User-friendly Manual Transfer of Authenticated Online Banking Transaction Data - A Case Study that Applies the What You Enter Is What You Sign Transaction Authorization Information Scheme

Sven Kiljan, Harald Vranken, Marko van Eekelen

Abstract

Online banking relies on user-owned home computers and mobile devices, all vulnerable to man-in-the-middle attacks which are used to steal money from bank accounts. Banks mitigate this by letting users verify information that originates from these untrusted devices. This is not user-friendly since the user has to process the same information twice. It also makes the user an unnecessary critical factor and risk in the security process. This paper concerns a case study of an information scheme which allows the user to enter critical information in a trusted device, which adds data necessary for the recipient to verify its integrity and authenticity. The output of the device is a code that contains the information and the additional verification data, which the user enters in the computer used for online banking. With this, the bank receives the information in a secure manner without requiring an additional check by the user, since the data is protected from the moment the user entered it in the trusted device. This proposal shows that mundane tasks for the user in online banking can be automated, which improves both security and usability.

References

  1. Curran, K. and Dougan, T. (2012). Man in the Browser Attacks. Int. J. Ambient Comput. Intell., 4(1):29-39.
  2. Felt, A. P., Finifter, M., Chin, E., Hanna, S., and Wagner, D. (2011). A Survey of Mobile Malware in the Wild. In Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 7811, pages 3-14, New York, NY, USA. ACM.
  3. Gallagher, M. A. and Byrne, M. D. (2015). Modeling Password Entry on a Mobile Device. In Proceedings of the International Conference on Cognitive Modeling.
  4. Herley, C. (2009). So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In Proceedings of the 2009 Workshop on New Security Paradigms Workshop, NSPW 7809, pages 133-144, New York, NY, USA. ACM.
  5. Kiljan, S., Simoens, K., De Cock, D., van Eekelen, M., and Vranken, H. (2014a). Security of Online Banking Systems. Technical Report TR-OU-INF-2014-01 (Open Universiteit).
  6. Kiljan, S., Vranken, H., and Van Eekelen, M. (2014b). What You Enter Is What You Sign: Input Integrity in an Online Banking Environment. In Socio-Technical Aspects in Security and Trust (STAST), 2014 Workshop on, pages 40-47.
  7. Poll, E. and de Ruiter, J. (2013). The Radboud Reader: A Minimal Trusted Smartcard Reader for Securing Online Transactions. In Policies and Research in Identity Management - Third IFIP WG 11.6 Working Conference, IDMAN 2013, London, UK, April 8-9, 2013. Proceedings, pages 107-120.
  8. Sobti, R. and Geetha, G. (2012). Cryptographic Hash Functions: A Review. International Journal of Computer Science Issues, 9(2):461-479.
  9. Weigold, T. and Hiltgen, A. (2011). Secure confirmation of sensitive transaction data in modern Internet banking services. In Internet Security (WorldCIS), 2011 World Congress on, pages 125-132.
  10. Wiseman, S., Mino, G. S., Cox, A. L., Gould, S. J., Moore, J., and Needham, C. (2016). Use Your Words: Designing One-time Pairing Codes to Improve User Experience (to be published). In Proceedings of the 34rd Annual ACM Conference on Human Factors in Computing Systems. ACM Publications.
Download


Paper Citation


in Harvard Style

Kiljan S., Vranken H. and van Eekelen M. (2016). User-friendly Manual Transfer of Authenticated Online Banking Transaction Data - A Case Study that Applies the What You Enter Is What You Sign Transaction Authorization Information Scheme . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 259-270. DOI: 10.5220/0005965102590270


in Bibtex Style

@conference{secrypt16,
author={Sven Kiljan and Harald Vranken and Marko van Eekelen},
title={User-friendly Manual Transfer of Authenticated Online Banking Transaction Data - A Case Study that Applies the What You Enter Is What You Sign Transaction Authorization Information Scheme},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={259-270},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005965102590270},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - User-friendly Manual Transfer of Authenticated Online Banking Transaction Data - A Case Study that Applies the What You Enter Is What You Sign Transaction Authorization Information Scheme
SN - 978-989-758-196-0
AU - Kiljan S.
AU - Vranken H.
AU - van Eekelen M.
PY - 2016
SP - 259
EP - 270
DO - 10.5220/0005965102590270