
Secure Internet Banking Authentication

(Submitted to IEEE Security & Privacy)

TEAM MEMBERS

N V Surya Prasad
Reg no.: 07841A0599
Email: nv_suri2009@yahoo.co.in
Mobile: 8008600900

N Srinivas Reddy
Reg no.: 07841A0598
Email: reddy_srinuhyd@yahoo.com
Mobile: 8008500800

D Mani Teja
Reg no.: 07841A0595
Email: maniteja@ymail.com
Mobile: 8008600800

B. TECH. COMPUTER SCIENCE AND ENGINEERING

AURORA’S TECHNOLOGICAL AND RESEARCH INSTITUTE


PARVATHAPUR, HYDERABAD.
ABSTRACT
Objective

- This article classifies common Internet banking authentication methods with regard to
potential threats and their level of security against common credential stealing and channel
breaking attacks, respectively.
- We present two challenge/response Internet banking authentication solutions, one based on
short-time passwords and one certificate-based, and relate them to the taxonomy above.
- We further outline how these solutions can easily be extended for non-repudiation (i.e.,
transaction signing), should more sophisticated content manipulation attacks become a real
problem.
- Finally, we summarize our view on future requirements for secure Internet banking
authentication and conclude by referencing real-life implementations.

Scope

- The Internet of today has become an integral part of our everyday life, and the proportion of
users expecting to be able to manage their bank accounts anywhere, anytime is constantly
growing. As such, Internet banking has come of age as a crucial component of any financial
institution's multi-channel strategy.
- Traditionally, information about financial institutions, their customers, and financial
transactions is considered most sensitive. Doing such business via a public network
consequently introduces new challenges for security and trustworthiness.
- Basically, any Internet banking system must solve the issues of authentication, confidentiality,
integrity, and non-repudiation. This means it must ensure that only qualified people can access
an Internet banking account, that the information viewed remains private and cannot be
modified by third parties, and that any transactions made are traceable and verifiable. For
confidentiality and integrity, SSL/TLS (Secure Sockets Layer / Transport Layer Security) is the
de-facto Internet banking standard, while for authentication and non-repudiation no single
scheme has become predominant yet.

Existing System
The existing system is exposed to two types of common attacks: offline credential stealing attacks
and online channel breaking attacks.
1. Offline credential stealing attacks aim at fraudulently gathering a user's credentials, either by
invading an insufficiently protected client PC by means of malicious software such as a virus or
Trojan horse, or by tricking a user into voluntarily revealing his credentials through
"phishing", that is, a combination of "spoofed" emails and mock-up web pages.
2. Online channel breaking attacks, such as the malicious “man-in-the-middle”, are even more
sophisticated. Instead of trying to get hold of a user’s credentials, messages between the client
PC and the banking server are unnoticeably intercepted, the intruder masquerading as the
server to the client and as the client to the server, respectively.
Disadvantages of Existing System
1. Attackers hijack the trusted brands of well-known financial institutions and trick users into
entering their credentials into a faked web form.
2. The authenticated banking session could be hijacked, or transaction data could silently be
manipulated.
3. Sensitive information cannot be passed through public channels.
4. Any unauthorized person can make use of Internet banking; transferring funds and operating
accounts over the Internet therefore carries a high risk.

Proposed System

We present two state-of-the-art Internet banking authentication schemes based on challenge/response:
the first one using short-time passwords from an offline hardware token, and the second one making
use of a hardware-token-based PKI and a FINREAD secure smart-card reader.
1. Short-Time Password Solution
User authentication then works as follows:
1. The user connects to his Internet banking server via SSL/TLS with server-side authentication; this
way the user may ensure to be connected with a genuine banking server by explicitly validating the
server certificate.
2. The user claims his identity by entering his account number on the bank’s login form and, in turn,
the banking server displays an n-digit challenge, asking for a matching m-digit response.
3. The user opens his smart card by entering the corresponding PIN on his smart-card reader before
entering the given challenge. The smart card then calculates the matching response by encrypting the
challenge and the incremented on-card login counter with its symmetric cryptographic key and
encoding the result as an appropriately presentable response string.
4. The user manually copies the shown response into the bank's login form, where the bank's
authentication server checks it by redoing the same calculation independently.
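The four steps above, as an added example that is not part of the original document or of any product it describes: a card side that holds the key and login counter and answers a challenge only after a PIN, and a server side that issues a short-lived challenge bound to the account and redoes the calculation. The parameter choices (8-digit challenge, 6-digit response, two-minute lifetime, a look-ahead window of five counter values) are assumptions, and HMAC-SHA256 stands in for the symmetric encryption the text describes; the function and type names are mine.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// Constructed parameters (assumptions, not from the page): 8-digit challenge,
// 6-digit response, two-minute challenge lifetime, counter look-ahead of 5.
const (
	challengeDigits = 8
	responseDigits  = 6
	challengeTTL    = 2 * time.Minute
	counterWindow   = 5
)

// Card models the offline smart card: key and login counter never leave it.
type Card struct {
	pin     string
	key     []byte
	counter uint32
}

// Response is step 3: check the PIN, increment the on-card counter, compute.
func (c *Card) Response(pin, challenge string) (string, bool) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return "", false
	}
	c.counter++
	return shortTimePassword(c.key, challenge, c.counter), true
}

// shortTimePassword is the calculation both sides perform. Assumption: HMAC-SHA256
// replaces the page's encryption of challenge and counter under the card's key.
func shortTimePassword(key []byte, challenge string, counter uint32) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(challenge))
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	mac.Write(ctr[:])
	n := binary.BigEndian.Uint64(mac.Sum(nil)[:8]) % 1_000_000 // 10^responseDigits
	return fmt.Sprintf("%0*d", responseDigits, n)
}

type pendingChallenge struct {
	challenge string
	expires   time.Time
}

// Server: shared key, last accepted counter, one outstanding challenge per account; clock injectable.
type Server struct {
	keys     map[string][]byte
	counters map[string]uint32
	pending  map[string]pendingChallenge
	now      func() time.Time
}

func NewServer() *Server {
	return &Server{map[string][]byte{}, map[string]uint32{}, map[string]pendingChallenge{}, time.Now}
}

func (s *Server) Enroll(account string, key []byte) { s.keys[account] = key }

// Challenge is step 2: a fresh random challenge, bound to the account and short-lived.
func (s *Server) Challenge(account string) (string, error) {
	v, err := rand.Int(rand.Reader, big.NewInt(100_000_000)) // 10^challengeDigits
	if err != nil {
		return "", err
	}
	ch := fmt.Sprintf("%0*d", challengeDigits, v.Int64())
	s.pending[account] = pendingChallenge{ch, s.now().Add(challengeTTL)}
	return ch, nil
}

// Verify is step 4: redo the calculation independently. The challenge is single-use
// and expires; the counter must move forward (no replay) within a small look-ahead window.
func (s *Server) Verify(account, response string) bool {
	key, ok := s.keys[account]
	p, outstanding := s.pending[account]
	delete(s.pending, account)
	if !ok || !outstanding || s.now().After(p.expires) {
		return false
	}
	last := s.counters[account]
	for ctr := last + 1; ctr <= last+counterWindow; ctr++ {
		expected := shortTimePassword(key, p.challenge, ctr)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(response)) == 1 {
			s.counters[account] = ctr
			return true
		}
	}
	return false
}
```

A login is `Challenge` on the server, `Response` on the card with the PIN and the displayed challenge, then `Verify` with the copied response. The server-side counter is what makes the response a one-time value: the same response replayed later finds no outstanding challenge, and a response computed for a counter the server has already passed never matches. The look-ahead window is the usual trade-off for a card that was opened without the login being completed.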

2. Certificate-Based Solution
User authentication then works as follows:
1. A mutually authenticated SSL/TLS channel between the user PC and the bank’s web server is
established. The user is requested to insert a valid smart card in the card reader. Once the card
is available, its certificates become visible in the web browser and the server initiates an
SSL/TLS renegotiation (via an SSL/TLS Client Hello Request), this time with client
authentication. The FCRA on the card reader detects this and requests the user to input his PIN.
Given that the PIN is valid, the FCRA initiates a signature generation with the authentication
key on the card to complete the SSL/TLS client authentication. An encrypted and mutually
authenticated SSL/TLS session has now been established over which all the following
communication traffic will be sent.

2. An additional user authentication is then performed at the application layer. A random
challenge is sent to the client, which again is forwarded to the FCRA for signature generation.
The FCRA reuses the card's authentication key to sign the challenge and then double-signs the
signature from the card with the reader's application key. The FCRA maintains timers and
counters appropriately limiting the availability of the keys on the card.
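The application-layer step above (step 2; the TLS renegotiation of step 1 is not modelled), as an added example that is not part of the original document or of any FINREAD product: the reader signs the card's signature with its own application key, and the server verifies both layers. P-256 ECDSA over SHA-256, a server-side registry of trusted reader keys, a reader that demands the PIN for every signature as its way of limiting key availability, and all names are assumptions of mine, not details from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// P-256 ECDSA over SHA-256 is assumed for card and reader keys (the page names
// no algorithm); signHashed and verifyHashed are shared by all parties.
func signHashed(k *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

func verifyHashed(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Card holds the user's authentication key, which never leaves the card.
type Card struct{ authKey *ecdsa.PrivateKey }

// Reader models the FCRA: it mediates every call to the card, holds the reader's
// application key, and requires the PIN for each signature, the simplest form
// of the page's counters limiting key availability (an assumption).
type Reader struct {
	appKey *ecdsa.PrivateKey
	card   *Card
	pin    string
}

// Response is the application-layer response of step 2.
type Response struct {
	Challenge []byte
	CardSig   []byte // card authentication key over the challenge
	ReaderSig []byte // reader application key over CardSig (the double signature)
}

// Respond is the client side of step 2.
func (r *Reader) Respond(pin string, challenge []byte) (Response, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(r.pin)) != 1 {
		return Response{}, errors.New("wrong PIN: card key not available")
	}
	cardSig, err := signHashed(r.card.authKey, challenge)
	if err != nil {
		return Response{}, err
	}
	readerSig, err := signHashed(r.appKey, cardSig)
	if err != nil {
		return Response{}, err
	}
	return Response{challenge, cardSig, readerSig}, nil
}

// Server: certified user keys, a trusted reader-key registry (assumption), outstanding challenges.
type Server struct {
	userKeys   map[string]*ecdsa.PublicKey
	readerKeys map[string]*ecdsa.PublicKey
	pending    map[string][]byte
}

func NewServer() *Server {
	return &Server{map[string]*ecdsa.PublicKey{}, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

func (s *Server) Enroll(account string, pub *ecdsa.PublicKey)   { s.userKeys[account] = pub }
func (s *Server) TrustReader(id string, pub *ecdsa.PublicKey) { s.readerKeys[id] = pub }

func (s *Server) Challenge(account string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	s.pending[account] = ch
	return ch, nil
}

// Verify accepts only the challenge issued to this account (single use), a card signature
// valid under the user's key, and a reader signature over that card signature valid under
// a trusted reader key.
func (s *Server) Verify(account, readerID string, resp Response) bool {
	ch, issued := s.pending[account]
	delete(s.pending, account)
	userPub, okUser := s.userKeys[account]
	readerPub, okReader := s.readerKeys[readerID]
	if !issued || !okUser || !okReader || string(ch) != string(resp.Challenge) {
		return false
	}
	return verifyHashed(userPub, resp.Challenge, resp.CardSig) &&
		verifyHashed(readerPub, resp.CardSig, resp.ReaderSig)
}
```

The point of the second signature is visible in `Verify`: a genuine card signature that did not pass through a trusted reader (for instance one wrapped by some other key) is rejected, so the server learns not only that the card was present but that the request came through the reader that enforces the PIN and the key-availability limits.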

Advantages of Proposed System

1. Short-time passwords successfully thwart offline credential stealing attacks. Since the user’s
credentials are stored on a tamper-resistant smart card and are only accessed through an offline
smart-card reader, there is no way for malicious software to get hold of the user’s symmetric
cryptographic key or related functionality. Phishing attacks also don’t work because there is no
way for an attacker to know which challenge will be given next by a genuine banking server
and because challenges are short-lived and bound to an account number.

2. The certificate-based solution effectively thwarts both offline credential stealing and online
channel breaking attacks. Because the FINREAD reader intercepts all calls to the smart card,
malicious software cannot silently access the smart card and get hold of or make use of the
user's credentials. Moreover, the protocol-data-dependent client authentication eliminates both
phishing and online channel breaking attacks.

Hardware Requirements
- Intel / AMD Processor @ 800 MHz
- 128 MB RAM (minimum)
- 2 GB HDD free space
- Standard I/O devices (mouse, keyboard, monitor, etc.)

Software Requirements

- Operating System: platform independent (any Windows version)
- MS SQL Server 2000 / Oracle 9i
- Java Development Kit (JDK) 1.5
