a survey on security solutions of top e-banking providers ...a survey on security solutions of top...

Noname manuscript No.(will be inserted by the editor)

A Survey on Security Solutions of Top e-BankingProviders from an Eastern European Market

Marius Cristea · Bogdan Groza

the date of receipt and acceptance should be inserted later

Abstract We analyse the security of e-banking ser-vices from top e-banking providers on the Romanianmarket. This location is relevant from at least two rea-

sons: it’s a dynamic and diverse market situated at thecrossroads between central and eastern Europe and halfof the providers come from foreign markets (CitiBank,

ING, Raiffeisen, etc.) or are acquired by Western Eu-ropean providers (Societe Generale, Erste Bank, Uni-credit). Therefore, most of the solutions employed here

are not at all different from their foreign counterparts,we do in fact observe to be no correlation between thesecurity level and the origin of the provider. We show

the security mechanisms to be technically sparse: fromsimple password based authentication to stronger au-thentication based on one-time password calculators ordigital certificates installed in browsers. We do conclude

that many of them are insecure against phishing attacksand in fact none of them is completely secure againststronger attacks such as Man-in-the-browser (MitB) at-

tacks. Finally, we conduct a study on user awareness onsecurity threats and preferences for e-banking authen-tication. This shows a significant percentage of users

to be still unaware of attacks but fortunately the vastmajority of users prefer security rather than usabilityin e-banking products.

Keywords e-banking · security · social engineering ·user perception

Marius CristeaDepartment of Automatics and Applied Informatics, Facultyof Automatics and Computers, ”Politehnica” University ofTimisoara, Bd. Vasile Parvan 2, Timisoara, RomaniaTel.: +40 745 647321E-mail: [email protected]

Bogdan GrozaE-mail: [email protected]

1 Introduction and motivation

E-banking solutions have expanded in the last decade

mostly because they don’t require the client to be presentat the bank in order to commit a transaction. Thus, theclient gains time and potentially spears some money.

A survey done by ABA (www.aba.com) in Septem-ber 2010 shows that 36% of consumers prefer Inter-net Banking instead of other solutions. With the devel-

opment of on-line banking, fraud related to e-bankingtransfers started to increase as well, bringing risks asso-ciated to the user benefits. Most of this fraud is caused

by social engineering attacks, such as phishing or pharm-ing [40].

To increase security, several e-banking providers startedto use hand-held devices, such as one-time passwordcomputers, in order to authenticate their users. But

this is not enough when more complex attacks takeplace, such as a mixed attack in which the bank serveris disabled by a DDoS attack and a phishing attack is

mounted on the clients. Practice shows that treatingattacks individually does not always cover the vulnera-bilities of the systems. Thus, even if a Denial of Services

(DoS) attack on the website may appear harmless withrespect to client’s information, this is not the case whenthe attack is followed by a phishing email sent to all

users. This is because, although the users are educated,such messages become more plausible in the absence ofthe genuine bank server.

Phishing can be defined as a form of acquiring sen-sitive information (like user-names, passwords or creditcard details) by impersonating an entity that is trusted

by the user. From a financial point of view, phishingis an ever increasing phenomenon, even if it is not rel-atively new (the term was introduced in [14] 17 years

ago), affecting more and more people around the world.

2 Marius Cristea, Bogdan Groza

According to [26] 3.6 million of persons in the US suf-

fered from a phishing attack, $ 3.2 billion being lostto these attacks in the U.S and £35.4 million in theU.K [11]. Even if phishing targets different industry sec-

tors, the most affected one is the financial sector (42.4%of the phishing attacks target the financial industry [3]).Such attacks are usually deployed by means of e-mail or

instant messaging, where the message sent by the ad-versary contains a link to a fake web site that tries toreproduce the look and feel of the original site. Phishing

is a form of social engineering that exploits vulnerabil-ities present in current web security technologies. Be-cause phishing attacks can be identified by the educated

user, another form of social engineering has evolved:pharming. In this case the adversary redirects the traf-fic for the original web site to a scam website. This can

be achieved by changing the victim’s host files or byexploiting the DNS server used by the victim. To goeven further, the most recent attacks involved infectedbrowsers, also known as Man-in-the Browser Attacks

(MitB), a kind of attack on which even Public-Key In-frastructure (PKI) based mechanism, such SSL/TLS orrelated protocols are completely ineffective.

But the main cause of such attack is that authenti-

cation in e-banking services is one-way, only the clientauthenticates to the site and not vice-versa. In the bestcase, website authentication is left alone to a digital

certificate that is signed by a trusted third party. Butas practice shows, it is possible sometimes for an adver-sary to use a valid certificate or, even more common,

for the client to accept a certificate that is untrusted. Inthis context, at least a minimal effort should be done bye-banking providers to give clients stronger hand-held

devices that can authenticate the e-banking website anduser input as well.

These attacks are relevant from various reasons. Onthe adversary side they are easy to lunch even at alarge scale (in contrast to common physical card theft

which are usually isolated events) and increasingly easyto reproduce (since more and more software tools areavailable on Internet). On the user or legal authorities’

side they are hard to trace back (since adversaries actthrough remote botnets) and hard to be identified bythe users, (a card theft is easy to note, but it is harder

for user to figure out that his browser based transactionwas stolen). These viewpoints are commonly acknowl-edged, for example in [36], the later view point was

recently advocated by Pavı et al. [30].

In what follows we make an analysis of existing so-

lutions on the Romanian market to find their vulner-abilities. To emphasize on the relevance of our studywith respect to foreign markets in Table 1 we make a

brief analysis of the origin of service providers. As it can

be easily seen half of the providers come from foreign

markets, and more than half of the remaining banksare already acquired by other western European banks.As it results from the analysis that follows, there is no

correlation between the security level and the origin ofthe provider; national e-banking providers do not relyon mechanisms that are necessarily weaker.

