Edinburgh Napier University

  The rapid growth of e-commerce has many associated security concerns. Thus, several studies to develop secure online authentication systems have emerged. Most studies begin with the premise that the intermediate network is the primary point of compromise. In this thesis, we assume that the point of compromise lies within the end-host or browser; this security threat is called the man-in-the-browser (MITB) attack. MITB attacks can bypass security measures of public key infrastructures (PKI), as well as encryption mechanisms for secure socket layers and transport layer security (SSL/TLS) protocol. This thesis focuses on developing a system that can circumvent MITB attacks using a two-phase secure-user authentication system, with phases that include challenge and response generation. The proposed system represents the first step in conducting an online business transaction.
The proposed authentication system design contributes to protect the confidentiality of the initiating client by requesting minimal and non-confidential information to bypass the MITB attack and transition the authentication mechanism from the infected browser to a mobile-based system via a challenge/response mechanism. The challenge and response generation process depends on validating the submitted information and ensuring the mobile phone legitimacy. Both phases within the MUAS context mitigate the denial-of-service (DOS) attack via registration information, which includes the client’s mobile number and the International Mobile Equipment Identity (IMEI) of the client’s mobile phone.
This novel authentication scheme circumvents the MITB attack by utilising the legitimate client’s personal mobile phone as a detached platform to generate the challenge response and conduct business transactions. Although the MITB attacker may have taken over the challenge generation phase by failing to satisfy the required security properties, the response generation phase generates a secure response from the registered legitimate mobile phone by employing security attributes from both phases. Thus, the detached challenge- and response generation phases are logically linked.