Tuesday, December 14, 2010

【Weak Current College】 China online banking security analysis: the dynamic password lock


If you want to know what kind of online banking system is secure, you first need to know which online banking systems are not secure.

My point is this: any online banking system that does not use a hardware authentication token is not secure.

These systems include the various "Community Edition" online banking offerings, as well as some of the so-called "digital certificate" Professional Editions, because essentially all of their code runs in the computer's memory, and every action the user takes can be intercepted by a Trojan. In theory, a hacker can forge the user's system logon. Only an authentication hardware device that is independent of the user's computer system can form the basis of a secure online banking system.

There are two popular authentication hardware products that can achieve a more secure online banking logon.

The first authentication product is called the "dynamic password lock".

A dynamic password (DynamicPassword), also known as a one-time password, is a user password that changes continuously according to time or the number of uses, so that each password is used only once. The dedicated hardware that generates dynamic passwords is called a dynamic token; it has a built-in power supply, a password-generation chip and a display. The figure below shows the appearance of the product: the user enters the PIN code on the number keys, and the display shows the one-time password. Each time the correct PIN code is entered, one currently valid dynamic password is obtained.

The password-generation chip in this product runs a dedicated password algorithm that derives the current password from the current time and the current count and shows it on the screen. The authentication server uses the same algorithm to calculate the currently valid password. Because every password used must be generated by the dynamic token, and only the legitimate user holds that hardware, the system can regard the user's identity as reliable as long as the password passes authentication. And because the password is different on every use, even if a hacker intercepts one password, it cannot be used to impersonate the legitimate user, because the next logon must use another dynamic password.

A dynamic password lock system has two factors. One is the static PIN code, which the user configures and keeps. The other is the dynamic password, generated dynamically by the password token; it is unpredictable, kept synchronized with the back-end server, and checked by the back-end server during access control. The user must therefore enter both the correct static PIN code and the dynamic password to pass authentication.

The dynamic password lock itself requires the PIN code to be entered before it can be used. The security feature of the static PIN is that it is not entered on the computer but on the password lock itself, so in theory every hacker Trojan fails, because a Trojan simply cannot reach a separate hardware password lock.

For a hacker to crack a user's password, it is first necessary to physically obtain the user's dynamic password lock, and second to obtain the user's PIN, so the hacker would have to sneak into the user's home (a computer hacker would have to learn the skills of an ordinary thief), steal the dynamic password lock, and then work out the PIN code. Without the user's PIN code the lock still cannot be used, and a dynamic password lock typically has its own protection: after the PIN code is entered incorrectly ten times it locks automatically and can no longer be used. This also guarantees the physical security of the dynamic password lock.

Dynamic passwords can be regarded as a complete solution to the client-side user security problem, because no matter what method a hacker uses to steal a user's password, a stolen password cannot be used to log on.

Technically, dynamic password technology is complete, but unfortunately the cost of a dynamic password lock is too high; most cost more than 100, which is not very conducive to large-scale use. Some Chinese banks currently pursue cheapness and use a card-type so-called "dynamic password card", which implements a more primitive form of dynamic password technology. In fact, such a low-cost card has an obvious defect: its contents can easily be copied, and it is not protected by a PIN code, so anyone who steals or copies the card can fake a login. Its security is far below that of a true dynamic password lock authentication system.

Although the security of the dynamic password lock is all well and good, dynamic password technology still has one security risk: server-side security. A dynamic password is essentially single-key (symmetric) encryption; there is only one key. The server-side authentication system can calculate every dynamic password, so if a hacker concentrates on breaking the bank's authentication server, part of the banking system can be compromised. The security of the system also depends on the network administrator: the administrator can modify the dynamic password lock data on the server side, which is also a security risk.
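To make the mechanism above concrete, here is an added illustration written for this page (it is not code from the original post or from any bank's product): the vendor's "dedicated password algorithm" is stood in for by the published counter-based HOTP scheme of RFC 4226 (assumption), with a constructed shared secret, a token that needs the PIN and locks after ten wrong attempts, and a server that accepts each counter value only once, so a replayed code fails. The same shared secret living on the server is exactly the single-key, server-side risk the post points out.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """Time-based variant (RFC 6238): the counter is the current 30-second time slot."""
    return hotp(secret, unix_time // step)

class Token:
    """Model of the hardware token: shared secret, use counter, PIN with lock-out (assumed)."""
    MAX_BAD_PINS = 10  # the post: ten wrong PIN entries lock the device

    def __init__(self, secret: bytes, pin: str) -> None:
        self.secret, self.pin = secret, pin
        self.counter, self.bad_pins = 0, 0

    def press(self, pin: str):
        """Next one-time password, or None when the PIN is wrong or the token is locked."""
        if self.bad_pins >= self.MAX_BAD_PINS:
            return None
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.bad_pins += 1
            return None
        self.bad_pins = 0
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class AuthServer:
    """Bank side: the same secret (the single-key weakness the post notes) and the next
    expected counter; a small look-ahead window tolerates codes generated but never used."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self.secret, self.next_counter, self.window = secret, 0, window

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1  # counter consumed, so a replay of this code fails
                return True
        return False
```

Anyone holding `secret` on the server side can call `hotp` for any counter, which is why the post's server-side concern is not solved by the token alone.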
