Forum for Science, Industry and Business

Sponsored by:     3M 
Search our Site:

 

New cyber security protocol for online banking, and more

21.02.2005


A new security approach could improve safeguarding of credit card numbers, bank passwords and other sensitive information for those who surf the Internet using wireless connections, researchers told the annual meeting of the American Association for the Advancement of Science (AAAS)on Saturday.



The same protocol could be employed in many computer networks in which two computers, hand-held communication devices or network nodes need to simultaneously verify the identity of each other.

The protocol - called "delayed password disclosure" - was created by Markus Jakobsson and Steve Myers of Indiana University. It may have application in any environment where "mutual identity authentication" is required, the researchers say.


This new security protocol could help to prevent consumers from getting tricked into connecting to a fake wireless hub at an airport, for example. Or the protocol could notify you that the link included in a legitimate-looking e-mail points to a fake website set up to steal your sensitive information, such as passwords and PINs to bank accounts, credit cards numbers and account numbers for online fund-transfer services.

The safety measures also might help stop organized crime and terrorist-funding groups from collecting large numbers of fund-transfer account numbers that could be used for money laundering, the researchers say.

In one possible application, the security protocol could be used to verify that two wireless devices trying to connect to each other don’t mistakenly connect to another device. This is useful to safeguard communications between mobile units, such as between members of emergency crews who are connected through wireless networks built "on the fly."

These so-called "ad hoc" networks hold great potential for military and emergency response applications where network infrastructures have been destroyed or are nonexistent. The flexibility of ad hoc networks, however, opens the door to attack. The new protocol is meant to strengthen such networks, using a type of electronic "interrogation" to ensure they are not compromised.

The protocol also holds promise as on-line banking becomes more prevalent. In one scenario, criminals could "sift" or launder money through a large number of accounts once the system is compromised by an attacker. Each account would maintain the correct balance for the unsuspecting victim, even as the attacker funneled funds through it. If large numbers of accounts are used, and the payment patterns are intricate, then such misbehavior is difficult to trace to the attacker - who might be working for the payer, the final recipient of the funds, or both.

For network attackers to launder money through online fund-transfer accounts of unsuspecting individuals, the criminals must stop email notifications from the fund-transfer company to the account holder. "Denial of service attacks" and other kinds of network attacks could be employed to stop such notification emails, the researchers say. But spotting such maneuvers is not easy.

"It’s difficult to say exactly what tactics network attackers are using right now because many people do not know they are being attacked. Nonetheless, criminals who have no greater passion than money laundering are already intensely thinking about these kinds of projects," Jakobsson explained.

The use of delayed password disclosure or a comparable protocol could help to prevent such crimes. If the protocol were used by an online bank, a technical version of the following dialogue would occur between the bank and the online customer to authenticate the identity of both parties without divulging passwords.

CUSTOMER: Hello bank. I know my banking password. If you really are my bank, then you already know my password. I don’t trust you and you don’t trust me. I’m not going to tell you my password. We’re going to use this authentication protocol called "delayed password disclosure." It allows us to both be sure the other one is not lying about our identity, but without giving out any sensitive information in the process.

BANK: Proceed.

CUSTOMER: Bank, I will send you some information that is encrypted. You can only decrypt it if you know my password. If you don’t know the password, you could of course try all possible passwords (although that is a lot of work!), but you would never know from my message if you picked the right one. Once you have decrypted the message, I want you to send it to me. If it is correctly decrypted, I will know that you know my password already. Once I know that you know my password, I will send it to you so that you can verify that I also know it. Of course, if I am lying about my identity and don’t know the password in the first place, then I will not learn anything about the password from your message, so it is safe in both directions.

For more details on the delayed password disclosure protocol, (patent pending) see the technical document from Markus Jakobsson entitled "Stealth Attacks" which is available at www.stealth-attacks.info

Jakobsson is hoping to have "beta code" for Windows and Mac in spring 2005, and code for common cell phone platforms later in 2005.

