English abstract
One-Time Passwords (OTPs) are widely used to secure transactions in internet banking. The OTP is either generated by a passcode-generation token in the user's possession or generated on the system side and sent to the user as a short message (SMS). The user must enter the OTP and send it back to the system for confirmation. One scenario that frequently inconveniences users is a carelessly mistyped OTP, which causes the transaction request to be rejected. After a given number of rejections the system suspends access to the account, and the user must present identification documents at the bank in person to have access restored. A mistyped OTP usually differs from the correct one in only a few digits, so an attacker who can eavesdrop on OTP inputs can potentially recover the correct value by inference and trial-and-error and attack the system successfully. This study proposes an improved SMS-based OTP scheme with two new features: (1) the client device computes the user's registered mobile phone number and displays it on screen, so that the user can check it and confirm that the system is authentic; (2) once the displayed phone number has been verified as correct, the user enters the OTP received on the mobile phone, the client device verifies the entered OTP locally, and only a correct OTP is transmitted to the system side. The proposed scheme is therefore more convenient for the user and also lets the user verify that the system side is not an impostor. In addition, because a genuine client never forwards an incorrect OTP, the system can treat any incorrect OTP it receives as a sign that it is under attack and take defensive measures.
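The following simulation, added here as an illustration and not code from the paper, walks through the two features of the proposed scheme: the client device displaying the registered phone number as a check on the system's authenticity, and the client verifying the OTP locally so that only a correct OTP reaches the system. The abstract does not say how the client "computes" the phone number or verifies the OTP, so the mechanism below is an assumption: the client device and the system share a per-user secret, the system sends the phone number masked under an HMAC-derived keystream that only a holder of the secret can remove, and the OTP is derived from the same secret with HOTP-style truncation. The account, phone number, secret and SMS channel are all constructed for the demo.

```python
"""Simulation of the SMS-OTP scheme with client-side checks (added example).

Assumptions not stated in the abstract: client device and system share a
per-user secret; the registered phone number is sent masked under a keystream
derived from that secret; OTPs are HMAC-derived and truncated HOTP-style.
"""
import hashlib
import hmac
import secrets

OTP_DIGITS = 6


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def derive_otp(secret: bytes, txn_id: str, nonce: bytes) -> str:
    """6-digit OTP bound to the transaction and nonce (HOTP-style dynamic truncation)."""
    mac = _mac(secret, b"otp|" + txn_id.encode() + b"|" + nonce)
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def mask_phone(secret: bytes, nonce: bytes, phone: str) -> bytes:
    """XOR the phone digits with a keystream derived from the shared secret and nonce."""
    keystream = _mac(secret, b"phone|" + nonce)
    data = phone.encode("ascii")
    assert len(data) <= len(keystream), "phone number longer than one keystream block"
    return bytes(a ^ b for a, b in zip(data, keystream))


def unmask_phone(secret: bytes, nonce: bytes, masked: bytes) -> str:
    """Inverse of mask_phone; a wrong secret yields garbage rather than the real number."""
    keystream = _mac(secret, b"phone|" + nonce)
    return bytes(a ^ b for a, b in zip(masked, keystream)).decode("ascii", errors="replace")


class System:
    """Bank side: issues a transaction OTP by SMS and a masked phone number online."""

    def __init__(self):
        self.accounts = {}     # user -> (phone, shared secret)
        self.pending = {}      # txn_id -> (user, nonce, expected OTP)
        self.sms_outbox = []   # constructed stand-in for the SMS channel
        self.alerts = []       # incorrect OTPs received, treated as attack indicators

    def register(self, user: str, phone: str, secret: bytes) -> None:
        self.accounts[user] = (phone, secret)

    def start_transaction(self, user: str, txn_id: str) -> dict:
        phone, secret = self.accounts[user]
        nonce = secrets.token_bytes(16)
        self.pending[txn_id] = (user, nonce, derive_otp(secret, txn_id, nonce))
        self.sms_outbox.append((phone, f"{txn_id}: {self.pending[txn_id][2]}"))
        return {"nonce": nonce, "masked_phone": mask_phone(secret, nonce, phone)}

    def confirm(self, txn_id: str, otp: str) -> str:
        user, _nonce, expected = self.pending.pop(txn_id)
        if hmac.compare_digest(otp, expected):
            return "accepted"
        self.alerts.append((user, txn_id))  # a genuine client never sends a wrong OTP
        return "attack_suspected"


class ClientDevice:
    """User side: shows the registered number, then checks the typed OTP before sending it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def displayed_phone(self, challenge: dict) -> str:
        return unmask_phone(self.secret, challenge["nonce"], challenge["masked_phone"])

    def submit_otp(self, system: System, txn_id: str, challenge: dict, typed: str) -> str:
        expected = derive_otp(self.secret, txn_id, challenge["nonce"])
        if not hmac.compare_digest(typed, expected):
            return "rejected_locally"  # typo never leaves the device
        return system.confirm(txn_id, typed)


def run_demo() -> dict:
    """Genuine system, a typo, an impostor system, and a direct guess at the system."""
    secret, phone = secrets.token_bytes(32), "0912345678"
    bank, device, out = System(), ClientDevice(secret), {}
    bank.register("alice", phone, secret)

    ch = bank.start_transaction("alice", "txn-1")
    out["phone_matches"] = device.displayed_phone(ch) == phone
    sms_otp = bank.sms_outbox[-1][1].split(": ")[1]
    out["correct"] = device.submit_otp(bank, "txn-1", ch, sms_otp)

    ch = bank.start_transaction("alice", "txn-2")
    sms_otp = bank.sms_outbox[-1][1].split(": ")[1]
    typo = f"{(int(sms_otp) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    out["typo"] = device.submit_otp(bank, "txn-2", ch, typo)
    out["typo_never_sent"] = "txn-2" in bank.pending

    impostor = System()
    impostor.register("alice", phone, secrets.token_bytes(32))  # does not know the secret
    out["impostor_phone_matches"] = device.displayed_phone(impostor.start_transaction("alice", "txn-3")) == phone

    bank.start_transaction("alice", "txn-4")
    guess = f"{(int(bank.sms_outbox[-1][1].split(': ')[1]) + 1) % 10 ** OTP_DIGITS:06d}"
    out["direct_guess"] = bank.confirm("txn-4", guess)  # attacker bypasses the client
    out["alerts"] = len(bank.alerts)
    return out


if __name__ == "__main__":
    print(run_demo())
```

In this construction the client can only check the OTP because it holds the same secret the system used to derive it, so the client-side check is only as strong as the protection of that secret on the device; the abstract leaves the corresponding detail of the proposed scheme unspecified.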