IJCA Special Issue on “Computational Science - New Dimensions & Perspectives” NCCSE, 2011

Using Mobile Phones as Software Token for Generating Digital Signature Code: Digitally Signing an Online Banking Transaction

Abin Oommen Philip
M-Tech Computer Science, Specialization in Data Security
TocH Institute of Science & Technology, Arakkunam, Kerala, India

ABSTRACT

Nowadays, online banking security mechanisms focus on safe authentication mechanisms, but all these mechanisms are rendered useless if we are unable to ensure the integrity of the transactions made. Of late a new threat has emerged, known as the Man In The Browser attack; it is capable of modifying a transaction in real time without the user's notice, after the user has successfully logged in using safe authentication mechanisms. In this paper we analyze the Man In The Browser attack and propose a solution based upon digitally signing a transaction and using the mobile phone as a software token for digital signature code generation.

General Terms
Online Banking, Security, Digital Signature.

Keywords
Online Transactions, Man In Browser Attack, Digital Signature, Mobile Phones as Software Token.

1. INTRODUCTION

Online banking grew by 50 percent in 2009. As impressive as this statement is, it is dwarfed by the growth rate of banking Trojans and password-stealing malware, which was estimated to grow by over 180 percent in the same time period. In fact, intelligence agencies report that the speed and sophistication of such malware is outpacing most anti-virus and firewall updates. These Trojans can infect a user's PC and then launch man-in-the-browser attacks that can completely circumvent even the strongest user authentication measures. Once inside, fraudsters can do significant damage to both consumer and corporate online banking accounts, for example by wiring money externally or transferring funds via automated clearing house (ACH) or bill payment systems.
The success of the Man In The Browser (MITB) and Man In The Middle (MITM) attacks [1] highlights the false sense of security that many types of authentication solutions can give IT/security teams within organizations. In the case of MITM, deploying advanced two-factor authentication solutions [2] like smartcards, hardware tokens, One Time Passwords [3] or PKI has long been considered sufficient protection against identity theft techniques. However, since the MITB attack piggybacks on authenticated sessions rather than trying to steal or impersonate an identity, most authentication technologies are incapable of preventing its success.

In this paper we take a brief look at how the MITB attack takes place and how it is capable of modifying an online transaction. We propose a solution based on using mobile phones as a software token for digital signature code generation. A digital signature ensures the authenticity and integrity of a transaction. Mobile phones have become a daily part of our life; thus we can use the mobile phone as a software token to generate the digital signature code.

2. MAN IN THE BROWSER ATTACK SCENARIO

A new threat is emerging that attacks browsers by means of Trojan horses. This new breed of Trojan horses can modify transactions on the fly, as they are formed in the browser, and still display the user's intended transaction to him. The fraudster writes malicious code (often hidden in e-mail spam, scams, etc.) which infects account holders' computers with a Trojan capable of executing man-in-the-browser attacks. Structurally they are a man-in-the-middle attack between the user and the security mechanisms of the browser. Distinct from phishing attacks [4], which rely upon similar but fraudulent websites, these new attacks cannot be detected by the user at all: they use the real services, the user is correctly logged in as normal, and there is no difference to be seen.
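The following is an added example, not code from the paper, showing why a transaction-bound signature code defeats the on-the-fly modification described above. The phone (software token) computes a short code over the transaction fields the user actually intends, and the bank recomputes it over the fields it actually received from the browser; a MITB Trojan that changes the beneficiary or amount in transit produces a mismatch. The construction used here is an assumption for illustration only (HMAC-SHA256 over a canonical serialisation, truncated to digits as HOTP does); the paper's own scheme, key provisioning, and field names are not specified on this page, and all secrets and account values are constructed sample data.

```python
import hashlib
import hmac

# Constructed placeholder for the secret the bank provisions to the phone app
# (the software token) at enrolment; a real deployment generates one per user.
TOKEN_SECRET = b"constructed-example-secret-provisioned-at-enrolment"
CODE_DIGITS = 8  # length of the signature code the user types into the browser


def canonical_transaction(account: str, beneficiary: str, amount: str, txn_id: str) -> bytes:
    """Serialise the fields in a fixed order so phone and bank hash identical bytes.

    txn_id is a per-transaction nonce issued by the bank; binding it into the code
    stops a captured code from being replayed on a later transaction.
    """
    return "|".join(["v1", account, beneficiary, amount, txn_id]).encode("utf-8")


def signature_code(secret: bytes, account: str, beneficiary: str, amount: str, txn_id: str) -> str:
    """Compute the short digital signature code on the phone.

    Assumed construction (not the paper's exact scheme): HMAC-SHA256 over the
    canonical transaction, truncated to CODE_DIGITS decimal digits the same way
    HOTP (RFC 4226) truncates its MAC.
    """
    mac = hmac.new(secret, canonical_transaction(account, beneficiary, amount, txn_id),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_transaction(secret: bytes, received: dict, user_code: str) -> bool:
    """Bank side: recompute the code from the transaction actually received from
    the browser and compare it in constant time with the code the user submitted."""
    expected = signature_code(secret, received["account"], received["beneficiary"],
                              received["amount"], received["txn_id"])
    return hmac.compare_digest(expected, user_code)


def demo() -> dict:
    """Walk through an honest transaction and one altered in the browser."""
    # What the user sees and confirms on the phone (constructed sample values).
    intended = {"account": "ACCT-0001", "beneficiary": "ACCT-0002",
                "amount": "100.00", "txn_id": "TXN-20110301-0001"}
    code = signature_code(TOKEN_SECRET, **intended)

    # What a man-in-the-browser Trojan submits instead: different payee and amount,
    # while the browser still shows the user the intended values.
    tampered = dict(intended, beneficiary="ACCT-9999", amount="5000.00")

    return {
        "intended_accepted": verify_transaction(TOKEN_SECRET, intended, code),  # True
        "tampered_accepted": verify_transaction(TOKEN_SECRET, tampered, code),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The check only helps if the phone derives the code from transaction details the user confirms on the phone itself (entered there, or delivered to it out of band by the bank), never from values the infected browser passes along; otherwise the Trojan could simply feed the altered beneficiary to the token and obtain a valid code for its own transaction.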
The MITB threat utilizes a malware Trojan [5] on a victim's computer that is able to modify Web transactions as they occur in real time. The Trojan does not intervene until after the user has authenticated himself with his financial institution using any authentication technology, including OTP tokens, smartcards and PKI. Once connected to the legitimate site, it ‘piggybacks’ on the legitimate authenticated session between the user and the financial institution; the MITB attack alters the appearance of