180 research outputs found

    Does the online card payment system unwittingly facilitate fraud?

    PhD Thesis. The research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are transactions in which a payment is made with a card over the Internet on a website, or over the phone. Our detailed analysis of hundreds of websites and of multiple CNP payment protocols shows that the current security architecture of the CNP payment system is not adequate to protect itself from fraud. Unintentionally, the payment system itself allows an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the most recently designed payment protocols, such as 3D Secure 2.0. We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implement the protocols, and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of each vulnerability in the payment specifications. We use practical demonstrations to show that these vulnerabilities can be exploited in the real world with ease. This presents a stronger impact message when presenting our research results to a non-technical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T

    An Approach to Near Field Data Selection in Radio Frequency Identification

    Personal identification is needed in many civil activities, and common identification cards, such as a driver's license, have become the de facto standard document. Radio frequency identification has complicated this matter. Unlike their printed predecessors, contemporary RFID cards lack a practical way for users to control access to their individual fields of data. This leaves the data more available to unauthorized parties, and more prone to abuse. Here, then, a means was undertaken to test a novel RFID card technology that allows overlays to be used for reliable, reversible data access settings. Similar to other proposed switching mechanisms, it offers advantages that may greatly improve outcomes. RFID use is increasing in identity documents such as drivers' licenses and passports, and with it concern over the theft of personal information, which can enable unauthorized tracking or fraud. Effort put into designing a strong foundation technology now may allow for widespread development on it later.

    Eesti elektrooniline ID-kaart ja selle turvaväljakutsed

    For more than 18 years, the Estonian electronic identity card (ID card) has provided a secure electronic identity for Estonian residents. The public-key cryptography and private keys stored on the card enable Estonian ID card holders to access e-services, give legally binding digital signatures and even cast an i-vote in national elections. This work provides a comprehensive study of the Estonian ID card and its security challenges. We introduce the Estonian ID card and its ecosystem by describing the involved parties and processes, the core electronic functionality of the ID card, related technical and legal concepts, and related issues. We describe the ID card smart card chip platforms used over the years and the identity document types that have been issued using these platforms. We present a detailed analysis of the asymmetric cryptography functionality provided by each ID card platform, and a description and security analysis of the ID card remote update solutions that have been provided for each platform. As a further contribution of this work, we present a systematic study of the security incidents and similar issues the Estonian ID card has experienced over the years. We describe the technical nature of each issue, the mitigation measures applied and the coverage in the media. In the course of this research, several previously unknown security issues were discovered and reported to the involved parties. The research is based on publicly available documentation, a collection of ID card certificates in circulation, information reported in the media, information from the involved parties, and our own analysis and experiments performed in the field.
    https://www.ester.ee/record=b541416

    Consumer-facing technology fraud: Economics, attack methods and potential solutions

    The emerging use of modern technologies has not only benefited society but also attracted fraudsters and criminals who misuse the technology for financial gain. Fraud over the Internet has increased dramatically, resulting in an annual loss of billions of dollars to customers and service providers worldwide. Much of this fraud directly impacts individuals, both in the case of browser-based and mobile-based Internet services and when using traditional telephony services, whether through landline phones or mobiles. It is important that users of the technology are both informed about fraud and protected from it through fraud detection and prevention systems. In this paper, we present the anatomy of fraud for different consumer-facing technologies from three broad perspectives: we discuss Internet, mobile and traditional telecommunication technologies in terms of the losses incurred through fraud over each technology, the fraud attack mechanisms, and the systems used for detecting and preventing fraud. The paper also provides recommendations for securing emerging technologies from fraud and attacks.

    Locative-Media Ethics: A Call for Protocols to Guide Interactions of People, Place, and Technologies

    Imagine yourself wherever you were 20 years ago, and that an entrepreneurial, fresh-faced, and friendly young newsboy comes to your doorstep. He asks you to subscribe to the local paper. There is no cost to this subscription, he says, but, in exchange for community news, the boy must be allowed to come into your house and look at all of your photos, even the most intimate ones, making duplicates for his boss as he sees fit. As a part of this transaction, he also gets to copy down all of the details from your desk calendar, your Rolodex, your letters, your diary, your to-do lists, your bookcase, your documents from work, anything he comes across that he finds interesting. He gets to follow you around and gather even more information about what you do, where you go, and when. He can do all of this for as long as he wants, in whatever depth he wants, and however he wants, and then can use this information freely for some vague commercial purpose. For just a free subscription, would you have taken this deal?

