Shaik Shakeel Ahamad

DOI: https://doi.org/10.1109/access.2021.3139065

IF: 3.9

2022-01-01

IEEE Access

Abstract:The unprecedented growth of mobile applications promoted the usage of these mobile applications for payments. The current research works in mobile payments and commerce are prone to reverse-engineering attacks and lacked transport layer protection, so these research works do not ensure security. Therefore, such attacks on Mobile Payment Applications (MPA) will be successful, which leads to severe financial loss. To address these issues, we propose a secure framework incorporating a defense-in-depth approach for Near Field Communication (NFC) based mobile payment frameworks. Our defense-in-depth approach has three levels, i.e., Defense at hardware, mobile application, and communication level. We have proposed a NFC based Secure Protocol for Mobile Transaction (NSPMT) protocol and successfully verified a mobile payment protocol with BAN (Burrows, Abadi, and Needham) logic and Scyther tool, and our proposed protocol overcome multi-protocol attack, RAM (Random Access Memory) scrapping attack, DOS (Denial Of Service), DDOS (Distributed Denial Of Service), and Phlashing attacks. Our proposed mobile Payment system overcomes the known mobile application vulnerabilities, including Heartbleed and ROBOT (Return Of Bleichenbacher’s Oracle Threat). Our proposed protocol ensures all the security properties and the energy and communication cost and computational cost are far less than the existing works in the literature. Finally, we have successfully implemented our protocol using kotlin language in Android Studio, with two Mobile Payment Applications (MPA) and POS Payment Application (PPA), Elliptic Curve Digital Signature Algorithm (ECDSA) is used and Advanced Encryption Standard (AES) with GCM (Galois/Counter Mode) mode is used for encryption and decryption of Customer Payment Data at MPA and PPA.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chalee Thammarat

DOI: https://doi.org/10.3390/sym12101649

2020-10-09

Symmetry

Abstract:The standard protocol of near field communication (NFC) has concentrated primarily on the speed of communication while ignoring security properties. Message between an NFC-enabled smartphone and a point of sale are exchanged over the air (OTA), which is a message considered an authentication request for payment, billing, ticketing, loyalty services, identification or access control. An attacker who has an antenna can intercept or manipulate the exchanged messages to take advantage of these. In order to solve this problem, many researchers have suggested authentication methods for NFC communications. However, these remain inadequate transaction security and fairness. In this paper, we will propose a technique that ensures mutual authentication, security properties, and strong fairness. Mutual authentication is a security property that prevents replay attacks and man-in-the-middle attacks. Both fair exchange and transaction security are also significant issues in electronic transactions with regards to creating trust among the parties participating in the transaction. The suggested protocol deploys a secure offline session key generation technique to increase transaction security and, importantly, make our protocol lightweight while maintaining the fairness property. Our analysis suggests that our protocol is more effective than others regarding transaction security, fairness, and lightweight protocol. The proposed protocol checks robustness and soundness using Burrows, Abadi and Needham (BAN) logic, the Scyther tool, and automated validation of internet security protocols and applications (AVISPA) that provide formal proofs for security protocols. Furthermore, our protocol can resolve disputes in case one party misbehaves.

Forough Sadat Mirkarimzade Tafti,Shahriar Mohammadi,Mehdi Babagoli

DOI: https://doi.org/10.1016/j.jisa.2021.102997

IF: 4.96

2021-11-01

Journal of Information Security and Applications

Abstract:Mobile payments have received a lot of attention because they are available at any time and place. One of the various payment methods is Near Field Communication (NFC) mobile payment. As a result of potential problems that may arise using mobile payments such as fraud and information theft, the security of mobile payment protocols is pivotal. One of the critical stages in mobile payment security is the mutual authentication between the user and the Mobile Network Operator (MNO). Global System for Mobile (GSM) proposed a protocol to mutual authentication using symmetric key cryptographic method. In this paper, we have introduced a new protocol for NFC mobile payment, which improves the GSM authentication protocol due to the existence of symmetric cryptographic security threats, and uses an asymmetric encryption method to mutual authentication. Also, this protocol reduces the number of required key-pairs for authentication. Furthermore, our proposed protocol, increases resistance to attacks such as replay attack, DOS, eavesdropping attacks, repudiation, man in the middle attack and de-synchronization. Because mobile devices have limited resources and processing power, our proposed protocol reduces the signalling overhead and processing load of the client-side as much as possible.

