Published: Sep 20, 2018
This work contributes the design and implementation of an inventive secure authentication method that uses a QR code: an open-source proof-of-concept authentication system that performs two-way authentication by combining a password with a mobile phone acting as an authentication token. The QR code is extremely secure, as all the sensitive information stored and transmitted is encrypted; it is also an easy-to-use and cost-efficient solution. A complex password is stored in the QR code. A smartphone is used to scan the code with a QR code scanner. The scan result generates one string, which is the combination of the IMEI number of the phone registered by the user and a random number, where the random number is generated by the random number function which is pre. If the network is available on the smartphone, the generated string is automatically entered into the login page and the bank's home page opens. Otherwise, a six-digit PIN code is generated, which has to be entered manually on the login page, after which the bank's home page opens for transactions.[1]
In a modern world where we are able to do almost everything online, it is critical to be able to access these services in the most secure manner. Indeed, as viruses and cracking methods become more complex and powerful by the day, the available security techniques must improve as well, allowing users to protect their data and communications with maximum confidence. The aim is to develop an authentication method using two-factor authentication: a trusted device (a mobile phone) that reads a QR code and acts as a token, and a password known by the user.
Nowadays we are able to do almost everything online (banking, shopping, communicating), and the challenge is that our information must not get damaged while we do these things. Indeed, the methods of cracking security codes are getting more complex and powerful. These powerful applications allow users to work on untrusted computers confidently. This work is based on a two-way authentication system in which the QR code provides the security. Existing systems use security methods such as passwords, usernames, fingerprints, and face detection, but the security of these methods is not up to the mark, so there is a need to develop a security system that provides high security. The recent interest in the use of visual tags in everyday life is a natural consequence of the technological advances found in modern mobile phones.[2]

The QR code is a matrix consisting of an array of nominally square modules arranged in an overall square pattern, including a unique pattern located at three corners of the symbol and intended to assist in easy location of its position, size and inclination. A wide range of symbol sizes is provided, together with four levels of error correction. There are two sections in this system. In the encoding section, the input data is converted to a QR code symbol: the data is analyzed and encoded, and after error correction coding the final message is structured. The decoding section decodes the input QR code image and displays the data contained in that QR code. The decoding procedure starts with the recognition of the black and white modules, followed by decoding of the format information.
In the literature survey we surveyed certain systems that are commonly used. To eliminate the threat of phishing and to confirm the user's identity, a QR code scanned by the user's mobile device can be used, and the weakness of the traditional password-based system can be improved by a one-time password (OTP) calculated from the user's transaction information and from data unique to the user side, such as the IMEI number of the user's mobile device. We studied how these systems work, tried to list their unique features and disadvantages, and tried to learn something new from each system.
The aim is to design a system that replaces the current OTP-based two-factor authentication system. The QR-based authentication system lets the user input the password; if the user is authenticated, an encrypted string consisting of the IMEI number of the user is displayed in the form of a QR code. The user scans the QR code with his phone, and if the encrypted string is the same as the IMEI number of the device, the user is authenticated. A further aim is to design a system for visually impaired persons in which the person uses his phone to scan the QR code and, after the scan is complete, the code is spoken out. The visually impaired can enter the code via text-to-speech to the web application.

Paper Name | Disadvantages

OTP Encryption Techniques in Mobiles for Authentication and Transaction Security | Most OTP systems are susceptible to real-time replay and social engineering attacks. OTPs are also indirectly susceptible to man-in-the-middle (MITM) and man-in-the-browser (MITB) attacks.

They can break down. Label damage: scratched or crumpled barcodes may cause problems.

A Secure Credit Card Protocol over NFC
QR code stands for Quick Response code. Before the QR code, the available authentication methods were user name and password, bar code, fingerprints, and face identity. But a user name and password do not provide much security, and bar codes have limitations: a bar code can only store up to 20 digits. A bar code therefore cannot store a very complex password, so it is not a very secure method.[3]

[Figure 4. Bar Code]

Fingerprint and face identity methods are very costly and not affordable for common users. The QR code was introduced to overcome all the drawbacks of the existing systems. QR codes (Quick Response codes) were introduced in 1994 by Denso-Wave, a Japanese company and subsidiary of Toyota. QR codes are two-dimensional bar codes, so they can be read from any direction in 360°. A QR code can store up to 4,296 alphanumeric characters, which is much more than a bar code can store. The QR code's structure is shown in the figure below:

Advantages of QR code:

A QR code is two-dimensional and readable from any direction. Its storage capacity is up to 4,296 alphanumeric characters. It is readable even if it is partially damaged. It is easy to scan with a camera-based device. QR codes are not readable by a person. A QR code can store the data held in a one-dimensional bar code in one-tenth the space. A QR code provides its information correctly even if it is damaged up to 30%. It can handle many types of data, such as numeric and alphabetic.
The following steps describe how to complete the registration process. First, the user goes to the registration section of the web application and submits her/his username, password and the IMEI number of the phone. After validation, the data entered by the user is stored in the database. From the data in the database, the server produces the public and private keys and stores them on the server. After this, the user proceeds to download and install the application on her phone. When the user runs the application for the first time, the class files of the public and private keys are created and stored in the internal storage of the mobile phone.[4] If the user does not enter all the values (username, password, IMEI number, mobile number, and email address), the registration process is not completed. Validation is the most important part of the registration process; if validation is not successful, the user is not able to log in.
First, the IMEI number and a random number are encrypted using the public key. The QR code is generated from this encrypted string using the QR code generation function available in Java, and the QR code image is displayed on the client machine. The user scans this QR code using the mobile phone. After scanning, in online mode (that is, when the network is available on the phone), the generated string (IMEI number and random number) is automatically entered into the login page. After a successful login, the home page of the bank opens. So in our system there is no need to remember the password, which is the combination of your IMEI number and the random number. The server decrypts the string using the user public key and verifies that a row exists in the transactions table with our random number, and then updates the row of the transactions table.[5] The server then checks whether the IMEI is correct and assigns that IMEI to the correct user. If the login is successful, the transaction row is deleted. This means that the generated QR code image is different every time. The PHP session is now created, and when the user logs off the session is destroyed.
Using the PIN code generation algorithm, a unique six-digit number is generated from the encrypted string (IMEI number and random number). The user has to enter this PIN code manually on the login page, together with his username. An on-screen keypad is available for entering the PIN code, so there is no need to enter it using the system's keypad. Here our system provides more security. After the PIN code is entered, the server verifies the IMEI number of the user that is stored in the database. If the IMEI number is present, the user is valid and the home page of the bank opens.

[Figure: Sequence diagram of offline authentication]

The timestamp is also checked. If the random number was generated more than 5 minutes ago, the session is destroyed and the user is not able to log in.
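The server-side checks from the online and offline flows above (a transaction row per random number, the IMEI lookup, the 5-minute timestamp), as an added Python example that is not the authors' code. The page does not specify its PIN generation algorithm, so the HMAC-SHA256 truncation, the per-device secret key standing in for the page's key pair, the table layout and all names here are assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 5 * 60  # the page's limit: random numbers older than 5 minutes are rejected


def derive_pin(device_key, imei, nonce):
    """Six-digit PIN from IMEI + random number (assumed HOTP-style truncation)."""
    mac = hmac.new(device_key, f"{imei}|{nonce}".encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


class QrLoginServer:
    """In-memory stand-in for the user and transaction tables (assumed schema)."""

    def __init__(self):
        self.devices = {}       # username -> (imei, device_key) saved at registration
        self.transactions = {}  # username -> (random number, time issued)

    def register(self, username, imei, device_key):
        self.devices[username] = (imei, device_key)

    def issue_challenge(self, username, now=None):
        """Create the random number carried in the QR code and record it."""
        nonce = secrets.token_hex(16)
        self.transactions[username] = (nonce, time.time() if now is None else now)
        return nonce

    def verify_pin(self, username, pin, now=None):
        now = time.time() if now is None else now
        # Delete the row on every attempt (the page deletes it on success), so
        # one challenge cannot be replayed or guessed at repeatedly.
        row = self.transactions.pop(username, None)
        device = self.devices.get(username)
        if row is None or device is None:
            return False
        nonce, issued_at = row
        if now - issued_at > PIN_TTL_SECONDS:
            return False  # stale challenge: the login attempt is refused
        imei, device_key = device
        expected = derive_pin(device_key, imei, nonce)
        return hmac.compare_digest(expected.encode(), str(pin).encode())
```

The phone computes `derive_pin` with the same key, IMEI and scanned random number; the server recomputes it rather than trusting any value sent by the client.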
In our system the security is more powerful because of the QR code and the encryption algorithm. A man-in-the-middle attack does not succeed against our system because communication between the server and the user is always encrypted. The username cannot be reused or copied because the username is deleted after the user logs out.[6] The mobile application also requires the password, so there is no way for an attack because the file is not easily accessible and is encrypted. A security problem arises only if an untrusted person knows how to handle the internal storage. A phishing attack on the mobile phone is possible by replacing the application with another application. The password would also be covered, but without the certificate this is still not possible. Another security element is the timestamp: if the user is not able to log in within the given timestamp, the login is not successful.
In the future we would like to improve many aspects of our project. We would like to add a voice input command feature to our website and Android application, which will help the user to do his work comfortably. We would also like to use an advanced encryption and decryption algorithm, better than AES.
This work provides additional security on top of the traditional way of authenticating for online banking, which consists of a username and password. By adding QR code authentication, the security measures for banking are enhanced. Two-factor authentication is considered in this system.[7] With the help of this QR code, security is increased during login to the particular bank. Only depending on the authentication will the client be able to perform the transaction.