University of Tartu - ©2011 Rafik Chaabouni - Last update: 19.09.2012 16:06
Date: 26/09/2012
Location: J. Liivi 2, room 317 (next to the coffee room)
Title: Security Analysis of Internet Bank Authentication Protocols and their Implementations
Abstract:
In some European countries, banks have taken on the role of identity providers, providing identity services to external entities. The aim of this study is to define the security properties required of the protocols and processes used in this type of federated authentication, and to assess the security of the implementations employed in practice. The objects of this study are 11 major banks in Estonia and Latvia and their respective service providers. The findings show that the required security properties are not provided in practice, thus making Internet bank authentication extremely insecure. Most of the banks were found to be using protocols that are vulnerable by design. Security issues were discovered in nearly all of the service providers' implementations, and some implementations were even found to be vulnerable to a complete Internet bank authentication bypass.