Abstract
In this paper, we propose hPIN/hTAN, a low-cost, hardware-token-based PIN/TAN system for protecting e-banking systems under the strong threat model in which the adversary has full control over the user's computer. This threat model covers the various attacks that stem from untrusted terminal computers, such as keyloggers, screen scrapers, session hijackers, Trojan horses and transaction generators.
The core of hPIN/hTAN is a secure and easy-to-use user-computer-token interface. Security rests on this interface together with two underlying security protocols for user, server and transaction authentication. The hPIN/hTAN system is designed as an open framework, so the underlying authentication protocols can be reconfigured easily. To minimize cost and maximize usability, we chose two security protocols that rely only on simple cryptography (a cryptographic hash function).
In contrast to other hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel, nor a secure keypad, nor an external trusted center. Our prototype implementation involves no cryptography beyond a cryptographic hash function. The minimalistic design also helps security, because more complicated systems tend to have more security holes. As an important feature, hPIN/hTAN exploits the human user's active involvement in the whole process to compensate for security weaknesses caused by careless human behavior.
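To make the threat model concrete, the following constructed example (added here; it is not the hPIN/hTAN protocol from the paper) models a token that uses only a hash function and shows the user what it authenticates, and an untrusted PC that may alter the transaction on the way to the token, to the server, or both. The key, the counter-based TAN construction, and the display format are assumptions of this illustration.

```python
"""Constructed model of hash-only transaction authentication on an
untrusted PC. Not the paper's protocol: key, counter and display format
are illustrative assumptions."""
import hashlib
import hmac


def tan_for(key: bytes, counter: int, recipient: str, cents: int) -> str:
    """TAN over the transaction and a counter, using only SHA-256 (via HMAC)."""
    msg = f"{counter}|{recipient}|{cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]


def display_line(recipient: str, cents: int) -> str:
    """What the token shows the user before it produces a TAN."""
    return f"Pay {cents / 100:.2f} to {recipient}?"


class Token:
    """Hardware token: holds the shared key, shows exactly what it signs."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def sign(self, recipient: str, cents: int):
        self.counter += 1
        return display_line(recipient, cents), tan_for(self.key, self.counter, recipient, cents)


class Server:
    """Bank server: recomputes the TAN over the transaction it received."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def verify(self, recipient: str, cents: int, tan: str) -> bool:
        self.counter += 1
        expected = tan_for(self.key, self.counter, recipient, cents)
        return hmac.compare_digest(expected, tan)


def attempt(key: bytes, intent, to_token, to_server) -> str:
    """Run one transaction through a PC that may tamper with either hop.
    intent: (recipient, cents) the user meant; to_token / to_server: what the
    PC actually forwards. Returns 'accepted', 'user_aborts' or 'server_rejects'."""
    token, server = Token(key), Server(key)
    shown, tan = token.sign(*to_token)
    if shown != display_line(*intent):
        return "user_aborts"        # token display disagrees with user's intent
    if not server.verify(*to_server, tan):
        return "server_rejects"     # TAN covers different data than the server got
    return "accepted"
```

Because the TAN is bound to what the token displays, a transaction generator must either show the user a wrong amount on the token (caught by the user) or send the server data the TAN does not cover (caught by the server).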
Companion web page (with a full edition of this paper): http://www.hooklee.com/default.asp?t=hPIN/hTAN
© 2012 Springer-Verlag Berlin Heidelberg
Li, S., Sadeghi, A.-R., Heisrath, S., Schmitz, R., Ahmad, J.J. (2012). hPIN/hTAN: A Lightweight and Low-Cost E-Banking Solution against Untrusted Computers. In: Danezis, G. (ed.) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol. 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_19
DOI: https://doi.org/10.1007/978-3-642-27576-0_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27575-3
Online ISBN: 978-3-642-27576-0