Quick response code secure: a cryptographically secure anti-phishing tool for QR code attacks.
Two-dimensional quick response (QR) codes can be misleading because it is difficult to differentiate a genuine QR code from a malicious one. Since the vulnerability is practically part of their design, scanning a malicious QR code can direct the user to cloned malicious sites, resulting in the disclosure of sensitive information. In order to evaluate the vulnerabilities and propose countermeasures, we demonstrate this type of attack through a simulated experiment in which a malicious QR code directs a user to a phishing site. For our experiment, we cloned Google's web page providing access to their email service (Gmail). Since the URL is masqueraded within the QR code, the unsuspecting user who opens it is directed to the malicious site. Our results proved that hackers could easily leverage QR codes as phishing attack vectors targeted at smartphone users, even bypassing web browsers' safe browsing feature. In addition, the second part of our paper presents adequate countermeasures and introduces QRCS (Quick Response Code Secure). QRCS is a universal, efficient and effective solution focusing exclusively on the authenticity of the originator and, consequently, the integrity of the QR code, by using digital signatures.
A Survey on Securing Personally Identifiable Information on Smartphones
With an ever-increasing footprint, already topping 3 billion devices, smartphones have become a huge cybersecurity concern. The portability of smartphones makes them convenient for users to access and store personally identifiable information (PII); this also makes them a popular target for hackers. This survey shares practical insights derived from analyzing 16 real-life case studies that exemplify: the vulnerabilities that leave smartphones open to cybersecurity attacks; the mechanisms and attack vectors typically used to steal PII from smartphones; the potential impact of PII breaches upon all parties involved; and recommended defenses to help prevent future PII losses. The contribution of this research is recommending proactive measures to dramatically decrease the frequency of PII loss involving smartphones.
An Examination of E-Banking Fraud Prevention and Detection in Nigerian Banks
E-banking offers a number of advantages to financial institutions, including convenience in terms of time and money. However, criminal activities in the information age have changed the way banking operations are performed, which has made e-banking an area of interest. The growth of cybercrime, particularly hacking, identity theft, phishing, Trojans, denial-of-service attacks and account takeover, has created several challenges for financial institutions, especially regarding how they protect their assets and prevent their customers from becoming victims of cyber fraud. These criminal activities have remained prevalent due to certain features of cyberspace, such as the borderless nature of the Internet and the continuous growth of computer networks. Following these identified challenges for financial institutions, this study examines e-banking fraud prevention and detection in the Nigerian banking sector, particularly the current nature, impacts, contributing factors, and prevention and detection mechanisms of e-banking fraud in Nigerian banking institutions. This study adopts mixed research methods with the aid of descriptive and inferential analysis, comprising exploratory factor analysis (EFA) and confirmatory factor analysis (CFA) for the quantitative data analysis, whilst thematic analysis was used for the qualitative data analysis. The theoretical framework was informed by Routine Activity Theory (RAT) and Fraud Management Lifecycle Theory (FMLT). The findings show that the factors contributing to the increase in e-banking fraud in Nigeria include ineffective banking operations, internal control issues, lack of customer awareness and of bank staff training and education, inadequate infrastructure, the presence of sophisticated technological tools in the hands of fraudsters, negligence of bank customers concerning their e-banking account devices, lack of compliance with banking rules and regulations, and ineffective legal procedure and law enforcement.

