
Matching in Proximity Authentication and Mobile Payment EcoSystem: What Are We Missing?

  • Conference paper
Radio Frequency Identification and IoT Security (RFIDSec 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10155)

Abstract

During the past decade, cybersecurity threats have drawn everyone’s attention, and cybersecurity is becoming a national priority in many leading countries. With the development of sophisticated mobile technology, mobile (contactless) payment insecurity, which may cause huge financial losses, is now becoming a serious threat to our daily life. During the holiday season in 2013, China’s most welcome mobile payment system provider, Alipay, lost over 20 GB worth of customer data in a security breach, which affected at least 15 million customers. Even though the company has promised to evaluate the security of the system and to take necessary measures to protect customers’ data, are we still safe with the payment? In this paper, we investigate several security vulnerabilities in the Alipay wallet, which may lead to personal data and financial losses for individuals. This is due not only to less regulation by authorities but also to the failure to enable secure proximity authentication during mobile payment. By going through these surprising vulnerabilities, we come up with some ideas on how to combat them and show how to enhance mobile payment security by enabling proximity authentication before monetary transactions.



Acknowledgment

This work was supported by a research grant (Project Number: 2015.A1.030.16A) from the Public Policy Research Funding Scheme of the Central Policy Unit of the Hong Kong Special Administrative Region Government. We also thank the anonymous reviewers for their valuable comments and the PC Chairs for their shepherding.

Author information

Correspondence to Yunhui Zhuang.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Zhuang, Y., Leung, A.C.M., Hughes, J. (2017). Matching in Proximity Authentication and Mobile Payment EcoSystem: What Are We Missing?. In: Hancke, G., Markantonakis, K. (eds) Radio Frequency Identification and IoT Security. RFIDSec 2016. Lecture Notes in Computer Science, vol 10155. Springer, Cham. https://doi.org/10.1007/978-3-319-62024-4_12

  • DOI: https://doi.org/10.1007/978-3-319-62024-4_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-62023-7

  • Online ISBN: 978-3-319-62024-4

  • eBook Packages: Computer Science (R0)
