How to Secure Web Authentication
-
Upload
arpit-garg -
Category
Documents
-
view
225 -
download
0
Transcript of How to Secure Web Authentication
-
8/8/2019 How to Secure Web Authentication
1/20
Secure Web Authentication Using
Cell Phones
Presented By:
Arpit Garg
MBA IB(IT)
A1802007095 (E11)
Batch: 2007-2009
-
8/8/2019 How to Secure Web Authentication
2/20
Objectives of Thesis:
To provide secure wireless environment to the users.
To increase faith of the users in online financial web transactions using mobile devices.
What is Authentication?
Authentication is the process of verifying that a person is who they claim to be.
This can be done by using any of the following factors:
something you know password or PIN
something you have token or smart card (two-factor authentication)
something you are biometrics, such as a fingerprint (three-factor authentication)
-
8/8/2019 How to Secure Web Authentication
3/20
As computing becomes persistent, people increasingly rely their business over the
Internet by using e-commerce. Now, the Internet is a preferred source to avail online e-
services such as e-commerce, e-voting, e-banking, e-governance, etc.
O
nline applications require a strong security element to protect user confidentialdata which is a major concern in internet based online payment system. There are
various internet threats which affect the security system of internet and increase
the risk for electronic transaction.
Most of the authentication system relies on passwords, personal identification
numbers & keys to access their personal account information. This type ofauthentication system actually can not verify or authenticate the identity of the users
who he or she claims to be.
-
8/8/2019 How to Secure Web Authentication
4/20
The above observation calls for the need of Multifactor Authenticationtechniques for securing financial web transactions.
To do so, we recommend an authentication system based on:
TICs (Transaction Identification code) and
SMS (Short Message Service)
Features of TICs:
1. TICS are issued by bank authorities or financial institutions to the
user and not by the web server.2. TIC is similar to OTP (One time password) and one code is used only
on one occasion.
3. It eliminates the risk of attack against traditional passwords.
-
8/8/2019 How to Secure Web Authentication
5/20
1. Account-based payment systems
in which each customer has a valid account maintained by a Trusted Third
Party. The user can initiate pre-paid or post-paid financial transaction using
Smart Cards or Credit cards
2. E-wallet or E-cash In this method customers stores digital cash in their E-wallet from a debit
card, credit card or virtual check. Digital cash is like electronic cash in virtual
savings account where the user can make payment for their purchases. E-
wallets are frequently used in payments or small payments.
3. Personal Wallet
A personal wallet is a software or hardware installed on users machine.
There is no need of server, because payment transaction does not require
any wallet server. The users credit information is stored locally on the user
device.
-
8/8/2019 How to Secure Web Authentication
6/20
Merchant
Agent (MA) Merchants Bank
CustomersAgent(CA)
1. User make
purchase
request
2. Merchants
Payment Info.
3. Client Order
and payment
Informationwith certificate
8. Response
4. Request for Authorization, payment with order
information and both certificates
Customers
Bank
7. Payment Ack.
5. Request forpayment
approval
6. Authorization
response for
payment
-
8/8/2019 How to Secure Web Authentication
7/20
Disadvantages of SET
1. SET is designed for wired networks and does not meet all the
challenges of wireless network.
2. It is vulnerable to various attacks like merchant can modify
transactions data by changing the balance.
3. Transaction flow is from Customer to Merchant so all the details of
users credit cards/debit cards must flow via merchants side.
4. There is no notification to the Customer from the customers Bank
after the successful transfer. The user has to check his/her balance
after logging on to bank website again.
5. SET is only for card based (credit or debit) transactions.
Disadvantages of SET
1. SET is designed for wired networks and does not meet all the
challenges of wireless network.
2. It is vulnerable to various attacks like merchant can modify
transactions data by changing the balance.
3. Transaction flow is from Customer to Merchant so all the details of
users credit cards/debit cards must flow via merchants side.
4. There is no notification to the Customer from the customers Bank
after the successful transfer. The user has to check his/her balance
after logging on to bank website again.
5. SET is only for card based (credit or debit) transactions.
-
8/8/2019 How to Secure Web Authentication
8/20
-
8/8/2019 How to Secure Web Authentication
9/20
Login Authentication Login Successful
-
8/8/2019 How to Secure Web Authentication
10/20
Selection of Balance Enquiry option Balance Enquiry
-
8/8/2019 How to Secure Web Authentication
11/20
Selection of Credit Card Transfer Selection of Bank Name and Branch
Code
-
8/8/2019 How to Secure Web Authentication
12/20
Selection of Credit Card Type Fill up Requisite Details
-
8/8/2019 How to Secure Web Authentication
13/20
Selection of Electronic Transfer Selection of Bank Name and Branch
Code
-
8/8/2019 How to Secure Web Authentication
14/20
Fill Up Requisite Information TIC Password to Open TICs list
-
8/8/2019 How to Secure Web Authentication
15/20
Entering Password for TICs Selection of encrypted TIC
-
8/8/2019 How to Secure Web Authentication
16/20
Selected TIC is attached with the
Credit Card Transfer Form
Acknowledgment from the Web
Server Showing Successful
Authentication
-
8/8/2019 How to Secure Web Authentication
17/20
SMS Received from Bank
Authentication Server
SMS showing details of Submitted
Transaction
-
8/8/2019 How to Secure Web Authentication
18/20
Reply SMS with YES Response from the Server if user say
YES
-
8/8/2019 How to Secure Web Authentication
19/20
Reply SMS with No Response from the Server if user say
No
-
8/8/2019 How to Secure Web Authentication
20/20
1. GSM calls even more secure - A5/3 Algorithm ETSI, 2002,
http://www.gsmworld.com/news/press_2002/press_15.shtml
2. http://www.cellular.co.za
3. Website on bouncy castle package:
http://www.bouncycastle.org
4. Article on internet attacks: www.educause.edu/ir/library/pdf/CSD4433.pdf5. Article on attacks on mobile phones:
http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1232051,00.html
6. Article on security threats of mobile phones:
http://news.zdnet.com/2100-1009_22-5602919.html
7. Website on Wireless development tool kit 2.3:http://java.sun.com/products/sjwtoolkit
8. Website on Web Server:
http://tomcat.apache.org/
1. GSM calls even more secure - A5/3 Algorithm ETSI, 2002,
http://www.gsmworld.com/news/press_2002/press_15.shtml
2. http://www.cellular.co.za
3. Website on bouncy castle package:
http://www.bouncycastle.org
4. Article on internet attacks: www.educause.edu/ir/library/pdf/CSD4433.pdf5. Article on attacks on mobile phones:
http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci1232051,00.html
6. Article on security threats of mobile phones:
http://news.zdnet.com/2100-1009_22-5602919.html
7. Website on Wireless development tool kit 2.3:http://java.sun.com/products/sjwtoolkit
8. Website on Web Server:
http://tomcat.apache.org/