Countering Phishing with TPM-bound Credentials

  • Ingo Bente
  • Joerg Vieweg
  • Josef von Helden


As electronic banking is an important field of e-commerce, it is increasingly a target of attackers. The majority of these attacks try to steal credentials, usually PINs and TANs, from the user. In this paper, we propose using a machine's Trusted Platform Module to bind an electronic banking account to a particular machine. An attacker is then unable to use stolen credentials for malicious transactions as long as he/she does not control the machine to which the account is bound. The platform authentication is based on a non-migratable TPM key in conjunction with a client certificate. This client certificate is used for authentication within the SSL/TLS handshake when an online banking session is established.
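As an added illustration of the server side of this scheme (example code written for this page, not the paper's own implementation), the bank records only the fingerprint of the client certificate issued for the customer's TPM key, checks it in the TLS handshake hook, and accepts the PIN only within a session that presented that certificate. Account identifiers, PINs and the certificate bytes used by callers are constructed; the TPM itself is not modelled, on the assumption that the private key stays inside it and the bank only ever sees its certificate.

```go
package main

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
)

// Bank stores, per account, the PIN and the fingerprint of the client certificate issued
// for the customer's non-migratable TPM key (the PIN is kept in clear only for brevity).
type Bank struct{ pins, bindings map[string]string }

func NewBank() *Bank { return &Bank{pins: map[string]string{}, bindings: map[string]string{}} }

// certFingerprint identifies a certificate by the SHA-256 of its DER encoding.
func certFingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }

// Enrol binds the account to the certificate presented from the customer's own machine.
func (b *Bank) Enrol(account, pin string, certDER []byte) {
	b.pins[account], b.bindings[account] = pin, certFingerprint(certDER)
}

// VerifyPeerCertificate is the hook a bank server installs in its tls.Config (with
// ClientAuth: tls.RequireAnyClientCert); crypto/tls calls it during the handshake and
// aborts session establishment unless the client certificate is bound to some account.
func (b *Bank) VerifyPeerCertificate(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return errors.New("client certificate required")
	}
	for _, fp := range b.bindings {
		if fp == certFingerprint(rawCerts[0]) {
			return nil
		}
	}
	return errors.New("client certificate not bound to any account")
}

// Login runs after the handshake with the session's peer certificate (taken from
// conn.ConnectionState()): the PIN is accepted only from the machine bound to the account.
func (b *Bank) Login(account, pin string, sessionCertDER []byte) error {
	if b.pins[account] != pin {
		return errors.New("wrong PIN")
	}
	if b.bindings[account] != certFingerprint(sessionCertDER) {
		return errors.New("session certificate is not the one bound to this account")
	}
	return nil
}
```

A PIN captured by phishing therefore fails at Login from any host other than the enrolled machine, and a session from an unenrolled certificate never gets past the handshake.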


Keywords (machine-generated, not supplied by the authors): Banking Account, Trusted Platform Module, Personal Identification Number, Authentication Phase, Trusted Network



Copyright information

© Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH 2011

Authors and Affiliations

  • Ingo Bente, Fachhochschule Hannover – University of Applied Sciences and Arts, Hannover
  • Joerg Vieweg, Fachhochschule Hannover – University of Applied Sciences and Arts, Hannover
  • Josef von Helden, Fachhochschule Hannover – University of Applied Sciences and Arts, Hannover