Tuomas AuraT-110.4206 Information security technology

Payment systems

Aalto University, autumn 2012

2

Outline1. Money transfer2. Card payments3. Anonymous payments

MONEY TRANSFER

3

4

Common payment systems Cash Electronic credit transfer, e-lasku Direct debit Check Credit card Cash transfer Mobile payment Anonymous paymentWhich are regulated?

Electronic credit transfer Also called bank transfer, wire transfer Payment process (e.g. UK CHAPS):

– Clearing: if the payment is between two banks, the sending bank sends the information to a central processor, which keeps track of payments

– Settlement: transfer of funds between the central-bank reserve accounts of the two banks at the end of the day for the balance of all transactions that day ( risk to central bank or receiving bank if a sending bank goes bust)

Float: money between debit from the sender’s bank account and credit to the receiver’s account banks gain interest on float payments in some systems take days without any technical reason

Finality varies for sender, banks and receiver – Most electronic transfers immediately final to sender and bank, not receiver– Old direct debit in Finland is final for sender; SEPA direct debit is reversible

5

Central processor

Sending bank

Receiving bankSender Receiver

Sender makes payment

Clearing Settlementbetween banks

Funds availableto receiver

Timelinefloat

6

Check Check payment:

1. Payer writes the check

2. Clearing: payee deposits the check, bank collects payment, paying bank inspect the check for authenticity and sufficient funds

3. Settlement: transfer of funds between banks Float: in some countries, funds are available immediately

after deposit, before clearing and settlement payee effectively gets an interest-free loan

Payer writes check

Clearing Settlementbetween banks

Funds availableto payee

TimelinePayee depositscheck

/negative) float

[classhelper.org]

Credit card Credit card issuer takes a ~2-5% transaction fee from

seller– Buyer protection: card issuer takes some of the risk– Initial 30–60 days of interest-free credit for buyer– Kickbacks to some card holders

Transaction final after 90 days clearer rules on finality than in bank transfer (one of the reasons why businesses like credit cards)

7

Creditcardpurchase

Transactionfinal

Buyer maypay balanceInterest-free

TimelineFunds availableto seller

negative float

8

Cash transfers Western Union, MoneyGram: money transfer for people without

bank accounts– Sender pays cash at one branch office; receiver gets the cash at

another branch office (no bank account needed)– Used mostly by migrants to send money to 3rd-world countries– Receiver must have id card or answer test question

Example:NAME: MICHAEL SMITHADDRESS: 144 EAST STREET LAGOS TEST QUESTION: WHAT IS THE DOGS NAMEANSWER: SPOT

Hawala: informal network of agents based on Islamic law or honor system– This and other informal systems conflict with money laundering

legislation

9

Issues with float Victim receives a check or credit card details; ships goods

before payment clears

Victim receives a check; funds available before the check clears; victim makes an irreversible payment (e.g. refunds all or part of the money)

Scammerwritesfalse check

Check foundto be false orno funds deposit reversed

Funds availableto victim

TimelineVictim depositscheck

Victim returns(part of)the money

Funds availableto scammer

Scammerwritesfalse check

Check foundto be false orno funds deposit reversed

Funds availableto victim

TimelineVictim depositscheck

Victim shipsgoods

10

Issues with float Victim receives a reversible payment; victim makes an

irreversible payment

Criminal(e.g phisher)makes a money transfer to mule

Muleasked torepay

Funds availableto mule

Timeline

Mule makes forwardpayment

Funds availableto scammer

11

Mobile payment Replacing banks in countries where branch network is

sparse and carrying cash may be unsafe M-PESA in Kenya MTN Mobile Money in South Africa

– Implemented with SMS and SIM-Toolkit– PIN and some kind of symmetric crypto– Deposit and withdrawal at agent offices– Money transfer and bill payment with phone– SMS money transfer to unregistered users– Anyone can just start using the service; some limits relaxed

after strong authentication with id card Similar services in India

– Discontinued Nokia Money: app on phone, not on SIM

12

PayPal Payment between registered accounts on

central server– Used for Internet purchases especially on auction

web sites Depends on credit cards and banks accounts

for deposit and withdrawal Payer and payee can remain pseudonymous Stronger traceability of verified accounts– Links user to a bank account

CARD PAYMENT

13

Mag-stripe bank cards Magnetic stripe contains primary account number (PAN), name,

expiration date, service code, PVKI, PVV, CVV1 Signature and (sometimes) photo id required at point of sale (POS) PIN required by automated teller machines (ATM) and some POS

– PIN is a function of data on mag stripe and key in terminal offline PIN verification at disconnected POS or ATM

Possible to copy data on the mag stripe CVV1 is a cryptographic MAC of the PAN, name, expiration and service

code (based on 3DES) Offline terminal has a security module to store the card and PIN

verification keys CVV2 to make online fraud harder

– 3-4 digits printed on card but not on mag stripe– Required for web and phone (“card not present”) transactions– Not stored by merchant after online verification safe from server hacking– Vulnerable to phishing

