7,742 research outputs found
Chip and Skim: cloning EMV cards with the pre-play attack
EMV, also known as "Chip and PIN", is the leading system for card payments
worldwide. It is used throughout Europe and much of Asia, and is starting to be
introduced in North America too. Payment cards contain a chip so they can
execute an authentication protocol. This protocol requires point-of-sale (POS)
terminals or ATMs to generate a nonce, called the unpredictable number, for
each transaction to ensure it is fresh. We have discovered that some EMV
implementers have merely used counters, timestamps or home-grown algorithms to
supply this number. This exposes them to a "pre-play" attack which is
indistinguishable from card cloning from the standpoint of the logs available
to the card-issuing bank, and can be carried out even if it is impossible to
clone a card physically (in the sense of extracting the key material and
loading it into another card). Card cloning is the very type of fraud that EMV
was supposed to prevent. We describe how we detected the vulnerability, a
survey methodology we developed to chart the scope of the weakness, evidence
from ATM and terminal experiments in the field, and our implementation of
proof-of-concept attacks. We found flaws in widely-used ATMs from the largest
manufacturers. We can now explain at least some of the increasing number of
frauds in which victims are refused refunds by banks which claim that EMV cards
cannot be cloned and that a customer involved in a dispute must therefore be
mistaken or complicit. Pre-play attacks may also be carried out by malware in
an ATM or POS terminal, or by a man-in-the-middle between the terminal and the
acquirer. We explore the design and implementation mistakes that enabled the
flaw to evade detection until now: shortcomings of the EMV specification, of
the EMV kernel certification process, of implementation testing, formal
analysis, or monitoring customer complaints. Finally we discuss
countermeasures
Providing Authentication & Authorization Mechanisms for Active Service Charging
Active network technology enables fast deployment of new network services tailored to the specific needs of end users, among others features. Nevertheless proper charging for these new added value services require suitable authentication and authorization mechanisms. In this article we describe a security architecture for SARA (Simple Active Router-Assistant) architecture, an active network platform deployed in the context of the IST-GCAP project. The proposed solution provides all the required security features, and it also grants proper scalability of the overall system, by using a distributed key-generation algorithm.Publicad
Greater Privacy Protection for Online Credit Card Payment
Privacy is always one of the primary concerns in electronic commerce. Consumers must have the right to keep their buying habits and personal information confidential, especially when it comes to on-line credit card payment. Not just only because this payment method has been becoming the trend of modern consuming practice, but also it involves the sensitivity of privacy information. Based on the need-to-know principle, transaction information should be distributed properly among participants to be against aggregation and analysis. In this paper, the privacy required for on-line credit card payment is described, and the privacy protection on three common payment protocols such as SSL, SET and 3D SET are also analyzed in detail. Two solutions are then proposed to enhance privacy protection for cardholder
A Purchase Protocol with Multichannel Authentication
While online shopping are becoming more accepted by people in modern life, cardholders are more concerned about card fraud and the lack of cardholder authentication in the current online credit card payment. This paper proposes a purchase protocol with live cardholder authentication for online transaction which combines telephone banking and online banking together. The order information and payment information are sent though the Internet and encrypted by asymmetric key encryption. The cardholder is authenticated by the card issuing bank ringing back at the customer’s phone number and the cardholder inputting the secure PIN and the amount to pay. The multichannel authentication makes the cardholder feel secure and card fraud difficult. Furthermore, the protocol does not require the cardholder to obtain public key certificates or install additional software for the online transactionPeer reviewe
An empirical analysis of smart contracts: platforms, applications, and design patterns
Smart contracts are computer programs that can be consistently executed by a
network of mutually distrusting nodes, without the arbitration of a trusted
authority. Because of their resilience to tampering, smart contracts are
appealing in many scenarios, especially in those which require transfers of
money to respect certain agreed rules (like in financial services and in
games). Over the last few years many platforms for smart contracts have been
proposed, and some of them have been actually implemented and used. We study
how the notion of smart contract is interpreted in some of these platforms.
Focussing on the two most widespread ones, Bitcoin and Ethereum, we quantify
the usage of smart contracts in relation to their application domain. We also
analyse the most common programming patterns in Ethereum, where the source code
of smart contracts is available.Comment: WTSC 201
Anonymous reputation based reservations in e-commerce (AMNESIC)
Online reservation systems have grown over the last recent
years to facilitate the purchase of goods and services. Generally,
reservation systems require that customers provide
some personal data to make a reservation effective. With
this data, service providers can check the consumer history
and decide if the user is trustable enough to get the reserve.
Although the reputation of a user is a good metric to implement
the access control of the system, providing personal
and sensitive data to the system presents high privacy risks,
since the interests of a user are totally known and tracked
by an external entity. In this paper we design an anonymous
reservation protocol that uses reputations to profile
the users and control their access to the offered services, but
at the same time it preserves their privacy not only from the
seller but the service provider
A SECURE ONLINE PAYMENT SYSTEM
An online payment system allows a customer to make a payment to an online merchant or a service provider. Payment gateways, a channel between customers and payment processors, use various security tools to secure a customer’s payment information, usually debit or credit card information, during an online payment. However, the security provided by a payment gateway cannot completely protect a customer’s payment information when a merchant also has the ability to obtain the payment information in some form. Furthermore, not all merchants provide a secure payment environment to their customers and, despite having a standard payment policy, adhere to it. Consequently, this exposes a customer’s payment information to risks of being compromised or misused by merchants or stolen by hackers and spammers. In this thesis we propose a new approach to payment systems in which a customer’s payment information cannot be obtained by a merchant. A customer sends his payment information directly to a payment gateway and a payment gateway, upon verifying the transaction, sends a payment to the appropriate merchant. We use the Pedersen commitment scheme along with dual signatures to securely transfer funds to a merchant and protect a customer’s payment information from any Internet vulnerabilities
- …