BANKING AUTHEMTICATION SYSTEM USING MOBILE-OTP WITH QR-CODE

Transcription

1 BANKING AUTHEMTICATION SYSTEM USING MOBILE-OTP WITH QR-CODE Abhishek B. Iyer G.H.Raisoni College of Engineering and Management, Wagholi, Pune, Maharashtra, India Rohit A. Shah G.H.Raisoni College of Engineering and Management, Wagholi, Pune, Maharashtra, India Pritamkumar D. Suryawanshi G.H.Raisoni College of Engineering and Management, Wagholi, Pune, Maharashtra, India Swapnil Tawade G.H.Raisoni College of Engineering and Management, Wagholi, Pune, Maharashtra, India Abstract As a high-speed internet infrastructure is being developed and people are informationized, the financial tasks are also engaged in internet field. However, the existing internet banking system was exposed to the danger of hacking. Recently, the personal information has been leaked by a high-degree method such as Phishing or Pharming beyond snatching a user s ID and Password. Seeing that most of examples which happened in the domestic financial agencies were caused by the appropriation of ID or Password belonging to others, a safe user confirmation system gets much more essential. In this paper, we propose a new Online Banking Authentication system. This authentication system used Mobile OTP with the combination of QR-code which is a variant of the 2D barcode. Keyword- 2D Bar Code, Mobile Learning, One Time Password(OTP), Quick Response (QR)Code, URL. 1) INTRODUCTION Online banking is one of the most sensitive tasks performed by general internet user. Most traditional banks new offer online baking with peace of mind. Although the banks heavily advertise a apparent 100% online security guarantee, typically the fine print makes this conditional a user fulfilling certain security requirements [1]. The number of the users of the domestic banking system has-been increased steadily in the first quarter of The average usage of the service per day was 26,410,000 while the amount of dealings went beyond 26 trillion 950 million won. However, recent banks are becoming increasingly reluctant to reimburse user who fall prey to online scams such as phishing or a pharming. The first hacking incident in Korea in 2005spurred the FSS (The Korean Financial Supervisory Service) to announce a comprehensive countermeasure. One of the countermeasures that draw high attention of the financial agencies is OTP (One Time Password), one of the user confirmation methods is introduces, and Joint Confirmation Centre of OTP is established [2]. The Online financial transaction in the present is apply a security card and public key certificate which are the methods confirming a user, and recently OTP was newly introduced. One-Time Password is a password system where passwords can only be used once and the user has to be authenticated with a new password key each time. This guarantee the safety even if an attacker is tapping password in network or a user loses it. Besides, OTP features anonymity, portability, and extensity, and enables to keep the information from being leaked 1

2 [3]. The type of OTP generate device is smart card, USB, fingerprint recognition and so on. Our propose Online Banking Authentication System use Mobile OTP, one of the OTP generate device which has same security as the existing OTP and with the convenience of mobile features, and the used of semi-permanent. This reduction in acquisition costs as well as easy to download the brother deployment, if the introduction of financial. In addition, user does not require a separate cost except for the initial download costs. Meanwhile, the use of electronic banking services is increased gradually in daily life and currently online banking required the use of security card from each banks. However the current service using security card does not suite modern Mobile environment because we do not know when and where online banking and will be used. If there is emergency situation to do online banking, the online baking cannot be done without the security card. In order to overcome such a weaknesses and inconvenient of security card, our propose authentication system use twodimensional barcodes (2DBarcode) instead of security card. Barcode is fast, easy, accurate and automatic data collection method. Barcode enables products to be tracked efficiently and accurately at speeds net possible using manual data entry system. In this paper, we propose authentication system for online banking which can provide greater security and convenience by mobile OTP with the QR-code, one of the 2D barcode adopted by current international and national standards. The bank generates the QR-code using the user s enter transfer information, the user then use mobile phone to read the code. After that use to a mobile phone generates the OTP code with the input of transfer information and hashed user s mobile serial number. Then user enters the generated OTP code, to complete the transfer process. This paper is organized as follows: We introduce OTP (One-Time Password) [4] and QRcode (two-dimensional barcode)[5] in Section 2. In Section 3, we describe our new scheme and analysis of proposed authentication system. And a conclusion section is end the present paper. 2) RELATED WORK A) OTP (ONE-TIME PASSWORD) An OTP is a generated password which only valid once. The user is given a device that can generate an OTP using an algorithm and cryptographic keys. On the server side, an authentication server can check the validity of the password by sharing the same algorithm and keys. Several software or devices can be used to generate the OTP, for example personal digital assistants, mobile phones, dedicated hardware tokens as it the most secure smart cards is devices among all the OTP generator provide tamper-resistant two-factor authentication: a PIN to unlock the OTP generator(something you know), and the OTP smart card itself(something you have). Figure 1 illustrates the three steps that required to generate an OTP: the collection of some external data, such as the time for synchronous OTP or a challenge for an asynchronous OTP, a ciphering algorithm with secret keys shared by the device and the authentication server, and finally a formatting step that sets the size of the OTP to typically six to eight digits. 2

