An Empirical Study of the Internet Banking Web Encryption in Thailand

Suphannee Sivakorn
Nuttaya Rujiratanapat
Patsita Sirawongphatsara
Sakulchai Saramat
Yotsapat Ruangpaisarn
Chanond Duangpayap

Abstract

With Thailand rapidly moving to a full internet banking ecosystem, the demand for online security has never been greater than it is today. Because the security and privacy of internet users depend on HTTPS, the web encryption protocol that secures communication between users and web servers, HTTPS is essentially the center of today's web ecosystem. Unfortunately, despite the growing number of HTTPS adoptions, numerous studies have shown that a large number of websites have deployed HTTPS incorrectly, leaving users vulnerable to information leakage, e.g., eavesdropping and man-in-the-middle attacks. Correct HTTPS deployment matters even more for internet banking services, which carry users' sensitive information and are prime targets for criminal activity. In this paper, we present WEAPONS, a novel black-box testing tool for evaluating the completeness and correctness of web encryption deployment, covering the deployment of HTTPS itself and of the web encryption-related mechanisms, i.e., HSTS, the Secure cookie flag, HTTP-to-HTTPS redirects and HSTS preloading. We use WEAPONS to assess 8 popular internet banking websites in Thailand. We demonstrate that WEAPONS is able to find incorrect HTTPS deployments. Several of these weaknesses can expose the affected services to man-in-the-middle attacks and sensitive data exposure.
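An offline version of the checks the abstract lists, added here as an example and not the WEAPONS tool itself: given captured responses, it reports whether the HTTP-to-HTTPS redirect, HSTS, HSTS preload readiness and the Secure cookie flag are deployed. The preload thresholds follow the submission criteria published at hstspreload.org; the sample responses and the bank.example host are constructed.

```python
ONE_YEAR = 31536000  # hstspreload.org requires max-age of at least one year

def parse_hsts(value):
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives

def assess_site(http_status, http_location, https_headers):
    """Evaluate one site from captured responses (no network access).
    http_status / http_location: status code and Location header of the
    plain-HTTP response; https_headers: list of (name, value) pairs from
    the HTTPS response, so repeated Set-Cookie headers are preserved."""
    f = {}
    # HTTPS redirect: plain HTTP must redirect to an https:// URL
    f["https_redirect"] = http_status in (301, 302, 307, 308) and \
        (http_location or "").lower().startswith("https://")
    # HSTS: header present with a positive max-age
    hsts = [v for n, v in https_headers if n.lower() == "strict-transport-security"]
    d = parse_hsts(hsts[0]) if hsts else {}
    max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
    f["hsts"] = max_age > 0
    # Preload readiness: one-year max-age, includeSubDomains, preload, plus the redirect
    f["hsts_preload_ready"] = (max_age >= ONE_YEAR and "includesubdomains" in d
                               and "preload" in d and f["https_redirect"])
    # Secure cookie flag: every cookie set over HTTPS must carry Secure
    insecure = []
    for n, v in https_headers:
        if n.lower() == "set-cookie":
            parts = v.split(";")
            name = parts[0].split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in parts[1:]}
            if "secure" not in attrs:
                insecure.append(name)
    f["insecure_cookies"] = insecure
    return f

# Constructed sample responses (not real banks): a weak deployment and a hardened one
WEAK = assess_site(200, None, [("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly")])
HARDENED = assess_site(301, "https://bank.example/", [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "SESSION=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, result in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, result)
```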

How to Cite
Sivakorn, S., Rujiratanapat, N., Sirawongphatsara, P., Saramat, S., Ruangpaisarn, Y., & Duangpayap, C. (2022). An Empirical Study of the Internet Banking Web Encryption in Thailand. Rajamangala University of Technology Tawan-Ok Research Journal, 15(1), 97–116. Retrieved from https://li01.tci-thaijo.org/index.php/researchjournal2rmutto/article/view/251996
Section
Research article
Author Biographies

Suphannee Sivakorn, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology

Nuttaya Rujiratanapat, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology

Patsita Sirawongphatsara, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology

Sakulchai Saramat, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology

Yotsapat Ruangpaisarn, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology

Chanond Duangpayap, Rajamangala University of Technology Tawan-ok

Department of Computer Science, Faculty of Science and Technology
