Secure Communication Protocol Between a Human and a Bank Server for Preventing Man-in-the-Browser Attacks

  • Takashi Tsuchiya
  • Masahiro Fujita
  • Kenta Takahashi
  • Takehisa Kato
  • Fumihiko Magata
  • Yoshimi Teshigawara
  • Ryoichi Sasaki
  • Masakatsu Nishigaki (corresponding author)
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9750)

Abstract

Man-in-the-Browser (MITB) attacks are carried out by malware that infects the web browser; hence, conventional secure channels between a machine (the bank server) and a machine (the web browser), such as SSL, cannot prevent them. In this paper, we propose an approach to preventing MITB attacks by constructing a secure communication channel between a machine (the bank server) and a human (the end user). Our approach uses the user as a computational resource and asks the user to operate one endpoint of the channel. We develop a challenge-and-response protocol that realizes the proposed channel and conduct a safety evaluation of it. The result shows that the protocol works safely under the assumption that the bank server can send the user a “challenge that malware in the browser cannot see”. We also show that sending such a challenge is feasible by applying CAPTCHA technology.
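The abstract leaves the protocol itself to the body of the paper. The following Python model is an added illustration, not the authors' protocol: it assumes the simplest human-computable challenge, a random digit-to-letter substitution table that the server would deliver as a CAPTCHA image, and assumes digit-only account numbers and a session identifier, none of which the abstract specifies. The browser object is the untrusted middle; its `tamper` flag models MITB malware rewriting the recipient after the user has approved the transfer. Because the user's response encodes the transaction the user actually saw, the server detects the rewrite even though the browser relayed everything else faithfully.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    """What the human intends to send, or what the server actually receives."""
    recipient: str   # account number, digits only (assumption of this model)
    amount: int      # whole currency units


def encode(table: dict, tx: Transaction) -> str:
    """Human-computable response: look up each digit of the transaction in the
    substitution table. This is the 'user as computational resource' step; a
    person can do it by reading the table off an image."""
    plain = f"{tx.recipient}{tx.amount}"
    return "".join(table[d] for d in plain)


class BankServer:
    """Issues a single-use challenge and checks the human's response against
    the transaction details the browser actually submitted."""

    def __init__(self):
        self._sessions = {}

    def new_challenge(self, session_id: str) -> dict:
        # Random digit -> letter table. The table *is* the challenge. In the
        # paper's setting it would be rendered as a CAPTCHA so malware in the
        # browser cannot parse it; here the 'image' is a dict that the Browser
        # class is written never to inspect.
        rng = secrets.SystemRandom()
        letters = rng.sample(string.ascii_uppercase, len(string.digits))
        table = dict(zip(string.digits, letters))
        self._sessions[session_id] = table
        return table

    def verify(self, session_id: str, submitted: Transaction, response: str) -> bool:
        table = self._sessions.pop(session_id, None)   # single use: never reissued
        if table is None:
            return False
        expected = encode(table, submitted)
        return secrets.compare_digest(expected, response)


class Human:
    def respond(self, table: dict, intended: Transaction) -> str:
        return encode(table, intended)


class Browser:
    """The untrusted middle. `tamper=True` models MITB malware that rewrites
    the recipient after the user has approved the transaction."""

    def __init__(self, tamper: bool = False):
        self.tamper = tamper

    def forward(self, tx: Transaction) -> Transaction:
        if self.tamper:
            return Transaction(recipient="99999999", amount=tx.amount)  # constructed
        return tx


def run_session(tamper: bool) -> bool:
    server, human, browser = BankServer(), Human(), Browser(tamper)
    intended = Transaction(recipient="12345678", amount=500)   # constructed sample
    table = server.new_challenge("session-1")                   # hypothetical id
    # The browser relays the challenge image to the human untouched (it cannot
    # read it), then relays the user's response and the transaction to the server.
    response = human.respond(table, intended)
    submitted = browser.forward(intended)
    return server.verify("session-1", submitted, response)


def honest_session() -> bool:
    return run_session(tamper=False)   # True


def mitb_session() -> bool:
    return run_session(tamper=True)    # False: the response encodes the intended recipient


if __name__ == "__main__":
    print("honest:", honest_session())
    print("mitb  :", mitb_session())
```

Two properties of this model are worth noticing when reading the paper's safety evaluation. First, the whole scheme rests on the browser being unable to read the table, which is exactly the "challenge that malware in the browser cannot see" assumption the abstract states. Second, the response leaks the table entries for every digit that occurs in the transaction, so the table must be single-use (hence `pop` in `verify`), and a stronger human-computable function would be needed before treating this toy as a design.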

Keywords

Man-in-the-Browser attacks · Secure communication channel · CAPTCHA

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Takashi Tsuchiya (1)
  • Masahiro Fujita (1)
  • Kenta Takahashi (2)
  • Takehisa Kato (3)
  • Fumihiko Magata (4)
  • Yoshimi Teshigawara (5)
  • Ryoichi Sasaki (5)
  • Masakatsu Nishigaki (1), corresponding author
  1. Shizuoka University, Hamamatsu, Japan
  2. Hitachi, Ltd., Totsuka, Japan
  3. Toshiba Corporation Industrial ICT Solutions Company, Fuchu, Japan
  4. NTT Secure Platform Laboratories, Musashino, Japan
  5. Tokyo Denki University, Adachi, Japan