Online Banking Authentication System using Mobile-OTP with QR-code Young Sil Lee*, Nack Hyun Kim**, Hyotaek Lim***, HeungKuk Jo***, Hoon Jae Lee*** * Dept. of Ubiquitous and IT Graduate School of Design and IT, Dongseo University Busan, 617-716, South Korea, Tel: +82-51-320-1730 ** Dept. of Ubiquitous and IT Graduate School of General, Dongseo University *** Div. of Computer and Information Engineering, Dongseo University [email protected], hkjo, htlim, hjlee @dongseo.ac.kr Abstract- As a high-speed internet infrastructure is being developed and people are informationized, the financial tasks are also engaged in internet field. However, the existing internet banking system was exposed to the danger of hacking. Recently, the personal information has been leaked by a high-degree method such as Phishing or Pharming beyond snatching a user’s ID and Password. Seeing that most of examples which happened in the domestic financial agencies were caused by the appropriation of ID or Password belonging to others, a safe user confirmation system gets much more essential. In this paper, we propose a new Online Banking Authentication system. This authentication system used Mobile OTP with the combination of QR-code which is a variant of the 2D barcode.

I. INTRODUCTION Online banking is one of the most sensitive tasks performed by general internet user. Most traditional banks new offer online baking with ‘peace of mind’. Although the banks heavily advertise a apparent ‘100% online security guarantee’, typically the fine print makes this conditional a user fulfilling certain security requirements [1]. The number of the users of the domestic banking system has been increased steadily in the first quarter of 2009. The average usage of the service per day was 26,410,000 while the amount of dealings went beyond 26 trillion 950 million won. However, recent banks are becoming increasingly reluctant to reimburse user who fall prey to online scams such as phishing or a pharming. The first hacking incident in Korea in 2005 spurred the FSS (The Korean Financial Supervisory Service) to announce a comprehensive countermeasure. One of the countermeasures that draw high attention of the financial agencies is OTP (One Time Password), one of the user confirmation methods is introduces, and Joint Confirmation Center of OTP is established [2]. The Online financial transaction in the present is apply a security card and public key certificate which are the methods confirming a user, and recently OTP was newly introduced. One-Time Password is a password system where passwords can only be used once and the user has to be authenticated with a new password key each time. This guarantee the safety even if an attacker is tapping password in network or a user loses it. Besides, OTP features anonymity, portability, and extensity, and enables to keep the information from being leaked [3]. The type of OTP generate device is smart card, USB, fingerprint recognition and so on. Our propose Online

Banking Authentication System use Mobile OTP, one of the OTP generate device which has same security as the existing OTP and with the convenience of mobile features, and the used of semi-permanent. This reduction in acquisition costs as well as easy to download the brother deployment, if the introduction of financial. In addition, user does not require a separate cost except for the initial download costs. Meanwhile, the use of electronic banking services is increased gradually in daily life and currently online banking required the use of security card from each banks. However the current service using security card does not suite modern Mobile environment because we do not know when and where online banking and will be used. If there is emergency situation to do online banking, the online baking cannot be done without the security card. In order to overcome such a weaknesses and inconvenient of security card, our propose authentication system use two-dimensional barcodes (2D Barcode) instead of security card. Barcode is fast, easy, accurate and automatic data collection method. Barcode enables products to be tracked efficiently and accurately at speeds net possible using manual data entry system. In this paper, we propose authentication system for online banking which can provide greater security and convenience by mobile OTP with the QR-code, one of the 2D barcode adopted by current international and national standards. The bank generates the QR-code using the user’s enter transfer information, the user then use mobile phone to read the code. After that use to a mobile phone generates the OTP code with the input of transfer information and hashed user’s mobile serial number. Then user enters the generated OTP code, to complete the transfer process. This paper is organized as follows: We introduce OTP (OneTime Password) [4] and QR-code (two-dimensional barcode) [5] in Section 2. In Section 3, we describe our new scheme and analysis of proposed authentication system. And a conclusion section is end the present paper. II. RELATED WORK A. OTP (One-Time Password) An OTP is a generated password which only valid once. The user is given a device that can generate an OTP using an algorithm and cryptographic keys. On the server side, an authentication server can check the validity of the password by sharing the same algorithm and keys.