computer science, information systems

Weixi Gu,Zheng Yang,Longfei Shangguan,Xiaoyu Ji,Yiyang Zhao

DOI: https://doi.org/10.1109/trustcom.2014.34

2014-01-01

Abstract:Near field authentication is of great importance for a range of applications, and has attracted many research efforts in the past decades. Several approaches have been developed and demonstrated their feasibility. The state-of-art works, however, still have much room to improve their automation and usability. First, user assistance is required in most existing approaches, which will be easily observed and imitated by attackers. Second, the authentications of several works heavily depend on special hardware, e.g., Server or high resolution screen, which greatly restricts their application scenarios. In this paper, we present a near field authentication system Tooth that needs little human assistance and is compatible with most smart phones. ToAuth is based on the key insight that the acceleration traces are similar for a pair of smart phones when they are contacting physically and vibrating. The random vibration patterns are sufficiently uncertain to provide high entropy to generate a pair of cryptographic keys yet are inimitable for a third party who does not get in touch with the vibration source. ToAuth leverages the keys to make authentication for smart phones. We implement ToAuth on Android platform and evaluate its performance under various scenarios. Extensive experiments demonstrate ToAuth could achieve around 90% success rate in stable environment, and prevent attacks depended on vibration noise.

Mahdi Ghafoorian,Morteza Nikooghadam

DOI: https://doi.org/10.1007/s11276-020-02319-x

IF: 2.701

2020-04-27

Wireless Networks

Abstract:Near Field Communication (NFC) is a promising technology that facilitate E-commerce through contactless communications. In the past decade, the NFC characteristics such as availability and usage simplicity have attracted the attention of most smartphones’ manufacturers and industries. Nevertheless, lack of a common and a comprehensive approach to employ NFC as a contactless payment tool, results in the persistence of some unresolved problems. These problems have hampered the widespread use of this technology since its appearance. During past years, most researchers have focused on addressing security threats existing in NFC environment. In this regard, these researches led to the introduction of an NFC security standard (NFC-SEC), which has been published by ISO and ECMA organizations. However, this standard does not offer privacy for users and there are few practical works providing it through NFC communications. Recently, some privacy preserving protocols have been proposed to supply NFC security along with anonymity. In this paper, we first prove that these previous protocols suffer from security vulnerabilities. Second, we propose our anonymous and secure key agreement (ASKA) protocol for NFC application using pseudonyms in order to address most probable security threats and those persisting in previous schemes. Third, we provide informal and formal security analysis using the Real-Or-Random model. The safety of the ASKA protocol is also verified by conducted simulation on the widely accepted AVISPA tool. Finally, the computational and communicational cost comparison along with the implementation result confirm that the proposed protocol is more suitable for NFC applications than previous schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jie Xu,Kaiping Xue,Qingyou Yang,Peilin Hong

DOI: https://doi.org/10.1109/TCE.2018.2811260

2018-01-01

IEEE Transactions on Consumer Electronics

Abstract:Nowadays, near field communication (NFC) has been widely used in electronic payment, ticketing, and many other areas. NFC security standard requires the use of public key infrastructure (PKI) to implement mutual authentication and session keys negotiation in order to ensure communication security. In traditional PKI-based schemes, every user uses a fixed public/private key pair to implement authen...