An older comparative analysis of the security of e-commerce providers is presented by Ureche and Pla-mondon [33]. But, since the time of their analysis, the

solutions in the e-banking sector, as well as the attacks,have evolved radically.

The paper is organized as follows. In the secondsection we make a brief overview of related work on

e-banking authentication and we give some details onphishing, pharming, DoS and MitB attacks. In the thirdsection we survey the e-banking solutions provided by:

ING, BCR Erste, CitiBank, ProCredit Bank, Raiffaisen,BRD Societe Generalle, Bancpost, Millennium, Tran-silvania, CEC, Alpha and Unicredit Tiriac Bank. The

forth Section holds the conclusions of our paper.

2 Existing solutions

We start by investigating solutions related to e-bankingauthentication. Then we give a brief overview on phish-

ing, pharming, DoS and MitB attack. These attacks arerelevant as none of the solutions that we analyse in theforthcoming section is completely resilient to such at-

tacks in the sense that an adversary may compromiseat least in part a legitimate session.

2.1 E-Banking authentication

The main security objective of e-banking providers is

authentication, that’s why in most cases e-banking ap-plications don’t offer a dedicated anti-phishing solution.But they tend to educate the user [6] about what infor-

mation to keep private from any site, for example PINcodes. For phishing alone, there are a few banks thatuse third party anti-phishing applications like Verifica-

tionEngine from Comodo [39].

In order to assure authentication, solutions are usu-ally divided in two categories [19]: short-time passwords

and certificate based solutions. Short-time passwordsare using scratch lists or one time passwords generatedby tokens. The use of scratch lists is insecure because of-

ten the client stores these lists on his PC making the listvulnerable to anybody that gains access to his PC. Toovercome this problem, banks have started to issue to-

kens that are either time-synchronized with the bank or

A Survey on Security Solutions of Top e-Banking Providers from an Eastern European Market 3

Name Share Headquarter and miscellaneous info Founded1 BCR 20.12% Bucharest, Romania (majority (61%) aquired by Erste

Bank in 2006 Vienna, Austria)1990

2 BRD 13.57% Bucharest, Romania (majority (59%) held by Societe Gen-erale Paris, France)

1923

3 Transilvania Bank 7.27% Cluj-Napoca, Romania 19934 CEC Bank 6.99% Bucharest, Romania (Romanian national bank) 18655 Raiffeisen Bank 6.69% Vienna, Austria 19276 UniCredit Tiriac Bank 6.31% Bucharest, Romania (part of Unicredit (Rome, Italy), fu-

sioned with HVB bank Munich, Germany)1991

7 Alpha Bank 4.67% Athens, Greece 18798 ING 4.04% Amsterdam, Netherlands 19919 Bancpost Romania 3.47% Bucharest, Romania 199110 CitiBank 1.62% New York, USA 181211 Millennium Bank 0.59% Athens, Greece 200012 ProCredit Bank 0.32% Frankfurt, Germany 1998

Table 1 Studied Banks: headquarters, history and market-share (as reported on 18.02.2012 by Hostiuc [20])

they use a challenge-response mechanism. The main is-

sue with all these devices is that almost always they relyon security-by-obscurity, which is not a recommendedpractice. Even if this method is more secure than the

previous one, it is still susceptible to active eavesdrop-ping attacks like Man-In-The-Middle (MITM) if the ad-versary places itself between the client and the bank

server. This type of eavesdropping can be avoided ifSSL/TLS is used, but the adversary can use social en-gineering attacks (phishing/pharming) to remove the

SSL encryption between the bank and the client. Cer-tificate based solutions require the bank to make useof the PKI to create a second factor of authentication

together with user-name/passwords, PIN numbers orsecurity questions. In this case the client receives a cer-tificate that is stored on a smart card or a tamper proof

USB stick. But one must avoid a solution that is toodifficult for the client to use since, as shown in severalresearch papers, in this case the solution will fail to

meet its purpose. Thus making a correct trade-off be-tween the actual security, user’s perception on securityand the usability of solution is a difficult task [17], [21],

[28], [38].But the gap between usability and security isstill an open issue in e-banking security as clearly notedin [25]. More, even well-established solutions such as

SSL/TLS are not always correctly used [18] and users’perceptions over security are oftenly wrong, especiallyin the case of novice users [12]. Thus relying on users’

choice while unavoidable it is not the best option.

An excellent hierarchy of e-banking authenticationtechniques is presented in [19]. The solutions are di-vided between the following categories:

– Solutions that are not resistant to malicious soft-ware attacks, these solutions are based on: no se-curity (level 0), static passwords (level 1), digital

certificates (level 2),

– Solutions that are not resistant to social engineer-

ing, these solutions use: one-time passwords (level3),

– Solutions that are resistant to social engineering,

these solutions require: short-time passwords basedon timers (level 4), short-time passwords based onchallenges (level 5), SSL/TLS authentication with

hard token PKI (level 6), and transaction signingon trusted platforms (level 7).

Also, according to [19], the e-banking solutions thathave a security level smaller than 5 are considered to beinsecure against off-line credential stealing attacks, only

two from the analysed banks have a security level equalto 5. All e-banking applications that have a securitylevel smaller than 6 are considered to be insecure to on-

line attacks, none of the analysed banks has a securitylevel greater than 5.

2.2 Phishing, pharming, DoS and MitB

Usually software based solutions are employed againstphishing, requiring a program or a browser plugin tobe installed so that the user is warned when he tries

to access a site that is suspicious of being a phishingsite. A common taxonomy, also employed in [7], is todivide these solutions in two categories: list-based and

heuristic-based.

The list-based solutions use either black-lists (only

the sites from the list are blocked) or white-lists (onlythe sites from the lists are allowed) to block the userfrom accessing a phishing site. These solutions are very

popular among web browsers. Still, this approach relieson the completeness of different sources, like PhishThank(http://www.phishtank.com/), and thus it cannot be

always effective because it takes some time for a phish-


ing site to be added on a list. In practice, most of the

phishing sites get disabled before they are even addedto a list [27]. Also this type of protection cannot detecttargeted attacks.