- 644 -

Several software or devices can be used to generate the OTP, for example personal digital assistants, mobile phones, dedicated hardware tokens as it the most secure smart cards is devices among all the OTP generator provide tamper-resistant two-factor authentication: a PIN to unlock the OTP generator (something you know), and the OTP smart card itself (something you have). Figure 1 illustrates the three steps that required to generate an OTP: the collection of some external data, such as the time for synchronous OTP or a challenge for an asynchronous OTP, a ciphering algorithm with secret keys shared by the device and the authentication server, and finally a formatting step that sets the size of the OTP to typically six to eight digits.

code (ISO/IEC 18004:2000) [8]. There is no license fee to be paid to use neither DataMatrix nor QR-code. Even though a study comparing them quote by explained the superiority encoding, QR-codes are most common in Asia and particularly popular in Japan.

Figure 2. The development of QR-code A QR-code is a two-dimensional barcode introduced by the Japanese company Denso-Wave in 1994. This kind of barcode was initially used for tracking inventory in vehicle parts manufacturing and now is widely used in a variety of industries. QR stands for “Quick Response” as the creator intended the code to allow its contents to be decoded at high speed. Figure 1. The generation of One-Time passwords Until recently, OTP solutions were based on proprietary and often patented time-based or event-based algorithms. In 2005, OATH-HOTP [6] was defined as an open standard by major actors in the industry. This open standard allows multisourcing of the OTP generating devices and authentication servers from different vendors. The HOTP algorithm is based on a secret key and a counter shared by the device and the server, and uses standard algorithms such as SHA-1 and HMAC. OTP has carried more advantages over PKI as it does not require the deployment of smart card readers, drivers and PC software. However in terms of features, OTP only provides identification and authentication, whereas PKI provides addition encryption and signature. OTP being a passwordbased authentication is also vulnerable to man-in-the-middle attacks, such as phishing scams. Since there is no mutual authentication of the PC and the internet service provider server, an attacker can intercept an OTP using a mock-up site, and impersonate the user to the real internet web site. B. QR-code (two-dimensional barcode) The two-dimensional barcodes (2D barcode) are open standards while others are proprietary such as Somacodes, Spotcodes, Rohs’visualcodes, ColorCode, Cybercode, MobileTag, VeriCode, ShotCode, eZcodes, HotScan, Codablock F, Aztec, FP CCode (Fine Picture Code – Fujitsu) and BeeTagg (connVision). PDF417 (Portable Data File) and MaxiCode are used under AIM International ISO standardization. The two most well known 2D barcode standers are DataMatrix (ISO/IEC 16022:2000) [7] and QR-

Figure 3. The structure of QR-code Each QR-code symbol consists of an encoding region and function patterns, as show in Fig 2. Function patterns include finder, separator, timing patterns and alignment patterns. The finder patterns located at three comers of the symbol intended to assist in easy location of its position, size and inclination. A QR-code is a matrix code developed and released primarily to be a symbol that is easily interpreted by scanner equipment. It contains information in both vertical and horizontal directions, whereas a classical barcode has only one direction of data (usually the vertical one). Compared to a 1D barcode, a QR-code can hold a considerably greater volume of information: 7,089 characters for numeric, 4,296 characters for alphanumeric data, 2,953 bytes of binary (8bits) and 1,817 characters of Japanese Kanji/Kana symbols. Besides this, QRcode also has error correction capability. Data can be restored even when substantial parts of the code are distorted or damaged. In the QR-code standard, comers are marked and estimated so that the inside-code can be scanned [9]. The barcode recognition process has 5 steps: (1) edge detection, (2) shape detection, (3) identification of barcode control bar, (4)

- 645 -

identification of the barcode orientation, dimensions and bit density using the control bar, and lastly, (5) calculation the value of the barcode [10]. For camera phones and PDAs (Personal Digital Assistant) that are not equipped with QR-code readers, there are some add-on tools that decode QR-codes simply by positioning the device in front of the code. This is done automatically within the streaming flow and the user does not have to take a picture of the QR-code. QuickMark [11] and 1-nigma [12] readers are good examples of free tools using this technique that are available for many manufactured models and devices. QuickMark provides extension functionalities to QR-codes, by allowing partial or entire encryption of codes. Another interesting feature is the “Magic Jigsaw”: this option encodes binary data (a picture for example) as a chain of QR-codes that the user can scan to retrieve the original content. Alternatively, if there is no network connection is available, the code management will have to be done by the mobile device in an autonomous way. If the final user only needs to scan codes and see the result messages, the software mentioned above are sufficient enough. However the developers, who have to manage QR-codes, some SDKs (Software Development kit) are announced and some are already available in the market. For instants Microsoft Windows Live Barcode project, OpenNetCF, QRCode Library for .NET Compact Framework and Google ZXing (Zebra Crossing) project will be available soon. Twit88 [13] provides an open source project on QR-codes.

