
    Working paper No. 11 - Authentication factors for Internet banking   1

    IDRBT Working Paper No. 11

    Authentication factors for Internet banking

     M V N K Prasad and S Ganesh Kumar 

    ABSTRACT

    The all-pervasive and continued growth in technology, coupled with the increased use of alternate delivery channels by banks, has made appropriate authentication of customers significantly important for the banking system. Banks in India have been adopting different authentication mechanisms to provide security over the last few years. In the search for more effective authentication techniques, an approach which promises substantial benefit pertains to the use of mutual authentication, which can be implemented by providing some challenge questions. This paper elucidates the various facets of mutual authentication and outlines the way forward for banks to provide mutual authentication using identifiable pictures, by listing three approaches for storing these pictures, viz. identifiable pictures stored either at the server end or at the client side, or by dividing the picture into two transparencies and implementing visual cryptography for ensuring secure authentication.

    1.0 Introduction

    The technological metamorphosis in banking has resulted in a plethora of delivery channels now being available to customers of banks. The retail customers of banks have perhaps benefited most from the use of technology based systems such as Core Banking and clustered systems, as well as delivery channels such as Automated Teller Machines, Internet banking and mobile banking, to name a few. In all these new delivery channels the most important requirement pertains to the need for identifying the customer, who would no longer be visiting the branch premises but would be accessing the services of the bank through the new delivery channels. Identification in the context of banks happens through a variety of means, but the most important aspects which are checked pertain to the account number of the customer and the name of the customer. Once the identification process is completed, the next important factor to be validated pertains to authentication of the customer: ensuring that the person who claims to be the customer is indeed the customer.

    Authentication plays a vital role especially in cases where the customer is not present in front of the banker or its authorized representative. This assumes more significance in online banking, where a public medium of access such as the Internet is used as the means of accessing the bank's IT systems (and thus ultimately the funds too, by the customer). There are multiple ways through which banks can authenticate users. These range from simple systems such as a combination of username and password to complex systems such as biometrics and/or one time usage based variable tokens. As technology continues to change, banks need to adapt their security systems to effectively combat threats posed by malafide intents, imposters, hackers, thieves, and the like. Selecting the right technologies for each organization cannot be generalized. However, knowing what authentication techniques are available is the first step in moving over to a secure environment. This paper attempts to provide an overview of the appropriate technological tools available for authentication in Internet based banking.

    Internet banking is the service offering by banks using which customers can gain access to the financial services offered by the banks through a computer, using the Internet medium and without the need to go over to the customer's bank. This means of access to banking services has gained substantial ground since its introduction in the late nineties, and almost all commercial banks in the country offer Internet based access facilities to their discerning customers. With the large scale usage of Internet banking, the attendant risks of the Internet also began to surface, thus exposing the bank as well as the customer to risks. Cases of malafide access to customer accounts, fraudulent withdrawal of funds, phishing, spamming and other such online frauds began to surface. Authentication has become one of the main factors in Internet banking for banks to provide secure and safe banking to users. This prompted the Reserve Bank of India (RBI), as the regulator of the banking system in the country, to review the entire gamut of Internet Banking and come out with guidelines for authentication in respect of online banking. A similar approach was followed in other countries of the world as well, with the Federal Financial Institutions Examination Council (FFIEC) in the US also issuing guidance for banks on single factor authentication in 2001 and two factor authentication in 2005 to prevent online fraud. It is interesting to note that on June 28, 2011, the FFIEC issued a Supplement to the Authentication in an Internet Banking Environment guidance first issued in Oct. 2005, while RBI had issued guidelines for banks to implement two factor authentication for online banking in 2008 itself. These have, to some extent, mitigated the risks associated with Internet Banking.

    2.0 Authentication - Overview

    Authentication is the process of verifying a claim made by a subject that it should be allowed to act on behalf of a given person, computer, process, etc. The authentication process is preceded by Authorization, which in the banking context is preceded by Identification. Authorization involves verifying that an authenticated subject has permission to perform certain operations or access specific resources. Authentication procedures are based on three factors related to the user, i.e. the person who is authenticating, say, a transaction in Internet Banking. They are:

    1. User knows
    2. User possesses, and
    3. User is.

    The following are the various options used under each of the three factors.

    User knows              User possesses          User is
    --------------------    --------------------    --------------------
    Username                USB Token               Fingerprint
    Password                Smart Card              Palm print
    PIN                     OTP by SMS/token        IRIS
    Card No.                Swipe cards             Voice
    CVV 2                   Mobile Signature        Vein pattern
    3D Secure/VbV
    Identifiable picture

    Table 1: Authentication Factors

    2.1 Types of Authentication


    Authentication mechanisms are of three kinds, based on the authentication factors shown in Table 1. These include:

    2.1.1 Single Factor Authentication

    An authentication mechanism that utilizes any one of the factors is called single factor authentication. This is the basic authentication method (for example, a user id and password comes under this category).

    2.1.2 Two Factor Authentication

    An authentication mechanism that utilizes a combination of two factors, i.e. (User knows, User possesses). This method is used by various banks for authentication in online banking. E.g. the user uses a password as the first factor (User knows) and a One-Time Password (OTP) as the second factor (User possesses) to perform, say, a funds transfer transaction.

    2.1.3 Multi Factor Authentication

    An authentication mechanism where two or more factors are used, one of which necessarily pertains to 'the user is' (for example, a large value transaction authorized in a bank by using a combination of the person's user id, a smart card and his biometric authentication factor).

    2.2 Authentication factors used by banks

    2.2.1 Authentication factors used by Indian banks

    Indian banks generally resort to the use of two factor authentication by seeking the username, password and OTPs to authenticate users in online banking. Most of the banks in India resort to OTPs by means of SMS or hard tokens as the second factor of authentication. After logging into net banking using the id and password, for making any transaction banks provide OTPs and ask for a password (the same as the login password or a different one) to provide security and reduce fraud. Some of the banks use OTPs as a second layer of authentication immediately after logging in with the id and password, and also use these OTPs for doing transactions. It may be mentioned that this has been implemented based on the regulatory requirements.

    2.2.2 Authentication factors used by foreign banks

    Foreign banks also use two factor authentication for online banking. Most banks use the basic user name, pass code and OTPs delivered through a mobile device, or OTPs provided by a security device or a hard token. There are also instances of certain banks providing an extra layer of authentication by introducing a site key, by means of which the user-customer can identify fake websites. Some banks provide hard tokens or security devices for getting dynamic OTPs. Some banks use security tokens or mobile phones to generate these OTPs.

    From the above, it can be seen that although there is no specific pattern in respect of uniformity in the use of authentication factors for online banking, the approaches seem to follow a general trend, which pertains to the use of two factor authentication. Some of the facilities available in this area are described below.

    3.0 Mutual authentication

    Mutual authentication or two way authentication can be provided between the user and the Organization. It refers to two parties authenticating each other. When describing online authentication processes, mutual authentication is referred to as website-to-user authentication. By means of this authentication, the user knows that he/she is on the valid banking website. Mutual authentication can be implemented by providing some challenge questions. The customer selects the image (identifiable picture), image title and a text phrase (optional) from a collection of images which are provided on the banking website at the time of enrollment. The customer can further change this image during his first login. Subsequently, when the customer enters the login id and before entering the password, the site randomly asks these challenge questions and, when the user answers them, it displays the image, title and phrase. If the displayed image is correct, the customer can enter the password and log in. If not, the customer can stop logging in and contact the bank. This lets the customer know whether it is the real banking website or a fake website. This facility enables the customer and the server to authenticate each other, which reduces phishing attacks.

    Identifiable pictures (images) are one of the authentication factors that can be used to provide website authentication. These identifiable pictures act as an extra layer of authentication to prevent unauthorized access to accounts and to assure the customer that he/she is at the valid online banking site. Identifiable pictures used for web authentication can be stored in three different ways. They are:

    1. Images stored at the server side (web server),
    2. Images stored at the client side, and
    3. Images divided into two shares, storing one share at the server side and the other share at the client side, and merging the two shares using visual cryptography.

    The above three mechanisms are explained in ANNEXURE I.
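    The login flow described above, modelled as an added example (this is not code from the paper or from any bank); it assumes the identifiable picture is stored on the server side (ANNEXURE I, 1.0) and uses hypothetical names such as BankServer, plus an assumed lock on the challenge step after three wrong answers:

```python
import hashlib
import hmac
import os
import secrets


def _derive(secret, salt):
    """Slow salted hash, used for the password and for challenge answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def _norm(answer):
    """Normalise a challenge answer so that 'Blue ' and 'blue' compare equal."""
    return " ".join(answer.lower().split())


class BankServer:
    """Hypothetical bank-side state for the three-step login (not a real product)."""

    MAX_CHALLENGE_FAILURES = 3  # assumption: lock the challenge after 3 wrong answers

    def __init__(self):
        self.users = {}
        self.sessions = {}

    def enroll(self, login_id, password, picture, challenges):
        """Enrollment: the customer picks a picture (id, title, phrase) and answers
        the challenge questions; only salted hashes of the secrets are stored."""
        salt = os.urandom(16)
        self.users[login_id] = {
            "salt": salt,
            "pw": _derive(password, salt),
            "picture": picture,
            "challenges": {q: _derive(_norm(a), salt) for q, a in challenges.items()},
            "failures": 0,
        }

    def begin_login(self, login_id):
        """Step 1: the customer sends only the login id. The server answers with a
        randomly chosen challenge question and never with the picture."""
        user = self.users.get(login_id)
        if user is None:
            # Unknown id: still ask a question so that ids cannot be enumerated.
            question = "What is the name of your first school?"
        else:
            question = secrets.choice(sorted(user["challenges"]))
        token = secrets.token_hex(16)
        self.sessions[token] = {"login_id": login_id, "question": question, "stage": "challenge"}
        return token, question

    def answer_challenge(self, token, answer):
        """Step 2: the picture, title and phrase are released only after a correct
        answer, so a site that does not hold the repository cannot show them."""
        session = self.sessions.pop(token, None)
        if session is None or session["stage"] != "challenge":
            return None
        user = self.users.get(session["login_id"])
        if user is None or user["failures"] >= self.MAX_CHALLENGE_FAILURES:
            return None
        expected = user["challenges"][session["question"]]
        if hmac.compare_digest(_derive(_norm(answer), user["salt"]), expected):
            user["failures"] = 0
            session["stage"] = "password"
            self.sessions[token] = session  # keep the session for the password step
            return user["picture"]
        user["failures"] += 1
        return None

    def finish_login(self, token, password):
        """Step 3: having recognised the picture, the customer sends the password."""
        session = self.sessions.pop(token, None)
        if session is None or session["stage"] != "password":
            return False
        user = self.users[session["login_id"]]
        return hmac.compare_digest(_derive(password, user["salt"]), user["pw"])
```

    A wrong challenge answer or a wrong password discards the session, so each attempt has to start again from the login id.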

    3.1 Challenge-Response mechanism

    A Challenge-Response mechanism can be implemented for high value transactions which exceed some threshold. This threshold value depends on the bank. When the customer initiates a transaction beyond the threshold value, the bank site can pose a challenge question and, if the customer answers it, he/she can proceed with the transaction. This facility provides an extra layer of authentication on top of two factor authentication (password and OTP).

    4.0 Multi factor authentication

    Multi factor authentication requires two or more of the three factors used for authenticating the user. Multi factor authentication provides users higher levels of protection against online banking fraud. Multi factor authentication includes biometrics (something the user is) as one factor; hence it improves security for online banking customers and reduces online fraud. This authentication can be provided for customers (corporate or individual) who make transactions beyond the threshold value set by the bank.


    5.0 SMS alert

    An SMS can be sent to the customer immediately after a transaction. An SMS can also be sent to the customer after logging on to the online banking website. This makes the customer aware of any unauthorized login or access to his/her account.

    SMS alerts, as the name suggests, only alert the customer. They can complement the authentication factors listed above.

    6.0 Identifiable pictures used as authentication factor

    Identifiable pictures can also be used as a password for authentication. These pictures can be used to generate a graphical password every time the user logs in, from a set of images stored in the client's computer. These images can act as one of the authentication factors (password).

    7.0 Suggestions

    The following table outlines the broad levels of authentication suggested for enhancing the level of security in the authentication process for online banking in the Indian context.

    The table has five columns: Suggestion, Risk mitigation, Ease of use, Cost, and Strengths/Weakness. Each row is given below as a labelled entry.

    Suggestion 1: Mutual authentication between the user and the Organization using identifiable features, such as specific pictures selected by the user-customer.
    Risk mitigation: Reduces the risks associated with phishing attacks.
    Ease of use: User friendly and easy to use, remember and implement; there are no major overheads for the bank either.
    Cost: Minor costs for the banks; no cost implication for the customer.
    Strength: It provides an extra layer of user authentication and helps the user identify the real website.
    Weakness: If the entire repository of information storing the user features is compromised or breached, then the factor loses its significance.

    Suggestion 2: Challenge-Response mechanism for high value transactions which exceed a particular threshold level.
    Risk mitigation: Reduces phishing type attacks, incidents arising out of MIM (man in the middle) attacks, and easy pattern recognition. Reduces the risk of unauthorized access to accounts and enhances the safety of large value transactions.
    Ease of use: Easy to use by simply answering questions, and can be implemented for transactions which cross the threshold.
    Cost: Cost is involved at the bank end for posing the challenge questions. No cost is involved as far as the customer is concerned.
    Strength: This can be used as an extra layer of authentication to reduce online fraud and improve security.
    Weakness: It becomes difficult for a customer to remember many challenge questions for different types of authentication. This may entice him to use the same question across multiple locations and not change them at all for long periods of time. The weaknesses associated with passwords may apply to this factor as well.

    Suggestion 3: Multi factor authentication can be provided for the transactions which exceed a specific threshold level.
    Risk mitigation: Reduces the risks related to identity theft, man in the middle attacks, etc.
    Ease of use: Easy to use.
    Cost: As biometrics is used, cost will be involved for the bank as well as the customer.
    Strength: This provides a secure environment since multiple factors are used.
    Weakness: The customer has to navigate through multiple levels of complexity, making it cumbersome. Challenges associated with rejection of certain factors such as biometrics for some target population groups do exist, thus resulting in customer difficulties.


    8.0 Various authenticating mechanisms categorized into this matrix, so that banks can offer multiple options and customers choose what is right for them

    The matrix places each mechanism on two axes: "easy to crack" to "difficult to crack" across, and "easy to implement" to "difficult to implement" down. Its cells read as follows.

    Easy to use and difficult to crack:
    1. Mutual authentication by identifiable pictures provides easy access and is somewhat difficult to crack; it provides an extra layer of site authentication beyond two factor authentication.
    2. Username and password along with an OTP (by SMS or hard token) is easy to use and difficult to crack.

    Difficult to use and difficult to crack:
    1. Authentication using smart cards and hard tokens (security devices) is difficult to use and difficult to crack.
    2. Biometric authentication is also difficult to crack and difficult to use.
    3. Multi factor authentication also provides strong authentication, but at high cost.

    Easy to use and easy to crack:
    1. Username and password is easy to use and also easy to crack.


    ANNEXURE –I

    The three different mechanisms of storing the identifiable pictures and authenticating the users to provide online security are:

    1. Authentication using identifiable pictures (images) stored at server side
    2. Authentication using identifiable pictures stored at client side
    3. Authentication using Visual cryptography

    1.0 Authentication using identifiable pictures (images) stored at server side (web server)

    Users can select their desired images (identifiable picture) displayed on the bank's site, and the bank's server stores the image in its database. If the bank's server displays the customer's image while logging in, before the password is entered, the customer can be assured that he/she is at the original online bank website. For example, in the site key mechanism [1], the bank's site stores an image and text on the bank's server and displays it when the customer logs in. This assures the customer that he is at the valid banking site.

    1.1 Advantages

    1. It helps the customers to recognize whether they are at the valid banking site or at a fraudulent site.
    2. It adds another layer of online security to online banking and prevents unauthorized access to the accounts.
    3. It lowers the risk of identity theft and fraud.
    4. It reduces the risks related to phishing attacks.

    1.2 Disadvantages

    1. This does not fully reduce man-in-the-middle attacks.

    2.0 Authentication using identifiable pictures stored at client side

    Identifiable pictures can also be stored on the client side computer for assuring the user that he is on the real site and not on a phishing site. In this, the user himself provides some images; the server randomly takes some parts of the images and displays the image, and then the user enters the password.

    The picture password mechanism is a novel integration of client side secrets and graphical passwords [2] [3]. It asks the user to create a graphical password by choosing four images in a particular order from a set of twelve. This set of twelve images, taken from a large set of images, is stored in the client's computer. Every time the user logs in, he/she has to enter the particular four images in the same order to get the graphical password. It is impossible for the phisher to know the twelve image set and to get the right set of images in the right order.

    2.1 Advantages

    1. With this method, users did not reveal even a single image from their password during the phishing attempt and, in a blind test, none revealed the entire password.
    2. This feature reduces brute force attacks and search attacks when compared to the site key.

    2.2 Disadvantages

    1. This method can be used only when users log in from the computer from which they registered.
    2. It does not recognize the phishing site when the user logs in from another device or computer.

    3.0 Authentication using Visual cryptography

    Visual cryptography is a cryptographic technique which allows visual information (pictures, text, etc.) to be encrypted in such a way that the decryption can be performed by the human visual system [4, 5]. It is a visual secret sharing scheme, where an image is broken up into N shares so that only someone with all N shares can decrypt the image, while any N-1 shares reveal no information about the original image. It is as if each share were printed on a separate transparency, and decryption performed by overlaying the shares. Only when all N shares are overlaid does the original image appear.

    The concept of visual cryptography can be used in Internet banking. The picture is divided into two shares; one share can be stored at the bank's server and the other share at the client side. The customer is already provided with one share image and, when he/she logs in, the bank's server provides the other secret share image; using the visual cryptographic technique, the two transparencies are overlaid and the decrypted image is displayed. It is not possible to retrieve the secret information from one of the shares. Images can be of any format; jpg, png or bitmap images can be used.

    3.1 Image Decryption using visual Cryptography

    In this mechanism, the share 1 image is stored at the server side and the share 2 image is stored at the client side, i.e. on the client's computer. When the customer logs in to the banking site, the server side image transparency is merged through the visual cryptographic technique with the client side stored image, and the overlapped decrypted image is displayed as shown in Figure 1, so that the customer can proceed with the further login process.

    [Figure 1: Image decryption using visual cryptography. Panels: Share 1, Share 2, Share 1 + Share 2.]

    3.2 Text decryption using Visual Cryptography

    Figure 2 shows text encryption using visual cryptography. In Figure 2 below, the IDRBT text message has been split into two shares. The original logo is split into two of the same blocks that have full black and white pixels. When these two blocks are overlaid, they align exactly and the result is a light-colored block with half white and half black pixels. If only one share is given, a second share can be crafted to reveal any possible image; hence, individual shares reveal no information about the original image [4].


    [Figure 2: Text decryption using visual cryptography. Panels: Share 1, Share 2, Share 1 + Share 2 (revealing the text "IDRBT").]
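    The (2,2) visual secret sharing scheme of sections 3.0 to 3.2, as an added worked example written for this page (not the paper's own implementation): each secret pixel is expanded into a 2x2 block, overlaying is a per-pixel OR, and craft_partner_share shows the "any image from one share" property the paper quotes from [4]. The sample image is constructed.

```python
import secrets

# The six 2x2 patterns with exactly two black pixels (1 = black, 0 = white).
# Every share block is one of these, so a share on its own looks like uniform noise.
PATTERNS = [
    ((1, 0), (0, 1)), ((0, 1), (1, 0)),
    ((1, 1), (0, 0)), ((0, 0), (1, 1)),
    ((1, 0), (1, 0)), ((0, 1), (0, 1)),
]
# Index of the pattern whose black pixels are exactly the other pattern's white pixels.
COMPLEMENT = {0: 1, 1: 0, 2: 3, 3: 2, 4: 5, 5: 4}

# Constructed sample secret: the letter "I" on a 5x5 grid (not the paper's figure).
SECRET = "#####\n..#..\n..#..\n..#..\n#####"


def parse_image(text):
    """'#' is a black pixel and '.' a white one (constructed sample format)."""
    return [[1 if ch == "#" else 0 for ch in line] for line in text.strip().splitlines()]


def render(image):
    return "\n".join("".join("#" if px else "." for px in row) for row in image)


def _put_block(share, y, x, pattern):
    for dy in range(2):
        for dx in range(2):
            share[2 * y + dy][2 * x + dx] = pattern[dy][dx]


def _block_index(share, y, x):
    block = tuple(tuple(share[2 * y + dy][2 * x + dx] for dx in range(2)) for dy in range(2))
    return PATTERNS.index(block)


def make_shares(image, rng=secrets.randbelow):
    """Split image into two shares, each pixel becoming a 2x2 block. Share 1 gets a
    random pattern per pixel; share 2 gets the same pattern for a white pixel and
    the complementary pattern for a black one."""
    h, w = len(image), len(image[0])
    share1 = [[0] * (2 * w) for _ in range(2 * h)]
    share2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            p = rng(len(PATTERNS))
            q = COMPLEMENT[p] if image[y][x] else p
            _put_block(share1, y, x, PATTERNS[p])
            _put_block(share2, y, x, PATTERNS[q])
    return share1, share2


def overlay(share1, share2):
    """Stacking two transparencies: a pixel is black if it is black on either share."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def reconstruct(stacked):
    """Read the secret back: a fully black block is a black pixel, a half-black
    block (the paper's 'light-colored' block) is a white pixel."""
    h, w = len(stacked) // 2, len(stacked[0]) // 2
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            black = sum(stacked[2 * y + dy][2 * x + dx] for dy in range(2) for dx in range(2))
            out[y][x] = 1 if black == 4 else 0
    return out


def looks_like_noise(share):
    """True when every block carries exactly two black pixels, whatever the secret."""
    h, w = len(share) // 2, len(share[0]) // 2
    counts = {sum(share[2 * y + dy][2 * x + dx] for dy in range(2) for dx in range(2))
              for y in range(h) for x in range(w)}
    return counts == {2}


def craft_partner_share(share, target):
    """Given one share, build a second share that decodes to any chosen target image.
    This is exactly why an intercepted single share gives away nothing."""
    h, w = len(target), len(target[0])
    partner = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            p = _block_index(share, y, x)
            _put_block(partner, y, x, PATTERNS[COMPLEMENT[p] if target[y][x] else p])
    return partner
```

    Printing render(share1) next to render(reconstruct(overlay(share1, share2))) reproduces the effect of Figure 1 in text form.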

    3.3 Advantages of visual cryptography

    1. An essential advantage of visual cryptography is that there is no need for any previous knowledge or experience in the field of cryptography in order to apply it.
    2. It is impossible to retrieve the information when one share is intercepted.
    3. Visual cryptography is performed only with the combination of two shares. Hence it can reduce phishing attacks to some extent.

    3.4 Disadvantages

    1. If the customer logs in from any other device or computer, this system gives no assurance against a phishing site, as the client side secret is stored within the registered computer.

    3.5 Challenges in implementation

    1. An image has to be split into two shares, and merging the shares and displaying the decrypted image should take very little time.
    2. Since one share is stored in the client's computer, the customer can log in only from the registered computer. He is not able to log in from any other unregistered computer.


    4.0 Conclusion

    This paper describes the use of identifiable pictures for authentication in Internet banking. These pictures or images can be used for website authentication and to identify phishing websites, thereby reducing fraud and phishing. We explained the three ways of storing these pictures: storing images at the server side, storing images at the client side, and storing one image share on the server and the other share in the client's computer and merging the shares using the concept of visual cryptography. In this concept, neither share on its own can reveal the image; only the combination of the two shares reveals the decrypted image, hence reducing phishing attacks and man in the middle attacks.

    5.0 References

    1. Fraud Vulnerabilities in Site Key Security at Bank of America, Review draft to Bank of America/RSA: June 26, 2006, Cambridge, MA, July 18, 2006. http://www.redforcelabs.com/Documents/SiteKey.pdf
    2. Picture password protects your account from phishing, 4 November 2011. http://www.newscientist.com/blogs/onepercent/2011/11/forgettable-password-protects.html
    3. PhorceField: A Phish-Proof Password Ceremony. http://www.cs.sunysb.edu/~rob/papers/phorcefield.pdf
    4. Visual Cryptography, Wikipedia. http://en.wikipedia.org/wiki/Visual_cryptography
    5. Visual Cryptography. http://users.telenet.be/d.rijmenants/en/visualcrypto.htm
