Enhancing the Security of Centralised and Distributed Payments
Total Page:16
File Type:pdf, Size:1020Kb
Enhancing the Security of Centralised and Distributed Payments Submitted by Danushka Jayasinghe for the degree of Doctor of Philosophy of the Royal Holloway, University of London 2017 Declaration I, Danushka Jayasinghe, hereby declare that this thesis and the work presented in it is entirely my own. Where I have consulted the work of others, this is always clearly stated. Signed . (Danushka Jayasinghe) Date: 1 Publications The research carried out has led to the publication and presentation of a number of academic papers in international conferences. 1. D. Jayasinghe, K. Markantonakis and K. Mayes, \Optimistic Fair-Exchange with Anonymity for Bitcoin Users," In The 11th International Conference on e-Business Engineering (ICEBE), Guangzhou, China, pp.44-51, IEEE, 2014. 2. D. Jayasinghe, R. N. Akram, K. Markantonakis, K. Rantos and K. Mayes, \En- hancing EMV Online PIN Verification,” In The 14th International Conference on Trust, Security and Privacy in Computing and Communications (Trustcom/ BigDataSE/ISPA), pp.808-817, Helsinki, Finland, IEEE, 2015. 3. D. Jayasinghe, K. Markantonakis, I. Gurulian, R. N. Akram and K. Mayes, \Ex- tending EMV Tokenised Payments to Offline-Environments," In The 15th Inter- national Conference on Trust, Security and Privacy in Computing and Commu- nications (Trustcom/BigDataSE/ISPA), pp.443-450, Tianjin, China, IEEE, 2016. 4. D. Jayasinghe, K. Markantonakis, R. N. Akram and K. Mayes, \Enhancing EMV Tokenisation with Dynamic Transaction Tokens," In 12th International Work- shop: Radio Frequency Identification and IoT Security (RFIDSec), pp.107-122, Hong Kong, Springer, 2016. 5. D. Jayasinghe, S. Cobourne, K. Markantonakis, R. N. Akram and K. Mayes, \Philanthropy On The Blockchain," In The 11th WISTP International Confer- ence on Information Security Theory and Practice (WISTP), Heraklion, Greece, Springer, 2017. 2 Abstract In the last few decades, the way humans engage in payment transactions and the tools they use to transact with each other have evolved dramatically. Advancement in cryptography, information security, computer networking, distributed computing, etc. provides the required tools for modern day payment solution providers to design payment technologies that can be used to carry out convenient payment transactions. Yet, the financial loss associated with financial fraud, payment related attacks and data breaches that directly affect the financial institutions, merchants and consumers is significant. Because of this, an important development in the payment evolution is the consideration towards security of payment transactions. The main focus of this thesis is to enhance the security of both EMV (Europay MasterCard Visa) based centralised payments and Bitcoin/blockchain based distributed payments while showing more emphasis on new and emerging payment technologies such as: mobile payments, tokenisation and distributed ledger technology. EMV is a standard that provides interoperability to Chip & PIN, Contactless and Tokenised payment transactions in a global scale. The thesis, investigates the current EMV payment architectures to identify potential weaknesses that pose a threat to the security of payment transactions. In our research, we were able to identify five main issues related to EMV Online PIN Verification in two deployment methods and three main issues related to EMV Tokenisation that raise security concerns. We discuss potential attack scenarios, and propose solutions that address the identified issues and enhance the security of payment transactions. The proposed solutions are subject to mechanical formal analysis and practical implementation was carried out to obtain performance measurements. The thesis, also investigates payments in distributed payment systems such as Bit- coin and blockchains. We identify issues such as fair-exchange related to distributed payments and propose solutions to improve security and anonymity. Furthermore, we explore how blockchain technology can be leveraged to enhance the security in other payment transactions such as: donation payments, humanitarian aid and SMS-based mobile payments. Finally, the thesis provides conclusion of this research and suggesting future research directions. 