IBIMA Publishing Journal of Information Assurance & Cyber security http://ibimapublishing.com/articles/JIACS/2018/415339/ Vol. 2018 (2018), Article ID 415339, 15 pages DOI: 10.5171/2018. 415339
Research Article
Improving Malware Mitigation For Online Bitcoin Wallets
Sabreen MohammedSiraj Ahmadjee
Umm Al-Qura university, Makkah, Saudi Arabia
Received date: 22 August 2017; Accepted date: 18 December 2017; Published date: 26 February 2018
Academic Editor: Ramlah Hussein
Copyright © 2018. Sabreen MohammedSiraj Ahmadjee. Distributed under Creative Commons CC-BY 4.0
Abstract
Bitcoin cryptocurrency has risen in popularity. Therefore, it not only attracts users to use it, but also it attracts the malware developers to attack it. While online Bitcoin wallets allow users to conveniently store and manage their bitcoins, they are vulnerable to several attacks. There are several existing solutions that attempt to provide Bitcoin wallet security. We analysed them and compared them based on several criteria and determined that the existing solutions for securing online Bitcoin wallets used by individuals are vulnerable. We described the threat models for a Bitcoin two-factor wallet, analysed the risk, and presented the risk-treatment plan. We proposed a Bitcoin three-factor wallet that provides several security features on both the server and the client sides. This new proposed wallet is secured against some attacks. It takes a reasonable time to perform the transactions and is convenient to use.
Keywords: Bitcoin, Cryptocurrency, Online Wallet, Threshold Signatures.
Introduction peak at around $1120 (blockchain.info, 2016). Users such as the online shops need to Bitcoin is a decentralised cryptocurrency, protect their bitcoins against attackers who which means it does not need a central attempt to steal them. In other words, they trusted financial network, such as a bank, to need to protect the wallets that store their check the identity of the payer or the payee, bitcoins. They need to keep their private key or to verify and confirm the transactions. safe because stealing a Bitcoin private key Bitcoin popularity has grown slowly in the permits attackers to steal the money. years since it was introduced in 2009 Attackers can exploit the vulnerabilities of (Narayanan et al., 2016). However, in 2013, the wallet – where users store their private major merchants started accepting bitcoins key - in order to steal the user’s bitcoins. as an official payment for goods (Hill, 2014). Importantly, in 2014, bitcoin value reached a Thieves can attack the wallets using several ______
Cite this Article as: Sabreen MohammedSiraj Ahmadjee (2018), “Improving Malware Mitigation for Online Bitcoin Wallets", Journal of Information Assurance & Cyber security, Vol. 2018 (2018), Article ID 415339, DOI: 10.5171/2018. 415339 Journal of Information Assurance & Cyber security ______
types of attacks involving malware. Wallet Security Commonly, malware compromises bitcoins when they are stored on devices that Approaches for Wallet Security frequently connect to the Internet in order to extract and transfer the private keys that Storing private keys in a single place will lead used to accomplish the bitcoin transactions. to a single point of failure which allows the Therefore, the attackers can spend the attackers to compromise this storage place. money. Indeed, malware attacks on Bitcoin Fortunately, different approaches to tackle wallets have increased significantly. this problem are presented in the following Recently, researchers have reported sections. discovering more than 140 forms of malware programs designed to exploit the weaknesses Multi-signature in Bitcoins wallets in order to steal their contents (Hill, 2014),(Goldfeder et al., This security approach is used to avoid a 2015),(STEWART, 2014). Therefore, it is single point of failure. As the name suggests, necessary to improve the existing methods of to spend bitcoins, more than one signature is protecting and securing Bitcoin wallets to required to prove valid possession of the tackle malware attacks. money. This means multiple secret keys,
which should be stored in different places, The aim of this research is to investigate and are needed to generate the necessary analyse the existing methods used for signatures. A multi-signature transaction can protecting and securing online Bitcoin be signed independently by each party in a wallets that are accessed over the Internet. non-interactive manner. This is one This kind of wallet needs to be defended advantage of this approach over threshold against malware attacks. This analysis is signature because threshold signature followed by suggested methods for requires more than one round of interaction effectively improving malware mitigation for (Gennaro et al., 2016). online Bitcoin wallets.