3 Figure 1- Generation of One-Time Password Until recently, OTP solutions were based on proprietary and often patented time-based or event-based algorithms. In 2005, OATH-HOTP [6] was defined as an open standard by major actors in the industry. This open standard allows multi sourcing of the OTP generating devices and authentication servers from different vendors. The HOTP algorithm is based on a secret key and a counter shared by the device and the server, and uses standard algorithms such as SHA-1 and HMAC. OTP has carried more advantages over PKI as it does not require the deployment of smart card readers, drivers and PC software. However in terms of features, OTP only provides identification and authentication, whereas PKI provides addition encryption and signature. OTP being a password based authentication is also vulnerable to man-in-themiddle attacks, such as phishing scams. Since there is no mutual authentication of the PC and the internet service provider server, an attacker can intercept an OTP using a mockup site, and impersonate the user to the real internet web site. B) QR-CODE (2 DIMENSIONAL BARCODE) A QR-code is a two-dimensional barcode introduced by the Japanese company Denso-Wave in This kind of barcode was initially used for tracking inventory in vehicle parts manufacturing and now is widely used in a variety of industries. QR stands for Quick Response as the creator intended the code to allow its contents to be decoded at high speed. Figure 2- Structure of QR-Code 3

4 Each QR-code symbol consists of an encoding region and function patterns. Function patterns include finder, separator, timing patterns and alignment patterns. The finder patterns located at three comers of the symbol intended to assist in easy location of its position, size and inclination. A QR-code is a matrix code developed and released primarily to be a symbol that is easily interpreted by scanner equipment. It contains information in both vertical and horizontal directions, whereas a classical barcode has only one direction of data (usually the vertical one). Compared to a 1Dbarcode, a QR-code can hold a considerably greater volume of information: 7,089 characters for numeric, 4,296 characters for alphanumeric data, 2,953 bytes of binary (8bits) and 1,817 characters of Japanese Kanji/Kana symbols. Besides this, QR-code also has error correction capability. Data can be restored even when substantial parts of the code are distorted or damaged. In the QR-code standard, comers are marked and estimated so that the inside-code can be scanned. The barcode recognition process has 5 steps: (1) edge detection, (2) shape detection, (3) identification of barcode control bar, (4) identification of the barcode orientation, dimensions and bit density using the control bar, and lastly, (5) calculation the value of the barcode. For camera phones and PDAs (Personal Digital Assistant) that are not equipped with QRcode readers, there are some add-on tools that decode QR-codes simply by positioning the device in front of the code. This is done automatically within the streaming flow and the user does not have to take a picture of the QR-code. Quick Mark and 1-nigma readers are good examples of free tools using this technique that are available for many manufactured models and devices. Quick Mark provides extension functionalities to QR-codes, by allowing partial or entire encryption of codes. Another interesting feature is the Magic Jigsaw : this option encodes binary data (a picture for example) as a chain of QR-codes that the user can scan to retrieve the original content. Alternatively, if there is no network connection is available, the code management will have to be done by the mobile device in an autonomous way. If the final user only needs to scan codes and see the result messages, the software mentioned above are sufficient enough. However the developers, who have to manage QR-codes, some SDKs (Software Development kit) are announced and some are already available in the market. 3) PROPOSED AUTHENTICATION SYSTEM Security is one of the most important elements for requirements of the authentication system. Identification through a secure process where only legitimate user should be able to provide services, when they receive authorization from the server using the generated information from the user s mobile device. Also, convenience is very important as well as safety because inconvenience of the authentication system has possible to make renounce the use of the system. Therefore, the authentication system should provide convenience with maximum safety. Therefore an important approach proposed in this paper is currently being used to generate a QR-code instead of use to security card from the bank and use the mobile OTP. The bank 4

