
Chapter 8. Designed to be broken: Vulnerabilities and Attacks on 3DS 2.0

9.1 Summary of Contributions

Contributions from my PhD research are:

- The contribution of the literature review: a detailed literature review that ties together the existing research on the security analysis of card payment systems and protocols.

- The contribution of the methodology: a framework for current and future research into the security analysis of CNP payment systems.

- The contribution of software tools: the creation of multiple software tools for protocol security analysis.

- The contribution of identified vulnerabilities: the identification of several weak practices in CNP payment systems, of undocumented vulnerabilities, and the practical demonstration of at least three attack scenarios: the distributed guessing attack, the cardholder impersonation attack and the betrayal attack.

- The contribution of the distributed guessing attack.

- The contribution of reverse engineering the 3DS 2.0 frictionless authentication.

- The contribution of the cardholder impersonation attack on 3DS 2.0 frictionless authentication.

- The contribution of the betrayal attack.

- Practical experimental research with impact.

The Contribution of the Literature Review

In the literature review, we established a link between the existing academic research into payments security and the areas of weakness in CNP payment systems that were of potential interest to this research. From the literature on payments security, we identified the following weaknesses in the architecture of the card payment system:

- The wireless interface on payment cards introduces new categories of attack (skimming, eavesdropping and relay), and data stolen over the wireless interface can be used to make fraudulent CNP payments.

- Just as with contactless payment cards, the data on the EMV chip and PIN interface can easily be read by a rogue reader. This data includes the complete card number and the card's expiry date, which can be used to make fraudulent CNP payments.

- The 3DS 1.0 protocol, which required the cardholder to enter a static password in a pop-up window, was more of a burden to the payment industry than a solution. This left online merchants free to choose which protocol to implement on their checkout systems.

- Cryptographically bound one-time passcodes for online payments generated with EMV readers were vulnerable to chip and PIN attacks in which an attacker can generate one-time passcodes from stolen payment cards.

The literature review supports the assertion made in this thesis that the security of the online payment system is fundamentally weakened by the philosophy of providing convenience to the customer. In addition, the requirement for backward compatibility makes it essential for the card data to be available in plain text across other interfaces, which has an impact on the security of the CNP payment system.

The Contribution of the Methodology

The analysis methodology used for this research consists of four systematic steps: (i) the use of UML sequence diagrams and a comparison table, which enabled us to describe the CNP payment system concisely; (ii) the use of vulnerability identification techniques such as security failure analysis and reverse engineering, which allowed us to define the test cases and identify the vulnerabilities of the CNP payment system; (iii) demonstrating that the attacks exist in the real world and determining the feasibility, magnitude and representativeness of each attack; and (iv) examining how the disclosure exercise can be carried out ethically and effectively so that the vulnerabilities are mitigated.

The Contribution of Software Tools

To assess the CNP payment system for vulnerabilities, we designed several software tools: (i) tshirtshop, a web store that enabled us to link our understanding of CNP payment protocols with practical implementations. It provided an experimental platform that we used to assess the security of CNP payment protocols and of the fraud filters offered by payment acquirers; (ii) a website bot, which enabled us to execute our test cases against tens of online merchants. The bot was programmed to connect to the websites under study with the aim of exploring vulnerabilities in authorisation-only CNP payment systems; (iii) AutoIt scripts, which automated our experiments on tens of Windows applications; and (iv) an Android NFC skimming app, which was developed to understand the EMV contactless protocol. This enabled us to explore vulnerabilities in contactless payment protocols that can be linked to the CNP payment system.

The Contribution of Distributed Guessing Attack

The distributed guessing attack demonstrated that the current security model of the payment networks is ill-suited to online CNP payments. The networks lack the ability to correlate information from multiple sources, and so cannot detect a guessing attack that is spread across many merchants. Our survey of the online payment landscape shows that the vulnerabilities described in Chapter 7 are systemic: the variations in merchants' security settings that create the conditions for the attack are present among the 400 most popular e-commerce websites. We present an attack scenario involving payment systems such as iTunes, Google Wallet and PayPal that allows attackers to subvert the payment functionality from its intended purpose of validating the credit or debit card details entered, turning it into an oracle that helps the attacker generate all of the security data fields required to create an online payment account. Worse, these data allow attackers to transfer money to an anonymous recipient, on top of the ability to purchase items online fraudulently.

Our experimental work has shown that it is possible to implement a web bot which will generate all of the fields required to create an online account. We have proved that it is possible to circumvent all of

by the merchants) put in place to protect the cardholders. We have also demonstrated that it is possible to refine the web bot so that it generates the data using multiple websites, circumventing the limit on the number of attempts that some payment systems impose on a single merchant. As a result of our ethical disclosure process, a number of the top 10 Alexa-rated online merchants changed their online security settings. This shows that the research is relevant and impactful.
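The mechanism that makes the attack work, as an added simulation that is not code from the thesis: each merchant counts failed attempts on its own, so a bot that hops to a fresh merchant whenever one blocks it can walk the whole value space, while an issuer-side counter that correlates failures across merchants (the ability the text says the networks lack) stops it at the first merchant's limit. The field size (a 3-digit code), the attempt limits, the card identifier and the merchant names are all constructed for the illustration.

```python
"""
Constructed simulation of a distributed guessing attack against per-merchant
attempt limits. The guessed field is a 3-digit code (000-999); each merchant
keeps its own per-card failure counter; the issuer optionally keeps a counter
that spans all merchants. None of these numbers come from the thesis.
"""

FIELD_SPACE = [f"{i:03d}" for i in range(1000)]   # constructed 3-digit field


class Issuer:
    """Knows the real value and answers authorisation requests.

    max_failures=None models the behaviour the thesis observed: each request
    is judged on its own, so failures spread over many merchants are never
    correlated. A number models an issuer that counts failures per card
    across every merchant.
    """

    def __init__(self, truth_by_card, max_failures=None):
        self.truth_by_card = truth_by_card
        self.max_failures = max_failures
        self.failures = {}          # card -> failed guesses seen from ANY merchant

    def authorise(self, card, guess):
        n = self.failures.get(card, 0)
        if self.max_failures is not None and n >= self.max_failures:
            return "issuer_blocked"
        if guess == self.truth_by_card[card]:
            return "ok"
        self.failures[card] = n + 1
        return "declined"


class Merchant:
    """A checkout with its own velocity check that forwards guesses to the issuer.

    max_attempts=None models a merchant that applies no limit at all; the
    variation between strict and lax merchants is what the attack relies on.
    """

    def __init__(self, name, issuer, max_attempts):
        self.name = name
        self.issuer = issuer
        self.max_attempts = max_attempts
        self.attempts = {}          # card -> failed guesses seen at THIS merchant

    def checkout(self, card, guess):
        n = self.attempts.get(card, 0)
        if self.max_attempts is not None and n >= self.max_attempts:
            return "merchant_blocked"
        result = self.issuer.authorise(card, guess)
        if result == "declined":
            self.attempts[card] = n + 1
        return result


def distributed_guess(card, merchants, candidates=FIELD_SPACE):
    """Attacker's bot: walk the candidate space in order, hopping to the next
    merchant as soon as the current one blocks the card.

    Returns (value_found_or_None, guesses_answered_by_issuer, merchants_touched).
    """
    mi, attempts = 0, 0
    for guess in candidates:
        while True:
            if mi >= len(merchants):
                return None, attempts, mi          # every merchant exhausted
            result = merchants[mi].checkout(card, guess)
            if result == "merchant_blocked":
                mi += 1                            # retry the same guess elsewhere
                continue
            if result == "issuer_blocked":
                return None, attempts, mi + 1      # cross-merchant counter caught us
            attempts += 1
            if result == "ok":
                return guess, attempts, mi + 1
            break                                  # declined: next candidate
    return None, attempts, mi + 1


def run_scenario(n_merchants, per_merchant_limit, issuer_limit=None,
                 card="TEST-CARD-1", truth="742"):
    """Build one issuer and n_merchants independent checkouts, then run the bot."""
    issuer = Issuer({card: truth}, max_failures=issuer_limit)
    merchants = [Merchant(f"shop{i}", issuer, per_merchant_limit)
                 for i in range(n_merchants)]
    return distributed_guess(card, merchants)


if __name__ == "__main__":
    # One strict merchant (10 attempts): the bot stalls after 10 guesses.
    print("one strict merchant    :", run_scenario(1, 10))
    # One lax merchant (no limit): it alone lets the bot enumerate the field.
    print("one lax merchant       :", run_scenario(1, None))
    # 100 strict merchants, no issuer correlation: 743 guesses across 75 shops.
    print("100 strict, no network :", run_scenario(100, 10))
    # Same merchants, issuer counts failures across all of them: stops at 10.
    print("100 strict, with network:", run_scenario(100, 10, issuer_limit=10))
```

The point to take from the four runs is that the per-merchant limit is not wrong, it is simply enforced at the wrong layer: only the issuer (or the network) sees every authorisation request for a card, so only a counter kept there can tell 10 failures at one shop apart from 10 failures at each of 75 shops.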

The Contribution of Reverse Engineering the 3DS 2.0 Frictionless Authentication

By reverse engineering the frictionless flow of the 3DS 2.0 protocol, we provided the first public description of how the protocol works. This work was a substantial contribution to the thesis because it is what allowed us to identify the vulnerabilities associated with the 3DS 2.0 protocol. We also demonstrated that publicly available tools such as Fiddler can be used to carry out security research into online CNP payment systems.

The Contribution of Cardholder Impersonation Attack

The work done to explore the cardholder impersonation attack was a significant advancement in our understanding of attacks against 3DS 2.0 because it applies to the payment protocols currently recommended by the payment industry. It may be one of the most realistic and attractive attacks for criminals if and when authorisation-only transactions are no longer permitted. It could even be used today by criminals making purchases at merchants in regions such as Europe that now mandate 3DS 2.0 on merchant websites. If this attack becomes more widely used, its net effect will be that criminals can use stolen cards in online shops without any negligence on the cardholder's part, exactly as was the case with authorisation-only systems before the introduction of 3D Secure.

The Contribution of Betrayal Attack

Giving merchants freedom to choose their security settings may be useful for merchants' business, but our experimental results and observations with the betrayal attack confirm that it can be detrimental to the overall security of the online payment system. We notified payment industry stakeholders of the existence of the betrayal attack on the 3DS 2.0 system, after which we observed that the 3DS 2.0 merchant guidelines were changed in a way that closes the betrayal attack. From this we conclude that our disclosure of the betrayal attack contributed to the patching of vulnerabilities that existed within the 3DS 2.0 protocol.

Practical Experimental Research

The research work in this thesis focussed on the protocols currently used by the payment industry to accept CNP payments over the Internet. Unlike the EMV protocol, the security features of the CNP payment protocols are not documented in the available implementation guides and standards by

several features in the design of CNP payment protocols, but in practice such features, if implemented incorrectly, can result in exploitable vulnerabilities.

Even though access to CNP payment system documentation and to the test cards required for experiments was limited, we took on this challenge and designed our experiments around real implementations of CNP payment protocols, while treating the sensitive CNP payment processing systems ethically. By documenting our results on publicly accessible platforms, we communicated the state of security in CNP payment systems and educated the public about best practices to follow when making payments over CNP payment systems.