£ User and the certification authority (CA) has been shared the hashed the serial number (SN) of user’s mobile device through a secure process. ¤ User can recognize the QR-code by their mobile device and it can decode of the code. ¥ Assume the secure communication through SSL/TLS handshaking between the user (PC) and the certification authority (CA) and the service providers (Bank). ¦ User to download the mobile OTP program (algorithm) provided by certification authority (CA) or the service providers (Bank) and used it. § Generates the OTP algorithm between the user and the certification authority (CA) is synchronized by TimeEvent combinations method. B. Proposed Authentication System The proposed authentication system performed the user authentication and digital signatures using authorized certificates in the same way as the existing authentication. To recognize and convert the code, we generate the mobile OTP code into a two-dimensional barcode using user’s transfer information (TI), requested transfer time (T) and the hashed serial number (SN) of user’s mobile device instead of security card. The authentication process of proposed system is shown below the Fig. 4.

III. PROPOSED AUTHENTICATION SYSTEM Security is one of the most important elements for requirements of the authentication system. Identification through a secure process where only legitimate user should be able to provide services, when they receive authorization from the server using the generated information from the user’s mobile device. Also, convenience is very important as well as safety because inconvenience of the authentication system has possible to make renounce the use of the system. Therefore, the authentication system should provide convenience with maximum safety. Therefore an important approach proposed in this paper is currently being used to generate a QR-code instead of use to security card from the bank and use the mobile OTP. The bank generates the QR-code using entered by user’s transfer information and the user has to recognize as to read the code using their mobile phone and generate the OTP code using transfer information and the hashed user’s mobile device serial number in their mobile phone. Finally, execute the transfer by user input the generated OTP code on the screen. In our propose scheme, we assume the secure communication between the user (PC) ȧ service providers and service providers ȧcertification authority. A. Assumptions The proposed authentication system is the promise of the following assumptions.

- 646 -

Figure 4. A propose Authentication System

¬ Authorized user signed his certificates to complete the transfer. ­ Server (Bank) to verify the digital signature and final approve of transfer.

We omitted the qualified issuance and registration of user’s certificate and details of the digital signature process in the same as the exiting online banking authentication system for simplify the certification process.

IV. SECURITY ANALYSIS £ User uses his/her own public certificate to login and then transfer information to start the transfer transaction. Transfer Information (TI) = TB ” TA ” TM TB : Transfer_Bank (Bank code) TA : Transfer_Account TM : Transfer_Money ¤ Server indicates and then converted the information to a QR-code with random value (RN`) on the screen using user enters the transfer information (TI), the requested time of transfer (T) and random value (RN). At the same time, the server sent it to certification authority (CA) to inputted information of transfer (TI) and the requested time of transfer (T). ¥ Certification authority (CA) generated the OTP by received the transfer information (TI), the requested time of transfer (T) and the user’s hashed serial number (SN). ¦ User will convert the QR-code on the screen using their mobile device and it is divided into two phases. First, user uses their mobile device (phones) to read the random value (RN) which show on the screen to verify the random value (RN`). If the random value is accurate, user will proceed to the next step. And then confirm the converted the information of transfer. If the information is accurate, user will generate OTP code in the mobile device. If the information does not match, the transfer will be canceled. § When user execute the generated OTP, mobile device generate the OTP by reads the transfer information (TI), perceived value of time (T) and hashed serial number (SN) of user’s mobile device are shared with the certification authority (CA). And output the generated OTP on the screen of mobile devices. ¨ User input the generated OTP code from mobile device on the screen. © Server (Bank) sent OTP to certification authority (CA) to received OTP from user. ª Certification authority (CA) compared by received OTP code (OTP1) and generated the OTP code (OTP2), sent to server (Bank) to for OTP code approval. « When the server (Bank) received approve of OTP from certification authority (CA), it will verify the entered OTP code with user consistent value and user digital signature. If the approve of OTP value does not receive, the transfer will be canceled.

