705 research outputs found
Provably Unlinkable Smart Card-based Payments
The most prevalent smart card-based payment method, EMV, currently offers no
privacy to its users. Transaction details and the card number are sent in
cleartext, enabling the profiling and tracking of cardholders. Since public
awareness of privacy issues is growing and legislation, such as GDPR, is
emerging, we believe it is necessary to investigate the possibility of making
payments anonymous and unlinkable without compromising essential security
guarantees and functional properties of EMV. This paper draws attention to
trade-offs between functional and privacy requirements in the design of such a
protocol. We present the UTX protocol - an enhanced payment protocol satisfying
such requirements, and we formally certify key security and privacy properties
using techniques based on the applied pi-calculus
Recommended from our members
Managing near field communication (NFC) payment applications through cloud computing
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The Near Field Communication (NFC) technology is a short-range radio communication channel which enables users to exchange data between devices. NFC provides a contactless technology for data transmission between smart phones, Personal Computers (PCs), Personal Digital Assistants (PDAs) and such devices. It enables the mobile phone to act as identification and a credit card for customers. However, the NFC chip can act as a reader as well as a card, and also be used to design symmetric protocols. Having several parties involved in NFC ecosystem and not having a common standard affects the security of this technology where all the parties are claiming to have access to clientâs information (e.g. bank account details).
The dynamic relationships of the parties in an NFC transaction process make them partners in a way that sometimes they share their access permissions on the applications that are running in the service environment. These parties can only access their part of involvement as they are not fully aware of each otherâs rights and access permissions. The lack of knowledge between involved parties makes the management and ownership of the NFC ecosystem very puzzling. To solve this issue, a security module that is called Secure Element (SE) is designed to be the base of the security for NFC. However, there are still some security issues with SE personalization, management, ownership and architecture that can be exploitable by attackers and delay the adaption of NFC payment technology. Reorganizing and describing what is required for the success of this technology have motivated us to extend the current NFC ecosystem models to accelerate the development of this business area. One of the technologies that can be used to ensure secure NFC transactions is cloud computing which offers wide range advantages compared to the use of SE as a single entity in an NFC enabled mobile phone. We believe cloud computing can solve many issues in regards to NFC application management. Therefore, in the first contribution of part of this thesis we propose a new payment model called âNFC Cloud Wallet". This model demonstrates a reliable structure of an NFC ecosystem which satisfies the requirements of an NFC payment during the development process in a systematic, manageable, and effective way
Analysis and evaluation of security developments in electronic payment methods
This master thesis with the name "Analysis and Evaluation of Security Developments in Electronic Payment Methods," aims to make a compendium of the technologies and standards used on today's payment card transactions since there is no such compendium available today. This thesis also evaluates the security of the technologies used and the amount of effort required by merchants for the compliance of the Payment Card Industry Data Security Standard (PCI DSS). With the results of these evaluations, it was possible to make recommendations to the merchants using payment cards as a form of payment and to the manufacturers of payment cards. Recommendations that its intention is to increase the security of the card payment transactions
Mobile Authentication with NFC enabled Smartphones
Smartphones are becoming increasingly more deployed and as such new possibilities for utilizing the smartphones many capabilities for public and private use are arising. This project will investigate the possibility of using smartphones as a platform for authentication and access control, using near field communication (NFC). To achieve the necessary security for authentication and access control purposes, cryptographic concepts such as public keys, challenge-response and digital signatures are used. To focus the investigation a case study is performed based on the authentication and access control needs of an educational institutions student ID. To gain a more practical understanding of the challenges mobile authentication encounters, a prototype has successfully been developed on the basis of the investigation. The case study performed in this project argues that NFC as a standalone technology is not yet mature to support the advanced communication required by this case. However, combining NFC with other communication technologies such as Bluetooth has proven to be effective. As a result, a general evaluation has been performed on several aspects of the prototype, such as cost-effectiveness, usability, performance and security to evaluate the viability of mobile authentication
The Cryptographic Security of the German Electronic Identity Card
In November 2010, the German government started to issue the new electronic identity card (eID) to its citizens. Besides its original utilization as a âvisualâ identification document, the eID card can be used by the cardholder to prove oneâs identity at border control and to enhance security of authentication processes over the Internet, with the eID card serving as a token to reliably
transmit personal data to service providers or terminals, respectively. To this end, the German Federal Office for Information Security (BSI) proposed several cryptographic protocols now deployed on the eID card.