He-Jun Lu,Dui Liu

DOI: https://doi.org/10.1371/journal.pone.0256367

IF: 3.7

2021-08-16

PLoS ONE

Abstract:Aimed at the security authentication problem between Near Field Communication (NFC) devices, this paper uses the technology of asymmetric encryption algorithm, symmetric encryption algorithm, hash function, timestamp and survival period to improve the confidentiality, performance and security of the protocol. The symmetric encryption algorithm encrypts the transmission content, while the asymmetric encryption algorithm encrypts the shared key. The whole authentication process is secure, and the key distribution is secure. The improved NFC device authentication protocol can effectively resist the brute force attack, man-in-the-middle attack and replay attack in the authentication process, it can reduce the number of message transmission in the authentication process, improve the transmission efficiency, enhance the confidentiality, integrity, non-repudiation and improve the security of NFC device authentication.

multidisciplinary sciences

Pardis Pourghomi,Muhammad Qasim saeed,Gheorghita Ghinea

DOI: https://doi.org/10.48550/arXiv.1312.2828

2013-12-10

Cryptography and Security

Abstract:Near Field Communication (NFC) technology is based on a short range radio communication channel which enables users to exchange data between devices. With NFC technology, mobile services establish a contactless transaction system to make the payment methods easier for people. Although NFC mobile services have great potential for growth, they have raised several issues which have concerned the researches and prevented the adoption of this technology within societies. Reorganizing and describing what is required for the success of this technology have motivated us to extend the current NFC ecosystem models to accelerate the development of this business area. In this paper, we introduce a new NFC payment application, which is based on our previous NFC Cloud Wallet model to demonstrate a reliable structure of NFC ecosystem. We also describe the step by step execution of the proposed protocol in order to carefully analyse the payment application and our main focus will be on the Mobile Network Operator (MNO) as the main player within the ecosystem.

Muhammad Tanveer,Samia Allaoua Chelloug,Maali Alabdulhafith,Ahmed A. Abd El-Latif

DOI: https://doi.org/10.1016/j.eij.2024.100474

IF: 4.195

2024-05-16

Egyptian Informatics Journal

Abstract:With the rapid progress of communication technology, the Internet of Things (IoT) has emerged as an essential element in our daily lives. Given that the IoT encompasses diverse devices that often have limited resources in terms of communication, computation, and storage. Consequently, the National Institute of Standards and Technology (NIST) has standardized several lightweight cryptographic algorithms for encryption and decryption, specifically designed to meet the needs of resource-constrained IoT devices. These cryptographic algorithms, known as authenticated encryption with associated data (AEAD), offer more than just confidentiality—they also guarantee information integrity and authentication. Unlike conventional encryption algorithms like AES, which solely provide confidentiality, AEAD algorithms encompass additional functionality to achieve authenticity. This eliminates the need for separate algorithms like message authentication codes to ensure authenticity. Therefore, by leveraging the characteristics of an AEAD protocol, it is possible to develop a lightweight authentication framework to mitigate the security risks inherent in public communication channels. Therefore, in this work, we designed the lightweight authentication protocol for the smart healthcare system (BLAP-SHS) using an AEAD mechanism. In order to do this, a session key must first be created for encrypted communication. This is done via a method called mutual authentication, which verifies the legitimacy of both the user and the server. The random-or-real methodology ensures the security of the derived session key, and the Scyther tool is used to assess BLAP-SHS' resistance to man-in-the-middle and replay attacks. Through using the technique of informal security analysis, the resilience of BLAP-SHS against denial of service, and password-guessing threats are evaluated. By juxtaposing BLAP-SHS with other prominent authentication techniques, the usefulness of BLAP-SHS is also assessed in terms of computing and communication costs. We illustrate that the BLAP-SHS requires a reduction in computation cost ranging from [70.11% to 95.21%] and a reduction in communication resources ranging from [3.85% to 9.09%], as evidenced by our comparative study.

