Revolutionary developments in marketing, information and
communications technology continue to transform the banking and
financial industry. Distribution of banking services through the Internet is
an important part of this transformation. The objectives of this thesis are
mainly to assess the potential functions of e-clearing with respect to error
free fast funds settlement and to evaluate the competitive advantages of
Electronic Clearing House over Automated Clearing House. The study
explores the Electronic Clearing House in the perspective of time savings,
various costs elimination and maximization of profit for all the
stakeholders. The security measures in terms of digital signature to secure
data and information exchange over the internet would also be examined.
My research work during (Executive MBA 2006 ~ 2008) has been internationally published (Apr-2012) by LAP Publishing Germany. The topic of research was “Comparative Study of Automated Clearing House (ACH) AND Electronic Clearing House (ECH)”
https://www.morebooks.de/store/gb/book/comparative-study-of-ach-and-ech/isbn/978-3-8383-9439-8
CONFidence 2014: Arkadiusz Bolibok,Paweł Goleń: Evaluation of Transactional C... PROIDEA
There are more than 20 000 000 users of internet banking systems in Poland. More than 7 000 000 of them use such systems actively. They usually lack technical knowledge and are not aware of the current threat landscape linked with such systems. As a result, users of internet banking are often profitable targets for cybercriminals.
Not all attacks are targeted against wealthy clients and highly sophisticated. It is more profitable to execute relatively simple mass attacks which affect as large a population of targets as possible. The gain from a single victim may not be very impressive, but the number of users affected by such attacks yields a considerable outcome for the attackers.
As in every system, there are some security controls implemented in internet banking. Two such mechanisms are: user authentication, and transaction authorization. The transaction authorization is the (last?) line of defense which should be able to stop such attacks even if the first line of defense, authentication, has failed. As we know this is not always the case.
To design an effective control one needs to understand the environment in which this control will operate and the type of attacks it should withstand. To get this context we will analyze several typical attack scenarios and identify what weaknesses are exploited.
Based on this analysis we will prepare a list of requirements for effective controls which could be used in internet banking to thwart typical attacks.
Next we will evaluate the transaction authorization methods typically used in Polish internet banking systems to check if they meet the requirements identified by us. Sample attack scenarios will be provided to demonstrate that if even one of these requirements is not met, a gap is created which may lead to a successful attack.
Finally, one important question needs to be answered – can this transaction authorization mechanism be efficient enough to be the last line of defense against these mass attacks?
Analysis of Security Algorithms used in E-Commerce and ATM Transactions IJERD Editor
E-commerce is trading of products or services using computer and Internet. It mainly revolves around
the Internet for its functioning. Virtual mall, buying selling websites or domains, providing secure business
transactions, collection and use of demographic data come under e-commerce. E-commerce security is an
important part for the framework and it is applied to the components that affect the vendor and the end user
through their daily payment and interaction with business. Since it involves various transactions, E-commerce
offers the banking industry a great opportunity but it also creates various risks and security threats. We can say
in the near future people would like to carry their transactions through mobile devices instead of carrying
currency in their wallets. Due to this the security of sensitive customer information is necessary. There are many
security protocols and algorithms used in securing credit card transactions over the Internet and we will discuss
and analyze the major ones.
The document discusses using a Trusted Platform Module (TPM) to securely store encryption keys for disk encryption on Linux. It describes configuring TPM to measure and seal an encryption key file using PCR registers. Modifications are made to initramfs and cryptroot scripts to support unsealing the key during boot without user input by using the TPM. While TPM provides secure storage, integrating it with Linux disk encryption requires additional configuration to get the key unsealed and passed to cryptsetup during early boot stages.
The Role of the OSGi Gateway in GST Security Objectives and Architecture - An...mfrancis
This document discusses the role of OSGi gateways in security for the Global System for Telematics (GST) project. The GST project aims to create an open market for telematics services in Europe. The Security (SEC) subproject of GST aims to define a security architecture and mechanisms to ensure security for telematics applications and infrastructure. OSGi gateways will play a key role in the GST security architecture by allowing secure communication between different entities like vehicles, service providers, and control centers while also enabling access to non-GST entities and services. The document outlines the GST security requirements, actors, and layered architecture that OSGi gateways would need to support to enable secure telematics
This document proposes a system for multi-factor authentication using one-time passwords (OTPs) generated on a user's mobile device without needing an internet or SMS connection. The system would work by registering user devices based on identifiers like IMEI and IMSI numbers. During login, the server would send random index variables to the mobile app to generate an OTP using those values, a secret seed derived from the device identifiers, and cryptographic hashing functions. If the server-generated and mobile app-generated OTPs match, access would be granted. This approach aims to securely generate OTPs offline to strengthen authentication without relying on SMS or internet connections.
This document discusses human and technological aspects of cyber threats facing universities. It notes that while increased data and connectivity enable opportunities, they also present cybersecurity risks that could threaten an organization's existence. The challenges for IT security leaders are to balance security awareness with business needs. Recent attacks have shown blending of new and old techniques, resulting in highly evasive threats. The document also describes the four key steps in security authentication: identification, authentication, authorization, and accountability. It stresses integrating these steps is vital for securing networks against various attacks.
This document provides an overview of a proposed mobile-based software token system for two-factor authentication. The system aims to replace existing hardware and computer-based software tokens by using mobile phones. It consists of software installed on client mobile phones, a server, and a GSM modem. The system can generate one-time passwords locally on the phone or via SMS from the server. Algorithms and factors like IMEI, IMSI, username, and PIN are used to securely generate unique passwords. Functional requirements include modules for password generation, client design, and server design. Non-functional requirements address availability, efficiency, flexibility, portability, integrity, and scalability.
This document discusses identity management and security in cloud computing. It covers key topics such as:
- Centralized identity management provides benefits like a single user identity, consistent security policies, and reduced costs.
- Authentication establishes a user's identity through credentials. Popular methods include JSON web tokens (JWTs) which use digital signatures to authenticate API requests without authenticating each one individually.
- JWTs work by having a client authenticate once to get a token, then include that token in subsequent requests to prove identity without further authentication. The token contains identity claims and is digitally signed by an authentication authority.
Security Architecture for On-Line Mutual Funds Trading With Multiple Mobile A...CSCJournals
In this paper we propose a security architecture for the transaction procedure of an On-Line Mutual Fund Trading system which is implemented using multiple mobile agents that help an individual, who is a kind of do-it-yourself investor, to invest her/his money in mutual funds online. Here, we modify, design and implement the global standard which provides security for transaction processing in E-Commerce, i.e. Secure Electronic Transactions (SET). This eliminates the fraud that normally occurs during money transaction on-line. The modified SET protocol provides authentication of the participants, non-repudiation, data integrity and confidentiality. These features give a guarantee of security during the payment procedure. The system is implemented on Aglets Framework - ASDK2.0.2, which is a Mobile Agent Development platform, using the Java programming language. The issues of security and performance are analyzed.
This document describes an automated toll collection system using near-field communication (NFC) technology. The system aims to reduce toll transaction processing times and provide receipts and usage logs to customers. It uses an Android mobile application to transmit encrypted credentials from an NFC-enabled device to a tollgate terminal. A web service validates the credentials against a database and confirms sufficient account balances for toll payments. If valid, an SMS is sent to the customer as a receipt. The system architecture includes a web interface for account management and administration reports. Literature on NFC systems integration and security was also reviewed.
Integration Of Triangular Location Detection, IoT, Open CV - User Authenti...IRJET Journal
This document proposes a system that uses triangular location detection with IoT, OpenCV, and Zigbee hardware for user authentication during ATM cash loading for improved security. The system uses three Zigbees connected to the delivery vehicle, user's mobile phone, and ATM. When all three are within range, indicating the vehicle is at the ATM, an OTP is generated and verified between the vehicle and ATM Zigbees. In addition to OTP, user signature is verified using OpenCV after cash is loaded into the ATM, providing multi-factor authentication. This integrated system aims to provide more reliable and effective security compared to existing signature or PIN-based authentication alone.
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...IRJET Journal
This document proposes an algorithm called ID-PUIC for remote data uploading and integrity checking in public clouds. It aims to address security issues when clients store sensitive data in public clouds, which they do not fully control. The proposed system uses a proxy to upload client data and perform remote integrity checks with the public cloud server. It introduces a protocol for the proxy to generate tags for file blocks and upload them along with the data for integrity verification. The ID-PUIC algorithm is more efficient for integrity checking than existing solutions as it ignores certificate management and uses bilinear pairings for security. The document outlines the system model, data flow, modules including key generation, tag generation and proofs to check integrity remotely between the client and public cloud server
Nowadays, embedded systems are widely used and connected to networks, especially the Internet. This has become the Internet of Things (IoT) era. When a device is on the Internet, it may be attacked or intentionally used by unauthorized persons. How can we make IoT devices secure under the limited resources?
This presentation will explain the lessons learned from the banking and card payment industry on how embedded systems process financial transactions reliably and securely.
This document summarizes a research paper on designing a secure cloud-assisted mobile health monitoring system. The system aims to address privacy and security issues while lowering healthcare costs. It incorporates techniques like multi-dimensional range queries, outsourcing decryption to the cloud, and proxy re-encryption to shift computational tasks to the cloud without compromising privacy. The system architecture allows a mobile health service provider to store encrypted data and programs in the cloud and deliver them securely. It enables clients to query the cloud for monitoring programs using privacy-preserving tokens. The cloud assists with computationally intensive tasks without learning private query inputs or outputs, to protect all parties' privacy and data.
This document summarizes a research paper that proposes a secure cloud-based mobile health monitoring system called CAM. The system aims to protect patient privacy and the intellectual property of healthcare service providers. It incorporates techniques like anonymous identity-based encryption and outsourced decryption to encrypt health data and shift decryption tasks to the cloud. The system also randomizes diagnostic programs and decision thresholds stored in the cloud to protect provider content. The goal is to allow resource-constrained providers to participate in mobile healthcare via cloud support while preserving security and privacy.
This document summarizes a research paper on designing a secure cloud-assisted mobile health monitoring system. The system aims to address privacy and security issues while lowering healthcare costs. It incorporates techniques like multi-dimensional range queries, outsourcing decryption to the cloud, and proxy re-encryption to shift computational tasks to the cloud without compromising privacy. The system architecture allows a mobile health service provider to store encrypted data and programs in the cloud and deliver them securely. It enables clients to query the cloud for monitoring programs using privacy-preserving tokens. The cloud assists with computationally intensive tasks without learning private query inputs or outputs. The system aims to achieve effective privacy preservation while reducing the workload on clients and the service provider.
Secure Multi-Owner Group Signature Based Secure M-Health Records in Cloud IJMER
This document summarizes a research paper that proposes a secure cloud-based mobile health monitoring system called CAM. The system aims to protect patient privacy and the intellectual property of healthcare service providers. It incorporates techniques like anonymous identity-based encryption and outsourced decryption to encrypt health data and shift decryption tasks to the cloud. The system also randomizes diagnostic programs and decision thresholds stored in the cloud to protect provider content. The final scheme enables resource-constrained providers to participate by reducing their computational burden through techniques like key-private proxy re-encryption.
This document describes a proposed anti-fraud security system for ATMs. The current ATM security relies on PINs and message passing, but higher levels of fraud require improved security. The proposed system adds several new modules: user registration to permit access by others, PIN verification with message confirmation, camera activation to verify the user, location tracing if not verified, and permitting access if confirmed by a registered user. The system aims to reduce ATM theft and fraud while maintaining usability. It was inspired by security needs in banking and would help limit financial risk for customers and banks from ATM transactions.
“The entire tokenization infrastructure that’s put in place by the payment networks is also a business model. They’ve tied their model to Apple so that transactions and enablement of mobile payments has to go through Visa, MasterCard, AMEX and the like.” Tim Sloane, Mercator Advisory Group
Adaptive authentication to determine login attempt penalty from multiple inpu...Conference Papers
This document proposes an adaptive authentication method that determines login penalties based on multiple input sources. It describes adding an IP address checker module to the existing Trust Engine component of the Mi-UAP authentication platform. The IP address checker would identify the source type of the user's IP address and apply the appropriate penalty, such as requiring additional authentication methods or blocking the user, depending on factors like whether the IP is on a blacklist database. The document outlines the process and provides examples of how penalties would be applied based on the identified source type.
Adaptive authentication to determine login attempt penalty from multiple inpu...Conference Papers
This document proposes an adaptive authentication solution that determines login penalties based on multiple input sources. It describes adding an IP address checker module to the existing Trust Engine component of the Mi-UAP authentication platform. The IP address checker would identify the source type of a user's IP address and apply the appropriate penalty, such as requiring additional authentication methods or blocking the user, depending on factors like whether the IP is on a blacklist database. The document outlines the process flow and provides examples of how penalties would be applied based on the identified source type.
This document summarizes a research paper that proposes a two-factor authentication protocol for secure mobile payments. The protocol uses transaction identification codes (TICs) and SMS messages for authentication. TICs are one-time passwords issued by banks to users. The protocol encrypts and stores TIC lists on users' phones. During a transaction, the user selects a TIC which is verified by the bank. An SMS is also sent to the user for confirmation. The protocol aims to securely authenticate both the user and transaction using the user's mobile device and banking information.
Security Analysis of Mobile Authentication Using QR-Codes csandit
The QR-Code authentication system using a mobile application is easily implemented in a mobile
device with a high recognition rate without short distance wireless communication support such
as NFC. This system has been widely used for physical authentication systems that do not require a
strong level of security. The system also can be implemented at a low cost. However, the system
has a vulnerability of tampering or counterfeiting, because of the nature of the mobile
application that should be installed on the user’s smart device. In this paper we analyze the
vulnerabilities of each type of architecture of the system and discuss the concerns about the
implementation aspect to reduce these vulnerabilities.
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
This document presents the results of a case study on an adaptive authentication system. The study analyzed over 171,000 login records from over 1,200 users collected over 254 days. It found that most logins occurred during standard working hours and from within the organization's internal network. When analyzing attribute factors like location, time, browser and operating system, it found most logins originated from Kuala Lumpur, Malaysia, and the most used browser and operating system combination was Chrome on Windows 7. The study aims to evaluate the adaptive authentication system's ability to determine risk levels based on normal user behavior profiles.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf Paige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble… many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party and will share these foundational concepts to build on:
This document discusses identity management and security in cloud computing. It covers key topics such as:
- Centralized identity management provides benefits like a single user identity, consistent security policies, and reduced costs.
- Authentication establishes a user's identity through credentials. Popular methods include JSON web tokens (JWTs) which use digital signatures to authenticate API requests without authenticating each one individually.
- JWTs work by having a client authenticate once to get a token, then include that token in subsequent requests to prove identity without further authentication. The token contains identity claims and is digitally signed by an authentication authority.
Security Architecture for On-Line Mutual Funds Trading With Multiple Mobile A...CSCJournals
In this paper we propose a security architecture for the transaction procedure of On-Line Mutual Fund Trading system which is implemented using multi mobile agents that helps an individual, who is a kind of Do It yourself investor to invest her/his money in mutual funds online. Here, we modify, design and implement the global standard which provides security for transaction processing in E-Commerce i.e. Secure Electronic Transactions (SET). This eliminates the fraud that normally occurs during money transaction on-line. Modified SET protocol provides authentication of the participants, non-repudiation, data integrity and confidentiality. These features give a guarantee of security during payment procedure. The system is implemented on Aglets Framework - ASDK2.0.2 which is Mobile Agent Development platform and using java programming language. The issues of security and performance are analyzed.
This document describes an automated toll collection system using near-field communication (NFC) technology. The system aims to reduce toll transaction processing times and provide receipts and usage logs to customers. It uses an Android mobile application to transmit encrypted credentials from an NFC-enabled device to a tollgate terminal. A web service validates the credentials against a database and confirms sufficient account balances for toll payments. If valid, an SMS is sent to the customer as a receipt. The system architecture includes a web interface for account management and administration reports. Literature on NFC systems integration and security was also reviewed.
Integration Of Triangular Location Detection, IoT, Open CV - User Authenti...IRJET Journal
This document proposes a system that uses triangular location detection with IoT, OpenCV, and Zigbee hardware for user authentication during ATM cash loading for improved security. The system uses three Zigbees connected to the delivery vehicle, user's mobile phone, and ATM. When all three are within range, indicating the vehicle is at the ATM, an OTP is generated and verified between the vehicle and ATM Zigbees. In addition to OTP, user signature is verified using OpenCV after cash is loaded into the ATM, providing multi-factor authentication. This integrated system aims to provide more reliable and effective security compared to existing signature or PIN-based authentication alone.
IRJET-An Algorithmic Approach for Remote Data Uploading and Integrity Checkin...IRJET Journal
This document proposes an algorithm called ID-PUIC for remote data uploading and integrity checking in public clouds. It aims to address security issues when clients store sensitive data in public clouds, which they do not fully control. The proposed system uses a proxy to upload client data and perform remote integrity checks with the public cloud server. It introduces a protocol for the proxy to generate tags for file blocks and upload them along with the data for integrity verification. The ID-PUIC algorithm is more efficient for integrity checking than existing solutions as it ignores certificate management and uses bilinear pairings for security. The document outlines the system model, data flow, modules including key generation, tag generation and proofs to check integrity remotely between the client and public cloud server
Nowadays, embedded systems are widely used and connected to networks, especially the Internet. This has become the Internet of Things (IoT) era. When a device is on the Internet, it may be attacked or intentionally used by unauthorized persons. How can we make IoT devices secure with limited resources?
This presentation will explain the lessons learned from the banking and card payment industry on how embedded systems process financial transactions reliably and securely.
This document summarizes a research paper on designing a secure cloud-assisted mobile health monitoring system. The system aims to address privacy and security issues while lowering healthcare costs. It incorporates techniques like multi-dimensional range queries, outsourcing decryption to the cloud, and proxy re-encryption to shift computational tasks to the cloud without compromising privacy. The system architecture allows a mobile health service provider to store encrypted data and programs in the cloud and deliver them securely. It enables clients to query the cloud for monitoring programs using privacy-preserving tokens. The cloud assists with computationally intensive tasks without learning private query inputs or outputs, to protect all parties' privacy and data.
This document summarizes a research paper that proposes a secure cloud-based mobile health monitoring system called CAM. The system aims to protect patient privacy and the intellectual property of healthcare service providers. It incorporates techniques like anonymous identity-based encryption and outsourced decryption to encrypt health data and shift decryption tasks to the cloud. The system also randomizes diagnostic programs and decision thresholds stored in the cloud to protect provider content. The goal is to allow resource-constrained providers to participate in mobile healthcare via cloud support while preserving security and privacy.
This document summarizes a research paper on designing a secure cloud-assisted mobile health monitoring system. The system aims to address privacy and security issues while lowering healthcare costs. It incorporates techniques like multi-dimensional range queries, outsourcing decryption to the cloud, and proxy re-encryption to shift computational tasks to the cloud without compromising privacy. The system architecture allows a mobile health service provider to store encrypted data and programs in the cloud and deliver them securely. It enables clients to query the cloud for monitoring programs using privacy-preserving tokens. The cloud assists with computationally intensive tasks without learning private query inputs or outputs. The system aims to achieve effective privacy preservation while reducing the workload on clients and the service provider.
Secure Multi-Owner Group Signature Based Secure M-Health Records in Cloud IJMER
This document summarizes a research paper that proposes a secure cloud-based mobile health monitoring system called CAM. The system aims to protect patient privacy and the intellectual property of healthcare service providers. It incorporates techniques like anonymous identity-based encryption and outsourced decryption to encrypt health data and shift decryption tasks to the cloud. The system also randomizes diagnostic programs and decision thresholds stored in the cloud to protect provider content. The final scheme enables resource-constrained providers to participate by reducing their computational burden through techniques like key-private proxy re-encryption.
This document describes a proposed anti-fraud security system for ATMs. The current ATM security relies on PINs and message passing, but higher levels of fraud require improved security. The proposed system adds several new modules: user registration to permit access by others, PIN verification with message confirmation, camera activation to verify the user, location tracing if not verified, and permitting access if confirmed by a registered user. The system aims to reduce ATM theft and fraud while maintaining usability. It was inspired by security needs in banking and would help limit financial risk for customers and banks from ATM transactions.
“The entire tokenization infrastructure that’s put in place by the payment networks is also a business model. They’ve tied their model to Apple so that transactions and enablement of mobile payments has to go through Visa, MasterCard, AMEX and the like.” Tim Sloane, Mercator Advisory Group
Adaptive authentication to determine login attempt penalty from multiple inpu...Conference Papers
This document proposes an adaptive authentication method that determines login penalties based on multiple input sources. It describes adding an IP address checker module to the existing Trust Engine component of the Mi-UAP authentication platform. The IP address checker would identify the source type of the user's IP address and apply the appropriate penalty, such as requiring additional authentication methods or blocking the user, depending on factors like whether the IP is on a blacklist database. The document outlines the process and provides examples of how penalties would be applied based on the identified source type.
Adaptive authentication to determine login attempt penalty from multiple inpu...Conference Papers
This document proposes an adaptive authentication solution that determines login penalties based on multiple input sources. It describes adding an IP address checker module to the existing Trust Engine component of the Mi-UAP authentication platform. The IP address checker would identify the source type of a user's IP address and apply the appropriate penalty, such as requiring additional authentication methods or blocking the user, depending on factors like whether the IP is on a blacklist database. The document outlines the process flow and provides examples of how penalties would be applied based on the identified source type.
This document summarizes a research paper that proposes a two-factor authentication protocol for secure mobile payments. The protocol uses transaction identification codes (TICs) and SMS messages for authentication. TICs are one-time passwords issued by banks to users. The protocol encrypts and stores TIC lists on users' phones. During a transaction, the user selects a TIC which is verified by the bank. An SMS is also sent to the user for confirmation. The protocol aims to securely authenticate both the user and transaction using the user's mobile device and banking information.
Security Analysis of Mobile Authentication Using QR-Codes csandit
The QR-Code authentication system using a mobile application is easily implemented in a mobile device with a high recognition rate, without short-distance wireless communication support such as NFC. This system has been widely used for physical authentication systems that do not require a strong level of security. The system can also be implemented at a low cost. However, the system is vulnerable to tampering or counterfeiting, because of the nature of the mobile application that should be installed on the user’s smart device. In this paper we analyze the vulnerabilities of each type of architecture of the system and discuss the implementation concerns for reducing these vulnerabilities.
ADAPTIVE AUTHENTICATION: A CASE STUDY FOR UNIFIED AUTHENTICATION PLATFORM csandit
This document presents the results of a case study on an adaptive authentication system. The study analyzed over 171,000 login records from over 1,200 users collected over 254 days. It found that most logins occurred during standard working hours and from within the organization's internal network. When analyzing attribute factors like location, time, browser and operating system, it found most logins originated from Kuala Lumpur, Malaysia, and the most used browser and operating system combination was Chrome on Windows 7. The study aims to evaluate the adaptive authentication system's ability to determine risk levels based on normal user behavior profiles.
Secure Mobile Payment
1. Secure Mobile Payment via
Trusted Computing
Qi Li, Tsinghua University
Xinwen Zhang and Jean-Pierre Seifert, Samsung Research
张新文
Hulin Zhong, Lutong Network
This talk does not represent Samsung’s technical view
2. Mobile Threats
• Mobile devices become more open and general-purpose
• McAfee's 2008 Mobile Security Report
– nearly 14% of global mobile users have been directly infected or
have known someone who was infected by a mobile virus
– more than 86% of consumers worry about receiving inappropriate or
unsolicited content, fraudulent bill increases, or information loss or theft
– more than 70% of users expect mobile operators or device manufacturers
to pre-load mobile security functionality.
• F-Secure 2007 mobile threat report
– 370 malware by end of 2007
– viruses, Trojans, and spyware
– User downloaded codes, BT, MMS, MMC card
3. Related Work in Samsung
• Secure boot on mobile phone devices
– Secure u-boot
– Integrity verification of kernel image and read-only filesystem
• Integrity measurement for mobile phone
– IMA
– SELinux
– TCG MPWG compatible mobile phone platform
4. Outline
• Problem Statement
• Background
• Overview of Secure Payment Scheme
• Secure Payment Transactions
• Enhanced Payment Schemes
• Prototype Implementation and
Evaluation
• Conclusion
5. Mobile Payment
• A typical mobile payment scheme involves three parties: a mobile device, a
merchant, and a financial service provider.
• There are two types of e-payment applications:
– Check-like payments require a certain amount of virtual money which is taken
away from the customer before a payment is made.
– Cash-like payments require that a customer’s account is involved in each payment
transaction.
• To secure a payment transaction, a trusted third party (TTP) is involved to
authenticate and authorize users.
• General security requirements of mobile payments have been well studied in
the literature; however, mobile phones face intrusion by various kinds of malware.
6. Problem Statement
• The existing embedded operating systems (OS) cannot provide
sufficient integrity and isolation protection for the security demands of
mobile payment applications.
• While the majority of existing research focuses on secure payment
transactions, there is no intensive research on platform integrity
protection for secure payments on mobile devices.
• Without trusted mobile devices, the security of payment applications
and data cannot be guaranteed at all.
• Existing secure payment schemes fail to provide a platform integrity
protection solution for mobile payment transactions.
• The problem of how to establish and verify a secure runtime
environment for e-wallet software was never addressed until now.
7. Trusted Computing
• As a key mechanism defined by the TCG, attestation is used to report
the measured PCR values to a requestor who needs to know the
runtime-state of a platform.
– System components validate whether the runtime environment;
– Measurement agent measures the state of the runtime environment;
– Attestation service provides the platform integrity metrics.
• Typically, a trusted boot mechanism is also required for a trusted
platform, e.g., with the help of a core root of trust for measurement
(CRTM) and the TPM itself.
8. Secure Payment Scheme
• We propose a platform integrity protection solution for the whole
secure mobile payment process.
• Our architecture consists of five major parties for a complete secure
m-payment solution:
– Mobile phone: A trusted mobile device consists of a TPM and trusted
services which provide the integrity evidence of the platform.
– Software provider: A software provider provides payment applications in a
secure way, such as e-wallet.
– Merchant: Merchants not only need to provide the commodities that
customers demand, but also the Point of Sales (POS) devices to
authorize customers and guarantee that the payment information is
forwarded to the financial service providers.
– Financial service provider: provides user accounts for m-payments and
validates the user payment information during the payment transaction
processes.
– TC service provider: a trusted third party (TTP) to validate whether a
measurement list is non-tampered and the system integrity
9. Secure Payment Transactions
• Secure software downloading
– For a secure payment scheme, e-wallet applications are essential for m-
payment transactions. In this context an e-wallet runtime environment is
also important.
• Secure e-wallet initialization
– In order to secure the payment transaction process itself, we also need to
secure the e-wallet initialization process.
• Secure payment transaction
– Similarly, we need to evaluate and validate the integrity of the whole
mobile phone before an actual payment process.
• We assume that the key pair of an AIK is generated inside
the TPM of the mobile phone and that the AIK credential is signed by
and retrieved from the trusted third party.
10. Secure Software Downloading
• The process of application downloading consists of two stages, the
first stage is integrity measurement and the second is software
downloading.
– A measurement request is generated by the application manager, and the
measurement service initiates the respective measurement operation.
• The software runtime environment and the e-wallet application are
downloaded with similar procedures.
11. Secure Downloading Protocol
• Secure Downloading Protocol
– The TC service provider verifies the AIK certificate which binds
the verification key of the Quote.
– The signatures of the software runtime and the software integrity
are verified before software installation.
– Parties: TPM, Attestation Service, Measurement Agent, Application Manager, Software Provider, TC Service Provider
– Protocol steps:
1) Attestation request: {nonce}
2) Quote = Sig{PCR, nonce}AIK
3) Measurement List (ML)
4) {Quote, ML}
5) {Quote, ML}
6) {Quote, ML}
6a) determine trusted credential
6b) validate signature
6c) validate ML using PCR
7) Attestation result
8) {software | Sig{software}SK_SP}
8a) verify the software provider
8b) verify the software
12. E-wallet Initialization
• The e-wallet initialization aims to generate a key pair and securely store
the private part (e.g., account info) for the m-payment application.
• Seal secrets with TPM
13. Secure payment transaction
• Procedures
– Similar to the above two processes, the integrity measurement mechanism is
also invoked in the process of secure payment transaction.
– Secure Payment Protocol
14. Enhanced Payment Schemes
• The efficiency and scalability issues of mobile payment will greatly
influence mobile payment performance.
– First, in the above scheme, each mobile payment application needs an
AIK, which introduces management cost to the overall mobile computing
infrastructure.
– Second, in the above scheme the TC service provider is involved in the
attestations of every payment transaction.
• We propose two enhanced mobile payment solutions for different
optimization requirements.
– In the first solution, we leverage the phone number as the device identity
to resolve the credential management problem.
– Second, for further optimization, we also reduce the TC service provider
related attestation steps during payment transactions.
• These two enhanced schemes are independent of each other, and
they can be jointly used in a real system.
15. IBS for Attestation
• In a typical IBS system, there are four basic algorithms: setup
algorithm, extract algorithm, sign algorithm and verify algorithm.
– PKG: MKg(1^k) → (MK, MSK)
– PKG: UKg(MSK, “Alice”) → sQ_IDA, which is given to Alice
– Alice: Sign(sQ_IDA, M) → σ, and sends (M, σ) to Bob
– Bob: Verify(MK, “Alice”, M, σ) → acc/rej
• In this scheme, we fully utilize the mobile phone infrastructure and
replace in the transaction processes the AIK based public key
signature with an IBS algorithm.
• Because we only replace the signature algorithm and do not change the
underlying payment protocols, the enhanced scheme achieves the
same security goals.
16. Extended AIK Certificate for Attestation
• In the payment scheme, the financial service provider needs to
interact with the TC service provider within every payment
transaction, which might be a potential performance bottleneck.
• The core idea behind this scheme is that the integrity of the mobile
phone is validated when the TC service provider issues an AIK
certificate and the expected integrity values are included within the
certificate.
[Figure: attestation message flow between the TPM, Attestation Service, Measurement Agent, M-Payment Application and Financial Provider]
1) Attestation request: {nonce}
2) Quote = Sig{PCR, nonce}AIK
3) Measurement List (ML)
4) {Quote, ML}
5) TPM_Unseal(PCR)
6) {User account | Signature | Quote, ML}
6a) determine trusted credential
6b) validate signature
6c) validate PCR in credential
Transaction e-receipt
• In summary, compared to the original one, several benefits are
achieved by this new scheme:
– Flexibility: In this scheme, a financial service provider or a POS terminal
can directly attest a mobile phone on behalf of a TC service provider
– Security: The integrity of the mobile platform is in any case validated by
comparing the claimed measurement values to those embedded inside
the AIK certificate.
– Performance: A TC service provider is not involved in every payment
transaction and a financial service provider can directly attest a mobile
phone
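The verifier-side checks 6b and 6c, for both the original scheme (validate ML using PCR) and the extended AIK certificate scheme (validate PCR in credential), as an added example that is not part of the original slides. Assumptions: HMAC-SHA256 stands in for the AIK public-key signature so the code runs with the standard library only, and all function names, component names and sample measurements are constructed for illustration.

```python
import hashlib
import hmac

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def replay(ml) -> bytes:
    """Recompute the PCR value that a measurement list (ML) implies."""
    pcr = bytes(20)                      # PCR starts as 20 zero bytes
    for _name, digest in ml:
        pcr = extend(pcr, digest)
    return pcr

def make_quote(aik: bytes, pcr: bytes, nonce: bytes):
    """Quote = Sig{PCR, nonce}AIK. ASSUMPTION: HMAC stands in for the AIK signature."""
    return pcr, hmac.new(aik, pcr + nonce, hashlib.sha256).digest()

def attest(aik, nonce, quote, ml, known_good=None, cert_pcr=None) -> str:
    pcr, sig = quote
    # 6b) validate signature; binding the verifier's fresh nonce rejects replayed quotes
    if not hmac.compare_digest(sig, make_quote(aik, pcr, nonce)[1]):
        return "reject: signature or nonce"
    if cert_pcr is not None:
        # Extended AIK certificate: 6c) validate PCR against the value in the credential
        return "accept" if hmac.compare_digest(pcr, cert_pcr) else "reject: PCR not in credential"
    # Original scheme: 6c) validate ML using PCR, then judge each measured component
    if not hmac.compare_digest(replay(ml), pcr):
        return "reject: ML does not match PCR"
    bad = [name for name, digest in ml if known_good.get(name) != digest]
    return "accept" if not bad else "reject: unknown " + ",".join(bad)

# Constructed sample data (not from the slides)
def m(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

AIK = b"constructed-aik-key"
GOOD_ML = [("bootloader", m(b"boot-v1")), ("kernel", m(b"kernel-v1")), ("m-payment", m(b"wallet-v1"))]
KNOWN_GOOD = dict(GOOD_ML)
TAMPERED_ML = GOOD_ML[:2] + [("m-payment", m(b"wallet-trojan"))]

if __name__ == "__main__":
    n = b"nonce-0001"
    good_q, bad_q = make_quote(AIK, replay(GOOD_ML), n), make_quote(AIK, replay(TAMPERED_ML), n)
    print(attest(AIK, n, good_q, GOOD_ML, KNOWN_GOOD))           # honest platform
    print(attest(AIK, n, bad_q, TAMPERED_ML, KNOWN_GOOD))        # modified wallet, honest ML
    print(attest(AIK, n, bad_q, GOOD_ML, KNOWN_GOOD))            # modified wallet, forged ML
    print(attest(AIK, b"nonce-0002", good_q, GOOD_ML, KNOWN_GOOD))  # replayed old quote
    print(attest(AIK, n, bad_q, TAMPERED_ML, cert_pcr=replay(GOOD_ML)))  # extended scheme
```

In the extended scheme the verifier needs no known-good database and no round trip to the TC service provider, because the expected PCR value travels inside the credential.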
17. Prototype Overview
• In our prototype, the platform integrity storage is realized by a
software TPM. Specifically, Trusted Java is used to provide the TCG
Software Stack (TSS).
• Different platforms were developed to act as a mobile device, a
financial service provider, a POS terminal, and a TC service provider,
respectively.
18. Performance Evaluation
• We only evaluated the performance of payment transactions
including the integrity attestation operations.
• The measured time includes the time of the TPM operations, the
measurement time, the verification time and the overhead.
– A whole payment transaction without SSL may cost only 2.70s — even
with 100 concurrent transactions to the same financial service server.
• We similarly evaluated our enhanced payment scheme using an IBS.
Similar performance is achieved.
19. Related Work
• M-payment security has been studied extensively in the literature.
– security requirements of mobile payments
– biometric-enabled payment system
– solutions considering the restrictions of mobile networks
– ……
• Another line of work focuses on securing e-wallets.
– A generalization of e-wallets to enable account-based payments.
– Ebringer et al. propose a parasitic authentication, thus offering security for
handheld computers
– ……
• Molnar et al. provide a secure RFID solution with remote attestation.
They fully use TC technologies to secure RFID.
• Platform integrity measurement and attestation mechanisms
– IBM IMA
– Property-based, Semantic-aware, Behavior-based attestation
20. Conclusion
• We proposed a secure mobile payment scheme using
trusted computing (TC) technology. In our proposed
architecture we presented a platform integrity protection
solution for mobile payment via NFC.
• Our scheme addresses the unresolved security
challenges of mobile payment, including platform integrity
verification and user privacy protection.
• In order to improve the efficiency, flexibility and
performance of our payment scheme, we proposed two
enhanced payment schemes, utilizing an IBS scheme and
an attestation cache.
• The experimental results show that our scheme is efficient
and effective to achieve the security target.
21. Problems and Ongoing Work
• Platform integrity measurement
– Existing solutions are not practical
• Either trust all components, or trust some untrusted components
– Representation of platform integrity measurement
• Static/loadtime measurement only
• Our ongoing work:
– Efficient IM and attestation for mobile phone devices
– Leverage some unique properties of phone systems and business model
– Leverage integrity models: Biba, Clark-Wilson, LOMAC, SEIM, etc
• To reduce measured components
• But still preserve the attestation assurance
• Via mandatory access control in OS level for information flow monitoring
– Virtualization on mobile devices
• VirtualLogix, Trango, OpenKernel, etc.