SafePay: Protecting against Credit Card Forgery with Existing Magnetic Card Readers
Yinzhi Cao †, Xiang Pan §, Yan Chen §
† Lehigh University, § Northwestern University



Road Map
- Introduction & Background
- Design & Implementation
- Evaluation
- Conclusion

Magnetic stripe card suffers from credit card forgery attack
- Magnetic stripe stores plain text of card information
- Attacker: malicious merchant, card reader hacker, bad guy with skimming device
[Figure: original card and forged card]

Real world attack examples
- [Barnes & Noble store] Attackers stole customers' credit card information at 63 Barnes & Noble stores through hacked credit card readers.
- [Target store] Credit and debit card information of 70 million customers was stolen during a large-scale data breach of Target stores.
- ...
- The loss incurred by such attacks in the U.S. is over $8 billion per year.

Existing approaches are not compatible
- EMV card:
  - Not compatible with the dominant magnetic card readers.
  - All existing EMV cards still have a magnetic stripe as a backup (still vulnerable).
- Mobile wallet applications (e.g., Apple Pay, Google Wallet):
  - Use various techniques such as QR codes and Near Field Communication (NFC).
  - Do not work with card readers, and are adopted even less than EMV cards.

SafePay Design Goals
1. Leakage Resilience: prevent credit card information leakage through a malicious magnetic card reader.
2. Backward Compatibility: be compatible with magnetic card readers.
3. User Friendly and Low Cost: be easy to use and impose low cost.

Core Ideas
1. Disposable Credit Card Number: a virtual card number that expires after a number of uses.
2. Dynamic Magnetic Credit Card Chip: a chip that accepts new data (card information) and can be swiped on existing card readers.
3. Mobile Banking Application: a mobile app that combines the above two components.

[Figure: Coffee Shop, Gas Station; Card No. A (1111 … 11), Card No. B ( ), Card No. A]


SafePay design
- Client side: SafePay Mobile App, SafePay Magnetic Credit Card Chip
- Merchant side (no modification)
- Credit card association side (i.e., bank and payment network)
Steps:
(1) Request disposable credit card information.
(2) Connected through microphone jack or Bluetooth.
(3) Swipe the chip.
(4) Authorization.
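
Added example (not from the original slides or the SafePay prototype): a minimal issuer-side model of steps (1) and (4), showing why a number captured by a compromised reader is declined once its permitted uses are spent. The class and method names, the account identifier, and the choice of a random 13-digit value are assumptions made for illustration.

```python
import secrets


class DisposableCardIssuer:
    """Hypothetical issuer-side registry of disposable card numbers."""

    DIGITS = 13  # assumption: the 13 digits the slides say are available

    def __init__(self):
        self._active = {}   # disposable number -> [account_id, uses_left]
        self.ledger = []    # (account_id, amount_cents) for approved charges

    def issue(self, account_id, max_uses=1):
        """Step (1): the mobile app requests a fresh disposable number."""
        if max_uses < 1:
            raise ValueError("max_uses must be at least 1")
        while True:
            number = "".join(secrets.choice("0123456789")
                             for _ in range(self.DIGITS))
            if number not in self._active:  # never reissue a live number
                break
        self._active[number] = [account_id, max_uses]
        return number

    def authorize(self, number, amount_cents):
        """Step (4): the unmodified merchant reader submits the swiped number."""
        entry = self._active.get(number)
        if entry is None:
            return ("DECLINED", None)       # unknown or already expired
        account_id, uses_left = entry
        if uses_left == 1:
            del self._active[number]        # last permitted use: expire it
        else:
            entry[1] = uses_left - 1
        self.ledger.append((account_id, amount_cents))
        return ("APPROVED", account_id)


def demo():
    """Constructed scenario: one legitimate swipe, then a replay of the copy."""
    issuer = DisposableCardIssuer()
    number = issuer.issue("acct-constructed-001", max_uses=1)
    skimmed = number                        # what a compromised reader records
    first = issuer.authorize(number, 450)   # customer's own purchase
    replay = issuer.authorize(skimmed, 99900)  # forged card used later
    return first, replay, issuer.ledger


if __name__ == "__main__":
    print(demo())
```
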

SafePay deployment
- Bank Deployment
- Proxy Deployment

SafePay Magnetic Credit Card (MCC) chip requirements
- Work on magnetic card readers.
- Support dynamic card information.
- Easy to update the associated card information at low cost.
[Figure: SafePay Magnetic Credit Card Chip, SafePay Mobile App]

SafePay MCC chip design
- Replicate the changing magnetic field generated by swiping a magnetic card.
- No storage of the card number.
How a card reader reads a swipe:
1. Swipe card
2. Generate changing magnetic field
3. Induce current
4. Decode current and reconstruct data

SafePay MCC chip design (cont'd)
- How to generate the magnetic field?
  - An electromagnet, which is a solenoid (coil of wire).
- How to control the solenoid?
  - Through the waveform of the current.
  - Encode the disposable card information into a sound (WAV) file and play it.

SafePay User-side Component

SafePay implementation & demo


Evaluation: Feasibility
- Feasibility experiments in the wild:
  - Get a disposable card number through ShopSafe.
  - Succeeded in all scenarios: vending machine, coffee shop, and gas station.

Evaluation: Robustness
- Randomly selected 20 people.
- Asked them to install SafePay on their phones and use it 10 times.
- 19 of the 20 got 10 correct swipes.
- The failed case was caused by a low volume setting on the phone.

Evaluation: Scalability
- For each set of valid card info, 13 digits can be used for disposable credit card numbers.
- Assuming 1 billion people use the service, each person can have 10 billion disposable credit card numbers.

Evaluation: Cost of users
- Mobile app: free.
- Magnetic card chip:
  - Amplifier: ~$0.37
  - Low pass filter: ~$0.02
  - Solenoid: ~$0.1
  - Total: < $0.5
- Will be even cheaper with mass production.


Conclusions
- We propose SafePay, a system that protects customers from credit card forgery and is compatible with existing magnetic card readers.
- We implemented a prototype of SafePay and successfully tested it at several real-world merchants.
- Its cost is less than $0.5.
- Since publication, SafePay has been reported by dozens of media outlets, such as economictimes.com, yahoo.com and sciencenewsline.com.

Recognition

Interest from vendors

Thanks & Questions?