
Enhanced Web Security Application for Online Financial Transactions


Chapter One

Research Aim and Objectives

The aim of this dissertation is to develop mechanisms for preventing Man-in-the-Browser (MitB) attacks on online financial transactions. The research objectives of this proposed dissertation are to:

  1. Develop an anti-form grabbing technique that encodes user inputs as they are being entered.
  2. Implement an authentication mechanism using a One Time Password (OTP).
  3. Develop a medium that uses email sent from the server for identity verification.

CHAPTER TWO

LITERATURE REVIEW

Introduction

This chapter presents an overview of internet banking and the threats associated with it. The encryption being employed in this work and the technologies used will be discussed with some of the related works done in the past.

History of the Web

The World Wide Web was officially introduced to the world on August 6, 1991 by Sir Tim Berners-Lee. In the late 1980s, a CERN (European Organization for Nuclear Research) scientist named Tim Berners-Lee came up with the idea of hypertext: information that was “linked” to another set of information. His idea was for the researchers at CERN to be able to communicate more easily via a single informational network, instead of many smaller networks that were not linked with one another in any universal way. This hypertext technology included hyperlinks, which enabled users to peruse information from any linked network merely by clicking on a link. Although hypertext had been invented many years earlier, Mr Berners-Lee’s invention married hypertext with the Internet, and he also made available all of the files necessary for people to replicate his invention (Boswell, 2014).

Online banking

Online banking is a system allowing individuals to perform banking activities at home, via the Internet. Some online banks are traditional banks which also offer online banking, while others are online only and have no physical presence. Online banking through traditional banks enables customers to perform all routine transactions, such as account transfers, balance inquiries, bill payments, and stop-payment requests, and some even offer online loan and credit card applications. Account information can be accessed at any time, day or night, and from anywhere. A few online banks update information in real time, while others do it daily. Once information has been entered, it does not need to be re-entered for similar subsequent cheques, and future payments can be scheduled to occur automatically. Many banks allow for file transfer between their program and popular accounting software packages, to simplify record keeping. Despite the advantages, there are a few drawbacks. It does take some time to set up and get used to an online account. Also, some banks only offer online banking in a limited area. Online-only banks have a few additional drawbacks: an account holder has to mail in deposits (other than direct deposits), and some services that traditional banks offer are difficult or impossible for online-only banks to offer, such as traveller’s cheques and cashier’s cheques (Batchelor, 2014).

Online banking is also known as “Internet banking” or “Web banking.” A good online bank will offer customers just about every service traditionally available through a local branch, including accepting deposits (which is done online or through the mail), paying interest on savings and providing an online bill payment system (Nilsson, 2012).


CHAPTER THREE

MATERIALS AND METHODS

Introduction

This chapter covers the main research, in particular the proposed security system, its implementation and the functionalities of the system. The system architecture and all of its components are broken down and discussed, together with the flow chart. The chapter also demonstrates the working technique of the anti-form grabbing method of securing the web, how the JWT secures the information exchange, how the OTP authenticates the client side for adequate security, and how the email verification service is employed. Finally, the design of the database is considered, and the tools and technologies required during implementation are enumerated.

The Proposed Enhanced Security System

In this section, the modelling strategy employed in achieving the proposed enhanced security system is considered. First, the system architecture and the flow chart (the workflow) are considered. The workability of the security features is demonstrated during the implementation of the work; in this section we consider the theoretical functionalities of the various components of the enhanced security system. The system consists of two separate solutions, discussed later on: one showing how the data is gathered and transmitted in a login session, and one showing how a transaction is verified. PHP is used as the server-side scripting language and JavaScript for client-side scripting. Apache is used as the web server software, and a MySQL server also runs on the server machine.

CHAPTER FOUR

IMPLEMENTATION AND DISCUSSION

Introduction

First, the code written for this work, in particular the algorithm, is implemented. The information flow between the client and the server is encrypted and encoded in a JWT. The session variable is discussed, as is the function of the Email Authentication Handler. How the dynamic JavaScript was created is shown, screen snapshots of the program are provided, and the results are discussed.

CHAPTER FIVE

SUMMARY, CONCLUSION AND RECOMMENDATION

Summary

The main aim of this dissertation is to develop mechanisms for preventing MitB attacks, or making them difficult, in online financial transactions. The literature pertaining to the work was reviewed, including how a MitB attack operates. The work also gives insight into the design of the Enhanced Web Security Application, its implementation and its functionalities. The design of the system architecture was thoroughly discussed, demonstrating the working technique of the anti-form grabbing method of securing the web, how the JWT secures the information exchange, how the OTP authenticates the client side for adequate security, and how the email verification service was employed. The algorithms of both the anti-form grabbing technique and token generation were developed.

The information exchange between the client and the server was protected by introducing anti-form grabbing, in which the user's inputs are captured immediately and encoded by a JavaScript dynamically generated on the server side, making what is displayed on the screen different from what is being typed. Even if the attacker “grabs” the user's form input, the attacker has only “grabbed” a combination of meaningless symbols that cannot be decoded. During the information exchange, a token is sent to the user's email; the user logs in to their email to obtain the token, which must then be entered correctly. The email service serves as a means of identity verification by routing the verification through the server rather than through the same session, which the attacker might see and modify. The JSON Web Token also takes care of the web content, namely the “Account Number” and the “Amount” entry fields: this information is sent to the server in a JWT carried in the request headers.

The performance of the work was assessed, and a comparative security analysis against the previous literature, presented with a table and a chart, shows that the enhanced security approach used in this work is stronger.
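The per-session substitution described above, written out as an added example that is not the dissertation's own code. It assumes the server generates a fresh permutation of the input alphabet for each session, embeds the forward map in the dynamically generated script, and keeps the inverse map to decode the submitted field; the seeded PRNG is only there so the example runs reproducibly offline.

```javascript
const ALPHABET = "abcdefghijklmnopqrstuvwxyz" +
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
// Seeded PRNG (mulberry32) so the example is reproducible offline;
// a real server would draw the permutation from a CSPRNG instead.
function mulberry32(seed) {
  return function () {
    seed = (seed + 0x6D2B79F5) | 0;
    let t = Math.imul(seed ^ (seed >>> 15), 1 | seed);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}
// Server side (assumed design): build a fresh per-session bijection
// char -> substitute char to embed in the dynamically generated script.
function buildSessionMap(seed) {
  const rnd = mulberry32(seed);
  const pool = ALPHABET.split("");
  for (let i = pool.length - 1; i > 0; i--) {      // Fisher-Yates shuffle
    const j = Math.floor(rnd() * (i + 1));
    [pool[i], pool[j]] = [pool[j], pool[i]];
  }
  const forward = {}, inverse = {};
  for (let i = 0; i < ALPHABET.length; i++) {
    forward[ALPHABET[i]] = pool[i];
    inverse[pool[i]] = ALPHABET[i];
  }
  return { forward, inverse };
}

// Apply a map char by char; chars outside the alphabet (e.g. "@") pass through.
function substitute(text, map) {
  return Array.from(text, (ch) => map[ch] ?? ch).join("");
}

// Client side: what a "beforeinput" handler stores in the field per typed char.
function encodeTyped(fieldValue, typedText, forward) {
  return fieldValue + substitute(typedText, forward);
}

// Server side: recover the plaintext from the submitted (encoded) field.
function decodeSubmitted(encoded, inverse) {
  return substitute(encoded, inverse);
}

// Round trip with a constructed seed and password: the form (and any form
// grabber) only sees `field`; the server holds the inverse map.
const session = buildSessionMap(20240811);
let field = "";
for (const ch of "Pa55word") field = encodeTyped(field, ch, session.forward);
const recovered = decodeSubmitted(field, session.inverse);  // "Pa55word"
```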

Conclusion

Given the security challenges discussed earlier, this dissertation proffers solutions to two key areas that MitB penetrates: the login aspect and the verification aspect. To mitigate these security issues, this research introduces an anti-form grabbing technique that prevents the attacker from “grabbing” sensitive information; JWT, used to transfer information that can be verified and trusted through its digital signature; and a token used as an OTP for verification through email. These are part of the aim and objectives of this work, and we have successfully achieved them.

Recommendation

In future research, other MitB threats such as keylogging can be looked into, since the proposed work encodes what is displayed but does not protect against what a keylogger records from the keystrokes the user types. Adding this protection would make the work all-encompassing in dealing with MitB.

REFERENCES

  • Abbasi, A. G., Muftic, S., and Hotamov, I. (2010). Web Contents Protection, Secure Execution and Authorized Distribution. Fifth International Multi-Conference on Computing in the Global Information Technology, pp. 157-162.
  • Akinwale, T. A., Adekoya, F. A., and Ooju, E. O. (2011). Multi-Level Cryptographic Functions for the Functionalities of Open Database System. Department of Computer Science, University of Agriculture, Abeokuta, Nigeria, pp. 730-735.
  • Association of German Banks. (2007). Online banking security. Berlin: Bundesverband deutscher Banken.
  • Batchelor, B. (2014). The History of E-Banking. Retrieved August 11, 2014 from http://www.ehow.com/about_5109945_history-ebanking.html
  • Boswell, W. (2014). The History of the Web. Retrieved August 10, 2014 from http://websearch.about.com/od/searchingtheweb/a/webhistory.htm
  • Canali, D., and Balzarotti, D. (2013). Behind the Scenes of Online Attacks: an Analysis of Exploitation Behaviors on the Web. 20th Annual Network and Distributed System Security Symposium, San Diego, CA, United States.