
Conclusions and Future Works

6.1 Conclusions

Smart phones are taking the payment industry to a whole new arena. The processing power and memory of smart phones are improving with time. A couple of years ago, mPayment meant payment by Short Message Service, which often involved the operators and banks, and the services were proprietary. Now it is possible to perform EMV or other payment card based transactions through merchants using a mobile terminal. A traditional PoS differs from a mobile PoS in a number of ways. Mobile PoSs are portable and customizable. In most cases it is possible to apply an update immediately, such as upgrading the application or the firmware of the mobile.

Magnetic stripe is a fairly old technology. The motivation behind this research work was the huge popularity of magnetic stripe all over the world, especially in the developing countries where chip based technology is yet to be implemented. Cellular technologies are available in most countries. At the same time, the vulnerabilities and security breaches that cause payment fraud needed to be dealt with. This research thus focused on how we can blend the old and modern technologies to provide a secure payment solution using swipe based payment technology.

In our research, we have used the security mechanism that the EMV industry uses for chip based payment solutions. The EMV standard is well known for its strong security features. It uses digital certificates and digital signatures through PKI to provide confidentiality, integrity, authentication and non-repudiation. In our research we did not consider WPKI, for several reasons. First of all, complete end-to-end security is not possible in either scenario, but strong authentication is possible through PKI. WPKI requires several changes. The architecture of WPKI is based on low resource wireless devices. As a result, fewer credentials are used to generate a certificate, which might simplify the work of an attacker. There is no CRL; instead WPKI uses short lived certificates, which require accurate time awareness by the client, otherwise an attacker can exploit an expired (timed out) certificate. Elliptic curve cryptography is becoming popular in WPKI for key generation. ECC has six times fewer bits than RSA (164 against 1024), which will take less time for an attacker through cryptanalysis. Hence our research prefers PKI usage for strong security.

We have conducted a demo of the proposed idea and successfully performed a secured payment with a magnetic swipe card. While magnetic stripe based cards can be replicated by a perpetrator, the extra authentication proposed and shown in the demo can prevent unauthorized transactions.


6.2 Future Works

Chip and PIN (EMV) cards brought payment card fraud to a minimum level. With their strong security features, EMV cards will definitely push magnetic stripe cards out of the payment scenario in the future. Despite this, it will take time to fully migrate to a chip enabled payment world. During this time, strategies are to be adopted to stop magnetic card based payment fraud.

One huge disadvantage of the magnetic stripe card is the insecure transaction when purchasing online (e-commerce). The customer provides static data, for example the card number, card holder name and address, which can easily be skimmed by a fraudster. A verification method can solve this problem. In our design, we used smart phones as Terminals. Customers can also use a smart phone for card holder verification. The smart phone will contain an application authorized by the Issuer or a trusted third party. The application will produce a one-time password by combining card data and the PIN code. The online merchant will verify the password with the Issuer. This way the card holder will be verified.
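The verification flow proposed above, sketched as an added example that is not part of the thesis or its demo. The thesis does not specify the one-time password algorithm; this sketch assumes an HOTP-style counter scheme (RFC 4226 truncation over HMAC-SHA256) and a device secret provisioned by the Issuer, and the names derive_key, otp and Issuer are hypothetical.

```python
import hashlib
import hmac
import struct

def derive_key(pan: str, expiry: str, pin: str, device_secret: bytes) -> bytes:
    """Bind static card data and the PIN to an Issuer-provisioned secret (assumption)."""
    material = f"{pan}|{expiry}|{pin}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, device_secret, 100_000)

def otp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP-style dynamic truncation (RFC 4226) over HMAC-SHA256."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Issuer:
    """Stores the derived key (never the PIN) and the last accepted counter."""
    def __init__(self, window: int = 3):
        self.cards = {}
        self.window = window  # how far the phone's counter may run ahead

    def enroll(self, pan: str, key: bytes) -> None:
        self.cards[pan] = {"key": key, "counter": 0}

    def verify(self, pan: str, candidate: str) -> bool:
        card = self.cards.get(pan)
        if card is None:
            return False
        start = card["counter"] + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(otp(card["key"], c), candidate):
                card["counter"] = c  # advance so this password cannot be reused
                return True
        return False

def demo():
    secret = b"constructed-device-secret"       # constructed sample value
    pan, expiry = "4111111111111111", "2512"    # constructed test card data
    key = derive_key(pan, expiry, "4921", secret)
    issuer = Issuer()
    issuer.enroll(pan, key)
    code = otp(key, 1)                          # phone app, first purchase
    first = issuer.verify(pan, code)            # merchant forwards it to the Issuer
    replay = issuer.verify(pan, code)           # same password presented again
    guessed = derive_key(pan, expiry, "0000", secret)  # card data known, wrong PIN
    wrong_pin = issuer.verify(pan, otp(guessed, 2))
    return first, replay, wrong_pin
```

The counter is what makes the password one-time: card data and PIN alone are static, so without it the derived value could be captured and replayed like the card number itself.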

A big problem of the static magnetic stripe is that it has no processing capability. A new type of magnetic stripe based card is on the market which has a powered magnetic stripe; a thin layer of Lithium ion batteries is embedded into the card body. These cards are also compatible with traditional readers. They can generate a one time password, a feature which can be utilized to generate a dynamic. Thus the problem with static data can be resolved with this feature.
