hPIN/hTAN: A lightweight and low-cost e-banking solution against untrusted computers
Li, SJ, Sadeghi, A-R, Heisrath, S, Schmitz, R and Ahmad, JJ (2012) hPIN/hTAN: A lightweight and low-cost e-banking solution against untrusted computers In: 15th International Conference on Financial Cryptography and Data Security (FC 2011), 2011-02-28 - 2011-03-04, Gros Islet, St. Lucia.
Available under License : See the attached licence file.
In this paper, we propose hPIN/hTAN, a low-cost hardware token based PIN/TAN system for protecting e-banking systems against the strong threat model where the adversary has full control over the user’s computer. This threat model covers various kinds of attacks related to untrusted terminal computers, such as keyloggers, screen scrapers, session hijackers, Trojan horses and transaction generators. The core of hPIN/hTAN is a secure and easy user-computer-token interface. The security is guaranteed by the user-computer-token interface and two underlying security protocols for user/server/transaction authentication. The hPIN/hTAN system is designed as an open framework so that the underlying authentication protocols can be easily reconfigured. To minimize the costs and maximize usability, we chose two security protocols dependent on simple cryptography (a cryptographic hash function). In contrast to other hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel nor a secure keypad nor external trusted center. Our prototype implementation does not involve cryptography beyond a cryptographic hash function. The minimalistic design can also help increase security because more complicated systems tend to have more security holes. As an important feature, hPIN/hTAN exploits human users’ active involvement in the whole process to compensate security weaknesses caused by careless human behavior.
|Item Type:||Conference or Workshop Item (Paper)|
|Additional Information:||The original publication is available at http://www.springerlink.com|
|Divisions:||Faculty of Engineering and Physical Sciences > Computing Science|
|Depositing User:||Symplectic Elements|
|Date Deposited:||26 Jun 2012 11:18|
|Last Modified:||18 Sep 2014 01:56|
Actions (login required)
Downloads per month over past year