15

Mag-stripe Visa PIN verification Input from magnetic stripe:

– Primary account number (PAN) i.e. 15-digit card number – PIN verification key indicator (PVKI, one digit 1..6) – PIN verification value (PVV, 4 decimal characters)

Verifier must have– PIN verification key (PVK, 128-bit 3DES key)– PVKI is an index for PVK to enable PVK changes

Create security parameter (TSP):1. Concatenate 11 rightmost digits of PAN, PVKI and PIN2. The 16-digit concatenation is one hexadecimal DES block

PVV generation:1. 3DES encryption of TSP with the key PVK2. Decimalization of the encryption result to 4-digit PVV

Decimalization happens by taking the 4 leftmost digits 0..9 from the hexadecimal encrypted block– If less than 4 such digits, take 4 first digits A..F and map A=0,B=1,C=3...[For details see IBM]

16

Chip-and-PIN bank cards EMV standard (Europay, Mastercard, Visa) Smartcard chip (ICC) on the bank card

– Tamperproof ICC stodes a cryptographic signature key– Card also contains a certificate

Three levels of secure transactions:1. Static data authentication (SDA):

– Certificate verification only; no longer used in Finland

2. Dynamic data authentication (DDA): – Card signs a random challenge sent by terminal

3. Combined DDA and application cryptogram (CDA):– Card signs transaction details incl. random challenge

Card holder authenticated with PIN or signature– PIN usually sent to the card, which answers yes/no

17

EMV security issues Not possible to copy the chip Mag stripe can still be copied

Possible to create a copy of the mag stripe: use in the USA or as the fallback method after chip failure

– Mag stripe data can also be read from the chip PIN used frequently easier to capture

18

ANONYMOUS PAYMENTS

19

Anonymous digital cash David Chaum 1982, later DigiCash product — never really used but an

influential idea Participants: bank, buyer Alice, merchant Bob

Anonymous:– Bank cannot link issued and deposited coins, not even with Bob’s help

Not transferable: must be deposited to bank after one use Uses blind signatures: bank signs coins without seeing their contents

cannot link events of coin issuing and use20

Bank

Alicebuyer

Bobmerchant

1. Bank issues coin

2. Alice spends coin

3. Bob deposits coin

Anonymous digital cash Idea 1: blind signature:

Bank has an RSA signature key pair key (e,d,n) for signing 1€ coins (and different keys for 10€, 100€,...)

1. Alice creates a coin from random “serial number” SN and redundant padding required for RSA signature;Alice generates a random number R, computes coin R⋅ e mod n, and sends this to the bank

2. Bank computes (coin R⋅ e)d mod n = coind R mod n ⋅ and sends this to Alice

3. Alice divides with R to get the signed coin coind mod n Bank has signed the coin without seeing it and cannot link the coin to Alice

Alice can pay 1€ to Bob by giving him the coin– Bob deposits coin to bank; bank checks signature and only accepts the

same coin once Problem: Cheaters are anonymous; if someone pays the same coin

to two merchants, who was it? 21

Anonymous digital cash Idea 2: double-spending detection– Alice must set SN = h( h(N) | h(N xor “Alice”) ) where N

random– After Alice has given the coin to Bob, Bob asks Alice to reveal

one of h(N),N xor “Alice” or N,h(N xor “Alice”) If Alice spends the coin twice, she reveals her name with

50% probability Make each 1€ coin of k separately signed sub-coins

detection probability p = 1-2-k

– Coins will be quite large: k=128 with 2048-bit RSA signatures makes 32kB/coin

Problem: What forces Alice to create SN this way? How can bank check the contents of the message signed blindly? 22

Anonymous digital cash

Idea 3: cut and choose– Alice creates k pairs of sub-coins for signing– Bank asks Alice to reveal N for one sub-coin in

each pair and signs the other one cheating detection probability p = 1-2-k

Alice can make anonymous payments but will be caught with probability p = 1-2-k if she tries to create an invalid coin or spend the same coin twice

23

Reading material Ross Anderson: Security Engineering, 2nd ed.,

chapter 10 Interesting reading online:– Scam baiting sites have stories about advance-fee

fraud (e.g. http://www.419eater.com) but not always nice

– University of Cambridge Security Group: http://www.cl.cam.ac.uk/research/security/banking/

24

Exercises What are the main threats in

a) online card transactions?b) POS transactions?c) ATM cash withdrawals?

What differences are there in the way credit cards and bank debit cards address these threats?

Could you (technically) use bank cards or credit cardsa) as door keys?b) as bus tickets?c) for strong identification of persons on the Internet?

How could a malicious merchant perform a man-in-the-middle attack against chip-and-PIN transactions?

When a fraudulent bank transaction occurs, who will suffer the losses? Find out about the regulation and contractual rules on such liability.

Bank security is largely based on anomaly detection and risk mitigation. In what ways could a bank reduce the risk of fraud in mag-stipe or chip-and-PIN payments?

Even though DigiCash coins are unlinkable, what ways are there for the merchant or bank (or them together) to find out what Alice buys?

25