Reliability of Internet Banking Authentication Mechanisms

Shreeharan Hareendran
7 min read, Nov 12, 2019


The following post is an excerpt from one of my review papers. Since the domain of the paper was very much applicable and related in current online banking scenarios, I decided to make it a post.

Internet banking is one of the many services provided by financial institutions and is among the most widely used by customers. As its usage has grown, internet banking has become a target for data breaches. To prevent exploitation, authentication mechanisms are implemented to validate a user’s identity. Although various authentication mechanisms exist, adversaries exploit them through their vulnerabilities. It is therefore important to know the reliability and credibility level of each mechanism, so that the vulnerabilities can be addressed before attackers exploit them and countermeasures can be developed for better security mechanisms that give end-users a more secure authentication experience.

Introduction

Internet banking or e-banking has been part of people’s lives for some time now. The service has been popular among users because of the convenience it provides: users can view personal details, check account balances, make payments and transfer funds.

Unfortunately, this facility has come under many kinds of cyber-attack, including phishing, espionage, social engineering and many more [1]. All of these have eroded users’ confidence in using the internet banking facility. It is therefore the responsibility and duty of financial institutions to further enhance the existing security mechanisms, or to implement new and enhanced security measures, for this facility.

There has been much research on the various aspects of the reliability of internet banking security. However, not much of it emphasizes the first line of defense, authentication. Authentication is verifying that a user is who they claim to be. It is therefore important to focus on the credibility of this initial protection of internet banking, namely authentication [1].

As stated above, there have been many attacks on internet banking. The most common method of attack targets the very beginning of the internet banking process: the exploitation of authentication. Vulnerabilities in authentication mechanisms are used to gain illegal access to an individual’s account and perform illegal activities. Furthermore, it is known that one-factor authentication using passwords has been the widely, and often the only, used authentication mechanism at many institutions. People have forgotten how important the login process is, because a great deal of personal and financial data can be seen once authentication succeeds [1].

The objective of this post is to discuss the various available authentication mechanisms, the risks and vulnerabilities involved in them, the countermeasures taken, and their level of reliability in today’s world.

Body

Many existing authentication mechanisms depend mainly on conventional password-only authentication, also widely known as one-factor authentication, single-factor authentication or knowledge-based authentication. It is used because of its easy operation, scalability and compatibility [3].

In this scheme the user simply needs to remember a low-entropy password, while the passwords are stored in the sensitive verifier tables of the server. Even though passwords are stored as salted hashes, once the server is compromised they become available to attackers, because user-chosen passwords are highly skewed and the majority are not complex enough. Password-cracking hardware and algorithms are also continuously improving against traditional hash functions [3].

In recent years there have been many reports of data breaches, such as Adobe (150 million), Evernote (50 million) and Gmail (4.9 million) [3]. What makes this worse is that users reuse the same password to access multiple servers, so a compromise of one server leads to the compromise of all the others. This is also referred to as the “domino effect” of password reuse.

As stated above, existing password-only authentication is not resistant to password guessing and password cracking attacks. To address this problem, research proposes the eXtended Honey Encryption (XHE) scheme [2]. In this scheme, when an attacker attempts to log into an account they are not authorized for by providing a guessed password, the XHE algorithm does not reject the attempt; instead it generates indistinguishable false bank data and redirects the illegal user to a false account, so the attacker cannot determine whether the guessed password was correct. This increases the complexity of password guessing and cracking attacks, and adds an additional layer of protection on top of the existing password-only authentication.
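The core idea behind honey encryption, that a wrong password yields plausible decoy data rather than an error, can be shown with a small worked example. The code below is an added illustration, not the XHE scheme from [2] or any bank's code: the message space (a balance in cents plus a 4-digit card suffix), the distribution-transforming encoder, the salt and the sample record are all constructed for this demonstration.

```python
import hashlib
from typing import Tuple

# Constructed message space: a record is (balance in cents, 4-digit card suffix).
BALANCE_RANGE = 10**8   # 0 <= balance_cents < 10**8
LAST4_RANGE = 10**4     # 0 <= last4 < 10**4
SEED_RANGE = BALANCE_RANGE * LAST4_RANGE  # every seed decodes to a valid record


def dte_encode(balance_cents: int, last4: int) -> int:
    """Distribution-transforming encoder: record -> seed in [0, SEED_RANGE)."""
    if not (0 <= balance_cents < BALANCE_RANGE and 0 <= last4 < LAST4_RANGE):
        raise ValueError("record outside message space")
    return balance_cents * LAST4_RANGE + last4


def dte_decode(seed: int) -> Tuple[int, int]:
    """Inverse of dte_encode; total on the seed space, so any seed is a record."""
    return divmod(seed % SEED_RANGE, LAST4_RANGE)


def pad_from_password(password: str, salt: bytes) -> int:
    """Derive a pad in [0, SEED_RANGE) from the password via PBKDF2-HMAC-SHA256."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)
    return int.from_bytes(key, "big") % SEED_RANGE  # modulo bias is negligible here


def honey_encrypt(password: str, salt: bytes, balance_cents: int, last4: int) -> int:
    """Seed plus password-derived pad, modulo the seed space."""
    return (dte_encode(balance_cents, last4) + pad_from_password(password, salt)) % SEED_RANGE


def honey_decrypt(password: str, salt: bytes, ciphertext: int) -> Tuple[int, int]:
    """With a wrong password the pad is (close to) uniform, so the recovered seed
    is a random point of the message space: a plausible decoy, never an error."""
    seed = (ciphertext - pad_from_password(password, salt)) % SEED_RANGE
    return dte_decode(seed)


def demo() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (record seen with the real password, record seen with a wrong guess)."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed
    real = (12345678, 4242)  # constructed: balance 123,456.78 and card suffix 4242
    ct = honey_encrypt("correct horse", salt, *real)
    return honey_decrypt("correct horse", salt, ct), honey_decrypt("guess123", salt, ct)
```

Because this toy encoder treats every balance as equally likely, decoys are uniform over the range; a deployable scheme needs an encoder whose output matches the real distribution of account data, otherwise an attacker can tell decoys from genuine records statistically.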

Given the threats to one-factor authentication, many institutions have started to adopt two-factor or token-based authentication. These mechanisms still require the user to enter a password, and a temporary password is then sent as an SMS to the user’s mobile device at login as a secondary confirmation; this is known as a one-time password (OTP). Though this method seems much more secure than one-factor authentication, its disadvantage is that the user must always have an extra device at hand during authentication [1]. Moreover, receiving a temporary password through SMS is itself a threat these days, because the mobile device that receives the SMS can be compromised by malware installed on it [1].

Another proposed two-factor authentication makes the user’s mobile device itself the second factor [1]. Rather than entering the temporary password on the computer, the password is entered on the user’s mobile device and encrypted before transmission over Wi-Fi. However, this also has its issues. As discussed earlier, the user needs to possess a mobile device at the time of authentication. Secondly, the communication channel that carries the password from the mobile device must be secured, which adds considerable work and complexity. Finally, if the mobile device is infected by malware, attackers can obtain the entered plaintext password.

Clearly much research is being done to improve the reliability of authentication mechanisms. Researchers are working on adding several more factors to the process to make it robust; one such mechanism is multi-factor authentication [1]. One study proposes a four-factor authentication mechanism whose factors comprise a long-term password, a one-time password, a cryptographic key and a biometric. Users have to validate themselves by providing all four. This scheme is much more secure because an adversary needs to compromise all four factors to gain access. Still, the scheme burdens end-users with carrying an additional mobile device and a smart card.

The security given by knowledge-based and token-based authentication is violated when the password is compromised from the server or the tokens are stolen. This again raises the problem of the reliability of authentication mechanisms. To overcome these limitations, biometric authentication is being researched and implemented [5]. Biometric authentication can be divided into two categories, unimodal and multimodal biometrics. Unimodal biometrics rely on a single biometric trait, such as a fingerprint or iris pattern. However, this approach is also easily compromised by various spoofing attacks and by noisy data [5].

To provide much better security during authentication, multiple biometric traits (face, fingerprint, finger vein pattern, iris and voice) are used for the login process. This helps solve the traditional vulnerabilities and provides a more robust and secure authentication mechanism. Multimodal authentication is considered the most efficient of all authentication mechanisms to date [5]. Specific attacks such as hacking and phishing can also be prevented when multimodal authentication is implemented. A multimodal biometric system permits a greater level of assurance of an accurate match in verification by utilizing different forms of biometrics. Another important benefit is that, by using multiple methods of identification, a system can use stricter recognition thresholds, and the system administrator can vary the decision on the level of accuracy needed from those biometrics to tighten security [4]. Up to three biometric traits can be used for extreme security, while lower security levels may require any two. Skin spectroscopy, knuckle texture and nail plates are the emerging trends in biometric security [4]. Compared to other biometrics, these can be utilized at lower cost and with fewer limitations.

Conclusion

Authentication is one of the key activities in an online banking process. Financial institutions commonly provide it with one-factor authentication. This post has given insights into how that can be vulnerable to threats; even two-factor authentication does not provide the required security.

However, reliability and security in authentication are of utmost importance for users in online banking, since it deals with many customers’ data. The authentication mechanism should be robust and reliable for financial institutions. The mechanisms reviewed above depict the reliability and credibility of each. Of all the mechanisms mentioned, multimodal biometric authentication is presently the most efficient and secure authentication mechanism compared to unimodal biometric systems or traditional systems, and it is also an emerging field in security with new research.

References

[1] “Internet Banking Login with Multi-Factor Authentication,” KSII Transactions on Internet and Information Systems, vol. 11, no. 1, 2016.

[2] S. F. Tan and A. Samsudin, “Enhanced Security of Internet Banking Authentication with EXtended Honey Encryption (XHE) Scheme,” Innovative Computing, Optimization and Its Applications, Studies in Computational Intelligence, pp. 201–216, 2017.

[3] D. Wang and P. Wang, “Two Birds with One Stone: Two-Factor Authentication with Security Beyond Conventional Bound,” IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 4, pp. 708–722, 2018.

[4] L. T. Premakumari and A. S. Jothi, “Multimodal Biometric Endorsement for Secure Internet Banking using Skin Spectroscopy, Knuckles Texture and Finger Nail Recognition,” International Research Journal of Engineering and Technology, vol. 3, no. 2, pp. 1086–1090, 2016.

[5] H. Venugopal and N. Viswanath, “A robust and secure authentication mechanism in online banking,” 2016 Online International Conference on Green Engineering and Technologies (IC-GET), 2016.
