User-friendly Manual Transfer of Authenticated Online Banking Transaction Data - A Case Study that Applies the What You Enter Is What You Sign Transaction Authorization Information Scheme

摘要

Online banking relies on user-owned home computers and mobile devices, all vulnerable to man-in-the-middle attacks which are used to steal money from bank accounts. Banks mitigate this by letting users verify information that originates from these untrusted devices. This is not user-friendly since the user has to process the same information twice. It also makes the user an unnecessary critical factor and risk in the security process. This paper concerns a case study of an information scheme which allows the user to enter critical information in a trusted device, which adds data necessary for the recipient to verify its integrity and authenticity. The output of the device is a code that contains the information and the additional verification data, which the user enters in the computer used for online banking. With this, the bank receives the information in a secure manner without requiring an additional check by the user, since the data is protected from the moment the user entered it in the trusted device. This proposal shows that mundane tasks for the user in online banking can be automated, which improves both security and usability.