However, it has pointed out several Background disadvantages of the multi- signature scheme (Gennaro et al., 2016). Firstly, there is a lack Elliptic Curve Digital Signature and of confidentiality because multi-signature Bitcoin transactions are distinguishable in the public
blockchain from regular transactions. ECDSA algorithms Secondly, anonymity is harder to achieve. To
provide better anonymity, a new change The Bitcoin system utilises a digital signature address that does not simply link to the input scheme, which is called Elliptic Curve Digital address should be utilised. Thirdly, the Signature (ECDSA). It works in the group transaction’s public keys and valid signatures ), which is a group of elliptic curve. �(�� M lead to increasing the transaction’s size. ECDSA, like any digital signature scheme, Therefore, transaction fees will increase as consists of three algorithms: key generation, they are based on transaction size. Lastly, a signing, and verification algorithms (Johnson multi-signature transaction is not flexible et al., 2001). ECDSA explained in details in because inserting multi-signature security (Johnson et al., 2001) literature. into an already existing address is not easy because the syntax of the two kinds of addresses differ. Because of these drawbacks, a multi-signature scheme is not used for the proposed solution.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
Threshold Signatures Two-Party Signature
The main difference between threshold In order to apply 2-out-of-2 signature cases scheme and multi-signature scheme is that and use an optimal number of participants, the threshold signature scheme allows (MacKenzie and Reiter, 2001) built a multiple parties to participate in signing a specialised scheme that is called “two-party transaction without using multiple private signature scheme for DSA”. They use a Pailler keys (Narayanan et al., 2016). A single cryptosystem, which is a homomorphic private key is split into shares that are cipher allowing one participant to do the distributed among the participants. computation using the ciphertexts of another Specifically, any subset of these secret shares participant’s share secret without the ability can be used to reconstruct the private key, as to learn these share secrets. The final long as the subset’s size is greater than or encrypted signature is decrypted by the equal to a specific threshold. Any subset that homomorphic decryption key which is held is smaller than this specific threshold will not by one party. This scheme is close to ideal for reveal any information about the private key. two-party signatures (Gennaro et al., 2016). A key property of the threshold scheme is (Mann and Loebenberger, 2015) apply this that generating a signature does not require scheme to ECDSA and use it to their two- reconstructing the private key on any single factor wallet. (Gennaro et al., 2016)’s machine (Narayanan et al., 2016). appendix articulates their attempts to extend two-party signature schemes to multiple- The threshold signature scheme has several party signature schemes. They found it quite key advantages (Gennaro et al., 2016). This inefficient when the large numbers of parties scheme preserves the user’s confidentiality are involved, such as when employed in a because it allows the participants to generate company. This inefficiency arises because it a single signature. Therefore, it will be requires 3� − 1 rounds of interactions. invisible in the public blockchain that this Additionally, when the number of players kind of signature is used. Additionally, the increases, the computation time and the threshold scheme increases anonymity storage increase exponentially. because the change address provides the same benefit in the threshold scheme Two-Factor Wallet transaction as in a regular single key address. Therefore, the change address will be unlikable to the sending address when they (Mann and Loebenberger, 2015) and are specified in sending transaction. (Gennaro et al., 2016) implemented a two- factor wallet for individuals by applying Also, threshold signatures schemes provide (MacKenzie and Reiter, 2001)’s two-party flexibility because it is possible to add signature scheme; as discussed, this scheme threshold security scheme to an existing is optimal and nearly ideal for two-party address because this scheme permits signature. This kind of wallet requires splitting up the key of the existing address as control to be split over two personal devices opposite to multi-signature. Also, the in the user’s possession, such as a desktop threshold signature scheme easily allows an and a smartphone. The secret key shares are arbitrary number of participants to be added distributed between these devices. because, unlike multi-signature transactions, they do not require a new address to be Importantly, at no point during the generated. Moreover, the threshold communication is the private key transaction is scalable because it maintains a reconstructed neither in the desktop nor on constant transaction size even if the number the smartphone. This security makes the of shares is increased; therefore, fees will not attacker’s job much harder and avoids the be increased. vulnerability of a single point of failure.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339 Journal of Information Assurance & Cyber security ______