computer science, information systems, artificial intelligence

Hosam Alamleh,Ali Abdullah S. AlQahtani,Baker Al Smadi

DOI: https://doi.org/10.48550/arXiv.2304.09468

2023-04-19

Cryptography and Security

Abstract:The rise of smartphones has led to a significant increase in the usage of mobile payments. Mobile payments allow individuals to access financial resources and make transactions through their mobile devices while on the go. However, the current mobile payment systems were designed to align with traditional payment structures, which limits the full potential of smartphones, including their security features. This has become a major concern in the rapidly growing mobile payment market. To address these security concerns,in this paper we propose new mobile payment architecture. This architecture leverages the advanced capabilities of modern smartphones to verify various aspects of a payment, such as funds, biometrics, location, and others. The proposed system aims to guarantee the legitimacy of transactions and protect against identity theft by verifying multiple elements of a payment. The security of mobile payment systems is crucial, given the rapid growth of the market. Evaluating mobile payment systems based on their authentication, encryption, and fraud detection capabilities is of utmost importance. The proposed architecture provides a secure mobile payment solution that enhances the overall payment experience by taking advantage of the advanced capabilities of modern smartphones. This will not only improve the security of mobile payments but also offer a more user-friendly payment experience for consumers.

Dennis Giese,Kevin Liu,Michael Sun,Tahin Syed,Linda Zhang

DOI: https://doi.org/10.48550/arXiv.1904.10623

2019-04-24

Abstract:Near-Field Communication (NFC) is a modern technology for short range communication with a variety of applications ranging from physical access control to contactless payments. These applications are often heralded as being more secure, as they require close physical proximity and do not involve Wi-Fi or mobile networks. However, these systems are still vulnerable to security attacks at the time of transaction, as they require little to no additional authentication from the user's end. In this paper, we propose a method to attack mobile-based NFC payment methods and make payments at locations far away from where the attack occurs. We evaluate our methods on our personal Apple and Google Pay accounts and demonstrate two successful attacks on these NFC payment systems.

Cryptography and Security

Liming Fang,Minghui Li,Zhe Liu,Changting Lin,Shouling Ji,Anni Zhou,Willy Susilo,Chunpeng Ge

DOI: https://doi.org/10.1109/tdsc.2021.3102099

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Mobile payment system has been expected to provide more efficient and convenient payment methods. However, compared to traditional payments, mobile payment issues related to the security of electronic accounts and payment apps present serious challenges. In this paper, we find the potential security risks by analyzing the commonly used tokenized mobile payment method and put forward the corresponding off-site attack strategy. In this scenario, the attackers are not only limited to malicious third parties but also can be illegal merchants. To address the off-site attack, especially the potential attackers who may be malicious merchants, we also propose SALP, a secure and authenticated payment protocol, using time and position as necessary conditions for the payment confirmation. Furthermore, we leverage identity-based signature (IBS) to prevent altering the information and reduce the overhead of the third-party authentication. We conduct case studies to demonstrate that the SALP can effectively prevent the off-site payment attack without a trusted hardware environment. In particular, we finally argue that SALP does not bring additional system overhead without degrading the convenience of mobile payment.

Ayu Tiwari,Sudip Sanyal,Ajith Abraham,Svein Johan Knapskog,Sugata Sanyal

DOI: https://doi.org/10.48550/arXiv.1111.3010

2011-11-13

Abstract:Previous Web access authentication systems often use either the Web or the Mobile channel individually to confirm the claimed identity of the remote user. This paper proposes a new protocol using multifactor authentication system that is both secure and highly usable. It uses a novel approach based on Transaction Identification Code and SMS to enforce extra security level with the traditional Login/password system. The system provides a highly secure environment that is simple to use and deploy, that does not require any change in infrastructure or protocol of wireless networks. This Protocol for Wireless Payment is extended to provide two way authentications.

Cryptography and Security

Dr. Rekha N

DOI: https://doi.org/10.22214/ijraset.2021.35473

2021-06-20

International Journal for Research in Applied Science and Engineering Technology

Abstract:Counterfeit medications are known as the medications that were manufactured for the purpose of deceptively representing as authentic, effective and original in the market. Such medications cause severe health issues for patients. Counterfeited drugs have an inimical effect on the human health. The legal manufacturing companies also face threats to their revenue loss due to these counterfeited medicines. In this paper, we introduce a novel authentication protocol for anti-counterfeited drugs systems based on Internet of Things (IoT) to help checking the validity of drugs ‘‘unit dosage’’. Our protocol uses the near-field communication (NFC) as it is convenient for mobile environment. The protocol also offers reliable update phase for NFC. Furthermore, our scheme is complemented with performance evaluation along with the use of random oracle model for formal security analysis.

