商业银行移动支付安全研究

doi:10.3969/j.issn.1000-436x.2014.z2.018

Abstract

Abstract:

There is no doubt that mobile payment is the spotlight in Internet finance now.Although users can enjoy quick and convenient services,they have to face with more severe security problems at the same time:the attack incidents,such as cellphone Trojan and privacy leaks emerge endlessly.Lots of viruses which are designed for attacking financial payments can steal users’ personal information including account,password and verification code in the proceedings of remote payment and near field communication.Security issues have already seriously impeded the further development of the mobile payment market.To solve the above problems,discusses the security issues in mobile terminals,payments,network and interactive logic of banking business from financial institutions’ perspective was discussed systematically.In addition,current status of relevant security key technologies are summarized from academic research community and industry fields.Finally,based on related research achievements,the design of system architecture and suggestions for mobile payment security are proposed,which can guide the future development of commercial bank.

Key words: mobile payment, terminal security, near field communication, vulnerability mining, risk assessment

Xi CHEN,You-liang TIAN,Zhuo MA,Jian-feng MA. Research on security of mobile payment for commercial bank[J]. Journal on Communications, 2014, 35(Z2): 131-139.

Figures/Tables 5

References 37

[1]	MüLLER-VEERSE F . Mobile Commerce Report[R]. Technical Report,Durlacher Research Ltd, 1999.
[2]	艾瑞咨询. 2012-2013 年中国移动支付用户调研报告简版[EB/OL]. .iResearch. 2012-2013 China Mobile Payment User Behavior Report[EB/OL]. .
[3]	艾瑞咨询. 2013 年中国第三方移动支付数据报告[EB/OL]. .iResearch. 2013 China Third-party Payment Platforms Data Report[EB/OL]. .
[4]	艾瑞咨询. 2013 年中国移动安全数据报告[EB/OL]. .iResearch. 2013 China Mobile Security Report[EB/OL]. .
[5]	ENCK W , ONGTANG M , MCDANIEL P . Understanding android security[J]. Security ＆ Privacy, 2009,7(1): 50-57.
[6]	ENCK W , OCTEAU D , MCDANIEL P ,et al. A study of android application security[A]. USENIX Security Symposium[C]. 2011.
[7]	DAVI L , DMITRIENKO A , SADEGHI A R ,et al. Privilege Escalation Attacks on Android[M]. Information Security. Springer Berlin Heidelberg, 2011. 346-360.
[8]	ENCK W , ONGTANG M , MCDANIEL P . On lightweight mobile phone application certification[A]. Proceedings of the 16th ACM Conference on Computer and Communications Security[C]. 2009. 235-245.
[9]	CHIN E , FELT A,P , GREENWOOD K ,et al. Analyzing inter-application communication in android[A]. Proceedings of the 9m International Conference on Mobile System,Applications and Services[C]. 2011.
[10]	BARRERA D , KAYACIK H G , VAN OORSCHOT P C ,et al. A methodology for empirical analysis of permission-based security models and its application to android[A]. Proceedings of the 17th ACM Conference on Computer and Communications Security[C]. 2010. 73-84.
[11]	FELT A P , CHIN E , HANNA S ,et al. Android permissions demystified[A]. Proceedings of the 18th ACM Conference on Computer and Communications Security[C]. 2011. 627-638.
[12]	SHIN W , KIYOMOTO S , FUKUSHIMA K ,et al. A formal model to analyze the permission authorization and enforcement in the Android framework[A]. 2010 IEEE Second International Conference on Social Computing (SocialCom)[C]. 2010. 944-951.
[13]	张中文, 雷灵光, 王跃武 . Android Permission 机制的实现与安全分析[J]. 信息网络安全, 2012,(8): 3-6. ZHANG Z W , LEI L G , WANG Y W . Studying the implementation and security of the permission mechanism in Android[J]. Netinfo Security, 2012,(8): 3-6.
[14]	CHAN P P F , HUI L C K , YIU S M . Droidchecker:analyzing android applications for capability leak[A]. Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks[C]. 2012. 125-136.
