Currently the most popular attacks to the E-Banking Web applications target the authentication systems relying on the single-side client authentication, showing their definitively ineffectiveness for financial services. Furthermore, most of the Web authentication systems have been developed on the classic username/password mechanism or One time Password systems using a single channel, either mobile or Web, generating an authentication system at inadequate level, enforcing a false perception of security, as phishing shows. The two factors authentication is not the panacea, but mitigates many threats, especially when combined with a Personal Trusted Device, as the popular smartphones represent. As a rule of thumb, the adoption of authentication systems to provide services B2C is driven by its ease-to-use more than the robustness of the adopted security system. For this reason, the proposed solution represents a system which tries to preserve the usability and to strengthen the authentication, with a combined Web/mobile authentication system.
TopIntroduction
A very crucial phase of a web transaction is represented by the user authentication. During this step many problems can occur and many attacks are possible, whose target is to access the restricted resources. In order to face this threat, current systems frequently adopt the HTTP basic authentication mechanism even if the applications are critical. Further authentication mechanisms, described in the following sections, have been proposed to improve web authentication security with regard to user friendliness, not yet representing a panacea, still being prone to different attacks. As Schneier (2005) suggests, two-factor authentication mitigates, but not definitively solves, this problem and no solution is foolproof.
According to the Gartner survey of 5,000 online adults in August 2006, an estimated 24.4 million Americans have clicked on a phishing e-mail in 2006, up from approximately 11.9 million in 2005, while 3.5 million have given sensitive information to the phishers, up from 1.9 million adults last year. Currently, the phishing effectiveness has not changed since august 2006, revealing, instead, a slight raising shape of the victims. For this reason, new forms of combined attacks appear, as for the man-in-the-browser attack, where trojan horses can modify the transactions on-the-fly. Furthermore, one of the most famous recent wiretapping scandal (Prevelakis & Spinellis, 2007), the greek cellphone caper, confirms that the definitive solution for financial services over external, untrusted networks is to embed security in the end-to-end partecipant terminals.
In this paper we firstly classify the e/m-banking threats, based on an attack tree model, then we introduce the state of the art of the e/m-banking authentication systems and, finally, we will present a new authentication system, based on a combined web/mobile procedure, taking into account security and usability as major requirements. The basic authentication mechanism is integrated with a challenge/response process and an One Time Password (OTP). The challenge is issued from an authentication server and has to authenticate a mobile device, typically a cell phone with Java capabilities. This device can communicate with any other involved part through a fixed terminal, typically a personal computer, via a Bluetooth connection. The mobile device, once accepted, performs the authentication with the web site or application. This final step is accomplished using a temporary one-time password.