Abstract
The pervasive use of mobile phones has created a dynamic computing platform that a large percentage of the population carries routinely. There is a growing trend of integrating mobile phones with electronic identity, giving the phone the ability to prove or support the identity of the owner by containing, for example, a tuple of name, ID, photo and public key. While this helps phone owners prove who they are, it does not prove to them that they are giving their identities to intended parties. This is important in its own right for reasons of privacy and avoiding cases of “identity theft”, but all the more important when identity is being provided to support the transfer of value (e.g. in mobile payment) or information. In this paper we show how Human Interactive Security Protocols can support this type of authentication in cases where PKIs are inappropriate, misunderstood or too expensive, concentrating on the case of payment.
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bangdao, C., Roscoe, A.W. (2011). Mobile Electronic Identity: Securing Payment on Mobile Phones. In: Ardagna, C.A., Zhou, J. (eds) Information Security Theory and Practice. Security and Privacy of Mobile Devices in Wireless Communication. WISTP 2011. Lecture Notes in Computer Science, vol 6633. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-21040-2_2
DOI: https://doi.org/10.1007/978-3-642-21040-2_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-21039-6
Online ISBN: 978-3-642-21040-2
eBook Packages: Computer Science (R0)