Secure Verification for Payment and Banking Systems Open Access
It is apparent that the increasing penetration of personal electronic devices in people's daily lives will continue to have a profound influence on security. Many people carry personal electronic devices and rely on them for everyday tasks. Furthermore, with the arrival of the "Personal Internet of Things", the number of connected personal devices is expected to grow even larger in the near future. Although this trend creates many challenges, cooperation between these personal devices could provide ample opportunities to enhance security. This dissertation focuses on leveraging personal devices to enhance the verification methods used in payment and banking systems.

In our first work, we introduce a new cardholder verification method that combines multi-possession-factor authentication with the distance-bounding technique, which prevents many different security attacks. The proposed method gives the user the flexibility to add one or more additional devices and to select the appropriate security level. It mitigates or removes many popular security attacks that are claimed to be effective against current card-based payment systems, and it can help to reduce fraud on payment cards.

In our second work, we focus on Person-To-Person payment systems, which play a significant role in our daily lives. We introduce two secure fund transfer methods for sending money peer-to-peer using the existing banking infrastructure and leveraging personal devices. Our methods provide a convenient way to transfer money quickly, and they do not require bank cards or any identification card. Unlike other peer-to-peer payment systems, the proposed methods do not require the receiving entity to have a bank account or to perform any registration procedure.

Our third work leverages personal devices to secure online banking systems as well. We observe that many banks and various services have long relied on username/password combinations to verify users. These legacy authentication methods have failed over and over, and they are not immune to a wide variety of attacks that can be launched against users, networks, or authentication servers. In this work, we design an efficient and practical user authentication scheme that utilizes different cryptographic primitives and solves many security issues found in legacy authentication methods.

Lastly, using secret sharing and threshold cryptography, we propose a threshold-based authentication system that leverages the user's computing devices and allows users to designate permissions. Any subset of registered physical or virtual devices can participate in running an authentication protocol and provide the user with a one-time credential to access an online banking system.