Abstract
Financial information is extremely sensitive, so electronic banking must provide a robust system to authenticate its customers and let them access their data remotely. At the same time, such a system must be usable, affordable, and portable. We propose a challenge-response one-time password (OTP) scheme that uses symmetric cryptography in combination with a hardware security module. The proposed protocol safeguards passwords against keyloggers and phishing attacks. In addition, the solution gives users the mobility to bank online anytime and anywhere, not just from their own trusted computers.
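The abstract names the building blocks (a server-issued challenge, a symmetric key held in a hardware module, a short one-time response) but this page does not show the paper's actual protocol. The following is an added illustration, not the author's scheme: a textbook challenge-response OTP built from HMAC-SHA256 with HOTP-style truncation, where the hypothetical Token class stands in for the hardware security module and BankServer for the bank's back end. It demonstrates the security property the abstract claims against keyloggers: a captured code is bound to a single-use challenge, so replaying it later fails. It makes no claim about how the paper defends against a phisher relaying challenges in real time, since the page gives no detail on that.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6


def otp_response(key: bytes, challenge: bytes) -> str:
    """Compute the one-time response to a server challenge.

    Symmetric construction: HMAC-SHA256 keyed with the secret shared between
    bank and token, truncated to OTP_DIGITS decimal digits the way HOTP
    (RFC 4226) truncates its MAC. The same function runs on both sides.
    """
    mac = hmac.new(key, challenge, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


class Token:
    """Hypothetical stand-in for the user's hardware security module.

    The shared key is held here and only the short response leaves the
    device, so a keylogger on the PC sees a code that is useless once the
    challenge it answers has been consumed.
    """

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> str:
        return otp_response(self._key, challenge)


class BankServer:
    """Hypothetical bank back end: issues one challenge per login attempt
    and accepts each challenge's response at most once."""

    def __init__(self):
        self._keys: dict[str, bytes] = {}       # user -> shared symmetric key
        self._pending: dict[str, bytes] = {}    # user -> outstanding challenge

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)            # provisioned into the token
        self._keys[user] = key
        return key

    def issue_challenge(self, user: str) -> bytes:
        if user not in self._keys:
            raise KeyError(user)
        nonce = secrets.token_bytes(16)          # fresh, unpredictable
        self._pending[user] = nonce              # replaces any older challenge
        return nonce

    def verify(self, user: str, response: str) -> bool:
        nonce = self._pending.pop(user, None)    # consume: single use
        if nonce is None:
            return False                         # no challenge outstanding
        expected = otp_response(self._keys[user], nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def login_flow_demo() -> dict[str, bool]:
    """Run one honest login and two replay attempts; return each outcome."""
    bank = BankServer()
    key = bank.enroll("alice")
    token = Token(key)

    # 1. Honest login: bank challenges, token answers, bank verifies.
    challenge = bank.issue_challenge("alice")
    response = token.respond(challenge)          # the 6 digits the user types
    honest = bank.verify("alice", response)

    # 2. Keylogger replay: the attacker captured `response` and resubmits it
    #    on a later login attempt, which carries its own fresh challenge.
    bank.issue_challenge("alice")
    replay = bank.verify("alice", response)

    # 3. Double submission: the same response to the same challenge, after
    #    the challenge has already been consumed.
    challenge = bank.issue_challenge("alice")
    response = token.respond(challenge)
    first = bank.verify("alice", response)
    second = bank.verify("alice", response)

    return {"honest": honest, "replay": replay,
            "first_use": first, "second_use": second}


if __name__ == "__main__":
    print(login_flow_demo())
    # {'honest': True, 'replay': False, 'first_use': True, 'second_use': False}
```

The two details that carry the security argument are `_pending.pop` (a challenge is deleted the moment a response is checked, whether or not it was correct, so the attacker gets one guess per challenge) and `hmac.compare_digest` (the comparison does not leak which digits matched through timing). A production server would additionally expire unanswered challenges and rate-limit attempts, since a 6-digit code gives a 1 in 10^6 guess per challenge.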
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Rifà-Pous, H. (2009). A Secure Mobile-Based Authentication System for e-Banking. In: Meersman, R., Dillon, T., Herrero, P. (eds) On the Move to Meaningful Internet Systems: OTM 2009. Lecture Notes in Computer Science, vol 5871. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05151-7_7
DOI: https://doi.org/10.1007/978-3-642-05151-7_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05150-0
Online ISBN: 978-3-642-05151-7
eBook Packages: Computer Science (R0)