A novel verification method for payment card systems

  • Original Article
  • Personal and Ubiquitous Computing

Abstract

Security plays a crucial role in payment systems; however, some implementations of payment card security rely on weak cardholder verification methods, such as a card and a signature, or use the card without any cardholder verification process at all. Other vulnerable implementations of cardholder verification methods suffer from many security attacks, such as relay attacks and cloning attacks. In addition, the impact of these security attacks is high since they cause monetary losses for banks and consumers. In this paper, we introduce a new cardholder verification method using multi-possession factor authentication with a distance bounding technique. It adds an extra level of security to the verification process and utilizes the idea of distance bounding, which prevents many different security attacks. The proposed method gives the user the flexibility to add one or more extra devices and select the appropriate security level. This paper argues that the proposed method mitigates or removes many popular security attacks that are claimed to be effective in current card-based payment systems, and that it can help to reduce fraud on payment cards. Furthermore, the proposed method provides an alternative verification technique, enables cardholders with special needs to use payment cards, and makes the payment system more accessible.

Notes

  1. Left-shift registers also work but we use right-shift registers to demonstrate the distance bounding technique.

Acknowledgments

Alhothaily acknowledges the scholarship fund from the Saudi Arabian Monetary Agency. Alrawais acknowledges the scholarship fund from the Ministry of Higher Education, Saudi Arabia, and from the College of Computer Engineering and Sciences, Prince Sattam bin Abdulaziz University, Saudi Arabia. This research is also supported by the National Science Foundation of the USA under grant number CNS-1318872, and the National Natural Science Foundation of China under grant number 61171014.

Author information

Corresponding author

Correspondence to Abdulrahman Alhothaily.

About this article

Cite this article

Alhothaily, A., Alrawais, A., Cheng, X. et al. A novel verification method for payment card systems. Pers Ubiquit Comput 19, 1145–1156 (2015). https://doi.org/10.1007/s00779-015-0881-9

  • DOI: https://doi.org/10.1007/s00779-015-0881-9