The Password Authenticated Connection Establishment (PACE) protocol secures the wireless communication between the eID card and the userâs local card reader, based on a cryptographically weak password like the PIN chosen by the card owner. Subsequently, the Extended Access Control (EAC) protocol is executed by the chip and the service provider to mutually authenticate and agree on a shared secret session key. This key is then used in the secure channel protocol, called Secure Messaging (SM). Finally, an optional protocol,
called Restricted Identification (RI), provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not by malicious ones).
This thesis consists of two parts. First, we present the above protocols and provide a rigorous analysis on their security from a cryptographic point of view. We show that the Germen eID card provides reasonable security for authentication and exchange of sensitive information allaying concerns regarding its usage.
In the second part of this thesis, we introduce two possible modifications to enhance the security of these protocols even further. Namely, we show how to (a) add to PACE an additional efficient chip authentication step, and (b) augment RI to allow also for signatures under pseudonyms
Cooperating broadcast and cellular conditional access system for digital television
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University.The lack of interoperability between PayâTV service providers and a horizontally integrated business transaction model have compromised the competition in the PayâTV market. In addition, the lack of interactivity with customers has resulted in high churn rate and improper security measures have contributed into considerable business loss. These issues are the main cause of high operational costs and subscription fees in the PayâTV systems.
This paper presents a novel endâtoâend system architecture for PayâTV systems cooperating mobile and broadcasting technologies. It provides a costâeffective, scalable, dynamic and secure access control mechanism supporting converged services and new business opportunities in PayâTV systems. It enhances interactivity, security and potentially reduces customer attrition and operational cost. In this platform, service providers can effectively interact with their customers, personalise their services and adopt appropriate security measures. It breaks up the rigid relationship between a viewer and setâtop box as imposed by traditional conditional access systems, thus, a viewer can fully enjoy his entitlements via an arbitrary setâtop box.
Having thoroughly considered stateâofâtheâart technologies currently being used across the world, the thesis highlights novel use cases and presents the full design and implementation aspects of the system. The design section is enriched by providing possible security structures supported thereby. A business collaboration structure is proposed, followed by a reference model for implementing the system. Finally, the security architectures are analysed to propose the best architecture on the basis of security, complexity and setâtop box production cost criteria
Electronic Payment Systems Observatory (ePSO). Newsletter Issues 9-15
Abstract not availableJRC.J-Institute for Prospective Technological Studies (Seville
Contactless payments :usability at the cost of security?
PhD ThesisEMV (Europay, MasterCard, Visa), commonly termed âChip & PINâ, is becoming the dominant card
based payment technology globally. The EMV Chip & PIN transaction protocol was originally
designed to operate in an environment where the card was physically inserted into the POS terminal /
ATM and used a wired connection to communicate. The introduction of EMV contactless payments
technology raises an interesting question âhas usability been improved at the cost of security?â.
Specifically, to make contactless payments more convenient / usable, a wireless interface has been
added to EMV cards and PIN entry has been waived for contactless payments. Do these new usability
features make contactless cards less secure?
This PhD thesis presents an analysis of the security of the EMV contactless payments. It considers
the security of the EMV contactless transaction protocols as stand-alone processes and the wider
impact of contactless technology upon the security of the EMV card payment system as a whole.
The thesis contributes a structured analysis methodology which identifies vulnerabilities in the EMV
protocol and demonstrates the impact of these vulnerabilities on the EMV payment system. The
analysis methodology comprises UML diagrams and reference tables which describe the EMV
protocol sequences, a protocol emulator which implements the protocol, a Z abstract model of the
protocol and practical demonstrations of the research results. Detailed referencing of the EMV
specifications provide a documented link between the exploitable vulnerabilities observed in real
EMV cards and the source of the vulnerability in the EMV specifications.
Our analysis methodology has identified two previously undocumented vulnerabilities in the EMV
contactless transaction protocol. The potential existence of these vulnerabilities was identified using
the Z abstract model with the protocol emulator providing experimental confirmation of the potential
for real-world exploitation of the vulnerabilities and test results quantifying the extent of the impact.
Once a vulnerability has been shown to be exploitable using the protocol emulator, we use practical
demonstrations to show that these vulnerabilities can be exploited in the real-world using off-the-shelf
equipment. This presents a stronger impact message when presenting our research results to a nontechnical
audience. This has helped to raise awareness of security issues relating to EMV contactless
cards, with our work appearing in the media, radio and TV
- âŠ