
hPIN/hTAN: A Lightweight and Low-Cost E-Banking Solution against Untrusted Computers

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7035)

Abstract

In this paper, we propose hPIN/hTAN, a low-cost hardware token based PIN/TAN system for protecting e-banking systems against the strong threat model where the adversary has full control over the user’s computer. This threat model covers various kinds of attacks related to untrusted terminal computers, such as keyloggers, screen scrapers, session hijackers, Trojan horses and transaction generators.

The core of hPIN/hTAN is a secure and easy user-computer-token interface. The security is guaranteed by this interface together with two underlying security protocols for user/server/transaction authentication. The hPIN/hTAN system is designed as an open framework so that the underlying authentication protocols can be easily reconfigured. To minimize cost and maximize usability, we chose two security protocols that depend only on simple cryptography (a cryptographic hash function).

In contrast to other hardware-based solutions, hPIN/hTAN depends on neither a second trusted channel, nor a secure keypad, nor an external trusted center. Our prototype implementation does not involve cryptography beyond a cryptographic hash function. The minimalistic design can also help increase security, because more complicated systems tend to have more security holes. As an important feature, hPIN/hTAN exploits the human user's active involvement in the whole process to compensate for security weaknesses caused by careless human behavior.
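The abstract states the threat model (an adversary with full control of the user's PC) and that both authentication protocols rest on a cryptographic hash function alone, but the page does not reproduce the protocols themselves. The following added example is not the paper's protocol or prototype code; it is an illustrative model, written for this page, of why hash-based challenge-response plus a tag computed by the token over the transaction the user confirms on the token's own display defeats a compromised host. The `Token` and `BankServer` classes, the `canonical` encoding, the `"auth|"`/`"tx|"` domain-separation prefixes, the shared `TOKEN_SECRET` and the sample transactions are all constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed placeholder secret for the demo. In a real deployment the secret
# exists only inside the hardware token and on the bank's server; the host PC
# never sees it, which is what makes a keylogger or screen scraper useless.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"


def canonical(tx: dict) -> bytes:
    """Canonical encoding of exactly the fields the token shows to the user."""
    return f"{tx['to']}|{tx['amount']}|{tx['currency']}".encode()


class Token:
    """Model of the hardware token: holds the secret, shows the transaction on
    its own display and computes a tag only after the user confirms it."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def auth_response(self, nonce: bytes) -> bytes:
        # User/server authentication as hash-based challenge-response: the token
        # proves possession of the secret without the host ever learning it.
        return hmac.new(self._secret, b"auth|" + nonce, hashlib.sha256).digest()

    def transaction_tag(self, nonce: bytes, tx: dict,
                        user_confirms: Callable[[dict], bool]) -> Optional[bytes]:
        # The user checks the transaction on the TOKEN's display, not the PC's,
        # so a host that alters what it forwards to the token is caught here.
        if not user_confirms(tx):
            return None
        msg = b"tx|" + nonce + b"|" + canonical(tx)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class BankServer:
    """Server side: shares the token secret and recomputes every tag."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._nonces: set = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    def _use_nonce(self, nonce: bytes) -> bool:
        # Each challenge is accepted once, so a recorded response cannot be replayed.
        if nonce not in self._nonces:
            return False
        self._nonces.remove(nonce)
        return True

    def verify_user(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self._secret, b"auth|" + nonce, hashlib.sha256).digest()
        return self._use_nonce(nonce) and hmac.compare_digest(expected, response)

    def verify_transaction(self, nonce: bytes, tx: dict, tag: bytes) -> bool:
        msg = b"tx|" + nonce + b"|" + canonical(tx)
        expected = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return self._use_nonce(nonce) and hmac.compare_digest(expected, tag)


def untrusted_host_transfer(intended: dict, shown_to_token: dict,
                            sent_to_server: dict) -> str:
    """Run one transfer through a host the adversary controls. The host decides
    what the token is given (shown_to_token) and what the server receives
    (sent_to_server); the user only approves what matches their intent."""
    token, server = Token(TOKEN_SECRET), BankServer(TOKEN_SECRET)
    # Step 1: login by challenge-response (PIN entry into the token is omitted).
    n1 = server.challenge()
    if not server.verify_user(n1, token.auth_response(n1)):
        return "login failed"
    # Step 2: transaction authentication bound to a fresh server challenge.
    n2 = server.challenge()
    tag = token.transaction_tag(n2, shown_to_token,
                                user_confirms=lambda shown: shown == intended)
    if tag is None:
        return "rejected by user"      # the token display revealed the tampering
    if not server.verify_transaction(n2, sent_to_server, tag):
        return "rejected by server"    # tag covers a different transaction
    return "accepted"


# Constructed sample transactions (IBANs are placeholders, not real accounts).
INTENDED = {"to": "DE00 0000 0000 0000 0000 00", "amount": "100.00", "currency": "EUR"}
TAMPERED = {"to": "DE99 9999 9999 9999 9999 99", "amount": "9000.00", "currency": "EUR"}

if __name__ == "__main__":
    print("honest host:          ", untrusted_host_transfer(INTENDED, INTENDED, INTENDED))
    print("tampered before token:", untrusted_host_transfer(INTENDED, TAMPERED, TAMPERED))
    print("tampered after token: ", untrusted_host_transfer(INTENDED, INTENDED, TAMPERED))
```

The two tampering cases correspond to the two places a malicious host can act: alter the transaction before it reaches the token (the user sees the wrong data on the token display and does not confirm) or after the token has tagged it (the server's recomputed tag no longer matches). The per-challenge nonce, consumed once on the server, is the caveat a practitioner would add so that a tag captured by the host cannot be replayed later.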

Companion web page (with a full edition of this paper): http://www.hooklee.com/default.asp?t=hPIN/hTAN



Editor information

George Danezis


Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Li, S., Sadeghi, A.-R., Heisrath, S., Schmitz, R., Ahmad, J.J. (2012). hPIN/hTAN: A Lightweight and Low-Cost E-Banking Solution against Untrusted Computers. In: Danezis, G. (ed.) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_19

  • DOI: https://doi.org/10.1007/978-3-642-27576-0_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27575-3

  • Online ISBN: 978-3-642-27576-0

  • eBook Packages: Computer Science (R0)