To improve on this, heuristic-based solutions try tofind different patterns of phishing in a site. These pat-terns can be found in the URL of the page, in the HTML

or JavaScript code, or in the embedded content.In [29]a solution based on webpage anomalies is proposed.These anomalies are found based on an identity of the

webpage that it is extracted from its Document ObjectModel (DOM). A solution based on the information ex-tracted from the HTML code and from the URL of the

page is presented in [24]. A heuristic solution, basedonly on URL patterns, is proposed in [13].

Usually, all data used by the heuristics is based onthe text that it is contained on the webpage, but most ofthe phishing sites use images. To overcome this problem

Dunlop et el. [7] propose a similar solution that usesOptical Character Recognition (OCR) to convert theimages from the page into text that is further used as

heuristic.

Regarding e-banking phishing websites detection,in [1], a solution based on fuzzy data mining is pro-

posed, the solution uses the URL and the domain keysfor phishing identification. Data mining is also used byWei et al. [35] to identify patterns of fraudulent behav-

ior in online banking applications. The solution pre-sented in [23] tries to solve the phishing problem byachieving a stronger authentication through the usage

of the TPM (trusted platform module). Even if the ad-versary obtains personal information from the victimthrough phishing, it doesn’t have the required hardware

for a successful authentication.

In order to alleviate the damage of a successful phish-

ing attack, a solution based on trusted email servers,which only works for soft products, is proposed in [2].Anyhow, the solution fails if the user’s email (used for

registration on the trusted mail server) is compromisedand email accounts are known to be increasingly vul-nerable due to weak password choices, poor secret ques-

tions, etc.

Most of these solutions are hard to deploy becausethere is a need of changing the existing infrastructure or

they are based on URLs failing, thus, against a pharm-ing attack.

Regarding pharming attacks,In [15] a solution basedon a DNS request to a third party DNS server is sug-gested. If the response is not identical to the one of-

fered by the normal DNS, a page analysis is conductedbased on the HTML content of the page. This solutionis not effective if the adversary can determine the user

to connect through a proxy that the adversary controls

because in this way the third party DNS request can be

redirected to the rogue DNS server.

DoS attacks are commonly reported against vari-

ous servers, including e-banking servers. A recent reportconfirms a DDoS attack that forced a Dutch bank togo offline [4]. Because DDoS/DoS attack against bank

servers are real threats, these servers must be resilientto DoS attacks. Man-in-the-Browser (MitB) is an ad-vanced form of attacks that are very hard to detect,

because the adversary can hijack a genuine user sessionand the user’s machine [8] making device identificationinefficient against such an attack. MitB attacks are de-

ployed by using Trojans. This Trojans come in form ofbrowser extension, and a review of existing Trojans forInternet Explorer and Firefox is presented in [34].

In order to prevent such attacks user awareness isvery important, a model of assuring user awareness is

presented in [22]. Besides this there are also severaltools for MitB attacks mitigation [16]. Also, researchhas focused on MitB prevention, leading to some inter-

esting solution. Stahlberg instructs the banks to iden-tify a MitB attack by analysing users’ behavior in thecontext of e-banking applications [32]. A cost-efficient

solution against MitB attacks, called ZTIC, is intro-duced by Weigold et al. [37]. The solution is based ona USB device with a display; the device is responsible

for the authentication and encryption of all the criticalinformation, the PC deals only with IP packets trans-mission and reception.

3 Overview of the security solutions

We now survey the security of the top e-banking providersfrom the Romanian market. According to [5], 27% of

the Romanian Internet users haven’t heard of phishing.Possibly, that’s why Romania was the second issuer ofcredit cards that were used to commit electronic fraud

in 2010, with 17% of all the issued credit cards thatwere fraudulently used worldwide [10]. Also, 32% of allthe electronic fraud in 2010 had originated from Roma-

nia [10], being the number one source country for thiskind of fraud.

The authentication mechanism together with thetransaction authorization (the process of allowing a banktransfer from the user’s account to another account) is

summarized in Table 2. As general notations we useU for the user, B for the bank website, Adv for theadversary and Signtoken for a signature done with the

token. We note that Signtoken does not refer to a digi-tal signature in the common sense of cryptography, anddenotes a tag that is computed with the password cal-

culator. We used the word Signtoken as these tags are


commonly referred as signatures in the technical docu-

mentations of the tokens. Notations from Table 2 canbe summarized as follows:

– user-name or passwords: userB/userU which is theuser-name as given by the bank or chosen by theuser, passwordtoken is a 6 digit password obtained

from the Vasco digipass (http://www.vasco.com/),protected by a PIN code, while passwordB/passwordUrepresents a password given by the bank or chosen

by the user;– personal information: iban4

R which represents thelast 4 digits of the receiver’s iban (the bank account

number), amntR is the amount of money for the re-ceiver, cnp2U are two random digits from the user’spersonal number, pass13U /pass23U are three random

characters from the 1st/2nd user defined password;– process data: authorizeU which represents an user

initiated authorization request for a transaction, nonceUis the nonce created by the bank for the user’s au-thorization request, Signtoken(x) is the digital signa-ture on input x using the digipass - 8 digits long, t

represents the time, cnt is the counter used by thedigipass to generate unique passwords, authcodeSMS

B

is the user initiated transaction authentication code

sent by the bank via SMS, authcodePCB is the au-

thentication code for the user’s transaction sent viaPC, certU represents the user’s client certificate signed

by the bank.

3.1 Mechanisms and Vulnerabilities

For the security analysis that follows we discuss vari-ous attacks: stolen credentials, channel break and con-

tent manipulation. These three scenarios are relevantas the first one corresponds to the case in which theuser credential are stolen (e.g., by some malware on its

computer), the second to the case of a regular phishingsite in which the adversary has access to the commu-nication channel (e.g., an insecure certificate) and the

third one in which the input of the user can be modi-fied (e.g, a MitB attack). Under these three attacks weanalyse whether an adversary can successfully login or

even perform an authorization.

