Smartphones as Practical and Secure Location Verification Tokens for Payments

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Marforio, Claudio ^a   Karapanos, Nikolaos ^a   Soriente, Claudio ^a   Kostiainen, Kari ^a   Čapkun, Srdjan ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

[No Author keywords available]

Indexed keywords

AUTHENTICATION; BEHAVIORAL RESEARCH; MOBILE SECURITY;

ARM TRUSTZONE; AUTHENTICATION SOLUTIONS; FRAUDULENT TRANSACTIONS; LOCATION BASED; LOCATION VERIFICATION; POINT OF SALE; SALE TRANSACTIONS; SECURE LOCATION; SMART PHONES; TRUSTED EXECUTION ENVIRONMENTS;

SMARTPHONES;

EID: 85133408027     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23165     Document Type: Conference Paper

References (63)

1. European Central Bank, “Report on card fraud,” July 2012, http://www.ecb.int/pub/pdf/other/cardfraudreport201207en.pdf.
2. P. Fourez and Mastercard International Inc., “Location controls on payment card transactions,” http://patentscope.wipo.int/search/en/ WO2011022062, 2011, Patent No. WO/2011/022062.
3. F. S. Park, C. Gangakhedkar, and P. Traynor, “Leveraging cellular infrastructure to improve fraud prevention,” in Proceedings of the 25th Annual Computer Security Applications Conference, ser. ACSAC’09, 2009, pp. 350–359.
4. Barclays, “Mobile PINsentry,” http://goo.gl/pcuGo, last access 2013.
5. Google Inc., “Google 2-Step Verification,” http://www.google.com/landing/2step/, last access 2013.
6. A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner, “A survey of mobile malware in the wild,” in ACM workshop on Security and privacy in smartphones and mobile devices, ser. SPSM’11, 2011.
7. Y. Zhou and X. Jiang, “Dissecting android malware: Characterization and evolution,” in IEEE Symposium on Security and Privacy, ser. SP’12, 2012.
8. ARM, “Building a Secure System using TrustZone Technology,” http://www.arm.com, 2009.
9. S. Saroiu and A. Wolman, “I am a sensor, and i approve this message,” in Proceedings of ACM International Workshop on Mobile Computing Systems and Applications (HotMobile), 2010.
10. H. Liu, S. Saroiu, A. Wolman, and H. Raj, “Software abstractions for trusted sensors,” in The 10th International Conference on Mobile Systems, Applications, and Services (MobiSys), 2012.
11. C. Marforio, N. Karapanos, C. Soriente, K. Kostiainen, and S. Capkun, “Secure enrollment and practical migration for mobile trusted execution environments,” in Proceedings of the third ACM workshop on Security and privacy in smartphones and mobile devices, ser. SPSM’13, 2013.
12. J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, “The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes,” in 2012 IEEE Symposium on Security and Privacy, May 2012. [Online]. Available: http://www.cl.cam.ac.uk/~jcb82/doc/BHOS12-IEEESP-quest_to_replace_passwords.pdf
13. R. Guida, R. Stahl, T. Bunt, G. Secrest, and J. Moorcones, “Deploying and using public key technology: lessons learned in real life,” IEEE Security Privacy, vol. 2, no. 4, 2004.
14. A. Czeskis, M. Dietz, T. Kohno, D. S. Wallach, and D. Balfanz, “Strengthening user authentication through opportunistic cryptographic identity assertions,” in Proceedings of the 19th ACM Conference on Computer and Communications Security, ser. CCS’12, 2012, pp. 404–414.
15. M. Mannan, B. H. Kim, A. Ganjali, and D. Lie, “Unicorn: two-factor attestation for data security,” in Proceedings of the 18th ACM conference on Computer and communications security, ser. CCS’11, 2011, pp. 17–28.
