• Title/Summary/Keyword: MITB

Search Result 7, Processing Time 0.024 seconds

전자금융거래에서의 문서변조 취약점 분석 및 대응방법 고찰

  • Maeng, Young-Jae;Shin, Dong-Oh;Kim, Sung-Ho;Nyang, Dae-Hun
    • Review of KIISC
    • /
    • v.20 no.6
    • /
    • pp.17-27
    • /
    • 2010
  • 전자금융거래는 사용자의 컴퓨터에 악성 프로그램이 설치될 수 있다는 환경에서도 신뢰성 있는 서비스가 요구된다. 하지만 국내의 전자금융거래는 아직까지 MITB(Man-In-The-Browser)공격에 취약한 상태이다. 이 논문에서는 MITB 공격의 동작원리와 그 대응방법에 대해 논의하며, 이를 바탕으로 QR코드를 활용한 승인방법을 제안한다.

A Study on a Secure Internet Service Provider Model Using Smart Secure-Pad (스마트 보안패드를 이용한 안전한 인터넷 서비스 제공 모델에 관한 연구)

  • Lee, Jae-Sik;Kim, Hyung-Joo;Jun, Moon-Seog
    • Journal of the Korea Academia-Industrial cooperation Society
    • /
    • v.14 no.3
    • /
    • pp.1428-1438
    • /
    • 2013
  • Services take place in Internet environment, a formation of the trust relationship between user and service provider for services. Different authentication schemes such as using Certificate of Public Key Infrastructure authentication and using ID/PW for a simple user authentication have been proposed for trust relationship. In addition, in the case of electronic financial transactions, transaction integrity and non-repudiation features are provided. These services are provided in Internet environment, use various measures to ensure service safety. However, it was difficult to prevent attacks using existing security technology because of emergence of MITB attack that manipulate the memory area of the Web browser and social engineering attacks such as phishing/pharming, requires application of new security technologies became. In this paper, we propose a concept of smart secure-pad, and utilize it safely formed a trust relationship between user and service provider, a model has been proposed to ensure safety of data transmission. Proposed model's security evaluation results show security against to MITB attack and phishing/pharming that can't be prevent attack using existing security technology. In addition, service provider can easily apply the model in safe environment can provide Internet service using provided representative services applying the proposed model.

Enhanced Transaction Signing-based Authentication Scheme for Secure Internet Banking (안전한 인터넷 뱅킹을 위한 트랜잭션 서명기법에 관한 연구)

  • Lim, Hyung-Jin;Lee, Jeong-Gun;Kim, Moon-Seong
    • Journal of Internet Computing and Services
    • /
    • v.9 no.6
    • /
    • pp.73-79
    • /
    • 2008
  • Nowadays, all over the world's banks use internet banking through various authentication methods. Although there are strong authentication methods using OTP (One Time Password), there still has vulnerability from sophisticated attacks such as MITM (Man In The Middle). This letter proposes signing-based authentication protocol that copes with attacks, such as MITB (Man In The Browser), and provides non-repudiation function. The protocol shows generic method to prevent the sophisticated attacks through connecting advantages from OTP and PKI (Public Key Infrastructure) certificate, and that can be deployed to various extended form in internet banking.

  • PDF

OTP-Based Transaction Verification Protocol Using PUFs (PUF를 이용한 OTP 기반 거래 검증 프로토콜)

  • Lee, Jonghoon;Park, Minho;Jung, Souhwan
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.38B no.6
    • /
    • pp.492-500
    • /
    • 2013
  • The One-Time Password(OTP) Generator is used as a multi-factor authentication method to ensure secure transaction during e-Financial transaction in the bank and securities company. The OTP based e-Financial Transaction Verification Protocol ensures secure e-financial transaction through confirming the user's identity using OTP authentication information and counters not only Man-in-the-Browser(MITB) attacks but also memory hacking attacks. However, it is possible to generate correct OTPs due to potential of stealing sensitive information of the OTP generator through intelligent phishing, pharming, social engineering attacks. Therefore, it needs another scheme to prevent from above threats, and this paper proposes advanced scheme using Physical Unclonable Functions(PUFs) to solve these problems. First, it is impossible to generate the same OTP values because of the hysically unclonable features of PUFs. In addition, it is impossible to clone OTP generator with hardware techniques. Consequently, the proposed protocol provides stronger and more robust authentication protocol than existing one by adding PUFs in the OTP generator.

Password Authentication and Transaction Confirmation Method Using Secret Puzzle on Mobile Banking (모바일 뱅킹에서 비밀퍼즐을 이용한 비밀증명방법과 거래승인방법)

  • Maeng, Young-Jae;Nyang, Dae-Hun;Lee, Kyung-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.21 no.1
    • /
    • pp.187-199
    • /
    • 2011
  • Securing user authentication and transaction continuation is very critical in mobile banking. Malicious software, which is installed in user's smart phone, can either steal user's password or induce user to confirm manipulated transaction by handling transaction resource. In this paper, we propose schemes, that are aimed to secure user's password or to secure transaction confirmation, based on the security and usability analysis of existing schemes.

The Vulnerability Analysis of CA Arcot VPS (CA Arcot VPS의 취약점 분석)

  • Lee, Sang-Ho;Kim, Sung-Ho;Nyang, Dea-Hun;Lee, Kyung-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.23 no.5
    • /
    • pp.825-830
    • /
    • 2013
  • CA Arcot corporation in U.S.A has secure on-line financial trade solution and patent that verify whether transaction had change using virtual session. But, VPS(Virtual Private Session) has another vulnerability by way to construct CAPTCHA. We can't fully trust safety of VPS, Cause it could be attacked by using color information of CAPTCHA. In this paper, We suggest the method of attack VPS, and also point out the vulnerability of VPS though simulation.

A Method of Enhancing Security of Internet Banking Service using Contents-Based CAPTCHA (콘텐츠 기반 캡차를 이용한 인터넷 뱅킹 서비스의 보안성 향상 기법)

  • Lee, Sang-Ho;Kim, Sung-Ho;Kang, Jeon-Il;Byun, Je-Sung;Nyang, Dea-Hun;Lee, Kyung-Hee
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.23 no.4
    • /
    • pp.571-583
    • /
    • 2013
  • Internet banking service has a advantage that is unrestricted by time. If automated programs are able to attack Internet banking services, a number of accounts can be attacked at the same time and as a result, damage will be considerably increased. To cope with such attacks, two methods, VPS and MS watermark, were introduced by Arcot and MS respectively. The methods use text-based CAPTCHAs in the process of transfer approval to distinguish automated programs from legal human users. In this paper, we point out the security threats of the methods when those are applied to Internet banking services. Especially, we consider the attack that are performed by extract specific string from text-based CAPTCHAs and it's countermeasure. Also we suggest a method of enhancing security of internet banking services. Our method is based on contents-based CAPTCHAs that are consist of known transfer information between user and server.