The 4 Worst Security Vulnerabilities Today

      Before describing in detail the construction of a low-cost, efficient and accurate login authentication system through 5 basic methods, it is necessary to sort out the 4 most serious security vulnerabilities today.

       Whether these 4 security holes can be effectively patched will serve as an important measure of the effectiveness of the 5 basic methods.

1) Security Vulnerability No. 1: Proprietary Number Registration Method

      Nowadays, more and more websites use personal unique numbers as login accounts.

      For example, online banking generally offers login with the ID number as the account name, and commercial websites generally offer login with the phone number bound to the account. This looks like a convenient, "considerate" design for "forgetful" users (who have too many accounts to remember which account name belongs to which website). But while it provides convenience for "forgetful" users, it becomes a security hole that allows the following attack methods to be carried out effectively.

      Attack method 1) Use an ID number or phone number as a probe to detect whether that ID number or phone number has an account on a certain website.

      Attack method 2) Use the login password for a certain ID number or phone number, obtained from other websites, to attempt a login; this is commonly known as a credential stuffing attack.

      Attack method 3) Perform a blocking (account lockout) attack on the account of a certain ID number or phone number by entering the wrong password.
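      Seen from the defender's side, the three attack methods above leave different traces in login logs. The following is an added example, not part of the original article: the event format, the outcome names, the sample events and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

def _ids(prefix, n):
    # Constructed placeholder login IDs standing in for phone or ID numbers.
    return [f"{prefix}-{i:04d}" for i in range(n)]

# Constructed events: (source_ip, login_id, outcome). The outcome is an
# internal log field; the client should see one generic failure message.
EVENTS = (
    [("198.51.100.7", i, "no_such_account") for i in _ids("tel-A", 4)]
    + [("198.51.100.7", i, "bad_password") for i in _ids("tel-B", 2)]
    + [("203.0.113.9", i, "bad_password") for i in _ids("tel-C", 5)]
    + [("203.0.113.9", "tel-D-0001", "success")]
    + [("192.0.2.44", "tel-E-0001", "bad_password")] * 6
    + [("192.0.2.10", "tel-F-0001", "bad_password"),
       ("192.0.2.10", "tel-F-0001", "success")]
)

def classify_sources(events, min_ids=5, lockout_failures=5):
    """Return {source_ip: set of labels} for sources matching a pattern."""
    per_src = defaultdict(lambda: defaultdict(list))
    for src, login_id, outcome in events:
        per_src[src][login_id].append(outcome)

    findings = {}
    for src, ids in per_src.items():
        labels = set()
        if len(ids) >= min_ids:  # one source touching many login IDs
            unknown = sum(1 for o in ids.values() if "no_such_account" in o)
            if unknown / len(ids) >= 0.5:
                labels.add("enumeration")           # attack method 1
            elif max(len(o) for o in ids.values()) <= 2:
                labels.add("credential_stuffing")   # attack method 2
        for outcomes in ids.values():
            failures = outcomes.count("bad_password")
            if failures >= lockout_failures and "success" not in outcomes:
                labels.add("lockout")               # attack method 3
        if labels:
            findings[src] = labels
    return findings

if __name__ == "__main__":
    for src, labels in sorted(classify_sources(EVENTS).items()):
        print(src, sorted(labels))
```

      The source that mistypes a password once and then logs in successfully is not flagged, which is the behaviour of an ordinary "forgetful" user.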

      If this security loophole is not effectively patched, I believe that in the near future (it is estimated that some people have already started doing this) we will see the two most trending technologies, "artificial intelligence + big data", used to work out which websites someone has opened an account on, which websites they have not, and so on, with the results sold online.

2) Security Vulnerability No. 2: SMS Verification

      SMS verification has basically become a mandatory verification method for network applications that require even a modest level of security. But the verification text message is defenseless in the face of a small account-stealing virus. More than 10 million accounts have been compromised by account-stealing viruses.

      When a mobile phone is infected with an account-stealing virus, theoretically speaking, all accounts of the phone's owner are already open to the virus's control. At the same time, the phone may also become a tool for attacking other people's accounts.

      There have been incidents in which all of an owner's bank cards were drained because of an account-stealing virus.

3) Security Vulnerability No. 3: Illegal Transaction of Bank Cards

      Under current laws and regulations, a bank card can only be owned and used by the citizen who opened it, and trading in bank cards is prohibited. But online, selling bank cards with online banking enabled is already an open or semi-open business. At the same time, in all online fraud cases, bank cards belonging to outsiders are invariably used as a tool for committing the crime.

4) Security Vulnerability No. 4: The security loophole that inevitably arises when a mobile phone with apps installed is out of its owner's control

      More and more applications are now being moved to smartphones, and these applications are, directly or indirectly, to a greater or lesser extent, related to the owner's property. As a result, once the mobile phone is out of the owner's control (for example, it is stolen, robbed, or sold as a second-hand phone without being properly wiped), the original owner's property on the phone is in danger.

      Figures 1 to 5 below are screenshots of Alipay, WeChat, Industrial Bank, Shanghai Pudong Development Bank, and Hua Xia Bank in a simulated out-of-control state (a mobile phone without a SIM card).

      Judging from my experimental results, I believe that Alipay and WeChat have greater security vulnerabilities, because I completed the Alipay and WeChat logins on a mobile phone that does not have the phone number bound to the Alipay and WeChat accounts.

      Almost all operations related to money are completed on the mobile phone that is not bound to the Alipay account. These operations include: payment, transfer, grabbing red envelopes, repayment with Huabei, binding bank cards, etc.

      After the WeChat login is completed without a card, there is no problem in transferring pictures and information.

Alipay and WeChat are the two most influential and widely used applications, and both are directly related to money. Mobile banking is a standard product in today's banking system, and it is the money jar that people carry with them. Since these applications still have such security loopholes, it is estimated that quite a few other apps also have the No. 4 security loophole.


 

Figure 1 Screenshot of Alipay login without SIM card

 

 Figure 2 Screenshot of WeChat login without SIM card

 

Figure 3 Screenshot of IB mobile banking without SIM card login

 

Figure 4 Screenshot of SPD Bank mobile banking without SIM card login

 

Figure 5 Screenshot of Hua Xia Bank mobile banking without SIM card login 