1. BCR Erste Bank: uses a one-time password calcula-tor based on a time-stamp. An active eavesdropper

can monitor the connection between the user andthe bank’s server during an authentication attempt,from the user and capture the token generated pass-

word, but this can be used only for a brief periodof time later (for all banks that we analysed thelife-time of the password was around 30 seconds).

A phishing site that replicates the BCR home page

can work for this purpose and an adversary may gain

access to the user’s financial situation. To authorizea false transaction it is not very feasible since theadversary must either create an account that has

the same last 4 characters from the iban as the onethat is used as a destination by the user. However aMitB will be successful since the adversary can ma-

nipulate the last 4 characters from the destinationiban. In both ways the adversary can only success-fully authorize the amount of money the user wants

to transfer, because this is signed by the user.2. BRD Bank - Groupe Societe Generale: The on-line

system of BRD Bank has one of the simplest and

most insecure authentication/authorization mecha-nisms which is based only on a user defined pass-word and user-name chosen by the bank. The pass-

word characters must be entered in a virtual key-board. Both the user-name and the password can becaptured easily by a phishing site, and then reused

to get inside the on-line account and to authorizetransactions. In particular this mechanism is vul-nerable to any of the three attacks.

3. Transilvania Bank: has three types of authentica-

tion. The first type uses a digital certificate installedin the browser, a user-name set by the bank andpassword chosen by the user. For the authentication

process the password is introduced via a virtual key-board. After the process is completed, the user canview its account status and make transfers. Because

the client certificate request can be made on-line,a two stage attack is feasible. First, the adversaryacts as a passive eavesdropper to capture the in-

formation needed to create such a request, i.e., thePIN of the client. Second, he makes a request us-ing the client’s PIN to obtain the client’s certificate

for himself. Once the adversary has all the creden-tials and the client certificate he can authenticate tothe user’s account and authorize transactions in its

own interest. Indeed, in a third stage the adversary(acting as the banking server, e.g., via a pharmingattack) can send the acquired certificate to the client

misleading him to believe that he is the only ownerof this certificate. The e-banking solution offered byTransilvania Bank is annoying to many users be-

cause of the need to install digital certificates inthe browser. Beside this, the application needs toconnect to another port than 80, which is used for

HTTP, making it unusable for employees of somecompanies that use firewalls.The second method of authentication is by using a

code sent by the bank to the client via SMS. Theadversary can capture the code sent by the bank us-ing a phishing web site but it has a limited life time


Bank Authentication Transaction authorization

BCR Erste Bank 1. U → B : userB , passwordtoken(t)1. U → B : authorizeU2. B → U : iban4

R, amntR3. U → B : Signtoken(iban4

R, amntR, t)BRD Bank - GSG 1. U → B : userB , passwordU not required

Transilvania Bank

1a. U → B : userB , passwordU , certU or

1ab. U → B : authorizeU , passwordU or1b. UHTTPS−−−−−−→ B : userB , passwordU

2b. BGSM−−−−→ U : authcodeSMS

B

3b. UHTTPS−−−−−−→ B : authcodePC

B or1c. U → B : userB , passwordtoken(t) 1c. U → B : authorizeU , passwordtoken(t)

CEC Bank 1. U → B : userB , passwordtoken(t) 1. U → B : authorizeU , passwordtoken(t)

Raffeisen Bank 1. U → B : userU , passwordtoken(cnt)1. U → B : authorizeU2. B → U : iban4

R, amntR3. U → B : Signtoken(iban4

R, amntR, t)UniCredit Tiriac Bank 1. U → B : userB , passwordtoken(t) 1. U → B : authorizeU , passwordtoken(t)Alpha Bank 1. U → B : userB , passwordU , certU not required

ING Bank 1. U → B : userB , passwordtoken(t)1. U → B : authorizeU2. B → U : nonceU3. U → B : Signtoken(nonceU )

Bancpost Bank

1. U → B : userB , passwordU

not required

2a. B → U : nonceU3a. U → B : Signtoken(nonceU ) or2b. U → B : passwordtoken(t) or

2c. BGSM−−−−→ U : authcodeSMS

B

3c. UHTTPS−−−−−−→ B : authcodePC

B

CitiBank 1. U → B : userU , passwordU , questionU

1’. UHTTPS−−−−−−→ B : addR

2’. BGSM−−−−→ U : authcodeSMS

B

3’. UHTTPS−−−−−−→ B : authcodePC

B

1. UHTTPS−−−−−−→ B : authorizeU , passwordU

Millennium Bank 1. U → B : userB , passwordU , cnp2U

1a. U → B : authorizeU , pass13U |pass23U or

1b. UHTTPS−−−−−−→ B : authorizeU

2b BGSM−−−−→ U : authcodeSMS

B

3b. UHTTPS−−−−−−→ B : authcodePC

B

ProCredit Bank 1. U → B : userU , passwordU , passwordtoken(t) 1.U → B :authorizeU , passwordU , passwordtoken(t)

Table 2 Authentication and transaction authorization for the Romanian banks (providers are in the order of market shares)

(around 30 seconds). To authorize money transfers,in the first and second case, the user only needs to

enter his password which can be captured by theadversary through social engineering.The third method of authentication is a stronger

one, requiring a token generated code, like in thecase of BCR. For the authorization the bank re-quires also a code from the token, if this code is

captured by the adversary, it can be used to autho-rize any transaction regardless of the amount, butthe code has only a limited life time (≈ 30 sec.), and

can be used only once. While credential stolen is in-effective, a channel break or content manipulationwill succeed against this service, thus the solution is

not resilient against MitB attacks.4. CEC Bank: Being one of the most emerging banks

on the Romanian market, CEC uses a token au-

thentication/authorization mechanism which is sim-

ilar with the third solution from Transilvania Bank,having the same vulnerabilities.

