
  Banks & E-Commerce Network Security Threats and Best Policies in Practice  
  Authors : Adam Ali.Zare Hudaib


The growth of e-commerce has driven the need for online payment systems. Unfortunately, these systems have many flaws and attract internet fraud, and cyber-criminals have profited from online banking (OB). We try to predict how hacking tools might evolve: we briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that they could be dramatically automated. To demonstrate the feasibility of our predictions and to show that many two-factor authentication schemes can be bypassed, we analysed the security of banking and modern payment systems. In this research we review the payment protocols and security methods used to run banking systems, and we survey some of the popular systems in use today, with a deeper focus on chips, cards, NFC and authentication. In addition, we discuss the weaknesses in these systems that can compromise the customer's trust.


Published In : IJCSN Journal Volume 3, Issue 4

Date of Publication : August 2014

Pages : 266 - 278

Figures : 01

Tables : --

Publication Link : Banks & E-Commerce Network Security Threats and Best Policies in Practice




Adam Ali.Zare Hudaib : Licensed Penetration Tester, CEH, ECSA, LPT, WCNA, "2.MAS", Lublin 20-032, Poland








Keywords : Banking security, chip and PIN, security protocol



Assessing the security of Internet banking applications requires specialised knowledge of vulnerabilities, attacks and countermeasures, so as to understand the threats, how they are realised and how to address them. The case study in this article showed that an attack tree should facilitate the work of auditors, security consultants or security officers who wish to assess an Internet banking authentication mechanism. We presented our analysis of the security of banking and modern payment systems, taking e-payment as an example of the security challenges of third-party service integration. We found serious logic flaws in leading online and mobile banking applications, leading merchant applications, popular online stores and payment providers (e.g., PayPal), and discussed the weaknesses in these systems that can compromise the customer's trust. We also showed and analysed ways of defending against these threats.
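As an added illustration of the attack-tree assessment mentioned above (example code written for this page, not taken from the paper), the following Python models an Internet banking authentication mechanism as a small AND/OR attack tree, computes the cheapest attacker path, and then re-evaluates it after a countermeasure re-prices some leaves. The tree structure, leaf names and cost figures are all constructed assumptions, chosen only to show how the evaluation works, not data from the paper.

```python
"""Attack-tree evaluation for an Internet banking authentication mechanism.

Added illustration (not from the paper): an AND/OR attack tree with
constructed leaf costs, evaluated for the cheapest attacker path, then
re-evaluated after a countermeasure re-prices some leaves.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"          # "LEAF", "AND" or "OR"
    cost: float = 0.0           # attacker effort for a LEAF (assumed units)
    children: List["Node"] = field(default_factory=list)


def leaf(name: str, cost: float) -> Node:
    return Node(name, "LEAF", cost)


def AND(name: str, *children: Node) -> Node:
    return Node(name, "AND", children=list(children))


def OR(name: str, *children: Node) -> Node:
    return Node(name, "OR", children=list(children))


def min_cost(node: Node) -> Tuple[float, List[str]]:
    """Cheapest way to achieve `node`: (total cost, leaf attacks used).

    An AND node needs every child, so child costs add; an OR node needs
    only one child, so the cheapest alternative wins.
    """
    if node.kind == "LEAF":
        return node.cost, [node.name]
    sub = [min_cost(c) for c in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in sub), [n for _, names in sub for n in names]
    if node.kind == "OR":
        return min(sub, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def reprice(node: Node, overrides: Dict[str, float]) -> Node:
    """Copy of the tree with selected leaf costs replaced (a countermeasure)."""
    if node.kind == "LEAF":
        return Node(node.name, "LEAF", overrides.get(node.name, node.cost))
    return Node(node.name, node.kind,
                children=[reprice(c, overrides) for c in node.children])


def banking_auth_tree() -> Node:
    """Constructed example tree; node names and costs are assumptions."""
    return OR("Make a fraudulent transfer from the victim's account",
              AND("Log in with stolen credentials",
                  OR("Obtain username and password",
                     leaf("Phish the password", 20),
                     leaf("Keylogger malware", 40)),
                  OR("Defeat the second factor",
                     leaf("Relay OTP in real time (MITM)", 60),
                     leaf("SIM swap to receive SMS codes", 80))),
              AND("Hijack an authenticated session",
                  leaf("Man-in-the-browser malware", 70),
                  leaf("Tamper with the transaction in the browser", 15)))


# Assumed effect of signing transaction details on an offline device:
# relaying a code or silently altering the transaction no longer works cheaply.
TRANSACTION_SIGNING: Dict[str, float] = {
    "Relay OTP in real time (MITM)": 200,
    "Tamper with the transaction in the browser": 150,
}


def assess(tree: Node, countermeasure: Optional[Dict[str, float]] = None):
    """Cheapest path before and after applying a countermeasure."""
    before = min_cost(tree)
    after = min_cost(reprice(tree, countermeasure or {}))
    return before, after


if __name__ == "__main__":
    before, after = assess(banking_auth_tree(), TRANSACTION_SIGNING)
    print("cheapest path before:", before)
    print("cheapest path after :", after)
```

The point of re-running the evaluation after `reprice` is that the countermeasure does not make the root unreachable; it moves the cheapest path onto the remaining leaves (here the SIM-swap branch), which is exactly the residual risk an auditor would report next.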