    Server-based and server-less BYOD solutions to support electronic learning

    Over the past 10 years, bring your own device (BYOD) has become an emerging practice across the commercial landscape and has empowered employees to conduct work-related business from the comfort of their own phone, tablet, or other personal electronic device. Currently in the Department of Defense, and specifically the Department of the Navy, no viable solution exists for the delivery of eLearning content to a service member's personal device that satisfies existing policies. The purpose of this thesis is to explore two potential solutions, a server-based method and a server-less method, both of which would allow Marines and Sailors to access eLearning course material by way of their personal devices. This thesis tests the feasibility and functionality of our server-based and server-less solutions by implementing a basic proof of concept for each. The intent is to provide a baseline from which further research and development can be conducted, and to demonstrate how these solutions present a low-risk environment that preserves government network security while still serving as a professional military education force multiplier. Both solutions, while demonstrated with limited prototypes, have the potential to finally introduce bring your own device into the Department of the Navy's eLearning realm.
    http://archive.org/details/serverbasedndser1094549343
    Captain, United States Marine Corps
    Approved for public release; distribution is unlimited

    The War on Cash: The Digitization and Privatization of Cash and a Critical Need for Regulation

    Many financial services professionals, central bankers, technologists, academics, and consumers across the world believe that we are at the dawn of a truly cashless society. In several countries, a de facto cashless society already exists. During the ongoing Covid-19 pandemic, we have seen a further acceleration of the decline, and indeed refusal, of cash transactions globally. Numerous studies focus on the benefits of cashless transactions, and in many instances peer-reviewed papers unquestioningly extol their virtues. The researcher contends that consumers are being nudged towards a positive evaluation of a cashless society because, despite varied sources of information, the financial, technology, and government sectors predominantly report its positive connotations. However, there are many downsides to cashless payments and an impending cashless society, many of which have significant and life-changing consequences for consumers and economies, yet this remains very much under-researched. The researcher contends that as a society, we cannot do nothing; we cannot allow cash to be digitized and privatized by stealth. We must turn our attention to the consequences of a cashless society so that we may identify solutions or mitigations and open a regulatory path towards a mediated transition.

    Development of Criteria for Mobile Device Cybersecurity Threat Classification and Communication Standards (CTC&CS)

    The increasing use of mobile devices and unfettered access to cyberspace have introduced new threats to users. Mobile device users are continually targeted by cybersecurity threats via vectors such as public information sharing on social media, user surveillance (geolocation, camera, etc.), phishing, malware, spyware, trojans, and keyloggers. Users are often uninformed about the cybersecurity threats posed by mobile devices. Users are held responsible for the security of their device, which includes taking precautions against cybersecurity threats. In recent years, financial institutions have been passing the costs associated with fraud on to users because of this lack of security. The purpose of this study was to design, develop, and empirically test new criteria for a Cybersecurity Threats Classification and Communication Standard (CTC&CS) for mobile devices. The conceptual foundation is based on the philosophy behind the United States Occupational Safety and Health Administration (OSHA)'s Hazard Communication Standard (HCS) of labels and pictograms, which is mainly focused on chemical substances. This study extended the HCS framework as a model to support new criteria for cybersecurity classification and communication standards. This study involved three phases. The first phase conducted two rounds of the Delphi technique and collected quantitative data from 26 Subject Matter Experts (SMEs) in round one and 22 SMEs in round two through an anonymous online survey. Phase 1 yielded six threat categories and 62 cybersecurity threats. Phase 2 operationalized the elicited and validated criteria into pictograms, labels, and safety data sheets. Using the results of phase one as a foundation, two to three pictograms, labels, and safety data sheets (SDSs) for each of the categories identified in phase one were developed, and quantitative data were collected in two rounds of the Delphi technique from 24 and 19 SMEs respectively through an online survey and analyzed. Phase 3, the main data collection phase, empirically evaluated the developed and validated pictograms, labels, and safety data sheets for their perceived effectiveness, and performed an analysis of covariance (ANCOVA) with 208 non-IT professional mobile device users. The results of this study showed that pictograms were highly effective; that is, the participants were satisfied with the characteristics of the pictograms, such as color, shapes, and visual complexity, and found these characteristics valuable. On the other hand, labels and Safety Data Sheets (SDSs) were not shown to be effective, meaning the participants were not satisfied with, or did not recognize the importance of, the characteristics of labels and SDSs. Furthermore, the ANCOVA results showed significant differences in the perceived effectiveness of SDSs by education level, and a marginally significant difference for labels, when controlling for the number of years of mobile device use. Based on these results, future research can examine discrepancies in pictogram effectiveness between different educational levels and reading levels. Research should also focus on identifying the most effective designs for pictograms within the cybersecurity context. Finally, longitudinal studies should be performed to understand the aspects that affect the effectiveness of pictograms.

    $=€=Bitcoin?

    Bitcoin (and other virtual currencies) have the potential to revolutionize the way that payments are processed, but only if they become ubiquitous. This Article argues that if virtual currencies are used at that scale, they would pose threats to the stability of the financial system—threats that have been largely unexplored to date. Such threats will arise because the ability of a virtual currency to function as money is very fragile—Bitcoin can remain money only for so long as people have confidence that bitcoins will be readily accepted by others as a means of payment. Unlike the U.S. dollar, which is backed by both a national government and a central bank, and the euro, which is at least backed by a central bank, there is no institution that can shore up confidence in Bitcoin (or any other virtual currency) in the event of a panic. This Article explores some regulatory measures that could help address the systemic risks posed by virtual currencies, but argues that the best way to contain those risks is for regulated institutions to out-compete virtual currencies by offering better payment services, thus consigning virtual currencies to a niche role in the economy. This Article therefore concludes by exploring how the distributed ledger technology pioneered by Bitcoin could be adapted to allow regulated entities to provide vastly more efficient payment services for sovereign-currency-denominated transactions, while at the same time seeking to avoid concentrating the provision of those payment services within "too big to fail" banks.