Abstract
As electronic banking is one important field in e-commerce, it becomes more and more a target of attackers. The majority of those attacks try to steal credentials, usually pins and tans, from the user. In this paper, we propose to use a machine’s Trusted Platform Module to bind an electronic banking account onto a certain machine. Doing so, an attacker is unable to use stolen credentials for malicious transactions as long as he/she doesn’t control the machine to which the account is bound to. The platform-authentication is based on a non migratable TPM key in conjunction with a client certificate. This client certificate is used for authentication purposes within the SSL/TLS handshake during session establishment of an online banking session.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
S. Balfe. Secure payment architectures and other applications of trusted computing, 2008.
L. Falk, A. Prakash, and K. Borders. Analyzing websites for user-visible security design flaws. In SOUPS ’08: Proceedings of the 4th symposium on Usable privacy and security, pages 117–126, New York, NY, USA, 2008. ACM.
S. Fox and J. Beier. Online banking 2006. http://www.pewinternet.org/Reports/2006/Online-Banking-2006.aspx?r=1, June 2006.
Trusted Computing Group. TNC Architecture for Interoperability. http://www.trustedcomputinggroup.org/resources/tnc_architecture_for_interoperability_version_13, April 2008. Specification Version 1.3 Revision 6.
Trusted Computing Group. TCG Media Room, http://www.trustedcomputinggroup.org/media_room/news/95, April 2009.
S. Rehbock and R. Hunt. Trustworthy clients: Extending tnc to web-based environments. Computer Communications, 32(5):1006–1013, 2009.
Z. Song, J. Molina, S. Lee, H. Lee, S. Kotani, and R. Masuoka. Trustcube: An infrastructure that builds trust in client. In Future of Trust in Computing, pages 68–79. Vieweg+Teubner, 2008.
F. Stumpf, C. Eckert, and S. Balfe. Towards secure e-commerce based on virtualization and attestation techniques. In Proceedings of the Third International Conference on Availability, Reliability and Security (ARES 2008), pages 376–382, Barcelona, Spain, Mar. 2008. IEEE Computer Society.
C. von Eitzen, Hackers paralyse emissions trading scheme, H-online, http://www.h-online.com/security/news/item/Hackers-paralyse-emissions-trading-scheme-921075.html, Feb. 2010.
I. Stone, Gone Phishing, twitter Blog, http://blog.twitter.com/2009/01/gone-phishing.html, Jan , 2009
Federal Office for Information Security (BSI), Quartalsbericht 1/2010, https://www.bsi.bund.de/cae/servlet/contentblob/1117344/publicationFile/89792/Quartalslagebericht_1_2010_pdf.pdf ,pages 5–7, Bonn, 2010
B. Krebs, Study: $3.2 Billion Lost to Phishing in 2007, Washington Post, http://blog.washingtonpost.com/securityfix/2007/12/study_32_billion_lost_to_phish_1.html, Dec. 2007
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH
About this chapter
Cite this chapter
Bente, I., Vieweg, J., Helden, J.v. (2011). Countering Phishing with TPM-bound Credentials. In: Pohlmann, N., Reimer, H., Schneider, W. (eds) ISSE 2010 Securing Electronic Business Processes. Vieweg+Teubner. https://doi.org/10.1007/978-3-8348-9788-6_23
Download citation
DOI: https://doi.org/10.1007/978-3-8348-9788-6_23
Publisher Name: Vieweg+Teubner
Print ISBN: 978-3-8348-1438-8
Online ISBN: 978-3-8348-9788-6
eBook Packages: EngineeringEngineering (R0)