64 research outputs found
Applying Machine Learning to enhance payments systems security
Ph.D. Thesis. During the last two decades, the economic losses caused by fraudulent card payment transactions have tripled. A significant percentage of the losses is due to fraud in e-commerce
transactions. Nowadays, there is a clear trend to use more and more mobile devices to make
electronic purchases, and it is estimated that this trend will continue in the coming years.
In the card payment scheme, big financial institutions process millions of transactions every
day; thus, they can model the processed transactions to predict fraud. On the other hand,
merchants process a much lower number of transactions, but they have access to valuable
information that they can collect from the devices that users utilise during the transaction.
In this thesis, we propose a series of measures to enhance the security of these two scenarios
based on past transactional data and information collected from the users’ device. Most of
the approaches proposed so far to model processed transactions were based on supervised
Machine Learning techniques. We propose a fraud detection system for card payments based
on an unsupervised machine learning technique; thus, the system may be able to recognise
new patterns of fraud.
On the other hand, we are looking far ahead, and because of the increasing use of mobile
devices to conduct payments, we propose a series of measures to enhance the security of the
mobile payment system. We have proposed user identification and verification systems
for smartphones. We base the identification and verification systems on motion data, so the
systems will not require any explicit action from users.
Appraisal of Cashless Policy on the Nigerian Financial System
The Central Bank of Nigeria (CBN) has been active in the inauguration of policies and schemes to foster the
implementation of the cashless policy in Nigeria. However, the current transition to a cashless economy raises
a lot of concerns with no substantial evidence yet to justify its implementation. This study was carried out in
order to appraise the implementation of the cashless policy since its introduction into the Nigerian financial
system in 2012 and also to examine the persistent challenges facing its implementation. In view of the above
stated objective, primary data were collected with the aid of the questionnaire, which was randomly
administered to 120 respondents ranging from First Bank, Zenith Bank and United Bank for Africa. The
banks were selected based on their total assets and the information collected covered the activities of the
CBN and that of these banks towards implementation of the cashless policy from 2012 till date. The data
collected were presented and analyzed with the aid of the Statistical Package for Social Sciences (SPSS)
using descriptive statistics and one-sample t-test. The results led to the conclusion that despite the need to
operate cashless transactions dominating the modern Nigerian economy, the cashless policy will have the
desired impact only if a lot is done to ensure the implementation of an effective cashless system.
Fintech in financial reporting and audit for fraud prevention and safeguarding equity investments
Purpose
The purpose of this paper is to explore the audit-related causes of financial scandals and advise on how emerging technologies can provide solutions thereto. Specifically, this study seeks to look at the facilitators of financial statement fraud and explain specific fintech advancements that contribute to financial information reliability for equity investments.
Design/methodology/approach
The study uses the case studies of Enron and Arthur Andersen to document the evidence of audit-related issues in historical financial scandals. Then, a comprehensive and interdisciplinary literature review at the intersection of business, accounting and engineering, provides a foundation to propose technology advancements that can solve identified problems in accounting and auditing.
Findings
The findings show that blockchain, internet of things, smart contracts and artificial intelligence solutions have different functionality and can effectively solve various financial reporting and audit-related problems. Jointly, they have a strong potential to enhance the reliability of the information in financial statements and generally change how companies operate.
Practical implications
The proposed and explained technology advancements should be of interest to all publicly listed companies and investors, as they can help safeguard equity investments, thus build investors’ trust towards the company.
Social implications
Aside from implications for capital markets participants, the study findings can materially benefit various stakeholder groups, the broader company environment and the economy.
Originality/value
This is the first paper that seeks solutions to financial fraud and audit-related financial scandals in technology and not in implementing yet another regulation. Given the recent technology advancements, the study findings provide insights into how the role of an external auditor might evolve in the future.
On the security of mobile sensors
PhD Thesis. The age of sensor technology is upon us. Sensor-rich mobile devices
are ubiquitous. Smart-phones, tablets, and wearables are increasingly
equipped with sensors such as GPS, accelerometer, Near Field Communication
(NFC), and ambient sensors. Data provided by such sensors, combined
with the fast-growing computational capabilities on mobile platforms,
offer richer and more personalised apps. However, these sensors
introduce new security challenges to the users, and make sensor management
more complicated.
In this PhD thesis, we contribute to the field of mobile sensor security by
investigating a wide spectrum of open problems in this field covering attacks
and defences, standardisation and industrial approaches, and human
dimensions. We study the problems in detail and propose solutions.
First, we propose “Tap-Tap and Pay” (TTP), a sensor-based protocol to
prevent the Mafia attack in NFC payment. The Mafia attack is a special
type of Man-In-The-Middle attack which charges the user for something
more expensive than what she intends to pay by relaying transactions
to a remote payment terminal. In TTP, a user initiates the payment by
physically tapping her mobile phone against the reader. We observe that
this tapping causes transient vibrations at both devices which are measurable
by the embedded accelerometers. Our observations indicate that
these sensor measurements are closely correlated within the same tapping,
and different if obtained from different tapping events. By comparing the
similarity between the two measurements, the bank can distinguish the
Mafia fraud apart from a legitimate NFC transaction. The experimental
results and the user feedback suggest the practical feasibility of TTP. As
compared with previous sensor-based solutions, ours is the only one that
works even when the attacker and the user are in nearby locations or share
similar ambient environments.
