On App-based Matrix Code Authentication in Online Banking

Vincent Haupert, Tilo Müller

2018

Abstract

Owing to their growing popularity, smartphones have made two-step authentication schemes not only accessible to everybody but also inexpensive for both the provider and the end user. Although app-based two-factor methods provide an additional element of authentication, they pose a risk if they are used as a replacement for an authentication system that is already secured by two-factor authentication. This particularly affects digital banking. Unlike methods backed by dedicated hardware to securely legitimize transactions, authentication apps run on multi-purpose devices such as smartphones and tablets, and are thus exposed to the threat of malware. This vulnerability becomes particularly damaging if the online banking app and the authentication app are both running on the same device. In order to emphasize the risks that single-device mobile banking poses, we show a transaction manipulation attack on the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank. Furthermore, we evaluate whether the matrix code authentication method that these banks and Comdirect implement—widely known as photoTAN—is compliant with the upcoming Revised Payment Service Directive (PSD2) of the European Banking Authority (EBA).



Paper Citation


in Harvard Style

Haupert V. and Müller T. (2018). On App-based Matrix Code Authentication in Online Banking. In Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-282-0, pages 149-160. DOI: 10.5220/0006650501490160


in Bibtex Style

@conference{icissp18,
author={Vincent Haupert and Tilo Müller},
title={On App-based Matrix Code Authentication in Online Banking},
booktitle={Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2018},
pages={149-160},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006650501490160},
isbn={978-989-758-282-0},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 4th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - On App-based Matrix Code Authentication in Online Banking
SN - 978-989-758-282-0
AU - Haupert V.
AU - Müller T.
PY - 2018
SP - 149
EP - 160
DO - 10.5220/0006650501490160