16. K. Kostiainen, E. Reshetova, J.-E. Ekberg, and N. Asokan, “Old, new, borrowed, blue – a perspective on the evolution of mobile platform security architectures,” in ACM conference on Data and application security and privacy, ser. CODASPY’11, 2011.
17. K. Kostiainen, J.-E. Ekberg, N. Asokan, and A. Rantala, “On-board credentials with open provisioning,” in International Symposium on Information, Computer, and Communications Security, ser. ASIACCS’09, 2009.
18. GlobalPlatform, “Device specifications,” available at: http://www.globalplatform.org/specificationsdevice.asp.
19. osmocomBB, http://bb.osmocom.org, last access 2013.
20. 3GPP, “3GPP TS 23.040 - Technical realization of the Short Message Service (SMS),” http://www.3gpp.org/ftp/Specs/html-info/23040. htm, last access 2013.
21. Offspark B.V., “PolarSSL,” https://polarssl.org/, last access 2013.
22. ARM, “ARM Motherboard Express,” http://www.arm.com/products/tools/development-boards/versatile-express/motherboard-express.php.
23. ARM, “ARM Coretile Express,” http://www.arm.com/products/tools/development-boards/versatile-express/coretile-express.php.
24. Sierraware, “Open Virtualization - ARM TrustZone and ARM Hyper-visor Open Source Software,” http://www.openvirtualization.org/.
25. GlobalPlatform, “GlobalPlatform Device Specifications,” http://www.globalplatform.org/specificationsdevice.asp, last access 2013.
26. Android Development Team, “Android 4.1 APIs - Jelly Bean,” http://developer.android.com/about/versions/jelly-bean.html, 2013.
27. Bouncy Castle Crypto APIs, http://www.bouncycastle.org, last access 2013.
28. G. Inc., “Google Cloud Messaging for Android,” http://developer.android.com/google/gcm/index.html, last access 2013.
29. CherryPy Team, “CherryPy - A Minimalistic Python Web Framework,” http://www.cherrypy.org/, 2013.
30. SQLite Development Team, “SQLite,” http://www.sqlite.org, last access 2013.
31. Comcetera Ltd., “Number Portability Lookup,” http://www.numberportabilitylookup.com/, 2013.
32. EMV, “Integrated Circuit Card Specifications for Payment Systems, Book 1-4, Version 4.3,” 2011. [Online]. Available: http://www.emvco.com/
33. Mastercard, “Mastercard Developer Zone,” 2013. [Online]. Available: https://developer.mastercard.com/
34. VISA, “Visa Developer Program,” 2013. [Online]. Available: https://developer.visa.com/
35. Telegraph, “EU to end mobile roaming charges next year,” June 2013, http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/telecoms/10119159/ EU-to-end-mobile-roaming-charges-next-year.html.
36. R. Pries, T. Hobfeld, and P. Tran-Gia, “On the suitability of the short message service for emergency warning systems,” in Proceedings of the 63rd Vehicular Technology Conference, ser. VTC 2006-Spring, vol. 2, 2006, pp. 991–995.
37. ValidSoft, “ValidPOS,” 2013. [Online]. Available: http://www.validsoft.com/
38. Google Inc., “Google wallet,” http://www.google.com/wallet/, last access 2013.
39. K.-P. Yee, “User interaction design for secure systems,” in International Conference on Information and Communications Security, ser. ICICS ’02, 2002.
40. Z. Ye, S. W. Smith, and D. Anthony, “Trusted paths for browsers,” ACM Trans. Inf. Syst. Secur., vol. 8, no. 2, pp. 153–186, 2005.
41. M. Selhorst, C. Stüble, F. Feldmann, and U. Gnaida, “Towards a trusted mobile desktop,” in International conference on Trust and trustworthy computing, ser. TRUST’10, 2010.
