Matching in Proximity Authentication and Mobile Payment EcoSystem: What Are We Missing?

During the past decade, cybersecurity threats have drawn wide attention and have become a national priority in many leading countries. With the spread of sophisticated mobile technology, insecurity in mobile (contactless) payment, which can cause large financial losses, has become a serious threat to daily life. During the 2013 holiday season, China's most popular mobile payment provider, Alipay, lost over 20 GB of customer data in a security breach that affected at least 15 million customers. The company has promised to evaluate the security of its system and to take the measures needed to protect customer data, but can we now trust the payment system? In this paper, we investigate several security vulnerabilities in the Alipay wallet that can expose users' personal data and cause financial losses. They stem not only from weak regulatory oversight but also from the absence of secure proximity authentication during mobile payment, that is, a check that the paying device is actually present at the point of sale before a transaction is approved. After going through these surprising vulnerabilities, we propose ways to counter them and show how to strengthen mobile payment security by performing proximity authentication before any monetary transaction.
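As an added illustration of what proximity authentication before a transaction can look like, the following Python simulates Hancke and Kuhn's RFID distance-bounding protocol between a payment terminal (verifier) and a wallet (prover). This is example code written for this page, not the paper's own scheme: the round count, the round-trip bound, the per-hop latencies and the use of HMAC-SHA256 as the PRF are all assumed values chosen for the simulation. It shows the slow phase (nonce exchange and register derivation), the rapid single-bit rounds, and why a relay attack that forwards each bit to a distant genuine wallet fails the timing check even though every response bit is correct.

```python
import hashlib
import hmac
import random
import secrets

N_ROUNDS = 32       # rapid single-bit challenge/response rounds (assumed)
RTT_BOUND_NS = 40   # max accepted round trip; about 6 m of light travel (assumed)


def derive_registers(key, nonce_v, nonce_p, n=N_ROUNDS):
    """Slow phase: both sides expand the shared key and both nonces into two
    n-bit registers R0, R1. HMAC-SHA256 stands in for the protocol's PRF."""
    assert 2 * n <= 256, "one HMAC-SHA256 output supplies at most 256 bits"
    digest = hmac.new(key, nonce_v + nonce_p, hashlib.sha256).digest()
    bits = [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(2 * n)]
    return bits[:n], bits[n:]


def mafia_fraud_bound(n=N_ROUNDS):
    """Against Hancke-Kuhn an attacker without the key can pre-query the prover
    with a guessed challenge and answer correctly with probability 3/4 per
    round, so surviving all n rounds has probability (3/4)^n."""
    return 0.75 ** n


class Prover:
    """Honest wallet: derives R0/R1 once, then answers each bit with no crypto."""

    def __init__(self, key, nonce=None):
        self.key = key
        self.nonce = nonce or secrets.token_bytes(16)
        self.r0 = self.r1 = None

    def slow_phase(self, nonce_v):
        self.r0, self.r1 = derive_registers(self.key, nonce_v, self.nonce)
        return self.nonce

    def fast_response(self, i, c):
        return (self.r1 if c else self.r0)[i]


class KeylessAttacker:
    """Impersonator without the key: has to guess every response bit."""

    def __init__(self, seed=None):
        self.nonce = secrets.token_bytes(16)
        self.rng = random.Random(seed)

    def slow_phase(self, nonce_v):
        return self.nonce

    def fast_response(self, i, c):
        return self.rng.getrandbits(1)


class Channel:
    """Radio link to whatever answers the terminal. one_way_ns covers
    propagation plus the responder's fixed processing time (assumed figure)."""

    def __init__(self, responder, one_way_ns):
        self.responder = responder
        self.one_way_ns = one_way_ns

    def slow_phase(self, nonce_v):
        return self.responder.slow_phase(nonce_v)

    def fast_round(self, i, c):
        return self.responder.fast_response(i, c), 2 * self.one_way_ns


class RelayChannel(Channel):
    """Mafia-fraud relay: a proxy at the terminal forwards each challenge over a
    long link to a reader next to the victim's real wallet and relays the answer
    back. The extra hop is paid in both directions on every round."""

    def __init__(self, responder, one_way_ns, relay_hop_ns):
        super().__init__(responder, one_way_ns)
        self.relay_hop_ns = relay_hop_ns

    def fast_round(self, i, c):
        resp, rtt = super().fast_round(i, c)
        return resp, rtt + 2 * self.relay_hop_ns


def verify(channel, key, seed=None, nonce_v=None):
    """Terminal side. Returns (accepted, reason). `seed` only makes the
    challenge bits reproducible; a real terminal draws them from a CSPRNG."""
    rng = random.Random(seed)
    nonce_v = nonce_v or secrets.token_bytes(16)
    nonce_p = channel.slow_phase(nonce_v)
    r0, r1 = derive_registers(key, nonce_v, nonce_p)
    for i in range(N_ROUNDS):
        c = rng.getrandbits(1)
        resp, rtt_ns = channel.fast_round(i, c)
        if rtt_ns > RTT_BOUND_NS:
            return False, f"round {i}: rtt {rtt_ns} ns exceeds bound"
        if resp != (r1 if c else r0)[i]:
            return False, f"round {i}: wrong response bit"
    return True, "prover holds the key and is within the distance bound"


def demo(seed=None):
    """Three scenarios: honest nearby wallet, the same wallet reached through
    a relay, and an impersonator without the key."""
    key = secrets.token_bytes(32)
    wallet = Prover(key)
    attacker_seed = None if seed is None else seed + 1
    return {
        "honest_nearby": verify(Channel(wallet, 10), key, seed),
        "relayed": verify(RelayChannel(wallet, 10, 500), key, seed),
        "no_key": verify(Channel(KeylessAttacker(attacker_seed), 10), key, seed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
    print(f"keyless attacker survives {N_ROUNDS} rounds with p <= {mafia_fraud_bound():.2e}")
```

The relayed wallet answers every bit correctly, so a protocol that only checks responses (the situation the paper describes, where nothing proves the device is at the terminal) would approve the payment; only the per-round timing check rejects it. The bound is a design trade-off: a relay whose added latency fits under RTT_BOUND_NS is not detected, so the bound must be set from the legitimate read range, not from network convenience.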
