Enhanced web security application for online financial transactions
Table Of Contents
- Title Page
- Declaration
- Certification
- Dedication
- Acknowledgement
- Abstract
- Table of Contents
- List of Figures
- List of Tables
- List of Abbreviations
Chapter ONE
INTRODUCTION
- 1.1 Background of the Study
- 1.2 Research Motivation
- 1.3 Research Aim and Objectives
- 1.4 Research Methodology
- 1.5 Contribution to Knowledge
- 1.6 Organization of the Dissertation
Chapter TWO
LITERATURE REVIEW
- 2.1 Introduction
- 2.2 History of the Web
  - 2.2.1 Online Banking
  - 2.2.2 History of Online Banking
  - 2.2.3 Security
- 2.3 Online Attacks
  - 2.3.1 Man-in-the-Browser Attack
  - 2.3.2 Other Threats
- 2.4 Security Features
  - 2.4.1 Salt
  - 2.4.2 Hashing
  - 2.4.3 Sessions
  - 2.4.4 Dynamic JavaScript
- 2.5 Technologies Used
  - 2.5.1 Server Side Scripting Language
  - 2.5.2 Client Side Scripting Language
  - 2.5.3 HTML
  - 2.5.4 MySQL
- 2.6 Literature Review
Chapter THREE
SYSTEM DESIGN AND IMPLEMENTATION (MATERIALS AND METHODS)
- 3.1 Introduction
- 3.2 The Proposed Enhanced Security System
  - 3.2.1 Functionalities of the System
  - 3.2.2 System Architecture
  - 3.2.3 System Flow Chart
- 3.3 The Security Model Mitigating MitB
  - 3.3.1 The Anti-Form Grabbing Technique
  - 3.3.2 Token Generation
  - 3.3.3 JSON Web Token (JWT)
  - 3.3.4 Email Verification Service
- 3.4 Theoretical Evaluation of the Security Model
Chapter FOUR
SYSTEM TESTING AND EVALUATION (IMPLEMENTATION AND DISCUSSION)
- 4.1 Introduction
- 4.2 Code Implementation
  - 4.2.1 Coding the Proposed Algorithm
  - 4.2.3 Email Authentication Handler
- 4.3 Discussion of Results
- 4.4 Model Comparison Analysis
Chapter FIVE
SUMMARY, CONCLUSION AND RECOMMENDATIONS
- 5.1 Summary
- 5.2 Conclusion
- 5.3 Recommendation
- References
Project Abstract
Online users now make use of internet banking as a major platform for paying for products online, and cybercriminals are using newer and more advanced methods to target them. One of the fastest growing threats today is the Man-in-the-Browser (MitB) attack. As advances in technology continue to influence the way society pays for goods and services, more advanced security approaches are required for transaction authentication on the internet. This dissertation provides more secure authentication for online transactions through an enhanced security approach that combines an anti-form-grabbing technique, which encodes user inputs into random characters; JSON Web Tokens (JWT), which protect the passage of information between two parties; a One Time Password (OTP) token for authentication; and email as a further verification channel from the server, to combat MitB attacks.
Project Overview
INTRODUCTION

1.1 Background of the Study

When services are used in a web environment, security is of great importance to both the user and the provider. The information in use must be handled in a way that does not compromise its security. Passwords are only secure as long as the user keeps them secret, and not everyone is aware of the risk that comes with compromised passwords and other security leaks (Nilsson, 2012).

Client-side attacks on online banking and electronic commerce are on the rise, partly because of inadequate security awareness among end users. An end user is typically unaware of a vulnerability on their machine or platform that could enable a client-side attack such as a man-in-the-browser (MitB) attack. Man-in-the-middle (MitM) techniques, which target the flow of information between a client and a server, have evolved into the MitB attack. A MitM attack occurs when an attacker interposes itself between the client and the web server, so that each side connects to the attacker instead of to the other and the attacker can read or alter the traffic. The usual countermeasure is a secure channel such as SSL (Secure Sockets Layer), today TLS, whenever sensitive data is transmitted between client and server. A MitB attack instead infiltrates the client software, the web browser itself, and manipulates or steals sensitive information there. Because it takes place on the client side of the connection, transport encryption does not help: the trojan sees the data before it is encrypted and after it is decrypted. The ability of these trojans to tamper with valid transactions is the most worrying aspect, since they silently replace information entered by the client, such as the user's bank details, with the attacker's account details (Fazli et al., 2012).

The password remains the most popular authentication mechanism in use today; to complete any web-based transaction, the online user is required to enter a password into the online system. As technological advances continue to influence the way society pays for goods and services, the requirement for more advanced approaches to transaction verification in the online environment increases.

To mitigate these security issues, this dissertation integrates several authentication methods to provide an improved and secure online transaction between client and server. It introduces an anti-form-grabbing technique that prevents an attacker from "grabbing" sensitive information and modifying it as it is sent from the client to the server, and protects the web contents with JSON Web Tokens (JWT), a safe means of transferring information between two parties. The system further reduces the risk of MitB attacks by using a One Time Password (OTP), a password valid for only one login session or transaction within a limited time, together with email as a separate verification channel.

1.2 Research Motivation

Cybercriminals are using newer and more advanced methods to target online users, and one of the fastest growing threats in the world today is the man-in-the-browser (MitB) trojan attack (RSA, 2011). What makes MitB attacks difficult to detect on the client side is that every action appears to originate from the legitimate user's web browser; the trojan silently replaces the user's account details with the attacker's, which is the most worrying aspect.

The losses attributed to financial fraud are alarming. The financial services industry has become a primary target of cyber-attacks on a global scale and in 2009 alone suffered losses totalling $54 billion, up from $48 billion in 2008 (SafeNet, 2010). In 2010 there was an exponential increase in the number of these attacks against financial institutions, including the European consumer banking and U.S. corporate banking markets (RSA, 2011).

Attackers target the most sensitive fields of a transaction, such as the account number and the amount, and alter them for their own benefit. One must be able to trust the data that reaches the bank server, which is why an enhanced web security application is developed in this work to tackle this online security threat.

1.3 Research Aim and Objectives

The aim of this dissertation is to develop mechanisms for preventing Man-in-the-Browser (MitB) attacks on online financial transactions. The research objectives are to:
a) Develop an anti-form-grabbing technique that encodes user inputs as they are being entered.
b) Implement an authentication mechanism using a One Time Password (OTP).
c) Develop a medium that uses email from the server for identity verification.

1.4 Research Methodology

The following methods were adopted for this research:
a) Develop the anti-form-grabbing algorithm to encode user inputs.
b) Develop the OTP algorithm to authenticate the user.
c) Develop a medium that uses email from the server for identity verification.
d) Design the proposed system architecture to mitigate MitB attacks.
e) Implement the proposed system.
f) Assess the performance of the proposed system.

1.5 Contribution to Knowledge

The Enhanced Web Security Application was developed to tackle MitB attacks, and in doing so this dissertation makes the following contributions:
a) An anti-form-grabbing algorithm that tackles form grabbing, one of the techniques used in MitB attacks.
b) Protection of the web contents with JWT to secure the information exchange between the two parties.
c) The use of email as a verification channel.

1.6 Organization of the Dissertation

The rest of the dissertation is organized as follows. Chapter 2 discusses the history of online banking and reviews related work on MitB attacks. Chapter 3 presents the proposed design of the enhanced security application, in particular the security components that make up the system architecture: anti-form grabbing, JWT, OTP and email verification. Chapter 4 covers the implementation of the design proposed in Chapter 3. Chapter 5 summarizes the dissertation and outlines future work.
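The following Python is an added example, not code from the dissertation, showing one way the OTP, JWT and email components named in sections 1.1 and 1.5 fit together on the server side. It generalises the text slightly: the OTP is bound to the transfer details (destination account and amount) and the email restates those details, so a transaction silently rewritten by malware in the browser either shows the user the attacker's account in the email or fails the server's comparison at confirmation time. Any encoding performed by browser-side script runs inside the same browser the trojan controls, so the server-side checks below are the ones that have to hold. The HMAC key, the two-minute validity window, the account numbers and all function names are assumptions made for this illustration; the HS256 JWT is built with the standard library only.

```python
"""Added example (not the dissertation's own code): an OTP bound to the transfer
details and delivered by email, with an HS256 JWT carrying the pending transfer
between the two steps. Key, TTL, account numbers and names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # assumed: held only by the server, never sent to the browser
OTP_TTL = 120                          # assumed: seconds an OTP and its token remain valid
_used_jti: set = set()                 # replay cache; a deployment keeps this in the database


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def jwt_verify(token: str, now: float) -> Optional[dict]:
    """Return the claims if the signature is valid and 'exp' lies in the future, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        if json.loads(_unb64(header)).get("alg") != "HS256":  # refuse alg=none and downgrades
            return None
        expected = hmac.new(SERVER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None


def _otp_tag(otp: str, jti: str) -> str:
    """Keyed digest of the OTP, so the token carries a check value without exposing the OTP."""
    return hmac.new(SERVER_KEY, f"{jti}:{otp}".encode(), hashlib.sha256).hexdigest()


def start_transfer(user: str, dest_account: str, amount: str, now: float) -> Tuple[str, str, str]:
    """Step 1: the server receives the transfer form, mints a transaction token and emails an OTP.

    Returns (token handed to the browser, the OTP as emailed, the email body). The email restates
    the details the server actually received, so a user whose browser rewrote the destination
    sees the attacker's account number in the message and can refuse to enter the code.
    """
    otp = f"{secrets.randbelow(10**6):06d}"
    jti = secrets.token_hex(8)
    claims = {"sub": user, "dest": dest_account, "amt": amount, "jti": jti,
              "exp": int(now + OTP_TTL), "otp_tag": _otp_tag(otp, jti)}
    email_body = (f"Confirm transfer of {amount} to account {dest_account}. "
                  f"Your one-time code is {otp}; it expires in {OTP_TTL // 60} minutes.")
    return jwt_sign(claims), otp, email_body


def confirm_transfer(token: str, dest_account: str, amount: str, otp: str, now: float) -> str:
    """Step 2: token, resubmitted details, OTP and single use must all agree before executing."""
    claims = jwt_verify(token, now)
    if claims is None:
        return "rejected: token invalid or expired"
    if (dest_account, amount) != (claims["dest"], claims["amt"]):
        return "rejected: details differ from those confirmed by email"  # rewritten at step 2
    if not hmac.compare_digest(_otp_tag(otp, claims["jti"]), claims["otp_tag"]):
        return "rejected: wrong OTP"
    if claims["jti"] in _used_jti:
        return "rejected: OTP already used"  # replay of a captured confirmation
    _used_jti.add(claims["jti"])
    return f"executed: {claims['amt']} to {claims['dest']} for {claims['sub']}"


def demo() -> dict:
    """Run the flow once with constructed inputs: an honest confirmation, then five attacks."""
    t0 = 1_700_000_000.0
    token, otp, email = start_transfer("alice", "0123456789", "250.00", t0)
    results = {"email": email}
    results["honest"] = confirm_transfer(token, "0123456789", "250.00", otp, t0 + 30)
    results["rewritten"] = confirm_transfer(token, "9999999999", "250.00", otp, t0 + 30)
    results["replay"] = confirm_transfer(token, "0123456789", "250.00", otp, t0 + 40)
    results["expired"] = confirm_transfer(token, "0123456789", "250.00", otp, t0 + OTP_TTL + 1)
    parts = token.split(".")  # flip the first payload character: signature no longer matches
    parts[1] = ("A" if parts[1][0] != "A" else "B") + parts[1][1:]
    results["tampered"] = confirm_transfer(".".join(parts), "0123456789", "250.00", otp, t0 + 30)
    token2, otp2, _ = start_transfer("alice", "0123456789", "250.00", t0)
    bad_otp = "000000" if otp2 != "000000" else "111111"
    results["wrong_otp"] = confirm_transfer(token2, "0123456789", "250.00", bad_otp, t0 + 30)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The order of the checks in `confirm_transfer` is deliberate: signature and expiry first, then the comparison of the resubmitted details against the claims the user saw in the email, then the OTP, and only then the single-use check, so a rejected request never consumes the token. The OTP itself is never stored; the token carries only a keyed digest of it under the server key.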