隨著網際網路的普及,民眾在家使用網路銀行進行各種線上轉帳、匯款交易的情況已經很普及。網路銀行為了確保交易安全性均具備了各種安全驗證機制,如:使用者鑑別、SSL加密、Smart Card Identify、OTP(one time password)等方法,但面對日新月異的攻擊手法仍舊難以全面防範。舉例來說目前市面上各家網路銀行大多以微軟的IE為Base進行開發,因使用了Active X元件與IE特有的JScript支援方法而造成Client端的Browser限定只能使用IE進行交易。然而微軟提供了非常強大的功能給IE的Plug-in開發者,藉由微軟提供的BHO技術,我們可對IE進行使用者行為模式追蹤,甚至在使用者不知情的情況下竄改網路交易訊息內容。 本研究係針對網路銀行線上轉帳交易之安全性問題進行研究,並將系統設計、交易流程、安全機制進行研究與分析。對於使用IE進行交易時,因BHO技術所衍生的風險問題進行相關說明與探討,同時提出改良與加強防範的方法。 With the popularization of internet, it is very common using internet bank to perform on-line accounts transferring at home. In order to guarantee the transaction security, the internet bank has possessed various kinds of safety and security mechanisms. For instance, the internet bank provides users’ authentication, SSL, Smart Card identification, one-time password and other methods. Despite this efforts, it is still difficult to lockout all kind of attacks. For example, most internet banks use Microsoft IE as the base platform, in which Active X and JScript are used. It turns out that the browser of client can only use IE to do the deal. Since Microsoft equips very strong function for plug-in developer in IE, it makes that tracing the transaction activities very easy. Furthermore, one can use BHO to overwrite transaction information without being discovered. This research investigates the security and safety issues of transactions of internet bank. Specially, we focus on the risk due to the adoption of BHO technology. The method of security improvement and prevention will be proposed.