Furthermore, if the desktop is infected by the wallet and participate in signing the malware that can be able to change the transaction and the mobile wallet used to transaction details, the user can notice that verify the transaction and participate in when the transaction information is sent to signing the transaction. the mobile wallet. The user can then abort this transaction and prevent the attacker Method of Attack from stealing the bitcoins. An attacker can compromise the two devices Clearly, the two-factor wallet improves the and steal the two private key shares by security of the wallet that is used by performing the following phases. individuals at some extent. However, as discussed in the threat modelling section, an Phase One: Infection the devices adversary who manages to compromise the first factor (the desktop) can bypass the An attacker can follow any attack approach second factor (the phone). This vulnerability illustrated in Figure 1 to install malware on means the two-factor wallet is not secure the user’s devices. Importantly, to infect the enough to protect the Bitcoin wallets used by second device, either the attacker can follow individuals. Therefore, a solution that any approach represented by the attack tree enhances the security of this kind of wallet is which requires user interaction, or employ proposed in this paper, and it is described in cross-platform infection as (Dmitrienko et al., the proposed solution chapter. 2014) did to compromise the second factor and steal the Transaction Authentication Threat Model Number (TAN) of the online banking transaction. More details about cross- We performed risk assessment and identified platform infection attacks are provided in effective countermeasures that help to avoid (Dmitrienko et al., 2014). One form of and mitigate the possible risks utilising the sophisticated malware that can be installed Microsoft threat modelling (J.D. Meier, 2003). on the user’s device infects the user’s browser. This malware utilises Man in the Two-Factor Wallet (Online wallet and Browser MITB techniques, which are Mobile wallet) Attack powerful and sophisticated attacks normally associated with Internet crime (Dougan and Since this study focuses on online wallets, it Curran, 2012). This kind of attack often will explain how the two-factor wallet that targets online bank accounts and steals (Gennaro et al., 2016) and (Mann and users’ credentials, tamper with transactions Loebenberger, 2015) represent can be and facilitate the theft of second-factor compromised if one applies it to an online authentication and TANs from a second wallet instead of a desktop wallet. One type device. Therefore, MITB malware can also of Bitcoin wallet is the hybrid online wallet target online Bitcoin wallets. where the wallet service provider does not have control over the private keys because Browsers allowing user to install any they do not know them. The private key extension from arbitrary websites shares are generated, encrypted, and decrypted on the client side. Since this type (untrusted parties) can easily be infected by of online wallet is to some extent similar to malware. The attacker can craft the malicious the desktop wallet where users have full payload into an extension that runs with high control over their keys, it is more suitable to privileges and then trick the user into employ it in the two-factor wallet approach. installing the malware onto the device The attacker can compromise the two through any of the ways represented in factors: the device used to access the online Figure 1.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Informa tion Assurance & Cyber security ______
Figure 1: Attack tree with the goal of running the malware into victim’s devices
Figure 2: Attack tree with the goal of performing MITH browser attack
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
As (Barth et al., 2010) report in their paper, message to the user to compromise the 88% of the Firefox extensions they analysed mobile device. ran with full privileges, even though the extensions required less than these assigned Phase Two: Stealing the Wallet File privileges. Therefore, malicious extensions can infect the browser and perform an MITB attack. Figure 2 represents how an MITB Because hybrid wallets generate, encrypt, attack can be performed. and decrypt private keys on the client side, more specifically in the client’s browser and After the malware is installed on the device, typically in JavaScript (Eskandari et al., the malware will not launch until the 2015), MITB malware can lie-in-wait either browser is restarted. Then the malicious for the private key share to be generated or extension will be installed onto the browser’s after decrypting it in order to sign the configuration. Next, the browser loads the transaction. MITB malware can also easily extension which registers a handler for every discover the password used to protect this page that the browser will load. As (Mário private key share by stealing the password Almeida, 2011) mentioned, the MITB once the user enters it and then sending it to malware will monitor all of the user’s a malicious server. By doing this, an attacker activities. When any page is loaded by the can obtain the first share key. In addition to browser, the malicious extension compares the first private share, the attacker also the URL against the list of sites that the needs to steal the mobile wallet’s private attacker specified. If the URL matches one of share in order to steal the user’s funds. After the desired pages, the malware will change successfully infecting the mobile device as the page’s content by adding an extra field in mentioned in the previous section, the order to ask the user to verify the user’s attacker can steal the private key share used mobile phone number in order to send a link in the mobile device by the same method. to an important application security update, which is in fact a malicious application. Once Determine Threats the user clicks submit, all the information including the phone number will be sent to Table 1 summarises the threat modelling the attacker in order to send the malicious process.
