Applying Machine Learning to enhance payments systems security

Ph. D. Thesis.During the last two decades, the economic losses because fraudulent card payment transactions have tripled. The significant percentage of losses is because of fraud on e-commerce transactions. Nowadays, there is a clear trend to use more and more mobile devices to make electronic purchases, and it is estimated that this trend will continue in the coming years. In the card payment scheme, big financial institutions process millions of transactions every day; thus, they can model the processed transactions to predict fraud. On the other hand, merchants process a much lower number of transactions, but they have access to valuable information that they can collect from the devices that users utilise during the transaction. In this thesis, we propose a series of measures to enhance the security of these two scenarios based on past transactional data and information collected from the users’ device. Most of the approaches proposed so far to model processed transactions were based on supervised Machine Learning techniques. We propose a fraud detection system for card payments based on an unsupervised machine learning technique; thus, the system may be able to recognise new patterns of fraud. On the other hand, we are looking far ahead, and because of the increment of use of mobile devices to conduct payments, we propose a series of measures to enhance the security of the mobile payment system. We have proposed a user identification and verification systems for smartphones. We base the identification and verification systems on motion data, so the systems will not require any explicit action from users

Appraisal of Cashless Policy on the Nigerian Financial System

The Central Bank of Nigeria (CBN) has been active in the inauguration of policies and schemes to foster the implementation of the cashless policy in Nigeria. However the current transition to cashless economy raises a lot of concerns with no substantial evidence yet to justify its implementation. This study was carried out in order to appraise the implementation of the cashless policy since its introduction into the Nigerian financial system in 2012 and also to examine the persistent challenges facing its implementation. In view of the above stated objective, primary data were collected with the aid of the questionnaire, which was randomly administered to 120 respondents ranging from First Bank, Zenith Bank and United Bank for Africa. The banks were selected based on their total assets and the information collected covered the activities of the CBN and that of these banks towards implementation of the cashless policy from 2012 till date.The data collected were presented and analyzed with the aid of the Statistical Package for Social Sciences (SPSS) using descriptive statistics and one-sample t-test. The results led to the conclusion that despite the need to operate cashless transactions dominating the modern Nigerian economy, the cashless policy will have the desired impact only if a lot is done to ensure the implementation of an effective cashless system

Fintech in financial reporting and audit for fraud prevention and safeguarding equity investments

Purpose The purpose of this paper is to explore the audit-related causes of financial scandals and advice on how emerging technologies can provide solutions thereto. Specifically, this study seeks to look at the facilitators of financial statement fraud and explain specific fintech advancements that contribute to financial information reliability for equity investments. Design/methodology/approach The study uses the case studies of Enron and Arthur Andersen to document the evidence of audit-related issues in historical financial scandals. Then, a comprehensive and interdisciplinary literature review at the intersection of business, accounting and engineering, provides a foundation to propose technology advancements that can solve identified problems in accounting and auditing. Findings The findings show that blockchain, internet of things, smart contracts and artificial intelligence solutions have different functionality and can effectively solve various financial reporting and audit-related problems. Jointly, they have a strong potential to enhance the reliability of the information in financial statements and generally change how companies operate. Practical implications The proposed and explained technology advancements should be of interest to all publicly listed companies and investors, as they can help safeguard equity investments, thus build investors’ trust towards the company. Social implications Aside from implications for capital markets participants, the study findings can materially benefit various stakeholder groups, the broader company environment and the economy. Originality/value This is the first paper that seeks solutions to financial fraud and audit-related financial scandals in technology and not in implementing yet another regulation. Given the recent technology advancements, the study findings provide insights into how the role of an external auditor might evolve in the future

