TY - GEN
T1 - Enhancing EMV Tokenisation with Dynamic Transaction Tokens
AU - Jayasinghe, Danushka
AU - Markantonakis, Konstantinos
AU - Akram, Raja
AU - Mayes, Keith
PY - 2017/7/20
Y1 - 2017/7/20
N2 - Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.
AB - Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.
U2 - 10.1007/978-3-319-62024-4_8
DO - 10.1007/978-3-319-62024-4_8
M3 - Conference contribution
SN - 978-3-319-62023-7
T3 - Lecture Notes in Computer Science
SP - 107
EP - 122
BT - Radio Frequency Identification and IoT Security
A2 - Hancke, Gerhard
A2 - Markantonakis, Konstantinos
PB - Springer
ER -