Hardened client platforms for secure internet banking

Abstract

We review the security of c-banking platforms with particular attention to the exploitable attack vectors of three main attack categories: Man-in-the-Middle, Man-in-the-PC and Man-in-the-Browser. It will be shown that the most serious threats come from combination attacks capable of hacking any transaction without the need to control the authentication process. Using this approach, the security of any authentication system can be bypassed, including those using SecureID Tokens, OTP Tokens, Biometric Sensors and Smart Cards. We will describe and compare two recently proposed c-banking platforms, the ZTIC and the USPD, both of which are based on the use of dedicated client devices, but with diverging approaches with respect to the need of hardening the Web client application. It will be shown that the use of a Hardened Browser (or H-Browser) component is critical to force attackers to employ complex and expensive techniques and to reduce the strength and variety of social engineering attacks down to physiological fraud levels. © 2009 Vieweg+Teubner | GWV Fachverlage GmbH, Wiesbaden.