Samir Chabbi,Rachid Boudour,Fouzi Semchedine,Djalel Chefrour

DOI: https://doi.org/10.1080/19393555.2020.1773583

2020-06-04

Information Security Journal: A Global Perspective

Abstract:Near Field Communication (NFC) technology has been used recently for electronic payment between an Automated Teller Machine (ATM) and a Smartphone. It is threatened by several attacks that can steal the user personal data like the password or the Personal Identification Number (PIN). In this paper, we present Dynamic Array PIN (DAP), a novel approach for user authentication on a Smartphone that uses NFC electronic payment with an ATM. Our analysis and experimentation prove that this technique protects against thirteen different attacks and is cost-effective in terms of required hardware, authentication time, computing power and storage space.

Muhammad Bilal,Shin-Gak Kang

DOI: https://doi.org/10.3390/s17050979

2017-05-02

Abstract:Authentication is one of the essential security services in Wireless Sensor Networks (WSNs) for ensuring secure data sessions. Sensor node authentication ensures the confidentiality and validity of data collected by the sensor node, whereas user authentication guarantees that only legitimate users can access the sensor data. In a mobile WSN, sensor and user nodes move across the network and exchange data with multiple nodes, thus experiencing the authentication process multiple times. The integration of WSNs with Internet of Things (IoT) brings forth a new kind of WSN architecture along with stricter security requirements; for instance, a sensor node or a user node may need to establish multiple concurrent secure data sessions. With concurrent data sessions, the frequency of the re-authentication process increases in proportion to the number of concurrent connections, which makes the security issue even more challenging. The currently available authentication protocols were designed for the autonomous WSN and do not account for the above requirements. In this paper, we present a novel, lightweight and efficient key exchange and authentication protocol suite called the Secure Mobile Sensor Network (SMSN) Authentication Protocol. In the SMSN a mobile node goes through an initial authentication procedure and receives a re-authentication ticket from the base station. Later a mobile node can use this re-authentication ticket when establishing multiple data exchange sessions and/or when moving across the network. This scheme reduces the communication and computational complexity of the authentication process. We proved the strength of our protocol with rigorous security analysis and simulated the SMSN and previously proposed schemes in an automated protocol verifier tool. Finally, we compared the computational complexity and communication cost against well-known authentication protocols.

Cryptography and Security,Networking and Internet Architecture

Tao Feng,Nicholas DeSalvo,Lei Xu,Xi Zhao,Xi Wang,Weidong Shi

DOI: https://doi.org/10.4108/icst.mobicase.2014.257767

2014-01-01

Abstract:With the rise of Internet connected mobile devices, applications have migrated from PCs to mobile computing platforms. An important aspect, payment processing, faces new security challenges from these developments. Inasmuch, these advancements demand efforts from researchers and industry to meet increasing security needs. Threats can ensue from data loss, theft from lost, stolen, or decommissioned devices, information-stealing malware, and password peeping. We propose a secure framework for sensitive session driven applications which combines biometric-based continuous and implicit tracking of user identities, and TrustZone. This framework is accomplished through monitoring fingerprint authentication logs as well as detecting events when the phone has left the user's hands, all while in TrustZone, a platform for secure computation and storage on mobile devices. This solution leverages multiple onboard sensors as well as the ARM architecture to accomplish these feats. We conducted two user-studies acquiring smartphone users' usage statistics to investigate security and usability needs of our identity-tracking solution. To monitor these subtle gestures in real-world uncontrolled environments, multi-session data collection has been conducted to iteratively improve system performance. The evaluation results have demonstrated the feasibility of this framework as a secure session-based payment system.