5. Raiffeisen Bank: For the authentication mechanismRaiffeisen uses the same authentication scheme asCEC Bank, but a counter is used instead of a time

stamp for the password generation process. Thispassword, if it is captured, can be used at any pointin time by the adversary (note that there is no time-

stamp associated with this password). For the caseof transaction authorization they use the same methodas the one from BCR Bank, exposing the same secu-

rity risks as from the other bank. We also note thatthe on-line application of Raiffeisen Bank doesn’tuse obfuscated JavaScript code and contains a lot

of commented code which can contain useful indi-cations for an adversary.

6. UniCredit Tiriac Bank: Here the same authentica-

tion mechanism as for BCR is used. For the transac-tion authorization process, the same method as the


one from CEC is used thus the same vulnerabilities

are inherited.7. Alpha Bank: The e-banking application of Alpha

Bank uses a certificate based authentication mecha-

nism which is similar with the one from TransilvaniaBank, exposing the same security risks and has alsothe same usability problems. Regarding transactions

Alpha doesn’t use any authorization mechanism.8. ING Bank: In the case of ING Bank the authentica-

tion mechanism is the same as for BCR, having the

same vulnerabilities. For a transaction authoriza-tion, the adversary must wait until the user wantsto authorize a transfer of his own and then change

the value of the nonce with the one needed by him.9. Bancpost Bank: In this case the authentication is

done in two steps. First, the user needs to enter

a user-name provided by the bank and its chosenpassword. In the second step, the user can choosewhat type of authentication he wants. The possible

types of authentication are: challenge-response to-ken authentication, token generated code, or codesent by the bank via SMS. In all three cases even ifthe adversary captures a valid authentication code,

it can used only once in a limited time interval. But,this code is required only once during a session, soan adversary can authorize transfers once authenti-

cated.10. CitiBank: has a simple authentication mechanism,

based on user chosen password and user-name, and

an answer to a random chosen question (questionU )from a list of 8 standard questions. All this infor-mation can be easily captured using a phishing site.

The user’s password is used also for transactionsauthorization, but transactions can be made onlyto predefined bank accounts. In order to define a

bank account (addR) the user must validate it byentering a code sent by the bank via SMS. By usinga MitB attack the bank account can be modified by

the adversary, but this can be noticed by a carefuluser.

11. Millennium Bank: The Internet banking applica-

tion of Millennium Bank uses personal informationabout the user to authenticate him or to authorizea money transfer. But this information can be cap-

tured using a phishing site and used by the adver-sary afterwards to authenticate and authorize itsown transactions. For the SMS based authorization

the adversary must act as an active eavesdropper,between the user and the bank, at the moment whenthe user wants to authorize a transaction. The ad-

versary needs to change the transaction informationin its own interest and then use a phishing web siteto capture the code from the client.

4 1 4 4 4 4 2 4 5 1 1 40

5

10

15

20

25

Banks comparison

Market Share [%]

Security Level

Fig. 2 Comparison between the market share and the au-thentication security level

12. ProCredit Bank: This bank uses for authentication,

besides user chosen password and user-name, a to-ken generated code. Even if this information is cap-tured by an adversary, the code generated by the

token can be used only in a very small time inter-val, before it expires. For transactions authorizationthe user’s password is required and a new code gen-

erated by the token. Content manipulation attacks,such as MitB, will succeed against this solution.

3.2 A hierarchy of security levels

Figure 1 presents a hierarchy of the security of authenti-cation and transaction authorization mechanisms of thee-banking applications. The hierarchy used in Figure 1

is based on the security levels defined in [19].

Note however that their placement in the taxon-

omy for authentication and transaction authorizationis not always similar. For example, in the case of trans-action authorization, ING uses a challenge response

mechanism to authenticate transactions. Although thisis challenge based and not timer based as in the caseof BCR and Raiffeissen this is less secure because the

amount of money and iban account are not signed, mak-ing it possible for an adversary to change these values.Because of this, we downgraded the security from ING

to level 4 and upgraded the security level of BCR andRaiffeisen to level 5.

As a partial conclusion to our survey, we present achart (Figure 2) with a comparison between the Roma-

nian market share of the banks, as of 2012 [20], andthe security level of the e-banking applications againstfraudulent money transfer. We need to mention, that

the security of e-banking applications has evolved since2012, and that banks haven’t made public the figuresregarding the electronic fraud on their systems, rein-

forcing the idea that they rely on security-by-obscurity.


Fig. 1 Possible security [S] and usability [U] hierarchy of authentication/authorization mechanism in e-banking

3.3 A hierarchy of usability

First we enumerate some attributes of the devices in

Table 3. For each of the bank we outline if the au-thentication device (absent in case of passwords anddenoted by ”*”) offers input or output and rank it for

cost and convenience. We consider that mobile phonesare more expensive than hard tokens while passwordsare the cheapest. Also, passwords offer the highest con-

venience followed by phones which are frequently car-ried by users, hard tokens have lower convenience sincethey are an additional device that has to be taken by

the user. Hard token based solutions that use more thanone input are even less usable. The certificate based so-lution is the least usable since all clients in our usability

study rejected this solution.

A hierarchy of usability, which not surprisingly is al-most the upside-down security, is suggested in Figure 1.

Besides building a hierarchy of usability, we alsomade a user study that involved more than 100 indi-viduals. The group was balanced around gender 55%

males and 45% females at age between mostly between18 and 40. The results are presented in Figures 4 and 5.

We roughly separated between questions that ad-dress attack awareness and security versus usability.The results showed that the large majority of the in-

dividuals does not open messages that are marked asspam. Also half of the individuals are aware of whatsecurity indicators in a browser are and will not accept

certificates that are not signed by trusted providers.We believe these results are fine but they are not thebest possible since they clearly show there are lots of

individuals that do not know what phishing or signed


certificates are. On the brighter side, it seems that the

large majority of users are concerned more about secu-rity than usability and prefers hard tokens or at leasta confirmation over the mobile phone which is more se-

cure than simple passwords. This confirms the fact thatignoring security in e-banking applications is a criticalshortcoming [9] since it represents a major concern for

most of the customers. It is our opinion that passwordscan be secure enough for users that are aware of whata trusted site is and use only clean computers to estab-

lish connections. The large majority of users from ourstudy were Windows based and kept antivirus softwarethat was up to date.

