
    Does the online card payment system unwittingly facilitate fraud?

    PhD Thesis

    The research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are the transactions which include payments performed with a card over the Internet on websites, and over the phone. Our detailed analysis of hundreds of websites and of multiple CNP payment protocols shows that the current security architecture of the CNP payment system is not adequate to protect itself from fraud. Unintentionally, the payment system itself will allow an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the latest designed payment protocols like 3D Secure 2.0. We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The analysis methodology comprises UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implement the protocol, and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of the vulnerability in the payment specifications. We use practical demonstrations to show that these vulnerabilities can be exploited in the real world with ease. This presents a stronger impact message when presenting our research results to a non-technical audience. This has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T

    Secret Little Functions and Codebook for Protecting Users from Password Theft

    Abstract

    In this paper, we discuss how to prevent users' passwords from being stolen by adversaries. We propose differentiated security mechanisms in which a user has the freedom to choose a virtual password scheme ranging from weak security to strong security. The trade-off is that the stronger the scheme, the more complex the scheme may be. Among the schemes, we have a default method (i.e., the traditional password scheme), a system-recommended function, a user-specified function, a user-specified program, etc. A function/program is used to implement the virtual password concept, trading security for complexity and requiring a small amount of human computing. We further propose a codebook approach to serve as system-recommended functions and provide a security analysis. For user-specified functions, we adopt secret little functions, in which security is enhanced by hiding secret functions/algorithms. I

    IMPLEMENTING ELLIPTIC CURVE CRYPTOGRAPHY ON PC AND SMART CARD

    Elliptic Curve Cryptography (ECC) is a relatively new branch of public key cryptography. Its main advantage is that it can provide the same level of security as RSA with significantly shorter keys, which is beneficial for a smart card based implementation. It is also important as a possible alternative to RSA. This paper presents the authors' research concerning ECC and smart cards. The authors introduce their ECC prototype implementation that relies on Java Card technology and is capable of running on smart cards. Test results with various cards are attached. It is also analyzed to what extent algorithms with the complexity of ECC can be executed in a smart card environment with limited resources.

    Need To Know Before Utopian Balloon Is Popped: Security Perspective Analysis of Non-Fungible Tokens

    Non-Fungible Tokens (NFTs) have exploded into the technological and blockchain worlds, with millions of dollars' worth of cryptocurrencies such as Ethereum and Bitcoin, among others, being traded by individuals for these NFTs. NFTs are utilized by most buyers and sellers to show authenticity and sole ownership of a rare piece of work, which could be in the form of a piece of art, a video, a game, an image, a collectible, or anything the individual deems to be of great value and of interest for other individuals to pay for and own. NFTs, however, are not immune to the security and privacy issues that are already affiliated with the blockchain. This research work therefore examines the existing vulnerabilities in the blockchain, then specifically investigates vulnerabilities with NFTs. Not much research effort has been put into this area, but the studies that have been conducted centered on generic security issues related to Non-Fungible Tokens. Taxonomies are developed in this paper to classify the security threats and attacks identified by investigating the vulnerabilities of NFTs. This work will be of great assistance to investors and developers who look to enter the NFT market, as they will be provided with adequate knowledge to be aware of the security issues related to the booming market of NFTs.

    A Critical Investigation into Identifying Key Focus Areas for the Implementation of Blockchain Technology in the Mining Industry

    Thesis (PhD)--University of Pretoria, 2023.

    The value of digital information is ever-increasing as more companies utilize digital technologies such as Artificial Intelligence (AI) and the Internet of Things (IoT) to gain deeper insight into their business operations and drive productivity gains. It is therefore important to safeguard and ensure the integrity of digital information exchange. Blockchain technology (BCT) was identified as potentially providing the mining industry with a trusted system for securely exchanging digital value. However, there is little evidence or understanding of how/where BCT can be implemented and what benefits the industry could obtain. This research study provides a fundamental understanding of what the technology is in order to identify the associated capabilities and potential application benefits for the mining industry. From a technology push perspective, blockchain capabilities are used to evaluate how the technology's value drivers map to the mining industry's core value chain processes. This was done to identify potential focus areas within the mining enterprise for further research and development of blockchain applications.

    Mobile Identity, Credential, and Access Management Framework

    Organizations today gather unprecedented quantities of data from their operations. This data is coming from transactions made by a person or from a connected system/application. From personal devices to industry including government, the internet has become the primary means of modern communication, further increasing the need for a method to track and secure these devices. Protecting the integrity of connected devices collecting data is critical to ensure the trustworthiness of the system. An organization must not only know the identity of the users on their networks and have the capability of tracing the actions performed by a user but they must trust the system providing them with this knowledge. This increase in the pace of usage of personal devices along with a lack of trust in the internet has driven demand for trusted digital identities. As the world becomes increasingly mobile with the number of smart phone users growing annually and the mobile web flourishing, it is critical to implement strong security on mobile devices. To manage the vast number of devices and feel confident that a machine’s identity is verifiable, companies need to deploy digital credentialing systems with a strong root of trust. As passwords are not a secure method of authentication, mobile devices and other forms of IoT require a means of two-factor authentication that meets NIST standards. Traditionally, this has been done with Public Key Infrastructure (PKI) through the use of a smart card. Blockchain technologies combined with PKI can be utilized in such a way as to provide an identity and access management solution for the internet of things (IoT). Improvements to the security of Radio Frequency Identification (RFID) technology and various implementations of blockchain make viable options for managing the identity and access of IoT devices. 
    When PKI first began over two decades ago, it required the use of a smart card with a set of credentials known as the personal identity verification (PIV) card. The PIV card (something you have) along with a personal identification number (PIN) (something you know) were used to implement two-factor authentication. Over time, the use of PIV cards has proven challenging, as mobile devices lack the integrated smart card readers found in laptop and desktop computers. Near Field Communication (NFC) capability in most smart phones and mobile devices provides a mechanism to allow a PIV card to be read by a mobile device. In addition, the existing PKI system must be updated to meet the demands of a mobile-focused internet. Blockchain technology is the key to modernizing PKI. Together, blockchain-based PKI and NFC will provide an IoT solution that will allow industry, government, and individuals a foundation of trust in the World Wide Web that is lacking today.

    Strong authentication based on mobile application

    User authentication in online services has evolved over time from the old username and password-based approaches to current strong authentication methodologies. In particular, the smartphone app has become one of the most important ways to perform authentication. This thesis describes various authentication methods used previously and discusses possible factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile application based authentication systems. Furthermore, we take a closer look into the security of the mobile application based authentication approach. Mobile apps have various attack vectors that need to be taken into consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed during the last decades. We discuss how these mechanisms can be utilized in the mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the history of authentication and to build a view of the evolution of strong authentication. This history and the aspects of the evolution are used to state hypotheses about future research and development. We predict that the authentication systems of the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort.