Improving online banking security with hardware devices

F. Puente, J. D. Sandoval, P. Hernandez, C. J. Molina
Published in: Proceedings 39th Annual 2005 International Carnahan Conference on Security Technology
DOI: 10.1109/CCST.2005.1594874 (https://doi.org/10.1109/CCST.2005.1594874)
Citations: 11

Abstract

Even though it has probably never happened to us, it is possible to insert our credit card into an ATM and have it steal the money from our account, or to access our bank account from a computer and have someone else gain access to it. In the first case we believe that the ATM is a trusted device and never tries to cheat us. In the second case, we believe that our computer provides a safe environment for electronic banking. Although there are a few records in history of ATM fraud, we generally believe that it won't happen to us. However, we all know that computers are not safe and still take the risk. Viruses and trojans (malicious software) can do all this and much more, not only in movies but in the real world. This is possible just because we are giving away all the information needed to access our money instead of keeping it. In the first case we are giving away our credit card and the PIN (personal identification number), and in the second case we are giving away our login and password/s. Anyone who can intercept this information can successfully pretend to be us and withdraw our money. Digital signatures can solve these problems by providing the means for validating a user or a given operation without exposing the data required to do it. However, the point is not whether digital signatures are the best way to protect our money, but how to implement the system in a way that is easy to use and safe enough. Here we propose some possible implementations based on the idea that not only a digital signature is needed but also human interaction is required in order to avoid a classic man-in-the-middle attack. It is not safe to insert a smart card into a standard smart card reader, enter the PIN in the application used to access it, and then expect the application to do exactly what we tell it to do. That would be perfectly fine in a world where we can trust each other and we can consider computers to be completely safe from intrusions. But the truth is unfortunately far from that, and so we need to look for new ways to protect ourselves from this kind of attack. Several hardware devices are proposed based on a basic structure where we have a display, some way to input data (such as a keyboard or a few buttons) and some way to communicate with any computer.