Online Banking Security Series 3: The Dynamic Password Lock, a Security Analysis of China's Online Banking

Source: Internet
Author: User

The previous article ("Online Banking Security: An Analysis of China's Online Banking System Security") gave a general description of what a secure online banking system looks like. Today we discuss how to construct such a system.
To know what kind of online banking system is secure, you must first know which online banking systems are insecure.

In my opinion, every online banking system without a hardware authentication token is insecure.

These systems include the various "public edition" online banking services and some so-called "professional edition" services based on digital certificates, because in essence all of their code runs in the memory of the user's computer, where every user operation can be intercepted by a Trojan. In theory, an attacker can then impersonate the user and log on to the system. A secure online banking system can be built only when an independent identity authentication hardware device, outside the user's computer, is part of the login.

Two identity authentication hardware products are currently popular for making online banking login safer.

The first is called the "dynamic password lock".

A dynamic password, also known as a one-time password, is a password that changes continually with time or with the number of uses, so that each password is used only once. Dynamic passwords rely on a dedicated piece of hardware called a dynamic token, which has its own built-in power supply, a password-generating chip and a display. (The original article shows a picture of the product at this point.) The number keys are used to enter the user's PIN, and the display shows the one-time password. Each time the correct PIN is entered, the token shows the one-time dynamic password that is currently valid.

The token's password-generating chip runs a dedicated password algorithm that derives the current password from the current time and usage count and shows it on the display. The authentication server uses the same algorithm to compute the currently valid password. Because every password must be generated by a dynamic token, and only the legitimate user holds that hardware, the system can treat a user whose password passes verification as genuine. The password differs every time, so even if an attacker intercepts one password, it cannot be used to impersonate the legitimate user, because the next login requires a new dynamic password.

The dynamic password lock system rests on two elements. One is the static PIN, which the user sets and keeps. The other is the dynamic password, which the token generates and which is unpredictable; it is kept in synchronization with the back-end server, which verifies it. Both the correct static PIN and the correct dynamic password are therefore required to pass identity authentication.

The dynamic password lock can be used only after the PIN is entered. The security value of the static PIN is that it is entered not on the computer but on the password lock itself, so in theory every Trojan on the computer is ineffective, because it cannot run on the separate hardware lock.

To crack a user's password, an attacker must first physically obtain the user's dynamic password lock and then the user's PIN: the attacker would have to break into the user's home (a computer hacker would also need to learn the skills of an ordinary thief), steal the lock, and then crack the PIN. Without the PIN the lock still cannot be used, and the lock usually has a further protection: if an incorrect PIN is entered 10 times, the lock automatically locks itself and can no longer be used. This also ensures the physical security of the dynamic password lock.
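As an added example (not part of the original article and not any bank's product), the Python below models the scheme described above: a token that derives a one-time password from a shared secret and the current time step, releases it only after the correct PIN, and locks itself after 10 wrong PINs; and a bank-side verifier that holds the same secret, recomputes the password, tolerates one time step of clock drift, and refuses to accept any password twice. The seed, PIN, 60-second time step and HMAC-SHA1 truncation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 60          # seconds per password window (assumption)
PIN_ATTEMPT_LIMIT = 10  # the article: 10 wrong PIN entries lock the token


def dynamic_password(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive the one-time password for one counter value.

    The counter is the current time step (or a usage count); the same
    function runs inside the token and inside the bank's server.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class DynamicPasswordLock:
    """The hardware token: secret and PIN never leave the device, only the OTP."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._failed_pins = 0
        self.locked = False

    def press(self, pin: str, now: int) -> Optional[str]:
        """Return the current OTP for a correct PIN, None otherwise."""
        if self.locked:
            return None
        if not hmac.compare_digest(pin, self._pin):
            self._failed_pins += 1
            if self._failed_pins >= PIN_ATTEMPT_LIMIT:
                self.locked = True                  # permanent lock, as the article describes
            return None
        self._failed_pins = 0
        return dynamic_password(self._secret, now // TIME_STEP)


class AuthServer:
    """Bank-side verifier.

    Single-key scheme: the server stores the very same secret as the token,
    so it can compute every password the token will ever show.
    """

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self._secret = secret
        self._window = window        # accepted clock drift, in time steps
        self._last_counter = -1      # highest counter already accepted

    def verify(self, otp: str, now: int) -> bool:
        base = now // TIME_STEP
        for counter in range(base - self._window, base + self._window + 1):
            if counter <= self._last_counter:
                continue             # one-time use: never accept an old password
            if hmac.compare_digest(dynamic_password(self._secret, counter), otp):
                self._last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"constructed-shared-seed"              # constructed sample secret
    token = DynamicPasswordLock(seed, "1234")
    server = AuthServer(seed)
    now = int(time.time())
    otp = token.press("1234", now)
    print("token shows:", otp)
    print("first use accepted:", server.verify(otp, now))
    print("replay accepted:", server.verify(otp, now))
```

The `window` of one time step is what lets a token whose clock has drifted slightly still authenticate; the `_last_counter` check is what keeps an intercepted password from being replayed, even inside that window.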

Dynamic password technology perfectly solves the security problems on the client side, because whatever method attackers use, they cannot easily steal the user's password, and even if they steal a password once, they cannot use it to log on.

Technically, dynamic password technology is a perfect solution. Unfortunately, the cost of a dynamic password lock is too high: most cost more than 100 yuan, which hinders large-scale deployment. Some banks in China currently use a printed card called a "dynamic password card", which is also meant to implement the original dynamic password technology. In fact, this low-cost card has obvious defects: its contents can be copied easily, and no PIN protects them. If someone steals or copies the card, they can log on under the user's name, so its security is far below that of a real dynamic password lock identity authentication system.

Although the security of the dynamic password lock is indeed good, the technology also carries a security risk: the security of the server. A dynamic password is essentially single-key (symmetric) encryption with only one key, so every dynamic password can be computed inside the server-side authentication system. If attackers concentrate on compromising the bank's authentication server, that poses a real threat to the banking system. In addition, the system depends on the online banking system's administrator, who can modify the dynamic password lock rules on the server side, which also carries some risk.

Next, we will introduce another low-cost identity authentication hardware product, which implements secure authentication with two-key (public-key) encryption and can make up for some of the security risks of the dynamic password lock.
