Security In Existing Online Transaction System


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work witten by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

ABSTRACT

Online banking has become a day-to-day task for most Internet users. Most major banks now support online banking, as it enables them to serve far more customers than traditional banking does. However, the popularity of online banking has also attracted criminals (hackers) who target online banking customers. Attacks have been launched against customers of large and small banks worldwide using methods such as phishing, so the need to increase the security of the online transaction system arises. In this paper we propose a safe user confirmation system using a mobile OTP in combination with a QR-Code, which will authenticate the bank customer.

Keywords

IMEI number, OTP, QR-Code, replay attacks.

INTRODUCTION

Electronic banking is a new industry that allows people to interact with their bank accounts over the Internet from anywhere in the world. It enables clients to access their bank accounts, review their most recent transactions and transfer funds.

The security of information is one of the biggest concerns of Internet users. E-banking users who connect to the Internet via a dial-up modem face a smaller risk of someone breaking into their computers. Banks with dedicated Internet connections face the risk of someone on the Internet gaining unauthorized access to their computer or network. E-banking users, in turn, face the risk of unauthorized access to their bank accounts. In addition, e-banking users are also concerned about non-repudiation, which requires a reliable identification of both the sender and the receiver of an online transaction. Non-secure electronic transactions can even be modified to change the apparent sender.

Therefore, it is extremely important to maintain non-repudiability, which requires that the identities of the sender and the receiver be attested to by a trusted third party who holds the identity certificates.

Current online banking systems use some countermeasures to reduce the problems described above, among them security cards and public certificates. Recently, OTPs (one-time passwords) have also been introduced. An OTP system is a password system in which each password is used only once, so the user is authenticated with a new password every time. This guarantees the safety of the password even if it is intercepted by an attacker or lost by the user. Smart cards, USB tokens, fingerprint recognition etc. are some of the devices used to generate OTPs. In our proposed system we use a mobile OTP system in which passwords are generated using the user's mobile phone, so no extra device is needed for generating the OTP.

Using this authentication system, the user will be able to perform transactions from anywhere at any time, which was not possible with a system based on a security card: in an emergency, a user without the security card was unable to perform transactions. Loss of the security card could also lead to blocking of the user's account if it was misused by anyone.

In this paper we propose an authentication system which provides greater security and convenience. The bank generates a QR-Code from the IMEI number of the user's mobile phone and other details and displays it on the user's PC. The user then decodes the QR-Code and generates an OTP using his mobile phone, and sends the generated OTP to the bank through the PC. The bank permits the transaction if the received OTP is valid.

This paper is organized as follows: Section 2 introduces OTPs and QR-Codes. In Section 3 we describe our proposed system and analyse it.

II. RELATED WORK

2.1 OTP (One Time Password)

A one-time password (OTP) is a password that is valid for only one session or transaction. OTPs address several shortcomings of static passwords; the most important is that they are not susceptible to replay attacks. Randomness or pseudo-randomness is the main property used in generating OTPs. This is very important because without it, it would become easy to predict future OTPs by observing previous ones.

Various approaches for generating OTPs are listed below:

(1) Time synchronization between the authentication server and the client who is providing the password.

(2) Generation of a new password based on the previous password using a mathematical algorithm.

(3) An algorithm which produces a new password based on a challenge and/or a counter.

There are many ways to provide the user with the next OTP to be used. Some systems use special electronic security tokens (devices) that the user carries. These tokens generate OTPs and show them using a small display. Other systems use software that runs on the user's mobile phone. Some other systems follow the method in which OTPs are generated on the server-side and delivered to the user using an out-of-band channel such as SMS messaging.

Fig. Different ways of providing OTP to user

Although OTPs in some ways provide more security than a static password, users of OTP systems are still vulnerable to man-in-the-middle attacks, so OTPs should not be disclosed to any third party. In addition, using an OTP as one layer of a layered security scheme is safer than using an OTP alone. We follow the same idea in our proposed system, where QR-Codes are used to strengthen the OTP.

2.2 QR-Code (Quick Response Code)

A QR-Code is a two-dimensional barcode invented by the Japanese corporation Denso Wave. In this 2D barcode, information is encoded in both the vertical and the horizontal direction, so it holds up to several hundred times more data than a traditional barcode. Data within the QR-code is accessed by capturing a photograph of the code with a camera and processing the image with a QR-code reader.

It can contain up to 7,089 numeric characters, 4,296 alphabetic characters, 2,953 binary characters or 1,817 Kanji characters.

The structure of QR-Code is as shown in figure below:

Fig. Structure of QR-Code

(1) Finder Pattern: It consists of three identical structures located in the upper left, upper right and bottom left corners of the QR Code. Each pattern is made up of a 3x3 matrix of black modules surrounded by white modules that are again surrounded by black modules. These patterns help the decoder software to recognize the QR Code and determine its correct orientation.

(2) Separators: The white separators, having a width of one pixel, improve the recognizability of the Finder Patterns by separating them from the actual data.

(3) Timing Pattern: The timing pattern, made up of alternating black and white modules, helps the decoder software to determine the width of a single module.

(4) Alignment Patterns: These patterns help the decoder software in compensating for moderate image distortions.

(5) Format Information: This section stores information about the error correction level of the QR Code and the chosen masking pattern.

(6) Data: The data to be stored is converted into a bit stream and stored in 8-bit parts (i.e. code words) in the data section.

(7) Error Correction: Error correction codes are stored in 8-bit code words in this section.

(8) Remainder Bits: The remainder bits are left empty if the data and error correction bits cannot be divided into 8-bit code words without remainder.

Thanks to error correction, the contents of a QR-code can be recovered even if part of the code is lost or damaged.

There are four error correction levels:

Level L: 7% of code words can be restored.

Level M: 15% of code words can be restored.

Level Q: 25% of code words can be restored.

Level H: 30% of code words can be restored.

PROPOSED SYSTEM

In this system, whenever the user wants to perform a transaction, he first enters his username and password and logs into his account using a web browser. When the user requests a transaction, the bank generates a QR-Code and displays it on the user's screen. The user then decodes the QR-Code and generates an OTP using his mobile phone, and enters the OTP on the screen. At the same time the bank server also generates the OTP. If the OTP entered by the user matches the OTP generated by the bank server, the requested transaction is permitted; otherwise the transaction request is rejected.

A] Assumptions

The following assumptions are made for our authentication system:

The user and the bank should share the IMEI number using a secure transmission system.

The user should have a QR-Code recognizer application to decode the QR-Code and generate the OTP.

Communication between the user's PC and the bank should be made over a secure SSL/TLS connection.

B] Proposed Authentication System

The proposed authentication system authorizes the user by digital signatures from authorized certificates, using the same technique as the traditional system. Instead of a security card, we encode the inputs of the mobile OTP code into a two-dimensional barcode using the user's transfer information (TI), the requested transfer time (T) and the IMEI number (SN) of the user's mobile device. The authentication process of the proposed system is shown in the figure below.

Fig. Proposed Authentication system

We omit the digital certificate transfer and the registration of the user's certificate, as they are the same as in the existing online transaction system.

(1) The client uses his/her own public certificate and the username and password provided by the bank to log in, then enters the fund transfer information to start the transfer transaction.

Transfer Information (TI) = TB || TA || TM, where

TB = Transfer_Bank (bank code)

TA = Transfer_Account

TM = Transfer_Money

(2) Using the transfer information (TI) and the requested time of transfer (T), the server generates one random value (RN), encodes it into a QR-code and displays it on the user's screen. At the same time, the server sends the transfer information (TI) and the requested time of transfer (T) to the certification authority (CA).

(3) The certification authority (CA) generates the OTP using the received transfer information (TI), the requested time of transfer (T) and the IMEI number (SN) of the user's mobile.

(4) The user decodes the QR-code on the screen using his mobile device and generates the OTP. When the user generates the OTP, the transfer information (TI), the perceived time value (T) and the IMEI number (SN) of the user's mobile device are shared with the certification authority (CA).

(5) The user inputs the OTP code generated on the mobile device on the screen.

(6) The server (bank) sends the OTP entered by the client to the certification authority (CA).

(7) The certification authority (CA) compares the received OTP code (OTP1) with the generated OTP code (OTP2) and sends its approval.

(8) When the server (bank) receives the approval of the OTP from the certification authority (CA), it verifies the entered OTP code against the user's consistent value and the user's digital signature. If the approval of the OTP value is not received, the transfer is cancelled.
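The steps above, modelled end to end as an added Python example (not the paper's own code). The bank server, the certification authority and the user's phone are the three parties; network transport, SSL/TLS and the QR rendering are replaced by direct calls and a JSON payload. Two points the paper leaves open are filled in as labelled assumptions: RN is bound into the OTP input so the response belongs to the displayed challenge, and a per-device secret provisioned at enrolment serves as the HMAC key rather than the IMEI alone (an IMEI is printed on the handset and is not secret). Each RN is consumed on first use so that a replayed OTP is rejected. The IMEI string, account numbers and `MAX_AGE_SECONDS` are constructed values.

```python
"""Model of the QR-Code + mobile OTP transfer authorisation (added example)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

DIGITS = 6
MAX_AGE_SECONDS = 120   # assumption: how long a displayed QR challenge stays answerable


def transfer_information(tb: str, ta: str, tm: str) -> str:
    """TI = TB || TA || TM; the separator keeps the fields from sliding into each other."""
    return "|".join((tb, ta, tm))


def otp_from(device_key: bytes, sn: str, ti: str, t: int, rn: str) -> str:
    """OTP over SN, TI, T and the QR nonce RN.  The paper keys on the IMEI (SN) alone;
    here a per-device secret provisioned at enrolment (assumption) is the HMAC key."""
    msg = "\x1f".join((sn, ti, str(t), rn)).encode()
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


@dataclass
class CertificationAuthority:
    enrolled: dict                                # username -> (SN, device_key)
    pending: dict = field(default_factory=dict)   # RN -> (username, TI, T)
    used_rn: set = field(default_factory=set)     # nonces already answered

    def register_challenge(self, user: str, ti: str, t: int, rn: str) -> None:
        """Step (2): the bank forwards TI and T (and RN) when it issues the QR challenge."""
        self.pending[rn] = (user, ti, t)

    def approve(self, user: str, rn: str, otp1: str, now: int) -> bool:
        """Steps (3) and (7): compute OTP2 and compare with OTP1.  Each RN is consumed
        on first use, so a replayed OTP fails even though every other field matches."""
        if rn in self.used_rn or rn not in self.pending:
            return False
        self.used_rn.add(rn)
        owner, ti, t = self.pending.pop(rn)
        if owner != user or now - t > MAX_AGE_SECONDS:
            return False
        sn, key = self.enrolled[user]
        return hmac.compare_digest(otp1, otp_from(key, sn, ti, t, rn))


@dataclass
class BankServer:
    ca: CertificationAuthority
    pending: dict = field(default_factory=dict)   # RN -> (username, TI)
    executed: list = field(default_factory=list)

    def request_transfer(self, user: str, ti: str, now: int) -> bytes:
        """Step (2): generate RN, notify the CA, return what would be rendered as a QR-Code."""
        rn = secrets.token_hex(16)
        self.pending[rn] = (user, ti)
        self.ca.register_challenge(user, ti, now, rn)
        return json.dumps({"TI": ti, "T": now, "RN": rn}).encode()

    def submit_otp(self, user: str, rn: str, otp1: str, now: int) -> bool:
        """Steps (6) and (8): forward the typed OTP; execute the transfer only on approval."""
        record = self.pending.pop(rn, None)
        if record is None or not self.ca.approve(user, rn, otp1, now):
            return False
        self.executed.append(record)
        return True


def mobile_generate_otp(device_key: bytes, sn: str, qr_payload: bytes) -> tuple:
    """Step (4): the phone decodes the QR payload and derives OTP1 from it plus its own SN and key."""
    ch = json.loads(qr_payload)
    return otp_from(device_key, sn, ch["TI"], ch["T"], ch["RN"]), ch["RN"]


def run_scenarios() -> dict:
    """Honest flow plus the failure modes the security analysis relies on."""
    key, sn = secrets.token_bytes(32), "IMEI-000000000000000"     # constructed values
    ca = CertificationAuthority(enrolled={"alice": (sn, key)})
    bank = BankServer(ca)
    ti, now, out = transfer_information("BANK01", "ACC-9876", "250.00"), 1_700_000_000, {}

    def attempt(name, phone_key=key, rewrite_ti=None, delay=20):
        qr = json.loads(bank.request_transfer("alice", ti, now))
        if rewrite_ti:                      # QR seen by the phone differs from what the CA recorded
            qr["TI"] = rewrite_ti
        otp1, rn = mobile_generate_otp(phone_key, sn, json.dumps(qr).encode())
        out[name] = bank.submit_otp("alice", rn, otp1, now + delay)
        return rn, otp1

    rn, otp1 = attempt("honest")
    out["replay"] = bank.submit_otp("alice", rn, otp1, now + 25)    # same RN and OTP again
    attempt("tampered", rewrite_ti=transfer_information("BANK01", "ACC-0000", "250.00"))
    attempt("wrong_device", phone_key=secrets.token_bytes(32))       # other handset, same IMEI
    attempt("expired", delay=MAX_AGE_SECONDS + 1)
    out["executed"] = len(bank.executed)
    return out
```

`run_scenarios()` returns a dictionary in which only the honest attempt is approved; a replay of the same OTP, a QR payload whose TI no longer matches what the CA recorded, a different handset presenting the same IMEI, and a stale challenge are all rejected, and exactly one transfer is executed.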

SECURITY ANALYSIS

Our proposed system assumes secure communication through an SSL/TLS tunnel, so a malicious user cannot analyse the contents of the communication between the user's PC, the bank server and the certification authority. Also, the IMEI number of the user's mobile is shared by the user and the bank through a secure process, so there is no possibility of it leaking out. If any counterfeit or alteration of the PIN occurs, the OTP values will not match.

Our system will also not be affected by man-in-the-middle attacks, since it contains two layers of security.

CONCLUSION

This paper presented an online transaction system using two new concepts, OTP and QR-Code. The OTP, being a dynamic password, makes it difficult for a hacker to guess the password, and the use of the QR-Code reduces the chances of leakage of the OTP while it is transferred through the network, because the OTP can be generated only after decoding the QR-Code and the QR-Code can be decoded only with the user's own phone. So nobody else can access the client's account in any way. In this way our approach adds an additional layer of security to the existing transaction system.
