Pocket device for authentication and data integrity on Internet banking applications

摘要

During the last decades we have witnessed an exponential growth of the number of computer viruses. However, the real threat we are now facing is not so much the fact that a virus can make thousands of copies of itself in our computer, but the wide range of things they can do with the data stored or processed in it. One field in which this fact should be considered with special care is electronic banking. These online services are normally accessed from personal computers with low protection. The operating systems used on these computers tend to sacrifice the security on behalf of the commodity of the user. Under such circumstances, it would be rather easy to implement a man-in-the-middle attack in order to intercept the data exchanged with the bank. This way an attacker could end up controlling the money in our bank accounts. In order to illustrate this assertion, we outline some possible attacks that can break the security of several security systems, from passwords authentication to smart cards. The conclusion that we extract from here is that we cannot trust our computers: The data we input on the computer can be stolen, the data exchanged with other computers on the Web can also be intercepted and even modified, and the output we get from the computer monitor may not correspond to the data it is about to process and send in our name. Therefore, an trusted device is needed when performing banking operations over the Internet. Here we propose a digital signer device that not only provides a tamper proof storage for the digital signature but also provides its own display and keyboard. This system improves the security of smart cards by avoiding its dependence on the computer to interface with the user, making it immune to virus attacks.