With the evolution of communications technology and the internet, the number of functions users perform online has increased manifold. To perform these functions, users need access to system resources and interact with the system by providing and receiving information in an interactive yet secure manner. This information is increasingly prone to attack and misuse in online environments. Secure authentication mechanisms are a pressing need.
The most widely prevalent user authentication mechanism is the username and password approach. This method is, however, highly vulnerable to attack by malicious programs resident on various systems in the network, especially on the system the user uses to access the network, for example keyboard sniffers (keyloggers). The problem is further exacerbated by the fact that most users tend to use a single username and password for a variety of applications.
Another single-factor mechanism involves the use of captcha images. The user analyzes the image and types in the information, which is sent to and checked by the authentication system. As with any password or token, this response can be intercepted by malicious programs at the time the user enters it. Using the intercepted captcha response, an attacker can establish the session either from the same terminal or from a remote terminal.
To prevent keyloggers from sniffing the keyboard, many applications adopt a virtual keyboard: the user enters the secret with the mouse on an on-screen keypad. An attacker can still read the entered data directly from the memory of the application, so this approach is as vulnerable as password-based authentication and transaction systems.
Hardware- or software-based One Time Password (OTP) authentication systems provide a second factor in the form of a random-looking numeric password that changes every minute or so; this method has been adopted to counter password cracking and theft. Of course, this number can itself be intercepted by a keyboard sniffer, and during the period the OTP is valid the system is open to attack. Both software and hardware tokens are vulnerable in this respect.
To eliminate key logging, there are hardware OTP generators (including ones that use a smart card) that allow the application to fetch the OTP from the device and send it to the authenticating server. However, malware can read this OTP from the memory of the application that queries the device. During the period the OTP is valid, the system remains vulnerable to attack.
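The validity window described above can be made concrete. The following is an added example, not code from the patent or its cited prior art: it implements a standard time-based OTP (RFC 6238 over RFC 4226 HOTP, HMAC-SHA1) with a constructed seed and a 60-second step, and simulates a keylogger that captures the code the user types and replays it from another terminal. A plain server accepts the replay as long as it arrives within the same time step; marking each code as one-time-use closes the replay but not the race in which malware submits the captured code before the user's own submission reaches the server.

```python
import hashlib
import hmac
import struct

# Constructed values for the demonstration (assumptions, not from the page):
# a shared seed provisioned to the token and the server, and a 60-second step
# to match the "changes every minute or so" behaviour described above.
SEED = b"constructed-demo-seed-0123456789"
STEP = 60


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(now / step)."""
    return hotp(seed, now // step, 6)


class OtpServer:
    """Verifier that accepts the current step's code. With one_time_use=True it
    also refuses a (step, code) pair it has already accepted."""

    def __init__(self, seed: bytes, step: int = STEP, one_time_use: bool = False):
        self.seed = seed
        self.step = step
        self.one_time_use = one_time_use
        self.accepted = set()  # (counter, code) pairs already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        if not hmac.compare_digest(totp(self.seed, now, self.step), code):
            return False
        if self.one_time_use:
            if (counter, code) in self.accepted:
                return False
            self.accepted.add((counter, code))
        return True


def keylogger_replay(t_user: int, t_attacker: int, one_time_use: bool = False,
                     attacker_first: bool = False) -> dict:
    """Simulate: the user types the TOTP at t_user; a keylogger on the terminal
    captures it and submits the same code from another terminal at t_attacker.
    attacker_first models malware delaying the user's own submission so the
    attacker's copy reaches the server first. Returns acceptance per party."""
    server = OtpServer(SEED, STEP, one_time_use)
    captured = totp(SEED, t_user)  # exactly what the keylogger sees
    if attacker_first:
        attacker_ok = server.verify(captured, t_attacker)
        user_ok = server.verify(captured, t_user)
    else:
        user_ok = server.verify(captured, t_user)
        attacker_ok = server.verify(captured, t_attacker)
    return {"user": user_ok, "attacker": attacker_ok}


if __name__ == "__main__":
    # t=1000 and t=1010 fall in the same 60-second step; t=1030 is the next one.
    print("replay inside window:   ", keylogger_replay(1000, 1010))
    print("replay after window:    ", keylogger_replay(1000, 1030))
    print("one-time use, user first:", keylogger_replay(1000, 1010, True))
    print("one-time use, race lost: ", keylogger_replay(1000, 1010, True, True))
```

The one-time-use cache is the usual server-side mitigation; the last case shows why the page still counts the OTP as exposed for the whole validity period: whichever submission arrives first wins, and malware on the user terminal controls that ordering.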
Multi-factor authentication systems have been proposed in prior art (e.g. U.S. Pat. App. No. 20070067642A1) to provide multiple lines of defense. These typically use factors in addition to what you know (password) and what you have (token), namely who you are (biometric parameters such as a fingerprint or retinal image) and where you are (user geolocation parameters). These factors can be generated either in the user terminal or in a device connected to the user terminal. Devices that store secure credentials usually also have an authentication mechanism to verify that the device is valid and connected to the network (e.g. U.S. Pat. App. No. 20070011452A1). If so, operations using secure credentials stored on such devices are authorized by the server.
However, these operations can be intercepted by malware in the user terminal from the memory of the application.
Even if these authentication factors are encrypted in a secure device and sent to the user terminal such that they are not readable by malware, malware can forward them in encrypted form along with its own fraudulent request. The server in such a scenario will not be able to ascertain that the requested operation is fraudulent, because the factors prove who is present but say nothing about what is being requested. To do so, the server has to verify the data or information in the operation request sent from the user terminal, in addition to the authentication factors.
Information can be digitally signed using the private key associated with a digital certificate. Irrespective of whether the key and certificate are stored on the user terminal or on a read-only USB drive, malware can modify the information in the operation request before it is signed. The server will not be able to distinguish a valid request from a fraudulent one, because both carry a valid signature from the same certificate.
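The two preceding paragraphs share one failure: the credential (forwarded encrypted factors, or a signature) is computed over whatever bytes the terminal application supplies, so it authenticates the attacker's request just as well as the user's. The following is an added example, not code from the patent or the cited prior art. It models a signing device that signs what it is handed, a malware hook that rewrites the payee in application memory before signing, and a server that verifies the signature and cannot tell the two apart. For contrast it also models the secure-display confirmation step that the prior art discussed below relies on, where the device signs only what the user has confirmed on its own display. Assumptions: HMAC-SHA256 with a constructed device key stands in for the certificate-based signature (the standard library has no RSA/ECDSA), and the account identifiers are made up.

```python
import hashlib
import hmac
import json

# Assumption (constructed for this example): the signing key lives on the user's
# secure device; HMAC-SHA256 stands in for the certificate-based signature.
DEVICE_KEY = b"constructed-device-signing-key"


def canonical(request: dict) -> bytes:
    """Deterministic encoding so signer and verifier process identical bytes."""
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def device_sign(request: dict) -> bytes:
    """The device signs whatever request bytes the terminal application hands it."""
    return hmac.new(DEVICE_KEY, canonical(request), hashlib.sha256).digest()


def server_verify(request: dict, signature: bytes) -> bool:
    """The server only checks that the signature matches the request it received;
    it has no independent knowledge of what the user actually intended."""
    return hmac.compare_digest(device_sign(request), signature)


def terminal_flow(user_request: dict, malware=None):
    """Application on the insecure user terminal: builds the request, optionally
    lets resident malware rewrite it in memory, then asks the device to sign."""
    request = dict(user_request)
    if malware is not None:
        request = malware(request)  # modification happens before signing
    return request, device_sign(request)


def redirect_payee(request: dict) -> dict:
    """Constructed malware hook: swap the destination account in memory."""
    request["to_account"] = "ATTACKER-ACCT"
    return request


def secure_device_sign(request: dict, user_intent: dict):
    """Prior-art countermeasure: the device shows the request on its own secure
    display and signs only after the user confirms on its own input. The user's
    reading of the display is modelled as a comparison against their intent;
    a mismatch is a rejection and nothing is signed."""
    if canonical(request) != canonical(user_intent):
        return None
    return device_sign(request)


if __name__ == "__main__":
    intended = {"from_account": "ACC-001", "to_account": "ACC-002", "amount": 100}
    honest_req, honest_sig = terminal_flow(intended)
    tampered_req, tampered_sig = terminal_flow(intended, redirect_payee)
    print("honest verifies:  ", server_verify(honest_req, honest_sig))
    print("tampered verifies:", server_verify(tampered_req, tampered_sig),
          "-> pays", tampered_req["to_account"])
    print("secure display:   ", secure_device_sign(tampered_req, intended))
```

The point the example makes is structural rather than cryptographic: the signature is sound, the key never leaves the device, and the server is still defeated, because nothing binds the signed bytes to what the user saw. Only the variant that puts the display and the confirmation inside the trusted boundary refuses the tampered request, which is exactly the requirement the following paragraphs place on the user.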
Another mechanism proposed for secure authentication involves the use of multiple channels, such as the internet and the telephone network, whether circuit-switched or packet-based. The request to perform an operation is sent over one channel (e.g. from the user terminal over the internet), and the request is partially or fully authenticated on another channel (a code entered or an SMS sent from a handheld device over the telephone or internet channel, or information supplied over IVR). Sophisticated malware today is capable of executing synchronized attacks across multiple channels, e.g. malware resident on both the user terminal and the handheld device intercepts and modifies information in step with the flow of the requested operation.
Given these vulnerabilities, it has been proposed in prior art to have the user, as part of the operation request, confirm the operation in a secure environment having a secure display and secure mechanism for user to provide confirmation. The environment also has capability to securely exchange information with the server.
U.S. Pat. No. 7,962,742 describes a secure terminal device with a secure display and secure keyboard to which a user can seamlessly switch over to perform sensitive tasks such as online transactions.
U.S. Pat. No. 6,895,502 describes a method for secure transactions using a server-initiated challenge response mechanism and a secure user device where challenge is displayed to the user on a secure display and the user can confirm his response to the challenge using a secure input mechanism.
Pat. App. No. WO2009066217A2 describes a method for secure transactions where the user operation request is first sent to a secure device which displays the same to the user on a secure display and on user confirmation using a secure input mechanism, securely sends the request to the server.
Independent of whether the user confirmation step is triggered from server or client side, information related to every operation has to be displayed on the secure display and confirmed using a secure input mechanism by the user. The onus of security therefore is completely passed on to the user. The user has to read every operation request and manually confirm or reject the operation.
U.S. Pat. No. 6,895,502 also discusses the possibility of requesting user confirmation only for operations that exceed a pre-determined threshold, or a single confirmation step for a set of similar operations based on cached information. However, operations that do not go through the manual user confirmation step are no longer guaranteed to be secure.
As per methods in prior art, to prevent a transaction from being hijacked by malware, the transaction must be confirmed in a separate secure environment, i.e. an environment that has a Secure Display, a Secure Keyboard and encryption capabilities. Usually, the secure environment is provided in a small portable device with a small display and small keyboard, typically with just an Accept and a Reject button. This leaves a definite possibility of an inadvertent error on the part of the user. More complex confirmation codes that could prevent inadvertent user error need a larger set of keys, which is difficult to support on a small portable device and tedious for the user as well.
Also as per prior art, to prevent fraudulent transactions, the user must manually authorize every transaction in a secure environment.
Over a period of time, given that a majority of transactions are not fraudulent, there is a possibility that the user might get used to providing confirmation for a transaction without reading the full data displayed on Secure Display.
There is a clear need for systems and methods that do not require manual intervention from the user to authenticate each and every transaction. Also, there is a need for systems and methods that allow the user to provide manual confirmation using regular and comfortable input mechanisms such as a full-sized keyboard attached to an insecure environment without compromising on authentication validity and transaction security.