On the security of mobile sensors

PhD ThesisThe age of sensor technology is upon us. Sensor-rich mobile devices are ubiquitous. Smart-phones, tablets, and wearables are increasingly equipped with sensors such as GPS, accelerometer, Near Field Communication (NFC), and ambient sensors. Data provided by such sensors, combined with the fast-growing computational capabilities on mobile platforms, offer richer and more personalised apps. However, these sensors introduce new security challenges to the users, and make sensor management more complicated. In this PhD thesis, we contribute to the field of mobile sensor security by investigating a wide spectrum of open problems in this field covering attacks and defences, standardisation and industrial approaches, and human dimensions. We study the problems in detail and propose solutions. First, we propose “Tap-Tap and Pay” (TTP), a sensor-based protocol to prevent the Mafia attack in NFC payment. The Mafia attack is a special type of Man-In-The-Middle attack which charges the user for something more expensive than what she intends to pay by relaying transactions to a remote payment terminal. In TTP, a user initiates the payment by physically tapping her mobile phone against the reader. We observe that this tapping causes transient vibrations at both devices which are measurable by the embedded accelerometers. Our observations indicate that these sensor measurements are closely correlated within the same tapping, and different if obtained from different tapping events. By comparing the similarity between the two measurements, the bank can distinguish the Mafia fraud apart from a legitimate NFC transaction. The experimental results and the user feedback suggest the practical feasibility of TTP. As compared with previous sensor-based solutions, ours is the only one that works even when the attacker and the user are in nearby locations or share similar ambient environments. Second, we demonstrate an in-app attack based on a real world problem in contactless payment known as the card collision or card clash. A card collision happens when more than one card (or NFC-enabled device) are presented to the payment terminal’s field, and the terminal does not know which card to choose. By performing experiments, we observe that the implementation of contactless terminals in practice matches neither EMV nor ISO standards (the two primary standards for smart card payment) on card collision. Based on this inconsistency, we propose “NFC Payment Spy”, a malicious app that tracks the user’s contactless payment transactions. This app, running on a smart phone, simulates a card which requests the payment information (amount, time, etc.) from the terminal. When the phone and the card are both presented to a contactless terminal (given that many people use mobile case wallets to travel light and keep wallet essentials close to hand), our app can effectively win the race condition over the card. This attack is the first privacy attack on contactless payments based on the problem of card collision. By showing the feasibility of this attack, we raise awareness of privacy and security issues in contactless payment protocols and implementation, specifically in the presence of new technologies for payment such as mobile platforms. Third, we show that, apart from attacking mobile devices by having access to the sensors through native apps, we can also perform sensor-based attacks via mobile browsers. We examine multiple browsers on Android and iOS platforms and study their policies in granting permissions to JavaScript code with respect to access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities, and propose “TouchSignatures” and “PINLogger.js”, two novel attacks in which malicious JavaScript code listens to such sensor data measurements. We demonstrate that, despite the much lower sampling rate (comparing to a native app), a remote attacker is able to learn sensitive user information such as physical activities, phone call timing, touch actions (tap, scroll, hold, zoom), and PINs based on these sensor data. This is the first report of such a JavaScript-based attack. We disclosed the above vulnerability to the community and major mobile browser vendors classified the problem as high-risk and fixed it accordingly. Finally, we investigate human dimensions in the problem of sensor management. Although different types of attacks via sensors have been known for many years, the problem of data leakage caused by sensors has remained unsolved. While working with W3C and browser vendors to fix the identified problem, we came to appreciate the complexity of this problem in practice and the challenge of balancing security, usability, and functionality. We believe a major reason for this is that users are not fully aware of these sensors and the associated risks to their privacy and security. Therefore, we study user understanding of mobile sensors, specifically their risk perceptions. This is the only research to date that studies risk perceptions for a comprehensive list of mobile sensors (25 in total). We interview multiple participants from a range of backgrounds by providing them with multiple self-declared questionnaires. The results indicate that people in general do not have a good understanding of the complexities of these sensors; hence making security judgements about these sensors is not easy for them. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective. This makes the security and privacy issues of mobile sensors and other sensorenabled technologies an important topic to be investigated further

