Analysis of Authentication Technology Trends in the Electronic Financial Transaction Environment

  • 임형진 (Financial Security Agency, Authentication Management Team)
  • 심희원 (Financial Security Agency, Authentication Management Team)
  • 서승현 (Financial Security Agency, Authentication Management Team)
  • 강우진 (Financial Security Agency, Authentication Management Team)
  • Published : 2008.10.30

Abstract

The spread of the Internet and the growth of its user base have made most real-life activities possible online. Internet banking in particular, as a critical activity in which funds move electronically, has seen numerous authentication methods devised and deployed to counter continually growing security threats. To improve the overall security of Internet banking, a variety of security solutions, from user authentication methods to secure transmission methods, are combined and provided end to end. This paper surveys and analyzes the various authentication techniques in use in Korea and abroad, and presents examples of countermeasure technologies that can respond effectively to the continually growing security threats.
