Abstract
Prior to accepting and executing an online transaction, e-commerce systems must allow the consumer to express an informed and deliberate consent to the transaction. Currently, a widely accepted way of letting the consumer express his consent to execute a transaction is the Short Message Service-based One-Time Password (SMS-based OTP) scheme. In this scheme, when the system receives the required and unambiguous information for an online transaction from a consumer, it sends a short message containing a one-time password to the consumer's mobile phone. The consumer expresses his consent by entering the password on his client device, which then sends the entry back to the system for confirmation. Although a one-time password prevents unauthorized reuse of the password, an attacker can still launch a series of password guesses that finally leads to either a successful attack or account suspension. This paper presents a system design to improve the SMS-based OTP scheme by enabling the client device to verify the correctness of the OTP entry. In this scheme, a password entry is sent to the system only if it is correct and captured within the permitted time interval. In terms of security, the new feature not only reduces the risk of successful guessing attacks, but also alerts the system to take necessary defensive measures against possible cyber attacks whenever an incorrect or expired OTP entry is received by the system. A quantitative analysis revealed the relative benefit of the proposed scheme.
| Original language | English |
|---|---|
| Pages (from-to) | 69-75 |
| Number of pages | 7 |
| Journal | Journal of Digital Information Management |
| Volume | 13 |
| Issue number | 2 |
| State | Published - 01 04 2015 |
Keywords
- Client-side verification on password entry
- E-commerce
- One time password
- Short Message Service
- Transaction confirmation