MEDIA NOTE: A news briefing on this research will take place at 8:30 a.m. Eastern Time, Saturday, 19 February, during the AAAS Annual Meeting in Washington, DC, in Wilson A of the Marriott Wardman Park Hotel. During the briefing, symposium moderator Susanne Wetzel will set up an ad hoc wireless network and then attack it using a denial of service method. She will show how an "evil node" in the network can quickly drain the battery of a personal digital assistant (PDA). Further, these and other speakers will take part in a symposium titled, "Attacks on and Security Measures for Ad Hoc Wireless Networks," set to take place Saturday at 9:45 a.m. in the Omni Shoreham Hotel, Level 2B, Empire.

Ginger Pinholster | EurekAlert!
Further information:
http://www.stealth-attacks.info
http://www.aaas.org
http://www.sciencemag.org

More articles from Information Technology:

nachricht Metamolds: Molding a mold
20.08.2018 | Institute of Science and Technology Austria

nachricht Robots as Tools and Partners in Rehabilitation
17.08.2018 | Albert-Ludwigs-Universität Freiburg im Breisgau

All articles from Information Technology >>>

The most recent press releases about innovation >>>

Die letzten 5 Focus-News des innovations-reports im Überblick:

Im Focus: It’s All in the Mix: Jülich Researchers are Developing Fast-Charging Solid-State Batteries

There are currently great hopes for solid-state batteries. They contain no liquid parts that could leak or catch fire. For this reason, they do not require cooling and are considered to be much safer, more reliable, and longer lasting than traditional lithium-ion batteries. Jülich scientists have now introduced a new concept that allows currents up to ten times greater during charging and discharging than previously described in the literature. The improvement was achieved by a “clever” choice of materials with a focus on consistently good compatibility. All components were made from phosphate compounds, which are well matched both chemically and mechanically.

The low current is considered one of the biggest hurdles in the development of solid-state batteries. It is the reason why the batteries take a relatively long...

Im Focus: Color effects from transparent 3D-printed nanostructures

New design tool automatically creates nanostructure 3D-print templates for user-given colors
Scientists present work at prestigious SIGGRAPH conference

Most of the objects we see are colored by pigments, but using pigments has disadvantages: such colors can fade, industrial pigments are often toxic, and...

Im Focus: Unraveling the nature of 'whistlers' from space in the lab

A new study sheds light on how ultralow frequency radio waves and plasmas interact

Scientists at the University of California, Los Angeles present new research on a curious cosmic phenomenon known as "whistlers" -- very low frequency packets...

Im Focus: New interactive machine learning tool makes car designs more aerodynamic

Scientists develop first tool to use machine learning methods to compute flow around interactively designable 3D objects. Tool will be presented at this year’s prestigious SIGGRAPH conference.

When engineers or designers want to test the aerodynamic properties of the newly designed shape of a car, airplane, or other object, they would normally model...

Im Focus: Robots as 'pump attendants': TU Graz develops robot-controlled rapid charging system for e-vehicles

Researchers from TU Graz and their industry partners have unveiled a world first: the prototype of a robot-controlled, high-speed combined charging system (CCS) for electric vehicles that enables series charging of cars in various parking positions.

Global demand for electric vehicles is forecast to rise sharply: by 2025, the number of new vehicle registrations is expected to reach 25 million per year....

All Focus news of the innovation-report >>>

Anzeige

Anzeige

VideoLinks
Industry & Economy
Event News

LaserForum 2018 deals with 3D production of components

17.08.2018 | Event News

Within reach of the Universe

08.08.2018 | Event News

A journey through the history of microscopy – new exhibition opens at the MDC

27.07.2018 | Event News

 
Latest News

A novel synthetic antibody enables conditional “protein knockdown” in vertebrates

20.08.2018 | Life Sciences

Metamolds: Molding a mold

20.08.2018 | Information Technology

It’s All in the Mix: Jülich Researchers are Developing Fast-Charging Solid-State Batteries

20.08.2018 | Power and Electrical Engineering

VideoLinks
Science & Research
Overview of more VideoLinks >>>