• Review of KIISC
• /
• v.20 no.6
• /
• pp.17-27
• /
• 2010

전자금융거래는 사용자의 컴퓨터에 악성 프로그램이 설치될 수 있다는 환경에서도 신뢰성 있는 서비스가 요구된다. 하지만 국내의 전자금융거래는 아직까지 MITB(Man-In-The-Browser)공격에 취약한 상태이다. 이 논문에서는 MITB 공격의 동작원리와 그 대응방법에 대해 논의하며, 이를 바탕으로 QR코드를 활용한 승인방법을 제안한다.

• Journal of the Korea Academia-Industrial cooperation Society
• /
• v.14 no.3
• /
• pp.1428-1438
• /
• 2013

Services take place in Internet environment, a formation of the trust relationship between user and service provider for services. Different authentication schemes such as using Certificate of Public Key Infrastructure authentication and using ID/PW for a simple user authentication have been proposed for trust relationship. In addition, in the case of electronic financial transactions, transaction integrity and non-repudiation features are provided. These services are provided in Internet environment, use various measures to ensure service safety. However, it was difficult to prevent attacks using existing security technology because of emergence of MITB attack that manipulate the memory area of the Web browser and social engineering attacks such as phishing/pharming, requires application of new security technologies became. In this paper, we propose a concept of smart secure-pad, and utilize it safely formed a trust relationship between user and service provider, a model has been proposed to ensure safety of data transmission. Proposed model's security evaluation results show security against to MITB attack and phishing/pharming that can't be prevent attack using existing security technology. In addition, service provider can easily apply the model in safe environment can provide Internet service using provided representative services applying the proposed model.

• Journal of Internet Computing and Services
• /
• v.9 no.6
• /
• pp.73-79
• /
• 2008

Nowadays, all over the world's banks use internet banking through various authentication methods. Although there are strong authentication methods using OTP (One Time Password), there still has vulnerability from sophisticated attacks such as MITM (Man In The Middle). This letter proposes signing-based authentication protocol that copes with attacks, such as MITB (Man In The Browser), and provides non-repudiation function. The protocol shows generic method to prevent the sophisticated attacks through connecting advantages from OTP and PKI (Public Key Infrastructure) certificate, and that can be deployed to various extended form in internet banking.

• The Journal of Korean Institute of Communications and Information Sciences
• /
• v.38B no.6
• /
• pp.492-500
• /
• 2013

The One-Time Password(OTP) Generator is used as a multi-factor authentication method to ensure secure transaction during e-Financial transaction in the bank and securities company. The OTP based e-Financial Transaction Verification Protocol ensures secure e-financial transaction through confirming the user's identity using OTP authentication information and counters not only Man-in-the-Browser(MITB) attacks but also memory hacking attacks. However, it is possible to generate correct OTPs due to potential of stealing sensitive information of the OTP generator through intelligent phishing, pharming, social engineering attacks. Therefore, it needs another scheme to prevent from above threats, and this paper proposes advanced scheme using Physical Unclonable Functions(PUFs) to solve these problems. First, it is impossible to generate the same OTP values because of the hysically unclonable features of PUFs. In addition, it is impossible to clone OTP generator with hardware techniques. Consequently, the proposed protocol provides stronger and more robust authentication protocol than existing one by adding PUFs in the OTP generator.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.1
• /
• pp.187-199
• /
• 2011

Securing user authentication and transaction continuation is very critical in mobile banking. Malicious software, which is installed in user's smart phone, can either steal user's password or induce user to confirm manipulated transaction by handling transaction resource. In this paper, we propose schemes, that are aimed to secure user's password or to secure transaction confirmation, based on the security and usability analysis of existing schemes.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.5
• /
• pp.825-830
• /
• 2013

CA Arcot corporation in U.S.A has secure on-line financial trade solution and patent that verify whether transaction had change using virtual session. But, VPS(Virtual Private Session) has another vulnerability by way to construct CAPTCHA. We can't fully trust safety of VPS, Cause it could be attacked by using color information of CAPTCHA. In this paper, We suggest the method of attack VPS, and also point out the vulnerability of VPS though simulation.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.4
• /
• pp.571-583
• /
• 2013

Internet banking service has a advantage that is unrestricted by time. If automated programs are able to attack Internet banking services, a number of accounts can be attacked at the same time and as a result, damage will be considerably increased. To cope with such attacks, two methods, VPS and MS watermark, were introduced by Arcot and MS respectively. The methods use text-based CAPTCHAs in the process of transfer approval to distinguish automated programs from legal human users. In this paper, we point out the security threats of the methods when those are applied to Internet banking services. Especially, we consider the attack that are performed by extract specific string from text-based CAPTCHAs and it's countermeasure. Also we suggest a method of enhancing security of internet banking services. Our method is based on contents-based CAPTCHAs that are consist of known transfer information between user and server.