[15]	ENCK W , GILBERT P , CHUN B ,et al. TaintDroid:an information-flow tracking system for realtime privacy monitoring on smartphones[A]. Proceedings of the 9m USENIX Symposium on Operating Systems Design and Implementation[C]. 2010.
[16]	ZHOU Y J , ZHANG X W , JIANG X X ,et al. Taming information-stealing smartphone applications on android[A]. TRUST[C]. 2011. 93-107.
[17]	LUO T B , HAO H , DU W L ,et al. Attacks on Web view in the android system[A]. Proceedings of the Annual Computer Security Application Conference[C]. 2011.
[18]	ZHOU W , ZHOU Y , JIANG X ,et al. Detecting repackaged smartphone applications in third-party android marketplaces[A]. Proceedings of the Second ACM Conference on Data and Application Security and Privacy[C]. 2012. 317-326.
[19]	VIDAS T , CHRISTIN N . Sweetening android lemon markets:measuring and combating malware in application marketplaces[A]. Proceedings of the Third ACM Conference on Data and Application Security and Privacy[C]. 2013. 197-208.
[20]	JUNG J H , KIM J Y , LEE H C ,et al. Repackaging attack on Android banking applications and its countermeasures[J]. Wireless Personal Communications, 2013. 1-17.
[21]	ZHOU W , ZHANG X , JIANG X . AppInk:watermarking Android APPS for repackaging deterrence[A]. Proceedings of the 8th ACM SIGSAC Symposium on Information,Computer and Communications Security[C]. 2013. 1-12.
[22]	SUAREZ-TANGIL G , TAPIADOR J E,PERIS-LOPEZ P ,et al. Dendroid:a text mining approach to analyzing and classifying code structures in Android malware families[J]. Expert Systems with Applications, 2014,41(4): 1104-1117.
[23]	MADLMAYR G , LANGER J , KANTNER C ,et al. NFC devices:security and privacy[A]. Availability,Reliability and Security,2008[C]. ARES 08,Third International Conference on IEEE, 2008. 642-647.
[24]	HASELSTEINER E , BREITFUB K . Security in near field communication (NFC)[A]. Workshop on RFID Security RFIDSec[C]. 2006.
[25]	MULLINER C . Vulnerability analysis and attacks on NFC-enabled mobile phones[A]. Availability,Reliability and Security ARES'09[C]. 2009. 695-700.
[26]	HANCKE G P . Practical eavesdropping and skimming attacks on high-frequency RFID tokens[J]. Journal of Computer Security, 2011,19(2): 259-288.
[27]	CANEY R , DORROS C , KENNEDY S ,et al. Mobile Pickpocketing:Exfiltration of Sensitive Data through NFC-enabled Mobile Devices[R]. Technical Report,CMU-cyLab-13-015,Carnegie Mellon University, 2013.
[28]	DIAKOS T P , BRIFFA J A , BROWN T W C ,et al. Eavesdropping near-field contactless payments:a quantitative analysis[J]. The Journal of Engineering, 2013,1(1).
[29]	ALLAH A , MOSTAFA M . Strengths and weaknesses of near field communication (NFC) technology[J]. Global Journal of Computer Science and Technology, 2011,11(3).
[30]	ROLAND M . Applying Recent Secure Element Relay Attack Scenarios to the Real World:Google Wallet Relay Attack[R]. arXiv preprint arXiv:1209.0875, 2012.
[31]	Charlie Miller. Exploring the nfc attack surface[EB/OL]. .
[32]	EUN H , LEE H , OH H . Conditional privacy preserving security protocol for NFC applications[J]. Consumer Electronics,IEEE Transactions on, 2013,59(1): 153-160.
[33]	PARK S W , LEE I Y . Anonymous authentication scheme based on NTRU for the protection of payment information in NFC mobile environment[J]. Journal of Information Processing Systems, 2013,9(3).
[34]	LEE Y S , KIM E , JUNG M S . A NFC based authentication method for defence of the man in the middle attack[A]. Proceeding of the 3 rd International Conference on Computer Science and Information Technology (ICCSIT'2013)[C]. 2013. 4-5.
[35]	GUMMESON J J , PRIYANTHA B , GANESAN D ,et al. EnGarde:Protecting the mobile phone from malicious NFC interactions[A]. Proceeding of the 11th Annual International Conference on Mobile Systems,Applications,and Services[C]. 2013. 445-458.
[36]	DYKES R . Cloud based electronic wallet:U.S.Patent Application 13/468,686[P].2012-5-10.
[37]	KAMARA S , LAUTER K . Cryptographic Cloud Storage[M]. Financial Cryptography and Data Security,Springer Berlin Heidelberg, 2010. 136-149.

