22 research outputs found

    Outflanking and securely using the PIN/TAN-System

    The PIN/TAN system is an authentication and authorization scheme used in e-business. Like other similar schemes it is successfully attacked by criminals. After briefly classifying the various kinds of attacks, we carry out malicious-code attacks on real World Wide Web transaction systems. In doing so we find that it is really easy to outflank these systems. This is even supported by the users' behavior. We give a few simple rules of behavior to improve this situation, but their impact is limited. The providers also support the attacks by having implementation flaws in their installations. Finally we show that the PIN/TAN system is not suitable for use in highly secure applications. Comment: 7 pages; 2 figures; IEEE style; final version

    The quest to replace passwords: A framework for comparative evaluation of web authentication schemes

    We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that an ideal scheme might provide. The scope of proposals we survey is also extensive, including password management software, federated login protocols, graphical password schemes, cognitive authentication schemes, one-time passwords, hardware tokens, phone-aided schemes and biometrics. Our comprehensive approach leads to key insights about the difficulty of replacing passwords. Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide. In particular, there is a wide range from schemes offering minor security benefits beyond legacy passwords to those offering significant security benefits in return for being more costly to deploy or more difficult to use. We conclude that many academic proposals have failed to gain traction because researchers rarely consider a sufficiently wide range of real-world constraints. Beyond our analysis of current schemes, our framework provides an evaluation methodology and benchmark for future web authentication proposals. Keywords: authentication; computer security; human computer interaction; security and usability; deployability; economics; software engineering.

    Secure entity authentication

    According to Wikipedia, authentication is the act of confirming the truth of an attribute of a single piece of data claimed true by an entity. Specifically, entity authentication is the process by which an agent in a distributed system gains confidence in the identity of a communicating partner (Bellare et al.). Legacy password authentication is still the most popular; however, it suffers from many limitations, such as compromise through social engineering techniques, dictionary attacks or database leaks. To address the security concerns in legacy password-based authentication, many new authentication factors have been introduced, such as PINs (Personal Identification Numbers) delivered through out-of-band channels, human biometrics and hardware tokens. However, each of these authentication factors has its own inherent weaknesses and security limitations. For example, phishing is still effective even when out-of-band channels are used to deliver PINs. In this dissertation, three types of secure entity authentication schemes are developed to alleviate the weaknesses and limitations of existing authentication mechanisms: (1) an end-user authentication scheme based on Network Round-Trip Time (NRTT) to complement location-based authentication mechanisms; (2) an Apache Hadoop authentication mechanism based on Trusted Platform Module (TPM) technology; and (3) a web server authentication mechanism for phishing detection with a new detection factor, NRTT. In the first work, a new authentication factor based on NRTT is presented. Two research challenges (the secure measurement of NRTT and network instabilities) are addressed to show that NRTT can be used to uniquely and securely identify login locations and hence can support location-based web authentication mechanisms. The experiments and analysis show that NRTT has superior usability, deployability, security and performance properties compared to the state-of-the-art web authentication factors. In the second work, departing from the Kerberos-centric approach, an authentication framework for Hadoop that utilizes Trusted Platform Module (TPM) technology is proposed. It is shown that pushing the security down to the hardware level in conjunction with software techniques provides better protection than software-only solutions. The proposed approach provides significant security guarantees against insider threats that manipulate the execution environment without the consent of legitimate clients. Extensive experiments are conducted to validate the performance and the security properties of the proposed approach. Moreover, the correctness and the security guarantees are formally proved via Burrows-Abadi-Needham (BAN) logic. In the third work, together with a phishing victim identification algorithm, NRTT is used as a new phishing detection feature to improve the detection accuracy of existing phishing detection approaches. The state-of-the-art phishing detection methods fall into two categories: heuristics and blacklists. The experiments show that the combination of NRTT with existing heuristics can improve the overall detection accuracy while maintaining a low false positive rate. In the future, to develop a more robust and efficient phishing detection scheme, it is paramount for phishing detection approaches to carefully select the features that strike the right balance between detection accuracy and robustness in the face of potential manipulation. In addition, leveraging Deep Learning (DL) algorithms to improve the performance of phishing detection schemes could be a viable alternative to traditional machine learning algorithms (e.g., SVM, LR), especially when handling complex and large-scale datasets.
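    The abstract above does not publish the dissertation's NRTT measurement protocol, so the following is an added illustration by the editor, not the author's code, of how round-trip time can serve as a login-location factor and why network instability has to be handled. It assumes the server times a challenge/response exchange on its own clock (a remote client cannot answer before the challenge reaches it, so it can only add latency, never remove it), that several probes are taken per login, and that a per-user baseline is summarised with robust statistics (median and median absolute deviation) so one noisy probe does not dominate. All sample timings are constructed for the example.

```python
"""Added example: network round-trip time (NRTT) as a login-location factor.

Not the dissertation's own code. Design assumptions: server-side timing of a
challenge/response, several probes per login, robust per-user baseline.
"""
from dataclasses import dataclass
from statistics import median
import time


@dataclass
class Baseline:
    median_ms: float
    mad_ms: float  # median absolute deviation: robust spread estimate


def summarise(samples_ms):
    """Build a baseline from probe timings taken at enrolment.

    Median/MAD are used instead of mean/stddev so that a single stalled
    probe (the "network instability" problem) does not widen the profile.
    """
    m = median(samples_ms)
    mad = median(abs(s - m) for s in samples_ms)
    # Floor the spread so a perfectly stable link still tolerates jitter.
    return Baseline(median_ms=m, mad_ms=max(mad, 1.0))


def classify(baseline, samples_ms, k=4.0):
    """Compare a fresh login's probes against the stored baseline.

    Returns 'match', 'faster' or 'slower'. 'slower' is what a login from a
    distant network looks like; 'faster' means the client is closer to the
    server than the enrolled location, which a genuine user at the enrolled
    location cannot produce.
    """
    m = median(samples_ms)
    lo = baseline.median_ms - k * baseline.mad_ms
    hi = baseline.median_ms + k * baseline.mad_ms
    if m < lo:
        return "faster"
    if m > hi:
        return "slower"
    return "match"


def time_probe(send_challenge, await_response):
    """Time one probe on the server's clock (assumed transport callbacks).

    The client only sees the challenge after it has travelled one way, so
    the measured interval cannot be shortened by a client that is further
    away; it can only be lengthened.
    """
    t0 = time.perf_counter()
    send_challenge()
    await_response()
    return (time.perf_counter() - t0) * 1000.0


if __name__ == "__main__":
    # Constructed timings (ms) for a user enrolled from home broadband.
    enrolled = [42, 45, 41, 47, 44, 43, 46, 44]
    base = summarise(enrolled)
    print(f"baseline median={base.median_ms} ms, MAD={base.mad_ms} ms")

    # Constructed probe sets for three later logins.
    logins = {
        "same location":      [43, 48, 44, 42, 45],
        "another continent":  [180, 175, 190, 182, 178],
        "closer than enrolled": [12, 14, 11, 13, 12],
    }
    for label, probes in logins.items():
        print(f"{label:22s} -> {classify(base, probes)}")
```

A 'slower' result is ambiguous between a legitimate user on a degraded link and an attacker further away, which is why the abstract positions NRTT as a complement to other location signals rather than a stand-alone factor; an attacker who is nearer the server than the enrolled location can pad their responses to land in the window, so the 'faster' branch is the only one that is physically decisive.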

    The Ledger and Times, March 25, 1948


    Not invented here: Power and politics in public key infrastructure (PKI) institutionalisation at two global organisations.

    This dissertation explores the impact of power and politics in Public Key Infrastructure (PKI) institutionalisation. We argue that this process can be understood in power and politics terms because the infrastructure skews the control of organisational action in favour of dominant individuals and groups. Indeed, as our case studies show, shifting power balances is not only a desired outcome of PKI deployment; power also drives institutionalisation. Therefore, despite the rational goals of improving security and reducing the total cost of ownership for IT, the PKIs in our field organisations have actually been catalysts for power and politics. Although current research focuses on external technical interoperation, we believe emphasis should be on the interaction between the at once restrictive and flexible PKI technical features, organisational structures, goals of sponsors and potential user resistance. We use the Circuits of Power (CoP) framework to explain how a PKI conditions and is conditioned by power and politics. Drawing on the concepts of infrastructure and institution, we submit that PKIs are politically explosive in pluralistic, distributed global organisations because, by limiting freedom of action in favour of stability and security, they set a stage for disaffection. The resulting antipathy towards the infrastructure would not be a major concern if public key cryptography, which underpins PKI, had a centralised mechanism for enforcing the user discipline it relies on to work properly. However, since this discipline is not automatic, a PKI bereft of support from existing power arrangements faces considerable institutionalisation challenges. We assess these ideas in two case studies in London and Switzerland. In London, we explain how an oil company used its institutional structures to implement PKI as part of a desktop standard covering 105,000 employees. In Zurich and London, we give a power analysis of attempts by a global financial services firm to roll out PKI to over 70,000 users. Our dissertation makes an important contribution by showing that where PKI supporters engage in a shrewdly orchestrated campaign to knit the infrastructure with the existing institutional order, it becomes an accepted part of organisational life without much ceremony. In sum, we both fill gaps in the information security literature and extend knowledge on the efficacy of the Circuits of Power framework in conducting IS institutionalisation studies.

    Serviços de iniciação de pagamentos (Payment initiation services)

    The present thesis focuses on issues identified in the banking industry, namely the absence of a common interface for all banks, issues related to security, and the dependency on intermediaries for purchases. Several bodies are investing significantly in order to resolve these challenges. Among them, one may highlight the European Commission, which proposes the use of an Application Programming Interface (API) centralised for all e-banking services. This API was suggested through the Revised Payment Service Directive (PSD2). In this thesis, the issues identified were taken into account, and an effort was made to overcome them through the use of PSD2. The PSD2 directive was introduced by the European Commission to resolve many issues in the banking industry. We explored the PSD2 directive through a case study focused on creating a payment intermediary and incorporating it into an e-commerce website. A payment system called NearSoft Payment Provider (NPP) was implemented. It is easily integrable into a website through a set of widgets, which allow payments through a transaction request under the PSD2 directive. In addition, other features such as payment management between different accounts, purchase history visualisation, and payment security mechanisms were added. During development we were concerned with making the platform as easy as possible to expand, integrate and maintain. There was also a concern for properly documenting all the developed code. The approach taken was tested according to its usability (8 participants) and ease of integration (2 programmers/developers), producing encouraging results. However, additional tests will be needed in order to prove the validity of the proposed solution.
    
    (Portuguese abstract, translated.) This thesis focuses on widely identified problems in the banking sector: the absence of a common interface for all banks, security-related problems, and the dependency on intermediaries for making purchases. Several bodies are investing significantly in solving them. Among them is the European Commission, which, with the Revised Payment Service Directive (PSD2), proposed the use of a centralised Application Programming Interface (API) for all e-banking services. In this thesis the identified problems were taken into account and an effort was made to overcome them through the use of the PSD2 standard. The PSD2 standard was presented by the European Commission with the aim of resolving several problems in the banking sector. In this thesis PSD2 was explored through a case study focused on creating a payment intermediary and integrating it into an e-commerce site. A payment service that we named NearSoft Payment Provider was implemented; this service is easily integrable into e-commerce applications through a set of widgets that allow payments to be made through a transaction initiation request, using the PSD2 standard. Additionally, other functionality was added, such as payment management between different accounts, purchase history visualisation and payment security mechanisms. During development we took care to make the platform as easy as possible to extend, integrate and maintain; there was also a focus on properly documenting all the developed code. The developed system was evaluated for usability (with 8 participants) and ease of integration (with 2 developers); both tests produced encouraging results, but further tests will obviously be necessary to prove the validity of the solution presented.

    The Role of Archers, Slingers and Other Light-Armed Infantry in Greek Warfare From the Mycenaean Period to 362 B.C

    Abstract Not Provided

    Through Combat: 314th Infantry Regiment

    Foreword
    
    The history of our regiment has been written in this book long after the fighting ceased. It does not tell the complete story. A book many times its thickness could not do that. The story of the Falcon Regiment is written on the fields, the valleys, the hills and the forests of France and Germany with the blood of the dead and wounded, and the sweat of those who lived. The history is complete in detail and will linger on as fear in the mind of Germany and as gratitude in the heart of America forever. In deeds, not words, is the history of the 314th Infantry written. We are proud of the accomplishments of our fine regiment. It is a story of American men who gave their all that the country they called home might live. I desire to express my appreciation to each individual for the part he played in making final victory possible. Some contributions were large, some were small, but the combination makes an epic of a brave regiment of a grand division that was given an important mission to perform, and performed that mission in the highest tradition of the United States Army. May the comradeship, the self-sacrifice and the devotion to duty displayed while wearing the Cross of Lorraine never die. May your lives and the lives of those around you be richer for this experience.
    
    W.A. Robinson, Colonel, 314th Infantry, Commanding
