Enhanced Security of Internet Banking Authentication with EXtended Honey Encryption (XHE) Scheme

  • Soo Fun Tan
  • Azman Samsudin
Part of the Studies in Computational Intelligence book series (SCI, volume 741)


The rapid growth of security incidents and data breaches has recently raised concerns about Internet banking security. The existing Internet banking authentication mechanism, which relies primarily on conventional password-only authentication, cannot effectively resist recent password guessing and password cracking attacks. To address this problem, this paper proposes an eXtended Honey Encryption (XHE) scheme that adds a further protection mechanism on top of the existing user authentication mechanism. When a malicious user attempts unauthorized access to an online bank account by entering a guessed password, the XHE algorithm does not reject the access; instead, it generates indistinguishable bogus bank data and redirects the attacker to a fake user account, so that the attacker cannot determine whether the guessed password is correct. This increases the complexity of password guessing and cracking attacks. This paper also provides an in-depth study of attack models on password-based authentication mechanisms and their countermeasures. Subsequently, a preliminary study of Malaysian online banking authentication systems is presented.
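To make the decoy mechanism described in the abstract concrete, the following is an added, simplified Honey Encryption example in Python; it is illustrative code, not the chapter's XHE scheme. Balances pass through a distribution-transforming encoder (DTE) so that decryption under any guessed password yields a balance that is plausible under the assumed prior rather than an error. The balance range, the 1/(b+1) prior and PBKDF2 as the key derivation are assumptions.

```python
import hashlib
import os
import secrets
from bisect import bisect_right
from itertools import accumulate

# Constructed message space: account balances in whole ringgit, 0..MAX_BALANCE.
MAX_BALANCE = 99_999
SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS

# Assumed prior: small balances are far more common than large ones (1/(b+1) weights).
# A deployable DTE would be fitted to real balance statistics; this one only illustrates.
_weights = [1.0 / (b + 1) for b in range(MAX_BALANCE + 1)]
_cdf = list(accumulate(_weights))
# _bounds[b] is the exclusive upper seed bound of balance b; balance b owns
# the seed interval [_bounds[b-1], _bounds[b]), sized in proportion to its prior.
_bounds = [int(c / _cdf[-1] * SEED_SPACE) for c in _cdf]
_bounds[-1] = SEED_SPACE

def dte_encode(balance: int) -> int:
    """Distribution-transforming encoder: a balance -> uniformly random seed in its interval."""
    lo = _bounds[balance - 1] if balance > 0 else 0
    return lo + secrets.randbelow(_bounds[balance] - lo)

def dte_decode(seed: int) -> int:
    """Inverse map: every 32-bit seed decodes to some balance, so no decryption 'fails'."""
    return bisect_right(_bounds, seed)

def _keystream(password: str, salt: bytes) -> bytes:
    # Password-derived pad; PBKDF2 stands in for whatever KDF the scheme uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, SEED_BITS // 8)

def he_encrypt(balance: int, password: str) -> bytes:
    salt = os.urandom(16)
    seed_bytes = dte_encode(balance).to_bytes(SEED_BITS // 8, "big")
    return salt + bytes(a ^ b for a, b in zip(seed_bytes, _keystream(password, salt)))

def he_decrypt(blob: bytes, password: str) -> int:
    salt, ct = blob[:16], blob[16:]
    seed = int.from_bytes(bytes(a ^ b for a, b in zip(ct, _keystream(password, salt))), "big")
    return dte_decode(seed)  # a wrong password yields a different seed and a bogus balance

if __name__ == "__main__":
    blob = he_encrypt(1250, "correct-horse")
    print("correct password ->", he_decrypt(blob, "correct-horse"))
    for guess in ("password1", "123456", "qwerty"):
        print(f"guess {guess!r} -> plausible decoy balance", he_decrypt(blob, guess))
```

Because every seed decodes to a valid balance, a guessing attacker gets no "wrong password" signal from the decrypted data itself; the quality of the decoys depends entirely on how well the DTE prior matches real data.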


Keywords: Internet banking security; Authentication; Password-based attack; Honey Encryption



This work was supported by a research grant from Universiti Sains Malaysia (USM) [1001/PKOMP/811334]. The authors also thank COMPSE 2016, the First EAI International Conference on Computer Science and Engineering, November 11–12, 2016, Penang, Malaysia.



Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. School of Computer Sciences, Universiti Sains Malaysia, Penang, Malaysia
