A practical demonstration of security controls designed to mitigate critical risks in a digital banking ecosystem, modeled after Maybank. This project was developed for the TEB2093 Computer Security course.
This project addresses the critical cybersecurity risks faced by modern financial institutions. Based on a Detailed Risk Analysis (DRA) and Threat Modelling using the STRIDE framework, we identified credential theft as a primary threat. This system demonstrates the implementation of Multi-Factor Authentication (MFA) as a robust countermeasure to protect user accounts and prevent unauthorized transactions.
- User Registration & Management: Securely register new users with password hashing.
- Multi-Factor Authentication (MFA):
  - TOTP Support: Integration with Time-based One-Time Password (TOTP) authenticator apps (like Google Authenticator).
  - Simulated Email OTP: A fallback OTP mechanism for demonstration purposes.
- Secure Session Management: Generates and manages session tokens to maintain user state after login.
- Context-Aware Security: Requires re-authentication for high-value transactions.
- Rate Limiting: Prevents brute-force attacks on user accounts.
- Comprehensive Audit Logging: Logs all critical security events for compliance and forensic analysis.
- Email Validation: Ensures users provide a correctly formatted email address during registration.
To run this project, ensure the following files are in the same directory:
MaybankMFA/
├── main2.py # The main application logic and user interface.
├── database.py # Handles all database interactions (SQLite).
├── auth.py # Contains authentication helpers (hashing, MFA).
├── bank_demo.db # The SQLite database (this will be created automatically).
└── README.md # This file.
Before you begin, ensure you have the following installed:
- Python 3.6+
- pip (Python's package installer)
You will also need to install the required Python libraries:
```
pip install pyotp
```

Follow these steps to get the project running on your local machine:

- Clone or Download the Project: Save all the project files (`main2.py`, `database.py`, `auth.py`) into a single folder.
- Create a Virtual Environment (Recommended): Open your terminal or command prompt, navigate to your project folder, and run:

```
# For Windows
python -m venv .venv
.\.venv\Scripts\activate

# For macOS/Linux
python3 -m venv .venv
source .venv/bin/activate
```

- Install Dependencies: With your virtual environment active, install the `pyotp` library: `pip install pyotp`
- Run the Application: You are now ready to start the demo. In your terminal, run:

```
python main2.py
```

The database file (`bank_demo.db`) will be created automatically on the first run.
This guide walks you through the entire user flow, from registration to performing a secure transaction.
- Run the application (`python main2.py`).
- From the main menu, choose `1` to register a new user.
- Enter a valid email address (e.g., `demo.user@bank.com`).
- Enter a password.
- Upon successful registration, the system will display a TOTP Secret and a QR Code URI:

```
[SUCCESS] User registered successfully!

For enhanced security, add the following TOTP secret to your authenticator app (like Google Authenticator):
TOTP Secret: JBSWY3DPEHPK3PXP

Or scan this QR Code (using an online generator):
QR Code URI: otpauth://totp/Maybank%20Security:demo.user%40bank.com?secret=JBSWY3DPEHPK3PXP&issuer=Maybank%20Security
```

- Action: Open an authenticator app (e.g., Google Authenticator, Microsoft Authenticator) on your phone and use the "Enter a setup key" option to add the account using the provided TOTP Secret. Outside this demo, avoid pasting a TOTP secret into a third-party QR generator: it is a shared secret, and anyone who obtains it can generate valid codes.
- From the main menu, choose `2` to log in.
- Enter the email and password you just registered.
- The system will prompt you for an MFA method. Choose `1` for TOTP.
- Enter the current 6-digit code from your authenticator app.
- If successful, you will be logged in and given a full session token:

```
[SUCCESS] Login successful!

IMPORTANT: Copy the FULL session token below for the next step.
FULL SESSION TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

- From the main menu, choose `3` to simulate a transaction.
- Paste the full session token you received after logging in.
- Enter a recipient's account number and an amount (e.g., `50.00`).
- Result: The low-value transaction will be processed immediately.
- Now, try a high-value transaction. Choose `3` again, paste the token, and enter an amount over `1000.00` (e.g., `1500.00`).
- The system will trigger a new MFA challenge. Enter the new code displayed on your screen to authorize the transaction.
- From the main menu, choose `4` to view the audit log.
- The system will display a log of all recent security events, including successful logins, transactions, and MFA challenges, demonstrating a clear audit trail.
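As an added worked example (not code from the MaybankMFA project or its `auth.py`, which uses `pyotp`), the following standard-library Python models the walkthrough above end to end: TOTP enrolment that emits the same `otpauth://` URI format the README prints, login with a constant-time TOTP check and a lockout after repeated failures, a random session token with a lifetime, and the step-up MFA challenge for amounts above `1000.00`. The `Bank` class and its method names, PBKDF2 password hashing, the lockout policy (5 failures, 300 seconds) and the 900-second session lifetime are this example's assumptions; TOTP is implemented directly from RFC 6238 so the example runs without `pyotp`.

```python
"""Added example, not the MaybankMFA project's own code: a standard-library-only
model of the walkthrough above. Bank/register/login/transfer, the lockout policy,
PBKDF2 hashing and the session lifetime are this example's assumptions; the
1000.00 step-up threshold and the otpauth URI format come from the README."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote, urlencode

STEP_UP_THRESHOLD = 1000.00  # README: amounts above this need a fresh MFA challenge
MAX_FAILED = 5               # assumption: consecutive failures before lockout
LOCKOUT_SECONDS = 300        # assumption: lockout duration
SESSION_TTL = 900            # assumption: session token lifetime in seconds
TOTP_STEP = 30               # RFC 6238 default time step
PBKDF2_ROUNDS = 200_000


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the scheme authenticator apps use by default."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", at // TOTP_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code, at: int) -> bool:
    """Accept the current step and one step either side (clock skew), constant-time."""
    code = str(code or "")
    return any(hmac.compare_digest(totp(secret_b32, at + d * TOTP_STEP), code)
               for d in (-1, 0, 1))


def provisioning_uri(issuer: str, email: str, secret_b32: str) -> str:
    """otpauth:// URI in the exact form the README shows after registration."""
    label = quote(f"{issuer}:{email}", safe=":")
    query = urlencode({"secret": secret_b32, "issuer": issuer}, quote_via=quote)
    return f"otpauth://totp/{label}?{query}"


class Bank:
    def __init__(self):
        self.users = {}     # email -> record (salt, pw_hash, secret, failed, locked_until)
        self.sessions = {}  # token -> {"email", "issued"}
        self.audit = []     # (time, event, email, detail): the audit trail

    def _log(self, now, event, email, detail=""):
        self.audit.append((now, event, email, detail))

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, email, password, now, secret_b32=None):
        """Store a salted password hash and a fresh TOTP secret; return secret and URI."""
        salt = secrets.token_bytes(16)
        secret_b32 = secret_b32 or base64.b32encode(secrets.token_bytes(20)).decode()
        self.users[email] = {"salt": salt, "pw_hash": self._hash(password, salt),
                             "secret": secret_b32, "failed": 0, "locked_until": 0}
        self._log(now, "REGISTER", email)
        return secret_b32, provisioning_uri("Maybank Security", email, secret_b32)

    def _fail(self, now, email, user, event):
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED:  # rate limit: lock the account out
            user["locked_until"] = now + LOCKOUT_SECONDS
            self._log(now, "LOCKOUT", email, f"until {user['locked_until']}")
        self._log(now, event, email)

    def login(self, email, password, code, now):
        """Password + TOTP; returns a session token or None."""
        user = self.users.get(email)
        if user is None:
            self._log(now, "LOGIN_UNKNOWN_USER", email)
            return None
        if now < user["locked_until"]:
            self._log(now, "LOGIN_REJECTED_LOCKED", email)
            return None
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"]):
            self._fail(now, email, user, "LOGIN_BAD_PASSWORD")
            return None
        if not verify_totp(user["secret"], code, now):
            self._fail(now, email, user, "LOGIN_BAD_TOTP")
            return None
        user["failed"] = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "issued": now}
        self._log(now, "LOGIN_OK", email)
        return token

    def transfer(self, token, amount, now, code=None):
        """Low-value transfers go through; above the threshold a fresh TOTP is required."""
        session = self.sessions.get(token)
        if session is None:
            self._log(now, "TX_NO_SESSION", "-")
            return "NO_SESSION"
        email = session["email"]
        if now - session["issued"] > SESSION_TTL:
            del self.sessions[token]
            self._log(now, "TX_SESSION_EXPIRED", email)
            return "SESSION_EXPIRED"
        if amount > STEP_UP_THRESHOLD:
            if not verify_totp(self.users[email]["secret"], code, now):
                self._log(now, "MFA_CHALLENGE_FAILED", email, f"amount={amount:.2f}")
                return "STEP_UP_REQUIRED"
            self._log(now, "MFA_CHALLENGE_PASSED", email, f"amount={amount:.2f}")
        self._log(now, "TRANSFER", email, f"amount={amount:.2f}")
        return "OK"
```

To check the TOTP routine against a known answer, use the RFC 6238 SHA-1 test secret (the ASCII string `12345678901234567890`, Base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`): `totp(secret, 59)` must return `287082` and `totp(secret, 1111111109)` must return `081804`. Passing that secret to `register(..., secret_b32=...)` lets a scripted run of the whole flow (register, login, a `50.00` transfer, a `1500.00` transfer that is refused until a current code is supplied, five bad passwords leading to a lockout) be replayed deterministically with constructed timestamps instead of the wall clock.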
- Mitigating Credential Theft: MFA ensures that a stolen password alone is not enough to access an account.
- Defense in Depth: Multiple layers of security (password, MFA, session management) are implemented.
- Principle of Least Privilege: Session tokens grant limited, time-bound access, and a valid session alone does not authorize high-value transactions; those require a fresh MFA challenge.
- Non-Repudiation: The audit log provides evidence of user actions, so a user cannot plausibly deny a performed transaction, provided the log itself is protected from tampering.
- Incident Response: The audit log is a critical component for post-incident analysis and forensic investigation.
- Biometric Authentication: Integrate fingerprint or facial recognition for a more seamless user experience.
- Hardware Security Keys: Add support for FIDO2/WebAuthn standards.
- Adaptive Authentication: Implement risk-based authentication that adjusts security requirements based on user behavior and context.
- Real-time Notifications: Send push notifications for login attempts and transactions.
- Nur Shaheera Husna Mohd Shahril (22000926)
- Yasmeen binti Ahmad Toha (22000954)
- Muhammad Hafiez Aieman bin Mohd Azean Affendi (22001872)
- Muhammad Shahir Haikal bin Shahirul Fahizam (22001866)
Course: TEB2093 Computer Security

Instructor: Dr. Nazleeni Samiha binti Haron