3 Acknowledgement The completion of this thesis would not have been possible without the support of a number of wonderful people. First and foremost, I would like to express my deepest gratitude to my supervisor Prof. Konstantinos Markantonakis for his supervision and guidance throughout my PhD. I am grateful for his approachability, invaluable reviews and feedback. I would also like to thank my advisor, Prof. Keith Mayes for his support during the PhD. I would like to thank Dr. Raja Naeem Akram for his insightful reviews and com- ments on the thesis. I am also grateful to Sheila Cobourne for her reviews and support throughout my PhD. Special thanks to all my colleagues at the Smart Card & IoT Security Centre: Benoit Ducray, Iakovos Gurulian, Assad Umar, Lazaros Kyrillidis, Sara Abu-Ghazalah, Hafizah Mansor, Mehari Msgna, Rashedul Hassan, Robert Lee and Carlton Shepherd for the many interesting discussions. A very special thank goes to my beloved wife Madushani for her amazing support, love and care during my PhD. Your encouragement was a key ingredient for completing this milestone. I would also like to thank my parents and my two sisters for their love, support and encouragement during this time. Even though there isn't enough space here to mention all your names, I would also like to thank my friends, relatives, in-laws and others who have provided me help and support in any shape or form during this remarkable journey. Finally, I would also like to thank the UK Cards Association (subset of UK Finance since July 2017) and the ISG - Smart Card & IoT Security Centre for financially spon- soring my PhD. The invaluable discussions, recommendations and feedback provided by David Baker and Bill Reding from the UK Cards Association throughout this work are much appreciated. 4 Contents 1 Introduction 15 1.1 Motivation and Challenges.......................... 16 1.2 Aim and Objectives............................. 17 1.3 Contributions................................. 17 1.4 Thesis Outline................................ 20 I Background 23 2 Payment Systems and Formal Analysis Tools 24 2.1 EMV based Centralised Payments..................... 25 2.1.1 EMV................................. 25 2.1.2 EMV Online PIN Verification.................... 26 2.1.3 Financial Fraud........................... 28 2.1.4 EMV Tokenisation.......................... 29 2.1.5 Current Operating Environment of EMV Tokenisation...... 30 2.2 Bitcoin/Blockchain based Distributed Payments.............. 31 2.2.1 Blockchain Technology........................ 33 2.2.2 Bitcoin................................ 35 2.2.3 Existing SMS Payment Systems and Bitcoin........... 37 2.3 Anonymous and Fair-exchange Payment Schemes............. 37 2.3.1 Anonymous Payment Schemes................... 38 2.3.2 Fair-exchange Schemes........................ 38 2.4 Formal Analysis Tools............................ 40 2.4.1 CasperFDR.............................. 41 2.4.2 Scyther................................ 42 2.5 Summary................................... 43 5 II Improvements for EMV based Centralised Payments 45 3 Improving Online PIN Verification Security 46 3.1 Introduction.................................. 47 3.1.1 Two OPV Deployment Methods.................. 48 3.1.2 Problem Statement.......................... 50 3.1.3 Contributions............................. 51 3.2 Potential Concerns.............................. 52 3.2.1 Operating Environment and Assumptions............. 52 3.2.2 Attacker's Capability......................... 53 3.2.3 Two Potential Risk Scenarios.................... 54 3.3 Proposed Solutions.............................. 56 3.3.1 Card based Solutions......................... 60 3.3.2 Terminal based Solutions...................... 62 3.3.3 Binding of OPV and Transaction Authorisation.......... 64 3.3.4 Our Experience Related to EMV Specifications.......... 64 3.4 Analysis.................................... 65 3.4.1 Security Analysis........................... 65 3.4.2 Practical Implementation...................... 68 3.4.3 Mechanical Formal Analysis..................... 69 3.5 Summary................................... 69 4 Improving OPV Security in Unified Authorisation Method 71 4.1 Introduction.................................. 72 4.2 Potential Concerns.............................. 72 4.2.1 Two Potential Risk Scenarios.................... 73 4.3 Proposed Solutions.............................. 75 4.3.1 Card Based Solutions........................ 76 4.3.2 Terminal based Solution....................... 80 4.3.3 Binding of OPV and Transaction Authorisation.......... 82 4.4 Analysis.................................... 83 4.4.1 Security Analysis........................... 83 4.4.2 Practical Implementation...................... 85 4.4.3 Mechanical Formal Analysis..................... 86 4.5 Summary................................... 86 6 5 Tokenisation based Protocol for Offline Payment Transactions 88 5.1 Introduction.................................. 89 5.1.1 Problem Statement.......................... 89 5.1.2 Contributions............................. 90 5.2 Offline Operating Environment and Adversary's Capability....... 91 5.3 Proposed Solution.............................. 92 5.3.1 Protocol Assumptions........................ 93 5.3.2 Setup Phase.............................. 93 5.3.3 Payment Phase...........................