In addition, the enforcement of rules and regulations in relation to the prosecution of financial fraudsters has been passive in Nigeria. Moreover, the findings also show that the activities of each stage of fraud management lifecycle theory are interdependent and have a collective and considerable influence on combating e-banking fraud. The findings confirm that routine activity theory is a real-world theoretical framework when applied to e-banking fraud. Also, from the analysis of the findings, this research offers a new model for e-banking fraud prevention and detection within the Nigerian banking sector. This new model confirms that, to achieve perfect prevention and detection of e-banking fraud, there must be technological mechanisms, fraud monitoring, effective internal controls, customer complaints, whistle-blowing, surveillance mechanisms, staff and customer awareness and education, legal and judicial controls, and institutional synergy mechanisms in the banking system. Finally, the findings from the analyses of this study have some significant implications, not only for academic researchers, scholars and accounting practitioners, but also for policymakers in financial institutions and anti-fraud agencies in both the private and public sectors.
Age Verification in the 21st Century: Swiping Away Your Privacy, 23 J. Marshall J. Computer & Info. L. 363 (2005)
Today many private businesses have adopted the practice of driver's license swiping where proof of age or security issues arise. This practice has beneficial uses both for private entities, in identifying underage persons and those with fake identification, and for law enforcement. However, the problem arises when private-sector businesses do not use the information merely to identify underage customers or those with fake identification, but store the information encoded on the barcode in a computer database. No federal laws and very few state laws regulate the collection and use of this information, while the private sector is not following the basic guidelines to make people aware that their information is being collected electronically and to alert them to how it is being used. This comment argues that United States citizens have a right to privacy with regard to the information contained on their identification cards. First, the background of how personal information is stored on driver's licenses is presented, followed by a more detailed description of how swiping technology works. Next, the author examines the state and federal regulations that currently govern the practice of driver's license swiping. The Fair Information Practice Principles are also presented, together with a brief history of their application. Then all the current applications of swiping, including law enforcement and private enterprise use, are examined, and a more detailed analysis of the potential costs and benefits of scanning and data retention is given to determine whether the practice should continue to be unregulated in private enterprises. It is argued that a person should have the right to purchase something that is legal without having to exchange his or her sensitive information for the item, and that people should be aware that their information is being collected and receive notice as to how it could be used.

In conclusion, it is suggested that legislation be put in place to regulate the practice of scanning and storing patrons' personal information, since it is almost inevitable that once the practice of swiping becomes widespread among private enterprises that must check for proof of age, this information may fall into the wrong person's hands.
Identifying and combating cyber-threats in the field of online banking
This thesis was carried out in an industrial environment external to the University, as an industrial PhD. Its results have been tested, validated and implemented in the production environment of Caixabank, and have served as models for others who have followed the same ideas.
The most pressing threats against banks across the Internet are based on software tools developed by criminal groups: applications running in the web environment, either on the victim's own computer (malware) or on their mobile device through the download of rogue applications (fake apps carrying malware).
The method used in the thesis is a qualitative exploratory research approach to the problem, to the response to this problem, and to the use of preventive methods against it, such as the authentication systems in use.
This method is based on samples, events, surveys, laboratory tests, experiments and proofs of concept; in short, real data from which the thesis proposal could be deduced, using both laboratory research and grounded theory methods on data from pilot experiments conducted in real environments.
I have been researching the various aspects of e-crime, following a line of research focused on intrinsically related topics:
- The methods, means and systems of attack: malware, families of banker Trojan malware, malware use cases, Zeus as a use case.
- Fixed platforms, mobile devices and their applications as a means for malware attacks.
- Forensic methods to analyze malware and its attack infrastructure.
- Continuous improvement of customer and user authentication methods as a first line of anti-malware defense.
- Using biometrics as an innovative authentication factor.

