Banking and Modern Payments System Security Analysis
Adam Ali.Zare Hudaib
Pages - 38 - 62     |    Revised - 31-03-2014     |    Published - 30-04-2014
Volume - 8   Issue - 2    |    Publication Date - April 2014
KEYWORDS
Banking Security, Authentication, Chip and PIN, ATM.
ABSTRACT
Cyber-criminals have benefited from on-line banking (OB), despite the extensive research on financial cyber-security. To be better prepared for what the future might bring, we try to predict how hacking tools might evolve. We briefly survey the state-of-the-art tools developed by black-hat hackers and conclude that they could be automated dramatically. To demonstrate the feasibility of our predictions and prove that many two-factor authentication schemes can be bypassed, we have analyzed banking and modern payments system security.

In this research we review the different payment protocols and security methods used to run banking systems. We survey some of the popular systems in use today, with a deeper focus on chips, cards, NFC, authentication, etc. In addition, we discuss the weaknesses in these systems that can compromise the customer's trust.
Mr. Adam Ali.Zare Hudaib
Two Mas ltd - Poland
adamhudaib@gmail.com