Merx: Secure and Privacy Preserving Delegated Payments

In this paper we present Merx, a secure payment system that enables a user to delegate a transaction to a third party while protecting the user's privacy from a variety of threats. We assume that the user does not trust the delegated person nor the merchant and wishes to minimize the information transmitted to the user's bank. Our system protects the user from fraud perpetrated by the delegated party or by the merchant. The scheme has a number of other applications such as delegating the withdrawal of cash from Automated Teller Machines ATM and allowing companies to restrict an employee's expenses during business trips. Merx is designed to be used with mobile phones and mobile computing devices, especially in situations where end-users do not have access to the Internet. We evaluate the performance of the proposed mechanism and show that it requires negligible overhead and can be gradually deployed as it is able to piggyback on existing payment-network infrastructures.

[1]  R. K. Shyamasundar,et al.  An efficient, secure and delegable micro-payment system , 2004, IEEE International Conference on e-Technology, e-Commerce and e-Service, 2004. EEE '04. 2004.

[2]  Lawrence C. Paulson Verifying the SET Protocol: Overview , 2002, FASec.

[3]  A. Pfitzmann,et al.  A terminology for talking about privacy by data minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management , 2010 .

[4]  Mark Pickens,et al.  Mobile phone banking and low-income customers : evidence from South Africa , 2006 .

[5]  Ross Anderson,et al.  Fast Software Encryption , 1994 .

[6]  Dieter Gollmann,et al.  Computer Security — ESORICS 94 , 1994, Lecture Notes in Computer Science.

[7]  Mihir Bellare,et al.  iKP - A Family of Secure Electronic Payment Protocols , 1995, USENIX Workshop on Electronic Commerce.

[8]  E. Gabber,et al.  Agora: a minimal distributed protocol for electronic commerce , 1996 .

[9]  Angelos D. Keromytis,et al.  Offline Micropayments without Trusted Hardware , 2002, Financial Cryptography.

[10]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[11]  Martín Abadi,et al.  The Millicent Protocol for Inexpensive Electronic Commerce , 1995, World Wide Web J..

[12]  Charalampos Manifavas,et al.  NetCard - A Practical Electronic-Cash System , 1996, Security Protocols Workshop.

[13]  Adi Shamir,et al.  PayWord and MicroMint: Two Simple Micropayment Schemes , 1996, Security Protocols Workshop.

[14]  Gunela Astbrink,et al.  Password sharing: implications for security design based on social practice , 2007, CHI.

[15]  Ross J. Anderson Liability and Computer Security: Nine Principles , 1994, ESORICS.

[16]  R. K. Shyamasundar,et al.  e-coupons: An Efficient, Secure and Delegable Micro-Payment System , 2005, Inf. Syst. Frontiers.

[17]  R. K. Shyamasundar,et al.  Towards a Flexible Access Control Mechanism for E-Transactions , 2004, EGCDMAS.

[18]  Steven M. Bellovin,et al.  Encrypted key exchange: password-based protocols secure against dictionary attacks , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[19]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[20]  David P. Jablon Strong password-only authenticated key exchange , 1996, CCRV.

[21]  Amir Herzberg,et al.  MiniPay: Charging per Plick on the Web , 1997, Comput. Networks.

[22]  Marvin A. Sirbu,et al.  NetBill: an Internet commerce system optimized for network-delivered services , 1995, IEEE Wirel. Commun..