Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Danushka Jayasinghe; Konstantinos Markantonakis; Raja Akram; Keith Mayes

doi:10.1007/978-3-319-62024-4_8

Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Danushka Jayasinghe, Konstantinos Markantonakis, Raja Akram, Keith Mayes

Computing Science

Royal Holloway University of London

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

1 Citation (Scopus)

Abstract

Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.

Original language	English
Title of host publication	Radio Frequency Identification and IoT Security
Subtitle of host publication	RFIDSec 2016
Editors	G Hancke, K Markantonakis
Pages	107-122
Number of pages	16
DOIs	https://doi.org/10.1007/978-3-319-62024-4_8
Publication status	Published - 20 Jul 2017

Publication series

Name	Lecture Notes in Computer Science
Volume	10155

Bibliographical note

© Springer International Publishing AG 2017

International Workshop on Radio Frequency Identification: Security and Privacy Issues
RFIDSec 2016: Radio Frequency Identification and IoT Security

Access to Document

10.1007/978-3-319-62024-4_8

Cite this

Enhancing EMV Tokenisation with Dynamic Transaction Tokens. / Jayasinghe, Danushka; Markantonakis, Konstantinos; Akram, Raja et al.
Radio Frequency Identification and IoT Security: RFIDSec 2016. ed. / G Hancke; K Markantonakis. 2017. p. 107-122 ( Lecture Notes in Computer Science; Vol. 10155).

Research output: Chapter in Book/Report/Conference proceeding › Published conference contribution

@inproceedings{dcc800a2ffdf43008f9adc3413ae0c16,

title = "Enhancing EMV Tokenisation with Dynamic Transaction Tokens",

abstract = "Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.",

author = "Danushka Jayasinghe and Konstantinos Markantonakis and Raja Akram and Keith Mayes",

note = "{\textcopyright} Springer International Publishing AG 2017 International Workshop on Radio Frequency Identification: Security and Privacy Issues RFIDSec 2016: Radio Frequency Identification and IoT Security",

year = "2017",

month = jul,

day = "20",

doi = "10.1007/978-3-319-62024-4_8",

language = "English",

series = " Lecture Notes in Computer Science",

pages = "107--122",

editor = "G Hancke and K Markantonakis",

booktitle = "Radio Frequency Identification and IoT Security",

}

TY - GEN

T1 - Enhancing EMV Tokenisation with Dynamic Transaction Tokens

AU - Jayasinghe, Danushka

AU - Markantonakis, Konstantinos

AU - Akram, Raja

AU - Mayes, Keith

N1 - © Springer International Publishing AG 2017 International Workshop on Radio Frequency Identification: Security and Privacy Issues RFIDSec 2016: Radio Frequency Identification and IoT Security

PY - 2017/7/20

Y1 - 2017/7/20

N2 - Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.

AB - Europay MasterCard Visa (EMV) Tokenisation specification details how the risk involved in Personal Account Number (PAN) compromise can be prevented by using tokenisation. In this paper, we identify two main potential problem areas that raise concerns about the security of tokenised EMV contactless mobile payments, especially when the same token also called a static token is used to pay for all transactions. We then discuss five associated attack scenarios that would let an adversary compromise payment transactions. It is paramount to address these security concerns to secure tokenised payments, which is the main focus of the paper. We propose a solution that would enhance the security of this process when a smart phone is used to make a tokenised contactless payment. In our design, instead of using a static token in every transaction, a new dynamic token and a token cryptogram is used. The solution is then analysed against security and protocol objectives. Finally the proposed protocol is subjected to mechanical formal analysis using Scyther which did not find any feasible attacks within the bounded state space.

U2 - 10.1007/978-3-319-62024-4_8

DO - 10.1007/978-3-319-62024-4_8

M3 - Published conference contribution

T3 - Lecture Notes in Computer Science

SP - 107

EP - 122

BT - Radio Frequency Identification and IoT Security

A2 - Hancke, G

A2 - Markantonakis, K

ER -

Enhancing EMV Tokenisation with Dynamic Transaction Tokens

Abstract

Publication series

Bibliographical note

Access to Document

Fingerprint

Cite this