The literature review in this chapter has focused on three areas of academic research related to payment security: the EMV chip and PIN protocol, the EMV contactless protocol and CNP payment protocols. The research covered in the literature review influenced the research presented in this PhD thesis as follows:

Security Analysis of EMV Chip and PIN

Our methodology, which is discussed in the next chapter, is influenced by the research into exploitable vulnerabilities in the EMV protocol. My guide (Aad van Moorsel) encouraged the use of controlled practical experiments in my research. This allowed me to demonstrate that the vulnerabilities highlighted in the protocol were exploitable in the real world, and thereby to increase the impact of the research. This approach has proven very successful in our papers, which are discussed in Chapter 6, Chapter 7 and Chapter 8.

Papers in this category looked at the system-wide impacts of the individual vulnerabilities in EMV chip and PIN payment systems. This gives context to our research, has helped us to understand more fully the impact of the vulnerabilities identified by my research, and has assisted me in conveying this message to a non-academic audience: the general public, law enforcement and payment industry stakeholders.

Learning from the papers in this section, early in my research I developed part of the EMV chip and PIN specification, which helped me understand the EMV chip and PIN transaction process and, in turn, how the payment protocols are designed and implemented.

Security Analysis of EMV Contactless

Research into the exploitable vulnerabilities in EMV contactless technology has both influenced and confirmed the technology choices made in our experimental work. Work by Hancke (2011), Roland and Scharinger (2013) and Roland et al. (2012) demonstrated the use of NFC-enabled smartphones as a practical attack platform against EMV contactless payments. Learning from their research, I developed an application on an NFC-enabled Android phone which emulated an EMV contactless POS terminal. The NFC application was helpful in extracting the payment card details from the card's contactless interface. There are cases where features of the contactless transaction protocol or technology do not affect the security of contactless payments themselves but have the potential to affect the entire CNP payment system. This is further explained in Chapter 6.

Research presented by Emms et al. (2014) and Emms et al. (2015) helped me to understand how payment authorisation messages are handled by the card issuing banks in the back end.

Work by Kfir and Wool (2005) and Diakos et al. (2015) on extending the range of NFC comprehensively explores extended-range reading and eavesdropping on contactless payments, which supported my assertion regarding contactless cards that it is not difficult for criminals to steal a user's payment card details from a distance via the contactless interface.

I started my research by applying the lessons learned from EMV contactless technology to the security assessment of university-based RFID access control systems. This project work [64] exploited a vulnerability which would allow attackers to create cloned copies of the university-issued smart cards.

Security Analysis of CNP Payment Protocols

As discussed earlier, and as pointed out by Murdoch et al. (2014) [4], the deployed CNP payment systems have to a large extent escaped academic scrutiny. The research papers detailed in this section give only a broad overview of the challenges faced by payment protocol designers. The research articles available on CNP payment systems do not provide extensive technical detail on every aspect of the CNP protocols that are currently in use. Before I started my research work, many questions still needed to be answered, for example:

• What standards need to be followed when accepting a card payment online?

• If merchants are free to choose the type of payment protocol (authorisation-only or authentication-enabled), what is the minimum information required by the card issuing banks to process an online payment transaction?

• Do the distributed protocol choices have any effect on the security of the CNP payment system? How secure can such a payment system be?

• If the authorisation-only protocol depends on static card details, what data do merchants and card issuers use for their fraud protection algorithms?

• Are user machines (mobiles and PCs) trusted enough to host card-issuer-bound keys and digital certificates?

• As with EMV chip and PIN and EMV contactless, is the online payment transaction cryptographically bound? How is transaction authentication performed in CNP payments?

3.6 Conclusion

There are several leading academic research teams actively analysing the security of payment systems and transaction protocols and researching potentially exploitable vulnerabilities in the payment protocols. EMV Chip and PIN and EMV Contactless have received particular attention because of the availability of clearly defined protocol specifications. However, the research gaps associated with CNP payment systems were clearly identified and, given the increasing fraud rates, it can be concluded that more research is needed in the area of CNP payment systems. In this literature review we have established a link between the existing academic research and the areas of weakness in CNP payment systems, which were the focus of this research. Some of the weaknesses identified in the payment system which drove my research were:

• The wireless interface and the data available over the EMV contactless interface introduce new categories of attack (i.e. skimming, eavesdropping and relay) against online payment systems.

• The data on the EMV chip and PIN interface can easily be read by false readers, making it possible for attackers to use the stolen card details over the online payment system.

• 3DS 1.0, which required the cardholder to enter a static password on a pop-up screen, was more of a burden to the payment industry than a solution. This gave online merchants the freedom to choose which protocol to implement on their checkout systems.

• Cryptographically bound one-time passcodes for online payments generated using EMV readers were vulnerable to chip and PIN attacks in which an attacker can generate one-time passcodes from stolen payment cards.

The literature review supports the assertion made in this PhD thesis that the security of the online payment system is fundamentally weakened by the philosophy of providing convenience to the customer at the checkout. In addition, the requirement for backward compatibility makes it essential for the card data to be available in plain text across other interfaces, which reduces the overall security to that of the least secure technology supported by the system.
