hPIN/hTAN: A Lightweight and Low-Cost E-Banking Solution against Untrusted Computers

Li, Shujun; Sadeghi, Ahmad‐Reza; Heisrath, Sören; Schmitz, Roland; Ahmad, Jaleel

doi:10.1007/978-3-642-27576-0_19

Cited by 16 publications

(13 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While RVC itself is platform independent, "wrappers" [62] can be developed to bridge the platform-independent FUs with physical I/O devices/channels (e.g., a device attached to USB port, a host connected via LAN/WLAN, a website URL, etc.). Although there are many candidate protocols that can be considered, as a first step we plan to implement the hPIN/hTAN e-banking security protocol [42], which is a typical (but small-scale) heterogeneous system involving a hardware token, a web browser plugin on the user's computer, and a web service running on the remote e-banking server. We have already implemented an hPIN/hTAN prototype system without using RVC, so the new RVC-based implementation can be benchmarked against the existing system.…”

Section: Future Workmentioning

confidence: 99%

CTL: A Platform-Independent Crypto Tools Library Based on Dataflow Programming Paradigm

Ahmad

Sadeghi

et al. 2012

Financial Cryptography and Data Security

Self Cite

View full text Add to dashboard Cite

Abstract. The diversity of computing platforms is increasing rapidly. In order to allow security applications to run on such diverse platforms, implementing and optimizing the same cryptographic primitives for multiple target platforms and heterogeneous systems can result in high costs. In this paper, we report our efforts in developing and benchmarking a platform-independent Crypto Tools Library (CTL). CTL is based on a dataflow programming framework called Reconfigurable Video Coding (RVC), which was recently standardized by ISO/IEC for building complicated reconfigurable video codecs. CTL benefits from various properties of the RVC framework including tools to 1) simulate the platformindependent designs, 2) automatically generate implementations in different target programming languages (e.g., C/C++, Java, LLVM, and Verilog/VHDL) for deployment on different platforms as software and/or hardware modules, and 3) design space exploitation such as automatic parallelization for multi-and many-core systems. We benchmarked the performance of the SHA-256 implementation in CTL on single-core target platforms and demonstrated that implementations automatically generated from platform-independent RVC applications can achieve a runtime performance comparable to reference implementations manually written in C and Java. For a quad-core target platform, we benchmarked a 4-adic hash tree application based on SHA-256 that achieves a performance gain of up to 300% for hashing messages of size 8 MB.

show abstract

Section: Future Workmentioning

confidence: 99%

CTL: A Platform-Independent Crypto Tools Library Based on Dataflow Programming Paradigm

Ahmad

Sadeghi

et al. 2012

Financial Cryptography and Data Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, it has been highlighted that this approach does not defend against session hijacking or online phishing [11]. Li et al [17] propose a low-cost hardware token based PIN/TAN system for protecting e-banking systems. This hardware takes the form of a physical USB token that has to be inserted into an untrusted computer to perform user/server/transaction authentication.…”

Section: Sms-basedmentioning

confidence: 99%

Authentication and Transaction Verification Using QR Codes with a Mobile Device

Chow

Susilo

Yang

et al. 2016

Security, Privacy, and Anonymity in Computation, Communication, and Storage

View full text Add to dashboard Cite

User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks to the system. In addition, this paper analyzes the security of the propose scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions. Abstract. User authentication and the verification of online transactions that are performed on an untrusted computer or device is an important and challenging problem. This paper presents an approach to authentication and transaction verification using a trusted mobile device, equipped with a camera, in conjunction with QR codes. The mobile device does not require an active connection (e.g., Internet or cellular network), as the required information is obtained by the mobile device through its camera, i.e. solely via the visual channel. The proposed approach consists of an initial user authentication phase, which is followed by a transaction verification phase. The transaction verification phase provides a mechanism whereby important transactions have to be verified by both the user and the server. We describe the adversarial model to capture the possible attacks to the system. In addition, this paper analyzes the security of the propose scheme, and discusses the practical issues and mechanisms by which the scheme is able to circumvent a variety of security threats including password stealing, man-in-the-middle and man-in-the-browser attacks. We note that our technique is applicable to many practical applications ranging from standard user authentication implementations to protecting online banking transactions.

show abstract

“…The Zeus Trojan used in the Eurograbber is a MitB attack, since it injects malicious code into the browser that is activated when the user starts an online banking session. Shujun Li et al [17] also identify a fourth category that they term Man in the Computer (MitC), which is best exemplified by an APT that takes full control of a users PC. This is more pernicious, since it can control all the input and output channels including the keyboard, screen, network, filestore etc., meaning that nothing in the PC can be trusted.…”

Section: State Of the Artmentioning

confidence: 99%

“…hPIN/hTAN [17] is similarly designed with cost and usability in mind, but this is a mechanism for securely sending a transaction to the bank, rather than an OOB confirmation of it. This USB device only uses HMAC as the core cryptographic method and requires neither a second trusted channel nor a secure keypad nor a trusted third party nor encryption, so it is very cheap to manufacture, the estimated cost of this USB device e(3-5).…”

Section: State Of the Artmentioning

confidence: 99%

Boosting Usability for Protecting Online Banking Applications Against APTs

Alhanahnah

Chadwick

2016

2016 Cybersecurity and Cyberforensics Conference (CCC)

View full text Add to dashboard Cite

Abstract-With the advent of Advanced Persistent Threats (APTs) and exploits such as Eurograbber, we can no longer trust the users PC or mobile phone to be honest in their transactions with banks. This paper reviews the current state of the art in protecting PCs from malware and APTs that can modify banking transactions, and identifies their strengths and weaknesses. It then proposes an enhanced USB device based on speech and vision. User trials with a software prototype show that such a device is both user friendly and that users are less susceptible to accepting subtly modified transaction with this device than with other vision only USB devices. Since human factors are usually the weakest point in the security chain, and are often the way that APT actors perform their attacks, the focus of the proposed solution is on improving the usability of existing USB devices. However the device is still not failsafe, and therefore may not be as preferable as Sm@rt TAN-plus that is currently used by many German banks.

show abstract

hPIN/hTAN: A Lightweight and Low-Cost E-Banking Solution against Untrusted Computers

Cited by 16 publications

References 23 publications

CTL: A Platform-Independent Crypto Tools Library Based on Dataflow Programming Paradigm

CTL: A Platform-Independent Crypto Tools Library Based on Dataflow Programming Paradigm

Authentication and Transaction Verification Using QR Codes with a Mobile Device

Boosting Usability for Protecting Online Banking Applications Against APTs

Contact Info

Product

Resources

About