Abstract
Security plays a crucial role in payment systems; however, some implementations of payment card security rely on weak cardholder verification methods, such as a card combined with a signature, or use the card with no cardholder verification at all. Other implementations of cardholder verification methods are vulnerable to a range of attacks, such as relay attacks and cloning attacks, and the impact of these attacks is high because they cause monetary losses for banks and consumers. In this paper, we introduce a new cardholder verification method that combines multi-possession-factor authentication with a distance bounding technique. It adds an extra level of security to the verification process and uses distance bounding, which upper-bounds the physical distance between the communicating devices and thereby prevents many attacks, relay attacks in particular. The proposed method gives the user the flexibility to add one or more extra devices and to select the appropriate security level. This paper argues that the proposed method mitigates or removes many well-known attacks reported to be effective against current card-based payment systems, and that it can help to reduce fraud on payment cards. Furthermore, the proposed method provides an alternative verification technique and enables cardholders with special needs to use payment cards, making the payment system more accessible.
Notes
Left-shift registers would also work; we use right-shift registers to demonstrate the distance bounding technique.
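As an added illustration, and not the paper's own protocol or code, the following Python simulation shows the rapid-bit-exchange core of the distance bounding idea the abstract relies on, using right-shift registers as in the note above. The two-register construction follows Hancke and Kuhn (2005); the key, nonces, timing constants, the speed-of-light round-trip budget and the simulated channel (distance plus relay latency) are assumptions made for the demonstration and do not come from the paper.

```python
"""Simulated distance-bounding exchange between a payment card (prover) and a
terminal (verifier). Added example; constants and the channel model are assumed."""
import hashlib
import hmac
import secrets

ROUNDS = 32                  # rapid single-bit challenge/response rounds
C_M_PER_NS = 0.299792458     # speed of light, metres per nanosecond
CARD_DELAY_NS = 2.0          # assumed fixed response time of a genuine card
TOLERANCE_NS = 0.5           # assumed clock/jitter allowance on the terminal
MAX_RANGE_M = 0.1            # proximity envelope the terminal accepts
# Largest acceptable round trip: flight time out and back, plus card delay.
T_MAX_NS = 2 * MAX_RANGE_M / C_M_PER_NS + CARD_DELAY_NS + TOLERANCE_NS


def derive_registers(key: bytes, nonce_v: bytes, nonce_p: bytes):
    """Both sides derive two 32-bit registers R0 and R1 from a keyed PRF."""
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big"), int.from_bytes(digest[4:8], "big")


class Card:
    """Prover. In the rapid phase it answers each challenge bit with one register bit."""

    def __init__(self, key: bytes):
        self.key = key
        self.r0 = self.r1 = 0

    def setup(self, nonce_v: bytes) -> bytes:
        nonce_p = secrets.token_bytes(8)
        self.r0, self.r1 = derive_registers(self.key, nonce_v, nonce_p)
        return nonce_p

    def respond(self, challenge: int) -> int:
        # Right-shift registers: emit the low bit of the selected register,
        # then shift both so the next round consumes the next bit.
        bit = (self.r1 if challenge else self.r0) & 1
        self.r0 >>= 1
        self.r1 >>= 1
        return bit


class Channel:
    """Simulated link. A relay adds latency even when the relaying device is
    physically next to the terminal, which is what the timing check catches."""

    def __init__(self, distance_m: float, relay_delay_ns: float = 0.0):
        self.distance_m = distance_m
        self.relay_delay_ns = relay_delay_ns

    def round_trip_ns(self) -> float:
        return 2 * self.distance_m / C_M_PER_NS + CARD_DELAY_NS + self.relay_delay_ns


class Terminal:
    """Verifier. Accepts only if every bit is correct and every round is on time."""

    def __init__(self, key: bytes):
        self.key = key

    def verify(self, card: Card, channel: Channel) -> dict:
        nonce_v = secrets.token_bytes(8)
        nonce_p = card.setup(nonce_v)               # slow phase: exchange nonces
        r0, r1 = derive_registers(self.key, nonce_v, nonce_p)
        wrong_bits = late_rounds = 0
        for _ in range(ROUNDS):                     # rapid phase
            challenge = secrets.randbits(1)
            expected = (r1 if challenge else r0) & 1
            r0 >>= 1
            r1 >>= 1
            response = card.respond(challenge)      # one bit back
            if response != expected:
                wrong_bits += 1
            if channel.round_trip_ns() > T_MAX_NS:  # timed per round
                late_rounds += 1
        return {"accepted": wrong_bits == 0 and late_rounds == 0,
                "wrong_bits": wrong_bits, "late_rounds": late_rounds}


def run_scenarios(key: bytes = b"\x11" * 16) -> dict:
    """Genuine card in range, relayed genuine card, and a clone without the key."""
    terminal = Terminal(key)
    return {
        "genuine": terminal.verify(Card(key), Channel(0.05)),
        "relayed": terminal.verify(Card(key), Channel(0.05, relay_delay_ns=200.0)),
        "clone": terminal.verify(Card(b"\x22" * 16), Channel(0.05)),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

The relayed card answers every bit correctly and is rejected on timing alone, while the clone is rejected on bit errors; this is the separation of concerns that lets distance bounding stop relay attacks that a purely cryptographic check cannot. Two caveats a practitioner should keep in mind: with this two-register construction an attacker who queries the card early with a guessed challenge bit wins each round with probability 3/4, so the number of rounds sets the margin (32 rounds gives roughly 1e-4); and a nanosecond round-trip budget like the one simulated here is not achievable over a stock ISO 14443 link without hardware support for the timed exchange.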
Acknowledgments
Alhothaily acknowledges the scholarship fund from the Saudi Arabian Monetary Agency. Alrawais acknowledges the scholarship fund from the Ministry of Higher Education, Saudi Arabia, and from the College of Computer Engineering and Sciences, Prince Sattam bin Abdulaziz University, Saudi Arabia. This research is also supported by the National Science Foundation of the USA under grant number CNS-1318872, and the National Natural Science Foundation of China under grant number 61171014.
Cite this article
Alhothaily, A., Alrawais, A., Cheng, X. et al. A novel verification method for payment card systems. Pers Ubiquit Comput 19, 1145–1156 (2015). https://doi.org/10.1007/s00779-015-0881-9
DOI: https://doi.org/10.1007/s00779-015-0881-9