27 research outputs found
Securing Plastic Money Using an RFID Based Protocol Stack
Since 2006, there have been three major systems that have been implemented in an attempt to reduce the threat of credit card fraud - Chip and PIN (United Kingdom), Chip Authentication Program - CAP (European Union), and RFID enabled credit cards (United States of America). In spite of a big effort by the EMV\footnote{EMV Co.: a body comprising of Europay, Mastercard, and Visa which develops standards for credit card interaction.}, there has been little evidence to demonstrate the success of these schemes in stopping fraudsters, scammers, and identity thieves. This may be attributed to combinations of poor usability, lack of trusted interfaces, the absence of smart-card cryptography that takes full advantage of the available computation resources, and inadequate authentication protocols. In this paper, we explain the shortcomings and vulnerabilities of each of these systems, and then explain requirements of a secure and usable cashless payment system. We also describe a new RFID based protocol stack - SECAPS (Secure Cashless Payment System), which obviates many of the attacks on the current schemes by using the newly available computation resources on modern RFID Tags
A Survey on the Evolution of Cryptographic Protocols in ePassports
ePassports are biometric identification documents that contain RFID Tags and are primarily used for border security. The embedded RFID Tags are capable of storing data, performing low cost computations and cryptography, and communicating wirelessly. Since 2004, we have witnessed the development and widespread deployment of three generations of electronic passports - The ICAO First Generation ePassport (2004), Extended Access Control (EAC v1.0) ePassports (2006), and Extended Access Control with Password Authentication and Connection Establishment (EAC v2.1) ePassports (2008). Currently, over thirty million ePassports have been issued around the world. In this paper, we provide an introductory study of the technologies implemented in ePassports - Biometrics, RFID, and Public Key Infrastructures; and then go on to analyze the protocols implemented in each of the three generations of ePassports, finally we point out their shortcomings and scope for future related research
ATOM: A Generalizable Technique for Inferring Tracker-Advertiser Data Sharing in the Online Behavioral Advertising Ecosystem
Data sharing between online trackers and advertisers is a key component in
online behavioral advertising. This sharing can be facilitated through a
variety of processes, including those not observable to the user's browser. The
unobservability of these processes limits the ability of researchers and
auditors seeking to verify compliance with regulations which require complete
disclosure of data sharing partners. Unfortunately, the applicability of
existing techniques to make inferences about unobservable data sharing
relationships is limited due to their dependence on protocol- or case-specific
artifacts of the online behavioral advertising ecosystem (e.g., they work only
when client-side header bidding is used for ad delivery or when advertisers
perform ad retargeting). As behavioral advertising technologies continue to
evolve rapidly, the availability of these artifacts and the effectiveness of
transparency solutions dependent on them remain ephemeral. In this paper, we
propose a generalizable technique, called ATOM, to infer data sharing
relationships between online trackers and advertisers. ATOM is different from
prior work in that it is universally applicable -- i.e., independent of ad
delivery protocols or availability of artifacts. ATOM leverages the insight
that by the very nature of behavioral advertising, ad creatives themselves can
be used to infer data sharing between trackers and advertisers -- after all,
the topics and brands showcased in an ad are dependent on the data available to
the advertiser. Therefore, by selectively blocking trackers and monitoring
changes in the characteristics of ads delivered by advertisers, ATOM is able to
identify data sharing relationships between trackers and advertisers. The
relationships discovered by our implementation of ATOM include those not found
using prior approaches and are validated by external sources.Comment: Accepted at PETS'22 16 Pages 3 Tables 2 Figure
Fuzzy Privacy Preserving Peer-to-Peer Reputation Management
The P2PRep algorithm is a reputation-management mechanism in which a peer uses fuzzy techniques to compute local reputations and aggregates these results to compute a global reputation for another peer which has made an offer of service. While this mechanism is known to be extremely effective in the presence of malicious peers, it has one drawback: it does not preserve the anonymity of peers in the network during the voting phase of protocol. This makes it unsuitable for use in networks which associate peers with a routing identifier such as an IP address. We propose in this paper, a solution to this problem - the 3PRep (Privacy Preserving P2PRep) algorithm which implements two protocols to maintain vote privacy in P2PRep without significant additional computation and communications overhead. In doing so, we also provide a method to compute the Ordered Weighted Average (OWA) over distributed datasets while maintaining privacy of these data
The Inventory is Dark and Full of Misinformation: Understanding the Abuse of Ad Inventory Pooling in the Ad-Tech Supply Chain
Ad-tech enables publishers to programmatically sell their ad inventory to
millions of demand partners through a complex supply chain. Bogus or low
quality publishers can exploit the opaque nature of the ad-tech to deceptively
monetize their ad inventory. In this paper, we investigate for the first time
how misinformation sites subvert the ad-tech transparency standards and pool
their ad inventory with unrelated sites to circumvent brand safety protections.
We find that a few major ad exchanges are disproportionately responsible for
the dark pools that are exploited by misinformation websites. We further find
evidence that dark pooling allows misinformation sites to deceptively sell
their ad inventory to reputable brands. We conclude with a discussion of
potential countermeasures such as better vetting of ad exchange partners,
adoption of new ad-tech transparency standards that enable end-to-end
validation of the ad-tech supply chain, as well as widespread deployment of
independent audits like ours.Comment: To appear at IEEE Symposium on Security & Privacy (Oakland) 202