8/18/2019 Working Paper No. 11.pdf
1/12
Working paper No. 11 - Authentication factors for Internet banking 1
IDRBT Working Paper No. 11
Authentication factors for Internet banking
M V N K Prasad and S Ganesh Kumar
ABSTRACT
The all-pervasive and continued growth of technology, coupled with the increased use of alternate delivery channels by banks, has made appropriate authentication of customers a matter of significant importance for the banking system. Banks in India have been adopting different authentication mechanisms to provide security over the last few years. In the search for more effective authentication techniques, an approach which promises substantial benefit is mutual authentication, which can be implemented by providing some challenge questions. This paper elucidates the various facets of mutual authentication and outlines the way forward for banks to provide mutual authentication using identifiable pictures, by listing three approaches for storing these pictures, viz. identifiable pictures stored either at the server end or at the client side, or the picture divided into two transparencies using visual cryptography to ensure secure authentication.
1.0 Introduction
The technological metamorphosis in banking has resulted in a plethora of delivery channels now being available to customers of banks. Retail customers of banks have perhaps benefited most from technology based systems such as core banking and clustered systems, as well as from delivery channels such as Automated Teller Machines, Internet banking and mobile banking, to name a few. In all these new delivery channels the most important requirement is identifying the customer, who no longer visits the branch premises but accesses the services of the bank through the new delivery channels. Identification in the context of banks happens through a variety of means, but the most important aspects checked are the account number and the name of the customer. Once the identification process is complete, the next factor to be validated is authentication of the customer: ensuring that the person who claims to be the customer is indeed the customer.
Authentication plays a vital role especially where the customer is not present in front of the banker or its authorized representative. This assumes even more significance in online banking, where a public medium of access such as the Internet is used as the means of reaching the bank's IT systems (and thus ultimately the funds too, by the customer). There are multiple ways through which banks can authenticate users. These range from simple systems such as a combination of username and password to complex systems such as biometrics and/or one-time, variable tokens. As technology continues to change, banks need to adapt their security systems to effectively combat threats posed by malafide intents, imposters, hackers, thieves and the like. Selecting the right technologies for each organization cannot be generalized. However, knowing what authentication techniques are available is the first step in moving over to
a secure environment. This paper attempts to provide an overview of the appropriate technological
tools available for authentication in Internet based banking.
Internet banking is the service offered by banks through which customers can gain access to the financial services offered by the banks from a computer, over the Internet, without the need to visit the customer's bank. This means of access to banking services has gained substantial ground since its introduction in the late nineties, and almost all commercial banks in the country offer Internet based access to their customers. With the large scale usage of Internet banking, the attendant risks of the Internet also began to surface, exposing the bank as well as the customer: cases of malafide access to customer accounts, fraudulent withdrawal of funds, phishing, spamming and other such online frauds began to appear. Authentication has become one of the main factors in Internet banking for banks to provide secure and safe banking to their users. This prompted the Reserve Bank of India (RBI), as the regulator of the banking system in the country, to review the entire gamut of Internet banking and come out with guidelines for authentication in respect of online banking. A similar approach was followed in other countries as well: the Federal Financial Institutions Examination Council (FFIEC) in the US issued guidance on authentication for electronic banking in 2001 and, in October 2005, guidance stating that single factor authentication is inadequate for high-risk transactions, in order to prevent online fraud. It is interesting to note that on June 28, 2011 the FFIEC issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in October 2005, while RBI had already issued guidelines for banks to implement two factor authentication for online banking in 2008. These have, to some extent, mitigated the risks associated with Internet banking.
2.0 Authentication - Overview
Authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given person, computer, process, etc. In the banking context the authentication process is preceded by identification and followed by authorization. Authorization involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. Authentication procedures are based on three factors related to the user, i.e. the person who is authenticating, say, a transaction in Internet banking. They are:
1. User knows,
2. User possesses, and
3. User is.
The following are the various options used under each of the three factors.
User knows:      Username, Password, PIN, Card No., CVV2, 3D Secure / VbV, Identifiable picture
User possesses:  USB token, Smart card, OTP by SMS/token, Swipe cards, Mobile signature
User is:         Fingerprint, Palm print, Iris, Voice, Vein pattern
Table 1: Authentication Factors
2.1 Types of Authentication
Authentication mechanisms are of three kinds, based on the authentication factors shown in Table 1. These are:
2.1.1 Single Factor Authentication
An authentication mechanism that utilizes any one of the factors is called single factor authentication. This is the basic authentication method (for example, a user id and password comes under this category).
2.1.2 Two Factor Authentication
An authentication mechanism that utilizes a combination of two factors, e.g. User knows and User possesses. This method is used by various banks for authentication in online banking. E.g. the user uses a password as the first factor (User knows) and a One-Time Password (OTP) as the second factor (User possesses) to perform, say, a funds transfer transaction.
2.1.3 Multi Factor Authentication
An authentication mechanism where two or more factors are used, one of which necessarily pertains to 'the user is'.
(For example, a large value transaction authorized in a bank by using a combination of the person’s
user id, a smart card and his biometric authentication factor).
2.2 Authentication factors used by banks
2.2.1 Authentication factors used by Indian banks
Indian banks generally resort to two factor authentication, seeking the username, password and OTPs to authenticate users in online banking. Most banks in India use OTPs delivered by SMS or generated by hard tokens as the second factor. After the customer logs into net banking with id and password, banks send an OTP for any transaction and also ask for a password (the same as the login password or a different one) to provide security and reduce fraud. Some banks use OTPs as a second layer of authentication immediately after logging in with id and password, and also use OTPs for transactions. It may be mentioned that this has been implemented based on regulatory requirements.
2.2.2 Authentication factors used by foreign banks
Foreign banks also use two factor authentication for online banking. Most banks use the basic user name and pass code together with OTPs delivered to a mobile device or generated by a security device or hard token. There are also instances of certain banks providing an extra layer of authentication by introducing a site key, by means of which the user-customer can identify fake websites. Some banks provide hard tokens or security devices for generating dynamic OTPs; some use security tokens or mobile phones to generate them.
From the above, it can be seen that although there is no uniformity in the use of authentication factors for online banking, the approaches follow a general trend, which is the use of two factor authentication.
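The OTP produced by a hard token (sections 2.1.2 and 2.2) is typically an HOTP value as specified in RFC 4226. The following is an added illustration, not code from this paper or from any bank's system: it computes HOTP (HMAC-SHA-1, dynamic truncation, six digits) and shows the server-side check a bank must perform, keeping the last accepted counter and searching a small look-ahead window so that codes the customer generated but never submitted do not lock the token out. The shared secret and the expected codes are the RFC 4226 Appendix D test vectors; the look-ahead window size is an assumed policy value.

```python
import hashlib
import hmac
import struct

# RFC 4226 HOTP: the algorithm implemented by event-based hardware OTP tokens.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP value for a shared secret and a moving-factor counter."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()     # HMAC-SHA-1, 20 bytes
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one token: the shared secret and the next expected counter.

    The look-ahead window (assumed value: 5) tolerates OTPs the customer generated but
    never submitted, e.g. the token button was pressed twice.  Every accepted OTP moves
    the counter past the value used, so an intercepted OTP cannot be replayed.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            # constant-time comparison so the check does not leak matching digits
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1    # consume this counter and any skipped ones
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret "12345678901234567890"; first value is 755224.
    token_secret = b"12345678901234567890"
    print([hotp(token_secret, c) for c in range(3)])
```

The verifier accepts each code at most once: after `755224` (counter 0) is used, submitting it again fails, `969429` (counter 3) is still accepted because it lies inside the window, and `287082` (counter 1) is then rejected because the counter has moved past it. Time-based tokens (TOTP, RFC 6238) use the same function with the counter replaced by the current time divided by a fixed step, and OTPs sent by SMS are generated and expired by the bank's server rather than derived from a secret held by the customer.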
Some of the facilities available in this area are described below.
3.0 Mutual authentication
Mutual authentication, or two way authentication, can be provided between the user and the organization: it refers to the two parties authenticating each other. When describing online authentication processes, mutual authentication is referred to as website-to-user authentication; by means of it the user knows that he/she is on the valid banking website. Mutual authentication can be implemented by providing some challenge questions. The customer selects an image (identifiable picture), an image title and an optional text phrase from a collection of images provided on the banking website at the time of enrollment. The customer can further change this image during his first login. Thereafter, when the customer enters the login id and before entering the password, the site randomly asks one of these challenge questions and, when the user answers it, displays the image, title and phrase. If the displayed image is correct the customer can enter the password and log in; if not, the customer can stop logging in and contact the bank. This lets the customer know whether it is the real banking website or a fake one. The facility allows the customer and the server to authenticate each other, so that phishing attacks can be reduced.
Identifiable pictures (images) are one of the authentication factors that can be used to provide website authentication. They act as an extra layer of authentication to prevent unauthorized access to accounts and to assure the customer that he/she is at the valid online banking site. Identifiable pictures used for web authentication can be stored in three different ways:
1. Images stored at the server side (web server),
2. Images stored at the client side, and
3. Images divided into two shares, one share stored at the server side and the other at the client side, the two shares being merged using visual cryptography.
The above three mechanisms are explained in ANNEXURE I.
3.1 Challenge-Response mechanism
A challenge-response mechanism can be implemented for high value transactions which exceed some threshold; the threshold value depends on the bank. When the customer initiates a transaction beyond the threshold value, the bank site poses a challenge question and, if the customer answers it, he/she can proceed with the transaction. This facility provides an extra layer of authentication on top of two factor authentication (password and OTP).
4.0 Multi factor authentication
Multi factor authentication requires two or more of the three factors used for authenticating the user. It gives users higher levels of protection against online banking fraud. Multi factor authentication includes biometrics (something the user is) as one factor; hence it improves security for online banking customers and reduces online fraud. This authentication can be provided for customers (corporate or individual) who make transactions beyond the threshold value set by the bank.
5.0 SMS alert
An SMS can be sent to the customer immediately after a transaction, and after each login to the online banking website. This makes the customer aware of any unauthorized login or access to his/her account.
SMS alerts, as the name suggests, only alert the customer; they can complement the authentication factors listed above.
6.0 Identifiable pictures used as authentication factor
Identifiable pictures can also be used as a password for authentication. These pictures can be used to generate a graphical password every time the user logs in, from a set of images stored on the client's computer. The images then act as one of the authentication factors (password).
7.0 Suggestions
The following table outlines the broad levels of authentication suggested for enhancing the level of security in the authentication process for online banking in the Indian context. Its columns are: Suggestion, Risk mitigation, Ease of use, Cost, Strengths/Weaknesses.

Suggestion 1: Mutual authentication between the user and the organization using identifiable features, such as specific pictures selected by the user-customer.
Risk mitigation: Reduces the risks associated with phishing attacks.
Ease of use: User friendly and easy to use, remember and implement; there are no major overheads for the bank either.
Cost: Minor costs for the bank; no cost implication for the customer.
Strength: It provides an extra layer of user authentication and helps the user identify the real website.
Weakness: If the entire repository storing the user features is compromised or breached, the factor loses its significance.

Suggestion 2: Challenge-response mechanism for high value transactions which exceed a particular threshold level.
Risk mitigation: Reduces phishing type attacks, incidents arising out of man-in-the-middle (MIM) attacks, and easy pattern recognition. Reduces the risk of unauthorized access to accounts and enhances the safety of large value transactions.
Ease of use: Easy to use, by simply answering questions; can be implemented for transactions which cross the threshold.
Cost: Cost is involved at the bank end for posing the challenge questions. No cost is involved as far as the customer is concerned.
Strength: This can be used as an extra layer of authentication to reduce online fraud and improve security.
Weakness: It becomes difficult for a customer to remember many challenge questions for different types of authentication. This may entice him to use the same question across multiple locations and not change them at all for long periods of time. The weaknesses associated with passwords may apply to this factor as well.

Suggestion 3: Multi factor authentication can be provided for transactions which exceed a specific threshold level.
Risk mitigation: Reduces the risks related to identity theft and man-in-the-middle attacks etc.
Ease of use: Easy to use.
Cost: As biometrics is used, cost will be involved for the bank as well as the customer.
Strength: This provides a secure environment since multiple factors are used.
Weakness: The customer has to navigate through multiple levels of complexity, making it cumbersome. Challenges associated with rejection of certain factors such as biometrics for some target population groups do exist, resulting in customer difficulties.
8.0 Various authentication mechanisms categorized into a matrix, so that banks can offer multiple options and customers choose what is right for them
The matrix has two axes: ease of implementation (easy to implement ... difficult to implement) and resistance to attack (easy to crack ... difficult to crack).

Easy to implement, easy to crack:
1. Username and password is easy to use and also easy to crack.

Easy to implement, difficult to crack:
1. Mutual authentication by identifiable pictures provides easy access and is somewhat difficult to crack; it provides an extra layer of site authentication beyond two factor authentication.
2. Username and password along with OTP (by SMS or hard token) is easy to use and difficult to crack.

Difficult to implement, difficult to crack:
1. Authentication using smart cards and hard tokens (security devices) is difficult to use and difficult to crack.
2. Biometric authentication is also difficult to crack and difficult to use.
3. Multi factor authentication also provides strong authentication, but at high cost.
ANNEXURE –I
The three different mechanisms of storing the identifiable pictures and authenticating the users to provide online security are:
1. Authentication using identifiable pictures (images) stored at the server side
2. Authentication using identifiable pictures stored at the client side
3. Authentication using visual cryptography
1.0 Authentication using identifiable pictures (images) stored at server side
(web server)
Users select their desired image (identifiable picture) from those displayed on the bank's site and the bank's server stores the image in its database. If the bank's server displays the customer's image while logging in, before the password is entered, the customer can be assured that he/she is at the original online bank website. For example, in the SiteKey mechanism [1], the bank stores an image and text on the bank's server and displays it when the customer . This assures the customer that he is at the valid banking site.
1.1 Advantages
1. It helps customers recognize whether they are at the valid banking site or at a fraudulent site.
2. It adds another layer of online security to online banking and prevents unauthorized access to the accounts.
3. It lowers the risk of identity theft and fraud.
4. It reduces the risks related to phishing attacks.
1.2 Disadvantages
1. This does not fully reduce man-in-the-middle attacks: a phishing site that relays the customer's user id to the real bank in real time obtains the genuine image and can display it to the customer [1].
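The following simulation is an added example, not code from this paper or from any bank or from the SiteKey product: it models the two-step server-side site-key login described above (username first, image shown, then password) against a static cloned phishing page and against a phishing page that relays each request to the real bank as it arrives. The account, image name and password are constructed sample data; a real server would store a password hash, and the classes and method names are illustrative.

```python
# Server-side site-key login (Annexure 1.0) versus two kinds of phishing site.
# Added example with constructed data; not the paper's or any bank's code.

class BankServer:
    """Holds, per customer, the image chosen at enrolment and the login password."""

    def __init__(self):
        # Constructed sample account (hypothetical name, image and password).
        self.accounts = {"alice": {"site_key": "red-bicycle.png", "password": "correct horse"}}

    def get_site_key(self, username):
        """Step 1: the customer submits only the username; the server returns the image."""
        acct = self.accounts.get(username)
        return acct["site_key"] if acct else None

    def login(self, username, password):
        """Step 2: the customer submits the password after recognising the image."""
        acct = self.accounts.get(username)
        return acct is not None and acct["password"] == password


class StaticPhishingSite:
    """A cloned login page with no access to the bank: it can only guess an image."""

    def __init__(self):
        self.harvested = []

    def get_site_key(self, username):
        return "blue-car.png"               # a guess the customer will not recognise

    def login(self, username, password):
        self.harvested.append((username, password))
        return True


class RelayingPhishingSite:
    """A phishing page that forwards each request to the real bank in real time,
    so it can show the victim's genuine site-key image (the weakness in 1.2)."""

    def __init__(self, real_bank):
        self.real_bank = real_bank
        self.harvested = []

    def get_site_key(self, username):
        return self.real_bank.get_site_key(username)      # fetched live from the bank

    def login(self, username, password):
        self.harvested.append((username, password))
        return self.real_bank.login(username, password)   # the victim is even logged in


def customer_login(site, username, expected_site_key, password):
    """The customer's ceremony: stop before entering the password if the image is wrong."""
    shown = site.get_site_key(username)
    if shown != expected_site_key:
        return "aborted: site-key mismatch, password not entered"
    return "logged in" if site.login(username, password) else "login failed"


if __name__ == "__main__":
    bank = BankServer()
    print(customer_login(StaticPhishingSite(), "alice", "red-bicycle.png", "correct horse"))
    relay = RelayingPhishingSite(bank)
    print(customer_login(relay, "alice", "red-bicycle.png", "correct horse"), relay.harvested)
```

Against the static clone the customer aborts and the password is never sent; against the relaying site the genuine image is shown, the customer proceeds, and the password is harvested while the session succeeds. The relay can only reach data the bank holds, which is why the client-side and visual-cryptography variants in sections 2.0 and 3.0 keep part of the secret on the customer's computer.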
2.0 Authentication using identifiable pictures stored at client side
Identifiable pictures can also be stored on the client side computer to assure the user that he is on the real site and not on a phishing site. Here the user himself provides some images; the server randomly takes some parts of the images and displays them, and then the user enters the password.
The picture password mechanism is a novel integration of client side secrets and graphical passwords [2] [3]. It asks the user to create a graphical password by choosing four images, in a particular order, from a set of twelve. This set of twelve images, drawn from a large set of images, is stored on the client's computer. Every time the user logs in, he/she has to select the same four images in the same order to produce the graphical password. A phisher who has never seen the client's twelve-image set cannot present it, let alone the right four images in the right order.
2.1 Advantages
1. In a phishing attempt users fail to reveal even a single image of their password and, in a blind test, none revealed the entire password.
2. It reduces brute force and search attacks when compared to site key.
2.2 Disadvantages
1. This method can be used only when users log in from the computer on which they registered.
2. It does not recognize a phishing site when the user logs in from another device or computer.
3.0 Authentication using Visual cryptography
Visual cryptography is a cryptographic technique which allows visual information (pictures, text, etc.) to be encrypted in such a way that decryption can be performed by the human visual system [4, 5]. It is a visual secret sharing scheme in which an image is broken up into N shares so that only someone with all N shares can decrypt the image, while any N-1 shares reveal no information about the original image. It is as if each share were printed on a separate transparency and decryption performed by overlaying the shares: only when all N shares are overlaid does the original image appear.
The concept of visual cryptography can be used in Internet banking. The picture is divided into two shares; one share is stored on the bank's server and the other on the client side. The customer is provided with one share image in advance and, when he/she logs in, the bank's server provides the other share; the two transparencies are overlaid using the visual cryptographic technique to display the decrypted image. It is not possible to retrieve the secret information from one of the shares alone. The scheme operates on black-and-white (binary) images; the file format (jpg, png or bitmap) is immaterial.
3.1 Image Decryption using visual Cryptography
In this mechanism, the share 1 image is stored on the server side and the share 2 image on the client side, i.e. on the client's computer. When the customer logs in to the banking site, the server side transparency is merged with the client side image using the visual cryptographic technique and the overlaid, decrypted image is displayed as shown in Figure 1, so that the customer can proceed with the rest of the login process.
Figure 1: Image decryption using visual cryptography (figure omitted: Share 1, Share 2, and Share 1 + Share 2)
3.2 Text decryption using Visual Cryptography
Figure 2 shows text encryption using visual cryptography: the text "IDRBT" has been split into two shares. Each pixel of the original logo is expanded into a block of subpixels in each share. For a white pixel the two shares carry the same block, so when overlaid the blocks align exactly and the result is a light-coloured block with half white and half black subpixels; for a black pixel the two blocks are complementary and overlay to a fully black block. If only one share is given, a second share can be crafted to reveal any possible image; hence individual shares reveal no information about the original image [4].
Figure 2: Text decryption using visual cryptography (figure omitted: Share 1, Share 2, and Share 1 + Share 2 showing the text IDRBT)
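The (2,2) scheme described in sections 3.1 and 3.2, as an added example that is not code from this paper or from the references: each secret pixel is expanded into a two-subpixel block per share, overlaying is a pixel-wise OR (ink on either transparency blocks light), and a lone share is a per-pixel random choice independent of the secret. The forging function makes the claim in 3.2 concrete: from one share alone, a second share can be built that overlays to any chosen image. The 5x5 letter "I" secret is a constructed sample, not an image from the paper.

```python
import random

# Added example: (2,2) visual secret sharing (Naor-Shamir) for a black-and-white image.
#   white pixel -> both shares get the same block     -> overlay shows 1 of 2 subpixels black
#   black pixel -> shares get complementary blocks    -> overlay shows 2 of 2 subpixels black
# Share 1's block is chosen at random per pixel, independent of the secret, so a single
# share is indistinguishable from noise.

BLOCKS = ((1, 0), (0, 1))   # 1 = black (ink), 0 = transparent

def make_shares(secret, rng=random):
    """secret: rows of 0/1 (1 = black). Returns (share1, share2); rows are twice as wide."""
    share1, share2 = [], []
    for row in secret:
        r1, r2 = [], []
        for pixel in row:
            block = BLOCKS[rng.randrange(2)]
            r1.extend(block)
            r2.extend(block if pixel == 0 else (1 - block[0], 1 - block[1]))
        share1.append(r1)
        share2.append(r2)
    return share1, share2

def overlay(share1, share2):
    """Stack two transparencies: a subpixel is black if it is black on either sheet (OR)."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]

def recover(stacked):
    """Read the overlaid image: a fully black block is a black pixel, a half-black block is white."""
    return [[int(row[i] == 1 and row[i + 1] == 1) for i in range(0, len(row), 2)]
            for row in stacked]

def forge_second_share(share1, target):
    """Given only share 1 and any image of the same size, craft a share 2 that overlays
    to that image.  Every image is equally consistent with a lone share, which is the
    precise sense in which one share reveals nothing about the secret."""
    forged = []
    for r1, row in zip(share1, target):
        r2 = []
        for i, pixel in enumerate(row):
            block = (r1[2 * i], r1[2 * i + 1])
            r2.extend(block if pixel == 0 else (1 - block[0], 1 - block[1]))
        forged.append(r2)
    return forged

def render(image):
    """ASCII rendering: '#' for black, '.' for white."""
    return "\n".join("".join("#" if b else "." for b in row) for row in image)

# Constructed 5x5 secret (the letter "I"); not an image from the paper.
SECRET = [
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [1, 1, 1, 1, 1],
]

if __name__ == "__main__":
    bank_share, client_share = make_shares(SECRET, random.Random(7))
    print("share held by the bank:\n" + render(bank_share))
    print("share held on the customer's computer:\n" + render(client_share))
    print("overlay at login:\n" + render(overlay(bank_share, client_share)))
```

Run stand-alone it prints the two shares and their overlay; the recovered image has the original's contrast reduced by half (white pixels show as grey blocks), which is the "light-coloured block" of section 3.2 and is inherent to the scheme. The forging function is also the reason a bank must never let the same share be reused for a second secret: two secrets sharing a transparency would let an attacker relate them.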
3.3 Advantages of visual cryptography
1. An essential advantage of visual cryptography is that no previous knowledge or experience in the field of cryptography is needed in order to apply it.
2. It is impossible to retrieve the information when only one share is intercepted.
3. The image is recovered only from the combination of the two shares; hence it can reduce phishing attacks to some extent.
3.4 Disadvantages
1. If the customer logs in from any other device or computer, this system gives no assurance against a phishing site, as the client side secret is stored on the registered computer.
3.5 Challenges in implementation
1. The image has to be split into two shares, and merging the shares and displaying the decrypted image should take very little time.
2. Since one share is stored on the client's computer, the customer can log in only from the registered computer and not from any other, unregistered computer.
4.0 Conclusion
This paper describes the use of identifiable pictures for authentication in Internet banking. These pictures or images can be used for website authentication and to identify phishing websites, so that fraud and phishing can be reduced. We explained three ways of storing these pictures: storing the images at the server side, storing them at the client side, and storing one share of the image on the server and the other share on the client's computer and merging the shares using visual cryptography. In the last approach neither share on its own can reveal the image; only the combination of the two shares reveals the decrypted image, which reduces phishing and man-in-the-middle attacks.
5.0 References
1. Fraud Vulnerabilities in SiteKey Security at Bank of America, review draft to Bank of America/RSA, June 26, 2006; Cambridge, MA, July 18, 2006. http://www.redforcelabs.com/Documents/SiteKey.pdf
2. Picture password protects your account from phishing, New Scientist, 4 November 2011. http://www.newscientist.com/blogs/onepercent/2011/11/forgettable-password-protects.html
3. PhorceField: A Phish-Proof Password Ceremony. http://www.cs.sunysb.edu/~rob/papers/phorcefield.pdf
4. Visual cryptography, Wikipedia. http://en.wikipedia.org/wiki/Visual_cryptography
5. Visual Cryptography. http://users.telenet.be/d.rijmenants/en/visualcrypto.htm