hPIN/hTAN: a lightweight and low-cost e-banking solution against untrusted computers

Authors:
Shujun Li;Ahmad-Reza Sadeghi;Sören Heisrath;Roland Schmitz;Junaid Jameel Ahmad
Affiliations:
University of Konstanz, Germany;Darmstadt University of Technology and Fraunhofer SIT, Darmstadt, Germany;Ruhr-University of Bochum, Germany;Stuttgart Media University, Germany;University of Konstanz, Germany
Venue:
FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Year:
2011

Citing 11
Cited 1

Visual Authentication and Identification

CRYPTO '97 Proceedings of the 17th Annual International Cryptology Conference on Advances in Cryptology
Two-factor authentication: too little, too late

Communications of the ACM - Transforming China
Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft

Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft
Transaction generators: root kits for web

HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
An exprimental investigation of the usability of transaction authorization in online bank security systems

AISC '08 Proceedings of the sixth Australasian conference on Information security - Volume 81
The Zurich Trusted Information Channel --- An Efficient Defence Against Man-in-the-Middle and Malicious Software Attacks

Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Solutions to the GSM Security Weaknesses

NGMAST '08 Proceedings of the 2008 The Second International Conference on Next Generation Mobile Applications, Services, and Technologies
Internet Banking: Client-Side Attacks and Protection Mechanisms

Computer
Optimised to Fail: Card Readers for Online Banking

Financial Cryptography and Data Security
Using a personal device to strengthen password authentication from an untrusted computer

FC'07/USEC'07 Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security
Breaking e-banking CAPTCHAs

Proceedings of the 26th Annual Computer Security Applications Conference

Secure computing with the MPEG RVC framework

Image Communication

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we propose hPIN/hTAN, a low-cost hardware token based PIN/TAN system for protecting e-banking systems against the strong threat model where the adversary has full control over the user's computer. This threat model covers various kinds of attacks related to untrusted terminal computers, such as keyloggers, screen scrapers, session hijackers, Trojan horses and transaction generators. The core of hPIN/hTAN is a secure and easy user-computer-token interface. The security is guaranteed by the user-computer-token interface and two underlying security protocols for user/server/transaction authentication. The hPIN/hTAN system is designed as an open framework so that the underlying authentication protocols can be easily reconfigured. To minimize the costs and maximize usability, we chose two security protocols dependent on simple cryptography (a cryptographic hash function). In contrast to other hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel nor a secure keypad nor external trusted center. Our prototype implementation does not involve cryptography beyond a cryptographic hash function. The minimalistic design can also help increase security because more complicated systems tend to have more security holes. As an important feature, hPIN/hTAN exploits human users' active involvement in the whole process to compensate security weaknesses caused by careless human behavior.