Also, we considered the response time of the sitesas part of our usability study. The main reason behindthis is that individuals usually have accounts from more

than one provider and they can be tempted to drop onsites that work inappropriately. As can be seen in Fig-ure 3, the response times are the same with low peaks

at lunch time and after work due to an obvious in-crease in the response traffic. Only CitiBank had a sig-nificantly slower response time which is visible to theuser but shouldn’t be troublesome. The measurements

were done by using a script that ran for 24 hours, wedid these over several days and the results were similar.

4 Discussion and conclusions

We further tried to find a potential correlation betweenthe security level and the financial profit of the providerbut we couldn’t find any. One assumption would be that

banks with higher security levels will have the high-est profits, but BRD (controlled by Societe GeneraleFrance) has the highest profit for 2011 (472 million

lei) at the weakest security level - a simple passwordof at least 6 digits. Another assumption would be thatbanks with low security levels will have a decrease in

the profit, indeed BRD is declining in the last 3 years,but Transilvania Bank, with a security level of just 2(a simple certificate in the browser and a password)

is increasing. On the other hand, BCR (controlled byERSTE bank Austria) with one of the highest secu-rity levels (password token) has a loss of 327 million lei

(indeed, this could be part of bank strategy since itsmarket share increased with more than 1% during thesame financial losses). But even if we considered the

market share we couldn’t find any notable correlationwith the security level. In fact, Banc Post which hasthe highest security level on our study appears to be

in continuous decline for the last 3 years both in termsof market share and income. This will not hold for thebanks that follow as security level, ING and Raiffeisen,

which were in a continuous increase both as market

0

0.2

0.4

0.6

0.8

1

1.2

raiffeisen dif

ing dif

aplha dif

millenium dif

brd dif

bcr dif

unicredit dif

cec dif

transilvania dif

bancpost dif

procredit dif

citibank dif

Fig. 3 SSL connection response time

share and income for the last 3 years. Thus, the secu-rity level appears to be no predictor for income or mar-

ket share of a bank. We could not even conclude thatbanks with an increasing revenue will invest more ontheir security since BRD, which has the highest income

in 2011 didn’t change its security (a simple password)for at least 5 years (indeed however its market sharedeclined from 14% to 13.57% in the last three years).

Indeed, security was previously shown to be a criticalfactor for the success of e-banking, e.g., [31]. Our con-clusion does not contradict this since the answers from

our scrutiny confirm as well that the large majority ofusers are concerned with security, notably even beforeusability. However, we believe that the explanation for

the increased market share of banks that provide onlyweak security is a consequence of both poor user aware-ness on the security level (a conclusion supported by

the fact that the majority of users do not have a propertechnical education) and of the bank’s publicity com-plement by various incentives that it offers. Indeed, a

complete answer to this question may be offered by fu-ture research.

The provided analysis of the top e-banking providersfrom the Romanian market showed that the solutions

used by them are technically sparse: from simple pass-words chosen by users to more advanced one-time pass-word calculators or digital certificates. These solutions

are vulnerable in part or entirely to phishing/pharmingattacks which become more dangerous when correlatedto DoS/DDoS attacks. To improve resilience against

such attacks we recommend a mixed solution in whichsmart cards are used for mutual authentication betweenthe user and the website. As a general policy, increasing

the number of authentication factors, as long as the so-lution does not become too complex, is convenient. Forthis purpose, using handy devices, such as smart-cards

and mobile phones, to authenticate a website, can proveto be an easy to use and efficient solution in the nearbyfuture. At present time, the employed solutions are not

completely secure against modern attacks.


Raiff

eisen

Bank

ING

AlphaBank

Millennium

Bank

BRD

BCR

UniC

redit

TiriacBank

CEC

Bank

Tra

nsilvania

Bank

Bancpost

Romania

Pro

Credit

Romania

CitiB

ankRomania

Input Y Y * N * Y Y Y Y Y Y *Output Y Y * Y * Y Y Y Y Y Y *Cost Medium Medium Low High Low Medium Medium Medium Low Medium Medium LowConvenience Low Low Low Medium High Medium Medium Medium Low Medium Low High

Table 3 Attributes of the authentication solutions: input, output, convenience and cost

Acknowledgment

This work is partially supported by the strategic grantPOSDRU/88/1.5/S/50783, Project ID50783 (2009) andPOSDRU/21/1.5/G/13798, co-financed by the Euro-

pean Social Fund Investing in People, within the Sec-toral Operational Program Human Resources Develop-ment 2007/2013 and by national research grant CNCSIS-

UEFISCDI project number PNII-IDEI 940/2008.

References

1. Aburrous, M., Hossain, M., Dahal, K., Thab-tah, F.: Intelligent phishing detection systemfor e-banking using fuzzy data mining. ExpertSystems with Applications 37(12), 7913 – 7921(2010). DOI 10.1016/j.eswa.2010.04.044. URLhttp://www.sciencedirect.com/science/article/pii/S0957417410003441

2. Alfuraih, S., Sui (Alsawi), N., McLeod, D.: Us-ing trusted email to prevent credit card frauds inmultimedia products. World Wide Web 5, 245–256 (2002). DOI 10.1023/A:1020940830716. URLhttp://dx.doi.org/10.1023/A:A1020940830716

3. APWG: Phishing activity trends re-port @Antiphishing (2012). URLhttp://www.antiphishing.org/reports/apwg trends reporth2 2011.pdf. Accessed: 25/04/2013

4. Bakker, J.: Ddos attack forces dutchbank offline @CSO Online (2011). URLhttp://www.csoonline.com/article/668169/ddos-attack-forces-dutch-bank-offline. Accessed: 25/04/2013

