{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T18:04:27Z","timestamp":1769882667151,"version":"3.49.0"},"reference-count":46,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2024,11,11]],"date-time":"2024-11-11T00:00:00Z","timestamp":1731283200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"Recovery, Transformation and Resilience Plan, financed by the European Union (Next Generation), through the INCIBE-UCM"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Cryptography"],"abstract":"<jats:p>The article presents an innovative approach for secure authentication in internet banking transactions, utilizing an Out-of-Band visual two-factor authorization protocol. With the increasing rise of cyber attacks and fraud, new security models are needed that ensure the integrity, authenticity, and confidentiality of financial transactions. The identified gap lies in the inability of traditional authentication methods, such as TANs and tokens, to provide security in untrusted terminals. The proposed solution is the Dynamic Authorization Protocol (DAP), which uses mobile devices to validate transactions through visual codes, such as QR codes. Each transaction is assigned a unique associated code, and the challenge must be responded to within 120 s. The customer initiates the transaction on a computer and independently validates it on their mobile device using an out-of-band channel to prevent attacks such as phishing and man-in-the-middle. The methodology involves implementing a prototype in Java ME for Android devices and a Java application server, creating a practical, low-computational-cost system, accessible for use across different operating systems and devices. 
The protocol was tested in real-world scenarios, focusing on ensuring transaction integrity and authenticity. The results show a successful implementation at Banco do Brasil, with 3.6 million active users, demonstrating the efficiency of the model over 12 years of use without significant vulnerabilities. The DAP protocol provides a robust and effective solution for securing banking transactions and can be extended to other authentication environments, such as payment terminals and point of sale devices.<\/jats:p>","DOI":"10.3390\/cryptography8040051","type":"journal-article","created":{"date-parts":[[2024,11,11]],"date-time":"2024-11-11T11:34:11Z","timestamp":1731324851000},"page":"51","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":2,"title":["A Secure Approach Out-of-Band for e-Bank with Visual Two-Factor Authorization Protocol"],"prefix":"10.3390","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2075-6601","authenticated-orcid":false,"given":"Laerte Peotta","family":"de Melo","sequence":"first","affiliation":[{"name":"Department of Electrical Engineering, University of Bras\u00edlia, Federal District, Bras\u00edlia 70910-900, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8023-1057","authenticated-orcid":false,"given":"Dino","family":"Macedo Amaral","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, University of Bras\u00edlia, Federal District, Bras\u00edlia 70910-900, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6717-3374","authenticated-orcid":false,"given":"Robson","family":"de Oliveira Albuquerque","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, University of Bras\u00edlia, Federal District, Bras\u00edlia 70910-900, Brazil"},{"name":"Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, 
Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor Jos\u00e9 Garc\u00eda Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1101-3029","authenticated-orcid":false,"given":"Rafael Tim\u00f3teo","family":"de Sousa J\u00fanior","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, University of Bras\u00edlia, Federal District, Bras\u00edlia 70910-900, Brazil"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2846-9017","authenticated-orcid":false,"given":"Ana Lucila","family":"Sandoval Orozco","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, University of Bras\u00edlia, Federal District, Bras\u00edlia 70910-900, Brazil"},{"name":"Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor Jos\u00e9 Garc\u00eda Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7573-6272","authenticated-orcid":false,"given":"Luis Javier","family":"Garc\u00eda Villalba","sequence":"additional","affiliation":[{"name":"Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor Jos\u00e9 Garc\u00eda Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain"}]}],"member":"1968","published-online":{"date-parts":[[2024,11,11]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"de Oliveira Albuquerque, R., Cohen, F.F., Mota, J.L.T., and de Sousa J\u00fanior, R.T. (2008, January 28\u201329). Analysis of a Trust and Reputation Model Applied to a Computational Grid Using Software Agents. 
Proceedings of the 2008 International Conference on Convergence and Hybrid Information Technology, Daejeon, Republic of Korea.","DOI":"10.1109\/ICHIT.2008.182"},{"key":"ref_2","first-page":"186","article-title":"A Formal Classification of Internet Banking Attacks And Vulnerabilities","volume":"3","author":"Peotta","year":"2011","journal-title":"J. Comput. Sci. Inf. Technol. (IJCSIT)"},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Ghelani, D., Hua, T.K., Kumar, S., Koduru, R., and Hua, T.K. (2022). Cyber Security Threats, Vulnerabilities, and Security Solutions Models in Banking. Am. J. Comput. Sci. Technol.","DOI":"10.22541\/au.166385206.63311335\/v1"},{"key":"ref_4","unstructured":"Gates, K.A. (2011). Our Biometric Future: Facial Recognition Technology and the Culture of Surveillance, New York University Press."},{"key":"ref_5","unstructured":"Nelson, L. (2012). Proposed Method for Evaluating Voice Authentication Systems. [Master\u2019s Thesis, University of Wisconsin-Madison]."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"85","DOI":"10.3233\/JCS-1998-61-205","article-title":"The inductive approach to verifying cryptographic protocols","volume":"6","author":"Paulson","year":"1998","journal-title":"J. Comput. Secur."},{"key":"ref_7","unstructured":"de Oliveira, F.R. (2019). Verification of the Dynamic Authorization Protocol. [Master\u2019s Thesis, Bras\u00edlia University]."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"138","DOI":"10.1186\/s40537-023-00807-3","article-title":"Role of authentication factors in Fin-tech mobile transaction security","volume":"10","author":"Khan","year":"2023","journal-title":"J. Big Data Springer"},{"key":"ref_9","unstructured":"Pandian, A.P., Fernando, X., and Haoxiang, W. (2022, January 9\u201310). Secure Mobile Internet Banking System Using QR Code and Biometric Authentication. 
Proceedings of the Computer Networks, Big Data and IoT, Tiruchirappalli, India."},{"key":"ref_10","unstructured":"Sonawane, S., Khandave, M., and Nemade, N. (2022, January 9\u201310). Secure Authentication for Online Banking Using QR Code. Proceedings of the International Conference on Computer Networks, Big Data and IoT, Tiruchirappalli, India."},{"key":"ref_11","unstructured":"Lyu, L., and Tang, Q. (2021). Secure Mobile Authentication Using QR Codes for Banking Systems. Int. J. Inf. Secur."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Starnberger, G., Froihofer, L., and Goeschka, K.M. (2009, January 16\u201319). QR-TAN: Secure mobile transaction authentication. Proceedings of the Proceedings\u2014International Conference on Availability, Reliability and Security, ARES 2009, Fukuoka, Japan.","DOI":"10.1109\/ARES.2009.96"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"37","DOI":"10.1145\/3424302.3425909","article-title":"Security Analysis of SMS as a Second Factor of Authentication: The challenges of multifactor authentication based on SMS, including cellular security deficiencies, SS7 exploits, and SIM swapping","volume":"18","author":"Jover","year":"2020","journal-title":"Queue"},{"key":"ref_14","unstructured":"Reese, K., Smith, T., Dutson, J., Armknecht, J., Cameron, J., and Seamons, K. (2019, January 12\u201313). A Usability Study of Five Two-Factor Authentication Methods. 
Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), Santa Clara, CA, USA."},{"key":"ref_15","first-page":"741","article-title":"Online Banking User Authentication Methods: A Systematic Literature Review","volume":"12","author":"Salameh","year":"2023","journal-title":"IEEE Access"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"357","DOI":"10.3390\/jcp4020018","article-title":"An Integrated Approach to Cyber Risk Management with Cyber Threat Intelligence Framework to Secure Critical Infrastructure","volume":"4","author":"Samhat","year":"2024","journal-title":"J. Cybersecur. Priv."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Gao, Q., Fan, H., and Yu, C. (2024). Systemic Importance and Risk Characteristics of Banks Based on a Multi-Layer Financial Network Analysis. Entropy, 26.","DOI":"10.3390\/e26050378"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Ravilla, H., Sayal, R., and Kulkarni, P. (2024). Study and Analysis of FIDO2 Passwordless Web Authentication. Advances in Computational Intelligence and Informatics, Springer.","DOI":"10.1007\/978-981-97-4727-6_38"},{"key":"ref_19","first-page":"331","article-title":"Modern Authentication Techniques in Smart Phones: Security and Usability Perspective","volume":"8","author":"Shafique","year":"2017","journal-title":"Int. J. Adv. Comput. Sci. Appl."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Byers, D., and Shahmehri, N. (2010, January 5). Unified modeling of attacks, vulnerabilities and security activities. Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems, New York, NY, USA.","DOI":"10.1145\/1809100.1809106"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"379","DOI":"10.1002\/j.1538-7305.1948.tb01338.x","article-title":"The mathematical theory of communication","volume":"27","author":"Shannon","year":"1948","journal-title":"Bell Syst. Tech. 
J."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Li, N. (2023). Efficient Equality Test on Identity-Based Ciphertexts Supporting Flexible Authorization. Entropy, 25.","DOI":"10.3390\/e25020362"},{"key":"ref_23","unstructured":"Rodopoulos de Oliveira, F. (2024, July 30). Repository DAP Verification. Available online: https:\/\/github.com\/rodopoulos\/dap-verification."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"120","DOI":"10.1145\/359340.359342","article-title":"A method for obtaining digital signatures and public-key cryptosystems","volume":"21","author":"Rivest","year":"1978","journal-title":"Commun. ACM"},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"107","DOI":"10.1007\/BF00124891","article-title":"Authentication and Authenticated Key Exchanges","volume":"2","author":"Diffie","year":"1992","journal-title":"Des. Codes Cryptogr."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Katz, J., and Lindell, Y. (2014). Introduction to Modern Cryptography, Chapman and Hall\/CRC. [2nd ed.].","DOI":"10.1201\/b17668"},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"430","DOI":"10.1016\/j.future.2016.05.024","article-title":"Evaluation of transaction authentication methods for online banking","volume":"80","author":"Kiljan","year":"2018","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_28","unstructured":"Company, G.N. (2024, October 31). Payment Authentication in 2019\u2014Trends and Predictions: Common Authentication Methods to Protect Online Payment. Available online: https:\/\/www.gpayments.com\/resources\/whitepapers\/online-payment-authentication-in-2019-trends-and-predictions\/."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Yildirim, N., and Varol, A. (2019, January 10\u201312). A Research on Security Vulnerabilities in Online and Mobile Banking Systems. 
Proceedings of the 2019 7th International Symposium on Digital Forensics and Security (ISDFS), Barcelos, Portugal.","DOI":"10.1109\/ISDFS.2019.8757495"},{"key":"ref_30","first-page":"2312","article-title":"Cyber-attacks and Cyber Security Readiness: Iraqi Private Banks Case","volume":"5","author":"Hasan","year":"2021","journal-title":"Soc. Sci. Humanit. J. (SSHJ)"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Balhasan, A.B., Alkasih, I.A., Sallabi, W.S., Bokhatwa, M.B., Bilhasan, A.S., and Alhuni, S.A. (2022, January 23\u201325). A Case Study on the Information Security System of Al Wahda Bank. Proceedings of the 2022 International Conference on Electrical and Computing Technologies and Applications (ICECTA), Ras Al Khaimah, United Arab Emirates.","DOI":"10.1109\/ICECTA57148.2022.9990540"},{"key":"ref_32","unstructured":"Almomani, A., Gupta, B.S., Atawneh, S., Meulenberg, A., and Al-Zobi, M. (2013, January 12\u201313). Phishing Attacks: A Recent Comprehensive Study and a New Anatomy. Proceedings of the 6th International Conference on Information Technology, Bangkok, Thailand."},{"key":"ref_33","first-page":"449","article-title":"A systematic review and research challenges on phishing cyberattacks from an electroencephalography and gaze-based perspective","volume":"28","author":"Iosif","year":"2023","journal-title":"Pers. Ubiquitous Comput."},{"key":"ref_34","unstructured":"Syed, A.M. (2021). Social engineering: Concepts, Techniques and Security Countermeasures. arXiv."},{"key":"ref_35","unstructured":"Sadeghi, A.R. (2013, January 1\u20135). How to Attack Two-Factor Authentication Internet Banking. Proceedings of the Financial Cryptography and Data Security, Okinawa, Japan."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Christianson, B., Crispo, B., Malcolm, J.A., and Roe, M. (2009). The Man-in-the-Middle Defence. 
International Workshop on Security Protocols, Springer.","DOI":"10.1007\/978-3-642-04904-0"},{"key":"ref_37","unstructured":"Choudary, O.S. (2010). The Smart Card Detective: A Hand-Held EMV Interceptor. [Master\u2019s Thesis, University of Cambridge]."},{"key":"ref_38","first-page":"321","article-title":"Session key distribution using smart cards","volume":"EUROCRYPT\u201996","author":"Shoup","year":"1996","journal-title":"Proceedings of the 15th Annual International Conference on Theory and Application of Cryptographic Techniques"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"8176","DOI":"10.1016\/j.egyr.2021.08.126","article-title":"A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments","volume":"7","author":"Li","year":"2021","journal-title":"Energy Rep."},{"key":"ref_40","first-page":"1224","article-title":"Design and development for detection and prevention of ATM skimming frauds","volume":"17","author":"Hattali","year":"2020","journal-title":"Indones. J. Electr. Eng. Comput. Sci."},{"key":"ref_41","unstructured":"Ahmed, K., Qaisar, S., Din, I.U., and Rehman, M.U. (2020, January 14\u201317). Detection of Man-in-the-Middle Attacks using Machine Learning. Proceedings of the 2020 IEEE ICMLA, Virtual."},{"key":"ref_42","unstructured":"Karia, A.M.A.R., and Patankar, M.T. (2020, January 11\u201312). Analyzing the Security of OTP 2FA in the Face of Malicious Terminals. 
Proceedings of the International Conference on Recent Trends in Advanced Computing, Chennai, India."},{"key":"ref_43","first-page":"232","article-title":"Entity authentication and key distribution","volume":"CRYPTO \u201993","author":"Bellare","year":"1994","journal-title":"Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology"},{"key":"ref_44","first-page":"12","article-title":"Abstract Security Patterns and the Design of Secure Systems","volume":"7","author":"Fernandez","year":"2024","journal-title":"Cybersecurity"},{"key":"ref_45","unstructured":"Peotta, L., and Gondim, P. (2012). Risk Assessment and Real Time Vulnerability Identification in IT Environments, IGI Global."},{"key":"ref_46","unstructured":"de Melo, L.P. (2012). DAP (Dynamic Authorization Protocol): Secure Approach Out-of-Band for E-Bank with a Two Factor Visual Authentication. [Ph.D. Thesis, University of Brasilia]."}],"container-title":["Cryptography"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2410-387X\/8\/4\/51\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T16:29:58Z","timestamp":1760113798000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2410-387X\/8\/4\/51"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,11,11]]},"references-count":46,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["cryptography8040051"],"URL":"https:\/\/doi.org\/10.3390\/cryptography8040051","relation":{},"ISSN":["2410-387X"],"issn-type":[{"value":"2410-387X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,11,11]]}}}
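The abstract above describes the shape of the Dynamic Authorization Protocol (a unique code per transaction, rendered as a QR code on the terminal, answered within 120 s from the customer's mobile over a separate channel) but not its cryptographic construction. The following Python model is an added example of that out-of-band pattern, written for this page; it is not the paper's DAP implementation nor Banco do Brasil code. Everything beyond the 120 s deadline is an assumption: the enrolled mobile holds a per-device HMAC key, the per-transaction code is a random nonce, and the response is HMAC-SHA256 over the bank's own transaction record. The point it shows is the one that makes the out-of-band channel worth having: the bank verifies against what it holds, the phone signs only what it displayed, so a compromised terminal that alters either the transaction or the QR cannot make the two sides agree.

```python
# Added illustration of an out-of-band, QR-based transaction authorisation
# flow (not the paper's DAP code).  Assumed: the enrolled mobile holds a
# per-device HMAC key, the per-transaction code is a random nonce, and the
# response is HMAC-SHA256 over the bank's own transaction record.
import hashlib
import hmac
import json
import secrets
import time

CHALLENGE_TTL_S = 120  # response deadline stated in the abstract


def canonical(fields):
    # Deterministic encoding so both ends MAC byte-identical input.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class BankServer:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.device_keys = {}  # account -> HMAC key of the enrolled mobile (assumed)
        self.pending = {}      # tx_id -> (record, issued_at)
        self.done = set()      # tx_ids already consumed: replay guard

    def start_transaction(self, account, beneficiary, amount):
        """Terminal submits a transfer; returns the payload it renders as a QR."""
        record = {"tx_id": secrets.token_hex(8),
                  "nonce": secrets.token_hex(16),  # fresh code bound to this transaction
                  "account": account, "beneficiary": beneficiary, "amount": amount}
        self.pending[record["tx_id"]] = (record, self.clock())
        return json.dumps(record, sort_keys=True)

    def authorize(self, tx_id, response):
        """Second channel: the mobile posts (tx_id, response) straight to the bank."""
        if tx_id in self.done:
            return False, "replay"
        if tx_id not in self.pending:
            return False, "unknown transaction"
        record, issued_at = self.pending[tx_id]
        if self.clock() - issued_at > CHALLENGE_TTL_S:
            del self.pending[tx_id]
            return False, "expired"
        # Expected MAC is computed over the bank's own record, never over data
        # echoed back by the terminal, so a tampering terminal cannot make both sides agree.
        key = self.device_keys[record["account"]]
        expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False, "response does not match transaction"
        del self.pending[tx_id]
        self.done.add(tx_id)
        return True, "authorised"


def phone_respond(key, qr_payload, user_accepts):
    """Mobile side: decode the QR, show it to the user, sign only what was shown."""
    shown = json.loads(qr_payload)
    if not user_accepts(shown):  # user checks beneficiary/amount on the phone
        return None
    return hmac.new(key, canonical(shown), hashlib.sha256).hexdigest()


def run_flow(server, key, account, beneficiary, amount, user_accepts, tamper=None):
    """One transaction end to end; `tamper` models terminal malware rewriting the QR (assumed attack)."""
    qr = server.start_transaction(account, beneficiary, amount)
    resp = phone_respond(key, tamper(qr) if tamper else qr, user_accepts)
    if resp is None:
        return False, "rejected by user"
    return server.authorize(json.loads(qr)["tx_id"], resp)


def demo():
    """Honest flow plus four failure modes; returns each verdict by name."""
    clock = {"now": 1_000.0}
    server = BankServer(clock=lambda: clock["now"])
    key = secrets.token_bytes(32)  # assumed: shared at device enrolment
    server.device_keys["acct-1"] = key

    def wants_alice(shown):
        return shown["beneficiary"] == "ALICE"

    def relabel(qr):  # malware re-renders the QR so the phone shows ALICE
        return json.dumps({**json.loads(qr), "beneficiary": "ALICE"}, sort_keys=True)

    out = {"honest": run_flow(server, key, "acct-1", "ALICE", 100, wants_alice)}
    # malware swapped the beneficiary at the terminal; the phone shows the true record
    out["user_sees_swap"] = run_flow(server, key, "acct-1", "ATTACKER", 100, wants_alice)
    # malware also rewrites the QR; the MAC no longer covers the record the bank holds
    out["qr_rewritten"] = run_flow(server, key, "acct-1", "ATTACKER", 100, wants_alice, relabel)
    # replaying a response that already authorised a transfer
    qr = server.start_transaction("acct-1", "ALICE", 100)
    resp = phone_respond(key, qr, wants_alice)
    tx_id = json.loads(qr)["tx_id"]
    server.authorize(tx_id, resp)
    out["replay"] = server.authorize(tx_id, resp)
    # response arriving after the 120 s window
    qr = server.start_transaction("acct-1", "ALICE", 100)
    resp = phone_respond(key, qr, wants_alice)
    clock["now"] += CHALLENGE_TTL_S + 1
    out["expired"] = server.authorize(json.loads(qr)["tx_id"], resp)
    return out
```

Calling `demo()` runs the honest flow and four attacks the abstract's threat model is concerned with (a terminal that swaps the beneficiary, a terminal that also rewrites the QR, a replayed response, and a late response). Two design choices carry the security argument: the phone never trusts the terminal for the content it signs, and the bank never trusts the terminal for the content it verifies, which is why the two channels must meet only at the bank. A real deployment would additionally need key enrolment and revocation for the mobile, rate limiting on `authorize`, and a nonce space large enough that the per-transaction code cannot be guessed inside the 120 s window.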