ABSTRACT
Online users now rely on internet banking as a major platform for paying for goods and services online. Cybercriminals are using newer and more advanced methods to target these users, and one of the fastest growing threats in the world today is the Man-in-the-Browser (MitB) attack. As advances in technology continue to change the way society pays for goods and services, more advanced security approaches are required for authenticating transactions on the internet. This dissertation provides more secure authentication for online transactions through an enhanced security approach that combines an anti-form-grabbing technique, which encodes user inputs into random characters as they are entered; JSON Web Tokens (JWT), which protect the integrity of information passed between the two parties; a One Time Password (OTP) token for authentication; and e-mail as a second verification channel from the server, in order to combat MitB attacks.
TABLE OF CONTENTS
TITLE PAGE
DECLARATION
CERTIFICATION
DEDICATION
ACKNOWLEDGEMENT
ABSTRACT
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATIONS
CHAPTER ONE
INTRODUCTION
1.1 Background of the Study
1.2 Research Motivation
1.3 Research Aim and Objectives
1.4 Research Methodology
1.5 Contribution to Knowledge
1.6 Organization of the Dissertation
CHAPTER TWO
LITERATURE REVIEW
2.1 Introduction
2.2 History of the Web
2.2.1 Online Banking
2.2.2 History of Online Banking
2.2.3 Security
2.3 Online Attacks
2.3.1 Man-in-the-Browser Attack
2.3.2 Other Threats
2.4 Security Features
2.4.1 Salt
2.4.2 Hashing
2.4.3 Sessions
2.4.4 Dynamic JavaScript
2.5 Technologies Used
2.5.1 Server Side Scripting Language
2.5.2 Client Side Scripting Language
2.5.3 HTML
2.5.4 MySQL
2.6 Literature Review
CHAPTER THREE
MATERIALS AND METHODS
3.1 Introduction
3.2 The Proposed Enhanced Security System
3.2.1 Functionalities of the System
3.2.2 System Architecture
3.2.3 System Flow Chart
3.3 The Security Model Mitigating MitB
3.3.1 The Anti-Form Grabbing Technique
3.3.2 Token Generation
3.3.3 JSON Web Token (JWT)
3.3.4 Email Verification Service
3.4 Theoretical Evaluation of the Security Model
CHAPTER FOUR
IMPLEMENTATION AND DISCUSSION
4.1 Introduction
4.2 Code Implementation
4.2.1 Coding the Proposed Algorithm
4.2.3 Email Authentication Handler
4.3 Discussion of Results
4.4 Model Comparison Analysis
CHAPTER FIVE
SUMMARY, CONCLUSION AND RECOMMENDATION
5.1 Summary
5.2 Conclusion
5.3 Recommendation
REFERENCES
CHAPTER ONE
INTRODUCTION
1.1 Background of the Study
When using services in a web environment, security is of great importance for both the user and the provider. The information in use must be handled in a way that does not compromise its security. Passwords are only secure as long as the user keeps them secret, and not everyone is aware of the risk that comes with compromised passwords and other security leaks (Nilsson, 2012).
Lately, client-side attacks on online banking and electronic commerce have been on the rise, partly because of inadequate security awareness amongst end users: an end user is typically unaware of a vulnerability on their machine or platform that could lead to a client-side attack such as a man-in-the-browser (MitB) attack. Man-in-the-middle (MitM) techniques, which mainly target the information flow between a client and a server, have evolved into the man-in-the-browser (MitB) attack. A MitM attack occurs when an attacker eavesdrops on web traffic by fooling both endpoints (the client and the web server) into connecting to the attacker instead of to each other. The common countermeasure is a secure channel such as SSL/TLS (Secure Sockets Layer / Transport Layer Security) whenever sensitive data is transmitted between the client and the server. A MitB attack is instead designed to infiltrate client software such as the web browser and manipulate or steal sensitive information. It takes place on the client side of the connection, inside the browser process and before the data is encrypted for transmission, so a secure channel on its own does not protect against it. The ability of these trojans to perform Man-in-the-Middle and Man-in-the-Browser attacks on valid transactions is most worrying, since they silently change information supplied by the client, such as the beneficiary's bank details, to the attacker's account details (Fazli et al., 2012).
The password remains the most popular authentication mechanism in use today: to complete any web-based transaction, the online user is required to enter his or her password into the online system.
As technological advances continue to influence the way society makes payment for goods and services, the requirement for more advanced security approaches for transaction verification in the online environment increases.
To mitigate these security issues, this dissertation proposes a solution that integrates several authentication methods to provide an improved and secure online transaction between the client and the server. It introduces an anti-form-grabbing technique that prevents the attacker from "grabbing" sensitive information and modifying it as it is sent from the client to the server, and protects the exchanged web content with JSON Web Tokens (JWT), a compact, signed token format for passing claims between two parties so that tampering can be detected. The system further minimises the risk of man-in-the-browser (MitB) attacks by using a One Time Password (OTP), a password that is valid for only one login session or transaction within a limited time, together with e-mail as a separate verification channel.
1.2 Research Motivation
Cybercriminals are using newer and more advanced methods to target online users, and one of the fastest growing threats in the world today is the man-in-the-browser (MitB) Trojan attack (RSA, 2011). What makes MitB attacks difficult to detect from the client side is that any activity performed appears to originate from the legitimate user's web browser; under this cover the attack silently changes the account details in the user's transaction to the attacker's account details, which is most worrying.
The losses attributed to financial fraud are alarming. The financial services industry has become a primary target of cyber-attacks on a global scale and, in 2009 alone, suffered losses totalling $54 billion – an increase from $48 billion in 2008 (SafeNet, 2010).
In 2010 there was an exponential increase in the number of these attacks against financial institutions, including the European consumer banking and U.S. corporate banking markets (RSA, 2011).
Attackers target the most sensitive fields, such as the destination account number and the amount, and alter them for their own benefit. The bank server must be able to trust the data transmitted to it, which is why an enhanced web security application is developed here to tackle this online security threat.
1.3 Research Aim and Objectives
The aim of this dissertation is to develop mechanisms for preventing Man-in-the-Browser (MitB) attacks on online financial transactions. The research objectives are to:
a) Develop anti-form grabbing technique to encode the user inputs as they are being entered.
b) Implement an authentication mechanism using One Time Password (OTP).
c) Develop a medium that makes use of e-mail from the server for identity verification.
1.4 Research Methodology
The following are methods that were adopted for this research:
a) Develop the anti-form grabbing algorithm to encode user inputs.
b) Develop the OTP algorithm to authenticate the user.
c) Develop a medium that makes use of e-mail from the server for identity verification.
d) Design the proposed system architecture to mitigate MitB attack.
e) Implement the proposed system.
f) Assess performance of the proposed system.
1.5 Contribution to Knowledge
The Enhanced Web Security Application was developed to tackle MitB attacks, and in doing so this dissertation makes the following contributions:
a) An anti-form-grabbing algorithm was developed to tackle form grabbing, a technique used in MitB attacks.
b) The web contents exchanged between the two parties were protected with JWT so that the information exchange is safeguarded.
c) E-mail was used as an additional verification channel.
1.6 Organization of the Dissertation
The rest of the dissertation is organised as follows. Chapter 2 discusses the history of online banking and reviews related work on MitB attacks. Chapter 3 presents the proposed design of the enhanced security application, in particular the security components that make up the system architecture: anti-form grabbing, JWT, OTP and e-mail verification. Chapter 4 covers the implementation of the design proposed in Chapter 3. Chapter 5 summarises the dissertation and outlines future work.