Introduction
Personal computer users face diverse security consequences from malicious software such as spyware and rootkits in their everyday system usage, especially during internet transactions. This report outlines the procedures for securing personal data over an untrusted internet as addressed by Mohammad Mannan during a security seminar. The presentation took place on February 22nd, 2011 at the Concordia Institute for Information Systems Engineering (CIISE) of Concordia University, located in the vibrant cosmopolitan setting of Montreal, Quebec, Canada. The “Authentication and Securing Personal Information in an Un-trusted Internet” colloquium addressed drawbacks relating to computer and web usability. The session by Mannan mainly addressed semantic attacks, for instance phishing, which has become common on untrusted host machines as well as through legitimate sites. Today most antivirus software itself suffers more vulnerabilities than non-security software. The growth of untrustworthy environments on the web therefore raises the question of whether there are measures or tools to control, improve and protect those environments for end-users. How can users continue to engage in online economic transactions safely?
Discussion
Mobile Password Authentication (MP-Auth)
The main way of improving security for the end user is to find a realistic technology or model that clients can put into operation during real-world or online transactions. The ability to verify the integrity of a session, together with password generation and authentication techniques, are some of the mechanisms that can help end-users improve transaction security. Phishing and session hijacking compromise the procedures for authenticating the integrity of sensitive data even when users practise the most convenient security measures. This is a real concern for user safety during online transactions. The intention of most web-based security practices is to protect the user from sophisticated phishing fraud during sensitive web transactions, whether through a secure PC or through a compromised platform. The security of personal information requires authentication and safeguarding of sensitive information such as online banking credentials and other long-term codes or keys.
Mobile Password Authentication (MP-Auth) addresses this issue through the use of simple mobile devices such as smartphones or PDAs (Personal Digital Assistants) that work with the server to encrypt the password under the server's public key, so that it can be relayed through a vulnerable end-user machine. The long-term password can therefore be used as a single-use password, since it remains concealed from potential phishing sites. The MP-Auth protocol thus safeguards the integrity of transactions through persistent confirmation on, and transparency to, the mobile device in use, as opposed to the conventional two-factor technique.
MP-Auth provides protection and privacy for users, such as protecting their passwords against phishing and against violation of integrity during a transaction. On the assumption that the mobile device in use is free from malware and that all users can obtain the correct public key from the bank, the setup of the device must include the public keys of all targeted websites. The MP-Auth procedure thus involves a visit to an online banking website from a vulnerable personal computer, but the browser forwards the authentication prompt to the mobile device. The device in turn encrypts the password using the website's public key (loaded at some stage during setup). The result (an encrypted password) is then forwarded to the financial site through the browser of the vulnerable personal computer.
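The flow described above, as an added model written for this report and not code from Mannan's MP-Auth implementation: the bank issues a challenge nonce, the phone binds the long-term password to that nonce and encrypts the pair under the bank's public key, the untrusted PC relays only ciphertext, and the bank consumes the nonce on verification. The message layout (nonce followed by password, RSA-OAEP) is an assumption for illustration, not MP-Auth's exact wire format.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Bank models the server: key pair, the user's long-term password and the outstanding nonce (constructed model, not MP-Auth's exact message format).
type Bank struct {
	key      *rsa.PrivateKey
	password []byte
	nonce    []byte
}

func NewBank(password string) *Bank {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Bank{key: k, password: []byte(password)}
}

// Challenge issues a fresh nonce; the browser on the untrusted PC relays it to the phone.
func (b *Bank) Challenge() []byte {
	b.nonce = make([]byte, 16)
	if _, err := rand.Read(b.nonce); err != nil {
		panic(err)
	}
	return b.nonce
}

// MobileRespond runs on the phone: bind the password to the nonce and encrypt under the bank's public key, so the PC relays only ciphertext.
func MobileRespond(bankPub *rsa.PublicKey, nonce []byte, password string) ([]byte, error) {
	msg := append(append([]byte{}, nonce...), []byte(password)...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, msg, nil)
}

// Verify accepts only the outstanding nonce plus the right password, then consumes the nonce so a replayed ciphertext fails.
func (b *Bank) Verify(ct []byte) bool {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, b.key, ct, nil)
	n := len(b.nonce)
	if err != nil || n == 0 || len(pt) < n {
		return false
	}
	ok := subtle.ConstantTimeCompare(pt[:n], b.nonce) == 1 && subtle.ConstantTimeCompare(pt[n:], b.password) == 1
	b.nonce = nil
	return ok
}
```

A site holding a different key pair (a phishing site) cannot decrypt the relayed ciphertext, and a keylogger on the PC sees only the ciphertext, which is useless once the nonce is consumed.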
Suggestions
The MP-Auth procedure protects against phishing because spoofed sites are not able to decrypt the information. The protocol also prevents pharming by concealing long-term secret information, especially when the user's cache is under threat. Protection of transaction procedures is assured since it is easy for the mobile device to detect illegal transactions initiated on the computer. MP-Auth can still fail due to overhead, the involvement of large software components, and the failure of measures to notify users of authentication status. Most attacks on MP-Auth thus occur due to the presence of malware, re-use of passwords on different websites (especially social sites), lack of password hashing, and submission of passwords during social browsing. In his presentation, Mannan (2011) notes that malware on personal devices is avoidable by “virtualized Trusted Platform Module (vTPM), TCG’s Mobile Phone Work Group or devices of less functionality or software” (p.18). General user safety tips include attentiveness throughout the confirmation of secure data transactions and the use of devices that are free from malware during web transactions.
Mobile device authentication depends highly on the strength of the user's password. Use of other options such as graphical passwords (images or binary) instead of plain text may strengthen the password. Various platforms support password encryption through mobile devices, such as browser add-ons and current mobile applications on Android.
Conclusion
Common attacks by spyware and malware occur through the installation of keyloggers (hardware and software) on personal computers. Today it is possible for phishing sites to install keyloggers on personal computers even when the user does not explicitly download anything or follow links to such sites. The main aim is to extract useful information such as usernames or passwords for accessing financial accounts. The malware gains access to this information when unsuspecting users key in these long-term secret details on a typical personal machine to access online bank accounts. Current phishing attacks are also able to obtain information from computers that are free from malware by hijacking domain identities. Safeguarding long-term passwords therefore requires encryption on a mobile device under the public key of the server. The long-term access information must therefore be transformed into one-time passwords, which are not easily disclosed by keyloggers or phishing sites. This form of password authentication thus causes the personal computer to act as a mere bridge for interaction with websites, since it relays only encrypted data and handles only temporary secrets such as one-time passwords. Mobile devices are thus better suited since they have limited software compared to personal computers and provide security protocols that involve password authentication only.
Reference
Mannan, M. (2011). Authentication and Securing Personal Information in an Untrusted Internet: Security Seminar. Montreal, Quebec Canada: Concordia University.