Table 1 Summary of the threat modelling process
Threat Description Attacker steals the bitcoins from the two-factor wallet by stealing private key shares Threat target User’s browser and mobile device Risk ranking High Attack techniques MITB malware Countermeasures 1. Use three secret key shares. 2. Use the Token and the fraud detection mechanism. 3. Check the Token and use the fraud detection mechanism in every request. 4. Abort the transaction and log it if fraud is detected. 5. Use the isolation mechanism and the extensions that run with least privilege.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339 Journal of Information Assurance & Cyber security ______
desktop and sends it to the Proposed Solution server. - Server checks the authorisation Three-Factor Wallet of the request by checking the Token and the user’s behaviour The main countermeasure proposed here to as would be described in the avoid the described risks is using a three- security analysis section. factor wallet instead of two-factor wallet; a - Server sends the transaction to proposed three-factor wallet will be more the mobile wallet in order to secure for the wallet used by individuals. To allow the user to confirm it. utilise this wallet, it is necessary to have - When both the user (using the three private key shares to sign any mobile phone) and the server transaction. One on the user’s desktop, the confirm the transaction, then the second on the user’s mobile phone, and the three parties start the three- third on an online server. Therefore, if party threshold scheme in order attackers manage to steal both of the secret to sign the transaction. shares as described in the threat model, they - The three parties then exchange cannot spend the bitcoins in the user’s wallet the required messages for the because they also need the third share to sign three-party threshold scheme any transaction. Involving the server in the over a secure connection in signing process makes the transaction very order to generate a signature. difficult to compromise as the hacker must - Server embeds the complete also attack the server or trick it into signing signature into the transaction. the transaction. Therefore, this new - Server broadcasts the correctly proposed online Bitcoin three-factor wallet is signed transaction onto the more secure than the existing two-factor Bitcoin network. wallet. Figure 3 represents a sequence diagram In practice, it is assumed that the three showing how the three parties communicate participants are communicating over a in order to sign the transaction using the secure channel. As previously mentioned, the three-party signature protocol. hybrid online wallet is suitable for use in the two-factor online wallet. Therefore, it will Three-Factor Scheme also be suitable to be used in the three-factor wallet. The service provider can be a trusted The three-factor wallet can be implemented dealer that constructs the key, generates the by applying the scheme that (Gennaro et al., shares, and distributes the shares to the 2016) was represented in their appendix, parties. The server should then completely which is an extended version of Mackenzie delete all records of the desktop and the and Reiter’s two-party signature scheme mobile phone’s key shares. Of course, the used in two-factor wallet. The three-factor user needs to trust the server to execute that wallet requires a 3-out-of-3 threshold task. Once each one of the three participants signature to be applied. Consequently, it is has the key share, they execute the following suitable to use the multi-party scheme to steps to sign the transaction: implement the three-factor wallet.
