Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:

 

New cyber security protocol for online banking, and more

21.02.2005


A new security approach could improve safeguarding of credit card numbers, bank passwords and other sensitive information for those who surf the Internet using wireless connections, researchers told the annual meeting of the American Association for the Advancement of Science (AAAS)on Saturday.



The same protocol could be employed in many computer networks in which two computers, hand-held communication devices or network nodes need to simultaneously verify the identity of each other.

The protocol - called "delayed password disclosure" - was created by Markus Jakobsson and Steve Myers of Indiana University. It may have application in any environment where "mutual identity authentication" is required, the researchers say.


This new security protocol could help to prevent consumers from getting tricked into connecting to a fake wireless hub at an airport, for example. Or the protocol could notify you that the link included in a legitimate-looking e-mail points to a fake website set up to steal your sensitive information, such as passwords and PINs to bank accounts, credit cards numbers and account numbers for online fund-transfer services.

The safety measures also might help stop organized crime and terrorist-funding groups from collecting large numbers of fund-transfer account numbers that could be used for money laundering, the researchers say.

In one possible application, the security protocol could be used to verify that two wireless devices trying to connect to each other don’t mistakenly connect to another device. This is useful to safeguard communications between mobile units, such as between members of emergency crews who are connected through wireless networks built "on the fly."

These so-called "ad hoc" networks hold great potential for military and emergency response applications where network infrastructures have been destroyed or are nonexistent. The flexibility of ad hoc networks, however, opens the door to attack. The new protocol is meant to strengthen such networks, using a type of electronic "interrogation" to ensure they are not compromised.

The protocol also holds promise as on-line banking becomes more prevalent. In one scenario, criminals could "sift" or launder money through a large number of accounts once the system is compromised by an attacker. Each account would maintain the correct balance for the unsuspecting victim, even as the attacker funneled funds through it. If large numbers of accounts are used, and the payment patterns are intricate, then such misbehavior is difficult to trace to the attacker - who might be working for the payer, the final recipient of the funds, or both.

For network attackers to launder money through online fund-transfer accounts of unsuspecting individuals, the criminals must stop email notifications from the fund-transfer company to the account holder. "Denial of service attacks" and other kinds of network attacks could be employed to stop such notification emails, the researchers say. But spotting such maneuvers is not easy.

"It’s difficult to say exactly what tactics network attackers are using right now because many people do not know they are being attacked. Nonetheless, criminals who have no greater passion than money laundering are already intensely thinking about these kinds of projects," Jakobsson explained.

The use of delayed password disclosure or a comparable protocol could help to prevent such crimes. If the protocol were used by an online bank, a technical version of the following dialogue would occur between the bank and the online customer to authenticate the identity of both parties without divulging passwords.

CUSTOMER: Hello bank. I know my banking password. If you really are my bank, then you already know my password. I don’t trust you and you don’t trust me. I’m not going to tell you my password. We’re going to use this authentication protocol called "delayed password disclosure." It allows us to both be sure the other one is not lying about our identity, but without giving out any sensitive information in the process.

BANK: Proceed.

CUSTOMER: Bank, I will send you some information that is encrypted. You can only decrypt it if you know my password. If you don’t know the password, you could of course try all possible passwords (although that is a lot of work!), but you would never know from my message if you picked the right one. Once you have decrypted the message, I want you to send it to me. If it is correctly decrypted, I will know that you know my password already. Once I know that you know my password, I will send it to you so that you can verify that I also know it. Of course, if I am lying about my identity and don’t know the password in the first place, then I will not learn anything about the password from your message, so it is safe in both directions.

For more details on the delayed password disclosure protocol, (patent pending) see the technical document from Markus Jakobsson entitled "Stealth Attacks" which is available at www.stealth-attacks.info

Jakobsson is hoping to have "beta code" for Windows and Mac in spring 2005, and code for common cell phone platforms later in 2005.

MEDIA NOTE: A news briefing on this research will take place at 8:30 a.m. Eastern Time, Saturday, 19 February, during the AAAS Annual Meeting in Washington, DC, in Wilson A of the Marriott Wardman Park Hotel. During the briefing, symposium moderator Susanne Wetzel will set up an ad hoc wireless network and then attack it using a denial of service method. She will show how an "evil node" in the network can quickly drain the battery of a personal digital assistant (PDA). Further, these and other speakers will take part in a symposium titled, "Attacks on and Security Measures for Ad Hoc Wireless Networks," set to take place Saturday at 9:45 a.m. in the Omni Shoreham Hotel, Level 2B, Empire.

Ginger Pinholster | EurekAlert!
Further information:
http://www.stealth-attacks.info
http://www.aaas.org
http://www.sciencemag.org

More articles from Information Technology:

nachricht Gecko adhesion technology moves closer to industrial uses
13.12.2017 | Georgia Institute of Technology

nachricht New silicon structure opens the gate to quantum computers
12.12.2017 | Princeton University

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: Long-lived storage of a photonic qubit for worldwide teleportation

MPQ scientists achieve long storage times for photonic quantum bits which break the lower bound for direct teleportation in a global quantum network.

Concerning the development of quantum memories for the realization of global quantum networks, scientists of the Quantum Dynamics Division led by Professor...

Im Focus: Electromagnetic water cloak eliminates drag and wake

Detailed calculations show water cloaks are feasible with today's technology

Researchers have developed a water cloaking concept based on electromagnetic forces that could eliminate an object's wake, greatly reducing its drag while...

Im Focus: Scientists channel graphene to understand filtration and ion transport into cells

Tiny pores at a cell's entryway act as miniature bouncers, letting in some electrically charged atoms--ions--but blocking others. Operating as exquisitely sensitive filters, these "ion channels" play a critical role in biological functions such as muscle contraction and the firing of brain cells.

To rapidly transport the right ions through the cell membrane, the tiny channels rely on a complex interplay between the ions and surrounding molecules,...

Im Focus: Towards data storage at the single molecule level

The miniaturization of the current technology of storage media is hindered by fundamental limits of quantum mechanics. A new approach consists in using so-called spin-crossover molecules as the smallest possible storage unit. Similar to normal hard drives, these special molecules can save information via their magnetic state. A research team from Kiel University has now managed to successfully place a new class of spin-crossover molecules onto a surface and to improve the molecule’s storage capacity. The storage density of conventional hard drives could therefore theoretically be increased by more than one hundred fold. The study has been published in the scientific journal Nano Letters.

Over the past few years, the building blocks of storage media have gotten ever smaller. But further miniaturization of the current technology is hindered by...

Im Focus: Successful Mechanical Testing of Nanowires

With innovative experiments, researchers at the Helmholtz-Zentrums Geesthacht and the Technical University Hamburg unravel why tiny metallic structures are extremely strong

Light-weight and simultaneously strong – porous metallic nanomaterials promise interesting applications as, for instance, for future aeroplanes with enhanced...

All Focus news of the innovation-report >>>

Anzeige

Anzeige

Event News

See, understand and experience the work of the future

11.12.2017 | Event News

Innovative strategies to tackle parasitic worms

08.12.2017 | Event News

AKL’18: The opportunities and challenges of digitalization in the laser industry

07.12.2017 | Event News

 
Latest News

A whole-body approach to understanding chemosensory cells

13.12.2017 | Health and Medicine

Water without windows: Capturing water vapor inside an electron microscope

13.12.2017 | Physics and Astronomy

Cellular Self-Digestion Process Triggers Autoimmune Disease

13.12.2017 | Life Sciences

VideoLinks
B2B-VideoLinks
More VideoLinks >>>