A PKI Enabled Authentication Protocol for Secure E-Payment Framework

Md Rezaul Islam (1), M. F. Mridha (2) and Md. Mahbubur Rahman (3)
(1) Department of Information and Communication Technology, Bangladesh University of Professionals
(2) Department of Computer Science and Engineering, University of Asia Pacific
(3) Department of Computer Science and Engineering, Military Institute of Science and Technology
[email protected]

Journal of Telecommunication, Electronic and Computer Engineering, ISSN: 2180 – 1843, e-ISSN: 2289-8131, Vol. X No. X

Abstract—E-commerce is now an established part of web consumers' lives, and e-payment (electronic payment) is a critical component of it; consumer authentication, credential confidentiality and transaction integrity are growing concerns there. We have studied the Secure Electronic Transaction (SET) standard, which was the dominant public key infrastructure (PKI) based design for e-payment systems. Since SET faced adoption challenges, simplifying it and integrating it with the ground-breaking development of near field communication (NFC) can satisfy the security requirements of e-payments. Mobile phone or personal digital assistant (PDA) based wallets are a further recent technology that is user friendly and easy to deploy. In this paper we propose a secure end-to-end authentication protocol that combines a wallet and NFC with the existing SET design, giving the e-payment consumer strong privacy and giving the card-issuing bank high assurance of the customer's authenticity.

Index Terms—E-payment, Credit Card, Debit Card, Security, E-commerce.

I. INTRODUCTION

Overwhelming technological innovation continues to improve our lives and is rigorously changing social, cultural and economic relationships. A multitude of services, e-commerce/e-payment, e-voting and e-governance among them, are revolutionary ideas that make customers' lives more relaxed, time saving, accessible and convenient. E-commerce is growing exponentially because of its speed, digitization, accessibility, user friendliness and time saving nature, and e-payment is an integral part of it. There are three basic types of e-payment system: business to business (B2B), consumer to consumer (C2C) and business to consumer (B2C) [1]. Alongside the wired Internet, wireless technology has advanced exponentially as well; cellular phones and other handheld devices such as PDAs that provide Internet access have also accelerated e-business transactions. But a growing number of sophisticated cybercrimes, financial frauds, cracking, customer credential disclosure and identity theft trouble the e-payment industry. People are bothered that their personal data are dispatched to third parties, which breaks privacy. Customers want to maintain the confidentiality of their credentials and the integrity of their purchase data, whereas the issuing bank needs to verify the customer's authenticity. Cryptographic protection of customer data (bank details, debit/credit card numbers) can assure customers that their privacy is preserved and encourage them to engage more in e-payments.

PKI plays an important role in addressing these e-payment security and privacy concerns. According to Farrell and Zolotarev [10], PKI is vital for e-commerce security: many applications that use PKI are not Web services, and PKI is the only available choice for binding business relationships to keys and identities when more than one domain is involved. PKI supports several cryptographic operations, such as data encryption, digital signatures and identity authentication. Before SET appeared in 1996, PKI on the web was used primarily for SSL/TLS (Secure Sockets Layer / Transport Layer Security).

The latest development, NFC, is booming because of its widespread adoption in contactless payment, including in the Internet of Things (IoT). NFC is convenient and easy to use. Its applications range from wireless payment to ticketing, device pairing for data transfer, health care, social networking, educational and location based services [12], and its RFID basis has made it very popular. NFC works by bringing two devices within roughly 5-10 cm of each other; it operates at 13.56 MHz at 106, 212 or 424 kbit/s (848 kbit/s in some ISO/IEC 14443 modes) [11]. Payment information can be transferred from an NFC enabled point of sale (POS) terminal to an NFC enabled mobile device. Although NFC faces several threats, including eavesdropping, spoofing, tag replacement and tag hiding (TRTH), data corruption and data alteration, protocols already exist for operating it securely. Among them, the NFC secure protocol has a processing stack of handshaking, certificate verification, signature verification and an alert mechanism [13]. Other studies propose security-enabled passive tags supporting authenticated encryption and decryption with symmetric cryptography, steganography and graphical passwords to secure NFC [11][14].

