
Towards The Security of User Authentication For Internet Banking Sites – The Nigerian Situation

2014, MicroWave International Journal of Science and Technology Vol.6 No. 2014


Ayei E. Ibor (1), Adebisi W. Adesola (2), Collins E. Udofia (3), Egbe E. Ibi (4)
1,2: Department of Computer Science, Cross River University of Technology, Calabar, Nigeria
3,4: Department of Banking and Finance, University of Calabar, Calabar, Nigeria

Abstract

Internet banking has become a new trend in the Nigerian banking system for a couple of years now. This has made financial transactions, including intra- and interbank debit and credit transactions, flexible and available on the go. To this end, moving large sums of money between accounts is seen to be easier and faster, with the added security of privacy. However, the introduction of internet banking raises significant security concerns. Since a user is authenticated with nominal details such as a username and password, there is the likelihood of identity spoofing, brute force and dictionary attacks. Most internet banking transactions are done on websites that use the conventional hypertext transfer protocol (HTTP) for communications without deploying the added security layer of Secure Socket Layer/Transport Layer Security (SSL/TLS), which ensures the encryption of the packets transmitted between the client and the server. It is a well-known fact that HTTP transmits contents in the clear, which can be easily intercepted using man-in-the-middle attacks. There is the need, therefore, to adopt a more secure means of transmitting customers' transaction information over the Internet, such that the transmitting tunnel makes the contents unintelligible to a malicious user in the event of interception of the transmitted data. The focus of this paper will be to discuss the various technologies deployed for enhancing the secure delivery of online-based transactions, with emphasis on the Nigerian banking system. The paper will also adopt a user authentication method based on a two-factor authentication mechanism, which allows users to securely log into their online accounts.

Keywords: Security, Internet Banking, Nigerian Banking System, Credit, Debit

Introduction

The introduction of internet banking in the Nigerian banking system has been a good omen for the teeming customers who are interested in banking services on the go. The characteristic long queues and network downtimes of conventional banking halls are not compatible with real-time customer satisfaction. Ayo et al. in [2] assert that the introduction of internet banking creates convenience for customers, including efficient time management, ease of use and customer satisfaction. Though this technology has brought with it convenience in transaction processing based on self-service, it is also prone to security incidents and various forms of attack, including but not limited to identity spoofing, dictionary and brute force attacks. Internet banking allows a customer's account to be managed remotely, outside the branch where the account is domiciled. This is usually achieved with the help of an internet connection. As discussed in [13], several electronic devices such as computers (desktops, laptops, tablets etc.), mobile and smart phones (BlackBerry phones, Android phones etc.), personal digital assistants (PDAs), automated teller machines (ATMs) and point of sale terminals (PoS) can be used to allow a customer to remotely access his bank account details and effect transactions from any location, provided there is an available and efficient internet connection. Most users are not conscious of the risks posed by unsecure networks and communication channels, especially given the high cost of internet connectivity in Nigeria.
Consequently, they seize every opportunity that presents them with an internet connection to render their confidential details over the internet, including banking details and other personal information. Most network communications delivered by the hypertext transfer protocol (HTTP) are in the clear. This implies that packet sniffers such as Wireshark, tcpdump etc. can reveal the usernames and passwords populated on web forms if they are not encrypted during the transmission process [17]. A look at most websites of Nigerian banks shows signs of insecurity for sensitive transactions such as cash payments and money transfers. Having examined the risks posed by unsecure networks and communication channels, this paper will discuss the available methods of online user identity verification and suggest ways of improving and hardening the available security measures for internet banking based on a two-factor authentication mechanism.

Internet Banking And Online User Identification

The directive for internet banking in Nigeria was initially given by the Central Bank of Nigeria in its guidelines titled "Guidelines on Electronic Banking in Nigeria" [4]. The guidelines, which gave an overview of the requirements for efficient internet banking (e-banking as the case may be), stipulated that it is the responsibility of banks to disable all services and ports that may allow intrusions to filter into a bank's network infrastructure. As contained in section 1.0, subsection 1.1e of the guidelines, all network-aware devices that have external access to the bank's internal network must be able to address issues concerning non-repudiation, data integrity and confidentiality [4]. A critical look at the guidelines reveals that most of the recommendations put to banks for enhancing the fluidity of internet banking are yet to witness complete implementation. The advancement in technology and the pervasive nature of the internet also make most of these recommendations obsolete in time and process. One such instance is the belief that the authentication of devices using media access control (MAC) addresses is sufficiently secure. However, MAC addresses can be spoofed when a man-in-the-middle attack is staged. As stated in [3], it is possible for an attacker to intercept and make modifications to the transmitted authentication credentials with well-formed man-in-the-middle attacks, including IP spoofing and MAC address spoofing. IP spoofing can also render Access Control Lists and firewalls deficient in the protection of a network's internal digital assets. A spoofed IP address is as good as the original IP address intended for the connection. Spoofing addresses can lead to impersonation and identity theft.

In internet banking, users are required to register their account information over the Internet in order that their accounts can be made accessible from any location, provided an internet connection is available. As shown in Figure 1, a user who registers his bank account over the Internet is mostly not considering the security of the connection. A large population of online bank account users in Nigeria and other parts of the world are only interested in the success of the transaction and not the means by which such a transaction is made. Since they trust the operating bank to provide them with the needed security, transactions are mostly made from any computing device that allows their account information to be accessed over the internet. This is a high risk factor. In [15], a foresight of the security implications of internet banking was discussed, with specific emphasis on the tendency for transaction data to be intercepted by hackers.
Figure 1: Account registration and processing through an unsecure network connection

To this day, the traditional methods of user authentication, including the use of usernames and passwords, are being deployed for identifying the numerous users that subscribe to internet banking in most Nigerian banks. As highlighted in [9] and [10], brute force and dictionary attacks can allow an attacker to steal authentication credentials such as the login/password of users by transmitting random or carefully selected lists of words to the authentication server until it divulges the authentication parameters of authorised users of the system. Password theft through shoulder surfing and piggybacking is a likely route to user identity theft and impersonation [17], [1]. Most users are not comfortable with lengthy passwords or passwords that are difficult to remember. Consequently, they prefer simple passwords such as dates of birth, pet names, surnames, phone numbers etc., which in most cases are not updated over time. This creates a security concern, as these static passwords can be stolen by a password Trojan residing in the memory of the computing device used for online transactions. Most uniform resource locators (URLs) that point to the IP addresses of the web servers of Nigerian banks' websites are based on the traditional hypertext transfer protocol (HTTP), which transmits contents between the server and the client in the clear [12]. The use of SSL/TLS for authenticating the server and cryptographically protecting the communication channel between the server and the client is not deployed. SSL/TLS is known for enhancing the confidentiality of transmitted contents [14], [5]. This can lead to phishing attacks, where a bank's website can be cloned and used to mislead customers into feeding their bank details, including account numbers, usernames and passwords, into the fake website. The consequences of the successful redirection of customers to the fake website are diverse, including loss of confidential data, loss of revenue, denial of service, repudiation, and damage to the bank's public image as well as public trust and integrity.

Technologies For Protecting Online Transactions

The process of protecting the contents delivered to customers over the internet begins with the website that is rendered to users for authentication. A Google search for the website URLs of some well-known banks in Nigeria reveals that the hypertext transfer protocol used to establish the connection between the client and the server, such as a web browser and a website hosted on a server, does not have the added security layer implemented through the deployment of SSL/TLS. This implies that the data exchange between a client device and the server can be subject to eavesdropping. As described in [3] and [9], eavesdropping involves the physical use of a listening device such as a packet grabber to intercept packet transmission between two communicating parties. SSL/TLS creates a secure communication tunnel between the client (a customer that uses internet banking) and the server (the bank's internet banking site) using strong ciphers such as RSA (Rivest, Shamir and Adleman) for the encryption of the messages exchanged [7]. In this way, a temporary session for exchanging secret messages is established. Visual signs of the use of SSL/TLS over HTTP include the replacement of http with https in the website's URL as well as a padlock icon shown in the browser's address bar for that site. The security of SSL/TLS authentication is based on the authenticity, integrity and confidentiality provided by the protocol [14], [19]. Djuric in [7] agrees that the flexibility and protocol independence of SSL is leveraged by its operation at the TCP/IP transport level. The cryptographic features of SSL/TLS make the protocol suitable for client-server authentication.
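As an added illustration of the session establishment just described (public-key server authentication, a client-generated session secret encrypted to the server's key, then a symmetric tunnel), the following toy model is not the paper's code: it uses textbook RSA with small primes and an HMAC-SHA256 keystream as stand-ins for a real certificate and cipher suite, and `rsa_keygen`, `client_key_transport`, `tunnel_xor` and `run_session` are names chosen here.

```python
"""Added toy model of the SSL/TLS-style session set-up described in the text.
Not the paper's code: textbook RSA with small primes and an HMAC-SHA256
keystream stand in for a real certificate and cipher suite."""
import hashlib
import hmac
import secrets


def rsa_keygen(p, q, e=65537):
    """Textbook RSA from two caller-supplied primes (toy sizes, illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                      # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


# Server's long-term key pair; the public half stands in for its certificate.
SERVER_PUB, SERVER_PRIV = rsa_keygen(1000003, 1000033)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message out of range")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)


def client_key_transport(server_pub):
    """Client side: pick a fresh pseudo-random session secret and encrypt it
    under the server's public key (the secret itself never crosses the wire)."""
    session_secret = secrets.randbelow(server_pub[0] - 2) + 2
    return session_secret, rsa_encrypt(server_pub, session_secret)


def derive_session_key(session_secret):
    """Both sides derive the same symmetric key from the shared secret."""
    return hashlib.sha256(session_secret.to_bytes(8, "big")).digest()


def tunnel_xor(session_key, nonce, data):
    """Encrypt or decrypt (same operation) with an HMAC-SHA256 keystream."""
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(session_key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(plaintext):
    """Whole exchange. Returns what the server recovered and whether the bytes
    on the wire differed from the plaintext (all an eavesdropper would see)."""
    client_secret, encrypted_secret = client_key_transport(SERVER_PUB)
    server_secret = rsa_decrypt(SERVER_PRIV, encrypted_secret)   # server unwraps it
    client_key = derive_session_key(client_secret)
    server_key = derive_session_key(server_secret)
    nonce = secrets.token_bytes(12)                               # per-message nonce
    on_the_wire = tunnel_xor(client_key, nonce, plaintext)        # client -> server
    recovered = tunnel_xor(server_key, nonce, on_the_wire)        # server decrypts
    return recovered, on_the_wire != plaintext


if __name__ == "__main__":
    msg = b"transfer 5000 to account 0123456789"   # constructed sample request
    got, hidden = run_session(msg)
    print(got == msg, hidden)
```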
SSL/TLS authentication is achieved as follows:
(i) The server initially authenticates itself with a public key certificate
(ii) A pseudo-random secret key is generated by the client for the temporary session during which communication is established and transmission of data effected
(iii) The client encrypts the secret key using the server's public key
(iv) The encrypted key is then transmitted to the server
(v) The established cryptographic session is then used for message transmission

The security provided by the implementation of SSL/TLS over HTTP (HTTPS) makes it pertinent for Nigerian banking websites to tilt towards this technology in order to provide enhanced security for the contents that are transmitted across the Internet. Hajjeh et al. in [11] believe that SSL/TLS has found widespread use over the internet as it is easily integrated into web servers. Other technologies for user authentication in internet banking include the use of authorisation numbers, one-time passwords and challenge-response systems [6], [14].

The proliferation of mobile services in Nigeria has witnessed continuous improvement, which can be exploited to allow for secure banking services in the country. One important element in the use of mobile phones and services in Nigeria is the biometric registration of subscribers to mobile networks. This makes it easy to map the real identity of a user to his mobile phone number. With this technology, we discuss here an authentication mechanism for internet banking users that is underpinned by the unique identification of mobile network subscribers in Nigeria. As shown in Figure 2, users are authenticated into their online bank accounts using both a computing device (PC, laptop, iPad etc.) and a mobile or smart phone.

The Proposed Two-Factor Authentication Method

Two-factor authentication has been in use in some developed countries and regions such as the United States, United Kingdom, Asia, Middle East etc. Some of the existing two-factor authentication methods include RSA's SecurID, BestBuy's BestToken and Secure Computing's Safeword [1].

Figure 2: Proposed authentication mechanism for user identification in internet banking

Components Of The Proposed Design

We have chosen the following components for our design:
• A mobile phone with a registered SIM card: it is assumed that almost all (if not all) users of internet banking have mobile phones. A smart phone is also considered here as a mobile phone. It is also assumed that every owner of a mobile phone in Nigeria has a registered SIM card mapped to his physiological traits (biometric data) such as fingerprints.
• A computing device: a user needs a computing device such as a personal computer (PC), laptop, iPad, smart phone etc. to log into his online bank account.
• Transaction server: this is the bank's transaction server for day-to-day transaction processing.
• Authentication server: the authentication server is used to generate the one-time password or authentication code that is used to verify the identity of the user at every login session.
• Mobile network operator: the mobile network operator that registers the user on subscription to its network.

Discussion Of The Design

• User registration: the user registers with the bank offering the internet banking services. The user must provide his mobile number alongside other personal information during registration. A username and password are chosen by the user for logging into the online account.
• Login request: the user provides a username and password, which he enters into a browser to gain access to the transaction server. It is assumed that the user's access is through an unsecure channel, which is subject to eavesdropping.
The transaction server receives the request and opens a secure connection between the user's browser and the server. The secure connection is based on SSL/TLS authentication, and the server requests an authentication code from the user.
• User authentication: the transaction server sends an authentication request consisting of a unique identifier generated by hashing the user's bio-data and the user's mobile phone number. The combination of the user's bio-data used for generating the hash is hidden from the user. The hashing algorithm is randomly chosen from a collection of stored hashing algorithms, which are invoked at user login requests. Hashing algorithms that can be used include MD5, SHA-1 etc. [8]. The authentication server then does the following:
o It confirms the user's identity with the mobile network using the mobile phone number sent to it by the transaction server. We suggest that the bank and the mobile network operator can synchronise their servers to quicken the process of user identification.
o On the successful confirmation of the user's identity, the authentication server implements a time-based one-time password algorithm to generate a pseudo-random number, which changes on every login request and can be used only once (one-time password, OTP). This is a check against replay and guessing attacks [16], [18].
o The generated one-time password (authentication code) is then sent to the mobile phone number of the requesting user. The same code is mapped to the user's record in the transaction server to enable the transaction server to identify the user in the final login stage. This transmission is done through secure channels. The code is set to expire after a specified period of time, say thirty (30) seconds, within which the user has to enter it into the text box displayed in the browser.

Figure 3: Server synchronisation for user identification

• User login: the user receives a short message (SMS) on his mobile phone with the authentication code requested during the initial login request stage. This code is then entered by the user in the browser to complete a successful login session. The final stage of the login process is done through a secure channel. The user remains on the secure channel for all transactions until he logs out of his online account.
• Login failure: in the event of the expiration of the 30-second count for the user to supply the authentication code, the login session times out and the user is redirected back to the login page, where he will have to supply his username and password as a new login request to the transaction server. The authentication process is repeated to generate the authentication code needed to complete the login session.

Conclusion

Spoofing, replay and password guessing attacks are on the increase. Many users have lost much of their savings and have had their transactions intercepted by intruders, leading to loss of trust in internet banking services. Not many customers of banks in Nigeria are comfortable with the idea of managing their bank accounts over the internet, because they have heard many stories about, and some have witnessed, the misuse of the internet for fraud. Operating an online account creates a lot of convenience for its users. Apart from the user's ability to access funds without having to physically visit a branch of the operating bank, he can easily buy goods and services over the internet from any part of the world. Also, funds transfer can be done within a few seconds, compared to the delay witnessed in conventional banking halls. One key issue in user acceptance of internet banking is authentication.
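Returning to the authentication server in the design above, the following added Python model (not the paper's code) works through its checks: confirming the subscriber with the operator, issuing a time-based one-time code bound to the user record, delivering it out of band, accepting it only once within the 30-second window, and failing the login on expiry. The customer record, the operator register, the SMS list and the function names (`request_otp`, `verify_otp`, `user_identifier`) are constructed for the example; it uses SHA-256 for the request identifier where the text lists MD5/SHA-1 as options.

```python
"""Added model of the authentication-server flow in the design above.
Not the paper's code; the user, operator register and SMS gateway are
constructed stand-ins so the example runs offline."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

OTP_TTL_SECONDS = 30          # validity window from the design
OTP_DIGITS = 6


def totp(secret: bytes, unix_time: float, step: int = OTP_TTL_SECONDS) -> str:
    """RFC 6238 time-based OTP (HMAC-SHA1 with dynamic truncation)."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** OTP_DIGITS
    return f"{code:0{OTP_DIGITS}d}"


def user_identifier(biodata: dict, msisdn: str) -> str:
    """Identifier carried in the authentication request: hash of bio-data and
    mobile number (the text lists MD5/SHA-1 as options; SHA-256 is used here)."""
    material = "|".join(f"{k}={biodata[k]}" for k in sorted(biodata)) + "|" + msisdn
    return hashlib.sha256(material.encode()).hexdigest()


@dataclass
class UserRecord:
    username: str
    msisdn: str                       # mobile number given at registration
    otp_secret: bytes
    pending: Optional[Tuple[str, float, bool]] = None   # (code, issued_at, used)


# Constructed sample data: one customer, the operator's subscriber register,
# and a list standing in for the SMS gateway.
USERS = {"ada": UserRecord("ada", "+2348000000001", secrets.token_bytes(20))}
OPERATOR_REGISTER = {"+2348000000001": "registered"}
SENT_SMS = []


def request_otp(username: str, now: float) -> Optional[str]:
    """Authentication server: confirm identity with the operator, then issue a code."""
    user = USERS.get(username)
    if user is None or OPERATOR_REGISTER.get(user.msisdn) != "registered":
        return None                   # identity not confirmed: no code is issued
    code = totp(user.otp_secret, now)
    user.pending = (code, now, False) # map the code to the user record, unused
    SENT_SMS.append((user.msisdn, code))   # out-of-band delivery to the phone
    return code


def verify_otp(username: str, submitted: str, now: float) -> str:
    """Final login stage: returns 'ok', 'replayed', 'expired' or 'invalid'."""
    user = USERS.get(username)
    if user is None or user.pending is None:
        return "invalid"
    code, issued_at, used = user.pending
    if not hmac.compare_digest(code.encode(), submitted.encode()):
        return "invalid"              # constant-time comparison of the codes
    if used:
        return "replayed"             # one-time: a second use is rejected
    if now - issued_at > OTP_TTL_SECONDS:
        user.pending = None           # timed out: back to the login page
        return "expired"
    user.pending = (code, issued_at, True)
    return "ok"
```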
In this paper, we have proposed a two-factor authentication method that combines the user's login parameters, such as the username and password, with an authentication code, also called a one-time password, to verify the identity of the user as the owner of the online bank account he is requesting access to. The deployment of mobile phones for the transmission of the authentication codes is based on the fact that subscribers to mobile networks in Nigeria are subject to biometric registration of their SIM cards. This registration is backed by fingerprint scans and personal data, which uniquely identify a user as the owner of the mobile phone number he purchases. The SIM card registration is done at the point of purchase. We anticipate that this two-factor authentication will help to control identity spoofing and impersonation on internet banking sites.

Future research will be directed towards biometric authentication processes, which allow users to log into their online accounts securely using a separate biometric authentication device in combination with other login details such as usernames and passwords. Although we anticipate that this may be an expensive approach to user authentication, we believe that its deployment will enhance internet banking security in Nigeria.

References

1. Aloul, F.; Zahidi, S. & El-Hajj, W. (2009) "Two factor authentication using mobile phones," IEEE/ACS International Conference on Computer Systems and Applications (AICCSA 2009), pp. 641-644
2. Ayo, C. K.; Adewoye, J. O. & Oni, A. A. (2010) "The state of e-banking implementation in Nigeria: A post-consolidation review," Journal of Emerging Trends in Economics and Management Sciences, vol. 1, no. 1, pp. 37-45
3. Butcher, D.; Xiangyang, L. & Jinhua, G. (2007) "Security Challenge and Defense in VoIP Infrastructures," IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 37, pp. 1152-1162
4. Central Bank of Nigeria (2003) "Guidelines on Electronic Banking in Nigeria"
5. de la Puente, F.; Sandoval, J.D. & Hernandez, P. (2003) "Personal digital signer for Internet banking," IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM 2003), vol. 2, pp. 700-703
6. de la Puente, F.; Sandoval, J.D. & Hernandez, P. (2003) "Pocket device for authentication and data integrity on Internet banking applications," Proceedings of the IEEE 37th Annual International Carnahan Conference on Security Technology, pp. 43-50
7. Djuric, Z. (2005) "IPS - secure Internet payment system," International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 425-430
8. Eldefrawy, M.H.; Alghathbar, K. & Khan, M.K. (2011) "OTP-Based Two-Factor Authentication Using Mobile Phones," Eighth International Conference on Information Technology: New Generations (ITNG 2011), pp. 327-331
9. Goyal, V.; Kumar, V.; Singh, M.; Abraham, A. & Sanyal, S. (2005) "CompChall: addressing password guessing attacks," International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 739-744
10. Gruber, M.; Fankhauser, F.; Taber, S.; Schanes, C. & Grechenig, T. (2011) "Security status of VoIP based on the observation of real-world attacks on a honeynet," IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and Social Computing (SocialCom), pp. 1041-1047
11. Hajjeh, I.; Serhrouchni, A. & Tastet, F. (2003) "ISAKMP handshake for SSL/TLS," IEEE Global Telecommunications Conference (GLOBECOM '03), vol. 3, pp. 1481-1485
12. Kumar, D. & Venkata, B. (2012) "An Overview of Hypertext Transfer Protocol Service Security on Business Domain," International Proceedings of Economics Development & Research, vol. 37, pp. 285-289
13. Okechi, O. & Kepeghom, O. M. (2013) "Empirical Evaluation of Customers' Use of Electronic Banking Systems in Nigeria," African Journal of Computing & ICT, vol. 6, no. 1, pp. 7-20
14. Oppliger, R.; Rytz, R. & Holderegger, T. (2009) "Internet Banking: Client-Side Attacks and Protection Mechanisms," Computer, vol. 42, no. 6, pp. 27-33
15. Ovia, J. (2001) "Banking: practices and potentials in Nigeria," paper presented at a seminar organised by The Institute of Chartered Accountants of Nigeria, September 2001
16. Shuren Liao; Qiuyan Zhang; Chao Chen & Yiqi Dai (2009) "A unidirectional one-time password authentication scheme without counter desynchronization," ISECS International Colloquium on Computing, Communication, Control, and Management (CCCM 2009), vol. 4, pp. 361-364
17. Simpson, M.T.; Backman, K. & Corley, J.E. (2013) Hands-On Ethical Hacking and Network Defense. Boston, USA: Course Technology
18. Huang, W.J.; Guo, L.; Wei Du & Huang, L. (2010) "Electronic Trading Systems in Several Authentication Methods Commonly Used Comparison," WASE International Conference on Information Engineering (ICIE 2010), vol. 2, pp. 251-254
19. Yasinsac, A. & Childs, J. (2001) "Analyzing Internet security protocols," Sixth IEEE International Symposium on High Assurance Systems Engineering, pp. 149-159