Introduction
Today's banking systems have been highly digitized, especially since the advent of the Internet and the Web. While in the past the majority of bank customers only experienced e-banking via the use of ATMs, in recent years online banking through the Internet has become more and more popular, and mobile banking has also started to grow thanks to the rapid penetration of personal mobile devices in the general population. According to annual surveys of the American Bankers Association (ABA), since 2009 Internet banking has become the most preferred choice of banking for most bank customers. The ABA survey released on 9 October 2012 shows that 39% of the bank customers interviewed prefer Internet banking (via a laptop or a PC) the most and 6% prefer mobile banking the most. Even for the most conservative group of customers, those aged 55+, Internet banking has been the first choice of banking since 2011 according to the ABA surveys of 2011 and 2012. Although the ABA surveys cover the American banking sector only, a similar pattern of increased use of Internet banking has been observed in many other countries. The rapid growth of online banking all over the world brings a great amount of convenience to bank customers and many opportunities for new businesses (e.g. online payment platforms and credit-card-free online shopping). However, cyber criminals also benefit from the same convenience, since they are now able to attempt many new kinds of attacks which were previously either impossible or limited to a very small scale by the need to be physically present at a bank branch, an ATM or a POS terminal. To counter these new cyber threats, many new security measures have been developed and deployed by financial institutions.
Unfortunately, not all security measures work (or worked) well, and we keep witnessing successful attacks on financial institutions and their customers. The cyber battle between us and cyber criminals is not a purely technical problem in the computer security field, but also involves many other disciplines such as human-computer interaction, psychology, economics, law, politics, management and anthropology. In addition to the well-known trade-off between security and usability in all human-involved computer security systems (e-banking being no exception), some recent research work has also revealed how different stakeholders behave according to customer protection laws, banking regulations, their own modelling of (economic and legal) risks, and competition among different entities.
What is Shujun Li working on?
Shujun Li's main research interests on e-banking include (but are not limited to) the following:
- CAPTCHAs used for protecting e-banking systems: security analysis and Captchæcker
- New hardware-based security measures for protecting e-banking systems, such as hPIN/hTAN and its enhanced editions
- Cross-nation and cross-institution comparative studies of e-banking security measures and how different financial institutions manage those measures
- Anti-phishing solutions that can help financial institutions and law enforcement agencies fight phishers more effectively: honeypot-based anti-phishing framework
- Human user authentication schemes that are secure against observation attacks (shoulder surfers, hidden cameras, phishers, man-in-the-middle attackers, malware, etc.) and can find applications in e-banking systems: SecHCI
- PIN/password security of ATMs
- Role of legislation and regulations in cyber attacks on e-banking systems and payment-as-a-service (PaaS) offerings
- Underground economy and how it links to the overground economy
e-Banking Solutions
- e-banking CAPTCHAs: insecure against automated attacks [Li et al., Breaking e-Banking CAPTCHAs, ACSAC 2010]
- iTAN (indexed TAN): insecure against MitM (Man-in-the-Middle) attacks
- mTAN (mobile TAN), also known as smsTAN or TAC-SMS: insecure against mobile malware; requires a trusted out-of-band (OOB) channel; unavoidable additional costs (SMS messages); untrusted telecommunication service provider
- photoTAN: insecure against mobile malware
- Sm@rt-TAN plus or chipTAN: not very portable (with a trusted keypad); repeated data input; expensive; requires a banking card
- Sm@rt-TAN optic: not very portable (with a trusted keypad); requires optical sensors; expensive; requires a banking card
- AGSES Card: requires optical sensors; expensive (includes a fingerprint recognition system); dependency on a third-party website (AGSES Server)
- Smart card readers with both a trusted display and a trusted keypad, such as FINREAD/FinTS/HBCI Class-3 readers and EMV-CAP readers (e.g. VASCO DIGIPASS 920 WYSIWYS Connected Card Reader): not very portable (with a trusted keypad); expensive; require a banking card
- WYSIWYS USB tokens (e.g. IBM ZTIC, KOBIL mIdentity visual, Seal One® USB): no PIN entry protection; complicated design (encryption + TLS/SSL + HTTPS)
- hPIN/hTAN: Shujun Li and his collaborators' solution, with a better balance between security and usability
- ...
Are you interested?
Please contact Shujun Li for possible collaborations! There are plenty of ideas but a shortage of hands! :-)
General Resources
Portals:
- L. Jean Camp's Economics of Information Security Page (UK)
- Banks around the World
- European Banking Resources
- FindSortCodes.co.uk
- BLZ Suche Deutschland
- IBAN-Rechner
Standards and Standardization Bodies:
- ISO/TC 68, Financial Services (ISO 20022 Universal financial industry message scheme)
- FINREAD - Financial transactional IC card reader