An Implementation of Internet Banking Authentication using OTP and QR Code with Digital Signature on Mobile Phone
Puchong Subpratatsavee (1) and Pramote Kuacharoen (2)
Department of Computer Science, Graduate School of Applied Statistics
National Institute of Development Administration
118 Serithai Rd. Bangkapi, Bangkok 10240 Thailand
(1) puchong.sp@gmail.com, (2) pramote@as.nida.ac.th
Abstract. Internet banking is becoming popular for financial transactions such as money transfers and payments for goods or services. However, transactions over the Internet may be attacked by criminals, for example through password guessing or social engineering. Some banks therefore use a one-time password (OTP) to verify ownership of the account; the OTP code is used only once and cannot be reused. The OTP code is sent via SMS (short message service) to the mobile phone number that the account holder registered with the bank. However, the OTP can also be trapped and attacked, because mobile phones nowadays allow users to install applications manually, and an attacker can attach malware or a Trojan to such an application. When the user performs a financial transaction through online banking and reaches the step of confirming identity with the OTP, the malware or Trojan may forward the SMS OTP code to the attacker. This paper presents the design and implementation of internet banking authentication with an OTP delivered to the mobile phone as a QR Code carrying a digital signature, to prevent attacks through wireless interception of the SMS sent by the bank and attacks by malware and Trojans attached to applications.
Keywords: OTP, QR Code, internet banking, authentication, mobile phone, digital signature, Trojan
1 Introduction
Financial transactions through online banking are becoming popular because they are convenient and the steps are not complicated, but financial transactions over the Internet are vulnerable to attacks and data theft. Banks use a one-time password (OTP) sent via SMS to the mobile phone number registered with the account for the authentication and authorization of online financial transactions. However, SMS can be attacked and captured by an attacker, for example through wireless interception: GSM technology is not safe because it does not authenticate the identity of both the sender and the recipient, and research has shown that an attacker can eavesdrop on the communication between the mobile station and the network and decrypt the data using weaknesses of the protocol [4,5]. In addition, an attacker can intercept mobile (GSM) traffic, including the SMS of a specific user [20], and can obtain the tools and equipment used to attack or listen to telephone conversations and secretly read SMS in order to commit online crime [19]. Furthermore, an attacker can secretly read SMS from a user's mobile phone using a Trojan designed to intercept and steal the OTP from SMS; this threat is increased by malware created by criminals for the purpose of financial crime. Such Trojans run when the victim receives the OTP by SMS and forward it in an SMS to the attacker, or intercept the SMS on the victim's phone. Current Trojans that target OTP theft are aimed at the phone platforms that are popular both past and present, such as Symbian [3], Android [9], BlackBerry [10] and so on. The researchers are therefore aware of the risks that may arise from the current use of OTP passwords. This paper designs and develops an OTP form using a QR Code with a digital signature and mobile phones to increase the stability and security of authentication and authorization for financial transactions over the Internet.
This paper consists of five sections. The next section provides background information and related work relevant to the paper. Section 3 describes the design and implementation of the proposed scheme. Section 4 presents the experimental results. The last section, Section 5, concludes the paper.
2 Background and Related Work
This section provides background information related to this paper, such as digital signatures, OTP, and the existing two-dimensional barcodes.
2.1 Digital Signature
A digital signature is an electronic signature that can be used to prove the authenticity of the sender or of a signed document. It can verify that the original content of a message or document has not been altered or modified in transit. A digital signature is easy to produce but cannot be imitated, forged or modified by an unauthorized person, because it uses asymmetric cryptography; this makes counterfeiting infeasible, and the sender cannot deny responsibility (non-repudiation) for information or documents bearing their own signature. The process of creating a digital signature is shown in Fig. 1.
Fig. 1. The process of creating a digital signature
The message to be sent is passed through a mathematical process called a hash function to obtain a short value called the message digest; the original data are often very long, which would make the encryption process take longer. The message digest is then encrypted with the private key of the sender, which at this point acts like the sender's signature because only the sender has that private key. The encrypted digest is called the digital signature, and it is sent to the recipient along with the original data.
The recipient can check the validity of the digital signature to verify that the data have not been modified in transit. The received data are passed through the hash function to obtain a message digest. The digital signature is decrypted with the sender's public key to obtain a second message digest. The two message digests are then compared: if they are the same, the data have not been modified and were sent by the real sender, and the sender cannot deny having sent the message; if they differ, the received data were changed in transit. The process of verifying a digital signature is shown in Fig. 2.
Fig. 2. The process of verifying a digital signature
2.2 One-Time Passwords via SMS
One-time passwords (OTPs) are used as an additional factor in authentication and authorization because an OTP is valid for only one login or verification request; OTPs avoid the weaknesses of a fixed password list, and authentication with them is very simple. Usually the OTP is sent via SMS to the phone number of the user, who must register for the SMS OTP service before it can be used for authentication or authorization. OTPs are popular nowadays as a way to add a second factor to a web-based service that would otherwise rely on the password alone. For example, when users need to log on to a particular program or, for some important operations, must prove their identity to access a web site or the company's network, a valid OTP is required rather than the traditional password alone [8,21,26,24]. The OTP can be limited to a very short period of time and cannot be reused, which makes it difficult to attack; OTPs have also been applied to web applications such as Google Mail [13]. For additional convenience and protection in web applications such as online banking, users first verify their username and password to reach the transaction stage; when they need to commit the transaction, they receive an SMS containing the OTP that is used to commit it.
Fig. 3. The process of OTP
2.3 2D Barcode (two-dimensional barcode)
Two-dimensional barcodes [3] are geometric patterns in two dimensions. Two-dimensional barcodes can store more data than one-dimensional barcodes while using the same or a smaller space, since they store data in both the vertical and the horizontal direction, which supports information distribution and detection without accessing a database. Generally, two-dimensional barcodes consist of black squares on a white background, and each barcode type is a standard that defines the printed symbol and how a device such as a barcode scanner reads and decodes it. Currently, the common two-dimensional barcodes are QR Code [4][5], PDF417 barcode [6], Maxi Code, Aztec Code [7], Data Matrix [8][9] and HC2D barcode [10]. As Table 1 shows, different types of two-dimensional barcodes are created to serve different purposes. Compared with the other barcodes, the QR Code has a high capacity while maintaining a small size and a high reading speed. For these reasons, the QR Code is used in public relations, communications, and data-storage applications.
A QR Code is a 2D barcode consisting of a black square pattern on a white background. The QR Code contains information in the vertical direction as well as the horizontal direction. The data capacity can be a maximum of 7,250 numeric characters or 4,296 ASCII characters. The QR Code uses Reed-Solomon [11] error correction, which can detect and correct multiple errors. A QR Code can be read by standard scanners or a phone camera.
Table 1. The characteristics and properties of two-dimensional barcodes.

Barcode      | Code type | Capacity (characters) | Characteristic                          | Applications
-------------|-----------|-----------------------|-----------------------------------------|---------------------------------------
PDF417       | Multi-row | 1,850                 | High capacity                           | Office
Data Matrix  | Matrix    | 2,355                 | High capacity, small                    | Plant, medical industry
Maxi Code    | Matrix    | 93                    | High speed reader                       | Industrial products import and export
QR Code      | Matrix    | 4,296                 | High capacity, small, high speed reader | All industries
Aztec Code   | Matrix    | 3,067                 | High capacity                           | Aviation and transport industries
HC2D barcode | Matrix    | 7,250                 | High capacity, small                    | Paper-based document
An HC2D barcode is a 2D barcode consisting of a black square pattern on a white background. The HC2D barcode contains information in the vertical direction as well as the horizontal direction. The data capacity can be a maximum of 7,250 numeric characters or 10,100 ASCII characters. The HC2D barcode uses Reed-Solomon [11] error correction, which can detect and correct multiple errors, and it has an option to compress the data, which is powerful for large amounts of data [12]. An HC2D barcode can be read by standard scanners. The HC2D barcode has a greater capacity than other 2D barcodes. Moreover, the shape of the HC2D barcode is suitable for use with paper documents or print media.
2.4 Secure login for network and web applications: Snap2Pass
Snap2Pass [7] allows users to log in to different web-based or network services using their mobile phone as the credential. The Snap2Pass process starts with the user sharing a secret key with the service provider and storing it on the mobile phone, where it is used for subsequent logins. When the user needs to log in, the user sends a request to the service provider and receives a random challenge in the form of a QR Code [9]. The user takes a picture of the QR Code with the phone camera through the designated application, which generates an HMAC [2] of the random challenge keyed with the user's shared secret and sends this value back to the service provider over the Internet. When the service provider receives the value and verifies that it is correct, the user is logged in to the system.
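The challenge-response exchange described above, written out as an added example in Go; this is not code from the paper or from Snap2Pass itself. The service keeps one outstanding random challenge per user (the hex string is what the site would encode into the QR Code; QR rendering is omitted), the phone returns HMAC-SHA256 of the challenge under the shared secret, and the service compares in constant time and discards the challenge whether or not the response verified, so a captured response cannot be replayed. The 16-byte challenge, the user name, the sample secret and the `Service`/`Respond` names are this example's own choices, not taken from the paper.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Service is the provider side. It knows each user's shared secret (exchanged at
// enrolment) and remembers the challenge currently outstanding for each user.
type Service struct {
	secrets    map[string][]byte
	challenges map[string][]byte
}

func NewService() *Service {
	return &Service{secrets: map[string][]byte{}, challenges: map[string][]byte{}}
}

// Enrol records the shared secret; the same bytes are stored on the phone.
func (s *Service) Enrol(user string, secret []byte) { s.secrets[user] = secret }

// Challenge draws a fresh random challenge for one login attempt. The returned
// hex string is the value the site would render as a QR Code (rendering omitted).
func (s *Service) Challenge(user string) (string, error) {
	if _, ok := s.secrets[user]; !ok {
		return "", errors.New("unknown user")
	}
	c := make([]byte, 16) // assumed challenge size
	if _, err := rand.Read(c); err != nil {
		return "", err
	}
	s.challenges[user] = c
	return hex.EncodeToString(c), nil
}

// Verify checks the phone's response. The challenge is consumed on the first
// attempt whatever the outcome, so a captured response cannot be replayed.
func (s *Service) Verify(user, response string) error {
	c, ok := s.challenges[user]
	if !ok {
		return errors.New("no challenge outstanding")
	}
	delete(s.challenges, user)
	want := hmacTag(s.secrets[user], c)
	got, err := hex.DecodeString(response)
	if err != nil || !hmac.Equal(want, got) { // hmac.Equal compares in constant time
		return errors.New("response does not match")
	}
	return nil
}

// Respond is the phone-side step after scanning the QR Code: HMAC the decoded
// challenge with the shared secret and send the tag back to the service.
func Respond(secret []byte, challengeHex string) (string, error) {
	c, err := hex.DecodeString(challengeHex)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(hmacTag(secret, c)), nil
}

func hmacTag(secret, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(challenge)
	return m.Sum(nil)
}

func main() {
	svc := NewService()
	secret := []byte("constructed-shared-secret-for-demo") // constructed sample value
	svc.Enrol("alice", secret)                               // "alice" is a constructed user
	ch, _ := svc.Challenge("alice")
	resp, _ := Respond(secret, ch)
	fmt.Println("login:", svc.Verify("alice", resp))
	fmt.Println("replay:", svc.Verify("alice", resp))
}
```

The second `Verify` call in `main` fails because the challenge was deleted by the first, which is the property that makes an intercepted response useless to an eavesdropper; the secret never leaves either end, only the tag does.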
3 Design and Implementation
In this section, the design and implementation of internet banking authentication using OTP and QR Code with digital signature on mobile phone is presented using the proposed method.
The attacker's purpose is to obtain the victim's OTP for financial crimes, using a variety of methods such as wireless interception, mobile phone Trojans or the SIM swap attack [14]. It is therefore not safe to send the OTP via SMS, which can be attacked by the methods mentioned above. This research was designed to authenticate the user using an OTP with a QR Code and a digital signature via the mobile phone. The process starts with the user sharing a public key with the bank service provider and storing it in the application on the mobile phone, to be used for authentication later, as shown in Fig. 4. When the user needs to perform a transaction online with internet banking, the user visits the bank service provider's website and logs in to the user's account with username and password to perform any transaction on the account. When the user needs to commit the transaction, the user receives the OTP in the form of a QR Code that is signed with the bank's private key and encrypted with the user's public key. The user then takes a picture of the QR Code with the phone camera through the designated application, which decrypts the QR Code content with the user's private key (authenticating the user) and then obtains the OTP by decrypting it with the bank's shared public key, i.e. by verifying the bank's signature. The user enters this OTP into the internet banking website over the Internet (3G or Wi-Fi); when the internet banking service provider receives the OTP and it is correct, the user is logged in to the system, as shown in Fig. 5.
Fig. 4. A sequence diagram for registering with the internet banking web application
Fig. 5. A sequence diagram for authenticating to the web application to commit a transaction
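One way to implement the exchange of Figs. 4 and 5, together with the signing and verification steps of Section 2.1 and the single-use, short-lived OTP of Section 2.2, as an added example in Go rather than the authors' own Java/Android implementation. The bank signs the OTP with its private key and encrypts OTP||signature to the public key the user registered; the phone decrypts with its private key, verifies the bank's signature, and only then shows the OTP; the bank keeps one pending OTP per user and consumes it on the first confirmation attempt. Everything not stated in the paper is this example's assumption: Ed25519 for the bank's signature and RSA-2048 OAEP for encryption to the user's key, a six-digit OTP, a two-minute validity window, base64 as the QR payload encoding, the user name "alice", and QR rendering left to a QR library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const otpTTL = 2 * time.Minute // assumed validity window; the paper states none

// NewOTP draws six random decimal digits (the length is this example's assumption).
func NewOTP() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%06d", n.Int64()), nil
}

// WrapOTP is the bank step of Fig. 5: sign the OTP with the bank's private key, then
// encrypt OTP||signature to the key registered at enrolment (Fig. 4). The returned
// string is what a QR library would render as the symbol (rendering not shown).
func WrapOTP(bankPriv ed25519.PrivateKey, userPub *rsa.PublicKey, otp string) (string, error) {
	plain := append([]byte(otp), ed25519.Sign(bankPriv, []byte(otp))...)
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, plain, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// UnwrapOTP is the phone step after scanning the QR Code: decrypt with the user's
// private key, then verify the bank's signature before the OTP is trusted at all.
func UnwrapOTP(userPriv *rsa.PrivateKey, bankPub ed25519.PublicKey, qrPayload string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(qrPayload)
	if err != nil {
		return "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, userPriv, ct, nil)
	if err != nil {
		return "", errors.New("decryption failed: payload was not issued to this phone")
	}
	cut := len(plain) - ed25519.SignatureSize
	if cut <= 0 {
		return "", errors.New("malformed payload")
	}
	otp, sig := plain[:cut], plain[cut:]
	if !ed25519.Verify(bankPub, otp, sig) {
		return "", errors.New("bank signature invalid")
	}
	return string(otp), nil
}

type pendingOTP struct {
	otp     string
	expires time.Time
}
// Pending is the bank's record of the OTP outstanding per user. It enforces the
// OTP properties of Section 2.2: a short validity window and a single use.
type Pending map[string]pendingOTP

func (p Pending) Issue(user, otp string, now time.Time) {
	p[user] = pendingOTP{otp, now.Add(otpTTL)}
}

// Confirm runs when the user types the OTP into the web site. The record is
// consumed on the first attempt whatever the outcome, so a replay cannot succeed.
func (p Pending) Confirm(user, otp string, now time.Time) error {
	rec, ok := p[user]
	if !ok {
		return errors.New("no OTP pending")
	}
	delete(p, user)
	if now.After(rec.expires) {
		return errors.New("OTP expired")
	}
	if subtle.ConstantTimeCompare([]byte(rec.otp), []byte(otp)) != 1 {
		return errors.New("OTP mismatch")
	}
	return nil
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader) // bank's signing key pair
	userPriv, _ := rsa.GenerateKey(rand.Reader, 2048)       // user's key pair, held in the app
	pending, now := Pending{}, time.Now()
	otp, _ := NewOTP()
	pending.Issue("alice", otp, now) // "alice" is a constructed user name
	payload, _ := WrapOTP(bankPriv, &userPriv.PublicKey, otp)
	got, err := UnwrapOTP(userPriv, bankPub, payload)
	fmt.Println("phone recovered OTP:", got, "err:", err)
	fmt.Println("first use:", pending.Confirm("alice", got, now))
	fmt.Println("replay:", pending.Confirm("alice", got, now))
}
```

The order inside `UnwrapOTP` matters: the payload is decrypted first, so a symbol encrypted to another phone fails before any signature check, and the signature is verified before the OTP is returned, so a symbol produced without the bank's private key is never shown to the user. On the bank side, `Confirm` deletes the pending record before comparing, which is what stops a captured OTP from being submitted a second time.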
4 Experimental Results
To verify our design, we implemented the test application in the Java programming language on the Android OS. The results are described below.
5 Conclusion
This paper presents an implementation of internet banking authentication using OTP and QR Code with digital signature on mobile phone to improve the stability and security of the user's online banking. It prevents theft of the OTP by an attacker, whether through a mobile Trojan or by capturing the SMS that carries the OTP, by encrypting the OTP with the bank's private key, encrypting it again with the public key of the user who requested the OTP, and converting the result into a QR Code. When the user needs to submit a transaction on internet banking, the user reads the QR Code from the web browser with the phone camera, and the application decrypts the data with the private key of the user and the public key of the bank, respectively; if the result is correct, the user obtains the OTP and enters it in the web browser for authentication. The attacker is no longer able to capture the OTP via wireless interception or a mobile Trojan.
References
1. Gao, J.Z., Prakash, L., Jagatesan, R.: Understanding 2D-Barcode Technology and Applications in M-Commerce – Design and Implementation of a 2D Barcode Processing Solution. In: 31st Annual International Conference on Computer Software and Applications, vol. 2, pp. 49-56 (2007)
2. Warasart, M., Kuacharoen, P.: Paper-Based Document Authentication Using Digital Signature and QR Code. In: Juan S.: 4th International Conference on Computer Engineering and Technology. International Proceedings of Computer Science and Information Technology, vol. 40, pp. 94-98 (2012)
3. QR Code, http://www.denso-wave.com/qrcode/
4. Singh, J., Singh, J.: A Comparative Study of Error Detection and Correction Coding Techniques. In: 2nd International Conference on Advanced Computing and Communication Technologies, pp. 187-189 (2012)
5. Zhang, Y., Yuan, Q.: A Multiple Bits Error Correction Method Based on Cyclic Redundancy Check Codes. In: 9th International Conference on Signal Processing, pp. 1808-1810 (2008)
6. Mamidi, S. et al.: Instruction Set Extensions for Reed-Solomon Encoding and Decoding. In: 16th IEEE International Conference on Application-Specific Systems, Architecture Processors, pp. 364-369 (2005)
7. Islam, M.R., Ahsan Rajon, S.A.: An Enhanced for Lossless Compression of Short Text for Resource Constrained Devices. In: 14th International Conference on Computer and Information Technology, pp. 292-297 (2011)
8. Rong, C. et al.: Coding Principle and Implementation of Two-Dimensional PDF417 Bar Code. In: 6th IEEE Conference on Industrial Electronics and Applications, pp. 466-468 (2011)
9. Ke, H., Zhang, G.: An Algorithm Correcting Flex Distortion of Aztec Code. In: 2nd IEEE International Conference on Information Management and Engineering, pp. 457-460 (2010)
10. Biao, L.: A DataMatrix-based Mutant Code Design and Recognition Method Research. In: Proceedings of the 4th International Conference on Image and Graphics, pp. 570-574 (2007)
11. Data Matrix, http://en.wikipedia.org/wiki/Data_Matrix
12. GNU Gzip, http://www.gnu.org/software/gzip/manual/gzip.html