
    Security Aspects of Mobile Based E Wallet

    An electronic wallet (e-wallet) is an electronic application that enables online e-commerce transactions such as purchasing goods, paying utility bills, transferring money and booking flights with a financial instrument (credit card or digital currency) using smartphones or computers. The electronic wallet is a very young concept that has rapidly taken hold in the consumer psyche; demonetization resulted in a sudden surge in the customer base of e-wallet companies. In the current scenario it is easy for an individual to download an e-wallet app and make e-payments conveniently. Since the transactions are done through a mobile device, it is preferred by most people for their online and offline cash transactions, and it is gaining attention due to its unique advantageous features. This paper tries to answer certain questions about the operational procedure of e-wallets and the kinds of e-wallet, and concludes with the security issues of e-wallets.

    Does the online card payment system unwittingly facilitate fraud?

    PhD thesis. The research work in this PhD thesis presents an extensive investigation into the security settings of Card Not Present (CNP) financial transactions. These are transactions in which a card is used to pay over the Internet on websites, or over the phone. Our detailed analysis of hundreds of websites and of multiple CNP payment protocols shows that the current security architecture of the CNP payment system is not adequate to protect itself from fraud. Unintentionally, the payment system itself allows an adversary to learn and exploit almost all of the security features put in place to protect the CNP payment system from fraud. With insecure modes of accepting payments, the online payment system paves the way for cybercriminals to abuse even the most recently designed payment protocols, such as 3D Secure 2.0. We follow a structured analysis methodology which identifies vulnerabilities in the CNP payment protocols and demonstrates the impact of these vulnerabilities on the overall payment system. The methodology comprises UML diagrams and reference tables which describe the CNP payment protocol sequences, software tools which implement the protocols, and practical demonstrations of the research results. Detailed referencing of the online payment specifications provides a documented link between the exploitable vulnerabilities observed in real implementations and the source of each vulnerability in the payment specifications. We use practical demonstrations to show that these vulnerabilities can be exploited in the real world with ease. This presents a stronger impact message when presenting our research results to a non-technical audience, and has helped to raise awareness of security issues relating to payment cards, with our work appearing in the media, radio and T

    Strong authentication based on mobile application

    User authentication in online services has evolved over time from the old username-and-password approaches to current strong authentication methodologies. In particular, the smartphone app has become one of the most important means of performing authentication. This thesis describes various authentication methods used previously and discusses the factors that generated the demand for the current strong authentication approach. We present the concepts and architectures of mobile-application-based authentication systems. Furthermore, we take a closer look at the security of the mobile-application-based authentication approach. Mobile apps have various attack vectors that need to be taken into consideration when designing an authentication system. Fortunately, various generic software protection mechanisms have been developed over the last decades. We discuss how these mechanisms can be utilized in the mobile app environment and in the authentication context. The main idea of this thesis is to gather relevant information about the history of authentication and to build a view of the evolution of strong authentication. This history and the aspects of the evolution are used to state hypotheses about future research and development. We predict that authentication systems in the future may be based on a holistic view of the behavioral patterns and physical properties of the user. Machine learning may be used in the future to implement an autonomous authentication concept that enables users to be authenticated with minimal physical or cognitive effort.

    One Step Closer To European Union: Smart Card Technology In Turkey

    Europe and Asia are competing to deploy smart cards for functions from banking to retailing to telecommunications. This study analyzes factors that contribute to the implementation of smart card technology, focusing on smart card and magnetic card technologies in the financial industry in Turkey. The paper examines the effects of technological and business factors on Turkish banks, such as Akbank, Deniz Bank, Garanti Bankasi, and Tekstil Bank. The business factors are budgeting, culture, customization, and loyalty, and the technical factors are infrastructure, multi-functionality, payment speed, and transaction security. This exploratory study will assist international and local entrepreneurial entrants to the financial industry in Turkey in taking advantage of smart card technology.

    AN EVALUATION OF A BIOMETRIC ENABLED CREDIT CARD FOR PROVIDING HIGH AUTHENTICITY IDENTITY PROOFING DURING THE TRANSACTION AUTHENTICATION PROCESS

    Credit card fraud has continued to grow despite efforts to protect financial data from breaches of financial institutions. Data breaches of financial transaction records over the past decade have impacted millions of U.S. consumers, resulting in decreased consumer confidence in security. Banking institutions that lose money to fraud are forced to raise interest rates and increase fees for their cardholders; the costs of fraud are passed to the banking institution's customers to offset the losses. Detecting and eliminating fraud before it occurs is therefore mutually beneficial to both the banking institution and cardholders. Credit card companies continue to focus on methods for identifying fraudulent transactions as they occur and on validating account owners, and financial institutions use various models to alert consumers of potential fraud in real time. Current authorization models that validate the identity of the account holder during the transaction, however, are limited or nonexistent. Many consumers are not required to provide any form of identification or signature proving identity for small purchase amounts, and for purchases requiring validation, consumers can validate a transaction with a simple, unverified signature mark at a merchant terminal. The introduction of the chip card added an element of security, but it can be combined with additional user authentication methods. To provide a more secure financial transaction, identity verification as a user authentication method can be realized through biometrics, most commonly a fingerprint, and can be achieved through merchant touch-screen credit card terminals or mobile purchasing applications. A physical credit card with an embedded fingerprint sensor places user authentication at the point of sale, providing real-time validation that the user is the account owner, with the biometric fingerprint serving as both identity proof and signature. This research seeks to evaluate the biometric-enabled physical credit card in an effort to increase the level of credit card transaction security and reduce the occurrence of fraud.

    A Chip off the Old Block or a New Direction for Payment Card Security? The Law and Economics of the U.S. Transition to EMV

    Article published in the Michigan State Law Review

    On the security of mobile sensors

    PhD thesis. The age of sensor technology is upon us. Sensor-rich mobile devices are ubiquitous: smartphones, tablets, and wearables are increasingly equipped with sensors such as GPS, accelerometers, Near Field Communication (NFC), and ambient sensors. Data provided by such sensors, combined with the fast-growing computational capabilities of mobile platforms, enable richer and more personalised apps. However, these sensors introduce new security challenges for users and make sensor management more complicated. In this PhD thesis, we contribute to the field of mobile sensor security by investigating a wide spectrum of open problems in the field, covering attacks and defences, standardisation and industrial approaches, and human dimensions. We study the problems in detail and propose solutions. First, we propose "Tap-Tap and Pay" (TTP), a sensor-based protocol to prevent the Mafia attack in NFC payment. The Mafia attack is a special type of man-in-the-middle attack which charges the user for something more expensive than what she intends to pay by relaying the transaction to a remote payment terminal. In TTP, the user initiates the payment by physically tapping her mobile phone against the reader. We observe that this tapping causes transient vibrations at both devices which are measurable by the embedded accelerometers. Our observations indicate that these sensor measurements are closely correlated within the same tapping event, and different if obtained from different tapping events. By comparing the similarity of the two measurements, the bank can distinguish Mafia fraud from a legitimate NFC transaction. The experimental results and the user feedback suggest the practical feasibility of TTP. Compared with previous sensor-based solutions, ours is the only one that works even when the attacker and the user are in nearby locations or share a similar ambient environment.
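The bank-side comparison that TTP relies on, as an added illustration rather than the thesis's own code: two accelerometer traces are standardised (so the reader and the phone may sense the same impact at different amplitudes), then compared by peak normalised cross-correlation over a small lag window that absorbs the clock offset between the devices. The traces here are constructed damped oscillations, not real sensor data; the cross-correlation measure, the lag window and the 0.8 decision threshold are assumptions of this example, not values taken from the thesis.

```python
import math
import random


def tap_trace(freq, decay, onset, noise_seed, gain=1.0, n=64, noise=0.01):
    """Constructed accelerometer-magnitude trace (not real sensor data).

    The window is quiet until `onset`, then shows a damped oscillation whose
    `freq` and `decay` stand in for the mechanical signature of one physical
    tap. `gain` models the two devices sensing the same impact at different
    amplitudes, `noise` adds Gaussian sensor noise, `noise_seed` makes the
    trace reproducible.
    """
    rng = random.Random(noise_seed)
    trace = []
    for i in range(n):
        t = i - onset
        signal = 0.0 if t < 0 else gain * math.exp(-t / decay) * math.sin(freq * t)
        trace.append(signal + rng.gauss(0.0, noise))
    return trace


def _standardize(x):
    """Zero-mean, unit-norm copy so amplitude differences do not matter."""
    mean = sum(x) / len(x)
    centered = [v - mean for v in x]
    norm = math.sqrt(sum(v * v for v in centered)) or 1.0
    return [v / norm for v in centered]


def max_xcorr(a, b, max_lag=8):
    """Peak normalised cross-correlation over a small lag window.

    The lag search absorbs the clock offset between phone and reader; the
    result lies in [-1, 1] and is close to 1 for two views of the same tap.
    """
    a, b = _standardize(a), _standardize(b)
    n = len(a)
    best = -1.0
    for lag in range(-max_lag, max_lag + 1):
        score = sum(a[i] * b[i + lag] for i in range(n) if 0 <= i + lag < n)
        best = max(best, score)
    return best


# Assumed decision threshold for this example; the thesis tunes its own
# from experiments with real tapping events.
SIMILARITY_THRESHOLD = 0.8


def same_tap(phone_trace, reader_trace, threshold=SIMILARITY_THRESHOLD):
    """Bank-side check: accept only if both traces witnessed the same tap."""
    return max_xcorr(phone_trace, reader_trace) >= threshold


def demo():
    """Genuine tap versus a relayed (Mafia) transaction, on constructed data."""
    phone = tap_trace(freq=1.3, decay=6.0, onset=12, noise_seed=1)
    # Genuine: the reader feels the same impact, two samples later and fainter.
    genuine_reader = tap_trace(freq=1.3, decay=6.0, onset=14, noise_seed=2, gain=0.5)
    # Mafia fraud: the real terminal is tapped by the attacker's relay device,
    # so it records a physically different tap than the victim's phone did.
    relayed_reader = tap_trace(freq=2.1, decay=3.0, onset=14, noise_seed=3, gain=0.5)
    return {
        "genuine": same_tap(phone, genuine_reader),
        "relayed": same_tap(phone, relayed_reader),
    }


if __name__ == "__main__":
    print(demo())
```

Because the check compares the shape of the vibration rather than its timing or ambient conditions, an attacker standing next to the victim gains nothing: the relayed terminal still experiences the attacker's tap, not the victim's, which is the property the thesis claims over earlier ambient-sensor defences.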
    Second, we demonstrate an in-app attack based on a real-world problem in contactless payment known as card collision or card clash. A card collision happens when more than one card (or NFC-enabled device) is presented to the payment terminal's field and the terminal does not know which card to choose. Through experiments, we observe that the implementation of contactless terminals in practice matches neither the EMV nor the ISO standards (the two primary standards for smart card payment) on card collision. Based on this inconsistency, we propose "NFC Payment Spy", a malicious app that tracks the user's contactless payment transactions. This app, running on a smartphone, simulates a card which requests the payment information (amount, time, etc.) from the terminal. When the phone and the card are both presented to a contactless terminal (many people use mobile case wallets to travel light and keep wallet essentials close to hand), our app can effectively win the race over the card. This is the first privacy attack on contactless payments based on the card collision problem. By showing the feasibility of this attack, we raise awareness of privacy and security issues in contactless payment protocols and implementations, specifically in the presence of new payment technologies such as mobile platforms. Third, we show that, apart from attacking mobile devices by accessing the sensors through native apps, we can also perform sensor-based attacks via mobile browsers. We examine multiple browsers on the Android and iOS platforms and study their policies for granting JavaScript code access to motion and orientation sensor data. Based on our observations, we identify multiple vulnerabilities and propose "TouchSignatures" and "PINLogger.js", two novel attacks in which malicious JavaScript code listens to such sensor measurements. We demonstrate that, despite the much lower sampling rate (compared to a native app), a remote attacker is able to learn sensitive user information such as physical activities, phone call timing, touch actions (tap, scroll, hold, zoom), and PINs from these sensor data. This is the first report of such a JavaScript-based attack. We disclosed the vulnerability to the community, and major mobile browser vendors classified the problem as high-risk and fixed it accordingly. Finally, we investigate the human dimensions of the sensor management problem. Although different types of attacks via sensors have been known for many years, the problem of data leakage caused by sensors has remained unsolved. While working with the W3C and browser vendors to fix the identified problem, we came to appreciate the complexity of this problem in practice and the challenge of balancing security, usability, and functionality. We believe a major reason for this is that users are not fully aware of these sensors and the associated risks to their privacy and security. Therefore, we study user understanding of mobile sensors, specifically their risk perceptions. This is the only research to date that studies risk perceptions for a comprehensive list of mobile sensors (25 in total). We interview multiple participants from a range of backgrounds using several self-reported questionnaires. The results indicate that people in general do not have a good understanding of the complexities of these sensors, so making security judgements about them is not easy. We discuss how this observation, along with other factors, renders many academic and industry solutions ineffective. This makes the security and privacy issues of mobile sensors and other sensor-enabled technologies an important topic for further investigation.

    Regulation for E-payment Systems - Analytical Approaches Beyond Private Ordering

    Technology-driven payment instruments and services are facilitating the development of e-commerce; however, security concerns beleaguer their implementation, particularly in developing countries. This article considers the limits of private ordering in the regulation of e-payment systems. It uses Nigeria to exemplify a developing country that is increasingly pushing for the adoption of a regulatory framework for e-payment systems based on private ordering. It argues that, although technical standards and self-regulation by the financial industry are important, law is an essential regulatory mechanism that is largely absent. The article proposes that law be used as a mechanism to set and compel compliance with technical and industry standards, thus building trust, catering to public interest concerns and legitimizing the regulatory process

    ELECTRONIC COMMERCE SECURITY IN THE CONTEXT OF THE MEANS OF PAYMENT DEMATERIALIZATION

    Some aspects of electronic commerce, electronic vulnerabilities, electronic means of payment, digital money and electronic micropayments are presented first. A method for assessing the quality of e-commerce applications and websites is then presented. This method is adapted from an operational point of view, developed and implemented in the study of the security of electronic micropayment systems, with the purpose of analyzing and evaluating their security in the context of the dematerialization of means of payment.
    Keywords: e-commerce, micropayment, security, encryption, digital economy, EWAM

    Analysis and evaluation of security developments in electronic payment methods

    This master's thesis, "Analysis and Evaluation of Security Developments in Electronic Payment Methods", aims to provide a compendium of the technologies and standards used in today's payment card transactions, since no such compendium is available today. The thesis also evaluates the security of the technologies used and the amount of effort required of merchants to comply with the Payment Card Industry Data Security Standard (PCI DSS). With the results of these evaluations, it was possible to make recommendations to merchants accepting payment cards as a form of payment and to the manufacturers of payment cards. The recommendations aim to increase the security of card payment transactions.