Enhanced Security of Internet Banking Authentication with EXtended Honey Encryption (XHE) Scheme
The rapid growth in security incidents and data breaches in recent years has raised concern about the security of Internet banking. Existing Internet banking authentication mechanisms, which rely primarily on conventional password-only authentication, cannot adequately resist current password guessing and password cracking attacks. To address this problem, this paper proposes an eXtended Honey Encryption (XHE) scheme that adds a further layer of protection to the existing user authentication mechanism. When a malicious user attempts to gain unauthorized access to an online bank account by entering a guessed password, the XHE algorithm does not reject the attempt; instead it generates indistinguishable bogus bank data and redirects the attacker to a fake user account, so that the attacker cannot determine whether the guessed password is correct. This increases the cost of password guessing and cracking attacks. The paper also provides an in-depth study of attack models on password-based authentication mechanisms and their countermeasures, followed by a preliminary study of the Malaysian online banking authentication system.
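The abstract describes the scheme at the level of its effect (a wrong guess yields convincing bogus data rather than a rejection). The block below is an added illustration of the honey-encryption principle that XHE builds on; it is example code written for this page, not the paper's XHE implementation, and it covers a single account field rather than a whole decoy account. It implements a distribution-transforming encoder (DTE) over a constructed prior for account balances and combines it with a password-derived keystream in the style of Juels and Ristenpart. Decrypting with the real password recovers the true balance; decrypting with any wrong guess produces a seed that is uniform over the seed space, which the DTE decodes into a plausible decoy balance drawn from the same prior, so an offline guesser gets no signal from the output. The balance range, the Zipf-like prior, the 32-bit seed, the PBKDF2 parameters and all function names are assumptions made for the example.

```python
"""Toy honey encryption for one bank-account field (added example, not the
paper's XHE code). A DTE maps a balance to a seed that is uniform over the
seed space; the seed is XORed with a password-derived keystream. Any wrong
password yields a uniformly random seed, which decodes to a plausible balance."""
import bisect
import hashlib
import hmac
import secrets

# Message space (constructed assumption): whole-ringgit balances 0..MAX_BALANCE-1
# with a Zipf-like prior, so small balances are more common than large ones.
# A real deployment would fit this prior to real account data.
MAX_BALANCE = 100_000
SEED_BITS = 32
SEED_SPACE = 1 << SEED_BITS
PBKDF2_ITERATIONS = 50_000  # assumption; tune for the deployment

# Integer weights avoid float rounding: weight[b] ~ 1/(b+1).
_weights = [10**6 // (b + 1) for b in range(MAX_BALANCE)]
_total = sum(_weights)
_cum = [0]
for _w in _weights:
    _cum.append(_cum[-1] + _w)
# SEED_BOUNDS[b] is the first seed that decodes to balance b; the last entry
# closes the final bucket at SEED_SPACE so every 32-bit seed decodes to something.
SEED_BOUNDS = [c * SEED_SPACE // _total for c in _cum]
SEED_BOUNDS[-1] = SEED_SPACE


def dte_encode(balance: int) -> int:
    """Map a balance to a seed chosen uniformly within that balance's bucket."""
    if not 0 <= balance < MAX_BALANCE:
        raise ValueError("balance outside the message space")
    lo, hi = SEED_BOUNDS[balance], SEED_BOUNDS[balance + 1]
    return lo + secrets.randbelow(hi - lo)


def dte_decode(seed: int) -> int:
    """Map any seed in [0, SEED_SPACE) back to the balance whose bucket holds it."""
    if not 0 <= seed < SEED_SPACE:
        raise ValueError("seed outside the seed space")
    # bisect_right counts bounds <= seed; bucket index is one less.
    return bisect.bisect_right(SEED_BOUNDS, seed) - 1


def _keystream(password: str, salt: bytes, nonce: bytes) -> int:
    """Derive a SEED_BITS-wide one-time pad from the password (PBKDF2 then HMAC)."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    pad = hmac.new(key, nonce, hashlib.sha256).digest()[: SEED_BITS // 8]
    return int.from_bytes(pad, "big")


def he_encrypt(balance: int, password: str) -> bytes:
    """Return salt || nonce || (DTE seed XOR keystream)."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    masked = dte_encode(balance) ^ _keystream(password, salt, nonce)
    return salt + nonce + masked.to_bytes(SEED_BITS // 8, "big")


def he_decrypt(blob: bytes, password: str) -> int:
    """Decrypt with ANY password: the right one gives the real balance, a wrong
    one gives a decoy from the same prior, never an error."""
    if len(blob) != 32 + SEED_BITS // 8:
        raise ValueError("malformed ciphertext")
    salt, nonce, ct = blob[:16], blob[16:32], blob[32:]
    seed = int.from_bytes(ct, "big") ^ _keystream(password, salt, nonce)
    return dte_decode(seed)


def demo(real_balance: int = 2_500, password: str = "correct-horse",
         guesses=("123456", "password", "qwerty")) -> dict:
    """Encrypt one balance and show what each candidate password decrypts to."""
    blob = he_encrypt(real_balance, password)
    results = {"real": he_decrypt(blob, password)}
    for guess in guesses:  # each wrong guess yields a plausible, stable decoy
        results[guess] = he_decrypt(blob, guess)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats carry over to any deployment of this idea. The decoys are only as convincing as the prior: if the attacker has side information (the approximate real balance, a known transaction) or the bogus data is internally inconsistent (a balance that does not match the account's history), a guess can still be checked. And honey encryption addresses offline guessing against captured data; it does not remove the need for rate limiting and lockout on the live login endpoint.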
Keywords: Internet banking security; Authentication; Password-based attack; Honey Encryption
This work was supported by a research grant from Universiti Sains Malaysia (USM) [1001/PKOMP/811334]. The authors also thank COMPSE 2016, the First EAI International Conference on Computer Science and Engineering, November 11–12, 2016, Penang, Malaysia.
- 1. Department of Statistics, Bank Negara Malaysia. (2017). Malaysia's payment statistics: Internet banking and mobile banking subscribers. Retrieved March 31, 2017, from http://www.bnm.gov.my/index.php?ch=34&pg=163&ac=4&bb=filed.
- 4. Boonkrong, S. (2017). Internet banking login with multi-factor authentication. KSII Transactions on Internet and Information Systems, 11(1), 511–535.
- 5. Diffie, W., & Hellman, M. E. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644–654.
- 6. Wang, X., Feng, D., Lai, X., & Yu, H. (2004). Collisions for hash functions MD4, MD5, HAVAL-128 and RIPEMD. Cryptology ePrint Archive, Report 2004/199 (16 Aug 2004, revised 17 Aug 2004). Retrieved March 30, 2017, from http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf.
- 7. Stevens, M. (2013). New collision attacks on SHA-1 based on optimal joint local-collision analysis. In EUROCRYPT 2013, LNCS (Vol. 7881, pp. 245–261). Springer.
- 8. Juels, A., & Ristenpart, T. (2014). Honey Encryption: Encryption beyond the brute-force barrier. IEEE Security & Privacy, 12(4), 59–62.
- 9. Juels, A., & Ristenpart, T. (2014). Honey Encryption: Security beyond the brute-force bound. In EUROCRYPT 2014, LNCS (Vol. 8441, pp. 293–310). Springer.
- 10. Verizon. (2016). 2016 Data breach investigations report. Retrieved March 30, 2017, from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.
- 11. Bonneau, J. (2012). The science of guessing: Analyzing an anonymized corpus of 70 million passwords. In Proceedings of the IEEE Symposium on Security and Privacy (pp. 538–552), California, USA.
- 12. Florencio, D., & Herley, C. (2007). A large-scale study of web password habits. In Proceedings of the 16th International Conference on World Wide Web (pp. 657–666), Banff, Canada.
- 13. CSID. (2012). Consumer survey: Password habits. A study of password habits among American consumers. Retrieved March 30, 2017, from https://www.csid.com/wpcontent/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf.
- 14. Hauser, V. THC-Hydra. Retrieved April 30, 2017, from https://github.com/vanhauser-thc/thc-hydra.
- 15. Shuanglei, Z. RainbowCrack. Retrieved April 30, 2017, from http://project-rainbowcrack.com/.
- 17. Gosney, J. M. (2012). Password cracking HPC. In Passwords^12 Security Conference, Oslo, Norway. Retrieved April 30, 2017, from http://passwords12.at.ifi.uio.no/Jeremi_Gosney_Password_Cracking_HPC_Passwords12.pdf.
- 18. Herley, C., & Florencio, D. (2008). Protecting financial institutions from brute-force attacks. In Proceedings of the 23rd International Information Security Conference (pp. 682–685).
- 19. Herley, C., Florencio, D., & van Oorschot, P. C. (2014). An administrator's guide to Internet password research. In Proceedings of the 28th USENIX Large Installation System Administration Conference (LISA14). https://www.microsoft.com/en-us/research/publication/an-administrators-guide-to-internet-password-research/; http://research.microsoft.com/apps/pubs/?id=227130.
- 20. Shirey, R. (2007). Internet security glossary, version 2. RFC 4949.
- 21. Tan, S. F., & Samsudin, A. (2017). Enhanced security for public cloud storage with honey encryption. Advanced Science Letters, 23(5).
- 22. Pinkas, B., & Sander, T. (2002). Securing passwords against dictionary attacks. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS).
- 23. Kaspersky Lab. (2017, February). Financial cyberthreats in 2016. Retrieved March 30, 2017, from https://media.scmagazine.com/documents/287/kaspersky_lab_financial_cybert_71527.pdf.
- 24. Dhamija, R., & Tygar, J. D. (2005). The battle against phishing: Dynamic security skins. In Proceedings of the Symposium on Usable Privacy and Security (SOUPS), ACM International Conference Proceeding Series (pp. 77–88). ACM Press.
- 25. InfoSec Institute. PhishSim. Retrieved April 30, 2017, from https://www.infosecinstitute.com/phishsim.
- 26. InfoSec Institute. SecurityIQ. Retrieved April 30, 2017, from https://securityiq.infosecinstitute.com/.
- 27. InfoSec Institute. AwareEd. Retrieved April 30, 2017, from https://www.infosecinstitute.com/aware-ed.
- 28. FireEye. Best defense against spear-phishing: Recognize and defend against the signs of an advanced cyber attack. FireEye resource archive. Retrieved March 30, 2017, from https://www.fireeye.com/current-threats/best-defense-against-spear-phishing-attacks.html.
- 29. Whigham, N. (2016, March). Sophisticated malware detected that steals online banking passwords, thwarts text authentication. News.com.au. Retrieved March 30, 2017, from http://www.news.com.au/technology/online/security/sophisticated-malware-detected-that-steals-online-banking-passwords-thwarts-text-authentication/news-story/afa5cf65dfcd350acc069aaf41545e39.
- 30. RSA. Making sense of man-in-the-browser attacks: Threat analysis and mitigation for financial institutions. RSA report. Retrieved March 30, 2017, from https://www.rsa.com/content/dam/rsa/PDF/Making_Sense_of_Man_in_the_browser_attacks.pdf.
- 31. Top banks in Malaysia. Retrieved March 15, 2017, from http://www.relbanks.com/asia/malaysia.
- 32. Marlinspike, M. (2009). More tricks for defeating SSL in practice. Black Hat USA.
- 33. Juels, A., & Ristenpart, T. (2014). Honey Encryption: Security beyond the brute-force bound. In EUROCRYPT 2014, LNCS (Vol. 8441, pp. 293–310). Springer.
- 34. Tyagi, N., Wang, J., Wen, K., & Zuo, D. (2015). Honey Encryption applications. 6.857 Computer and Network Security, Massachusetts Institute of Technology. Retrieved March 15, 2017, from http://www.mit.edu/~ntyagi/papers/honey-encryption-cc.pdf.
- 35. Huang, Z., Ayday, E., Fellay, J., Hubaux, J.-P., & Juels, A. (2015). GenoGuard: Protecting genomic data against brute-force attacks. In IEEE Symposium on Security and Privacy (pp. 447–462). IEEE.
- 36. Jaeger, J., Ristenpart, T., & Tang, Q. (2016). Honey encryption beyond message recovery security. IACR Cryptology ePrint Archive (pp. 1–28).
- 37. Edwin, M., Samsudin, A., & Tan, S.-F. (2017). Implementing the honey encryption for securing public cloud data storage. In Proceedings of the First International Conference on Computer Science and Engineering.