- User authenticates its desktop Key Generation and Setup and mobile phone to the server. - User initiates the request The extension of the two-party signature (Bitcoin transaction) from the protocol requires 3� – 2 rounds. As a result,
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
the 3-out-of-3 signature scheme is is shared in a 3-out-of-3 scheme accomplished in seven rounds. among the three parties. Therefore, given a large integer �, one can Before the parties start the protocol to compute � = �(�� ��� � = �(�� , generate the final encrypted signature, they where �, � ∈ ��. Using these values, first have to generate their share keys. it is possible to do +� which is an Therefore, each participant has to perform efficient computable operation that the following steps: can be done over the ciphertext space as follows:
- Each participant �� has to choose a random value �� ∈ �� and then � +� � = �(� + � ��� �� �� compute �� = � which is assumed Also one can compute: to be public. Hence, the secret key � = where x is an will be � = ∏� �� ��� � and the � ×� � �(� � ��� �� public key will be y = �� �� � . integer - All participants share a secret key D for the additively homomorphic The message space and ciphertext space are encryption scheme E. The secret key denoted as �� and ��, respectively.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
Figure 3: Three-factor wallet sequence diagram
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
Signature Generation computations, and passes the output of the computation to another participant. This To implement the 3-out-of-3 signature protocol can be implemented by the desktop, scheme, the multi-party protocol will the online server (service provider), and the proceed for seven rounds. Every participant mobile in order to provide a secure three- accepts some inputs, applies some factor wallet as follows:
Round 1 (Desktop): � - Selects �� ← �� �� - �� = �� ��� �
- �� = �(���
- �� = �(���� ��� �� ′ ′ - �� = �� = ⊥ ′ ′ - Send these values to the second part (online server) < M, ��, ��, �� , ��> Round 2 (Online server): � - Selects �� ← �� �� - �� = �� ��� �
- �� = �� ⊗ ��
- �� = �(���� ��� �� ⊗ �� ′ - �� = �(��� ′ - �� = �(���� ��� �� ′ ′ ′ ′ - Send these values to the third party (smartphone) < �, ��, ��, ��, ��, ��, ��, ��, �� > Round 3 (Smartphone): � - Selects �� ← �� �� - �� = �� ��� � �� - �� = � �� �
- Sends < �� > to the online server Round 4 (Online Server): �� - �� = �� �� �
- Sends < ��, �� > to the desktop Round 5 (Desktop):
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
�� - �� = �� �� � � � - ∏ 1 ← ��� : ∃��, �� ∈ �−� , � � such that: �� ��/�� - �� = �� and � = ��
- � (��� = �� ��� �(��� = ��
- Sends < ��, ∏ 1 > to the online server Round 6 (Online Server): - Verifies ∏ 1 � � - ∏ 2 ← ��� ∶ ∃��, �� ∈ �−� , � � such that: �� ��/�� - �� = �� and � = ��
- � (��� = ���(��� ��� �(��� = ���(��� ′ ′ - ����� = �� ��� ����� = ��
- Sends < ��, ��, ∏ 1 , ∏ 2 > to the smartphone Round 7 (Smartphone): - Verifies ∏ 1, ∏ 2 � - � ← ��� - � = �(�� ′ - � = � (�1� ∈ �� ′ - � = �(���
- � = �(��� ��� �� ⊗ ��� ⊗ �(����� ⊗ ��� ⊗ �(��� � � - ∏ 3 ← ��� ��, �� ∈ �−� , � � such that: �� ��/�� - �� = � and � = ��
- �(�� = ����(��� + ����(��� ′ - ��� � = �� - Sends < �, �′, ∏ 3 > to the online server and < �, �′, ∏ 2 , ∏ 3 > to the user’s PC Online Server: - Verifies ∏ 3 Desktop: - Verifies ∏ 2 , ∏ 3 Finally: All the three parties call the distributed decryption protocol for D in order to get � = ��� (����� � then the parties output the signature for � � = (�, ��.
Security Analysis threshold signature with the user. This check can be done by adding a special encrypted The three-factor wallet prevents attackers Token pattern comprised of a timestamp who manage to steal the first two key shares value, nonce, user’s IP address, and MAC from spending the bitcoins in the victim’s address. The user can determine the trusted wallet because they need the third share devices. Therefore, the server will hold a which resides on the online server. whitelist of the public IP and the MAC addresses for the devices from which the user can perform requests. In fact, the server uses the IP Geolocation which links the IP When the user initiates the Bitcoin address to an Internet-connected real-world transaction and sends it to the online server, geographical location of the desktop and the the online server has to check the mobile devices; the IP address is linked to a authorisation of this request to verify that country, region, and Internet Service the user is legitimate before starting the provider (ISP) (Bendale and Kumar, 2014).
