Recently I read an article about phishing attacks.
Most international banks use several levels of security, not just a username and password, to let you into your account through online banking.
Levels they use for authentication:
1) The first level of authentication was the username and password.
Problem -> If the page is not secured, i.e. it does not use SSL, the credentials travel in clear text and are vulnerable to packet sniffing.
Solution -> The bank moved the login onto an encrypted channel using SSL.
2) The second level of authentication is a security PIN.
3) The bank then added another level by asking for a security word or number that is different from the username and the PIN.
The attacker was smart and turned to a different attack: phishing.
As we already know, a phishing site is a fake web page that mimics the original one. The attacker somehow lures the victim to this copy, and the user enters all of their details because it looks the same. The fake page may even be served over SSL, so the padlock gives the user no reason to doubt it; the padlock only proves that the connection to the domain in the address bar is encrypted, not that the domain belongs to the bank. Now the attacker has all of the user's information.
Problem -> How to identify a phishing site
Solution -> Always check the certificate issued by the CA: in the address bar you will find a padlock symbol, and sometimes it is highlighted in green. Check that the name in the certificate is the bank's real domain, not just that a padlock is present. This works for the computer savvy, but what about ordinary people? There is another trick, for the case where you reached the page through a link in an email: deliberately type your details wrongly and see whether it still lets you in. If it "authenticates" you with a wrong username or password, the page is certainly fake. The reverse does not hold: a phishing page that relays what you type to the real bank in real time will reject wrong details just as the bank would, so a rejection is not proof that the page is genuine.
No matter how many PINs, passwords or security questions we implement, the outcome is the same: the attacker will get all of them if you do not recognise the fake page.
At the end of the day the bank needs to protect your money, so they added a final level of security to stop it being transferred to the attacker's account. They designed a device that is given free of charge to every customer. It is used only when transferring money, and it works like this:
1) When you add a new payee, the site asks for the payee's details plus a special key that only the device can produce. The device generates this key and you enter it alongside the payee's details.
2) The next time you send money to that payee, the site shows you a number to type into the device. The device answers with a different number, which you enter on the site.
3) The bank verifies that answer against the keys it recorded when the payee was set up.
This is a challenge-response scheme: the number the device returns is computed from the bank's one-time challenge and a secret that exists only in the device and at the bank, so a number captured once is useless for any later transfer.
In this situation, even though the attacker has full access to the online banking account, he cannot transfer money to his own account. Each device is unique, and to activate it you need your debit or credit card and the same PIN you use at the ATM.
This way you improve security and stop hackers from stealing your money.
To add further security we could use fingerprint authentication for online login, and move this final step to the front of the process: the login PIN would then change every time, so even if the attacker captures one PIN, the next login requires a new one that only the device can produce.
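The device described above is a challenge-response token. The following is an added example, not the bank's or this post's own code: a hypothetical Python model in which the HMAC-based code derivation, the customers alice, grocer and mallory, the PIN 4321, the eight-digit codes and the `pay:payee:amount` context string are all my assumptions. It shows why a phisher who holds every credential still cannot move money, and it goes beyond the post in two ways: the device's answer is bound to the payee and amount as well as to the bank's challenge, and the same mechanism supplies the one-time login code proposed in the last paragraph.

```python
import hashlib
import hmac
import secrets


def _response(secret: bytes, challenge: str, context: str) -> str:
    # Eight-digit code over the shared secret, the one-time challenge and what
    # is being authorised. Only the device and the bank can compute it.
    mac = hmac.new(secret, f"{challenge}|{context}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Device:
    # Hypothetical customer device; card + ATM PIN activation modelled as a PIN gate.
    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False

    def activate(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self._unlocked

    def answer(self, challenge: str, context: str) -> str:
        if not self._unlocked:
            raise PermissionError("device not activated with card and PIN")
        return _response(self._secret, challenge, context)


class Bank:
    # Hypothetical back end holding one device secret per enrolled customer.
    def __init__(self):
        self._secrets, self._balances, self._pending = {}, {}, {}

    def enrol(self, customer: str, pin: str, balance: int) -> Device:
        secret = secrets.token_bytes(32)
        self._secrets[customer] = secret
        self._balances[customer] = balance
        return Device(secret, pin)

    def balance(self, who: str) -> int:
        return self._balances.get(who, 0)

    def issue_challenge(self, customer: str, context: str) -> str:
        # Reached after username/password/PIN, so phished credentials get here too.
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (customer, context)
        return challenge

    def verify(self, challenge: str, response: str):
        entry = self._pending.pop(challenge, None)  # single use: a replay finds nothing
        if entry is None:
            return None
        customer, context = entry
        expected = _response(self._secrets[customer], challenge, context)
        return entry if hmac.compare_digest(expected, response) else None

    def transfer(self, challenge: str, response: str) -> bool:
        entry = self.verify(challenge, response)
        if entry is None or not entry[1].startswith("pay:"):
            return False
        customer, context = entry
        _, payee, amount = context.split(":")
        self._balances[customer] -= int(amount)
        self._balances[payee] = self.balance(payee) + int(amount)
        return True


def scenario() -> dict:
    # Constructed walk-through: Alice, and a phisher who knows all her credentials.
    bank = Bank()
    device = bank.enrol("alice", pin="4321", balance=1000)
    device.activate("4321")

    # Login with a one-time code: the post's "PIN that keeps changing".
    c0 = bank.issue_challenge("alice", "login")
    login_ok = bank.verify(c0, device.answer(c0, "login")) is not None
    login_replay = bank.verify(c0, device.answer(c0, "login")) is not None

    # Legitimate transfer: the code is bound to this challenge, payee and amount.
    c1 = bank.issue_challenge("alice", "pay:grocer:100")
    r1 = device.answer(c1, "pay:grocer:100")
    transfer_ok = bank.transfer(c1, r1)

    # Phisher is logged in with stolen credentials but has no device to answer.
    c2 = bank.issue_challenge("alice", "pay:mallory:900")
    phisher_guess = bank.transfer(c2, "00000000")

    # Phisher reuses the real grocer code on a fresh challenge for his own account.
    c3 = bank.issue_challenge("alice", "pay:mallory:900")
    phisher_reuse = bank.transfer(c3, r1)

    return {"login_ok": login_ok, "login_replay": login_replay,
            "transfer_ok": transfer_ok, "phisher_guess": phisher_guess,
            "phisher_reuse": phisher_reuse, "alice": bank.balance("alice"),
            "grocer": bank.balance("grocer"), "mallory": bank.balance("mallory")}
```

Running `scenario()` gives `login_ok` and `transfer_ok` as True and every attacker outcome as False, with Alice's balance at 900, the grocer's at 100 and mallory's at 0. The two properties doing the work are that each challenge is popped on first use, so a captured answer cannot be replayed, and that the answer covers the payee and amount, so a code obtained for one transfer cannot be redirected to another.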
I understand that it will take longer just to transfer some money, but it is all for the security of your hard-earned money.
My suggestion is to deploy this method in developing countries.
Thank you for reading. Comments and suggestions are welcome.