Strong Authentication for Financial Services: PTDs as a Compromise Between Security and Usability

Gianluigi Me (University of Rome, Italy), Daniele Pirro (University of Rome, Italy) and Roberto Sarrecchia (University of Rome, Italy)
Copyright: © 2009 | Pages: 14
DOI: 10.4018/978-1-60566-366-1.ch007
Currently the most popular attacks on E-Banking Web applications target authentication systems that rely on single-side client authentication, showing their definitive ineffectiveness for financial services. Furthermore, most Web authentication systems have been built on the classic username/password mechanism or on One-Time Password systems using a single channel, either mobile or Web, which yields an authentication system of inadequate level and enforces a false perception of security, as phishing shows. Two-factor authentication is not a panacea, but it mitigates many threats, especially when combined with a Personal Trusted Device, such as the popular smartphones. As a rule of thumb, the adoption of authentication systems for B2C services is driven by ease of use more than by the robustness of the adopted security system. For this reason, the proposed solution is a system that tries to preserve usability while strengthening authentication, with a combined Web/mobile authentication system.
Chapter Preview


A crucial phase of a web transaction is user authentication. During this step many problems can occur and many attacks are possible, whose target is access to the restricted resources. To face this threat, current systems frequently adopt the HTTP basic authentication mechanism even when the applications are critical. Further authentication mechanisms, described in the following sections, have been proposed to improve web authentication security with regard to user friendliness; they do not yet represent a panacea, still being prone to different attacks. As Schneier (2005) suggests, two-factor authentication mitigates, but does not definitively solve, this problem, and no solution is foolproof.

According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million gave sensitive information to the phishers, up from 1.9 million adults the year before. Phishing effectiveness has not changed since August 2006; instead, the number of victims shows a slight rise. For this reason, new forms of combined attacks appear, such as the man-in-the-browser attack, where trojan horses can modify transactions on the fly. Furthermore, one of the most famous recent wiretapping scandals (Prevelakis & Spinellis, 2007), the Greek cellphone caper, confirms that the definitive solution for financial services over external, untrusted networks is to embed security in the end-to-end participant terminals.

In this paper we first classify the e/m-banking threats, based on an attack tree model, then we introduce the state of the art of e/m-banking authentication systems and, finally, we present a new authentication system, based on a combined web/mobile procedure, taking into account security and usability as major requirements. The basic authentication mechanism is integrated with a challenge/response process and a One-Time Password (OTP). The challenge is issued by an authentication server and has to authenticate a mobile device, typically a cell phone with Java capabilities. This device can communicate with any other involved party through a fixed terminal, typically a personal computer, via a Bluetooth connection. The mobile device, once accepted, performs the authentication with the web site or application. This final step is accomplished using a temporary one-time password.
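The preview above describes the flow only at the level of roles and messages: first factor at the PC, a challenge sent to the phone through the PC's Bluetooth link, the phone's response verified by the authentication server, and a temporary one-time password that is then spent against the web application. The following simulation is an added example written for this page; it is not the chapter's own code and the chapter does not specify the cryptography, so the HMAC-SHA256 challenge response, the PBKDF2 password store, the 60-second OTP lifetime and all names, secrets and identifiers are assumptions chosen to illustrate the exchange. The Bluetooth relay is modelled as a plain function call, since the PC only forwards bytes between the server and the phone.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo data. In a real deployment the per-device secret is
# provisioned at enrolment and never leaves the phone (assumption).
DEVICE_SECRETS = {"alice-phone": bytes.fromhex("00112233445566778899aabbccddeeff")}
USER_DEVICE = {"alice": "alice-phone"}
_SALT = b"constructed-salt"
PASSWORD_DB = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
OTP_TTL_SECONDS = 60  # assumed lifetime of the temporary password


class PersonalTrustedDevice:
    """The phone (PTD): holds the shared secret and answers server challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def answer(self, challenge: bytes) -> bytes:
        # Response = HMAC-SHA256(secret, challenge); only the response is sent back.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """Issues challenges, verifies responses and mints single-use OTPs."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # username -> outstanding challenge
        self._otps = {}             # username -> (otp, expires_at)

    def begin(self, username: str, password: str) -> bytes:
        """Step 1: check the first factor, then issue a fresh random challenge."""
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
        if not hmac.compare_digest(PASSWORD_DB.get(username, b""), digest):
            raise PermissionError("bad credentials")
        challenge = secrets.token_bytes(16)
        self._pending[username] = challenge
        return challenge

    def complete(self, username: str, response: bytes) -> str:
        """Step 3: verify the PTD's response; on success mint a one-time password."""
        challenge = self._pending.pop(username)  # a challenge is usable once
        secret = DEVICE_SECRETS[USER_DEVICE[username]]
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            raise PermissionError("challenge response mismatch")
        otp = "".join(secrets.choice("0123456789") for _ in range(8))
        self._otps[username] = (otp, self.clock() + OTP_TTL_SECONDS)
        return otp

    def redeem(self, username: str, otp: str) -> bool:
        """Step 4: the web application asks whether this OTP is valid; it is consumed."""
        entry = self._otps.get(username)
        if entry is None:
            return False
        stored, expires_at = entry
        if self.clock() > expires_at:
            del self._otps[username]
            return False
        if not hmac.compare_digest(stored, otp):
            return False
        del self._otps[username]  # one-time: a replayed OTP is rejected
        return True


def web_login(server: AuthServer, phone: PersonalTrustedDevice,
              username: str, password: str) -> str:
    """Whole exchange as seen from the PC, which relays the challenge over Bluetooth."""
    challenge = server.begin(username, password)   # server -> PC
    response = phone.answer(challenge)             # PC -> phone -> PC (relay)
    return server.complete(username, response)     # PC -> server, OTP back


class FakeClock:
    def __init__(self, t: float):
        self.t = t

    def now(self) -> float:
        return self.t


def demo() -> dict:
    """Runs the happy path plus the failure modes a defender cares about."""
    clock = FakeClock(1000.0)
    server = AuthServer(clock=clock.now)
    phone = PersonalTrustedDevice(DEVICE_SECRETS["alice-phone"])
    otp = web_login(server, phone, "alice", "correct horse")
    results = {
        "first_use_ok": server.redeem("alice", otp),
        "replay_rejected": not server.redeem("alice", otp),
    }
    otp2 = web_login(server, phone, "alice", "correct horse")
    clock.t += OTP_TTL_SECONDS + 1
    results["expired_rejected"] = not server.redeem("alice", otp2)
    rogue = PersonalTrustedDevice(b"not-the-enrolled-secret")
    try:
        web_login(server, rogue, "alice", "correct horse")
        results["wrong_device_rejected"] = False
    except PermissionError:
        results["wrong_device_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The properties worth checking are the ones the chapter leans on: the phone's secret is never transmitted (only an HMAC over a random challenge is), each challenge and each OTP is accepted exactly once, and the OTP carries an expiry, so an OTP captured by a phishing page or a man-in-the-browser is useless after its single, short-lived use.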
