How to Secure Web Authentication

Published on June 2016

Multi-factor Authentication techniques for securing financial web transactions using Mobile phones.


Secure Web Authentication Using Cell Phones
Presented By:

Arpit Garg MBA IB(IT) A1802007095 (E11) Batch: 2007-2009

Objectives of Thesis:
- To provide a secure wireless environment for users.
- To increase users' trust in online financial web transactions made from mobile devices.

What is Authentication?
Authentication is the process of verifying that a person is who they claim to be.

This can be done using any of the following factors:
- something you know: a password or PIN
- something you have: a token or smart card
- something you are: a biometric, such as a fingerprint

Combining two different factors gives two-factor authentication; using all three gives three-factor authentication. Two factors of the same kind (for example, a password plus a security question) do not count as multi-factor.

As computing becomes pervasive, people increasingly conduct their business over the Internet through e-commerce. The Internet is now a preferred channel for online services such as e-commerce, e-voting, e-banking and e-governance. These applications need strong security to protect confidential user data, which is a major concern in Internet-based payment systems. Various Internet threats weaken that security and increase the risk of electronic transactions. Most authentication systems rely on passwords, personal identification numbers and keys to control access to personal account information. Such a system verifies only that the client knows the secret; it cannot confirm that the person presenting it is the account holder, because a stolen or phished password works exactly as well as the legitimate one.

These observations call for multifactor authentication techniques to secure financial web transactions. We recommend an authentication system based on:
- TICs (Transaction Identification Codes), and
- SMS (Short Message Service).

Features of TICs:
1. TICs are issued to the user by the bank or financial institution, not by the web server.
2. A TIC is similar to an OTP (one-time password): each code is valid for a single transaction and is then invalidated.
3. This removes the replay risk of traditional static passwords: a TIC captured by phishing or a keylogger is useless once the legitimate transaction has consumed it, and the SMS confirmation step covers the case where an attacker obtains a TIC that has not yet been used.

1. Account-based payment systems
   - Each customer has a valid account maintained by a Trusted Third Party. The user can initiate pre-paid or post-paid financial transactions using smart cards or credit cards.

2. E-wallet or E-cash
   - Customers store digital cash in their e-wallet from a debit card, credit card or virtual cheque. Digital cash is like electronic cash in a virtual savings account from which the user pays for purchases. E-wallets are frequently used for small payments.

3. Personal wallet
   - A personal wallet is software or hardware installed on the user's machine. No wallet server is needed, because the payment transaction does not involve one. The user's credit information is stored locally on the user's device.

SET payment flow (diagram recovered as a list; participants: Customer's Agent (CA), Merchant Agent (MA), Merchant's Bank, Customer's Bank; message directions follow the standard SET flow)

1. User makes a purchase request (CA to MA).
2. Merchant's payment information (MA to CA).
3. Client order and payment information with certificate (CA to MA).
4. Request for authorization: payment with order information and both certificates (MA to Merchant's Bank).
5. Request for payment approval (Merchant's Bank to Customer's Bank).
6. Authorization response for payment (Customer's Bank to Merchant's Bank).
7. Payment acknowledgment (Merchant's Bank to MA).
8. Response (MA to CA).

Disadvantages of SET
1. SET is designed for wired networks and does not meet all the challenges of a wireless network.
2. It is vulnerable to various attacks; for example, the merchant can alter the transaction data (such as the amount charged).
3. The transaction flow is from Customer to Merchant, so all of the user's credit/debit card details must pass through the merchant's side.
4. There is no notification to the customer from the customer's bank after a successful transfer; the user has to log on to the bank website again to check the balance.
5. SET is only for card-based (credit or debit) transactions.

Prototype walkthrough (screenshot captions)

1. Login authentication; login successful.
2. Selection of the Balance Enquiry option; balance enquiry shown.
3. Selection of Credit Card Transfer: select bank name and branch code, select credit card type, fill in the requisite details.
4. Selection of Electronic Transfer: select bank name and branch code, fill in the requisite information.
5. TIC password to open the TICs list; entering the password for TICs; selection of an encrypted TIC.
6. The selected TIC is attached to the Credit Card Transfer form.
7. Acknowledgment from the web server showing successful authentication.
8. SMS received from the bank authentication server showing the details of the submitted transaction.
9. Reply SMS with YES: response from the server if the user says YES. Reply SMS with NO: response from the server if the user says NO.
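Added example (not the thesis's own code): a bank-side Python sketch of the two steps described under "Features of TICs" and in the walkthrough above, namely single-use TIC verification at form submission and the SMS YES/NO confirmation from the registered phone. The account store, phone number, 8-digit code format, message text and the in-memory outbox standing in for the SMS gateway are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

TIC_LENGTH = 8  # assumption: TICs are 8-digit codes, like a printed OTP list


@dataclass
class Account:
    phone: str                                       # number the bank has on file for SMS confirmation
    tic_digests: set = field(default_factory=set)    # unused TICs, stored only as keyed digests
    pending: dict = field(default_factory=dict)      # txn_id -> details awaiting the SMS reply
    history: list = field(default_factory=list)      # (txn_id, outcome) once decided


class BankAuthServer:
    """Bank-side issuer of TICs and verifier of TIC + SMS-confirmed transactions."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        # Constructed stand-in for the SMS gateway: (phone, text) pairs the bank "sent".
        self.outbox: list = []

    def _digest(self, tic: str) -> str:
        # Keyed hash: a copy of the stored table does not yield usable codes without the key.
        return hmac.new(self._key, tic.encode(), hashlib.sha256).hexdigest()

    def issue_tics(self, acct: Account, count: int = 5) -> list:
        """Generate fresh random TICs. The bank hands the plaintext list to the user
        out of band (never via the merchant's web server) and keeps only digests."""
        codes = []
        for _ in range(count):
            code = "".join(secrets.choice("0123456789") for _ in range(TIC_LENGTH))
            acct.tic_digests.add(self._digest(code))
            codes.append(code)
        return codes

    def submit_transaction(self, acct: Account, tic: str, details: dict) -> Optional[str]:
        """Web form arrives with a TIC attached. Returns a transaction id on success,
        None when the TIC is unknown or has already been used."""
        d = self._digest(tic)
        if d not in acct.tic_digests:
            return None
        acct.tic_digests.discard(d)   # single use: consumed now, even if the user later replies NO
        txn_id = secrets.token_hex(4)
        acct.pending[txn_id] = details
        self.outbox.append((acct.phone,
                            f"Txn {txn_id}: transfer {details['amount']} to {details['to']}. Reply YES or NO."))
        return txn_id

    def sms_reply(self, acct: Account, sender_phone: str, txn_id: str, reply: str) -> str:
        """Reply from the registered phone commits or cancels the pending transaction."""
        if sender_phone != acct.phone:
            return "ignored"          # a reply from any other number proves nothing
        details = acct.pending.pop(txn_id, None)
        if details is None:
            return "unknown"          # no such pending transaction, or already decided
        outcome = "committed" if reply.strip().upper() == "YES" else "cancelled"
        acct.history.append((txn_id, outcome))
        return outcome


def demo() -> dict:
    """Run the flow on constructed data and report which checks behaved as intended."""
    bank = BankAuthServer(secrets.token_bytes(32))
    acct = Account(phone="+911234567890")          # constructed sample number
    tics = bank.issue_tics(acct, 3)
    order = {"amount": "1500.00", "to": "ACC-1001"}  # constructed sample transfer

    txn1 = bank.submit_transaction(acct, tics[0], order)
    results = {
        "first_use_accepted": txn1 is not None,
        "replay_rejected": bank.submit_transaction(acct, tics[0], order) is None,
        "bad_code_rejected": bank.submit_transaction(acct, "not-a-tic", order) is None,
        "sms_sent": bank.outbox[-1][0] == acct.phone and txn1 in bank.outbox[-1][1],
        "yes_commits": bank.sms_reply(acct, acct.phone, txn1, "YES") == "committed",
        "second_reply_ignored": bank.sms_reply(acct, acct.phone, txn1, "YES") == "unknown",
    }
    txn2 = bank.submit_transaction(acct, tics[1], order)
    results["spoofed_sender_ignored"] = bank.sms_reply(acct, "+910000000000", txn2, "YES") == "ignored"
    results["no_cancels"] = bank.sms_reply(acct, acct.phone, txn2, "no") == "cancelled"
    results["tics_left"] = len(acct.tic_digests)    # 1 of the 3 issued codes remains unused
    return results


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

Two points the walkthrough leaves implicit are made explicit here: the TIC is consumed at submission rather than at confirmation, so a replay of the form after the legitimate user has submitted is rejected even before the SMS step, and a reply is accepted only from the number on file. The SMS channel itself is neither confidential nor strongly authenticated (SIM swap and interception are outside this sketch), so a deployment would additionally rate-limit submissions and bind each transaction to the logged-in web session.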