5. BitDefender: 27% of romanian internet users haven’theard of phishing @bitdefender (2011). URLhttp://www.bitdefender.ro/NW2110-ro–27-dintre-utilizatorii-de-internet-nu-au-auzit-de-phishing.html.Accessed: 25/04/2013

6. CECBank: Personal protection for accessing internetbanking at cec bank @CEC bank (2008). URLhttps://www.ceconline.ro/smartoffice/docs/RO/ SECU-RITY.pdf. Accessed: 25/04/2013

7. Dunlop, M., Groat, S., Shelly, D.: Goldphish: Usingimages for content-based phishing analysis. In: Pro-ceedings of the 2010 Fifth International Conference onInternet Monitoring and Protection, ICIMP ’10, pp.123–128. IEEE Computer Society, Washington, DC,

USA (2010). DOI 10.1109/ICIMP.2010.24. URLhttp://dx.doi.org/10.1109/ICIMP.2010.24

8. Eisen, O.: Catching the fraudulent man-in-the-middleand man-in-the-browser. Network Security 2010(4),11 – 12 (2010). DOI 10.1016/S1353-4858(10)70046-5.URL http://www.sciencedirect.com/science/article/pii/S1353485810700465

9. Enos, L.: Report: Critical errors in onlinebanking @Ecommerce Times (2011). URLhttp://www.ecommercetimes.com/story/8867.html.Accessed: 25/04/2013

10. Epayment: Rates of attempted online payment frauddecreased by 50% in 2010 @epayment (2011). URLhttp://www.epayment.ro/noutati/tentative-fraude-online-2010.html. Accessed: 01/08/2011

11. FFA: Fraud - the facts 2012 @Finan-cial Fraud Auction UK (2012). URLhttp://www.financialfraudaction.org.uk/Publications/#/1/. Accessed: 25/04/2013

12. Furnell, S., Tsaganidi, V., Phippen, A.: Se-curity beliefs and barriers for novice internetusers. Computers & Security 27(78), 235 – 240(2008). DOI 10.1016/j.cose.2008.01.001. URLhttp://www.sciencedirect.com/science/article/pii/S0167404808000370

13. Garera, S., Provos, N., Chew, M., Rubin, A.D.: A frame-work for detection and measurement of phishing attacks.In: Proceedings of the 2007 ACM workshop on Recur-ring malcode, WORM ’07, pp. 1–8. ACM, New York,NY, USA (2007). DOI 10.1145/1314389.1314391. URLhttp://doi.acm.org/10.1145/1314389.1314391

14. Garfinkel, S.L.: Aohell @The Boston Globe (1995). URLhttp://catless.ncl.ac.uk/Risks/17.10.html#subj3. Ac-cessed: 25/04/2013

15. Gastellier-Prevost, S., Granadillo, G., Laurent, M.: Adual approach to detect pharming attacks at the client-side. In: New Technologies, Mobility and Security(NTMS), 2011 4th IFIP International Conference on, pp.1 –5 (2011). DOI 10.1109/NTMS.2011.5721063

16. Guhring, P.: Concepts against man-in-the-browser attacks (2006). URLhttp://www.cacert.at/svn/sourcerer/CAcert/ Se-cureClient.pdf. Accessed: 25/04/2013

17. Gunson, N., Marshall, D., Morton, H., Jack, M.:User perceptions of security and usability of single-factor and two-factor authentication in automatedtelephone banking. Computers &; Security 30(4),208 – 220 (2011). DOI 10.1016/j.cose.2010.12.001.URL http://www.sciencedirect.com/science/article/pii/S0167404810001148


18. Herzberg, A.: Why johnny can’t surf (safely)? attacksand defenses for web users. Computers & Security28(12), 63 – 71 (2009). DOI 10.1016/j.cose.2008.09.007.URL http://www.sciencedirect.com/science/article/pii/S0167404808000916

19. Hiltgen, A., Kramp, T., Weigold, T.: Secure internetbanking authentication. IEEE Security and Privacy4(2), 21–29 (2006). DOI 10.1109/MSP.2006.50. URLhttp://dx.doi.org/10.1109/MSP.2006.50

20. Hostiuc, C.: Top banks in 2011 @Ziarul Financiar (2012).URL http://www.zf.ro/banci-si-asigurari/topul-integral-al-bancilor-pe-2011-ce-active-detin-si-ce-profit-pierdere-au-avut-9241764. Accessed: 25/04/2013

21. Kim, C., Tao, W., Shin, N., Kim, K.S.: An em-pirical study of customers perceptions of securityand trust in e-payment systems. Electronic Com-merce Research and Applications 9(1), 84 – 95(2010). DOI 10.1016/j.elerap.2009.04.014. URLhttp://www.sciencedirect.com/science/article/pii/S1567422309000283. Special Issue: Social Networks andWeb 2.0

22. Kritzinger, E., von Solms, S.: Cyber security forhome users: A new way of protection through aware-ness enforcement. Computers & Security 29(8),840 – 847 (2010). DOI 10.1016/j.cose.2010.08.001.URL http://www.sciencedirect.com/science/article/pii/S0167404810000775

23. Latze, C., Ultes-Nitsche, U.: Stronger authentication in e-commerce: how to protect even naive user against phish-ing, pharming, and mitm attacks. In: Proceedings ofthe IASTED International Conference on Communica-tion Systems, Networks, and Applications, CSNA ’07, pp.111–116. ACTA Press, Anaheim, CA, USA (2007). URLhttp://dl.acm.org/citation.cfm?id=1650270.1650294

24. Ludl, C., Mcallister, S., Kirda, E., Kruegel, C.: On the ef-fectiveness of techniques to detect phishing sites. In: Pro-ceedings of the 4th international conference on Detectionof Intrusions and Malware, and Vulnerability Assessment,DIMVA ’07, pp. 20–39. Springer-Verlag, Berlin, Heidel-berg (2007). DOI 10.1007/978-3-540-73614-1 2. URLhttp://dx.doi.org/10.1007/978-3-540-73614-1 2

