Web application security in un-trusted client scenarios
Web applications are commonly used to authorize payments and financial transactions. Home banking services, for example, let users transfer funds and authorize payments of almost any kind.
Current solutions for user authentication and channel cryptography provide a good degree of security under three assumptions: 1. the network is untrusted, 2. the server is trusted, 3. the user's client computer is trusted. Unfortunately, the last assumption is not always reasonable.
An attacker who has complete control over the user's client computer (through malware installed on the victim's machine) can use the legitimate user's credentials to authorize an illegitimate operation. Bruce Schneier's article (“The Failure of Two-Factor Authentication”, March 2005, http://www.schneier.com/blog/archives/2005/03/the_failure_of.html) describes this threat well, along with the reasons why two-factor authentication, by itself, cannot mitigate the problem.
As an example, suppose we provide our users with a USB token equipped with an LCD display and an “OK” button. The user logs into the Web application through a standard SSL/TLS handshake with client authentication. Before performing a fund transfer of any kind, the application must generate a short message containing a summary of the operation being authorized. The message is transferred to the USB token, which shows it on the LCD display. The user is then asked to check the message and press the “OK” button on the USB token if he agrees to authorize that operation. If the user confirms the operation, the USB token electronically signs the message and returns it to the Web application. As long as the USB token is a trusted environment, the entire process is secure, even if the user's client computer is not trusted. Find out more by downloading the full article at the link above.
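The display-and-sign protocol described above, as an added example that is not code from the original article: a Go model of the server-side summary message, the token's confirm-and-sign step, and the server's verification of the signature against the operation it will actually execute. The type and function names, the Ed25519 signature scheme and the callback standing in for the LCD and OK button are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transfer is the operation the server is about to execute. TxID is a
// server-issued nonce so an old approval cannot be replayed (assumed field).
type Transfer struct {
	FromAccount, ToAccount, Currency, TxID string
	AmountCents                            int64
}

// Summary is the canonical "what you see is what you sign" text: the server
// builds it from the transfer it will execute and the token shows it on the LCD.
func Summary(t Transfer) string {
	return fmt.Sprintf("TX %s: pay %s %d.%02d from %s to %s", t.TxID,
		t.Currency, t.AmountCents/100, t.AmountCents%100, t.FromAccount, t.ToAccount)
}

// Token models the trusted USB device; its private key never leaves it.
type Token struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewToken() (*Token, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Token{priv: priv, Pub: pub}, nil
}

// Approve shows msg on the LCD (okButton models display and button) and signs only on OK.
func (tk *Token) Approve(msg string, okButton func(display string) bool) ([]byte, bool) {
	if !okButton(msg) {
		return nil, false
	}
	return ed25519.Sign(tk.priv, []byte(msg)), true
}

// ServerVerify recomputes the summary of the transfer the server will really execute
// and checks the token's signature over it; client-side tampering makes this fail.
func ServerVerify(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	return ed25519.Verify(pub, []byte(Summary(t)), sig)
}
```

Because the server recomputes the summary from its own copy of the transaction, a signature is only ever valid for exactly the operation the user read on the token's display.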