Metrics

Recommended 0

No Suggested Reading articles found!

Research on security of mobile payment for commercial bank

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 37

Related Articles 14

Metrics

Recommended 0

[1]	Zhiyong LUO,Xu YANG,Jiahui LIU,Rui XU. Network intrusion intention analysis model based on Bayesian attack graph [J]. Journal on Communications, 2020, 41(9): 160-169.
[2]	Xinyu WANG,Ben NIU,Fenghua LI,Kun HE. Risk assessing and privacy-preserving scheme for privacy leakage in APP [J]. Journal on Communications, 2019, 40(5): 13-23.
[3]	Hongyu SUN,Yuan HE,Jice WANG,Ying DONG,Lipeng ZHU,He WANG,Yuqing ZHANG. Application of artificial intelligence technology in the field of security vulnerability [J]. Journal on Communications, 2018, 39(8): 1-17.
[4]	Hao LIU,Lian-ming ZHANG,Zhi-gang CHEN. Task-based access control mode of peer-to-peer network based on fuzzy theory [J]. Journal on Communications, 2017, 38(2): 44-52.
[5]	Zhi-qiang WANG,Qi-xu LIU,Yu-qing ZHANG. Research of discovering vulnerabilities of NFC applications on Android platform [J]. Journal on Communications, 2014, 35(Z2): 117-123.
[6]	. Research of discovering vulnerabilities of NFC applications on Android platform [J]. Journal on Communications, 2014, 35(Z2): 16-123.
[7]	. Research on security of mobile payment for commercial bank [J]. Journal on Communications, 2014, 35(Z2): 18-139.
[8]	. Risk assessment model based on fuzzy Petri nets [J]. Journal on Communications, 2013, 34(Z1): 16-132.
[9]	Xiang GAO,Yue-fei ZHU,Sheng-li LIU,Jin-long FEI,Long LIU. Risk assessment model based on fuzzy Petri nets [J]. Journal on Communications, 2013, 34(Z1): 126-132.
[10]	. Method for router online security risk assessment quantification [J]. Journal on Communications, 2013, 34(11): 8-70.
[11]	Jun-gang YANG,Li LIANG,Gu-jing LIU,Qian ZHANG,Chang-qing ZHANG. Method for router online security risk assessment quantification [J]. Journal on Communications, 2013, 34(11): 59-70.
[12]	Biao SONG,Jian-ming ZHU. Evolution entropy risk assessment of ERP information security based on the business process [J]. Journal on Communications, 2012, 33(Z1): 210-215.
[13]	Dong-mei ZHAO,Jian-feng MA,Yue-sheng WANG. Model of fuzzy risk assessment of the information system [J]. Journal on Communications, 2007, 28(4): 51-56.
[14]	Yong-jie WANG,Ming XIAN,Jin LIU,Guo-yu WANG. Study of network security evaluation based on attack graph model [J]. Journal on Communications, 2007, 28(3): 29-34.