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
After successful authentication and before framework also reduces the false positive any transactions, the server generates this and false negative rates; more information unique Token by utilising a unique key which about this framework can be found in (Wei et exists only on the server. The Token is sent al., 2013)’s paper. Entrust has reported that back to the client and inserted into a hidden one of the most effective solutions against field. When the user attempts to perform the MITB is a fraud detector that monitors user transaction, the server receives the request. behaviour (Entrust, 2014). Therefore, online It then reads and decrypts the Token value Bitcoin wallets can also utilise these kinds of using the same key that was utilised to create fraud detection applications to detect it. If the server is unable to correctly decrypt abnormal behaviour by attackers attempting the Token, that means there is an intrusion to use their own devices or the victim’s attempt. Then the server should block the device. transaction, log it, and notify the user. If the server decrypts the Token, it will validate the The attacker who attempts to perform the values that the token was composed with to transaction from the user’s devices by verify their validity. Firstly, the server altering the transaction’s form values can be compares the IP and MAC addresses against prevented also by running the browser’s the current addresses that submitted the extensions in a sandbox that isolates them request. If they match, the server checks the from other extensions, and most importantly, timestamp by comparing it against the from the browser’s internals, web pages, and server’s current timestamp in order to the operating system resources. SandFOX is prevent the reply attacks. Finally, the server an example of a client-side browser policies confirms that the nonce submitted with the that creates a sandbox environment for the request matches the nonce existing in the Firefox browser (Saini et al., 2015). Token. If the nonce is valid, the request continues; otherwise, the transaction should In addition to applying an appropriate be blocked. In fact, the user is allowed to sandbox to the browser, it is important that a determine only two trusted devices, IP user who operates an online Bitcoin wallet addresses, and MAC addresses. If the user never installs any extensions from arbitrary needs to change the devices, he must make a web sites because they might already contain substitution. malware or run with full browser privileges. Users should install extensions only from Although this token eliminates some attacks trusted stores. as will be discussed in the evaluation chapter, it cannot prevent a powerful attacker who Evaluation manages to compromise all of the information in the user’s possession. Effectiveness against possible attacks Therefore, it is necessary to add an extra layer of security to provide a defence in- The proposed three-factor wallet that we depth to the three-factor user’s wallet. This proposed provides several features that help can be accomplished by adding fraud to secure it against possible attacks. The detection software that monitors the user’s three-party threshold signature that the behaviour on the server side. This technique wallet employs helps the wallet to not captures and then analyses all of the user’s become a single point of failure. Therefore, web traffic from login until session the attacker who attempts to compromise completion. Machine learning techniques this wallet needs to attack the three different such as Neural Network and Random Forests places where the three secret key shares can be used to detect the fraud. (Wei et al., exist. Additionally, the encrypted Token that 2013) present a framework that has proved the server generates when the user connects its efficiency and accuracy by being tested in to it eliminates the attacker’s ability to steal a major Australian bank. Furthermore, this the user’s session and make unauthorised ______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
requests. In other words, it prevents cross side request forgery (CSRF) attacks (Blatz, One might argue that the mobile phone can 2007). also be compromised. In this case, attackers would need to perform a sophisticated attack The user can only specify two devices to which requires replacing the modified perform the transaction, and the devices can transaction the server sent to the user’s be changed only if the user provides second- mobile phone, presenting the original factor authentication and verifies the change transaction that the user requested, and then using email. If the server detects login from a signing the attacker’s transaction. This attack device or location that the server does not is more complicated than those performed by recognize, it will deny the access and send an URLzone malware. Since these malwares email to the user detailing the attempted normally run in the browser’s extension, login. The server asks the user to verify this running the browser’s extensions in a change not only by the email but also by sandbox is important because it