27 research outputs found

    Securing Plastic Money Using an RFID Based Protocol Stack

    Since 2006, there have been three major systems that have been implemented in an attempt to reduce the threat of credit card fraud - Chip and PIN (United Kingdom), Chip Authentication Program - CAP (European Union), and RFID enabled credit cards (United States of America). In spite of a big effort by the EMV (EMV Co.: a body comprising Europay, Mastercard, and Visa which develops standards for credit card interaction), there has been little evidence to demonstrate the success of these schemes in stopping fraudsters, scammers, and identity thieves. This may be attributed to combinations of poor usability, lack of trusted interfaces, the absence of smart-card cryptography that takes full advantage of the available computation resources, and inadequate authentication protocols. In this paper, we explain the shortcomings and vulnerabilities of each of these systems, and then explain requirements of a secure and usable cashless payment system. We also describe a new RFID based protocol stack - SECAPS (Secure Cashless Payment System), which obviates many of the attacks on the current schemes by using the newly available computation resources on modern RFID Tags.

    A Survey on the Evolution of Cryptographic Protocols in ePassports

    ePassports are biometric identification documents that contain RFID Tags and are primarily used for border security. The embedded RFID Tags are capable of storing data, performing low cost computations and cryptography, and communicating wirelessly. Since 2004, we have witnessed the development and widespread deployment of three generations of electronic passports - The ICAO First Generation ePassport (2004), Extended Access Control (EAC v1.0) ePassports (2006), and Extended Access Control with Password Authentication and Connection Establishment (EAC v2.1) ePassports (2008). Currently, over thirty million ePassports have been issued around the world. In this paper, we provide an introductory study of the technologies implemented in ePassports - Biometrics, RFID, and Public Key Infrastructures - and then go on to analyze the protocols implemented in each of the three generations of ePassports. Finally, we point out their shortcomings and scope for future related research.

    ATOM: A Generalizable Technique for Inferring Tracker-Advertiser Data Sharing in the Online Behavioral Advertising Ecosystem

    Data sharing between online trackers and advertisers is a key component in online behavioral advertising. This sharing can be facilitated through a variety of processes, including those not observable to the user's browser. The unobservability of these processes limits the ability of researchers and auditors seeking to verify compliance with regulations which require complete disclosure of data sharing partners. Unfortunately, the applicability of existing techniques to make inferences about unobservable data sharing relationships is limited due to their dependence on protocol- or case-specific artifacts of the online behavioral advertising ecosystem (e.g., they work only when client-side header bidding is used for ad delivery or when advertisers perform ad retargeting). As behavioral advertising technologies continue to evolve rapidly, the availability of these artifacts and the effectiveness of transparency solutions dependent on them remain ephemeral. In this paper, we propose a generalizable technique, called ATOM, to infer data sharing relationships between online trackers and advertisers. ATOM is different from prior work in that it is universally applicable -- i.e., independent of ad delivery protocols or availability of artifacts. ATOM leverages the insight that by the very nature of behavioral advertising, ad creatives themselves can be used to infer data sharing between trackers and advertisers -- after all, the topics and brands showcased in an ad are dependent on the data available to the advertiser. Therefore, by selectively blocking trackers and monitoring changes in the characteristics of ads delivered by advertisers, ATOM is able to identify data sharing relationships between trackers and advertisers. The relationships discovered by our implementation of ATOM include those not found using prior approaches and are validated by external sources.

    Comment: Accepted at PETS'22 16 Pages 3 Tables 2 Figure

    Fuzzy Privacy Preserving Peer-to-Peer Reputation Management

    The P2PRep algorithm is a reputation-management mechanism in which a peer uses fuzzy techniques to compute local reputations and aggregates these results to compute a global reputation for another peer which has made an offer of service. While this mechanism is known to be extremely effective in the presence of malicious peers, it has one drawback: it does not preserve the anonymity of peers in the network during the voting phase of the protocol. This makes it unsuitable for use in networks which associate peers with a routing identifier such as an IP address. In this paper, we propose a solution to this problem - the 3PRep (Privacy Preserving P2PRep) algorithm, which implements two protocols to maintain vote privacy in P2PRep without significant additional computation and communications overhead. In doing so, we also provide a method to compute the Ordered Weighted Average (OWA) over distributed datasets while maintaining privacy of these data.

    The Inventory is Dark and Full of Misinformation: Understanding the Abuse of Ad Inventory Pooling in the Ad-Tech Supply Chain

    Ad-tech enables publishers to programmatically sell their ad inventory to millions of demand partners through a complex supply chain. Bogus or low quality publishers can exploit the opaque nature of the ad-tech to deceptively monetize their ad inventory. In this paper, we investigate for the first time how misinformation sites subvert the ad-tech transparency standards and pool their ad inventory with unrelated sites to circumvent brand safety protections. We find that a few major ad exchanges are disproportionately responsible for the dark pools that are exploited by misinformation websites. We further find evidence that dark pooling allows misinformation sites to deceptively sell their ad inventory to reputable brands. We conclude with a discussion of potential countermeasures such as better vetting of ad exchange partners, adoption of new ad-tech transparency standards that enable end-to-end validation of the ad-tech supply chain, as well as widespread deployment of independent audits like ours.

    Comment: To appear at IEEE Symposium on Security & Privacy (Oakland) 202