) distributes Trojans to infect the victim's (Alice's) computer software and installs an extension into her browser, so that the attack will take off the next time the browser starts.
2. After the Trojan infection, when the victim (Alice) starts the browser and wants to contact the Internet Banking server (Bob), the Trojan automatically registers a handler for each page load and checks whether its URL is in the target list.
3. When the Trojan finds that a target URL has been loaded, it registers a button event handler in the current page. When the submit button is pressed, all the data in the form fields is extracted and remembered. It can record and even modify the values and then make the browser continue submitting them (whether modified or not) to the server. (Trudy, standing in the middle, presents his certificate to Alice as Bob and encrypts Alice's message with his certificate, sending it to Bob as Alice.)
4. The server receives the form and trusts its values, for it cannot know whether they have been recorded or modified. It then performs the transaction and returns a receipt. (Bob receives Trudy's message and trusts that it is from Alice. Trudy receives Bob's reply before Alice does.)
5. The browser receives and displays the receipt (if the data was modified, the data on the receipt needs to be converted back to the user's real request before being displayed to the user). (Trudy modifies Bob's message and sends it to Alice.)
6. The attack completes, while the user trusts that the server has performed the transaction he requested. [6] (Alice knows nothing about what Trudy has done and trusts that the reply is from Bob.) [8]
1.3 Two-Factor Authentication System Solution
There are 3 basic "factors" involved in existing authentication methodologies:
Something the user knows (e.g., ID, password, PIN);
Something the user has (e.g., ATM card, mobile phone); and
Something the user is (e.g., a biometric characteristic, such as a fingerprint). [5]
As the FFIEC states, properly designed and implemented multifactor authentication methods are more secure than single-factor methods and provide more reliable and stronger fraud deterrents. [5]
Under the above definitions, a security device can serve as the second factor, something the user has. To prevent phishing attacks, the Secure-ID Token and the mobile phone are the most popular security devices for Internet Banking at this moment. According to the MitB solution concepts discussed by Philipp Gühring, an external authorisation device and secure communication over insecure systems both have their pros and cons. [6] A two-factor authentication system using security devices that combines their advantages seems workable.
2 Two-factor Authentication System Analysis
As the FFIEC mentioned, the success of a particular authentication method in an Internet Banking environment depends on more than the technology itself, here two-factor authentication. It also depends on appropriate policies, procedures and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans. [5]
There are several different ways to set up a practical two-factor authentication system. The Secure-ID Token, the mobile phone with the Phoolproof protocol and the mobile phone with the MP-Auth protocol are the three main systems discussed in this paper.
As usability is a great concern for any protocol intended for general users, and security is the main topic to be discussed, this paper measures and discusses the security devices by these two criteria. In the Usability part, each device is evaluated on its implementation requirements and costs for work or study; in the Security part, it is assessed against Social Phishing and Man-In-The-Browser attacks, the main threats addressed in this paper.
2.1 Secure-ID Token
Figure 2 [9]
6. The Secure-ID Token as we can see from Figure 2 is called Password-Generating
Token [5]. It also has some other names and features in different areas, for example
“Online Security Device” which HSBC bank uses as a One Time Password generator,
and “Net Security Device” used by Royal Bank of Scotland and NatWest bank with a
bank card reader inside.
In any case, all these devices share one feature: a One Time Password (OTP) generating function. The token produces a unique pass-code each time and ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token. The customer first enters his user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if the regular password matches and the OTP generated by the token matches the one computed by the authentication server. A new OTP is typically generated every 60 seconds. [5] This very brief period is the life span of the password and is what makes it secure for authentication.
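As an added example (not the paper's own code, and not RSA's proprietary SecurID algorithm), a server-side model of the token behaviour described above: a time-based OTP derived from a per-token secret with a 60-second life, plus checks that an expired code and a code already consumed in the same window are rejected. The HMAC-SHA256 construction, the class and function names and the sample seed are assumptions.

```python
import hashlib
import hmac
import struct

OTP_LIFETIME = 60     # seconds: the token shows a new code every 60 s, as the paper states
OTP_DIGITS = 6

def otp_at(seed: bytes, now: int) -> str:
    """OTP for the 60-second window containing `now` (HMAC-SHA256, TOTP-style; assumption)."""
    window = now // OTP_LIFETIME
    mac = hmac.new(seed, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation as in HOTP
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**OTP_DIGITS:0{OTP_DIGITS}d}"

class AuthServer:
    """Bank side: regular password (first factor) plus the token's OTP (second factor)."""
    def __init__(self):
        self.users = {}           # user -> (regular password, token seed)
        self.last_window = {}     # user -> last window whose OTP was accepted

    def enrol(self, user: str, password: str, seed: bytes) -> None:
        self.users[user] = (password, seed)

    def login(self, user: str, password: str, otp: str, now: int) -> bool:
        if user not in self.users:
            return False
        stored_pw, seed = self.users[user]
        if not hmac.compare_digest(stored_pw, password):
            return False
        window = now // OTP_LIFETIME
        # Only the current window is accepted: a code captured earlier has expired.
        if not hmac.compare_digest(otp_at(seed, now), otp):
            return False
        # A code is consumed on first use, so the same OTP cannot be used consecutively.
        if self.last_window.get(user) == window:
            return False
        self.last_window[user] = window
        return True

# Constructed demo values, not from any real token or bank.
SEED = b"constructed-token-seed-0001"
T0 = 1_700_000_000
server = AuthServer()
server.enrol("alice", "regular-password", SEED)

def demo() -> dict:
    """Four attempts with one captured code; call once, since the server keeps state."""
    code = otp_at(SEED, T0)
    return {
        "first_use": server.login("alice", "regular-password", code, T0),            # True
        "replay": server.login("alice", "regular-password", code, T0 + 5),           # False
        "after_expiry": server.login("alice", "regular-password", code, T0 + 61),    # False
        "next_window": server.login("alice", "regular-password", otp_at(SEED, T0 + 61), T0 + 61),  # True
    }

if __name__ == "__main__":
    print(demo())
```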
2.1.1 Usability
2.1.1.1, Deployment Requirement
1, The user needs to press the button to generate a security code and enter it into the web form together with his user name and password.
2, The user needs to replace the device or its battery when it runs out of energy. Normally, this kind of device runs continuously for 36 to 42 months or even longer. [7]
3, The bank needs to set up a scheme on the Internet Banking server side that works with the user’s Secure-ID Token.
4, The bank needs to train its staff and customers to use the Token.
2.1.1.2, Cost Requirement
Either the bank or the customer has to pay for the Secure-ID Tokens.
2.1.2 Security
2.1.2.1, Against Social Phishing
Result: 90% Yes, 10% No.
(Some clever phishers can still steal money from careless users.)
Simple social phishing attacks are defeated by this device thanks to its random, unpredictable and unique OTPs, which are synchronised with the server and time-sensitive. [5] Even if a phisher successfully obtains a user’s Internet Banking ID and password through his spoof website, he can do nothing with the user’s account, because he cannot obtain the OTP generated by the user’s Secure-ID Token.
Some clever phishers add an extra input field to the spoof website to collect users’ OTPs. Mostly this is useless, since the OTP is time-sensitive and expires in 60 seconds. Even if a lucky phisher obtained the OTP and used it within its lifetime, the additional confirmation OTP that the bank website requests during the transfer would make his attempt fail. It is very hard for the phisher to ask the victim to enter his OTP several times without a reason. There is only one possible route to success for the phisher: telling the victim that something was wrong with his input and asking him to re-enter it. The phisher can use these OTPs at the same moment on the real bank’s website and transfer the funds. [2] This is possible only if the victim really trusts the phisher’s website and is willing to enter his OTPs as many times as the phisher needs without any doubt.
2.1.2.2, Against MitB
Result: No.
In Gühring’s opinion, all authentication systems that use the PC as the single channel for data transactions are circumvented, [6] and the Secure-ID Token is one of the authentication methods that are insecure under MitB attacks. During an attack, the Trojan grabs the user’s requests and alters them in real time before sending them to the bank server, and modifies the server’s reply to the user. That means that even during an account summary check, the attacker can ask the user to enter his OTPs as many times as needed to carry out a funds transfer.
However, if the Trojan in a MitB attack only records the user’s input, the Secure-ID Token can still resist MitB, since the OTP expires in 60 seconds.
2.2 Mobile Phone
A mobile phone is a good authentication device that can be used as a second factor between user and server, according to the FFIEC. [5] This part discusses how it works with two different protocols for Internet Banking, one called Phoolproof and the other MP-Auth. Each is analysed and assessed for its usability and for its security against Social Phishing and MitB attacks.
2.2.1 Mobile Phone with Phoolproof Protocol
The Phoolproof protocol was designed by Bryan Parno, Cynthia Kuo, and Adrian Perrig in early 2006. They proposed mobile phone-based authentication to prevent phishing and MitM attacks on Internet Banking with less reliance on users. Below is the working process of the Phoolproof protocol:
Figure 3 Phoolproof login process
First, a shared secret of sufficient length (e.g. 80-128 bits, to resist brute-force attacks) is created between the user and the bank server. It is delivered over an out-of-band channel, e.g. postal mail or setup at a bank counter. After that, the user sets up an account with the corresponding bank server and receives the server’s certificate. The user’s mobile phone generates a key pair {K1, K1⁻¹}, stores it together with the server’s certificate for later logins, and sends the public key (K1) to the server. The mobile phone also creates a bookmark holding the server’s name and domain name. [3] After setup, the user communicates with the server through this bookmark.
Figure 3 illustrates the login process:
1, The user selects the bookmark on his mobile phone, which directs the browser to the server’s URL via Bluetooth.
2, The browser sends the server’s certificate and domain name to the mobile phone.
3, The mobile phone checks the server’s certificate against the pre-stored one. If it matches, the mobile phone sends its own certificate to the browser; otherwise it warns the user.
4, The browser and server then begin establishing an SSL/TLS connection. The server sends the browser a message encrypted under its certificate.
5, The browser retrieves the message. It generates the necessary Diffie-Hellman key material, calculates a secure hash h of the SSL/TLS master secret K (which is based on the derived Diffie-Hellman key) and all of the previous handshake messages, and sends h to the mobile phone.
6, The mobile phone signs h with its private key (encrypting it under K1⁻¹) and sends the signature back to the browser.
7, The browser sends the user’s certificate and the client’s Diffie-Hellman key material, together with the signature, to the server.
8, The server authenticates the user and the SSL/TLS connection is established, so that the user can use the browser for his Internet Banking as usual. [3]
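An added example (not the Phoolproof authors’ Perl scripts or phone code) of the checks in steps 3, 6 and 8: the phone compares the certificate the browser presents with the one stored in its bookmark at setup, refuses to sign on a mismatch, and otherwise signs h with K1⁻¹; the server verifies the signature with the K1 it received at setup. Textbook RSA on two fixed Mersenne primes stands in for the phone’s key pair, and all class names, function names and sample values are assumptions.

```python
import hashlib
import secrets

# Toy stand-in for the phone's key pair {K1, K1^-1}: textbook RSA on two fixed Mersenne
# primes, no padding. Illustration only; a real phone would use a proper signature scheme.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537                       # public key K1 = (E, N), sent to the server at setup
D = pow(E, -1, (P - 1) * (Q - 1))         # private key K1^-1, kept on the phone

class Phone:
    def __init__(self):
        self.bookmarks = {}               # domain -> (server name, server certificate) from setup

    def setup_bookmark(self, domain: str, name: str, cert: bytes) -> None:
        self.bookmarks[domain] = (name, cert)

    def step3_check_server(self, domain: str, cert: bytes):
        """Step 3: the certificate the browser presents must equal the stored one.
        Returns K1 on success, or None, which the phone turns into a warning."""
        stored = self.bookmarks.get(domain)
        if stored is None or stored[1] != cert:
            return None
        return (E, N)

    def step6_sign(self, h: bytes) -> int:
        """Step 6: sign h with K1^-1 (textbook RSA: h^D mod N)."""
        return pow(int.from_bytes(h, "big"), D, N)

def step5_hash(master_secret: bytes, handshake_msgs: list) -> bytes:
    """Step 5: the browser's hash over the SSL/TLS master secret K and all handshake messages."""
    return hashlib.sha256(master_secret + b"".join(handshake_msgs)).digest()

def step8_verify(registered_keys: dict, user: str, h: bytes, sig: int) -> bool:
    """Step 8: the server checks the signature with the K1 it stored at account setup."""
    e, n = registered_keys[user]
    return pow(sig, e, n) == int.from_bytes(h, "big")

# Constructed demo values (not real certificates or keys).
BANK_CERT = b"constructed-cert:bank.example"
phone = Phone()
phone.setup_bookmark("bank.example", "Example Bank", BANK_CERT)
REGISTERED = {"alice": (E, N)}            # what the server holds for the user

def run_login(presented_cert: bytes) -> bool:
    """One login attempt through the browser; False if the phone refuses at step 3."""
    if phone.step3_check_server("bank.example", presented_cert) is None:
        return False                      # certificate mismatch: warn the user, sign nothing
    h = step5_hash(secrets.token_bytes(48), [b"ClientHello", b"ServerHello", presented_cert])
    return step8_verify(REGISTERED, "alice", h, phone.step6_sign(h))
```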
2.2.1.1 Usability
2.2.1.1.1, Deployment Requirement
1, The user needs to install the server’s certificate and his own key-generating script on the mobile phone and generate a key pair. He also needs to reinstall the server’s certificate and revoke his key pair when the public key is updated or when the mobile phone is replaced, lost or malfunctioning. Additionally, the user’s mobile phone needs a script to check the server’s certificate, domain name, etc. Experienced technical staff are necessary for non-technical users to complete this procedure. [4]
2, The server needs to install 2 simple Perl scripts and some configuration. [3]
3, To make the local channel between the browser and mobile phone (Bluetooth) secure, a camera-phone may be required. [4]
4, The browser may need to be modified (e.g. with a script for generating h) to comply with this protocol. [4]
2.2.1.1.2, Cost Requirement
This system requires a smart phone with a camera. In other words, if the user does not already have one, he may need to purchase a suitable mobile phone.
2.2.1.2 Security
2.2.1.2.1, Against Social Phishing
Result: Yes.
In a phishing attack, even if the user enters his ID and password into the spoofed website, this is not enough for the phisher, because he lacks the user’s key pair, whose public key was registered when the user opened the account and is stored on the bank’s server. The phisher can do nothing with the user’s account without the user’s mobile phone. Conversely, if the phisher obtains the user’s mobile phone but not the user’s ID and password, he still cannot log in to the user’s account. [3]
2.2.1.2.2, Against MitB
Result: No.
Bryan et al. state that Phoolproof can prevent MitM attacks because the server stores the user’s public key and the mobile phone stores the server’s certificate; Mohammad et al. disagree, and point out that when the browser receives the client’s public key from the mobile phone, attackers might hijack account setup or (user) public key re-establishment through MitB. [6]
2.2.2 Mobile Phone with MP-Auth Protocol
MP-Auth was designed by Mohammad Mannan and P. C. van Oorschot at Carleton University in late 2006 and refined in early 2007. The following is the setup and working process of the MP-Auth protocol:
Figure 4 MP-Auth Protocol steps [6]
1, 2, The user uses browser B to visit the bank server S and establishes an SSL session with session key KBS.
3, The server generates a random nonce Rs and sends its identifier IDs together with Rs, encrypted with KBS, to browser B.
4, Browser B decrypts this message and forwards IDs and Rs to the mobile phone M via Bluetooth.
5, 6, Mobile phone M displays IDs to the user and asks him to enter his ID and password for bank server S. The password is not stored on the mobile phone.
7, Mobile phone M generates a random secret nonce RM and derives the session key KMS from Rs and RM. M encrypts the user ID IDU, the password P and the value f(Rs) under KMS, encrypts RM under the server’s public key Es, and sends both to browser B via Bluetooth.
8, Browser B encrypts the message from M with KBS and sends it to server S over SSL.
9, Server S decrypts the message from B and verifies IDU, P and Rs. If the verification succeeds, S encrypts f(RM) with KMS, wraps that in KBS, and sends it to browser B.
10, Browser B uses KBS to strip the outer layer of the message and passes the rest to mobile phone M.
11, Mobile phone M decrypts the message to obtain f(RM) and checks it against the locally stored RM. M then displays a success or failure message to user U.
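An added walk-through (not Mannan and van Oorschot’s code) of steps 3 to 11 with S, M and B as separate parties: the browser only forwards, KMS is derived from Rs and RM, and the user’s password travels only under KMS. Assumptions: f is SHA-256; {m}_K under a symmetric key is a toy HMAC-SHA256 keystream XOR; {RM}_Es is textbook RSA on two fixed Mersenne primes; the SSL wrapping under KBS is omitted because B is its endpoint on both legs, so it changes nothing B sees.

```python
import hashlib
import hmac
import secrets
# Toy stand-in for Es: textbook RSA on two fixed Mersenne primes, no padding (illustration only).
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537                        # Es = (E, N), installed on the phone out of band
D = pow(E, -1, (P - 1) * (Q - 1))          # S's private exponent, never leaves the server

def f(*parts: bytes) -> bytes:
    """MP-Auth's one-way function f, modelled as SHA-256 (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def sym(key: bytes, data: bytes) -> bytes:
    """Toy {data}_key: XOR with an HMAC-SHA256 keystream; applying it again decrypts."""
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class Server:                               # S stores only IDU -> P for each user
    def __init__(self, users: dict):
        self.users, self.pending = users, set()
    def step3_challenge(self):              # (IDS, Rs); the SSL/KBS wrapping is omitted
        rs = secrets.token_bytes(16)
        self.pending.add(rs)
        return b"S-bank.example", rs
    def step9_verify(self, rs: bytes, c_rm: int, c_login: bytes):
        if rs not in self.pending:          # unknown or already used nonce
            return None
        self.pending.discard(rs)
        rm = pow(c_rm, D, N).to_bytes(16, "big")        # recover RM with the private key
        kms = f(rs, rm)                                 # session key KMS from Rs and RM
        idu, pw, f_rs = sym(kms, c_login).split(b"|", 2)
        if self.users.get(idu) != pw or f_rs != f(rs):
            return None
        return sym(kms, f(rm))                          # {f(RM)}_KMS back to B

class Phone:                                # M holds Es and never stores P
    def __init__(self, es):
        self.es, self.rm, self.kms = es, None, None
    def step7_respond(self, ids: bytes, rs: bytes, idu: bytes, pw: bytes):
        # Steps 5-6: IDS is shown to the user, who types IDU and P on the phone.
        self.rm = secrets.token_bytes(16)
        self.kms = f(rs, self.rm)
        e, n = self.es
        c_rm = pow(int.from_bytes(self.rm, "big"), e, n)       # {RM}_Es
        c_login = sym(self.kms, b"|".join([idu, pw, f(rs)]))   # {IDU, P, f(Rs)}_KMS
        return c_rm, c_login
    def step11_check(self, reply) -> bool:  # success or failure shown to the user
        return reply is not None and sym(self.kms, reply) == f(self.rm)

def browser_session(server, phone, idu, pw, tamper=False):
    """B, the untrusted browser: it can only forward (steps 4, 8, 10) or tamper.
    Returns (login succeeded, the bytes B forwarded in step 8)."""
    ids, rs = server.step3_challenge()
    c_rm, c_login = phone.step7_respond(ids, rs, idu, pw)
    if tamper:                              # a MitB altering the forwarded ciphertext
        c_login = bytes([c_login[0] ^ 0x01]) + c_login[1:]
    reply = server.step9_verify(rs, c_rm, c_login)
    return phone.step11_check(reply), c_login
```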
2.2.2.1 Usability
2.2.2.1.1, Deployment Requirement
1, The user needs to install the server’s public key on the mobile phone, obtained over a secure channel (ATM, bank counter, postal mail, etc.). [4] He also needs to reinstall the server’s public key when the public key is updated or the mobile phone is replaced or lost. Experienced technical staff are necessary for non-technical users to complete this procedure.
2, The browser side needs a Firefox Extension installed to communicate with the server. [4]
3, The mobile phone needs a MIDlet installed for encryption and decryption. [4]
4, The server side needs PHP scripts added to the login page, using the PHP OpenSSL functions and the mcrypt module. [4]
2.2.2.1.2, Cost Requirement
This system requires a smart phone or PDA, so if the user does not already have one, he may need to purchase a suitable mobile phone.
2.2.2.2 Security
2.2.2.2.1, Against Social Phishing
Result: No.
Mohammad et al. hold that MP-Auth can prevent phishing attacks. On the contrary, from my point of view, a smart social phisher’s email could prompt users to enter their IDs and passwords into a spoofed Internet Banking website rather than into their mobile phones in real life. [4] The phisher could then use his own mobile phone, which stores the bank’s certificate, to communicate with the real bank server using the victims’ IDs and passwords. Because the bank server stores no information about the users other than their IDs and passwords, IDs and passwords disclosed to a smart phisher will cause disasters unless the bank provides additional protection. As is well known, personal password protection is the weakest link in the security chain, [1] so we cannot simply blame users’ behaviour; instead, it is the technical staff’s duty to prevent it.
2.2.2.2.2, Against MitB
Result: Yes.
In MP-Auth there is no authentication between the mobile phone and the browser. A MitB attack fails against MP-Auth if session ID verification is used, because the session IDs displayed on the browser and on the mobile phone will differ. Some users will not notice this difference. Fortunately, the transaction integrity confirmation step also blocks the attacker’s actions, other than viewing, even without session ID verification.
3. Result
From the overall analysis above, we can conclude that security devices using two-factor authentication methods may make the collection of passwords less useful to attackers and thus help restrict phishing attacks. [4] However, their usability issues, such as the additional study and work for deployment, the cost of the token or smart phone, and recovery of the token or mobile phone, and security issues such as social phishing, MitB attacks and so on [4] have to be considered as important conditions for development.
The Secure-ID Token is the simplest security device for two-factor authentication in Internet Banking. It is easy to use and to deploy, together with trusted PCs, in environments with low security requirements. It does avert most phishing attacks and even some kinds of MitB attack. Nevertheless, as it is an additional device that has to be carried and does not work well in high-security systems, it may disappear in the near future. Some banks have already developed a newer technology, using SMS messages to mobile phones, to take its place. [6]
The mobile phone is a good security device that can be used in an untrusted PC environment. Bryan et al. and Mohammad et al. state that mobile phones with Phoolproof or MP-Auth work well against security threats in an untrusted PC environment.
For usability, Phoolproof is difficult for normal users to manage, especially the key pair generation and certificate installation. As for security, a mobile phone with the Phoolproof protocol performs outstandingly against phishing attacks. The authors insist in their paper that it can prevent MitM attacks, but this does not hold, especially for MitB in the case of session hijacking attacks. In addition, the authors’ assumption that the local channel between mobile phone and PC browser is secure is unconvincing. Another security problem is that the user’s key pair and the server’s certificate are both stored permanently on the user’s mobile phone, which may leak information when the phone is lost or replaced. Taking its usability and security together, the Phoolproof protocol suits only particular security environments, and requires users with some security experience.
As Mohammad et al. mention in their paper, a mobile phone with the MP-Auth protocol has better usability and security than Phoolproof. [6] However, installing the server certificate and the script on the user’s mobile phone is still not easy for normal users. MP-Auth has a higher security level in local communication, with session ID checking over either a direct connection or Bluetooth. Importantly, MP-Auth offers really good protection from MitM attacks and even MitB attacks, but users’ mistakes may let phishing attacks succeed. Generally speaking, compared with Phoolproof, MP-Auth has easier deployment and similar security control. In other words, MP-Auth is currently the better choice for normal users and can be used in environments with high security requirements if the phishing attacks caused by users’ mistakes can be avoided.
Overall, the following table describes the features of the above 3 security devices:
Columns, Usability (Requirement): Deployment | Cost | On-device secret | Trusted PC OS | Malware-free mobile
Columns, Security: Social Phishing | MitB
Secure-ID Token: × × × √#
Phoolproof: × ×* × × √
MP-Auth: × ×* × √
Figure 5 Security Device Comparisons
Legend: × requirement; ×* the cost applies only if the user does not already have a smart phone; √ can be avoided; √# can be avoided conditionally
4. Conclusion and Discussion
After analysing and comparing these different secure devices and protocols for Internet Banking users, I can draw the conclusion that the user’s computer is not safe enough and we cannot rely on it. The Secure ID Token, which relies mostly on the security of the user’s computer, is not a good choice in this situation. Additionally, both Phoolproof and MP-Auth rely on malware-free mobile phones, so malware on mobile devices will be a potential problem for them. As Tom et al. report, social phishing is so successful against normal users [2] that users’ behaviour is not reliable. [1] Therefore, a mobile phone with the Phoolproof or MP-Auth protocol does not look secure enough for normal users. In my opinion, an authentication system for Internet Banking that does not depend on the security level of the user’s device (PC or mobile phone) or on users’ behaviour will be more efficient and secure.
5. Acknowledgement
Thanks to Professor Clark Thomborson (University of Auckland) for his guidance on the research topics and his recommendations of relevant materials.
6. References
1, [GC07] Gilbert Notoatmodjo and Clark Thomborson, “Exploring the Weakest Link: A Study of Personal Password Security”, presentation at the New Zealand Information Security Forum, Auckland, 20 December 2007.
2, [JA07] T. Jagatic, N. Johnson, M. Jakobsson and F. Menczer, “Social Phishing”, Commun. ACM 50(10), pp. 94-100, October 2007. DOI: 10.1145/1290958.1290968
3, [PB06] B. Parno, C. Kuo and A. Perrig, “Phoolproof Phishing Prevention”, Proceedings of Financial Cryptography and Data Security, 10th International Conference, Anguilla, British West Indies, February 27 - March 2, 2006.
4, [MP07] M. Mannan and P. C. van Oorschot, “Using a Personal Device to Strengthen Password Authentication from an Untrusted Computer”, Financial Cryptography and Data Security (FC'07), Lowlands, Scarborough, Trinidad and Tobago, February 12-15, 2007. Extended version: Technical Report TR-07-11 (March 2007).
5, [FF05] Federal Financial Institutions Examination Council, “Authentication in an Internet Banking Environment”, October 2005. http://www.ffiec.gov/pdf/authentication_guidance.pdf
6, [Gu07] P. Gühring, “Concepts against Man-in-the-Browser Attacks”, 15 pp., web manuscript, published circa January 2007. Available: http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf, 23 July 2008. A preliminary version of this article was announced in Advances in Financial Cryptography, Number 3 (FC++3), 25 June 2006.
7, http://www.thefind.com/computers/browse-rsa-securid-sid700-hardware-token
8, [CT07] Clark Thomborson, Cryptography and Steganography, CompSci 725 (Handout 10), University of Auckland, 10 September 2007.
9, http://en.wikipedia.org/wiki/Image:RSA-SecurID-Tokens.jpg