Daojing He,Maode Ma,Yan Zhang,Chun Chen,Jiajun Bu

DOI: https://doi.org/10.1016/j.comcom.2010.02.031

IF: 5.047

2011-01-01

Computer Communications

Abstract:Seamless roaming over wireless network is highly desirable to mobile users, and security such as authentication of mobile users is challenging. Recently, due to tamper-resistance and convenience in managing a password file, some smart card based secure authentication schemes have been proposed. This paper shows some security weaknesses in those schemes. As the main contribution of this paper, a secure and light-weight authentication scheme with user anonymity is presented. It is simple to implement for mobile user since it only performs a symmetric encryption/decryption operation. Having this feature, it is more suitable for the low-power and resource-limited mobile devices. In addition, it requires four message exchanges between mobile user, foreign agent and home agent. Thus, this protocol enjoys both computation and communication efficiency as compared to the well-known authentication schemes. As a special case, we consider the authentication protocol when a user is located in his/her home network. Also, the session key will be used only once between the mobile user and the visited network. Besides, security analysis demonstrates that our scheme enjoys important security attributes such as preventing the various kinds of attacks, single registration, user anonymity, no password/verifier table, and high efficiency in password authentication, etc. Moreover, one of the new features in our proposal is: it is secure in the case that the information stored in the smart card is disclosed but the user password of the smart card owner is unknown to the attacker. To the best of our knowledge, until now no user authentication scheme for wireless communications has been proposed to prevent from smart card breach. Finally, performance analysis shows that compared with known smart card based authentication protocols, our proposed scheme is more simple, secure and efficient.

V. Suresh Kumar,Osamah Ibrahim Khalaf,Radha Raman Chandan,Qusay Bsoul,Shashi Kant Gupta,Firas Zawaideh,Deema Mohammed Alsekait,Diaa Salama AbdElminaam

DOI: https://doi.org/10.1038/s41598-024-76306-z

IF: 4.6

2024-10-29

Scientific Reports

Abstract:Robust verification protocols are crucial for maintaining the security and reliability of sensitive information due to the increasing complexity of cyber-attacks. This paper introduces a novel 5G Secure Handover Protocol aimed at addressing security and effectiveness issues encountered in existing systems. The proposed protocol is robust against various attacks, including de-synchronization, replay, man-in-the-middle (MITM), denial of services (DoS), and jamming, ensures perfect forward key secrecy, safeguarding communication confidentiality. The proposed protocol utilizes a combination of spiking neural network and fuzzy logic (SNN-FL) techniques that must choose the goal cell as carefully as possible before initiating the transfer process. By combining fuzzy logic and spiking neural networks to reduce handover latency and thwart several types of cyberattacks, the proposed 5G Secure Handover Protocol improves security. Extensive simulations show its efficacy and emphasize its potential for safe communication in large-scale cybersecurity applications. The paper presents a novel secure authentication protocol that significantly reduces handover delays and improves efficiency. Simulations show its resilience against common security threats, protecting sensitive information and maintaining secure communication channels. The protocol, with low communication expenses, complex spatial, and latency for changeover verification, is ideal for large-scale cybersecurity applications, contributing to the development of secure digital authentication mechanisms.

multidisciplinary sciences

Samaneh Layeghian Javan,Abbas Ghaemi Bafghi

DOI: https://doi.org/10.1007/s10660-014-9151-6

2014-09-19

Electronic Commerce Research

Abstract:Regarding the development of mobile technology, it seems essential to have a payment protocol which provides the required security features along with an acceptable efficiency in mobile environment. This article introduces an anonymous payment protocol based on secure wireless payment protocol (SWPP). Contrary to SWPP, this protocol manages to provide anonymity and privacy of the customer. This protocol uses a blindly signed pseudo digital certificate and anonymous bank account in order to protect the customer’s identity. The proposed protocol was simulated, and then its security and efficiency features were compared to those of other protocols. The comparison proves that this protocol covers all security features required by a secure payment system. Moreover, it is more efficient than other protocols.

management,business