Countering Phishing with TPM-bound Credentials
As electronic banking is an important part of e-commerce, it is increasingly targeted by attackers. The majority of these attacks try to steal credentials, usually PINs and TANs, from the user. In this paper, we propose to use a machine's Trusted Platform Module to bind an electronic banking account to a specific machine. As a result, an attacker cannot use stolen credentials for fraudulent transactions unless he/she also controls the machine to which the account is bound. The platform authentication is based on a non-migratable TPM key in conjunction with a client certificate. This client certificate is used for authentication within the SSL/TLS handshake when an online banking session is established.
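The binding described above, reduced to its core check, as an added Go example that is not from the paper: a machine key whose private half is never exported stands in for the non-migratable TPM key, and the bank stores the PIN hash together with that machine's public key (the paper carries the key inside a TLS client certificate rather than as a raw public key). Ed25519 in place of the TPM's key type, the account names and the PINs are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// MachineKey models a non-migratable TPM key: the private half never leaves the struct.
type MachineKey struct{ priv ed25519.PrivateKey }

func NewMachineKey() (*MachineKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &MachineKey{priv: priv}, nil
}

// Public is what the bank enrolls (the paper wraps it in a client certificate).
func (k *MachineKey) Public() ed25519.PublicKey { return k.priv.Public().(ed25519.PublicKey) }
// Sign is the only other operation, mirroring a TPM that signs but never exports the key.
func (k *MachineKey) Sign(challenge []byte) []byte { return ed25519.Sign(k.priv, challenge) }

// Binding is the bank's per-account record: PIN hash plus the bound machine's public key.
type Binding struct {
	PINHash [32]byte
	Machine ed25519.PublicKey
}
type Bank struct{ accounts map[string]Binding }
func NewBank() *Bank { return &Bank{accounts: map[string]Binding{}} }

// Enroll binds an account to a PIN and to one machine key; done once, out of band.
func (b *Bank) Enroll(account, pin string, machine ed25519.PublicKey) {
	b.accounts[account] = Binding{PINHash: sha256.Sum256([]byte(pin)), Machine: machine}
}

// Authorize needs both factors: the PIN and a bank-issued challenge signed by the bound machine.
func (b *Bank) Authorize(account, pin string, challenge, sig []byte) error {
	bind, ok := b.accounts[account]
	h := sha256.Sum256([]byte(pin))
	if !ok || subtle.ConstantTimeCompare(h[:], bind.PINHash[:]) != 1 {
		return errors.New("unknown account or wrong PIN")
	}
	if !ed25519.Verify(bind.Machine, challenge, sig) {
		return errors.New("challenge not signed by the machine bound to this account")
	}
	return nil
}
```

A phished PIN presented from any other machine fails the second check, which is the property the abstract claims; the bank must issue a fresh challenge per session so a captured signature cannot be replayed.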
Keywords: Banking Account; Trusted Platform Module; Personal Identification Number; Authentication Phase; Trust Network