An Approach to Guide Users Towards Less Revealing Internet Browsers

When browsing the Internet, HTTP headers enable both clients and servers send extra data in their requests or responses such as the User-Agent string. This string contains information related to the sender’s device, browser, and operating system. Previous research has shown that there are numerous privacy and security risks result from exposing sensitive information in the User-Agent string. For example, it enables device and browser fingerprinting and user tracking and identification. Our large analysis of thousands of User-Agent strings shows that browsers differ tremendously in the amount of information they include in their User-Agent strings. As such, our work aims at guiding users towards using less exposing browsers. In doing so, we propose to assign an exposure score to browsers based on the information they expose and vulnerability records. Thus, our contribution in this work is as follows: first, provide a full implementation that is ready to be deployed and used by users. Second, conduct a user study to identify the effectiveness and limitations of our proposed approach. Our implementation is based on using more than 52 thousand unique browsers. Our performance and validation analysis show that our solution is accurate and efficient. The source code and data set are publicly available and the solution has been deployed

The strategic implications of the current Internet design for cyber security

Thesis (S.M. in Engineering and Management)--Massachusetts Institute of Technology, Engineering Systems Division, System Design and Management Program, 2011.Cataloged from PDF version of thesis.Includes bibliographical references (p. 87-89).In the last two decades, the Internet system has evolved from a collection point of a few networks to a worldwide interconnection of millions of networks and users who connect to transact virtually all kinds of business. The evolved network system is also known as Cyberspace. The use of Cyberspace is now greatly expanded to all fields of human endeavor by far exceeding the original design projection. And even though, the Internet architecture and design has been robust enough to accommodate the extended domains of uses and applications, it has also become a medium used to launch all sorts of Cyber attacks that results into several undesirable consequences to users. This thesis analyzes the current Internet system architecture and design and how their flaws are exploited to launch Cyber attacks; evaluates reports from Internet traffic monitoring activities and research reports from several organizations; provides a mapping of Cyber attacks to Internet architecture and design flaw origin; conducts Internet system stakeholder analysis; derives strategic implications of the impact of Internet system weaknesses on Cyber security; and makes recommendations on the broader issues of developing effective strategies to implement Cyber security in enterprise systems that have increasingly become complex. From a global architectural design perspective, the study conducted demonstrates that although the Internet is a robust design, the lack of any means of authentication on the system is primarily responsible for the host of Cyber security issues and thus has become the bane of the system. Following the analysis, extrapolation of facts and by inferences we conclude that the myriad of Cyber security problems will remain and continue on the current exponential growth path until the Internet and in particular the TCP/IP stack is given the ability to authenticate and that only through a collaborative effort by all stakeholders of the Internet system can the other major Cyber security issues be resolved especially as it relates to envisioning and fashioning new Cyber security centric technologies.by Charles M. Iheagwara.S.M.in Engineering and Managemen

Cybersecurity and the Digital Health: An Investigation on the State of the Art and the Position of the Actors

Cybercrime is increasingly exposing the health domain to growing risk. The push towards a strong connection of citizens to health services, through digitalization, has undisputed advantages. Digital health allows remote care, the use of medical devices with a high mechatronic and IT content with strong automation, and a large interconnection of hospital networks with an increasingly effective exchange of data. However, all this requires a great cybersecurity commitment—a commitment that must start with scholars in research and then reach the stakeholders. New devices and technological solutions are increasingly breaking into healthcare, and are able to change the processes of interaction in the health domain. This requires cybersecurity to become a vital part of patient safety through changes in human behaviour, technology, and processes, as part of a complete solution. All professionals involved in cybersecurity in the health domain were invited to contribute with their experiences. This book contains contributions from various experts and different fields. Aspects of cybersecurity in healthcare relating to technological advance and emerging risks were addressed. The new boundaries of this field and the impact of COVID-19 on some sectors, such as mhealth, have also been addressed. We dedicate the book to all those with different roles involved in cybersecurity in the health domain