ONE-TOUCH FINANCIAL TRANSACTION AUTHENTICATION

Daniel V. Bailey, John Brainard, Sebastian Rohde, Christof Paar

Abstract

We present a design for a Wi-Fi user-authentication token that tunnels data through the SSID field, packet timing, and packet length. Previous attempts to build an online-banking transaction-signing token have been only moderately successful, due in large part to usability problems. Average consumers, especially in the United States, are simply unwilling to transcribe strings of digits from PC to token and back again. In a departure from previous work, our token communicates using point-to-point side-channels in Wi-Fi that allow two devices to directly exchange messages – even if one is also connected to an access point. The result is a token that can authenticate transactions using only one touch by the user. The increased usability means more transactions can be authenticated, reducing fraud and driving more banking business online.
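A token that tunnels bytes through the SSID field produces beacon frames whose SSIDs look nothing like a human-chosen network name. The following added example (not code from the paper) shows how a monitoring side could parse the SSID information element out of a raw 802.11 beacon and flag SSIDs that appear to carry encoded data; the frame layout follows IEEE 802.11-2007, and `build_beacon`, the entropy threshold and the sample SSIDs are constructed for the example.

```python
import math

MGMT_HDR_LEN = 24       # FC(2) Duration(2) Addr1/2/3(18) SeqCtl(2)
BEACON_FIXED_LEN = 12   # Timestamp(8) BeaconInterval(2) Capabilities(2)
EID_SSID = 0            # element ID of the SSID information element


def build_beacon(ssid: bytes) -> bytes:
    """Construct a minimal beacon frame (sample input, not a real capture)."""
    fc = b"\x80\x00"    # type=management, subtype=beacon, version 0
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + b"\x02" * 6 + b"\x02" * 6 + b"\x10\x00"
    fixed = b"\x00" * 8 + b"\x64\x00" + b"\x01\x00"
    return hdr + fixed + bytes([EID_SSID, len(ssid)]) + ssid


def parse_beacon_ssid(frame: bytes) -> bytes:
    """Return the SSID element value of a beacon frame; raise ValueError otherwise."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN:
        raise ValueError("frame too short for a beacon")
    if frame[0] & 0xFC != 0x80:   # mask off the protocol version bits
        raise ValueError("not a beacon frame")
    off = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while off + 2 <= len(frame):  # walk the tagged parameters
        eid, elen = frame[off], frame[off + 1]
        value = frame[off + 2: off + 2 + elen]
        if len(value) != elen:
            raise ValueError("truncated information element")
        if eid == EID_SSID:
            return value
        off += 2 + elen
    raise ValueError("no SSID element present")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the byte-value distribution of data."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def ssid_looks_like_data(ssid: bytes, entropy_threshold: float = 4.5) -> bool:
    """Heuristic: human-chosen SSIDs are printable and repetitive; encoded payloads are not."""
    if not ssid:
        return False
    if any(b < 0x20 or b > 0x7E for b in ssid):   # raw bytes outside printable ASCII
        return True
    return len(ssid) >= 24 and shannon_entropy(ssid) > entropy_threshold
```

The threshold is a starting point for tuning against a site's own beacon baseline, not a calibrated value.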

Paper Citation


in Harvard Style

V. Bailey D., Brainard J., Rohde S. and Paar C. (2009). ONE-TOUCH FINANCIAL TRANSACTION AUTHENTICATION. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009) ISBN 978-989-674-005-4, pages 5-12. DOI: 10.5220/0002182400050012


in Bibtex Style

@conference{secrypt09,
author={Daniel V. Bailey and John Brainard and Sebastian Rohde and Christof Paar},
title={ONE-TOUCH FINANCIAL TRANSACTION AUTHENTICATION},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)},
year={2009},
pages={5-12},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002182400050012},
isbn={978-989-674-005-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2009)
TI - ONE-TOUCH FINANCIAL TRANSACTION AUTHENTICATION
SN - 978-989-674-005-4
AU - V. Bailey D.
AU - Brainard J.
AU - Rohde S.
AU - Paar C.
PY - 2009
SP - 5
EP - 12
DO - 10.5220/0002182400050012