An Implementation of Internet Banking Authentication using OTP and QR Code with Digital Signature on Mobile Phone

Puchong Subpratatsavee and Pramote Kuacharoen
Department of Computer Science, Graduate School of Applied Statistics
National Institute of Development Administration
118 Serithai Rd. Bangkapi, Bangkok 10240 Thailand
puchong.sp@gmail.com, pramote@as.nida.ac.th

Abstract. Internet banking is becoming popular for financial transactions such as money transfers and payment for goods or services. Transactions over the internet can, however, be attacked by criminals, for example through password guessing or social engineering. Some banks therefore use a one-time password (OTP) to verify ownership of the account; an OTP code is valid for a single use and cannot be reused. The OTP code is sent by SMS (short message service) to the mobile phone number that the account holder registered with the bank. The OTP can nevertheless be intercepted and abused by an attacker, because today's mobile phones allow users to install applications manually, and an attacker can bundle malware or a Trojan with such an application; when the user performs a financial transaction through online banking and reaches the OTP confirmation step, the malware or Trojan may forward the SMS OTP code to the attacker. This paper presents the design and implementation of internet banking authentication with an OTP delivered to the mobile phone as a QR Code with a digital signature, to prevent attacks based on wireless interception of the SMS sent by the bank and attacks by malware and Trojans bundled with applications.
Keywords: OTP, QR Code, internet banking, authentication, mobile phone, digital signature, Trojan

1 Introduction

Financial transactions through online banking are becoming popular because they are convenient and the steps are not complicated, but financial transactions over the Internet are nevertheless vulnerable to attack and data theft. Banks use an OTP (one-time password) sent by SMS to the mobile phone number registered with the account for the authentication and authorization of online financial transactions, but SMS can be attacked and captured by an attacker, for instance by wireless interception: GSM technology is not secure because neither the sender nor the recipient is authenticated, and research has shown that an attacker can eavesdrop on the communication between the mobile station and the network and decrypt the data by exploiting weaknesses in the protocol [4,5]. In addition, an attacker can intercept mobile (GSM) traffic, including the SMS of a specific user [20], and can obtain tools and equipment for attacking or listening to telephone conversations and secretly reading SMS in order to commit online crime [19]. Furthermore, an attacker can secretly read SMS from a user's mobile phone by using a Trojan designed to intercept and steal the OTP from SMS; this threat is growing because malware is being created by criminals for the purpose of financial crime. Such Trojans run when the victim receives the OTP by SMS and forward it by SMS to the attacker, or intercept the victim's SMS outright. Current Trojans that target OTP theft are aimed at phones running the platforms that have been popular in the past and present, such as Symbian [3], Android [9], BlackBerry [10] and so on. Researchers are therefore aware of the risks that may arise from the use of the current OTP password.
This paper designs and develops an OTP in the form of a QR Code with a digital signature, read on a mobile phone, to increase the stability and security of authentication and authorization for financial transactions over the Internet. The paper consists of five sections. The next section provides background information and related work relevant to the paper. Section 3 describes the design and implementation of the proposed method. Section 4 presents the experimental results. Section 5 concludes the paper.

2 Background and Related Work

This section provides background information related to this paper: digital signatures, OTP, and the existing two-dimensional barcodes.

2.1 Digital Signature

A digital signature is an electronic signature that can be used to prove the authenticity of the sender or of a signed document. It can verify that the original content of a message or document has not been altered or modified in transit. A digital signature is easy to create but cannot be imitated, forged or modified by an unauthorized person, because it uses asymmetric cryptography; this makes counterfeiting impossible, and the sender cannot deny responsibility (non-repudiation) for information or a document that carries his or her own signature. The process of creating a digital signature is shown in Fig. 1.

Fig. 1. The process of creating a digital signature

The message to be sent is passed through a mathematical process called a hash function to obtain a short value called the message digest; this is done because the original data is often very long, which would make the encryption step take longer. The message digest is then encrypted with the sender's private key, which acts as the sender's signature because only the sender holds that private key. The encrypted data is called the digital signature, and it is sent to the recipient together with the original data.
The recipient can check the validity of the digital signature to verify that the data has not been modified in transit. The received data is passed through the hash function to obtain a message digest. The digital signature is decrypted with the sender's public key to obtain a second message digest. The two message digests are then compared: if they are the same, the data has not been modified and was sent by the genuine sender, who cannot deny having sent the message; if they differ, the received data was changed during transport. The process of verifying a digital signature is shown in Fig. 2.

Fig. 2. The process of verifying a digital signature

2.2 One-Time Passwords via SMS

One-time passwords (OTP) are used as an additional factor in authorization and authentication because an OTP is valid for only one login or verification request; an OTP cannot be taken from a password list, and authentication with it is very simple. Usually the OTP is sent by SMS to the phone number of the user, who must register for the SMS OTP service for authentication or authorization. OTP is popular nowadays as a way of adding a second factor to a web-based service that would otherwise rely on the password alone, for example.
Users who need to log on to a particular program or system, or to perform an important task, may need a valid OTP to prove their identity in order to access the web or the company's network, rather than using only a traditional password [8,21,26,24]. An OTP can be limited to a very short period of time and cannot be recycled, so it is difficult to attack. OTP has also been applied to web applications such as Google Mail [13]. For greater convenience and security in web applications such as online banking, users first verify their username and password to reach the transaction stage; when the user needs to commit a transaction, the user receives an SMS containing the OTP that must be used to commit that transaction.

Fig. 3. The process of OTP

2.3 2D Barcode (two-dimensional barcode)

Two-dimensional barcodes [3] are geometric patterns in two dimensions. Two-dimensional barcodes can store more data than one-dimensional barcodes while using the same or smaller space, since they store data in both the vertical and horizontal directions, which supports information distribution and detection without accessing a database. Generally, two-dimensional barcodes consist of black squares on a white background, and each barcode type is a standard that defines the printed symbol and how a device such as a barcode scanner reads and decodes it. The two-dimensional barcodes in common use today are QR Code [4][5], PDF417 barcode [6], Maxi Code, Aztec Code [7], Data Matrix [8][9] and HC2D barcode [10]. As Table 1 shows, different types of two-dimensional barcodes were created to serve different purposes. Compared with the other barcodes, the QR Code has a high capacity while maintaining a small size and a high reading speed. For these reasons, QR Code is used in public relations, communications, and data storage applications. A QR Code is a 2D barcode consisting of a black square pattern on a white background.
The QR Code contains information in the vertical direction as well as the horizontal direction. Its data capacity is at most 7,250 numeric characters or 4,296 ASCII characters. QR Code uses Reed-Solomon [11] error correction, which can detect and correct multiple errors. A QR Code can be read by standard scanners or by a phone camera.

Table 1. The characteristics and properties of two-dimensional barcodes.

|                       | PDF417        | Data Matrix             | Maxi Code                             | QR Code                                  | Aviation Code? |
|-----------------------|---------------|-------------------------|---------------------------------------|------------------------------------------|----------------|

(The table above is replaced by the corrected layout below.)

| Property              | PDF417        | Data Matrix             | Maxi Code                             | QR Code                                  | Aztec Code                        | HC2D barcode          |
|-----------------------|---------------|-------------------------|---------------------------------------|------------------------------------------|-----------------------------------|-----------------------|
| Code type             | Multi-row     | Matrix                  | Matrix                                | Matrix                                   | Matrix                            | Matrix                |
| Capacity (characters) | 1,850         | 2,355                   | 93                                    | 4,296                                    | 3,067                             | 7,250                 |
| Characteristic        | High capacity | High capacity, small    | High speed reader                     | High capacity, small, high speed reader  | High capacity                     | High capacity, small  |
| Applications          | Office        | Plant, medical industry | Industrial products import and export | All industries                           | Aviation and transport industries | Paper-based document  |

The HC2D barcode is a 2D barcode consisting of a black square pattern on a white background. The HC2D barcode contains information in the vertical direction as well as the horizontal direction. Its data capacity is at most 7,250 numeric characters or 10,100 ASCII characters. HC2D barcode uses Reed-Solomon [11] error correction, which can detect and correct multiple errors, and it has an option to compress the data, which is useful for large amounts of data [12]. HC2D barcode can be read by standard scanners. The HC2D barcode has a greater capacity than the other 2D barcodes. Moreover, the shape of the HC2D barcode is suitable for use with paper documents or print media.

2.4 Secure login for network and web applications: Snap2Pass

Snap2Pass [7] allows users to log in using their mobile phone as the credential across different web-based or network services.
In Snap2Pass the process starts with the user sharing a secret key with the service provider and storing it on the mobile phone, to be used as the tool for logging in from then on. When the user needs to log in, the user sends a request to the service provider and receives a random challenge in the form of a QR Code [9]. The user then photographs the QR Code with the phone camera through the designated application; the application computes an HMAC [2] over the random challenge, keyed with the user's shared secret key, and sends this value back to the service provider over the Internet. When the service provider receives the value and can verify it, the user is logged in to the system.

3 Design and Implementation

In this section, the design and implementation of internet banking authentication using OTP and QR Code with a digital signature on a mobile phone is presented using the proposed method. The attacker's purpose is to obtain the victim's OTP for financial crime, using a variety of methods and forms such as wireless interception, mobile phone Trojans or the SIM swap attack [14]. Sending the OTP via SMS is therefore not safe, because it can be attacked by the methods mentioned above. This research was designed to verify the authentication of a user using an OTP as a QR Code with a digital signature via the mobile phone. The process starts with the user sharing a public key with the bank service provider; the key is then stored in the application on the mobile phone, to be used as the tool for authentication from then on, as shown in Fig. 4. When the user needs to perform an online transaction with internet banking, the user goes to the bank service provider's website and logs in to the user's account with username and password in order to perform transactions on the account. When the user needs to commit a transaction, the user receives an OTP in the form of a QR Code that has been signed with the bank's private key and encrypted with the user's public key. The user photographs the QR Code with the phone camera through the designated application; the application decrypts the QR Code content with the user's private key, which authenticates the user, then obtains the OTP by decrypting with the bank's shared public key, and the user enters this OTP on the internet banking website over the Internet (3G or Wi-Fi). When the internet banking service provider receives the OTP and it is correct, the user is logged in to the system, as shown in Fig. 5.

Fig. 4. A sequence diagram for registering with the internet banking web application

Fig. 5. A sequence diagram for authentication to the web application to commit a transaction

4 Experimental Results

To verify our design, we implemented a test application in the Java programming language on the Android OS. The results are described below.

5 Conclusion

This paper presents an implementation of internet banking authentication using OTP and QR Code with a digital signature on a mobile phone, to improve the stability and security of the user's online banking. It prevents theft of the OTP by an attacker, both through a mobile Trojan and through capture of the SMS carrying the OTP, by encrypting the OTP with the bank's private key, encrypting the result again with the public key of the user who requested the OTP, and converting the OTP into a QR Code. When the user needs to submit a transaction on internet banking, the user reads the QR Code from the web browser with the phone camera, decrypts the data with the user's private key and the bank's public key respectively, and, if correct, obtains the OTP to enter in the web browser for authentication.
The attacker can no longer capture the OTP through wireless interception or a mobile Trojan.

References

1. Gao, J.Z., Prakash, L., Jagatesan, R.: Understanding 2D-Barcode Technology and Applications in M-Commerce: Design and Implementation of a 2D Barcode Processing Solution. In: 31st Annual International Conference on Computer Software and Applications, vol. 2, pp. 49-56 (2007)
2. Warasart, M., Kuacharoen, P.: Paper-Based Document Authentication Using Digital Signature and QR Code. In: Juan S.: 4th International Conference on Computer Engineering and Technology. International Proceedings of Computer Science and Information Technology, vol. 40, pp. 94-98 (2012)
3. QR Code, http://www.denso-wave.com/qrcode/
4. Singh, J., Singh, J.: A Comparative Study of Error Detection and Correction Coding Techniques. In: 2nd International Conference on Advanced Computing and Communication Technologies, pp. 187-189 (2012)
5. Zhang, Y., Yuan, Q.: A Multiple Bits Error Correction Method Based on Cyclic Redundancy Check Codes. In: 9th International Conference on Signal Processing, pp. 1808-1810 (2008)
6. Mamidi, S. et al.: Instruction Set Extensions for Reed-Solomon Encoding and Decoding. In: 16th IEEE International Conference on Application-Specific Systems, Architecture Processors, pp. 364-369 (2005)
7. Islam, M.R., Ahsan Rajon, S.A.: An Enhanced for Lossless Compression of Short Text for Resource Constrained Devices. In: 14th International Conference on Computer and Information Technology, pp. 292-297 (2011)
8. Rong, C. et al.: Coding Principle and Implementation of Two-Dimensional PDF417 Bar Code. In: 6th IEEE Conference on Industrial Electronics and Applications, pp. 466-468 (2011)
9. Ke, H., Zhang, G.: An Algorithm Correcting Flex Distortion of Aztec Code. In: 2nd IEEE International Conference on Information Management and Engineering, pp. 457-460 (2010)
10. Biao, L.: A DataMatrix-based Mutant Code Design and Recognition Method Research. In: Proceedings of the 4th International Conference on Image and Graphics, pp. 570-574 (2007)
11. Data Matrix, http://en.wikipedia.org/wiki/Data_Matrix
12. GNU Gzip, http://www.gnu.org/software/gzip/manual/gzip.html
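As an added illustration of the Section 3 exchange, combining the sign and verify steps of Section 2.1 with the sign-then-encrypt packaging of the OTP, the following Go example is not part of the paper's Android/Java implementation. It assumes RSA-PSS signatures and RSA-OAEP encryption, a QR payload laid out as base64(ciphertext) "." base64(signature), constructed demo keys, and the OTP value "483920"; the phone side returns an OTP only when decryption with the user's private key and verification with the bank's public key both succeed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// bankIssueOTP is the bank side: sign SHA-256(OTP) with the bank private key, encrypt the
// OTP to the user's public key, and join both (assumed layout "b64(ct).b64(sig)") for the QR Code.
func bankIssueOTP(bankPriv *rsa.PrivateKey, userPub *rsa.PublicKey, otp string) (string, error) {
	digest := sha256.Sum256([]byte(otp))
	sig, errS := rsa.SignPSS(rand.Reader, bankPriv, crypto.SHA256, digest[:], nil)
	ct, errE := rsa.EncryptOAEP(sha256.New(), rand.Reader, userPub, []byte(otp), nil)
	if errS != nil || errE != nil {
		return "", fmt.Errorf("bank side failed: sign=%v encrypt=%v", errS, errE)
	}
	return base64.StdEncoding.EncodeToString(ct) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// phoneReadOTP is the phone application's side: decrypt with the user's private key,
// then verify the bank signature; only a verified OTP is returned for entry on the site.
func phoneReadOTP(userPriv *rsa.PrivateKey, bankPub *rsa.PublicKey, qrText string) (string, error) {
	ctB64, sigB64, ok := strings.Cut(qrText, ".")
	ct, errC := base64.StdEncoding.DecodeString(ctB64)
	sig, errG := base64.StdEncoding.DecodeString(sigB64)
	if !ok || errC != nil || errG != nil {
		return "", fmt.Errorf("malformed QR payload")
	}
	otp, err := rsa.DecryptOAEP(sha256.New(), nil, userPriv, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decryption failed: OTP was not issued to this user")
	}
	digest := sha256.Sum256(otp)
	if rsa.VerifyPSS(bankPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return "", fmt.Errorf("signature check failed: OTP is not from the bank")
	}
	return string(otp), nil
}

func main() { // constructed demo keys; in the scheme they are exchanged at registration (Fig. 4)
	bank, _ := rsa.GenerateKey(rand.Reader, 2048)
	user, _ := rsa.GenerateKey(rand.Reader, 2048)
	qr, _ := bankIssueOTP(bank, &user.PublicKey, "483920")
	fmt.Println(phoneReadOTP(user, &bank.PublicKey, qr))
}
```

The Go standard library has no QR Code encoder, so rendering the returned string as a QR Code is left to a barcode library on the bank's web server.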