Towards The Security of User Authentication For Internet Banking Sites – The Nigerian Situation
Ayei E. Ibor (1), Adebisi W. Adesola (2), Collins E. Udofia (3), Egbe E. Ibi (4)
1, 2: Department of Computer Science, Cross River University of Technology, Calabar, Nigeria
3, 4: Department of Banking and Finance, University of Calabar, Calabar, Nigeria
Abstract
Internet banking has become a new trend in the Nigerian banking system for a couple of years now. This has made financial transactions involving intra- and interbank debit and credit transactions flexible and on the go. To this end, moving large sums of money between accounts is seen to be easier and faster, with the added security of privacy. However, the introduction of internet banking has significant security concerns. Since a user is authenticated with nominal details such as username and password, there is the likelihood of identity spoofing, brute force and dictionary attacks. Most transactions for internet banking are done on websites that use the conventional hypertext transfer protocol (HTTP) for communications without deploying the added security layer of Secure Socket Layer/Transport Layer Security (SSL/TLS), which ensures the encryption of the packets transmitted between the client and the server. It is a well-known fact that HTTP transmits contents in the clear, which can be easily intercepted using man-in-the-middle attacks. There is the need, therefore, to adopt a more secure means of transmitting customers' transaction information over the Internet such that the transmitting tunnel makes the contents unintelligible to a malicious user in the event of the interception of the transmitted data. The focus of this paper is to discuss the various technologies deployed for enhancing the secure delivery of online-based transactions, with emphasis on the Nigerian banking system. The paper also adopts a user authentication method based on a two-factor authentication mechanism, which allows users to securely log into their online accounts.
Keywords: Security, Internet Banking, Nigerian Banking System, Credit, Debit
______________________________________________________________________________
Introduction
The introduction of internet banking in the Nigerian banking system has been a good omen for the teeming customers who are interested in banking services on the go. The characteristic long queues and network downtimes of conventional banking halls are not realistic for real-time customer satisfaction. Ayo et al. in [2] assert that the introduction of internet banking is found to create convenience for customers, including efficient time management, ease of use and customer satisfaction. Though this technology has brought with it convenience in transaction processing based on self-service, it is also prone to security incidents and various forms of attacks, including but not limited to identity spoofing, dictionary and brute force attacks.
Internet banking allows a customer's account to be managed remotely, outside the branch where the account is domiciled. This is usually achieved with the help of an internet connection. As discussed in [13], several electronic devices such as computers (desktops, laptops, tablets etc.), mobile and smart phones (BlackBerry phones, Android phones etc.), personal digital assistants (PDAs), automated teller machines (ATMs) and point of sale terminals (PoS) can be used to allow a customer to remotely access his bank account details and effect transactions in any location, provided there is an available and efficient internet connection.
MicroWave International Journal of Science and Technology Vol.6 No. 2014
Most users are not conscious of the risks posed by insecure networks and communication channels, especially with the high cost of internet connectivity in Nigeria. Consequently, they seize every opportunity that presents them with an internet connection to render their confidential details over the internet, including banking details and other personal information. Most network communications delivered by the hypertext transfer protocol (HTTP) are in the clear. This implies that packet sniffers such as Wireshark, tcpdump etc. can reveal the usernames and passwords populated on web forms if they are not encrypted during transmission [17]. A look at most websites of Nigerian banks shows signs of insecurity for sensitive transactions such as cash payments and money transfers.
Having examined the risks posed by insecure networks and communication channels, this paper discusses the available methods of online user identity verification and suggests ways of improving and hardening the available security measures for internet banking, based on a two-factor authentication mechanism.
Internet Banking And Online User Identification
The directive for internet banking in Nigeria was initially given by the Central Bank of Nigeria in its guidelines titled “Guidelines on Electronic Banking in Nigeria” [4]. The guidelines, which gave an overview of the requirements for efficient internet banking (e-banking, as the case may be), stipulated that it is the responsibility of banks to disable all services and ports that may allow intrusions to filter into a bank’s network infrastructure. As contained in section 1.0, subsection 1.1e of the guidelines, all network-aware devices that have external access to the bank’s internal network must be able to address issues concerning non-repudiation, data integrity and confidentiality [4].
A critical look at the guidelines reveals that most of the recommendations put to banks for enhancing the fluidity of internet banking are yet to witness complete implementation. The advancement in technology and the pervasive nature of the internet also make most of these recommendations obsolete in time and process. One such instance is the belief that the authentication of devices using media access control (MAC) addresses is sufficiently secure. However, MAC addresses can be spoofed when a man-in-the-middle attack is staged. As stated in [3], it is possible for an attacker to intercept and make modifications to the transmitted authentication credentials with well-formed man-in-the-middle attacks, including IP spoofing and MAC address spoofing. IP spoofing can also ensure that the use of access control lists and firewalls is deficient in the protection of a network’s internal digital assets. A spoofed IP address is as good as the original IP address intended for the connection. Spoofing addresses can lead to impersonation and identity theft.
In internet banking, users are required to register their account information over the Internet so that their accounts can be made accessible from any location, provided there is an internet connection. As shown in Figure 1, a user who registers his bank account over the Internet is mostly not considering the security of the connection. A large population of online bank account users in Nigeria and other parts of the world are only interested in the success of the transaction and not the means by which such a transaction is made. Since they trust the operating bank to provide them with the needed security, transactions are mostly made from any computing device that can allow their account information to be accessed over the internet. This is a high risk factor. In [15], a foresight of the security implications in internet banking was discussed, with specific emphasis on the tendency for transaction data to be intercepted by hackers.
Figure 1: Account registration and processing through an insecure network connection
Until this day, the traditional methods of user authentication, including the use of usernames and passwords, are being deployed for identifying the numerous users that subscribe to internet banking in most Nigerian banks. As highlighted in [9] and [10], brute force and dictionary attacks can allow an attacker to steal the authentication credentials of users, such as the login/password pair, by transmitting random words or a carefully selected list of words to the authentication server until the authentication parameters of authorised users of the system are divulged. Password thefts through shoulder surfing and piggybacking are likely possibilities for user identity theft and impersonation [17], [1]. Most users are not comfortable with lengthy passwords as well as passwords that are difficult to remember. Consequently, they prefer simple passwords such as dates of birth, pet names, surnames, phone numbers etc., which most times are not updated over time. This creates a security concern, as these static passwords can be stolen by a password Trojan residing in the memory of the computing device used for online transactions.
Most uniform resource locators (URLs) that point to the IP addresses of the web servers of most Nigerian banks’ websites are based on the use of the traditional hypertext transfer protocol (HTTP), which transmits contents between the server and the client in the clear [12]. The use of SSL/TLS for authenticating the server and cryptographically protecting the communication channel between the server and the client is not deployed. SSL/TLS is known for enhancing the confidentiality of transmitted contents [14], [5]. The absence of SSL/TLS can lead to phishing attacks, where a bank’s website can be cloned and used to mislead customers into feeding their bank details, including account numbers, usernames and passwords, into the fake website. The consequences of the successful redirection of customers to the fake website are diverse, including loss of confidential data, loss of revenue, denial of service, repudiation and damage to the bank’s public image as well as public trust and integrity.
Technologies For Protecting Online Transactions
The process of protecting the contents delivered to customers over the internet begins with the website that is rendered to users for authentication. A Google search for the website URLs of some famous banks in Nigeria reveals that the hypertext transfer protocol used to establish the connection between the client and the server, such as a web browser and a website hosted on a server, does not have the added security layer implemented through the deployment of SSL/TLS. This implies that the data exchange between a client device and the server can be subject to eavesdropping. As described in [3] and [9], eavesdropping involves the physical use of a listening device such as a packet grabber to intercept packet transmission between two communicating parties. SSL/TLS creates a secure communication tunnel between the client (a customer that uses internet banking) and the server (the bank’s internet banking site) using strong ciphers such as RSA (Rivest, Shamir and Adleman) for the encryption of the messages exchanged [7]. In this way, a temporary session for exchanging secret messages is established. Visual signs of the use of SSL/TLS over HTTP include the replacement of http with https in the website’s URL as well as a padlock icon shown in the address bar of the browser for that site.
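The visual check just described can be made automatic. The Python script below is an added example, not code from the paper or from any bank: it parses a login page, resolves each form's action URL against the page URL, and reports any page or password form that would carry credentials over plain HTTP. The bank.example host names and the three HTML pages are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormCollector(HTMLParser):
    """Records every <form> on a page together with its resolved action URL
    and whether the form contains a password field."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL, so a plain
            # action="/login" on an http:// page posts the credentials over http.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url: str, html: str) -> list[str]:
    """Return one finding per way the page would expose credentials in the clear."""
    findings = []
    page_scheme = urlsplit(page_url).scheme
    if page_scheme != "https":
        # Even a form that posts to https can be rewritten in transit when the
        # page carrying it is itself fetched over http.
        findings.append(f"login page served over {page_scheme}: {page_url}")
    collector = LoginFormCollector(page_url)
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue                      # search boxes etc. carry no credentials
        action_scheme = urlsplit(form["action"]).scheme
        if action_scheme != "https":
            findings.append(f"password form posts over {action_scheme}: {form['action']}")
    return findings


# Constructed sample pages; bank.example is a placeholder, not a real bank site.
SAMPLE_INSECURE_PAGE = """
<html><body>
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
</body></html>
"""

SAMPLE_MIXED_PAGE = """
<html><body>
<form action="http://legacy.bank.example/auth" method="post">
  <input name="user"><input name="pin" type="password">
</form>
<form action="/search"><input name="q" type="text"></form>
</body></html>
"""

SAMPLE_SECURE_PAGE = """
<html><body>
<form action="https://bank.example/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url, page in [("http://bank.example/login", SAMPLE_INSECURE_PAGE),
                      ("https://bank.example/login", SAMPLE_MIXED_PAGE),
                      ("https://bank.example/login", SAMPLE_SECURE_PAGE)]:
        print(url, "->", audit_login_page(url, page) or ["no findings"])
```

The second sample shows why the check has to look at the form's action and not only at the address bar: an https page whose login form still posts to an http endpoint gives the padlock without the protection.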
The security of SSL/TLS authentication is based on the authenticity, integrity and confidentiality provided by the protocol [14], [19]. Djuric in [7] agrees that the flexibility and protocol independence of SSL are leveraged by its operation at the TCP/IP transport level. The cryptographic features of SSL/TLS make the protocol suitable for client-server authentication. SSL/TLS authentication is achieved as follows:
(i) The server initially authenticates itself with a public key certificate
(ii) A pseudo-random secret key is generated by the client for the temporary session during which communication is established and transmission of data effected
(iii) The client encrypts the secret key using the server’s public key
(iv) The encrypted key is then transmitted to the server
(v) The established cryptographic session is then used for message transmission
The security provided by the implementation of SSL/TLS over HTTP (HTTPS) makes it pertinent for Nigerian banking websites to tilt towards this technology in order to provide enhanced security for the contents that are transmitted across the Internet. Hajjeh et al. in [11] believe that SSL/TLS has found widespread use over the internet as it is easily integrated in web servers. Other technologies for user authentication in internet banking include the use of authorisation numbers, one-time passwords and challenge-response systems [6], [14].
The Proposed Two-Factor Authentication Method
Two-factor authentication has been in use in some developed countries and regions such as the United States, United Kingdom, Asia, Middle East etc. Some of the existing two-factor authentication methods include RSA’s SecureID, BestBuy’s BestToken and Secure Computing’s Safeword [1]. The proliferation of the use of mobile services in Nigeria has witnessed continuous improvement, which can be exploited to allow for secure banking services in the country. One important element in the use of mobile phones and services in Nigeria is the biometric registration of subscribers to mobile networks. This makes it easy to map the real identity of a user to his mobile phone number.
With this technology, we discuss here an authentication mechanism for internet banking users that is underpinned by the unique identification of mobile network subscribers in Nigeria. As shown in Figure 2, users are authenticated into their online bank accounts using both a computing device (PC, laptop, iPad etc.) and a mobile or smart phone.
Figure 2: Proposed authentication mechanism for user identification in internet banking
Components Of The Proposed Design
We have chosen the following components for our design:
• A mobile phone with a registered SIM card: it is assumed that almost all (if not all) users of internet banking have mobile phones. A smart phone is also considered here as a mobile phone. It is also assumed that every owner of a mobile phone in Nigeria has a registered SIM card mapped to his physiological traits (biometric data) such as fingerprints.
• A computing device: a user needs a computing device such as a personal computer (PC), laptop, iPad, smart phone etc. to log into his online bank account.
• Transaction server: this is the bank’s transaction server for day-to-day transaction processing.
• Authentication server: the authentication server is used to generate the one-time password or authentication code that is used to verify the identity of the user at every login session.
• Mobile network operator: the mobile network operator that registers the user on subscription to its network.
Discussion Of The Design
• User registration: the user registers with the bank offering the internet banking services. The user must provide his mobile number alongside other personal information during registration. A username and password are chosen by the user for logging into the online account.
• Login request: the user provides a username and password, which he enters into a browser to have access to the transaction server. It is assumed that the user’s access is through an insecure channel, which is subject to eavesdropping. The transaction server receives the request and opens a secure connection between the user’s browser and the server. The secure connection is based on SSL/TLS authentication and requests an authentication code from the user.
• User authentication: the transaction server sends an authentication request consisting of a unique identifier generated by hashing the user’s bio-data and the user’s mobile phone number. The combination of the user’s bio-data used for generating the hash is hidden from the user. The hashing algorithm is randomly chosen from a collection of stored hashing algorithms, which are invoked at user login requests. Hashing algorithms that can be used include MD5, SHA-1 etc. [8]. The authentication server then does the following:
o It confirms the user’s identity with the mobile network using the mobile phone number sent to it by the transaction server. We suggest that the bank and the mobile network operator can synchronise their servers to quicken the process of user identification.
Figure 3: Server synchronisation for user identification
o On the successful confirmation of the user’s identity, the authentication server implements a time-based one-time password algorithm to generate a pseudo-random number, which changes on every login request and can be used only once (one-time password, OTP). This is a check against replay and guessing attacks [16], [18].
o The generated one-time password (authentication code) is then sent to the mobile phone number of the requesting user. The same code is mapped to the user’s record in the transaction server to enable the transaction server to identify the user in the final login stage. This transmission is done through secure channels. The code is set to expire after a specified period of time, say thirty (30) seconds, within which the user has to feed it into the text box displayed in the browser.
• User login: the user receives a short message (SMS) on his mobile phone with the authentication code requested during the initial login request stage. This code is then entered by the user in the browser to complete a successful login session. The final stage of the login process is done through a secure channel. The user remains on the secure channel for all transactions until he logs out of his online account.
• Login failure: in the event of the expiration of the 30-second count for the user to supply the authentication code, the login session times out and the user is redirected back to the login page, where he will have to supply his username and password as a login request to the transaction server. The authentication process is repeated to generate the authentication code needed to complete the login session.
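The following Python code is an added example, not part of the paper, that sketches the authentication server's side of the design just described: a unique identifier hashed from the bio-data and the mobile number, a fresh code for every login request, the 30-second expiry, and acceptance of each code exactly once. Points the paper leaves open and that are assumed here: SHA-256 in place of the MD5/SHA-1 it names, six-digit codes, a cap of three wrong guesses per code, and the names AuthenticationServer, UserRecord, issue_code and verify_code. Delivery of the SMS is represented by returning the code to the caller.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Stated in the design: the code expires after 30 seconds and is single-use.
OTP_LIFETIME_SECONDS = 30
# Assumptions not stated in the paper: six-digit codes, three guesses per code.
OTP_DIGITS = 6
MAX_ATTEMPTS = 3


@dataclass
class UserRecord:
    """A registered internet-banking user (constructed for this example)."""
    username: str
    mobile_number: str
    bio_data: str                                  # never shown to the user
    pending: dict = field(default_factory=dict)    # state of the outstanding OTP, if any


def user_identifier(user: UserRecord) -> str:
    """Identifier derived by hashing the bio-data together with the mobile number.
    Assumption: SHA-256 is used here instead of the MD5/SHA-1 mentioned in the paper."""
    material = f"{user.bio_data}|{user.mobile_number}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


class AuthenticationServer:
    """Issues and verifies the SMS authentication code of the proposed design."""

    def __init__(self) -> None:
        self.users = {}

    def register(self, user: UserRecord) -> None:
        self.users[user.username] = user

    def issue_code(self, username: str, now: float) -> str:
        """Generate a fresh code for a login request; `now` is a Unix timestamp.
        The returned code is what the design sends by SMS to user.mobile_number."""
        user = self.users[username]
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        user.pending = {
            "code": code,
            "expires": now + OTP_LIFETIME_SECONDS,
            "attempts": 0,
            "used": False,
        }
        return code

    def verify_code(self, username: str, supplied: str, now: float) -> str:
        """Check a code typed into the browser. Returns one of:
        ok, no_request, expired, replayed, mismatch, locked."""
        user = self.users.get(username)
        if user is None or not user.pending:
            return "no_request"
        state = user.pending
        if state["used"]:
            return "replayed"            # a code is accepted exactly once
        if now > state["expires"]:
            user.pending = {}            # timed out: the user must start a new login request
            return "expired"
        if not hmac.compare_digest(state["code"], supplied):
            state["attempts"] += 1
            if state["attempts"] >= MAX_ATTEMPTS:
                user.pending = {}        # stops online guessing of the short code
                return "locked"
            return "mismatch"
        state["used"] = True
        return "ok"


if __name__ == "__main__":
    server = AuthenticationServer()
    server.register(UserRecord("ada", "+234-800-000-0000", "constructed bio-data"))
    code = server.issue_code("ada", now=1_000.0)
    wrong = "000000" if code != "000000" else "111111"
    print("identifier:", user_identifier(server.users["ada"])[:16], "...")
    print("wrong code:", server.verify_code("ada", wrong, now=1_005.0))
    print("right code:", server.verify_code("ada", code, now=1_010.0))
    print("replay    :", server.verify_code("ada", code, now=1_011.0))
```

The comparison uses hmac.compare_digest so that the time taken to reject a wrong code does not depend on how many leading digits matched, and the guess cap matters because a six-digit code that stays valid for 30 seconds is small enough to be guessed online if the server allows unlimited attempts.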
Conclusion
Spoofing, replay and password guessing attacks are on the increase. Many users have lost much of their savings and have had their transactions intercepted by intruders, leading to loss of trust in internet banking services. Not many customers of banks in Nigeria are comfortable with the idea of managing their bank accounts over the internet. This is because they have heard a lot of stories, and some have witnessed the misuse of the internet for fraud. Operating an online account creates a lot of convenience for its users. Apart from the user’s ability to access funds without having to physically visit a branch of the operating bank, he can easily buy goods and services over the internet from any part of the world. Also, funds transfer can be done within a few seconds, as compared to the delay witnessed in conventional banking halls.
One key issue in user acceptance of internet banking is authentication. In this paper, we have proposed a two-factor authentication method that combines the user’s login parameters, such as the username and password, with an authentication code, also called a one-time password, to verify the identity of the user as the owner of the online bank account he is requesting access to. The deployment of mobile phones for the transmission of the authentication codes is based on the fact that subscribers to mobile networks in Nigeria are subject to biometric registration of their SIM cards. This registration is leveraged by fingerprint scans and personal data, which uniquely identify a user as the owner of the mobile phone number he purchases. The SIM card registration is done at the point of purchase. We anticipate that this two-factor authentication will help to control identity spoofing and impersonation on internet banking sites.
Future research will be directed towards biometric authentication processes, which allow users to log into their online accounts securely using a separate biometric authentication device in combination with other login details such as usernames and passwords. Although we anticipate that this may be an expensive approach to user authentication, we believe that its deployment will enhance internet banking security in Nigeria.
______________________________________________________________________________
References
1. Aloul, F.; Zahidi, S. & El-Hajj, W. (2009) "Two factor authentication using mobile phones," IEEE/ACS International Conference on Computer Systems and Applications (AICCSA 2009), pp. 641-644
2. Ayo, C. K.; Adewoye, J. O. & Oni, A. A. (2010) "The state of e-banking implementation in Nigeria: A post-consolidation review," Journal of Emerging Trends in Economics and Management Sciences, vol. 1, no. 1, pp. 37-45
3. Butcher, D.; Xiangyang, L. & Jinhua, G. (2007) "Security Challenge and Defense in VoIP Infrastructures," IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews, vol. 37, pp. 1152-1162
4. Central Bank of Nigeria (2003) "Guidelines on Electronic Banking in Nigeria"
5. de la Puente, F.; Sandoval, J. D. & Hernandez, P. (2003) "Personal digital signer for Internet banking," IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM 2003), vol. 2, pp. 700-703
6. de la Puente, F.; Sandoval, J. D. & Hernandez, P. (2003) "Pocket device for authentication and data integrity on Internet banking applications," Proceedings of the IEEE 37th Annual International Carnahan Conference on Security Technology, pp. 43-50
7. Djuric, Z. (2005) "IPS - secure Internet payment system," International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 425-430
8. Eldefrawy, M. H.; Alghathbar, K. & Khan, M. K. (2011) "OTP-Based Two-Factor Authentication Using Mobile Phones," Eighth International Conference on Information Technology: New Generations (ITNG 2011), pp. 327-331
9. Goyal, V.; Kumar, V.; Singh, M.; Abraham, A. & Sanyal, S. (2005) "CompChall: addressing password guessing attacks," International Conference on Information Technology: Coding and Computing (ITCC 2005), vol. 1, pp. 739-744
10. Gruber, M.; Fankhauser, F.; Taber, S.; Schanes, C. & Grechenig, T. (2011) "Security status of VoIP based on the observation of real-world attacks on a honeynet," IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT) and IEEE Third International Conference on Social Computing (SocialCom), pp. 1041-1047
11. Hajjeh, I.; Serhrouchni, A. & Tastet, F. (2003) "ISAKMP handshake for SSL/TLS," IEEE Global Telecommunications Conference (GLOBECOM '03), vol. 3, pp. 1481-1485
12. Kumar, D. & Venkata, B. (2012) "An Overview of Hypertext Transfer Protocol service Security on Business Domain," International Proceedings of Economics Development & Research, vol. 37, pp. 285-289
13. Okechi, O. & Kepeghom, O. M. (2013) "Empirical Evaluation of Customers' Use of Electronic Banking Systems in Nigeria," African Journal of Computing & ICT, vol. 6, no. 1, pp. 7-20
14. Oppliger, R.; Rytz, R. & Holderegger, T. (2009) "Internet Banking: Client-Side Attacks and Protection Mechanisms," Computer, vol. 42, no. 6, pp. 27-33
15. Ovia, J. (2001) "Banking: practices and potentials in Nigeria," paper presented at a seminar organised by The Institute of Chartered Accountants of Nigeria, September 2001
16. Liao, S.; Zhang, Q.; Chen, C. & Dai, Y. (2009) "A unidirectional one-time password authentication scheme without counter desynchronization," ISECS International Colloquium on Computing, Communication, Control, and Management (CCCM 2009), vol. 4, pp. 361-364
17. Simpson, M. T.; Backman, K. & Corley, J. E. (2013) Hands-On Ethical Hacking and Network Defense. Boston, USA: Course Technology
18. Huang, W. J.; Guo, L.; Du, W. & Huang, L. (2010) "Electronic Trading Systems in Several Authentication Methods Commonly Used Comparison," WASE International Conference on Information Engineering (ICIE 2010), vol. 2, pp. 251-254
19. Yasinsac, A. & Childs, J. (2001) "Analyzing Internet security protocols," Sixth IEEE International Symposium on High Assurance Systems Engineering, pp. 149-159