Second, we demonstrate an in-app attack based on a real-world problem
in contactless payment known as the card collision or card clash. A card
collision happens when more than one card (or NFC-enabled device) is
presented to the payment terminal’s field, and the terminal does not know
which card to choose. By performing experiments, we observe that the
implementation of contactless terminals in practice matches neither EMV
nor ISO standards (the two primary standards for smart card payment)
on card collision. Based on this inconsistency, we propose “NFC Payment
Spy”, a malicious app that tracks the user’s contactless payment transactions.
This app, running on a smart phone, simulates a card which
requests the payment information (amount, time, etc.) from the terminal.
When the phone and the card are both presented to a contactless
terminal (given that many people use mobile case wallets to travel light
and keep wallet essentials close to hand), our app can effectively win the
race condition over the card. This attack is the first privacy attack on
contactless payments based on the problem of card collision. By showing
the feasibility of this attack, we raise awareness of privacy and security
issues in contactless payment protocols and implementation, specifically
in the presence of new technologies for payment such as mobile platforms.
Third, we show that, apart from attacking mobile devices by having access
to the sensors through native apps, we can also perform sensor-based
attacks via mobile browsers. We examine multiple browsers on Android
and iOS platforms and study their policies in granting permissions to
JavaScript code with respect to access to motion and orientation sensor
data. Based on our observations, we identify multiple vulnerabilities,
and propose “TouchSignatures” and “PINLogger.js”, two novel attacks in
which malicious JavaScript code listens to such sensor data measurements.
We demonstrate that, despite the much lower sampling rate (compared to
a native app), a remote attacker is able to learn sensitive user information
such as physical activities, phone call timing, touch actions (tap, scroll,
hold, zoom), and PINs based on these sensor data. This is the first report
of such a JavaScript-based attack. We disclosed the above vulnerability to
the community and major mobile browser vendors classified the problem
as high-risk and fixed it accordingly.
Finally, we investigate human dimensions in the problem of sensor management.
Although different types of attacks via sensors have been known for many years, the problem of data leakage caused by sensors has remained
unsolved. While working with W3C and browser vendors to fix
the identified problem, we came to appreciate the complexity of this problem
in practice and the challenge of balancing security, usability, and functionality.
We believe a major reason for this is that users are not fully
aware of these sensors and the associated risks to their privacy and security.
Therefore, we study user understanding of mobile sensors, specifically
their risk perceptions. This is the only research to date that studies risk
perceptions for a comprehensive list of mobile sensors (25 in total). We
interview multiple participants from a range of backgrounds by providing
them with multiple self-declared questionnaires. The results indicate that
people in general do not have a good understanding of the complexities
of these sensors; hence making security judgements about these sensors
is not easy for them. We discuss how this observation, along with other
factors, renders many academic and industry solutions ineffective. This
makes the security and privacy issues of mobile sensors and other sensor-enabled
technologies an important topic to be investigated further.
An Approach to Guide Users Towards Less Revealing Internet Browsers
When browsing the Internet, HTTP headers enable both clients and servers to send extra data in their requests or responses, such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed.
The strategic implications of the current Internet design for cyber security
Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011. Cataloged from PDF version of thesis. Includes bibliographical references (p. 87-89). In the last two decades, the Internet system has evolved from a collection point of a few networks to a worldwide interconnection of millions of networks and users who connect to transact virtually all kinds of business. The evolved network system is also known as Cyberspace. The use of Cyberspace has now greatly expanded to all fields of human endeavor, far exceeding the original design projection. And even though the Internet architecture and design have been robust enough to accommodate the extended domains of uses and applications, the Internet has also become a medium used to launch all sorts of Cyber attacks that result in several undesirable consequences for users. This thesis analyzes the current Internet system architecture and design and how their flaws are exploited to launch Cyber attacks; evaluates reports from Internet traffic monitoring activities and research reports from several organizations; provides a mapping of Cyber attacks to Internet architecture and design flaw origin; conducts Internet system stakeholder analysis; derives strategic implications of the impact of Internet system weaknesses on Cyber security; and makes recommendations on the broader issues of developing effective strategies to implement Cyber security in enterprise systems that have become increasingly complex. From a global architectural design perspective, the study conducted demonstrates that although the Internet is a robust design, the lack of any means of authentication on the system is primarily responsible for the host of Cyber security issues and thus has become the bane of the system.
Following the analysis, extrapolation of facts and by inferences we conclude that the myriad of Cyber security problems will remain and continue on the current exponential growth path until the Internet and in particular the TCP/IP stack is given the ability to authenticate and that only through a collaborative effort by all stakeholders of the Internet system can the other major Cyber security issues be resolved especially as it relates to envisioning and fashioning new Cyber security centric technologies. by Charles M. Iheagwara. S.M. in Engineering and Management
Cybersecurity and the Digital Health: An Investigation on the State of the Art and the Position of the Actors
Cybercrime is increasingly exposing the health domain to growing risk. The push towards a strong connection of citizens to health services, through digitalization, has undisputed advantages. Digital health allows remote care, the use of medical devices with a high mechatronic and IT content with strong automation, and a large interconnection of hospital networks with an increasingly effective exchange of data. However, all this requires a great cybersecurity commitment—a commitment that must start with scholars in research and then reach the stakeholders. New devices and technological solutions are increasingly breaking into healthcare, and are able to change the processes of interaction in the health domain. This requires cybersecurity to become a vital part of patient safety through changes in human behaviour, technology, and processes, as part of a complete solution. All professionals involved in cybersecurity in the health domain were invited to contribute with their experiences. This book contains contributions from various experts and different fields. Aspects of cybersecurity in healthcare relating to technological advance and emerging risks were addressed. The new boundaries of this field and the impact of COVID-19 on some sectors, such as mhealth, have also been addressed. We dedicate the book to all those with different roles involved in cybersecurity in the health domain