Using human interactive security protocols to secure payments

Chen, Bangdao

January 2012

We investigate using Human Interactive Security Protocols (HISPs) to secure payments. We start our research by conducting extensive investigations into the payment industry. After interacting with different payment companies and banks, we present two case studies: online payment and mobile payment. We show how to adapt HISPs for payments by establishing the reverse authentication method. In order to properly and thoroughly evaluate different payment examples, we establish two attack models which cover the most commonly seen attacks against payments. We then present our own payment solutions which aim at solving the most urgent security threats revealed in our case studies. Demonstration implementations are also made to show our advantages. In the end we show how to extend the use of HISPs into other domains.

005.82

Securing Mobile Payment Protocol based on EMV Standard

Sifatullah Bhuiyan, Mohammad

January 2012

This is an era of communication technology. This era has faced a lot of innovation in technology sector. Mobile phones were once used for calling or text messaging only, now slowly becoming competitor of computers. The rapid development of hardware, software and operating system of smartphones made it possible to do multiple tasks through the phones. Nowadays, smart phones have powerful operating systems which provide wide range of applications. Smart phones can be interfaced with external hardware also. The payment industry is about to see a drastic change because of these features. People can now pay through their smartphones; they can use payment cards to pay through it etc. But financial transaction is a very sensitive service and security is very crucial here. For financial services, the major security services such as confidentiality, integrity, authenticity, authorization and non-repudiation must be ensured. There are two major types of payment cards, magnetic-stripe based cards and chip based cards. Chip based card provides better security. Magnetic stripe based cards being static, is easy to counterfeit. But the fact that these magnetic stripe cards are still used in many countries, it is necessary to provide a security solution in order to protect customers from treachery. In this thesis, it has been investigated how to secure the mobile payment based on EMV standard. EMV is a chip based payment card. It has strong security features which made skimming or tampering it very hard. But, Magstripe based payments still remained insecure. This thesis paper aims to secure the transaction when paid with magnetic stripe based cards. Several measures have been taken to ensure that major security services are met. In addition, a prototype was developed and tested to demonstrate the practicality of the designed solution. The research results of this paper show that by transacting through the secured mobile payment protocol, customers can avail payment service more securely than traditional magnetic striped card based payments.

Mobile Payment Security

EMV

Magnetic Stripe

Engineering and Technology

Teknik och teknologier

Technicko-ekonomické aspekty platebního styku / Technical and economic aspects of payment transactions

Barvíková, Kamila

January 2017

Thesis describes technical and economic aspects of payment transaction using the empirical analysis on real data of payment institution. It focuses on the description of selected products provided by payment institution and empirically analyzes them on the basis of the available data in terms of the number of transactions in individual currencies, the ratio of product types utilization and clearing and settlement used by the payment institution. The thesis also describes the security requirements necessary for the conduct of payment transactions on the Internet for non-technically educated audiences. At the end of the thesis there are several recommendations for the development of payment institution based on empirical knowledge from data analysis, which can be used for further analysis of the payment institution.

Jämförande analys av kontaktlösa betalningar med bankkort och smarttelefon ur ett säkerhetsperspektiv / Comparative analysis of contactless payment with cards and smartphones from a security perspective

Holmberg Tvingstedt, Tove

January 2022

Att betala med kort är idag standardiserat, men något som också är väldigt vanligt är att betala kontaktlöst. Detta kan göras både med ett kontaktlöst kort eller med en smarttelefon. Teknologin som möjliggör detta är närfältskommunikation. Examensarbetet undersöker hur säkerheten i dessa betalningsmetoder är uppbyggd, vad det finns för säkerhetsproblem samt hur användningen kan se ut i framtiden. Den primära frågeställningen var att undersöka om det är lika säkert eller till och med säkrare att använda en smarttelefon för kontaktlösa betalningar jämfört med ett kontaktlöst kort. För att undersöka detta, gjordes en omfattande litteraturstudie och en enkätundersökning. Resultatet av examensarbetet visade på att det fanns olika typer av hot och sårbarheter som exempelvis avlyssning, modifikation och korruption av data, reläattacker, skadlig applikation och programvara, svag autentisering och manipulation av applikationer. Det fanns även flertalet aspekter som påverkade hur väl dessa hot kunde utföras, bland annat tokenisering, kryptering men även det korta avståndet som krävs och social ingenjörskonst. Det upptäcktes även att attackytan skiljde sig mellan metoderna. Smarttelefonen hade flertalet hot och sårbarheter som ofta baseras på att det finns ett användargränssnitt, att enheten har ett annat användningsområde, och exempelvis skadlig programvara och ”rootade” enheter. När en enhet är ”rootad” betyder det att användaren får en annan typ av åtkomstkontroll. Enkätundersökningen visade att ungefär hälften av deltagarna kan tänka sig använda smarttelefonen i framtiden för att utföra kontaktlösa betalningar. / To pay with a card is standardized today, but something that is also very common is to pay contactless. This is possible to do with a contactless card or with a smartphone. The technology that makes this possible is Near Field Communication. This thesis examines how the security in these payment methods is structured, which security issues exists but also how the use may look in the future. The thesis also includes to investigate if it is as safe or even safer to use a smartphone for contactless payments compared to a contactless card. To investigate this, an extensive literature study and a questionnaire survey was conducted. The results of the thesis showed that there were different types of threats and vulnerabilities such as eavesdropping, data modification, data corruption, relay-attacks but also malicious application and software, weak authentication, and manipulation of applications. However, there were also several aspects that affected how well these threats could be carried out, including tokenization, encryption but also the short distance required and social engineering. It was also discovered that the attack surface differed between the two methods. The smartphone had several threats and vulnerabilities many of them existed since there is a user interface, and that the device is used in other ways. For example, malware and “rooted” devices, when a device is “rooted” it means that the user gets another type of access control for the device. The survey showed that about half of the participants may be willing to use a smartphone in the future to make contactless payments.

Contactless payment

NFC

Near Field Communication

EMV (Europay

Visa

Mastercard) chip

NFC payment

payment security

NFC security

Kontaktlös betalning

Near Field Communication (NFC)

närfältskommunikation EMV (Europay

Visa

Mastercard) chip

NFC-betalning

betalningssäkerhet

NFC- säkerhet

Engineering and Technology

Teknik och teknologier