nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol

verfasst von : Mohammed Aamir Ali, Aad van Moorsel

Erschienen in: Financial Cryptography and Data Security

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

3 Domain Secure 2.0 (3DS 2.0) is the most prominent user authentication protocol for credit card based online payment. 3DS 2.0 relies on risk assessment to decide whether to challenge the payment initiator for second factor authentication information (e.g., through a passcode). The 3DS 2.0 standard itself does not specify how to implement transaction risk assessment. The research questions addressed in this paper therefore are: how is transaction risk assessment implemented for current credit cards and are there practical exploits against the 3DS 2.0 risk assessment approach? We conduct a detailed reverse engineering study of 3DS 2.0 for payment using a browser, the first study of this kind. Through experiments with different cards, from different countries and for varying amounts, we deduct the data and decision making process that card issuers use in transaction risk assessment. We will see that card issuers differ considerable in terms of their risk appetite. We also demonstrate a practical impersonation attack against 3DS 2.0 that avoids being challenged for second factor authentication information, requiring no more data than obtained with the reverse engineering approach presented in this paper.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel ZLiTE: Lightweight Clients for Shielded Zcash Transactions Using Trusted Execution

Nächstes Kapitel Short Paper: Making Contactless EMV Robust Against Rogue Readers Colluding with Relay Attackers

Nur mit Berechtigung zugänglich

Ahmad, Z., Francis, L., Ahmed, T., Lobodzinski, C., Audsin, D., Jiang, P.: Enhancing the security of mobile applications by using TEE and (U)SIM. In: 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, pp. 575–582, December 2013. https://doi.org/10.1109/UIC-ATC.2013.76

Alexa: Alexa - Top Sites by Category: Business/E-Commerce (2018). https://goo.gl/V52tcs

Ali, M.A., Arief, B., Emms, M., van Moorsel, A.: Does the online card payment landscape unwittingly facilitate fraud? IEEE Secur. Priv. 15(2), 78–86 (2017)CrossRef

AOWASP: Cross-site scripting (XSS) OWASP (2018). https://goo.gl/x54ner

Barth, A., Caballero, J., Song, D.: Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 360–371. IEEE (2009)

van den Breekel, J., Ortiz-Yepes, D.A., Poll, E., de Ruiter, J.: EMV in a nutshell. Technical report, Radboud Universiteit Nijmegen (2016)

CardinalCommerce: Use of consumer authentication in ecommerce, annual survey 2017: The fraud practice (2017). https://goo.gl/z2mByt

Emms, M., Arief, B., Freitas, L., Hannon, J., van Moorsel, A.: Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 716–726. ACM, New York (2014). https://doi.org/10.1145/2660267.2660312. http://doi.acm.org/10.1145/2660267.2660312

Emms, M., Arief, B., Little, N., van Moorsel, A.: Risks of offline verify PIN on contactless cards. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 313–321. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39884-1_26CrossRef

10.

EMVCo: 3D Secure 2.0 (2017). https://goo.gl/d1ksLf

11.

E.solutions: Live HTTP Header (2018). https://www.esolutions.se/

12.

Etaher, N., Weir, G.R., Alazab, M.: From ZeuS to ZitMo: trends in banking malware. In: 2015 IEEE Trustcom/BigDataSE/ISPA, vol. 1, pp. 1386–1391. IEEE (2015)

13.

EU Council: Directive (EU) 2015/2366 (2015). https://goo.gl/psyvps

14.

GoogleAndroid: Android pay (2014). https://www.android.com/pay/

15.

Nayyar, H.: Clash of the Titans: ZeuS v SpyEye. SANS Institute InfoSec Reading Room (2010). https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393

16.

Herley, C., van Oorschot, P.C., Patrick, A.S.: Passwords: if we’re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 230–237. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03549-4_14CrossRef

17.

HTTP Watch: HttpWatch 11: HTTP Sniffer for Chrome, IE, iPhone and iPad (2018). https://www.httpwatch.com/

18.

Intelligent Systems Lab: JS NICE: Statistical renaming, Type inference and Deobfuscation (2018). http://jsnice.org/

19.

Kim, D., Kwon, B.J., Dumitraş, T.: Certified malware: measuring breaches of trust in the windows code-signing PKI. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1435–1448. ACM, New York (2017). https://doi.org/10.1145/3133956.3133958. http://doi.acm.org/10.1145/3133956.3133958

20.

King, R.: Verified by Visa: bad for security, worse for business - Richard’s Kingdom (2009). https://goo.gl/NgUUvn

21.

MalShare: Malware Repository for Researchers (2018). https://malshare.com/

22.

Mastercard: Merchant SecureCode implementation guide (2014). https://goo.gl/DyQ7Jb

23.

Murdoch, S.J., Anderson, R.: Verified by visa and mastercard securecode: or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336–342. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14577-3_27CrossRef

24.

Murdoch, S.J., Anderson, R.: Security protocols and evidence: where many payment systems fail. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 21–32. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_2CrossRef

25.

Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: 2010 IEEE Symposium on Security and Privacy, pp. 433–446. IEEE (2010). https://doi.org/10.1109/SP.2010.33

26.

PayPal: PayPal Pro - 3D secure developer guide (2018). https://goo.gl/7mPWWt

27.

PCIDSS: Payment card industry (PCI) data security standard requirements and security assessment procedures (2016). https://goo.gl/PNSEq3

28.

PCISCC: Payment card industry (PCI) hardware security module (HSM) security requirements (2009). https://goo.gl/JQKH3T

29.

RedTeam Pentesting: Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System. Technical report, RedTeam Pentesting (2009). https://www.redteam-pentesting.de/publications/2009-11-23-MitM-chipTAN-comfort_RedTeam-Pentesting_EN.pdf

30.

RedTeam Pentesting: New banking security system iTAN not as secure as claimed. Technical report, RedTeam Pentesting (2009). https://www.redteam-pentesting.de/en/advisories/rt-sa-2005-014/-new-banking-security-system-itan-not-as-secure-as-claimed

31.

Sood, A.K., Zeadally, S., Enbody, R.J.: An empirical study of HTTP-based financial botnets. IEEE Trans. Dependable Secure Comput. 13(2), 236–251 (2016)CrossRef

32.

Telerik: Fiddler web debugging tool (2018). https://goo.gl/BURSaH

33.

Ter Louw, M., Venkatakrishnan, V.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 331–346. IEEE (2009)

34.

Thomas, K., et al.: Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1421–1434. ACM, New York (2017). https://doi.org/10.1145/3133956.3134067. https://doi.acm.org/10.1145/3133956.3134067

35.

Visa Inc: 3D Secure (2017). https://goo.gl/TZSTEc

36.

Visa Inc: Visa Developer Centre (2018). https://goo.gl/8dDqWv

37.

WickyBay: FRAUDFOX VM, WickyBay Store (2017). https://goo.gl/aAZY1K

38.

Zeltser, L.: (2018). https://zeltser.com/malware-sample-sources/

Titel: Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol
verfasst von: Mohammed Aamir Ali
Aad van Moorsel
Verlag: Springer International Publishing
Buch: Financial Cryptography and Data Security
Print ISBN: 978-3-030-32100-0

Electronic ISBN: 978-3-030-32101-7

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-32101-7_13

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner