Abstract
In this project, a cost-saving CAPTCHA-based authentication application is designed to address recent online banking threats, with the focus on enabling safe online banking authentication for a security-unaware user. The two main challenges for a secure online banking system are to enable safe online banking from a compromised host and to cope with users' general disregard of security warnings. Costly hardware solutions have been proposed, but most of them are impractical for home users.
The Extended CAPTCHA Input System (ECIS) (Leung, 2009a), a low-cost, software-only solution, is proposed in this paper. Building on previous work (Leung, 2009a,b), ECIS first extends the CAPTCHA idea to defend against the Real-Time Man-In-The-Middle (RT-MITM) attack (Schneier, 2005). The technique is to require the One Time Password (OTP) to be entered through a moving CAPTCHA within a time limit, which hinders both automated relaying of the OTP by a MITM and human-assisted MITM attacks. Because the ECIS and its session secret are generated afresh for every login session, network and software attacks against ECIS are not feasible.
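The two properties the abstract relies on, a session secret that is generated per login and an OTP entry that is only accepted within a time window, can be modelled server-side. The following Python is an added illustrative example written for this page; it is not code from the paper or from the ECIS prototype. The keypad derivation (a secret-dependent permutation of ten opaque symbols standing in for the CAPTCHA), the 20-second window, the message strings, the OTP values and the `OtpServer` API are all assumptions made for the example, and the visual "moving" part of the CAPTCHA is not modelled at all.

```python
import hashlib
import hmac
import random
import secrets
from dataclasses import dataclass

# Parameters of this illustrative model; assumed values, not taken from the paper.
OTP_INPUT_WINDOW_SECONDS = 20.0
DIGITS = "0123456789"


@dataclass
class LoginSession:
    session_id: str
    session_secret: bytes   # fresh random secret, generated per login
    expected_otp: str       # value the user's OTP token is expected to show
    created_at: float       # server clock when the CAPTCHA was issued
    keypad: dict            # per-session mapping: displayed symbol -> digit
    used: bool = False      # a session accepts exactly one submission


def build_keypad(session_secret: bytes) -> dict:
    """Derive the per-session keypad layout from the session secret.

    Ten opaque symbols are shown; which symbol stands for which digit is a
    secret-dependent permutation, so a transcript of clicked symbols is
    meaningless outside the session that produced it.
    """
    seed = int.from_bytes(
        hmac.new(session_secret, b"ecis-keypad", hashlib.sha256).digest(), "big")
    rng = random.Random(seed)  # deterministic given the (random) secret
    symbols = [f"sym{v:08x}" for v in rng.sample(range(1 << 32), len(DIGITS))]
    digits = list(DIGITS)
    rng.shuffle(digits)
    return dict(zip(symbols, digits))


class OtpServer:
    def __init__(self, window: float = OTP_INPUT_WINDOW_SECONDS):
        self.window = window
        self.sessions = {}

    def start_login(self, expected_otp: str, now: float) -> LoginSession:
        secret = secrets.token_bytes(32)
        session = LoginSession(session_id=secrets.token_hex(8), session_secret=secret,
                               expected_otp=expected_otp, created_at=now,
                               keypad=build_keypad(secret))
        self.sessions[session.session_id] = session
        return session

    def verify(self, session_id: str, clicked_symbols: list, now: float):
        """Decode the clicked symbols with this session's keypad and check the OTP."""
        session = self.sessions.get(session_id)
        if session is None:
            return False, "unknown session"
        if session.used:
            return False, "session already consumed"
        session.used = True  # one attempt per session, whatever the outcome
        if now - session.created_at > self.window:
            return False, "input window expired"
        try:
            entered = "".join(session.keypad[s] for s in clicked_symbols)
        except KeyError:
            return False, "symbol does not belong to this session"
        if not hmac.compare_digest(entered, session.expected_otp):
            return False, "wrong OTP"
        return True, "accepted"


def user_clicks(session: LoginSession, otp_on_token: str) -> list:
    """What an honest browser sends: the symbols the user clicked to spell the OTP."""
    digit_to_symbol = {d: s for s, d in session.keypad.items()}
    return [digit_to_symbol[d] for d in otp_on_token]


# Constructed scenarios; the OTP "482913" is a made-up token value.
def scenario_honest(now: float = 1000.0):
    server = OtpServer()
    s = server.start_login("482913", now)
    return server.verify(s.session_id, user_clicks(s, "482913"), now + 5.0)


def scenario_delayed_relay(now: float = 1000.0):
    # Clicks captured on a compromised host and forwarded after the window.
    server = OtpServer()
    s = server.start_login("482913", now)
    clicks = user_clicks(s, "482913")
    return server.verify(s.session_id, clicks, now + OTP_INPUT_WINDOW_SECONDS + 1.0)


def scenario_cross_session_relay(now: float = 1000.0):
    # Attacker opens a login for the same account and pastes in the victim's clicks;
    # the symbols belong to the victim's keypad, so they decode to nothing.
    server = OtpServer()
    victim = server.start_login("482913", now)
    attacker = server.start_login("482913", now)
    return server.verify(attacker.session_id, user_clicks(victim, "482913"), now + 1.0)


def scenario_replay(now: float = 1000.0):
    server = OtpServer()
    s = server.start_login("482913", now)
    clicks = user_clicks(s, "482913")
    return (server.verify(s.session_id, clicks, now + 1.0),
            server.verify(s.session_id, clicks, now + 2.0))


if __name__ == "__main__":
    for fn in (scenario_honest, scenario_delayed_relay,
               scenario_cross_session_relay, scenario_replay):
        print(fn.__name__, fn())
```

What the model shows is the binding, not the whole defence: a stale relay, a relay into another session and a replay are all rejected by the per-session keypad and the single-use window, but a relay carried out inside the window still decodes correctly. Closing that residual gap is exactly what the moving CAPTCHA's human-time cost is meant to do, and the model above makes no claim about how hard that step is.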
ECIS reuses the OTP token devices that banks have already shipped at large scale, which saves a substantial amount of money. As a fully software-based solution, ECIS can also be applied to second-factor authentication over SMS and to dual-password scenarios.
The objectives of this project were to develop 1) a prototype of ECIS; 2) ECIS derivatives based on combinable authentication techniques; and 3) a security model for evaluating an authentication system. All three objectives were met.