Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Danushka Jayasinghe, Konstantinos Markantonakis, Raja Akram, Keith Mayes

Research output: Chapter in Book/Report/Conference proceedingConference contribution

400 Downloads (Pure)

Abstract

Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.
Original languageEnglish
Title of host publicationRadio Frequency Identification and IoT Security
Subtitle of host publicationRFIDSec 2016
EditorsGerhard Hancke, Konstantinos Markantonakis
PublisherSpringer
Pages107-122
Number of pages16
ISBN (Electronic)978-3-319-62024-4
ISBN (Print)978-3-319-62023-7
DOIs
Publication statusPublished - 20 Jul 2017

Publication series

NameLecture Notes in Computer Science
PublisherSpringer, Cham
Volume10155
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Cite this