5 generates the QR-code using entered by user s transfer information and the user has to recognize as to read the code using their mobile phone and generate the OTP code using transfer information and the hashed user s mobile device serial number in their mobile phone. Finally, execute the transfer by user input the generated OTP code on the screen. In our propose scheme, we assume the secure communication between the user (PC) service providers and service providers certification authority. A) ASSUMPTION The proposed authentication system is the promise of the following assumption. User and the certification authority (CA) has been shared the hashed the serial number (SN) of user s mobile device through a secure process. User can recognize the QR-code by their mobile device and it can decode of the code. Assume the secure communication through SSL/TLS handshaking between the user (PC) and the certification authority (CA) and the service providers (Bank). User to download the mobile OTP program (algorithm) provided by certification authority (CA) or the service providers (Bank) and used it. Generates the OTP algorithm between the user and the certification authority (CA) is synchronized by Time-Event combinations method. B) PROPOSED SYSTEM The proposed authentication system performed the user authentication and digital signatures using authorized certificates in the same way as the existing authentication. To recognize and convert the code, we generate the mobile OTP code into a two-dimensional barcode using user s transfer information (TI), requested transfer time (T) and the hashed serial number (SN) of user s mobile device instead of security card. The authentication process of proposed system is shown below the Figure. 4. User uses his/her own public certificate to login and then transfer information to start the transfer transaction. o Transfer Information (TI) = TB TA TM o TB : Transfer Bank (Bank code) o TA : Transfer Account o TM : Transfer Money Server indicates and then converted the information to a QR-code with random value (RN`) on the screen using user enters the transfer information (TI), the requested time of transfer (T) and random value (RN). At the same time, the server sent it to certification authority (CA) to inputted information of transfer (TI) and the requested time of transfer (T). 5

6 Figure 4- A Proposed Authentication System Certification authority (CA) generated the OTP by received the transfer information (TI), the requested time of transfer (T) and the user s hashed serial number (SN). User will convert the QR-code on the screen using their mobile device and it is divided into two phases. First, user uses their mobile device (phones) to read the random value (RN) which show on the screen to verify the random value (RN`). If the random value is accurate, user will proceed to the next step. And then confirm the converted the information of transfer. If the information is accurate, user will generate OTP code in the mobile device. If the information does not match, the transfer will be cancelled. When user execute the generated OTP, mobile device generate the OTP by reads the transfer information (TI), perceived value of time (T) and hashed serial number (SN) 6

7 of user s mobile device are shared with the certification authority (CA). And output the generated OTP on the screen of mobile devices. User input the generated OTP code from mobile device on the screen. Server (Bank) sent OTP to certification authority (CA) to received OTP from user. Certification authority (CA) compared by received OTP code (OTP1) and generated the OTP code (OTP2), sent to server (Bank) to for OTP code approval. When the server (Bank) received approve of OTP from certification authority (CA), it will verify the entered OTP code with user consistent value and user digital signature. If the approve of OTP value does not receive, the transfer will be cancelled. Authorized user signed his certificate to complete the transfer. Server (Bank) to verify the digital signature and final approve of transfer. 4) SECURITY ANALYSIS Our proposed system use the camera of mobile device to recognize of QR-code, does not separate to communicate between the user s PC and mobile devices. Also the user and certification authority (CA) has been shared the hashed the serial number (SN) of user s mobile device through a secure process in the initial registration phase. If a counterfeit or altered the PIN, the OTP value is change. In our proposed system, the user to prevent Phishing attacks by identifying the value of random number (RN) before to verify the information of transaction when the conversion of QR-code. Meanwhile, our proposed system require a prerequisite input of transaction information using QR-code and authorized authentication by the public certificate for the generation of OTP. Through this process, identified as legitimate users and can block the use of malicious user. Also the time value used to generate the OTP code is not possible to change arbitrarily because we used the user s requested time of transfer. 5) CONCLUSION The use of electronic banking services is increased gradually in daily life and existing online banking required the usage of security card from each bank which does not match modern mobile environment because we do not know when and where online banking will be used. If there is emergency situation to do online banking, the online banking cannot be done without the security card. In order to overcome such discomfort of security card, online banking authentication system using 2D barcode instead of security card is proposed. The bank generates the QR-code using user input transfer information and then user need to recognize as to read the code using their mobile phone, after generate the OTP code using transfer information and the hashed user s mobile device number in their mobile phone. Finally, terminate the transfer by user typing of generated OTP code on the screen. 7

8 So, We propose new authentication system for online banking can provide greater security and convenience by using mobile OTP with the QR-code, one of the 2D barcode adopted by current international and national standards. REFERENCES 1) YoungeSil Lee, Online Banking Authentication System, Dongseo University, South Korea, ) Mohammad Mannan, P. C. Van Oorschot, Security and Usability: TheGap in Real-World Online Banking, North Conway, NH, USA, ) Sang-Il Cho, HoonJae Lee, Hyo-Taek Lim, Sang-Gon Lee, OTPAuthentication Protocol Using Stream Cipher with Clock-Counter,October, ) Jean-Daniel Aussel, Smart Cards and Digital Identity, Telektronikk3/ ISSN ) ISO/IEC 18004:2000(E) IT-Automatic Identification and Data Capture Techniques- QR Code,