IDRBT Working Paper No. 11

Authentication factors for Internet banking

M V N K Prasad and S Ganesh Kumar

ABSTRACT

The all-pervasive and continued growth of technology, coupled with the increased use of alternate delivery channels by banks, has made appropriate authentication of customers significantly important for the banking system. Banks in India have adopted different authentication mechanisms over the last few years to provide security. In the search for more effective authentication techniques, one approach that promises substantial benefit is mutual authentication, which can be implemented by posing challenge questions. This paper elucidates the various facets of mutual authentication and outlines the way forward for banks to provide mutual authentication using identifiable pictures, listing three approaches for storing these pictures: identifiable pictures stored at the server end, stored at the client side, or divided into two transparencies using Visual Cryptography to ensure secure authentication.

1.0 Introduction

The technological metamorphosis in banking has resulted in a plethora of delivery channels now being available to customers of banks. Retail customers have perhaps benefited most from technology-based systems such as Core Banking and clustered systems, as well as from delivery channels such as Automated Teller Machines, Internet banking and mobile banking, to name a few. In all these new delivery channels the most important requirement is identifying the customer, who no longer visits the branch premises but accesses the bank's services through the new channels. Identification in the banking context happens through a variety of means, but the most important aspects checked are the account number and the name of the customer.
Once identification is complete, the next factor to be validated is authentication of the customer, to ensure that the person who claims to be the customer is indeed the customer. Authentication plays a vital role especially where the customer is not present in front of the banker or its authorized representative. It assumes even more significance in online banking, where a public medium of access such as the Internet is used to reach the bank's IT systems (and thus ultimately the customer's funds). There are multiple ways in which banks can authenticate users, ranging from simple systems such as a username and password combination to complex systems such as biometrics and/or one-time-use variable tokens. As technology continues to change, banks need to adapt their security systems to combat threats posed by malafide actors, imposters, hackers, thieves, and the like. Selecting the right technologies cannot be generalized for every organization; however, knowing what authentication techniques are available is the first step in moving over to
Working paper No. 11 - Authentication factors for Internet banking 1
a secure environment. This paper attempts to provide an overview of the appropriate technological tools available for authentication in Internet-based banking.

Internet banking is a service offered by banks through which customers gain access to the financial services of the bank from a computer over the Internet, without the need to visit the branch. This means of access has gained substantial ground since its introduction in the late nineties, and almost all commercial banks in the country offer Internet-based access to their customers. With the large-scale usage of Internet banking, the attendant risks of the Internet also began to surface, exposing both the bank and the customer: cases of malafide access to customer accounts, fraudulent withdrawal of funds, phishing, spamming and other such online frauds. Authentication has thus become one of the main factors in Internet banking for banks to provide secure and safe banking to users. This prompted the Reserve Bank of India (RBI), as the regulator of the banking system in the country, to review the entire gamut of Internet banking and issue guidelines for authentication in online banking. A similar approach was followed in other countries, with the Federal Financial Institutions Examination Council (FFIEC) in the US issuing guidance for banks on single factor authentication in 2001 and on two factor authentication in 2005 to prevent online fraud. It is interesting to note that on June 28, 2011, the FFIEC issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in October 2005, while RBI had issued guidelines for banks to implement two factor authentication for online banking in 2008 itself. These have, to some extent, mitigated the risks associated with Internet banking.
2.0 Authentication - Overview

Authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given person, computer, process, etc. In the banking context authentication is preceded by identification and followed by authorization. Authorization involves verifying that an authenticated subject has permission to perform certain operations or access specific resources.

Authentication procedures are based on three factors related to the user, i.e. the person who is authenticating, say, a transaction in Internet banking. They are: 1. what the user knows, 2. what the user possesses, and 3. what the user is. Table 1 lists the various options used under each of the three factors.

Table 1: Authentication Factors

User knows              | User possesses         | User is
Username, Password      | USB Token, Smart Card  | Fingerprint, Palm print
PIN                     | OTP by SMS/token       | IRIS
Card No., CVV 2         | Swipe cards            | Voice, Vein pattern
3D Secure/VbV           | Mobile                 | Signature
Identifiable picture    |                        |

2.1 Types of Authentication
Authentication mechanisms are of three kinds, based on the authentication factors shown in Table 1:

2.1.1 Single Factor Authentication

An authentication mechanism that utilizes any one of the factors is called single factor authentication. This is the basic authentication method (for example, a user id and password falls under this category).

2.1.2 Two Factor Authentication

An authentication mechanism that utilizes a combination of two factors, e.g. user knows and user possesses. This method is used by various banks for online banking authentication. For example, the user uses a password as the first factor (user knows) and a One-Time Password (OTP) as the second factor (user possesses) to perform, say, a funds transfer transaction.

2.1.3 Multi Factor Authentication

An authentication mechanism where two or more factors are used, of which one necessarily pertains to what the user is (for example, a large value transaction authorized in a bank using a combination of the person's user id, a smart card and a biometric factor).

2.2 Authentication factors used by banks

2.2.1 Authentication factors used by Indian banks

Indian banks generally use two factor authentication, seeking the username, password and OTPs to authenticate users in online banking. Most banks in India deliver OTPs by SMS or hard tokens as the second factor. After the customer logs in to net banking with id and password, banks provide an OTP for each transaction and ask for a password (the same as the login password or a different one) to provide security and reduce fraud. Some banks use OTPs as a second layer of authentication immediately after login with id and password, and also use OTPs for transactions. It may be mentioned that this has been implemented based on regulatory requirements.
2.2.2 Authentication factors used by foreign banks

Foreign banks also use two factor authentication for online banking. Most banks use the basic username and pass code, plus OTPs delivered through a mobile device, a security device or a hard token. There are also instances of banks providing an extra layer of authentication by introducing a site key, by means of which the user-customer can identify fake websites. Some banks provide hard tokens or security devices for generating dynamic OTPs; others use security tokens or mobile phones to generate them. From the above it can be seen that, although there is no uniform pattern in the use of authentication factors for online banking, the approaches follow a general trend towards two factor authentication.
Some of the facilities available in this area are described below.

3.0 Mutual authentication

Mutual authentication, or two-way authentication, can be provided between the user and the organization: it refers to two parties authenticating each other. In online authentication processes, mutual authentication is referred to as website-to-user authentication; by means of it the user knows that he/she is on the valid banking website.

Mutual authentication can be implemented by providing some challenge questions. At the time of enrollment the customer selects an image (identifiable picture), an image title and an optional text phrase from a collection of images provided on the banking website; the customer can further change this image during the first login. Thereafter, when the customer enters the login id and before entering the password, the site randomly asks these challenge questions, and when the user answers them it displays the image, title and phrase. If the displayed image is correct, the customer can enter the password and log in; if not, the customer can stop logging in and contact the bank. This lets the customer know whether it is the real banking website or a fake one. The facility allows the customer and the server to authenticate each other, so that phishing attacks can be reduced.

Identifiable pictures (images) are thus one of the authentication factors that can be used to provide website authentication. They act as an extra layer of authentication to prevent unauthorized access to accounts and assure the customer that he/she is at the valid online banking site. Identifiable pictures used for web authentication can be stored in three different ways: 1. images stored at the server side (web server), 2. images stored at the client side, and 3. images divided into two shares, storing one share at the server side and the other at the client side and merging the two shares using visual cryptography.
The above three mechanisms are explained in ANNEXURE I.

3.1 Challenge-Response mechanism

A challenge-response mechanism can be implemented for high value transactions that exceed some threshold; the threshold value depends on the bank. When the customer initiates a transaction beyond the threshold, the bank's site can pose a challenge question, and if the customer answers it correctly he/she can proceed with the transaction. This provides an extra layer of authentication on top of two factor authentication (password and OTP).

4.0 Multi factor authentication

Multi factor authentication requires two or more of the three factors used for authenticating the user, and provides users higher levels of protection against online banking fraud. It includes biometrics (something the user is) as one factor; hence it improves security for online banking customers and reduces online fraud. This authentication can be provided for customers (corporate or individual) who make transactions beyond the threshold value set by the bank.
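The following is an added illustration, not code from the paper or from any bank: a toy server-side model of the mutual-authentication login of section 3.0 (login id, then a challenge question, then picture/title/phrase, then password) together with the threshold challenge-response of section 3.1. The account, questions, picture and threshold are constructed for the example.

```python
"""Added example, not from the paper: a toy server-side model of the mutual
authentication login of section 3.0 (login id -> challenge question -> picture,
title, phrase -> password) and the threshold challenge-response of section 3.1.
All accounts, questions, pictures and secrets below are constructed."""
import hashlib
import hmac
import os
import random

def _digest(secret, salt):
    """Salted PBKDF2 so that neither passwords nor challenge answers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.strip().lower().encode(), salt, 50_000)

class BankServer:
    def __init__(self, threshold):
        self.threshold = threshold  # bank-defined amount above which a challenge is posed
        self.users = {}

    def enroll(self, login_id, password, picture, questions):
        """Enrollment: the customer picks picture, title and phrase and sets answers."""
        salt = os.urandom(16)
        self.users[login_id] = {
            "salt": salt,
            "pw": _digest(password, salt),
            "picture": picture,  # (image name, title, phrase)
            "questions": {q: _digest(a, salt) for q, a in questions.items()},
        }

    def begin_login(self, login_id):
        """Step 1: only the login id is sent; the server picks a random question."""
        user = self.users.get(login_id)
        return None if user is None else random.choice(list(user["questions"]))

    def reveal_picture(self, login_id, question, answer):
        """Step 2: picture, title and phrase are released only on a correct answer,
        so a login id alone does not leak the customer's picture."""
        user = self.users[login_id]
        if hmac.compare_digest(user["questions"][question], _digest(answer, user["salt"])):
            return user["picture"]
        return None

    def finish_login(self, login_id, password):
        """Step 3: the password is checked last, after the customer has seen the picture."""
        user = self.users[login_id]
        return hmac.compare_digest(user["pw"], _digest(password, user["salt"]))

    def authorize_transfer(self, login_id, amount, answer_fn):
        """Section 3.1: transfers above the threshold need a correct challenge answer."""
        if amount <= self.threshold:
            return True
        question = self.begin_login(login_id)
        return self.reveal_picture(login_id, question, answer_fn(question)) is not None

def client_login(site, login_id, password, expected_picture, answers):
    """Customer side: enter the password only if the site shows the enrolled picture."""
    question = site.begin_login(login_id)
    if question is None:
        return "unknown user"
    shown = site.reveal_picture(login_id, question, answers.get(question, ""))
    if shown != expected_picture:
        return "stop: picture not recognised, contact the bank"
    return "logged in" if site.finish_login(login_id, password) else "wrong password"

def demo():
    """Constructed scenario: the genuine bank versus a fake site that lacks the picture."""
    picture = ("lighthouse.png", "My lighthouse", "sea breeze")
    answers = {"First school?": "St. Mary", "Favourite city?": "Hyderabad"}
    bank = BankServer(threshold=50_000)
    bank.enroll("alice", "correct horse", picture, answers)
    fake = BankServer(threshold=50_000)  # a fake site knows neither picture nor answers
    fake.enroll("alice", "x", ("beach.png", "Beach", ""), {"Pet?": "dog"})
    return {
        "genuine": client_login(bank, "alice", "correct horse", picture, answers),
        "fake": client_login(fake, "alice", "correct horse", picture, answers),
        "large_ok": bank.authorize_transfer("alice", 90_000, lambda q: answers[q]),
        "large_bad": bank.authorize_transfer("alice", 90_000, lambda q: "guess"),
    }
```

The customer-side check is the part that matters: the password is typed only after the enrolled picture, title and phrase have been recognised, so a site that cannot produce them never receives the password.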
5.0 SMS alert

An SMS can be sent to the customer immediately after a transaction, and also after logging on to the online banking website. This makes the customer aware of any unauthorized login or access to his/her account. SMS alerts, as the name suggests, only alert the customer; they complement the authentication factors listed above.

6.0 Identifiable pictures used as authentication factor

Identifiable pictures can also be used as a password for authentication. A graphical password is generated every time the user logs in, from a set of images stored on the client's computer. These images can thus act as one of the authentication factors (password).

7.0 Suggestions

The following outlines the broad levels of authentication suggested for enhancing the level of security in the authentication process for online banking in the Indian context. For each suggestion, the risk mitigation, ease of use, cost and strengths/weaknesses are listed.

Suggestion 1: Mutual authentication between the user and the organization using identifiable features such as specific pictures selected by the user-customer.
Risk mitigation: Reduces the risks associated with phishing attacks.
Ease of use: User friendly and easy to use, remember and implement; there are no major overheads for the bank either.
Cost: Minor costs for the bank; no cost implication for the customer.
Strength: It provides an extra layer of user authentication and helps the user identify the real website.
Weakness: If the entire repository storing the user features is compromised or breached, the factor loses its significance.
Suggestion 2: Challenge-response mechanism for high value transactions which exceed a particular threshold level.
Risk mitigation: Reduces phishing type attacks, incidents arising out of MIM (man in the middle) attacks, and easy pattern recognition; reduces the risk of unauthorized access to accounts and enhances the safety of large value transactions.
Ease of use: Easy to use by simply answering questions; can be implemented for transactions which cross the threshold.
Cost: Cost is involved at the bank end for posing the challenge questions; no cost is involved as far as the customer is concerned.
Strength: This can be used as an extra layer of authentication to reduce online fraud and improve security.
Weakness: It becomes difficult for a customer to remember many challenge questions for different types of authentication. This may entice him to use the same question across multiple locations and not change it at all for long periods of time. The weaknesses associated with passwords may apply to this factor as well.

Suggestion 3: Multi factor authentication for transactions which exceed a specific threshold level.
Risk mitigation: Reduces the risks related to identity theft, man in the middle attacks, etc.
Ease of use: Easy to use.
Cost: As biometrics is used, cost will be involved for the bank as well as the customer.
Strength: This provides a secure environment since multiple factors are used.
Weakness: The customer has to navigate through multiple levels of complexity, making it cumbersome. Challenges associated with rejection of certain factors such as biometrics by some target population groups do exist, resulting in customer difficulties.
8.0 Various authenticating mechanisms categorized into a matrix, so that banks can offer multiple options and customers can choose what is right for them

The mechanisms are placed along two axes, how easy they are to crack and how easy they are to implement:

Easy to crack ------- Difficult to crack
Easy to implement --------------------------------------------------Difficult to implement-----

Easy to use, difficult to crack:
1. Mutual authentication by identifiable pictures provides easy access and is somewhat difficult to crack; it provides an extra layer of site authentication beyond two factor authentication.
2. Username and password along with OTP (by SMS or hard token) is easy to use and difficult to crack.

Easy to use, easy to crack:
1. Username and password is easy to use and also easy to crack.

Difficult to use, difficult to crack:
1. Authentication using smart cards and hard tokens (security devices) is difficult to use and difficult to crack.
2. Biometric authentication is also difficult to crack and difficult to use.
3. Multi factor authentication also provides strong authentication, but at high cost.
ANNEXURE I

The three different mechanisms of storing the identifiable pictures and authenticating users to provide online security are:
1. Authentication using identifiable pictures (images) stored at server side
2. Authentication using identifiable pictures stored at client side
3. Authentication using Visual cryptography

1.0 Authentication using identifiable pictures (images) stored at server side (web server)

Users select their desired images (identifiable pictures) displayed on the bank's site, and the bank's server stores the image in its database. If the bank's server displays the customer's image during login, before the password is entered, the customer can be assured that he/she is at the original online bank website. For example, in the site key mechanism [1], the bank's site stores an image and text on the bank's server and displays it when the customer. This assures the customer that he is at the valid banking site.

1.1 Advantages
1. It helps customers recognize whether they are at the valid banking site or at a fraudulent site.
2. It adds another layer of online security to online banking and prevents unauthorized access to accounts.
3. It lowers the risk of identity theft and fraud.
4. It reduces the risks related to phishing attacks.

1.2 Disadvantages
1. It does not fully reduce man-in-the-middle attacks.

2.0 Authentication using identifiable pictures stored at client side

Identifiable pictures can also be stored on the client side computer to assure the user that he is on the real site and not on a phishing site. Here the user himself provides some images; the server randomly takes some parts of the images and displays them, and then the user enters the password. The picture password mechanism is a novel integration of client side secrets and graphical passwords [2] [3]. It asks the user to create a graphical password by choosing four images in a particular order from a set of twelve.
This set of twelve images, taken from a large set of images, is stored on the client's computer. Every time the user logs in, he/she has to select the same four images in the same order to produce the graphical password. It is impossible for a phisher to know the set of twelve images and to pick the right images in the right order.
2.1 Advantages
1. With this method users fail to reveal even a single image from their password during a phishing attempt and, in a blind test, none revealed the entire password.
2. This feature reduces brute force attacks and search attacks when compared to site key.

2.2 Disadvantages
1. This method can be used only when users log in from the computer on which they registered.
2. It doesn't recognize a phishing site when the user logs in from another device or computer.

3.0 Authentication using Visual cryptography

Visual cryptography is a cryptographic technique which allows visual information (pictures, text, etc.) to be encrypted in such a way that decryption can be performed by the human visual system [4, 5]. It is a visual secret sharing scheme, where an image is broken up into N shares so that only someone with all N shares can decrypt the image, while any N-1 shares reveal no information about the original image. It is as if each share were printed on a separate transparency and decryption performed by overlaying the shares: only when all N shares are overlaid does the original image appear.

The concept of visual cryptography can be used in Internet banking. The picture is divided into two shares; one share is stored at the bank's server and the other at the client side. The customer is already provided with one share image, and when he/she logs in, the bank's server provides the other secret share image; using the visual cryptographic technique the two transparencies are overlaid to display the decrypted image. It is not possible to retrieve the secret information from one of the shares. Images can be of any format: jpg, png or bitmap images can be used.

3.1 Image decryption using visual cryptography

In this mechanism, the share 1 image is stored at the server side and the share 2 image is stored at the client side, i.e. on the client's computer.
When the customer logs in to the banking site, the server side image transparency is merged through the visual cryptographic technique with the client side stored image, and the overlapped decrypted image is displayed as shown in Figure 1, so that the customer can proceed with the further login process.
Figure 1: image decryption using visual cryptography (panels: Share 1, Share 2, Share 1 + Share 2)

3.2 Text decryption using Visual Cryptography

Figure 2 shows text encryption using visual cryptography. In Figure 2 the text message IDRBT has been split into two shares. The original logo is split into two shares made up of blocks containing both black and white pixels. When two identical blocks are overlaid they align exactly, and the result is a light-colored block with half white and half black pixels. If only one share is given, a second share can be crafted to reveal any possible image; hence individual shares reveal no information about the original image [4].
Figure 2: Text decryption using visual cryptography (panels: Share 1, Share 2, Share 1 + Share 2 showing IDRBT)

3.3 Advantages of visual cryptography
1. An essential advantage of visual cryptography is that no previous knowledge or experience in the field of cryptography is needed in order to apply it.
2. It is impossible to retrieve the information when one share is intercepted.
3. Visual cryptography is performed only with the combination of two shares; hence it can reduce phishing attacks to some extent.

3.4 Disadvantages
1. If the customer logs in from any other device or computer, this system cannot give assurance against a phishing site, as the client side secret is stored on the registered computer.

3.5 Challenges in implementation
1. Splitting an image into two shares, merging the shares and displaying the decrypted image should take very little time.
2. Since one share is stored on the client's computer, the customer can log in only from the registered computer; he is not able to log in from any other unregistered computer.
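The following is an added example, not code from the paper: a (2,2) visual secret sharing scheme of the kind described in sections 3.0 to 3.2 of this annexure, with the split, the overlay and the crafted-share property of section 3.2. The bitmap and the 2x2 block patterns are the example's own constructions.

```python
"""Added example, not from the paper: a (2,2) visual secret sharing scheme of the
kind described in Annexure I, sections 3.0 to 3.2, including the crafted-share
property. Images are small constructed bitmaps: '#' black pixel, '.' white."""
import random
from itertools import combinations

# Each secret pixel expands to a 2x2 block holding exactly two black subpixels
# (subpixel order: top-left, top-right, bottom-left, bottom-right; 1 = black).
PATTERNS = [tuple(1 if i in blacks else 0 for i in range(4))
            for blacks in combinations(range(4), 2)]

def complement(block):
    return tuple(1 - b for b in block)

def make_shares(secret, rng=random.SystemRandom()):
    """Split a bitmap into two shares. Each block of share 1 is drawn uniformly
    from PATTERNS whatever the secret pixel is, so a lone share looks random."""
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for px in row:
            block = rng.choice(PATTERNS)
            r1.append(block)
            # white pixel: identical block, so the stack stays half black;
            # black pixel: complementary block, so the stack becomes fully black.
            r2.append(block if px == "." else complement(block))
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def overlay(share1, share2):
    """Stacking two transparencies: a subpixel is black if it is black in either share."""
    return [[tuple(a | b for a, b in zip(p, q)) for p, q in zip(r1, r2)]
            for r1, r2 in zip(share1, share2)]

def decode(stacked):
    """What the eye sees: a fully black block reads as black, a half-black one as white."""
    return ["".join("#" if sum(block) == 4 else "." for block in row) for row in stacked]

def craft_second_share(share1, target):
    """Given only share 1, build a share 2 so that the stack shows ANY chosen target.
    Because this is always possible, a single share carries no information."""
    return [[p if px == "." else complement(p) for p, px in zip(row, trow)]
            for row, trow in zip(share1, target)]

def render(share):
    """Expand a share into printable text rows, e.g. to write a transparency to a file."""
    lines = []
    for row in share:
        lines.append("".join("#" if b else "." for p in row for b in p[:2]))
        lines.append("".join("#" if b else "." for p in row for b in p[2:]))
    return lines

SECRET = [  # constructed 5x5 bitmap of the letter "I"
    "#####",
    "..#..",
    "..#..",
    "..#..",
    "#####",
]

if __name__ == "__main__":
    s1, s2 = make_shares(SECRET)
    print("\n".join(render(s1)), "\n")          # the server-side share on its own
    print("\n".join(decode(overlay(s1, s2))))   # stacked with the client-side share
```

Printing a single share shows only random half-black blocks, and craft_second_share shows why intercepting one share (section 3.3, point 2) yields nothing: the same share 1 can be completed to display any image at all.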
4.0 Conclusion

This paper describes the use of identifiable pictures for authentication in Internet banking. These pictures or images can be used for website authentication and to identify phishing websites, thereby reducing fraud and phishing. We explained three ways of storing these pictures: storing images at the server side, storing images at the client side, and storing one image share on the server and the other share on the client's computer and merging the shares using the concept of visual cryptography. In the last approach neither share alone can reveal the image; only the combination of the two shares reveals the decrypted image, which reduces phishing and man in the middle attacks.

5.0 References
1. Fraud Vulnerabilities in Site Key Security at Bank of America, Review draft to Bank of America/RSA: June 26, 2006, Cambridge, MA, July 18, 2006. http://www.redforcelabs.com/documents/sitekey.pdf
2. Picture password protects your account from phishing, 4 November 2011. http://www.newscientist.com/blogs/onepercent/2011/11/forgettable-password-protects.html
3. PhorceField: A Phish-Proof Password Ceremony. http://www.cs.sunysb.edu/~rob/papers/phorcefield.pdf
4. Visual Cryptography, Wikipedia. http://en.wikipedia.org/wiki/visual_cryptography
5. Visual Cryptography. http://users.telenet.be/d.rijmenants/en/visualcrypto.htm