Abstract
Multi-Factor Authentication (MFA) schemes currently used for verifying the authenticity of Internet banking transactions rely either on dedicated devices (namely, tokens) or on out-of-band channels, typically the mobile cellular network. However, when both the dedicated devices and the additional channel are unavailable and the Primary Authentication Terminal (PAT) is compromised, MFA schemes cannot reliably guarantee transaction authenticity. The aforementioned situation is typical, e.g., offshore or on board aircraft, where only a few untrusted terminals have an Internet connection.
In this paper, we present FRACTAL, a new scheme providing single-channel transaction MFA through general-purpose additional authentication terminals. Moreover, the proposed solution is also resilient against a potentially compromised PAT. FRACTAL scales easily with the number of authentication factors, and it is extensible beyond the banking scenario, e.g., to unattended and constrained scenarios, by also integrating Internet of Things (IoT) devices as additional authentication terminals. Besides a formal verification of its security properties via ProVerif, FRACTAL is also supported by an extensive experimental performance assessment. Our real-world Proof-of-Concept scenarios, implemented using Spring micro-services, show that FRACTAL can complete a transaction in about 2 s, independently of the remote server location. The flexibility of use, the guaranteed security, and the striking performance characterize FRACTAL as a solution with an expected high potential impact in the authentication field, for both Industry and Academia.
Acknowledgements
This work was supported by both the HBKU Technology Development Fund under contract TDF 02-0618-190005 and the NPRP-S-11-0109-180242 from the QNRF-Qatar National Research Fund. Both HBKU and QNRF are members of The Qatar Foundation. This work has also been partially supported by the INTERSCT project, Grant No. NWA.1162.18.301, funded by the Netherlands Organisation for Scientific Research (NWO). The findings reported herein are solely the responsibility of the authors.
Annex A
Screen shown on the AAT to validate the transaction. \(\mathcal {A}\) can verify that the details of the intended transaction match the ones on the screen. Then, in case of Scenario #1, \(\mathcal {A}\) can validate the transaction by pressing confirm. In case of Scenario #2, \(\mathcal {A}\) can insert the code on the PAT to verify the transaction (see Fig. 9).
Copyright information
© 2022 Springer Nature Switzerland AG
Cite this paper
Sciancalepore, S., Raponi, S., Caldarola, D., Di Pietro, R. (2022). FRACTAL: Single-Channel Multi-factor Transaction Authentication Through a Compromised Terminal. In: Alcaraz, C., Chen, L., Li, S., Samarati, P. (eds) Information and Communications Security. ICICS 2022. Lecture Notes in Computer Science, vol 13407. Springer, Cham. https://doi.org/10.1007/978-3-031-15777-6_12
DOI: https://doi.org/10.1007/978-3-031-15777-6_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15776-9
Online ISBN: 978-3-031-15777-6
eBook Packages: Computer Science, Computer Science (R0)