The line investigating malware and its attack systems is intrinsically related to authentication methods and to the systems used to infect customers (executables, apps, etc.), because the main purpose of the malware is precisely to steal the data entered into the "logon" of the authentication system, in order to operate fraudulently and thus steal money from online banking customers.
Experiments on the malware allowed us to establish a new decryption method that set guidelines for combating its effects, describing its fraudulent scheme and infection operation.
I propose a general methodology to break the encryption of malware communications (keystream), extracting the system used to encrypt such communications, and a generalization of the keystream technique.
We show that this methodology can be used to respond to the threat of Zeus and finally provide lessons learned, highlighting some general principles of malware in general and of Zeus in particular, proposing Zeus Cronus, an IDS that specifically targets the Zeus malware, testing it experimentally in a production network and discussing its capabilities and effectiveness in combating the malware.
The thesis presents a progressive, interrelated research evolution between malware infection systems and authentication methods, reflected cumulatively in the research work, showing an evolution of research output and seeking progressive improvement of authentication methods, recommendations for preventing infections, a review of the main app stores for mobile financial services, and a proposal for these stores.
The most common eIDAMS (electronic identification and authentication methods) implemented in Europe and their robustness are analyzed. An adequacy analysis is presented in terms of efficiency, usability, costs, types of operations and segments, including the possibilities of using biometrics as an innovative authentication method.
Cyber-crime Science = Crime Science + Information Security
Cyber-crime Science is an emerging area of study aiming to prevent cyber-crime by combining security protection techniques from Information Security with empirical research methods used in Crime Science. Information security research has developed techniques for protecting the confidentiality, integrity, and availability of information assets, but is less strong on the empirical study of the effectiveness of these techniques. Crime Science studies the effect of crime prevention techniques empirically in the real world and proposes improvements to these techniques based on this. Combining both approaches, Cyber-crime Science transfers and further develops Information Security techniques to prevent cyber-crime, and empirically studies the effectiveness of these techniques in the real world. In this paper we review the main contributions of Crime Science as of today, illustrate its application to a typical Information Security problem, namely phishing, explore the interdisciplinary structure of Cyber-crime Science, and present an agenda for research in Cyber-crime Science in the form of a set of suggested research questions.
Phishing website detection using intelligent data mining techniques. Design and development of an intelligent association classification mining fuzzy based scheme for phishing website detection with an emphasis on E-banking.
Phishing techniques have grown not only in number but also in sophistication. Phishers have many approaches and tactics for conducting a well-designed phishing attack. The targets of phishing attacks, mainly online banking consumers and payment service providers, face substantial financial loss and a lack of trust in Internet-based services. To overcome this, there is an urgent need for solutions that combat phishing attacks. Detecting a phishing website is a complex task that requires significant expert knowledge and experience. So far, various solutions have been proposed and developed to address these problems. Most of these approaches are unable to decide dynamically whether a site is in fact a phishing site, giving rise to a large number of false positives. This is mainly due to the limitations of the previously proposed approaches, for example their dependence on a fixed blacklist and whitelist database, the absence of human intelligence and expertise, poor scalability and their timeliness.

In this research we investigated and developed the application of an intelligent fuzzy-based classification system for e-banking phishing website detection. The main aim of the proposed system is to protect users from phishers' deception tricks by giving them the ability to determine the legitimacy of websites. The proposed intelligent phishing detection system employs a Fuzzy Logic (FL) model together with association classification mining algorithms. The approach combines the capabilities of fuzzy reasoning in measuring imprecise and dynamic phishing features with the capability to classify the phishing fuzzy rules.

Different phishing experiments covering all phishing attacks, motivations and deception behaviour techniques have been conducted to address all phishing concerns. A layered fuzzy structure has been constructed for all gathered and extracted phishing website features and patterns. These have been divided into 6 criteria and distributed across 3 layers based on their attack type. To reduce human knowledge intervention, different classification and association algorithms have been implemented to generate fuzzy phishing rules automatically, to be integrated into the fuzzy inference engine for the final phishing detection.

Experimental results demonstrated the ability of the learning approach to identify all relevant fuzzy rules from the training data set. A comparative study and analysis showed that the proposed learning approach has a higher degree of predictive and detective capability than existing models. Experiments also showed the significance of some important phishing criteria, such as URL & Domain Identity and Security & Encryption, to the final phishing detection rate.

Finally, our proposed intelligent phishing website detection system was developed, tested and validated by incorporating the scheme as a web-based plug-in phishing toolbar. The results obtained are promising and show that our intelligent fuzzy-based classification detection system can provide effective help for real-time phishing website detection. The toolbar successfully recognized and detected approximately 92% of the phishing websites selected from our test data set, avoiding many misclassified websites and false phishing alarms.