will prevent entering the second-factor authentication. the malware from being able to access the Therefore, attackers attempting to replace browser’s internals or modify any the user’s addresses with their own transactions. addresses need to obtain the second factor and also compromise the user’s email. Notably, the three-factor online wallet runs Moreover, attackers cannot easily substitute with multiple independent defences on both the user’s email by their email to receive the the server and user sides to provide a verification email because they need to defence in depth. Therefore, if one of the confirm this change using the user’s second defences is hacked, the others remain viable. email that the user entered at the time of registration. Additionally, the fraud detection Availability application that monitors the user behaviour that the server utilises can prevent any In the three-factor wallet, all three shares attempted attacks. should be available to sign any transaction. Users only need to worry about the two An attacker might manage to perform a shares that they obtain and should keep them transaction with the user’s devices by safe, secure, and available for signing. The changing the outgoing data such as the third share is stored on the server; therefore, destination public address or the amount of the server is responsible for keeping it secure bitcoins that the user attempts to send. MITB and safe. Users should trust and depend on malware such as URLzone performs such the server to provide its share at the time of attacks (Dougan and Curran, 2012). Indeed, signing. However, the server might be this malware aims to steal money from the unavailable at the very moment when the victim’s bank account by modifying the form user needs to sign the transaction because it fields that the user submits to the server, might go down for several reasons. For such as the amount of money and the instance, the server may receive thousands of receiver’s account. The server processes the requests while it does not have the capacity modified transaction normally and cannot and resources to handle them. Therefore, a detect the changes. The same attack can be load balancer should be added to distribute achieved in the online Bitcoin wallet. the requests across a number of servers However, in the proposed three-factor wallet, (Cardellini et al., 1999) that should also have the server sends the transaction to the an additional secret key share in order to mobile wallet to verify it before the three participate in signing the transaction. parties start signing the transaction. Moreover, a denial of service attack Therefore, the server will send the modified (Neumann, 2000) could occur which makes version to the user’s mobile wallet, and the the server unavailable at a time when the user can detect the change. user needs to sing a transaction. Therefore,
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339 Journal of Information Assurance & Cyber security ______
precautions, countermeasures, and Three-factor wallet and its proposed mitigations against any trouble or attack mechanisms should be considered in future should be placed on the server’s side, so that research. The implementation of this method the server is available on demand. should be tested using “use cases” with realistic scenarios by using several Usability techniques to verify that this solution fulfils the security controls that are claimed. The The proposed three-factor wallet is similar to evaluation of this proposal is required to the two-factor wallet in terms of usability; validate its effectiveness and identify users only need to initiate the transaction potential improvements. from the first device and confirm it from the second device. Therefore, the three-factor References wallet does not add extra overhead to the user. In fact, with online banking, users 1. BARTH, A., FELT, A. P., SAXENA, P. & usually have to use their phone to receive the BOODMAN, A. Protecting Browsers SMS TAN and then enter it to complete the from Extension Vulnerabilities. transaction. Therefore, the usability of three- NDSS, 2010. Citeseer. factor wallet is reasonable. 2. BENDALE, J. & KUMAR, J. R. 2014. Time Efficiency Review of different IP geolocation methods and concepts. International The proposed threshold signature scheme Journal of Computer Science and suggested for use with the three-factor wallet Information Technologies, 5, 436- is the previously mentioned multi-party 440. threshold signature of (Gennaro et al., 2016).
They evaluated the performance of this 3. BLATZ, J. 2007. CSRF: Attack and protocol and reported that when three Defense. McAfee® Foundstone® parties participate in the protocol, the Professional Services, White Paper . execution time was approximately 6 seconds, comparable to online banking where the user 4. BLOCKCHAIN.INFO. 2016. Bitcoin also needs to wait several seconds to receive News_ Live Bitcoin Exchange Rate the SMS. Therefore, applying the multi-party [Online]. Available: threshold signature scheme for 3-out-of-3 https://blockchain.info/markets/ threshold cases is efficient according to [Accessed June 2016]. (Gennaro et al., 2016)’s evaluation.