Assume the secure communication through SSL/TLS tunnel between user (PC) and certification authority (CA) and service providers (Bank). So a malicious user cannot analyze the content of communications as our proposed system use the camera of mobile device to recognize of QR-code, does not separate to communicate between the user’s PC and mobile devices. Also the user and certification authority (CA) has been shared the hashed the serial number (SN) of user’s mobile device through a secure process in the initial registration phase. If a counterfeit or altered the PIN, the OTP value is change. In our proposed system, the user to prevent Phishing attacks by identifying the value of random number (RN) before to verify the information of transaction when the conversion of QR-code. After confirming a legitimate service provider, information of transaction is converted. If a counterfeit or altered the random number (RN) and the information of transaction, the generation of OTP can be stopped by discretion of the user. Meanwhile, our proposed system require a prerequisite input of transaction information using QR-code and authorized authentication by the public certificate for the generation of OTP. Through this process, identified as legitimate users and can block the use of malicious user. Also the time value used to generate the OTP code is not possible to change arbitrarily because we used the user’s requested time of transfer. V. CONCLUSION The use of electronic banking services is increased gradually in daily life and existing online banking required the usage of security card from each bank which does not match modern mobile environment because we do not know when and where online banking will be used. If there is emergency situation to do online banking, the online banking cannot be done without the security card. In order to overcome such discomfort of security card, online banking authentication system using 2D barcode instead of security card is proposed. The bank generates the QR-code using user input transfer information and then user need to recognize as to read the code using their mobile phone, after generate the OTP code using transfer information and the hashed user’s mobile device number in their mobile phone. Finally, terminate the transfer by user typing of generated OTP code on the screen. In this paper, we propose new authentication system for online banking can provide greater security and convenience by using mobile OTP with the QR-code, one of the 2D barcode adopted by current international and national standards.

- 647 -

In electronic financial services, the importance of security and ease of use is like two side of a coin. It cannot be provided considering that show up on one side. Therefore, we should be sought safety devices to meet all ease and security of electronic financial services. ACKNOWLEDGMENT This research was supported by the 2010 National Research Foundation Project and 2009 Dongseo Frontier Project.

REFERENCES [1]

[2] [3]

[4] [5]

[6] [7] [8]

[9]

[10]

[11] [12] [13]

Mohammad Mannan, P. C. Van Oorschot, “Security and Usability: The Gap in Real-World Online Banking”, NSPW’07, North Conway, NH, USA, Sep. 18-21, 2007. AntiPhishingGroup, “Phishing Activity Trends Report”, from: http://www.antiphishing.org, Dec. 2008. Sang-Il Cho, HoonJae Lee, Hyo-Taek Lim, Sang-Gon Lee, “OTP Authentication Protocol Using Stream Cipher with Clock-Counter”, October, 2009. Jean-Daniel Aussel, “Smart Cards and Digital Identity”, Telektronikk 3/4. 2007. ISSN 0085-7130. Jose Rouillard, “Contextual QR Codes”, Proceedidngs of the Third International Multi-Conference on Computing in the Global Information Technology (ICCCGI2008), Athens, Greece, July 27-Augst 1, 2008. IETF RFC 4226, HOTP: An HMAC-Based One-Time Password Algorithm, Dec. 2005, ISO/IEC 16022:2000 – Information Technology – International Symbology Specification – Data Matrix, 2000. ISO/IEC 18004:2000 – Information Technology – Automatic Identification and Data Capture Techniques – BarCode Symbology – QR Code, 2000. Ohbuchi, E., Hanaizumi., H., Hock, L.A, “Barcode Readers using the Camera Device in Mobile Phones”, in Proc. of 2004 International Conference on Cyberworlds, pp.260-265, 2004. Reilly, D., Smolyn, G. and Chen, H., “Toward fluid, mobile and ubiquitous interaction with paper using recursive 2D barcodes”, Pervasive Mobile Interaction Devices 2007 (PerMID2007), workshop at Pervasive 2007, Toronto, Canada, 2007. QuickMark, Retrieved March 2008, from: http://www.quickmark.com.tw/ I-Nigma: Retrieved March 2008, from: http://www.i-nigma.com Twit88, Retrieved March 2008, from: http://www.twit88.com/home/opensource/qrcode

- 648 -