Abstract
We review the security of e-banking platforms with particular attention to the exploitable attack vectors of three main attack categories: Man-in-the-Middle, Man-in-the-PC and Man-in-the-Browser. It will be shown that the most serious threats come from combination attacks capable of hacking any transaction without the need to control the authentication process. Using this approach, the security of any authentication system can be bypassed, including those using SecureID Tokens, OTP Tokens, Biometric Sensors and Smart Cards. We will describe and compare two recently proposed e-banking platforms, the ZTIC and the USPD, both of which are based on the use of dedicated client devices, but with diverging approaches with respect to the need of hardening the Web client application. It will be shown that the use of a Hardened Browser (or H-Browser) component is critical to force attackers to employ complex and expensive techniques and to reduce the strength and variety of social engineering attacks down to physiological fraud levels.
Chapter PDF
Similar content being viewed by others
References
OECD: Malicious Software (Malware): A Security Threat to the Internet Economy. (http://www.oecd.org/dataoecd/53/34/40724457.pdf).
Weigold, Thomas et al: The Zurich Trusted Information Channel: An Efficient Defence against MITM and MS Attacks. IBM Zurich Research Lab — (http://www.zurich.ibm.com/pdf/csc/ZTIC-Trust-2008-final.pdf).
Ronchi, Corrado and Zakhidov, Shukhrat: A Road Map Towards a Practically Secure and Portable e-Banking Platform. EISST Development Lab — Technical Report ECS2008-02.
Gühring, Philipp: Concepts against Man-in-the-Browser Attacks. http://www2.futureware.at/svn/sourcerer/CAcert/SecureClient.pdf
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2009 Vieweg+Teubner | GWV Fachverlage GmbH, Wiesbaden
About this chapter
Cite this chapter
Ronchi, C., Zakhidov, S. (2009). Hardened Client Platforms for Secure Internet Banking. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2008 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9283-6_39
Download citation
DOI: https://doi.org/10.1007/978-3-8348-9283-6_39
Publisher Name: Vieweg+Teubner
Print ISBN: 978-3-8348-0660-4
Online ISBN: 978-3-8348-9283-6
eBook Packages: Computer ScienceComputer Science (R0)