42. ARM, “Securing the system with trustzone ready program,” http://www.arm.com/files/pdf/Tech_seminar_TrustZone_v7_PUBLIC.pdf, last access 2013.
43. S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, “The emperor’s new security indicators,” in IEEE Symposium on Security and Privacy, ser. SP’07, 2007.
44. S. Egelman, L. F. Cranor, and J. Hong, “You’ve been warned: an empirical study of the effectiveness of web browser phishing warnings,” in SIGCHI Conference on Human Factors in Computing Systems, ser. CHI’08, 2008, pp. 1065–1074.
45. C. Jackson, D. R. Simon, D. S. Tan, and A. Barth, “An evaluation of extended validation and picture-in-picture phishing attacks,” in International Conference on Financial cryptography and International conference on Usable Security, ser. FC’07/USEC’07, 2007, pp. 281–293.
46. K. Kostiainen and N. Asokan, “Credential life cycle management in open credential platforms (short paper),” in ACM workshop on Scalable trusted computing, ser. STC’11, 2011, pp. 65–70.
47. GSM Association, “Requirements for Single Wire Protocol NFC Handsets,” http://www.gsma.com/mobilenfc/, 2011.
48. Giesecke & Devrient GmbH, “G&D Makes Mobile Terminal Devices Even More Secure with New Version of Smart Card in MicroSD Format,” http://www.gi-de.com/en/about_g_d/press/press_releases/G% 26D-Makes-Mobile-Terminal-Devices-Secure-with-New-MicroSD% E2%84%A2-Card-g3592.jsp, last access 2013.
49. SD Association, “smartSD Memory Cards,” hhttps://www.sdcard.org/developers/overview/ASSD/smartsd/, last access 2013.
50. PayPal, “PayPal Security Key,” https://www.paypal.com/securitykey/.
51. RSA, “RSA SecurID,” http://www.emc.com/security/rsa-securid.htm/.
52. “United Bankers’ Bank Authenticates Customers Online,” Biometric Technology Today, vol. 12, no. 6, p. 4, 2004.
53. “Bank of Utah Adopts Keystroke Dynamics,” Biometric Technology Today, vol. 15, no. 5, p. 5, 2007.
54. VISA, “Verified by VISA,” http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx.
55. JVL Ventures, LLC, “ISIS,” https://www.paywithisis.com/.
56. B. Parno, “Bootstrapping trust in a “trusted” platform,” in Proceedings of the third Conference on Hot Topics in Security, ser. HOTSEC’08, 2008, pp. 9:1–9:6.
57. P. Gilbert, J. Jung, K. Lee, H. Qin, D. Sharkey, A. Sheth, and L. P. Cox, “Youprove: authenticity and fidelity in mobile sensing,” in SenSys, J. Liu, P. Levis, and K. Römer, Eds. ACM, 2011, pp. 176–189.
58. P. Gilbert, L. P. Cox, J. Jung, and D. Wetherall, “Toward trustworthy mobile sensing,” in Proceedings of ACM International Workshop on Mobile Computing Systems and Applications (HotMobile), 2010.
59. A. Dua, N. Bulusu, and W. chang Feng, “Towards trustworthy participatory sensing,” in 4th USENIX Workshop on Hot Topics in Security (HotSec), 2009, pp. 1–6.
60. H. Raj, D. Robinson, T. Tariq, P. England, S. Saroiu, and A. Wolman, “Credo: Trusted computing for guest vms with a commodity hypervisor,” Microsoft Research, Tech. Rep. MSR-TR-2011-130, 2011.
61. C. Dwork, “Differential privacy,” in ICALP (2), ser. Lecture Notes in Computer Science, M. Bugliesi, B. Preneel, V. Sassone, and I. Wegener, Eds., vol. 4052. Springer, 2006, pp. 1–12.
62. J. Sorber, M. Shin, R. A. Peterson, and D. Kotz, “Plug-n-trust: practical trusted sensing for mhealth,” in International Conference on Mobile Systems, Applications, and Services, ser. MobiSys’12, 2012.
63. W. Enck, P. Gilbert, B. gon Chun, L. P. Cox, J. Jung, P. McDaniel, and A. Sheth, “Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones,” in OSDI, 2010, pp. 393–407.