Threat Analysis of Software Agents in Online Banking and Payments

Software agents are the delegated subcontractors essential to connecting the end user to the bank and payment providers in a distributed service offering. This paper evaluates the key role that the different software agent types play in facilitating collaboration between clients and banks to perform online transactions. It highlights the threats and imminent risks that these software agents introduce into the chain, as well as how these threats affect the trust relationship between principals. The discussed threats and resulting risks suggest vulnerabilities in the current software agent model that are beyond the control of the bank and the end user. Both principals, the client and the service provider, are open to potential legal, security, quality-of-service, confidentiality and privacy compromises, which influence the overarching trust relationship. There is ample literature illustrating the advances that have been made to address the exposed challenges. However, a gap of misfortune remains where the software agent can act of its own accord, exposing the contracting principals to internally and externally engineered threats and thus tainting the trust relationship between these parties.
