SEPIA: Secure-PIN-Authentication-as-a-Service for ATM using Mobile and Wearable Devices
Rasib Khan, Ragib Hasan, and Jinfang Xu
SECRETLab, Department of Computer and Information Sciences, University of Alabama at Birmingham, Birmingham, AL 35294, USA
{rasib, ragib,

Abstract: Credit card fraud is a common problem in today's world. Financial institutions have registered major losses to date due to users' credit card information being exposed. Shoulder-surfing or observation attacks, including card skimming and video recording with hidden cameras while users perform PIN-based authentication at ATM terminals, are among the most common threats to ordinary users. Researchers have struggled to come up with solutions for secure PIN authentication. However, modern ubiquitous wearable devices, such as the Google Glass, have presented us with new opportunities in this research area. In this paper, we propose Secure-PIN-Authentication-as-a-Service (SEPIA), a secure obfuscated PIN authentication protocol for ATM and other point-of-service terminals using cloud-connected personal mobile and wearable devices. Our approach protects the user from shoulder-surfers and partial observation attacks, and is also resistant to relay, replay, and intermediate transaction attacks. A SEPIA user utilizes a Google Glass or a mobile device to scan a QR code on the terminal screen, proving co-location to the cloud-based server and obtaining a secure PIN template for point-of-service authentication. SEPIA ensures minimal task overhead on the user's device, with the bulk of the computation offloaded to the cloud. We have implemented a proof-of-concept prototype to perform experimental analysis and a usability study for the SEPIA architecture.

Keywords: ATM, Authentication, Credit/Debit Card, Google Glass, Obfuscated PIN, PIN Template, Point-of-Service, Security

I. INTRODUCTION

Authentication of users at automatic teller machines (ATMs) is mostly dependent on PIN-based verification.
Several usability factors have been studied so far to enhance the security of user authentication at ATMs. Socio-physical factors, such as queue length, distractions, length of time for the interaction, urgency, physical hindrance, memorization of PINs, co-located user display, speed of interaction, and the environment, are all determinants of how secure the procedure is [1, 2]. The major concerns arising from all of these factors are correlated with shoulder-surfing attacks, replay attacks, card cloning, and unintentional PIN sharing [2]. Multiple studies have also been conducted to detect fraudulent card transactions [3, 4]. Security of credit and debit card authentication may be considered an evolving field, fighting against skillful fraudsters who get hold of modern and more effective means every day [5]. Researchers have analyzed the current state of credit card fraud [6]. Systems supporting card-less transactions are becoming popular, where users can use additional personal devices, such as mobile phones, to perform the financial transaction [7, 8]. However, even today, incidents of exposure of credit card information are still common [9]. The total loss from consumer cyber-attacks in 2013 was estimated at approximately 38 million USD in the US, including 13 and 37 million in Europe and China respectively [9]. Shoulder-surfing attacks, also known as observation attacks, are the most common for ATM authentication. In this case, the attacker simply observes the PIN entry procedure of the authorized user to get hold of the secret information. Credit and debit card fraud due to identity theft is increasing every year [10, 11]. Unfortunately, users of such banking systems are still not legally protected by the banks and card companies [12]. Additionally, there are sophisticated scamming techniques using fake terminals, credit card cloning, and remote relay or wormhole attacks, which make the task of user protection harder [13-16].
Researchers have studied the reasons for ATM malpractices and the ways users are exposed to attackers [2]. Credit or debit cards may have magnetic strips on them to store the PIN information. Cards with magnetic strips are easy to clone with readily available and cheap card readers [17, 18]. Even though chip-based (EMV) cards have recently been gaining popularity, cards still come with magnetic strips, and it will be a while until all point-of-service devices and banks are upgraded to support only EMV cards. Unfortunately, such EMV cards are still vulnerable to cloning of the bank's certificate and to relay attacks [15, 16]. Research on shoulder-surfing resistant PIN entry is not new [19, 20]. Newer technologies, such as ubiquitous wearable devices and mobile phones, have also been utilized in developing secure PIN authentication technologies [21]. However, such devices are also considered an opportunity for more complex attacks by malicious users [22]. In this paper, we propose the Secure-PIN-Authentication-as-a-Service (SEPIA) framework to enable obfuscated PIN authentication for ATM and other point-of-service terminals using cloud-connected personal mobile and wearable devices. SEPIA allows a user to scan a QR code from the screen of a point-of-service terminal and connects to the cloud-based bank's SEPIA server to obtain secure one-time-use PIN templates. Here, a PIN template is a sequence of digits with marked positions where the user enters the actual PIN code. The QR code scanning is done using wearable devices,
such as the Google Glass wearable. The SEPIA service can also be used with a smart phone. The protocol is immune to shoulder-surfing attackers and ensures resistance against relay and replay attacks by proving co-location with the ATM terminal to the cloud-based bank's server. Our design requires minimal overhead computation on the personal devices, with most operations offloaded to the cloud, and does not impose any hardware-oriented requirements on the terminals.

Contributions: The contributions of this paper are summarized as follows:
1) We have proposed Secure-PIN-Authentication-as-a-Service (SEPIA), a secure obfuscated PIN-based authentication protocol for point-of-service terminals using cloud-connected personal devices. The proposed protocol works with a wearable or mobile device to allow obfuscated PIN template entry and is resistant to shoulder-surfing, relay, and replay attacks.
2) We have implemented a proof-of-concept prototype for the SEPIA service, using a cloud-based bank server, a desktop-based Java application imitating an ATM on Raspberry Pis, and user applications for both Google Glass and Android phones.
3) The implemented SEPIA prototype applications were used to perform experimental analysis, as well as a usability study to investigate the human factors involved in the SEPIA protocol.

The rest of the paper is organized as follows. Section II describes the threat and system model. The SEPIA protocol is presented in Section III. We present a security analysis of the design in Section IV. Section V presents the implementation and experiments for the proof-of-concept SEPIA components. A usability study is presented in Section VI. Related work and the conclusion are presented in Sections VII and VIII respectively.

II. THE SEPIA MODEL

The SEPIA architecture is a protocol for secure ATM point-of-service user authentication using obfuscated PIN codes.
In this section, we present the threat and system model to illustrate the functionality of the proposed SEPIA architecture.

A. Threat Model

The SEPIA threat model includes the definition of the assets and the attacker's capabilities in the process of ATM authentication using PIN codes.

1) Assets: The asset for ATM point-of-service authentication is primarily the user's PIN code. The PIN is secret information known only to the user of the card and is used by the user to authenticate at the ATM along with the credit and/or debit card.

2) Attacker's Capability: In the scenario where a user has presented a credit or debit card at an ATM and is about to enter the PIN code for authentication, the following are considered to be the potential attacks by a malicious entity:
1) The attacker can be standing in the queue behind the authenticating person, looking at the PIN entry, and execute a shoulder-surfing or observation attack [19]. The attacker may also install a small camera on the top surface of the ATM terminal to record PIN entries of users at the point-of-service.
2) A bystander may succeed in a partial observation attack, where he is only able to see part of the user's PIN entry. Given that most PIN codes are 4 digits long, the probability of a PIN-guessing attack still persists.
3) The attacker works at a local restaurant and owns a cheap and readily available card cloning device. A user may visit the restaurant, and when paying with the credit or debit card, the attacker clones the customer's card [14, 17, 18].
4) The attacker has installed a card skimming device on the ATM machine to get hold of the user's card information. Such devices fit at the card slot on ATM machines and record the card information as the user slides in their card [23].
5) The attacker can execute a relay attack on the user's card.
The attacker operates a modified ATM terminal, and uses relayed card information from an actual credit card user to make payments at another remote terminal [16].
6) The attacker has installed a legitimate-looking ATM terminal. Users are therefore tricked into thinking the terminal is a valid ATM, put in their credit/debit card, and lose the card information.
7) The user uses an advanced credit/debit card PIN protection service based on memorability and graphical image recall [13]. An attacker keenly follows the entry procedure of the user, or uses a mobile phone camera to record and gain knowledge of the user's graphical password entry, and succeeds in executing a shoulder-surfing attack.
8) An attacker can execute an intermediate interaction attack. In this case, the attacker finds a way to steal the information while the user has been distracted for some reason and exposes the credentials to the attacker.
9) The user utilizes a mobile or wearable device, such as Google Glass, to perform secure PIN authentication at the ATM terminal [21]. Unfortunately, the user loses the mobile phone or the Google Glass. The information stored on the device is therefore lost as well and lets an attacker gain knowledge of the user's credentials.

B. System Model

Next, we define the SEPIA system model, which will allow credit/debit card users to perform secure obfuscated PIN authentication at ATM point-of-service terminals.

Fig. 1: The Secure-PIN-Authentication-as-a-Service (SEPIA) for Obfuscated PIN Authentication for ATM using Personal Mobile and Wearable Devices (e.g. Google Glass). (Diagram between User, ATM, and SEPIA Server, labelled: 1. Touch screen to initiate; 3. Generate [PIN_Template, Tran_ID]; 5. Generate QR [Loc_ID, Req_ID, Tran_ID]; 6. Scan QR Code; 8. Transaction Request Verification; 10. [PIN on PIN_Template]; 11. Verify PIN; ATM idle screen "Touch to begin".)

SEPIA is dependent on three entities: the user, the ATM terminal, and the bank server.

SEPIA Server: The SEPIA server is a cloud-based server owned by the bank and stores the user's SEPIA service profiles. The server incorporates a callable API server to communicate with the user application and the ATM terminal. In our case, we have considered RESTful APIs [24] over HTTPS with client-side certificate verification for all communication.

Point-of-Service Terminal: The ATM point-of-service terminal has a unique location identifier, Loc_ID, which is approved and assigned by the bank. The ATM incorporates network connectivity and can communicate with the bank over a secure connection.

User: The user owns a credit/debit card along with a valid PIN code for authentication at the point-of-service terminal. The user owns a personal wearable device, such as the Google Glass, for using the SEPIA service for secure obfuscated PIN authentication. The user may also choose to use a mobile device for the SEPIA service. However, the larger and relatively impersonal display on the mobile device, compared to the Google Glass, creates some vulnerability to observation attacks. The SEPIA application is installed on the Google Glass or the mobile device. Initially, the user generates a username and password pair to be used for SEPIA on the Google Glass SEPIA app. The mobile application requires the user to log in using the SEPIA username and password.
The web-based SEPIA service on the cloud allows the user to store and save the SEPIA username/password information, which is later used during the SEPIA protocol. The user can create a new password at any time and update it on the bank website and in the SEPIA application on the device(s) accordingly.

III. THE SEPIA PROTOCOL

The SEPIA protocol involves mutual interaction between all three pairs of entities: the user and the ATM, the ATM and the bank, and the user and the bank, as shown in Figure 1. The sequence of interactions and messages in the SEPIA protocol is described as follows.

Step 1 [Initiation]: The user, along with the personal mobile or wearable device, approaches the ATM to perform a secure transaction. The ATM screen displays a "Touch to begin" information screen by default. The user touches the screen (or presses the button) to initiate the protocol.

Step 2 [ATM Transaction Request]: At this point, the ATM sends an ATM_TRAN_REQ message to the bank's secure server. The structure of the message is defined as:

ATM_TRAN_REQ ← [Req_ID, Loc_ID] (1)

Here, Req_ID is a request identifier generated by the ATM for the current transaction request. Loc_ID is the unique and verified identifier for the particular ATM point-of-service, assigned by the bank.

Step 3 [PIN Template Generation]: Upon receiving the ATM_TRAN_REQ message from the ATM, the bank generates a transaction identifier, Tran_ID, for this particular ATM transaction request. The bank then generates an obfuscated numeric template, PIN_Template, for the transaction to be made at the ATM point-of-service. The PIN template is an N-digit numeric pattern, where N ≥ 2P and P is the length of the PIN code required by the bank for its users. The PIN template is generated using a random N-digit generator, with a total of P digits marked as * at random places. For example, 8-digit PIN templates for a 4-digit PIN may look like [4 8 * * 2 9 * *], [* * * * 6], etc.
Finally, the bank creates a record, REC, for the received ATM_TRAN_REQ message and stores it in the local database:

REC ← [Req_ID, Loc_ID, Tran_ID, Validity, PIN_Template, TS, IsUsed] (2)

Here, TS is the timestamp at which the ATM_TRAN_REQ message was received by the bank from the ATM. The bank can specify a time limit for the PIN template: it stores Validity, the maximum period of time (e.g. 30 seconds) within which the PIN template has to be used. A Validity value that is too low will require the user to perform the ATM authentication very fast, while a higher value will make the system vulnerable to relay and replay attacks. Additionally, the IsUsed flag is set to FALSE and saved to keep track of whether the particular transaction request has been successfully completed or not.

Step 4 [ATM Transaction Response]: Next, the bank server responds to the transaction request made by the ATM using an ATM_TRAN_RES message. The structure of the message is defined as:

ATM_TRAN_RES ← [Tran_ID, Validity, PIN_Template] (3)

Here, Tran_ID is the identifier generated by the bank for this particular transaction request. PIN_Template is the numeric N-digit template generated by the bank. The bank also sends the Validity token, a timer for the maximum allowed time limit for the particular PIN template and transaction request for the current user.

Step 5 [QR Code Generation]: Once the ATM receives the ATM_TRAN_RES message, it extracts the Tran_ID and generates a quick response (QR) code [25]. The QR code is generated from the following content:

QR_Code ← [Loc_ID, Req_ID, Tran_ID] (4)

Here, Loc_ID, Req_ID, and Tran_ID are the location, request, and transaction identifiers respectively. The QR code is then displayed on the ATM screen.

Step 6 [QR Code Scan]: At this point, the user is able to see the QR code displayed on the ATM screen. The user then uses his personal mobile or wearable device running the SEPIA application to scan the QR code. The advantage of using a personal wearable device, such as the Google Glass, is that the messages displayed in the next phases are only visible to the interacting user. Upon a successful QR code scan, the Loc_ID, Req_ID, and Tran_ID are transferred from the ATM screen to the user's device.

Step 7 [User Transaction Request]: Once the user scans the QR code on the ATM screen, a USR_TRAN_REQ message is created and sent to the bank server over a secure communication channel.
The structure of the USR_TRAN_REQ message is as follows:

USR_TRAN_REQ ← [Username, Password, Loc_ID, Req_ID, Tran_ID] (5)

In this message, Loc_ID, Req_ID, and Tran_ID have been obtained from the QR scan, and the username and password are the user's personal SEPIA service settings, which have previously been saved on the bank's website.

Step 8 [Transaction Request Verification]: The bank's cloud-based server receives the USR_TRAN_REQ message from the user's personal mobile or wearable device. The bank then executes the transaction request verification algorithm in the cloud and responds to the user's personal device. The transaction verification algorithm is given in Table I.

    transaction_request_verify(USR_TRAN_REQ) {
        (uname, pwd, locid, reqid, tranID) ← parse(USR_TRAN_REQ);
        success ← authenticate_user(uname, pwd);
        if (success) then:
            REC ← get_rec(locid, reqid, tranID);
            if (REC != null) then:
                currtime ← get_system_time();
                if ((currtime - REC.TS) < REC.Validity) then:
                    if (REC.IsUsed == FALSE) then:
                        update(REC.IsUsed, TRUE);
                        return (success, REC);
                    else:
                        return (failure, "Repeated transaction");
                else:
                    return (failure, "Expired transaction");
            else:
                return (failure, "Invalid transaction request");
        else:
            return (failure, "Invalid user");
    }

TABLE I: SEPIA Transaction Request Verification Algorithm

Initially, the USR_TRAN_REQ is parsed to obtain the username, password, Loc_ID, Req_ID, and Tran_ID. The username/password is used to validate a user for the SEPIA service offered by the bank. If authentication is unsuccessful, the process returns with a failure message and the reason "Invalid user".
If successful, the Loc_ID, Req_ID, and Tran_ID are used to locate the transaction record, REC, in the bank's database. If a REC is not found, the process returns a failure status and the reason "Invalid transaction request". Given that a REC is found in the database, the current system time is then compared to the saved timestamp, TS, within the REC. The time difference must be less than the allowed validity period for the ATM transaction by the user. If the time difference is above the allowed limit, the process returns a failure status and the reason "Expired transaction". If the transaction request is still valid, the process then checks whether IsUsed is set to FALSE. If it is set to TRUE, this means that this is a replay attack, and the process returns a failed status with the failure reason "Repeated transaction". Given that the IsUsed flag is FALSE, the process updates the IsUsed flag in REC to TRUE and returns a success status along with the retrieved REC.

Step 9 [User Transaction Response]: Given that the transaction request verification algorithm returns a success, the bank server then constructs a USR_TRAN_RES and sends it back to the user. The structure of the message is shown below:

USR_TRAN_RES ← [Status, [PIN_Template, Rem_Validity] [Reason]] (6)

Here, Status corresponds to the success of the USR_TRAN_REQ sent earlier. PIN_Template is obtained from the corresponding REC found in the request verification phase. Finally, Rem_Validity is the remaining time for the validity of the ATM transaction for the current user. This is calculated as follows: Rem_Validity = REC.Validity - (Current System Time - TS). Alternatively, if the status is a failure in the request verification phase, the message includes a Reason for the failure.

Step 10 [Obfuscated PIN Input]: Given that the user received a success status in the USR_TRAN_RES message, the PIN_Template is then displayed on the user's personal mobile or wearable device. In the case of a mobile (smart) phone, the PIN_Template is displayed and visible on the phone screen, and it is up to the user to prevent other people from peeking at the phone screen. If using a Google Glass, the user does not need to worry about shoulder surfers, as the PIN_Template will only be visible to the user. The user then enters the P-digit PIN code obfuscated within the N-digit PIN_Template on the ATM's input screen. For example, the user is shown the following 8-digit PIN_Template: [4 8 * * 2 9 * *]. Assuming that the 4-digit PIN for the user is [ ], the user enters the following obfuscated PIN [ ].

Step 11 [PIN Verification]: The ATM receives the user's obfuscated PIN input on the screen. The PIN_Template which the ATM received earlier in the ATM_TRAN_RES message is then used to extract the P-digit PIN code obfuscated within the N-digit PIN_Template. The extracted PIN is then used by the ATM to authenticate the user, which completes the SEPIA protocol.

IV. DESIGN ANALYSIS

This section presents the security and architectural design analysis for the proposed SEPIA architecture with respect to the threats mentioned in the SEPIA model in Section II. The SEPIA protocol requires a personal wearable device, such as Google Glass, for performing the obfuscated PIN authentication. The system also supports any other (smart) mobile device to be used with the service.
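As an added illustration of Steps 3, 10 and 11 (example code written for this page, not the SEPIA prototype's Java code), the following Python models the bank's template generator, the user's mapping of the PIN onto the template, and the ATM's extraction of the PIN from the obfuscated entry. N=8 and P=4 follow the paper's example; the function names, the seedable rng parameter, and the sample PIN 1234 are assumptions; decoy_combinations evaluates the 10^(N-P) count used in the design analysis.

```python
import random

STAR = "*"


def generate_pin_template(n=8, p=4, rng=None):
    """Step 3: an N-digit random pattern with P positions replaced by '*'.
    N >= 2P keeps at least half of the template as decoy digits."""
    if n < 2 * p:
        raise ValueError("template length N must be at least 2P")
    rng = rng or random.SystemRandom()   # CSPRNG by default; a seeded Random is for demos only
    template = [str(rng.randrange(10)) for _ in range(n)]
    for pos in rng.sample(range(n), p):  # P distinct positions for the real PIN digits
        template[pos] = STAR
    return "".join(template)


def fill_template(template, pin):
    """Step 10 (user side): copy the decoy digits, put the PIN digits in order into the '*' slots."""
    if not pin.isdigit() or template.count(STAR) != len(pin):
        raise ValueError("PIN length must equal the number of '*' slots")
    digits = iter(pin)
    return "".join(next(digits) if c == STAR else c for c in template)


def extract_pin(template, entered):
    """Step 11 (ATM side): read back only the digits typed at the '*' positions."""
    if len(entered) != len(template) or not entered.isdigit():
        raise ValueError("entry must be an N-digit string")
    return "".join(e for t, e in zip(template, entered) if t == STAR)


def decoy_combinations(n, p):
    """Values the N-P decoy digits alone can take: 10**(N-P) (Section IV)."""
    return 10 ** (n - p)


def demo_round_trip(pin="1234", seed=None):
    """One transaction: template -> obfuscated entry -> extracted PIN; returns all of them."""
    rng = random.Random(seed) if seed is not None else None
    template = generate_pin_template(8, 4, rng)
    entered = fill_template(template, pin)
    recovered = extract_pin(template, entered)
    return template, entered, recovered, recovered == pin


if __name__ == "__main__":
    # The same PIN yields a different 8-digit entry for every template, so a recording
    # of one session does not reveal what to type at the next one.
    for seed in (1, 2):
        print(demo_round_trip("1234", seed))
    print(decoy_combinations(8, 4))
```

With the paper's template [4 8 * * 2 9 * *] and a hypothetical PIN 1234, the user types 48122934 and the ATM recovers 1234; the length checks in fill_template and extract_pin are the caveat a terminal needs, since an entry shorter or longer than N would shift every subsequent PIN digit.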
However, as already mentioned, the larger screen on the mobile device requires the user to be more careful than when using the user-only display on the Google Glass. Given that the display of the PIN_Template is protected, SEPIA ensures shoulder-surfing resistant PIN authentication. Any bystander observing or recording the PIN entry procedure will not be able to decipher the actual PIN code that pertains to the authentication of the card user. Let us assume that a non-authorized user scans the QR code while the user is performing the authentication process. There are two possible event scenarios: the user has already scanned the QR code and sent the USR_TRAN_REQ before the attacker scans it, or the attacker scans it before the user. In the first case, the REC for that particular transaction and the PIN_Template will already be flagged as used. The attacker will therefore receive a "Repeated transaction" error code. In the second case, the user will receive the "Repeated transaction" error, in which case the whole procedure can be restarted securely. In case an attacker attempts to perform the terminal authentication with the PIN code of a cloned card, the attacker will still require the username/password information. Without the SEPIA service username/password information, which is registered on the bank's website, the attacker will receive the "Invalid user" error status. Video recording bugs on an ATM terminal or bystanders recording the PIN entry procedure with mobile cameras will not compromise the user, due to the one-time-use PIN_Template. Additionally, the N-digit PIN_Template offers 10^(N-P) more numeric combinations for the PIN entry procedure. This makes the task of PIN-guessing with partial observation attacks much more difficult. The user proves co-location with the ATM terminal to the SEPIA server using the corresponding Req_ID, Loc_ID, and Tran_ID.
Therefore, delegating information to a remote terminal and executing a relay attack becomes impossible. A tainted ATM terminal will not hold a valid Loc_ID assigned by the bank. As a result, the Tran_ID for the requested transaction will not be validated by the bank, and the SEPIA server will respond with an "Invalid transaction request" error. Similarly, the one-time-use PIN_Template and the SEPIA-server-generated Tran_ID also protect the user from replay attacks. Additionally, the timed validity period for each transaction and the corresponding PIN_Template protects users from intermediate interaction attacks. Given that the SEPIA service only allows the PIN_Template to be used for Rem_Validity time (e.g. 20 seconds), the transaction request expires and the user has to start the process from the beginning. Therefore, only an active interaction of the user at the point-of-service will allow the authentication process to succeed. Finally, if the user loses his personal mobile or wearable device, the credentials are still safe with the user. Unlike other works [21], the devices do not store any information, such as certificates, to decrypt the one-time PIN. Instead, the username/password information is used to retrieve the PIN_Template securely from the SEPIA service API, and then the PIN code is mapped by the user onto the PIN_Template for obfuscated authentication. The SEPIA protocol therefore protects users even after their personal devices are lost. Unlike other previously proposed schemes [26], the SEPIA service running on the cloud performs the majority of the operation, allowing the user's device to offload the transaction request verification process. The user's personal mobile or wearable device merely acts as a requestor and receiver of the PIN_Template from the cloud server. Moreover, SEPIA does not require any hardware upgrades to currently operating ATM or point-of-service terminals.
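The following Python is an added example (not the authors' prototype code) that replays the verification algorithm of Table I against the scenarios argued in this section: the user and a bystander scanning the same QR code, a scan that arrives after Validity, a QR code from a terminal without a bank-assigned Loc_ID, and a wrong SEPIA password. The in-memory record store, the FakeClock, the counter-based Tran_ID in place of the prototype's UUIDs, and the user and terminal names are all constructed for the demonstration.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class Rec:
    """Bank-side transaction record of Step 3 (equation (2))."""
    req_id: str
    loc_id: str
    tran_id: str
    validity: float
    pin_template: str
    ts: float
    is_used: bool = False


class FakeClock:
    """Constructed clock so that expiry can be shown without sleeping."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SepiaServer:
    def __init__(self, users, loc_ids, validity=30.0, clock=time.time):
        self.users = dict(users)      # username -> password (demo only; a real server stores hashes)
        self.loc_ids = set(loc_ids)   # Loc_IDs the bank has assigned to genuine terminals
        self.validity = validity
        self.clock = clock
        self.records = {}             # (Loc_ID, Req_ID, Tran_ID) -> Rec
        self._next = 0

    def atm_tran_req(self, req_id, loc_id, pin_template):
        """Steps 2-4: ATM_TRAN_REQ -> ATM_TRAN_RES. An unknown Loc_ID gets no record."""
        if loc_id not in self.loc_ids:
            return None
        self._next += 1
        tran_id = f"TRAN-{self._next}"  # prototype used UUIDs; a counter keeps this deterministic
        rec = Rec(req_id, loc_id, tran_id, self.validity, pin_template, self.clock())
        self.records[(loc_id, req_id, tran_id)] = rec
        return {"Tran_ID": tran_id, "Validity": self.validity, "PIN_Template": pin_template}

    def transaction_request_verify(self, req):
        """Table I: the same checks, in the same order, with the same four failure reasons."""
        expected = self.users.get(req["Username"])
        if expected is None or not hmac.compare_digest(expected.encode(), req["Password"].encode()):
            return "failure", "Invalid user"
        rec = self.records.get((req["Loc_ID"], req["Req_ID"], req["Tran_ID"]))
        if rec is None:
            return "failure", "Invalid transaction request"
        if (self.clock() - rec.ts) >= rec.validity:
            return "failure", "Expired transaction"
        if rec.is_used:
            return "failure", "Repeated transaction"
        rec.is_used = True  # one-time use: any later scan of the same QR code is refused
        return "success", rec

    def usr_tran_req(self, req):
        """Step 9: USR_TRAN_RES carries PIN_Template and Rem_Validity, or a Reason."""
        status, payload = self.transaction_request_verify(req)
        if status != "success":
            return {"Status": status, "Reason": payload}
        rem = payload.validity - (self.clock() - payload.ts)
        return {"Status": status, "PIN_Template": payload.pin_template, "Rem_Validity": rem}


def run_scenarios():
    """Replays the cases argued in Section IV and returns each outcome."""
    clock = FakeClock()
    bank = SepiaServer({"alice": "correct horse"}, {"ATM-0001"}, validity=30.0, clock=clock)
    creds = {"Username": "alice", "Password": "correct horse"}

    # Genuine terminal: the user scans first, then a bystander scans the same QR code.
    res = bank.atm_tran_req("REQ-1", "ATM-0001", "48**29**")
    qr = {"Loc_ID": "ATM-0001", "Req_ID": "REQ-1", "Tran_ID": res["Tran_ID"]}
    clock.advance(5)
    first = bank.usr_tran_req({**creds, **qr})
    second = bank.usr_tran_req({**creds, **qr})

    # A scan that arrives after the Validity window has closed.
    res2 = bank.atm_tran_req("REQ-2", "ATM-0001", "1**7**30")
    qr2 = {"Loc_ID": "ATM-0001", "Req_ID": "REQ-2", "Tran_ID": res2["Tran_ID"]}
    clock.advance(31)
    late = bank.usr_tran_req({**creds, **qr2})

    # A terminal the bank never registered gets no record, so a QR code it shows is rejected.
    fake_res = bank.atm_tran_req("REQ-3", "FAKE-ATM", "00**11**")
    forged = bank.usr_tran_req({**creds, "Loc_ID": "FAKE-ATM", "Req_ID": "REQ-3", "Tran_ID": "TRAN-999"})

    # Wrong SEPIA password, e.g. a cloned card presented without the service credentials.
    bad_user = bank.usr_tran_req({"Username": "alice", "Password": "guess", **qr})

    return {
        "first": first["Status"], "first_rem": first["Rem_Validity"],
        "second": second["Reason"], "late": late["Reason"],
        "fake_terminal_record": fake_res, "forged": forged["Reason"],
        "bad_user": bad_user["Reason"],
    }
```

Note that the IsUsed flip happens on the server before the template is returned, so whichever party scans the QR code second is refused regardless of whether it was the user or the bystander, which is exactly the two-case argument above; the expiry check uses the same "current time minus TS" difference that Rem_Validity is computed from.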
The ATM software can easily be upgraded to incorporate the SEPIA cloud-enabled service for users with Internet-enabled devices.

V. IMPLEMENTATION

We have implemented a prototype for the proposed SEPIA protocol. The prototype consisted of a cloud-based SEPIA bank server, a Java-based desktop application to imitate the ATM terminal, and SEPIA user applications for Android and Google Glass. In this section, we present the details and the experimental results from the prototype implementation.

Fig. 2: SEPIA ATM Prototype Implementation. (a) Java Desktop ATM Application Layout (screens "Initialize SEPIA" and "SEPIA Options"); (b) SEPIA ATM Application Running on Model-B Raspberry Pis.

All identifiers within the protocol were generated using the Java universally unique identifier (UUID) package as 32-character alphanumeric strings. Network communication between the bank server in the cloud, the ATM, and the user is done via RESTful APIs over HTTPS using a server-side certificate.

A. Bank Server Web Application

The SEPIA service was implemented as a web-based application on a cloud instance using Apache Tomcat [27]. The server was deployed on an Amazon EC2 t2.small instance running Ubuntu Server. The back-end was implemented using a MySQL database, which was running on the same cloud instance. The response and control logic was developed using JavaServer Pages. The application generates 8-digit PIN_Templates using the Java random generator. The first step creates an 8-digit random number, and then replaces 4 random positions to create the PIN_Template.

B. ATM Point-of-Service Terminal Application

A real-life ATM terminal context is difficult to simulate within the lab environment. To analyze the complexity of the proposed protocol, we developed an imitated scenario for the ATM point-of-service using a graphical desktop application. The application was developed in Java with an intuitive interface similar to an ATM banking application. The graphical interface for the ATM application is shown in Figure 2a. The ATM application communicates with the bank server over HTTPS using client-side verification. The application was executed on Model B Raspberry Pis with 512 MB RAM and cabled network connectivity to communicate with the bank server, as shown in Figure 2b. The application had a start screen with a "Start" label to indicate to users that they may begin interacting with the ATM for a transaction.
Once clicked, the application displayed a QR code of dimension 200px*200px, along with a numeric keypad for the user to enter the PIN template.

Fig. 3: SEPIA Google Glass Application User Flow. (Cards shown: "OK Glass" / Tap to start; Start SEPIA; Create New Password, which creates a new Google Glass password and displays it, e.g. "abcdefgh"; Scan Code, which starts the camera view, scans the QR code, and displays the PIN Template, e.g. "3 4 * * 9 * * 0".)

C. SEPIA User Application

We developed the SEPIA user application for both Android mobile devices and the Google Glass. The Google Glass is a ubiquitous wearable device whose display is only viewable by the person wearing it. The device therefore inherently filters out the imminent threat of observation attacks. The user control flow for the Google Glass interface is shown in Figure 3. The Google Glass application operates by displaying option cards to the user. Once the application is launched, there are two options: "Create New Password" and "Scan Code". We implemented a new password creation option for the Google Glass for usability reasons. It is not a trivial task to provide manual input on the Google Glass device. Therefore, a user is expected to create a new password through the SEPIA Google Glass application. The new password is then displayed on the screen for the user, who can enter and save it in the SEPIA service profile on the bank's website. The other option, scanning the code, starts the camera view. Once the user has successfully scanned the QR code, the protocol is automatically triggered and the PIN_Template is displayed on the screen. The Android mobile application follows a similar user flow. However, the mobile application does not have the new password creation option. Rather, it has a username/password-based login panel to log in to the SEPIA application. After the user logs in, the QR code can be scanned and the PIN_Template is displayed after the protocol is executed.

D. Performance Experiment

The SEPIA protocol introduces two additional message exchanges compared to the single verification request in regular PIN validation protocols. The two message interactions are the ATM_TRAN_REQ and ATM_TRAN_RES messages between the point-of-service and the bank server, and the USR_TRAN_REQ and USR_TRAN_RES messages between the user and the bank server. We measured the time required for the two pairs of message interactions with the bank server for a total of 10,000 requests and responses.

1) ATM Request: The plot for sending and receiving 10,000 ATM_TRAN_REQ and ATM_TRAN_RES messages is displayed in Figure 4a. The plot also shows the line for the lambda-connectedness of the time measurement.

Fig. 4: Time Measurements between SEPIA Requests and Responses. (a) ATM_TRAN_REQ & ATM_TRAN_RES; (b) USR_TRAN_REQ & USR_TRAN_RES. (Each panel marks its mean.)

The mean time required for sending and receiving the total 10,000 messages was milliseconds, with a standard deviation of milliseconds. The 25% and 75% quartiles were at milliseconds and milliseconds respectively. Even though this was a small-scale controlled environment, the results show negligible time requirements in terms of request and response processing.

2) User Request: The user request times are measured between the USR_TRAN_REQ and USR_TRAN_RES messages. Figure 4b illustrates the scatter plot for the measured times between the 10,000 request-response pairs. The mean required time was milliseconds, with a standard deviation of milliseconds. The 25% and 75% quartiles were at milliseconds and milliseconds respectively. The time between the user request and response is higher than that for the ATM. The small increase in this case is due to the verification algorithm which runs on the bank server to verify the USR_TRAN_REQ request and ensure the security of the SEPIA protocol. The required time is still not a major overload in terms of system overhead.

VI. USABILITY STUDY

The implemented SEPIA prototype was used to perform a usability study. In this case, we focused on the human factors involved in the operation of the SEPIA service. The study consisted of 8 participant users and their timing measurements while interacting with the SEPIA service. We measured the times required for users to scan QR codes using both the Android mobile application and the Google Glass, as well as the times required to enter the PIN code using the PIN_Template.

A. Demographics and Procedure

The usability study was conducted with 8 SEPIA participant users. There were 4 male users within the age range of 27 to 34, and 4 female users within the age range of 22 to 28. Most participants had never used a Google Glass before.
The participants were therefore given a short tutorial on the use of Google Glass. The data collection procedure was then described to the users as follows:

1) The participants were given a pre-defined PIN and approximately 10 minutes to commit it to short-term memory.
2) To observe how comfortably users scan a QR code with a mobile device, each participant scanned the QR code displayed on the SEPIA ATM 10 times with the Android application.
3) Next, each participant used the Google Glass SEPIA application to scan the QR code from the SEPIA ATM application 10 times.
4) Each participant then used the ATM application interface to enter their PIN 10 times.
5) Finally, the participants used the SEPIA protocol to obtain a PIN template and entered the same PIN, this time using the PIN template. This was repeated 10 times for each participant.

B. QR Code Scanning

We asked the participants to scan the SEPIA QR code using both the Google Glass and the Android application; in both cases each user performed the scan at least 10 times. The Android phone, being a familiar and more convenient device, was easier for the users. This was an anticipated outcome, as the Google Glass is not yet a common gadget for participants to own. The QR scan times
for both Google Glass and the Android phone for each of the 8 users are shown in Figure 5a. The smaller box plots for the phone measurements compared to Google Glass show that the users behaved more consistently when scanning the QR codes with their phones. However, we observed that the usability and convenience of the Google Glass improved even within the 10 scans each user performed: the highest points for each user were among the first few attempts, and they dropped sharply for all users with repeated trials.

Fig. 5: QR Code (200px*200px) Scan Times using Mobile Phone and Google Glass. (a) User-wise Distribution of QR Scan Times; (b) Aggregate Data Distribution for QR Scan Times.

Fig. 6: Time Required by Participants. (a) Only PIN; (b) PIN on PIN Template.

We also show the aggregated data distribution for the QR scan times in Figure 5b, including the box plot for the mean and the quartiles of the data with the outliers. The mean time required for scanning the QR code using the phone and the Google Glass was 4.75 seconds and seconds respectively. The quartiles (25%, 50%, 75%) for the phone were at 3.80 seconds, 4.44 seconds, and 5.05 seconds respectively. The quartiles (25%, 50%, 75%) for the Google Glass were at 7.13 seconds, seconds, and seconds respectively. We saw an overall approximate difference of
8 to 10 seconds between the QR scan times for the phone and the Google Glass. Moreover, these measurements were for participants who were most likely using Google Glass for the first time. Given the gradual improvement we observed over subsequent trials, this is not a major usability concern. Another important factor was the size of the displayed QR code. To impose the maximum constraint on the users, we generated 200px*200px QR images; scanning performance with the Google Glass is expected to improve with larger QR-code images.

C. PIN and Obfuscated PIN Entry

The participants were asked to perform two procedures. Initially, they entered only the 4-digit PIN. The distribution of the time taken and the quartile ranges for the 8 participants for simple PIN entry are shown in Figure 6a, and the corresponding success/failure ratio in Figure 7a. The mean time taken by all participants over the successful attempts only was milliseconds. Next, the participants entered the PIN using the PIN Template. We measured two time segments: the response time and the entry time. The response time is the time the user needs to look at the current PIN Template and start entering the digits. The entry time is the time taken to key in the digits as the user mentally superimposes the PIN on the PIN Template. The measured times for all participants are shown in Figure 6b, and the corresponding success/failure ratio in Figure 7b. The mean response and entry times over all successful attempts were milliseconds and milliseconds respectively. The difference between the two cases allowed us to quantify the additional overhead imposed on the users.
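The template-based entry that participants timed above is worth seeing end to end. The following Python simulation is an added illustration and not code from the SEPIA prototype; because this page does not give the template format or the message fields, it assumes that the template is a random permutation of the ten digits, that the user's device sends an enrolled token with USR_TRAN_REQ to show it belongs to the cardholder, and that the ATM forwards the keyed digits in its ordinary PIN verification request. It walks through the ATM_TRAN_REQ/RES and USR_TRAN_REQ/RES exchanges measured in the performance experiment, the user's mental superimposition of the PIN on the template, and the server's decode, then shows why a replay of the observed keystrokes, a scan from a non-enrolled device, and a relayed nonce all fail.

```python
"""Toy simulation of a SEPIA-style one-time PIN template and its two message pairs.

Added illustration, not code from the SEPIA prototype. The page does not give the
template format or message fields, so three ASSUMPTIONS are made here: the template
is a random permutation of the ten digits, the user's device carries an enrolled
token in USR_TRAN_REQ to show it belongs to the cardholder, and the ATM forwards
the keyed digits in its ordinary PIN-verification request.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

DIGITS = "0123456789"


@dataclass
class Transaction:
    card_id: str
    qr_nonce: str                              # content of the QR code on the terminal screen
    template: Optional[Dict[str, str]] = None  # issued once, after a valid scan


class BankServer:
    def __init__(self) -> None:
        self.pins: Dict[str, str] = {}      # card_id -> PIN (plaintext only in this toy)
        self.devices: Dict[str, str] = {}   # card_id -> enrolled device token (assumption)
        self.txns: Dict[str, Transaction] = {}

    def enroll(self, card_id: str, pin: str, device_token: str) -> None:
        self.pins[card_id] = pin
        self.devices[card_id] = device_token

    def atm_tran_req(self, card_id: str) -> Dict[str, str]:
        """ATM_TRAN_REQ -> ATM_TRAN_RES: register the transaction, return what the QR code encodes."""
        txn_id = secrets.token_hex(8)
        nonce = secrets.token_urlsafe(16)
        self.txns[txn_id] = Transaction(card_id, nonce)
        return {"txn_id": txn_id, "qr_nonce": nonce}

    def usr_tran_req(self, txn_id: str, scanned_nonce: str,
                     device_token: str) -> Optional[Dict[str, str]]:
        """USR_TRAN_REQ -> USR_TRAN_RES: check co-location and device, then issue a template once."""
        txn = self.txns.get(txn_id)
        if txn is None or txn.template is not None:
            return None   # unknown transaction, or a template was already handed out
        if not hmac.compare_digest(scanned_nonce, txn.qr_nonce):
            return None   # the scanned code is not this terminal's current QR code
        if not hmac.compare_digest(device_token, self.devices.get(txn.card_id, "")):
            return None   # not the device enrolled for this card
        perm = list(DIGITS)
        secrets.SystemRandom().shuffle(perm)
        txn.template = dict(zip(DIGITS, perm))   # PIN digit -> digit the user keys on the ATM
        return dict(txn.template)

    def verify(self, txn_id: str, keyed: str) -> bool:
        """The ATM's usual PIN check, now decoded through the one-time template."""
        txn = self.txns.pop(txn_id, None)   # consumed on first use, so a replay finds nothing
        if txn is None or txn.template is None:
            return False
        inverse = {v: k for k, v in txn.template.items()}
        recovered = "".join(inverse.get(d, "?") for d in keyed)
        return hmac.compare_digest(recovered, self.pins.get(txn.card_id, ""))


def superimpose(pin: str, template: Dict[str, str]) -> str:
    """What the user does in their head: look up each PIN digit on the template, key the mapped digit."""
    return "".join(template[d] for d in pin)


def run_scenario() -> Dict[str, object]:
    """Honest transaction plus three misuse attempts; returns the outcomes and the two exchange times."""
    bank = BankServer()
    bank.enroll("card-42", "4071", device_token="glass-token-abc")   # constructed sample data
    results: Dict[str, object] = {}

    t0 = time.perf_counter()
    atm_res = bank.atm_tran_req("card-42")                           # ATM_TRAN_REQ / ATM_TRAN_RES
    results["atm_ms"] = (time.perf_counter() - t0) * 1000

    t0 = time.perf_counter()
    template = bank.usr_tran_req(atm_res["txn_id"], atm_res["qr_nonce"],
                                 "glass-token-abc")                  # USR_TRAN_REQ / USR_TRAN_RES
    results["usr_ms"] = (time.perf_counter() - t0) * 1000

    keyed = superimpose("4071", template)           # what a shoulder-surfer sees on the keypad
    results["honest_ok"] = bank.verify(atm_res["txn_id"], keyed)
    results["replay_ok"] = bank.verify(atm_res["txn_id"], keyed)   # same keys again: template consumed

    # Card in hand but not the enrolled device: the server issues no template.
    atk = bank.atm_tran_req("card-42")
    results["attacker_gets_template"] = bank.usr_tran_req(
        atk["txn_id"], atk["qr_nonce"], "attackers-phone") is not None
    # Enrolled device, but a nonce relayed from some other screen: no template either.
    results["wrong_nonce_gets_template"] = bank.usr_tran_req(
        atk["txn_id"], "not-this-terminal", "glass-token-abc") is not None
    # Enrolled device and a genuine scan, but a wrong PIN superimposed correctly: rejected.
    tpl = bank.usr_tran_req(atk["txn_id"], atk["qr_nonce"], "glass-token-abc")
    results["wrong_pin_ok"] = bank.verify(atk["txn_id"], superimpose("0000", tpl))
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Two caveats a practitioner would check before treating such a template as observation-proof: a digit permutation preserves the repetition pattern of the PIN (a PIN like 1122 always keys as two pairs, whatever the template), and an observer who can see both the template on the wearable display and the keypad learns the PIN, which is why the template belongs on the personal device and never on the terminal screen. The timing fields mirror what Figure 4 measures for the prototype, but here they cover in-process function calls rather than network round trips.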
The total mean time difference, including response and entry time, between simple PIN entry and SEPIA was seconds. This can be considered a minimal additional cost for SEPIA compared to simple PIN entry. We also observed that users performed better after a few attempts: initial attempts took longer than later ones, as can be seen from the small interquartile range of the PIN Template entry times compared to their maximum. The number of failed attempts was also minimal, with a total of only 5% failed attempts, compared to 2.5% for simple PIN entry.

Fig. 7: Success/Failure Ratio for Each Participant. (a) Only PIN; (b) PIN on PIN Template.

VII. RELATED WORK

De Luca et al. [2] and Bhatla et al. [6] have presented analyses of credit card fraud schemes and the loopholes exploited by attackers. Asokan et al. [28] analyzed attacks on compromised ATM terminals and presented approximate solutions for the identified security issues. Relay attacks, particularly on credit cards, have been studied by Drimer et al. [16]. Coventry et al. [1] proposed a biometric-based authentication scheme for ATMs. Raj et al. [3] and Sethi et al. [4] have presented surveys of advanced credit card fraud detection mechanisms. The protocol design of the SEPIA service addresses these credit card attacks. Modern solutions for secure financial transactions involve card-less interactions, where users generally rely on a secondary device to perform the operation [7, 8]. However, such solutions have also increased the theft of credentials through lost devices. There are numerous game-based authentication techniques, such as the cognitive trapdoor game [29], used to secure PIN entry and authentication at ATMs.
Unfortunately, these cognition-centric security designs will always have limited usability for general users. Sasamoto et al. [13] presented Undercover, a shoulder-surfing-resistant PIN authentication scheme. De Luca et al. presented VibraPass [26], which uses the phone's vibration channel as a tactile input for preventing shoulder-surfing. These solutions rely on additional hardware at the ATM terminal and may not be ready-to-deploy solutions for secure PIN authentication, whereas SEPIA works with the hardware currently in place at ATM and point-of-service terminals. Lee et al. presented a similar PIN-mapping technique in [19] and proposed quantitative techniques to evaluate the security of PIN-based authentication approaches. With the introduction
of modern devices such as the Google Glass, the usability of such secure systems can be greatly improved. A related work, Ubic, uses Google Glass to decrypt an on-screen QR-encoded password using the client's certificate [21]. SEPIA, however, does not rely on stored client certificates, and can be considered resistant to attack even if the user loses the personal device. Moreover, the SEPIA service lets the user's device offload all security-critical operations to the cloud and is highly scalable without imposing resource-hungry operations on the personal mobile or wearable device.

VIII. CONCLUSION

ATM authentication using PIN entry is highly susceptible to shoulder-surfing or observation attacks. Credit/debit cards are also not resilient to relay, skimming and cloning attacks. In this paper, we proposed Secure-PIN-Authentication-as-a-Service (SEPIA), a cloud-based obfuscated-PIN authentication service for ATMs and point-of-service terminals using personal mobile or wearable devices. The security design of SEPIA is based on the visual privacy of a one-time-use PIN template on the user's device and addresses the security vulnerabilities of PIN-based authentication. The protocol requires no additional hardware support at currently operating ATM terminals and offloads the computation for verifying transaction requests from the mobile device. A proof-of-concept prototype implementation was used to perform an experimental analysis and a usability study. The results show that users adapt easily to template-based authentication. Our future work involves applying the SEPIA service to newer application fields, such as PIN-enabled doors and visual authentication mechanisms.

ACKNOWLEDGMENT

This research was supported by a Google Faculty Research Award, the Department of Homeland Security Grant FA , and by the National Science Foundation CAREER Award CNS .

REFERENCES

[1] L. Coventry, A. De Angeli, and G. Johnson, "Usability and biometric verification at the ATM interface," in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. ACM, 2003.
[2] A. De Luca, M. Langheinrich, and H. Hussmann, "Towards understanding ATM security: a field study of real world ATM use," in Proceedings of the 6th Symposium on Usable Privacy and Security. ACM.
[3] S. Raj and A. Portia, "Analysis on credit card fraud detection methods," in Computer, Communication and Electrical Technology (ICCCET), 2011 International Conference on, March 2011.
[4] N. Sethi and A. Gera, "A revived survey of various credit card fraud detection techniques," International Journal of Computer Science and Mobile Computing, vol. 3, no. 4, April.
[5] M. Dlamini, J. H. Eloff, and M. M. Eloff, "Information security: The moving target," Elsevier Computers & Security, vol. 28, no. 3, May.
[6] T. P. Bhatla, V. Prabhu, and A. Dua, "Understanding credit card frauds," Cards Business Review, vol. 1, no. 6.
[7] G. Stanley, "Card-less financial transaction," Apr., US Patent App. 14/257,588.
[8] S. N. White, "Secure mobile-based financial transactions," Feb 2013, US Patent 8,374,916.
[9] E. Weise, "Home Depot's credit cards may have been hacked," online, Sep 2014, USA Today.
[10] R. Khan, M. Mizan, R. Hasan, and A. Sprague, "Hot zone identification: Analyzing effects of data sampling on spam clustering," Journal of Digital Forensics, Security and Law (JDFSL), vol. 9, no. 1.
[11] Bureau of Justice Statistics, "Identity Theft Supplement (ITS) to the National Crime Victimization Survey," online at content/pub/pdf/vit12.pdf.
[12] R. Anderson, "Why cryptosystems fail," in Proceedings of the 1st ACM Conference on Computer and Communications Security. ACM, 1993.
[13] H. Sasamoto, N. Christin, and E. Hayashi, "Undercover: Authentication usable in front of prying eyes," in Proceedings of the 26th Annual SIGCHI Conference on Human Factors in Computing Systems. New York, NY, USA: ACM, 2008.
[14] M. Roland and J. Langer, "Cloning credit cards: A combined pre-play and downgrade attack on EMV contactless," in Proceedings of the 7th USENIX Workshop on Offensive Technologies.
[15] R. Anderson and S. J. Murdoch, "EMV: Why payment systems fail," Communications of the ACM, vol. 57, no. 6, Jun.
[16] S. Drimer and S. J. Murdoch, "Keep your enemies close: Distance bounding against smartcard relay attacks," in Proceedings of the 16th USENIX Security Symposium, 2007.
[17] S. Schaible, "How thieves clone your credit cards," online, Jul 2014, WFLA News Report.
[18] J. Kegley, "Financial crimes: Credit card cloning is a growing form of identity theft," online at /financial-crimes-credit-card-cloning.html, Jun.
[19] M.-K. Lee and H. Nam, "Secure and usable PIN-entry method with shoulder-surfing resistance," in HCI International 2013 - Posters' Extended Abstracts. Springer, 2013.
[20] M.-K. Lee, "Security notions and advanced method for human shoulder-surfing resistant PIN-entry," IEEE Transactions on Information Forensics and Security, vol. 9, no. 4, April.
[21] J. Hsu, "How Google Glass can improve ATM banking security," online, Mar 2014, IEEE Spectrum.
[22] S. Safavi and Z. Shukur, "Improving Google Glass security and privacy by changing the physical and software structure," Life Science Journal, vol. 11, no. 5.
[23] B. Krebs, "Would you have spotted the fraud?" online at http://krebsonsecurity.com/2010/01/would-you-have-spotted-the-fraud/, Jan 2010, Krebs on Security.
[24] L. Richardson and S. Ruby, RESTful Web Services. O'Reilly Media, Inc.
[25] Y. Liu, J. Yang, and M. Liu, "Recognition of QR code with mobile phones," in Control and Decision Conference (CCDC), Chinese, July 2008.
[26] A. De Luca, E. von Zezschwitz, and H. Hussmann, "VibraPass: Secure authentication based on shared lies," in Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, ser. CHI '09. New York, NY, USA: ACM, 2009.
[27] A. Vukotic and J. Goodwill, Apache Tomcat 7, 1st ed. Berkeley, CA, USA: Apress.
[28] N. Asokan, H. Debar, M. Steiner, and M. Waidner, "Authenticating public terminals," Computer Networks, vol. 31, no. 8.
[29] V. Roth, K. Richter, and R. Freidinger, "A PIN-entry method resilient against shoulder surfing," in Proceedings of the 11th ACM Conference on Computer and Communications Security. New York: ACM, 2004.
More informationPayment Fraud and Risk Management
Payment Fraud and Risk Management Act Today! 1. Help protect your computer against viruses and spyware by using anti-virus and anti-spyware software and automatic updates. Scan your computer regularly
More informationTwo Factor Zero Knowledge Proof Authentication System
Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted
More informationThe Convergence of IT Security and Physical Access Control
The Convergence of IT Security and Physical Access Control Using a Single Credential to Secure Access to IT and Physical Resources Executive Summary Organizations are increasingly adopting a model in which
More informationMicrosoft.NET Passport, a solution of single sign on
Microsoft.NET Passport, a solution of single sign on Zheng Liu Department of Computer Science University of Auckland zliu025@ec.auckland.ac.nz Abstract: As the World Wide Web grows rapidly, accessing web-based
More informationLayered security in authentication. An effective defense against Phishing and Pharming
1 Layered security in authentication. An effective defense against Phishing and Pharming The most widely used authentication method is the username and password. The advantages in usability for users offered
More informationDevice-Centric Authentication and WebCrypto
Device-Centric Authentication and WebCrypto Dirk Balfanz, Google, balfanz@google.com A Position Paper for the W3C Workshop on Web Cryptography Next Steps Device-Centric Authentication We believe that the
More informationWhite Paper: Are there Payment Threats Lurking in Your Hospital?
White Paper: Are there Payment Threats Lurking in Your Hospital? With all the recent high profile stories about data breaches, payment security is a hot topic in healthcare today. There s been a steep
More informationSecuring Virtual Desktop Infrastructures with Strong Authentication
Securing Virtual Desktop Infrastructures with Strong Authentication whitepaper Contents VDI Access Security Loopholes... 2 Secure Access to Virtual Desktop Infrastructures... 3 Assessing Strong Authentication
More informationBiometric Authentication Platform for a Safe, Secure, and Convenient Society
472 Hitachi Review Vol. 64 (2015), No. 8 Featured Articles Platform for a Safe, Secure, and Convenient Society Public s Infrastructure Yosuke Kaga Yusuke Matsuda Kenta Takahashi, Ph.D. Akio Nagasaka, Ph.D.
More informationGuide to Evaluating Multi-Factor Authentication Solutions
Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor
More informationThe Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems
The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems Becky Cutler Rebecca.cutler@tufts.edu Mentor: Professor Chris Gregg Abstract Modern day authentication systems
More informationTwo-Factor Authentication: Guide to FEXCO CFX SMS/APP Verification
Guaranteeing you the Highest Levels of Security Online At FEXCO CFX, we are dedicated to ensuring that our clients enjoy the highest standards of security. In order to combat the risk of online fraud and
More informationWhitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION
Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION TWO-FACTOR AUTHENTICATION A RECENT SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PARED WITH THE FACT THAT
More informationGuide to credit card security
Contents Click on a title below to jump straight to that section. What is credit card fraud? Types of credit card fraud Current scams Keeping your card and card details safe Banking and shopping securely
More informationGlobal Deployment of Finger Vein Authentication
Global Deployment of Finger Vein Authentication Hitachi Review Vol. 61 (2012), No. 1 35 Yutaka Matsui Akihito Sawada Shigenori Kaneko Yuji Nakamaru Ravi Ahluwalia Dipak Kumar OVERVIEW: Finger vein authentication
More informationAwase-E: Image-based Authentication for Mobile Phones using User s Favorite Images
Awase-E: Image-based Authentication for Mobile Phones using User s Favorite Images Tetsuji TAKADA 1 and Hideki KOIKE 2 1 SONY Computer Science Laboratories Muse Bldg. 3-14-13 Higashigotanda, Shinagawa-ku,
More informationWeb Payment Security. A discussion of methods providing secure communication on the Internet. Zhao Huang Shahid Kahn
Web Payment Security A discussion of methods providing secure communication on the Internet Group Members: Peter Heighton Zhao Huang Shahid Kahn 1. Introduction Within this report the methods taken to
More informationENHANCING ATM SECURITY USING FINGERPRINT AND GSM TECHNOLOGY
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 4, April 2014,
More informationCyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014
Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014 Introduction: Cyber attack is an unauthorized access to a computer
More informationMANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security
MANAGING RISK: SECURING DIGITAL IDENTITIES Striking the balance between user experience and security You re more connected, but more at risk too Enterprises are increasingly engaging with partners, contractors
More informationSecurity Failures in Smart Card Payment Systems: Tampering the Tamper-Proof
Security Failures in Smart Card Payment Systems: Tampering the Tamper-Proof Saar Drimer Steven J. Murdoch Ross Anderson www.cl.cam.ac.uk/users/{sd410,sjm217,rja14} Computer Laboratory www.torproject.org
More informationa. StarToken controls the loss due to you losing your Internet banking username and password.
1. What is StarToken? StarToken is the next generation Internet banking security solution that is being offered by Bank of India to all its Internet Banking customers (Retail as well as Corporate). StarToken
More informationExtending EMV payment smart cards with biometric on-card verification
Extending EMV payment smart cards with biometric on-card verification Olaf Henniger 1 and Dimitar Nikolov 2 1 Fraunhofer Institute for Computer Graphics Research IGD Fraunhoferstr. 5, D-64283 Darmstadt,
More informationMODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION
Whitepaper MODERN THREATS DRIVE DEMAND FOR NEW GENERATION MULTI-FACTOR AUTHENTICATION A SURVEY SHOWS THAT 90% OF ALL COMPANIES HAD BEEN BREACHED IN THE LAST 12 MONTHS. THIS PAIRED WITH THE FACT THAT THREATS
More informationpreliminary experiment conducted on Amazon EC2 instance further demonstrates the fast performance of the design.
Privacy-Preserving Public Auditing For Secure Cloud Storage ABSTRACT: Using cloud storage, users can remotely store their data and enjoy the on-demand high-quality applications and services from a shared
More informationGuide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication. Mobile App Activation
Guide for Setting Up Your Multi-Factor Authentication Account and Using Multi-Factor Authentication Mobile App Activation Before you can activate the mobile app you must download it. You can have up to
More informationEnsuring Security in Cloud with Multi-Level IDS and Log Management System
Ensuring Security in Cloud with Multi-Level IDS and Log Management System 1 Prema Jain, 2 Ashwin Kumar PG Scholar, Mangalore Institute of Technology & Engineering, Moodbidri, Karnataka1, Assistant Professor,
More informationEmerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER
Emerging Trends in the Payment Ecosystem: The Good, the Bad and the Ugly DAN KRAMER SHAZAM, Senior Vice President Agenda The Ugly Fraud The Bad EMV? The Good Tokenization and Other Emerging Payment Options
More informationTwo-Factor Authentication: Tailor-Made for SMS
SAP Thought Leadership Paper SAP Mobile Services Two-Factor Authentication: Tailor-Made for SMS Exploring Myths, Misconceptions, and Best Practices for SMS-Based 2FA Table of Contents 4 Understanding Two-Factor
More informationVoice Authentication for ATM Security
Voice Authentication for ATM Security Rahul R. Sharma Department of Computer Engineering Fr. CRIT, Vashi Navi Mumbai, India rahulrsharma999@gmail.com Abstract: Voice authentication system captures the
More information