25. Mannan, M., van Oorschot, P.C.: Security and us-ability: the gap in real-world online banking. In:Proceedings of the 2007 Workshop on New SecurityParadigms, NSPW ’07, pp. 1–14. ACM, New York,NY, USA (2008). DOI 10.1145/1600176.1600178. URLhttp://doi.acm.org/10.1145/1600176.1600178

26. McCall, T.: Gartner survey shows phishing at-tacks escalated in 2007; more than $3 billionlost to these attacks @Gartner (2007). URLhttp://www.gartner.com/it/page.jsp?id=565125. Ac-cessed: 25/04/2013

27. Moore, T., Clayton, R.: The impact of incentives on no-tice and take-down. In: In proceedings of the 7th Work-shop on Economics of Information Security, pp. 1 – 24(2008)

28. Murdoch, S.J., Anderson, R.: Verified by visa and mas-tercard securecode: or, how not to design authentica-tion. In: Proceedings of the 14th international con-ference on Financial Cryptography and Data Security,FC’10, pp. 336–342. Springer-Verlag, Berlin, Heidel-berg (2010). DOI 10.1007/978-3-642-14577-3 27. URLhttp://dx.doi.org/10.1007/978-3-642-14577-3 27

29. Pan, Y., Ding, X.: Anomaly based web phishing pagedetection. In: Proceedings of the 22nd Annual Com-puter Security Applications Conference, ACSAC ’06,pp. 381–392. IEEE Computer Society, Washington, DC,

USA (2006). DOI 10.1109/ACSAC.2006.13. URLhttp://dx.doi.org/10.1109/ACSAC.2006.13

30. Pavıa, J.M., Veres-Ferrer, E.J., Foix-Escura, G.:Credit card incidents and control systems. Inter-national Journal of Information Management pp. –(2012). DOI 10.1016/j.ijinfomgt.2012.03.003. URLhttp://www.sciencedirect.com/science/article/pii/S0268401212000436

31. Shah, M.H., Braganza, A., Morabito, V.: A surveyof critical success factors in e-banking: an organisa-tional perspective. EJIS 16(4), 511–524 (2007). URLhttp://dx.doi.org/10.1057/palgrave.ejis.3000693

32. Stahlberg, M.: The trojan money spinner. In:Proceedings of virus bulletin conference, pp. 1–7(2007). URL http://www.f-secure.com/weblog/archives/VB2007 TheTrojanMoneySpinner.pdf

33. Ureche, O., Plamondon, R.: Digital payment systems forinternet commerce: The state of the art. World Wide Web3, 1–11 (2000). DOI 10.1023/A:1019217210183. URLhttp://dx.doi.org/10.1023/A:A1019217210183

34. Utakrit, N.: A review of browser extensions, aman-in-the-browser phishing techniques target-ing bank customers. In: Proceedings of the 7thAustralian Information Security Management Con-ference, AISM ’09, pp. 110–119 (2009). URLhttp://ro.ecu.edu.au/cgi/viewcontent.cgi?article=1014&context=ism

35. Wei, W., Li, J., Cao, L., Ou, Y., Chen, J.: Effec-tive detection of sophisticated online banking fraud onextremely imbalanced data. World Wide Web pp.1–27 (2012). DOI 10.1007/s11280-012-0178-0. URLhttp://dx.doi.org/10.1007/s11280-012-0178-0

36. Weigold, T., Hiltgen, A.: Secure confirmation of sensitivetransaction data in modern internet banking services. In:Internet Security (WorldCIS), 2011 World Congress on,pp. 125 –132 (2011)

37. Weigold, T., Kramp, T., Hermann, R., Horing, F.,Buhler, P., Baentsch, M.: The zurich trusted infor-mation channel — an efficient defence against man-in-the-middle and malicious software attacks. In:Proceedings of the 1st international conference onTrusted Computing and Trust in Information Technolo-gies: Trusted Computing - Challenges and Applications,Trust ’08, pp. 75–91. Springer-Verlag, Berlin, Heidel-berg (2008). DOI 10.1007/978-3-540-68979-9 6. URLhttp://dx.doi.org/10.1007/978-3-540-68979-9 6

38. Weir, C.S., Douglas, G., Carruthers, M., Jack, M.: Userperceptions of security, convenience and usability forebanking authentication tokens. Computers & Security28(12), 47 – 62 (2009). DOI 10.1016/j.cose.2008.09.008.URL http://www.sciencedirect.com/science/article/pii/S0167404808000941

39. WindsorFederal: Online banking secu-rity anti-phishing solution from comodo@Windsor Federal Savings (2011). URLhttp://www.windsorfederal.com/online banking cvccomodo.htm. Accessed: 25/04/2013

40. Zhang, Y., Egelman, S., Cranor, L., Hong, J.: Phindingphish: Evaluating anti-phishing tools. In: In Proceedingsof the 14th Annual Network and Distributed System Se-curity Symposium (NDSS 2007), pp. 1 – 16 (2007)


Do you know what SSL/TLS is? Do you know the difference between HTTP and HTTPS?

Do you know what a phishing attack is? Do you know what a pharming attack is?

Do you know what a DoS attack is? Do you know what a Man-in-the-Browser attack is?

Do you usually open spam messages? Do you accept certificates that are not signed by a trusted authority?

Do you use antivirus software? Do you keep your antivirus updated?

Fig. 4 Attack and defence awareness questions


Do you use more than one antivirus solution? Do you use e-banking services?

What browser do you use for e-banking? What OS do you use for e-banking?

How often do you change your e-banking password? What is more important for you security or usability?

What authentication do you prefer for e-banking? Do you check security indicators in browser?

I consider that my security policy is correct. What is your education level?

Fig. 5 E-banking security/usability questions and miscellaneous questions

a survey on security solutions of top e-banking providers ...a survey on security solutions of top...

Documents