5. CARDELLINI, V., COLAJANNI, M. & Conclusion YU, P. S. 1999. Dynamic load balancing on web-server systems. This article found that employing three- IEEE Internet computing, 3, 28-39. factor for a Bitcoin wallet is more secure than the two-factor which was found to be in a 6. DMITRIENKO, A., LIEBCHEN, C., higher risk. A three-factor was explained ROSSOW, C. & SADEGHI, A.-R. On the using 3-out-of-3 signature protocol. Three- (in) security of mobile two-factor factor wallet employed 3-out-of-3 signature authentication. International protocol in which the secret shares are Conference on Financial distributed not only between the user’s Cryptography and Data Security, devices but also on an online server. This 2014. Springer, 365-383. method making the attempts to compromise
Bitcoin wallet is more difficult as the online 7. DOUGAN, T. & CURRAN, K. 2012. server needs to be compromised as well. Man in the browser attacks. International Journal of Ambient ______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339
Journal of Information Assurance & Cyber security ______
Computing and Intelligence (IJACI), 4, 15. MACKENZIE, P. & REITER, M. K. 29-39. Two-party generation of DSA signatures. Annual International 8. ENTRUST 2014. Defeating Man-in- Cryptology Conference, 2001. the-Browser Malware. Springer, 137-154.
16. MANN, C. & LOEBENBERGER, D. 9. ESKANDARI, S., CLARK, J., BARRERA, Two-factor authentication for the D. & STOBERT, E. A first look at the Bitcoin protocol. International usability of bitcoin key management. Workshop on Security and Trust 2015. Workshop on Usable Security Management, 2015. Springer, 155- (USEC. 171.
10. GENNARO, R., GOLDFEDER, S. & 17. MÁRIO ALMEIDA, U. B., ARAS NARAYANAN, A. Threshold-optimal TARAHAN 2011. Man-in-the- DSA/ECDSA signatures and an Browser Attacks. application to Bitcoin wallet security. International Conference 18. NARAYANAN, A., BONNEAU, J., on Applied Cryptography and FELTEN, E., MILLER, A. & Network Security, 2016. Springer, GOLDFEDER, S. 2016. Bitcoin and 156-174. Cryptocurrency Technologies: A Comprehensive Introduction , Princeton University Press. 11. GOLDFEDER, S., GENNARO, R., KALODNER, H., BONNEAU, J., KROLL, 19. NEUMANN, P. G. 2000. Denial-of- J. A., FELTEN, E. W. & NARAYANAN, service attacks. Communications of A. 2015. Securing Bitcoin wallets via the ACM, 43 , 136-136. a new DSA/ECDSA threshold signature scheme. Accessed 2015- 20. SAINI, A., GAUR, M. S., LAXMI, V. & 06-09. NANDA, P. sandFOX: secure sandboxed and isolated environment 12. HILL, A. 2014. Bitcoin: Is for firefox browser. Proceedings of Cryptocurrency Viable? the 8th International Conference on Security of Information and Networks, 2015. ACM, 20-27. 13. J.D. MEIER, A. M., MICHAEL DUNNER, SRINATH VASIREDDY, 21. STEWART, J. 2014. Cryptocurrency- RAY ESCAMILLA, ANANDHA Stealing Malware Landscape MURUKAN. 2003. Chapter 3: Threat [Online]. Available: Modeling [Online]. Available: https://www.secureworks.com/rese https://msdn.microsoft.com/en- arch/cryptocurrency-stealing- us/library/ff648644.aspx [Accessed malware-landscape [Accessed 20 20 Aug 2016]. July 2016].
14. JOHNSON, D., MENEZES, A. & 22. WEI, W., LI, J., CAO, L., OU, Y. & CHEN, VANSTONE, S. 2001. The elliptic J. 2013. Effective detection of curve digital signature algorithm sophisticated online banking fraud (ECDSA). International journal of on extremely imbalanced data. information security, 1, 36-63. World Wide Web, 16 , 449-475.
______
Sabreen MohammedSiraj Ahmadjee (2018), Journal of Information Assurance & Cybersecurity, DOI: 10.5171/2018. 415339