
JOURNAL OF COMPUTING, VOLUME 4, ISSUE 2, FEBRUARY 2012, ISSN 2151-9617 https://sites.google.com/site/journalofcomputing WWW.JOURNALOFCOMPUTING.ORG


A Multifactor Authentication Security Protocol to Prevent Risks posed by Phishing, For Internet Based Online Payment System
Dr. Manish Shrivastava
Department of Computer Science & Engineering Institute of Technology, Guru Ghasidas University, Bilaspur CG India

Abstract—Security is a major issue in Internet-based online payment systems. Various Internet threats affect the security of these systems and increase the risk of electronic transactions. The current authentication technique for payment systems does not protect users adequately from identity theft: an attacker who gains access to confidential user information such as a credit-card number or account password can make illegal transfers of funds that are charged to the legitimate user. Single-factor authentication increases the risks posed by phishing, identity theft, fraud and loss of confidential customer information, so financial institutions should implement effective authentication to reduce fraud and strengthen the security of their applications. Strong customer authentication is necessary to enforce security and to help financial institutions detect and reduce identity theft.

Keywords -- Authentication, Phishing, Theft, Security


1 INTRODUCTION

In this proposed mechanism we have focused on a security solution that implements end-to-end authentication and data confidentiality between the client and a secure server. We propose a new mechanism for user authentication based on a multifactor approach that is designed to be secure and easy to implement. The proposed protocol also suggests a two-way authentication scheme that authenticates both parties. The solution can be implemented within available resources and does not require any modification of existing wireless networks. Implementing this mechanism will not increase users' expenses significantly: it can be executed within the charges financial institutions currently levy on users for payments, or with a very small addition to them.

2. EXISTING SYSTEM

The Secure Electronic Transaction (SET) is an open encryption and security specification designed to protect credit-card transactions on the Internet. Companies involved in the development of SET were IBM, Microsoft, Netscape, RSA, Terisa and VeriSign, and it is supported by major corporations such as Visa Inc. and MasterCard. Although SET was designed to operate in a wired infrastructure, its transaction flow and its implementation of security are of interest to us because they can also be employed in a wireless scenario. SET is used in the existing credit-card based payment system; it provides enhanced security for web-based financial transactions, authentication of the transaction, and binding of identities through registration and certification. SET is also an international standard with published protocol specifications. Figure 1 shows the flow of messages in the SET protocol. In a typical scenario, the merchant's site is accessed over the Internet by customers using their personal computers. While SET permits customers to make credit-card payments to any merchant offering a web-based service, customers also have the option of paying for other types of services using their banks' on-line banking facilities.

Figure 1: Transaction flow in Secure Electronic Transaction (SET). Parties: Customer Agent (CA), Merchant Agent (MA), Merchant Bank and Customer Bank. Messages: (1) user makes a purchase request; (2) merchant's certificates and payment information; (3) client order and payment information with a certificate; (4) request for authorization, payment with order information and both certificates; (5) request for payment approval; (6) authorization response for payment; (7) payment acknowledgement; (8) response to the customer.

A brief description of the SET protocol, as depicted in Figure 1:
1. The customer visits the merchant's web site, selects goods for purchase and obtains the total cost of the selected goods, including taxes and shipping.
2. The system asks for a payment method and the consumer chooses to pay by credit card using SET.
3. Special software on the consumer's PC, called a Digital Wallet, is invoked; it lets the customer select one credit card from the list of cards issued to that customer.
4. The consumer selects the card, and the electronic transaction takes place according to the SET protocol.
5. After receiving the customer's payment details, the merchant contacts the merchant's bank for customer authorization and payment.
6. The merchant's bank contacts the customer's bank for the same and obtains approval of the payment.
7. The merchant is notified if the transaction is successful.
8. A few seconds later, the customer receives confirmation that the order has been processed.

On-line payment services provided by most banks allow customers to make payments online to persons or organizations that have previously registered with the bank. A customer making an online payment provides the account number and type (savings, cheque, etc.) and the amount to be transferred to the institution's website. The bank generates a transaction/reference number to confirm successful completion of the transaction. At the end of the day it also sends the merchant details of all transactions carried out in the merchant's favour during the day, for audit purposes.

3. EXISTING SECURITY THREATS

SET is a good example of a protocol that is not completely secure in user authentication, and SSL-based methods ignore essential security requirements. Some disadvantages of SET are:
1. SET is designed for wired networks and does not meet all the challenges of a wireless network.
2. Because SET was designed to preserve the traditional flow of payment data (CA – MA – Merchant's Bank), there is a need for an end-to-end security mechanism between the customer and the bank.
3. The third problem is the direction of the transaction flow. In SET, transactions are carried out between the Customer Agent and the Merchant, so the protocol is exposed to a merchant that modifies transaction data, for example by altering the amount. Because the flow runs from customer to merchant, all the user's credit-card/debit-card details pass through the merchant's side, which increases the user's risk: the data can be copied and used later to access the customer's account without authorization.
4. There is no notification to the customer from the customer's bank after a successful transfer; the user has to log on to the bank's website again to check his or her balance.
5. SET covers only card-based (credit or debit) transactions; account-based transfers are not included.
6. Phishing has become a popular technique for identity theft. Phishers fraudulently capture sensitive user information such as passwords and credit-card details to gain unauthorized access to the user's confidential financial data and to transfer funds illegally. Phishing is generally carried out by e-mail, instant message or telephone. Identity theft is growing because users come into contact with fake websites and submit their personal information to phishers. Once the phisher holds the user's personal information, it can be misused to make illegal transfers of funds or to lock the user out of his or her own account.

4. PROPOSED SYSTEM

I propose a multi-tier authentication technique that integrates several factors of security. A strong authentication mechanism is needed when using electronic transfer systems: single-factor authentication is inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties, so multifactor authentication has to be used to provide secure web transactions. In our system, multifactor authentication is realised using five different modes: tokens, keystroke password, photo password, TIC and SMS. SMS has been used in previous approaches to the problem; the combination of tokens, keystroke password, photo password and TIC is introduced here as a method of authenticating both the transaction and the user. The five modes are:
1. Tokens
2. Password (keystroke authentication)
3. Photo password
4. TIC authentication
5. SMS confirmation

Tokens

Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of token are discussed here: the USB token device, the smart card, and the password-generating token.

USB Token Device

The USB token device is typically the size of a house key. It plugs directly into a computer's USB port and therefore does not require the installation of any special hardware on the user's computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the system. USB tokens are one-piece, injection-moulded devices; they are hard to duplicate and tamper resistant, and so are a relatively secure vehicle for storing sensitive data and credentials. The device can store digital certificates for use in a public key infrastructure (PKI) environment. The USB token is generally considered user-friendly: its small size makes it easy to carry and, as noted above, it plugs into an existing USB port, so no additional hardware is needed.

Password (keystroke authentication)

Whenever a user wants to log in to a website, he or she first has to enter a password. This is acceptable to the majority of users; virtually everyone is used to entering authentication details such as a login id and password. Keystroke dynamics captures typing characteristics such as keystroke duration, termed "dwell time" in the literature, and digraph times, the latency between striking successive keys. These attributes are used to build a model of how a user types, stored as a reference profile. The model is then used by a variety of machine-learning algorithms to determine whether the timing extracted from a login attempt is similar enough to the reference profile for that user account. The deployment of keystroke dynamics for user authentication is no longer a novel concept. Keystroke dynamics is an instance of behavioural biometrics that captures the typing style of a user: the dynamics of a user's interaction with a keyboard yield quantitative information on dwell time (how long a key is pressed) and time-of-flight (the time between successive keys).

By collecting these dynamic aspects even during the login process, one can develop a model that captures potentially unique characteristics usable for identifying an individual. To build the model of how the user enters his or her details, an enrolment phase is required, in which the user is asked to enter the login id/password repeatedly until a stable value is obtained (usually limited to 10-15 trials, but this is implementation dependent). Once this data has been collected, a reference "signature" is generated for the user and is used to authenticate the account on subsequent login attempts: the keystroke dynamics of the attempt with that login id/password combination are extracted and compared with the stored reference signature. If they are within a prescribed tolerance limit the user is authenticated; if not, the system rejects the attempt or takes some other suitable action. Keystroke dynamics thus monitors, analyses and recognizes keyboard behaviour during the user's access in order to validate and verify the user's identity, and is one of the more unusual biometric technologies in use today. It examines dynamics such as speed, pressure, the total time taken to type particular words, and the time elapsed between hitting certain keys.

Photo password

The photo password method adds a photo-password option alongside the normal password for logging in to a website. The technique depends on user awareness: if a user is in doubt whether the website that has appeared is authentic, he or she can invoke the photo-password option. At registration we ask the user to supply some photographs and the name of the person in each photograph. The objective is that only a legitimate website can display the previously registered photo together with the correct name; a fake site does not hold the photos and cannot produce them. Note that this check only holds against a phisher that has copied the site's appearance: a phishing proxy that forwards the user's identifier to the genuine site in real time can fetch and display the real photo, so the photo check cannot stand alone and is combined here with the remaining factors. After the photo-password verification is complete, the website server must send an SMS to the user describing the whole transaction and must ask for a reply approving it; the transaction proceeds only if the user replies with approval.

TIC Authentication

TIC (Transaction Identification Code) authentication is the technique used to identify both the user and the ongoing transaction. The TIC certifies that the current transaction was initiated by the right person, i.e. that a valid user is accessing his or her account. TIC codes are:
1. issued by the bank or financial institution to its customer;
2. 8- or 16-character pseudo-randomly generated codes assigned to the customer;
3. possibly a complicated digit sequence or a combination of numeric or alphanumeric characters;
4. used only once, i.e. a unique TIC is used for each transaction.

We assume that financial institutions are responsible for keeping the TIC generation logic and algorithm confidential, and that they have their own parameters for deciding the complexity of the TIC format. Financial institutions are also responsible for upgrading the TIC generation logic and data from time to time and for keeping it absolutely secret. In practice the codes should be drawn from a cryptographically secure random generator, so that they remain unpredictable even if the generation logic is disclosed; secrecy of the algorithm alone is a weak assumption. The user obtains a list of TIC codes from the bank or financial institution according to his or her requirements. The bank keeps a record of the TIC codes issued to each customer and matches the submitted code during the online transaction. A TIC is cancelled after each successful transaction (each TIC is used only once). A validity period for TICs can also be set according to the issuing organization's policies, which provides an extra security feature.

SMS Confirmation

After the TIC has been identified and validated, the remainder of the transaction proceeds. At the end of the transaction the user receives an SMS from the web authentication server asking him or her to confirm the financial transaction by replying "YES" or "NO". If the user replies YES the transaction is committed on the server; if the user replies NO it is cancelled.
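The enrolment and tolerance check described under Password (keystroke authentication) above, worked through as an added example; this is editor-supplied illustration code, not the paper's implementation. It assumes millisecond key-down/key-up timestamps as input, a 5 ms floor on each feature's standard deviation, and a mean-absolute-z-score rule with tolerance 2.0 in place of the machine-learning classifiers the section mentions; the typing samples are constructed, not measured.

```python
"""Keystroke-dynamics enrolment and verification (added example, not the paper's code).

Each typing sample is the list of key-down and key-up timestamps (milliseconds)
recorded while the user types the password. Dwell time = key-up minus key-down
for each key; flight time = next key-down minus this key-up. Enrolment averages
several samples into a reference signature; verification accepts a login attempt
whose mean absolute z-score against that signature is within a tolerance.
The z-score rule and the 5 ms std-dev floor are assumptions of this example.
"""
import random
from statistics import mean, pstdev

MIN_ENROL_SAMPLES = 10   # the paper suggests 10-15 trials, implementation dependent


def features(press_ms, release_ms):
    """Dwell times followed by flight times for one typing sample."""
    if len(press_ms) != len(release_ms) or len(press_ms) < 2:
        raise ValueError("need matching press/release lists with at least 2 keys")
    dwell = [r - p for p, r in zip(press_ms, release_ms)]
    flight = [press_ms[i + 1] - release_ms[i] for i in range(len(press_ms) - 1)]
    return dwell + flight


def enrol(samples):
    """Build the reference signature: per-feature mean and standard deviation."""
    if len(samples) < MIN_ENROL_SAMPLES:
        raise ValueError("not enough enrolment samples")
    vectors = [features(p, r) for p, r in samples]
    if any(len(v) != len(vectors[0]) for v in vectors):
        raise ValueError("every sample must cover the same number of keys")
    columns = list(zip(*vectors))
    # Floor the std-dev at 5 ms: a feature typed with perfect consistency during
    # enrolment would otherwise reject the genuine user on a 1 ms deviation.
    return {"mean": [mean(c) for c in columns],
            "std": [max(pstdev(c), 5.0) for c in columns]}


def verify(profile, press_ms, release_ms, tolerance=2.0):
    """True if the attempt's timing is within tolerance of the reference signature."""
    attempt = features(press_ms, release_ms)
    if len(attempt) != len(profile["mean"]):
        return False           # wrong key count: cannot be the enrolled password
    z = [abs(x - m) / s for x, m, s in zip(attempt, profile["mean"], profile["std"])]
    return mean(z) <= tolerance


def make_sample(base_dwell, base_flight, rng, jitter):
    """Constructed key-down/key-up timestamps around a base rhythm, +/- jitter ms."""
    press, release, t = [], [], 0
    for i, d in enumerate(base_dwell):
        press.append(t)
        t += d + rng.randint(-jitter, jitter)
        release.append(t)
        if i < len(base_flight):
            t += base_flight[i] + rng.randint(-jitter, jitter)
    return press, release


GENUINE_DWELL = [95, 110, 88, 102, 120, 90]      # six-key password, genuine rhythm
GENUINE_FLIGHT = [150, 180, 140, 200, 160]
IMPOSTOR_DWELL = [60, 70, 65, 62, 75, 58]        # same password, different typist
IMPOSTOR_FLIGHT = [320, 300, 350, 310, 330]


def demo(seed=7):
    """Enrol the genuine user, then test one genuine and one impostor attempt."""
    rng = random.Random(seed)
    enrolment = [make_sample(GENUINE_DWELL, GENUINE_FLIGHT, rng, 8) for _ in range(12)]
    profile = enrol(enrolment)
    genuine_ok = verify(profile, *make_sample(GENUINE_DWELL, GENUINE_FLIGHT, rng, 8))
    impostor_ok = verify(profile, *make_sample(IMPOSTOR_DWELL, IMPOSTOR_FLIGHT, rng, 8))
    return genuine_ok, impostor_ok


if __name__ == "__main__":
    print("genuine accepted, impostor accepted:", demo())
```

Features are computed from raw timestamps, so the same code serves a web front end that reports keydown/keyup events. The impostor in the demo knows the password and is rejected on rhythm alone, which is the point of the factor; a deployment would also re-enrol gradually, since typing rhythm drifts, and would treat the stored profile as sensitive biometric data.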

4.1 Protocol Flow

This section gives the basic flow of messages for implementing the proposed protocol, which also lets us identify the different components of the system and their functions. Figure 2 shows the protocol for secure web authentication. The protocol starts when the user decides to transfer money. We assume that the user's information, including his or her mobile phone number, is available at the server. A separate authentication server is recommended, alongside the regular web and database servers holding user information, to maintain strong security when authenticating users and their transactions. The steps of the protocol, as illustrated in Figure 2, are described below.

Figure 2: Protocol for secure web authentication. Components: the user's system with an encryption/decryption module; the bank/financial institution web server with an encryption/decryption module; and the bank authorization server. Messages: (1) user gets tokens, user id, password and a list of TICs from the bank; (2) login on the bank website with token, user id, keystroke password and photo password; (3) verify user information; (4) login authentication success (notification to the user, session key generated); (5) select the mode of payment; (6) fill in the details of payment with merchant/account information for the transfer; (7) send TIC to authenticate the transaction; (8) verify the TIC against the TICs assigned; (9) acknowledgement from the bank; (10) SMS to verify the user's transaction; (11) user confirms or declines the transaction by replying; (12) acknowledgement message from the server committing or declining the transaction.

1. The user gets tokens, a username/password and Transaction Identification Codes (TICs) from the bank. Each user has only one username/password for the account, but the TIC is unique for each online transaction, so users obtain a list of TICs from the bank or authorized financial institution according to their requirements.
2. The token, username/keystroke password and photo password are used to identify the user to the web server.
3. The token, username/keystroke password and photo password are verified by the bank authentication server.
4. After the user is recognized, he or she is shown an option screen to proceed further and receives notification of a successful login with a welcome message. This step also generates a session key.
5. The user selects the mode of payment. We have considered two modes: credit-card based payment and account-based electronic transfer. It is straightforward to add other modes to the system.
6. The user enters the details of the payment by filling in a simple form with details such as the merchant's bank and branch code, the invoice number and the account number to which the amount is to be transferred.
7. The user inserts a TIC by choosing one from the stored list of TICs. All details of the transaction, with the TIC attached, are encrypted using AES and submitted to the bank web server.
8. The bank web server passes the message to the authorization server, which decrypts it, extracts the TIC and verifies it against the list of TICs stored in the user's account record in the server database. If the TIC matches, the server cancels the used TIC in its database and proceeds to the next step. If no TIC matches, the authentication server denies the transaction and displays an appropriate error message to the user.
9. The bank server generates an acknowledgement to the user, who is then free to log out of the web portal and wait for a confirmation SMS, or to initiate another financial web transaction.
10. After updating the database for the ongoing transaction, the authentication server sends an SMS to the user's mobile phone to verify the initiated web transaction. The user's phone number is available on the authentication server.
11. The user confirms the initiated transaction by replying "YES" to the confirmation SMS, or denies it by replying "NO".
12. The server notifies the user with a message acknowledging the successful completion or the declination of the transaction.
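Steps 1, 4 and 7 to 12 of the flow above as one runnable exchange with both sides in a single process, added here as an illustration; it is not the paper's code. It assumes TICs are 16-character alphanumeric codes drawn from the `secrets` module, that the transaction form is bound to the step-4 session key with HMAC-SHA256 from the standard library in place of the AES encryption the paper specifies (so the example runs without third-party packages; a deployment would use an authenticated mode such as AES-GCM for confidentiality as well), and that the SMS channel is a list the caller can inspect. All names, numbers and error strings are hypothetical.

```python
"""One-time TIC verification, session binding and SMS confirmation (added example).

Bank web server and authorization server are collapsed into one object; the
client side is the sign_transaction() helper. HMAC-SHA256 under the session key
stands in for the paper's AES step; a TIC is consumed on first use whether or
not it is still valid, so a replayed or expired code can never be retried.
"""
import hashlib
import hmac
import json
import secrets
import string
import time

TIC_ALPHABET = string.ascii_uppercase + string.digits


class Bank:
    def __init__(self):
        self.phones = {}        # user -> registered mobile number
        self.tics = {}          # user -> {tic: expiry timestamp}
        self.sessions = {}      # session id -> (user, session key)
        self.pending = {}       # transaction id -> (user, details) awaiting SMS reply
        self.sms_outbox = []    # (phone, text) messages "sent"
        self.ledger = []        # committed (user, details)

    def register_phone(self, user, phone):
        self.phones[user] = phone

    def issue_tics(self, user, count=10, ttl=30 * 24 * 3600, now=None):
        """Step 1: issue a list of single-use TICs, each valid for ttl seconds."""
        now = time.time() if now is None else now
        codes = ["".join(secrets.choice(TIC_ALPHABET) for _ in range(16))
                 for _ in range(count)]
        self.tics.setdefault(user, {}).update({c: now + ttl for c in codes})
        return codes

    def open_session(self, user):
        """Step 4: after the login factors succeed, create a per-session key."""
        sid, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.sessions[sid] = (user, key)
        return sid, key

    def submit(self, sid, body, tag, now=None):
        """Steps 7-10: check integrity, consume the TIC, queue the confirmation SMS."""
        now = time.time() if now is None else now
        if sid not in self.sessions:
            return "error: unknown session"
        user, key = self.sessions[sid]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "error: integrity check failed"
        details = json.loads(body)
        tic = details.pop("tic", None)
        if not {"amount", "account"}.issubset(details):
            return "error: incomplete transaction"
        issued = self.tics.get(user, {})
        if tic not in issued:
            return "error: TIC not recognised"
        expiry = issued.pop(tic)          # consumed on first use, valid or not
        if now > expiry:
            return "error: TIC expired"
        phone = self.phones.get(user)
        if phone is None:
            return "error: no phone registered"
        txn_id = secrets.token_hex(4)
        self.pending[txn_id] = (user, details)
        self.sms_outbox.append((phone, f"{txn_id}: transfer {details['amount']} "
                                       f"to {details['account']}? reply YES or NO"))
        return f"ack: {txn_id}"

    def sms_reply(self, phone, text):
        """Steps 11-12: commit on YES, cancel otherwise; only the registered phone counts."""
        txn_id, _, answer = text.partition(" ")
        if txn_id not in self.pending:
            return "error: no such pending transaction"
        user, details = self.pending[txn_id]
        if self.phones.get(user) != phone:
            return "error: reply from an unregistered number"
        del self.pending[txn_id]
        if answer.strip().upper() == "YES":
            self.ledger.append((user, details))
            return f"committed {txn_id}"
        return f"declined {txn_id}"


def sign_transaction(session_key, details):
    """Client side of step 7: serialise the form (TIC included) and bind it to the session."""
    body = json.dumps(details, sort_keys=True).encode()
    return body, hmac.new(session_key, body, hashlib.sha256).digest()
```

Two details matter for the threats in Section 3: the transaction stays pending until the reply arrives from the phone number on record, so a phisher who captured the TIC and session cannot complete the transfer alone, and the TIC is removed from the issued list before the expiry check, so a stolen code yields at most one attempt.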

5. CONCLUSION

Phishing has become a popular technique for identity theft. Phishers fraudulently capture sensitive user information such as passwords and credit-card details to gain unauthorized access to the user's confidential financial data and to transfer funds illegally; phishing is generally carried out by e-mail, instant message or telephone. The proposed protocol is designed to be secure against phishing attacks: a multifactor authentication protocol has the capability to secure user data and to maintain integrity, confidentiality and access control against malware. In this proposed mechanism we have focused on a security solution that implements end-to-end authentication and data confidentiality between the client and a secure server. It provides a new mechanism for user authentication based on a multifactor approach that is secure and easy to implement, and it also suggests a two-way authentication scheme that authenticates both parties. The solution can be implemented within available resources and does not require any modification of existing wireless networks. Implementing this mechanism will not increase users' expenses significantly: it can be executed within the charges financial institutions currently levy on users for payments, or with a very small addition to them.

Author: Dr. Manish Shrivastava, Head, Department of Computer Science & Engineering, Institute of Technology, Guru Ghasidas University, Bilaspur, obtained his M.Tech. degree from DAVV, Indore, and his Ph.D. from Guru Ghasidas University, Bilaspur. He has about thirteen years of teaching and research experience and has a number of papers in various national and international journals to his credit. His field of interest is network security. He is a life member of the Indian Society for Technical Education and a senior member of the IACSIT.