The mobile wallet is another ground-breaking addition to contactless payment: easy, fast, secure and private. The wallet app can capture all the details of a card with the camera, or the user can enter them manually. The iSight camera image is not saved to the photo library [15]; the card details are read from it, and the wallet determines the payment network and encrypts the data with a key that only the payment network or an issuer-authorized provider can unlock. Along with the card data, other information is included in the encrypted payload, such as the transaction history on this device, the device name, phone number and model, and the companion-device OS needed to set up the wallet. Payment authorization by fingerprint or passcode is a further addition used to activate the wallet, as promoted by Apple Pay in the iOS security guide [15]: the consumer can initiate a payment from the wallet with a fingerprint on Touch ID, or a passcode instead. A secure serial interface between the chip and Touch ID has already been established there to mitigate the risk involved. This could further open the way to transferring money between wallets activated by fingerprint or passcode.

In this paper we introduce an e-payment framework that provides end-user identity authentication as well as preserving customer privacy. In the proposed framework, the merchant or service provider generates unique order information (OI) after the consumer/buyer selects and finalizes the goods. OI comprises the merchant name and the bill voucher, and is encrypted with the public key provided by the consumer. Payment information (PI) is also generated by the merchant and consists of the merchant name, the acquirer bank name and other required information. The merchant also generates a transaction ID (TIDM), made unique with a timestamp and tied to the merchant's certificate and its expiry date. OI and TIDM are transferred from the merchant to the consumer through the NFC point of sale (POS) terminal, encrypted with the buyer's public key. At the same time the merchant sends PI to a trusted third party, here the electronic transaction center (ETC), which arbitrates among the participating parties. PKI based encryption of every message in transit makes the system secure and authentic.

The rest of this paper is organized as follows. Section II discusses the motivation for this research. Section III gives some preliminaries on e-payment systems, such as the phases of an e-payment and the constraints required, to support the later discussion. Section IV describes the existing Secure Electronic Transaction (SET) technique. Section V presents the proposed PKI enabled authentication protocol with its required functions and steps. Section VI elaborates the key security requirements and how the proposed transaction method meets them. Section VII gives a brief comparative assessment of similar proposals, followed by the conclusion.

II. MOTIVATION

Cybercrime is increasingly sophisticated. Phishing, session hijacking, biometric skimming [9] and SIM cloning are widely discussed financial frauds. Customers are no longer satisfied with single- or even two-factor authentication alone. FinTech companies are therefore moving to multifactor authentication combined with cryptographic encryption, which can provide an end-to-end approach: high confidentiality of the user's credentials, assurance that each intended party receives only the information it requires, and that everything else remains encrypted and out of reach. E-consumers are now most concerned that they remain anonymous during transactions and that their personal information is not disclosed. The mobile wallet has paved the way to keeping the consumer anonymous: the user's full credit/debit/payment card number is never exposed to another party during a transaction, except for card registration and initialization with the payment network. After successful initialization, a device account number (DAN) is assigned that stands in for the full card number. The use of a unique, dynamic token with a timestamp makes it possible to identify the purchaser distinctly later. These observations, together with existing SET and PKI, motivated us to devise a transaction technique in which information exchanged between parties is hashed, digitally signed and encrypted with the receiving party's public key, so that authentication and confidentiality are guaranteed end to end.

III. PRELIMINARIES

To establish common ground for the discussion that follows, this section briefly explains the basic definitions of e-payment systems and the phases they require: the registration/personalization phase, the information exchange and payment phases, and finally the dispute resolution phase added for better customer comfort. An e-payment system enables buying and selling products and goods in a digital market. It also enables paying for services or value provided by service providers through a digital medium instead of cheque or cash. Generally an e-payment system comprises a consumer/user, their bank accounts, the merchant or service provider and an electronic transaction center to resolve any dispute that arises. Its aim is to provide a framework for purchasing digital products or service value online while maintaining the privacy of the consumer's credentials, ensuring fair exchange of information and resolving any dispute. Fair exchange means that no participant gains an unfair advantage by altering data or hijacking the session. If a dispute is found after a transaction, the trusted third party, in this study the electronic transaction center (ETC), is responsible for resolution. Before initiating a transaction, participants must go through registration and personalization with the corresponding system, which assigns a unique identity. In addition, both merchant and consumer must hold accounts with banks for the secure exchange of information. To preserve their identities, participants using PKI select their private keys, compute the corresponding public keys and link them with the corresponding party and banks.


An e-payment transaction from commencement to completion generally involves the following six phases:

A. Registration Phase
In this first phase, every party that wants to take part in e-payment must share its information with the corresponding party, which undertakes to manage that information securely so that no third party can access or disclose it. The consumer registers a debit, prepaid or credit card in the wallet by entering its details manually or by capturing them with the camera, as described above. Figure 1 depicts the card personalization process. The wallet sends the card details securely to the issuer or another authorized service provider, which decides whether to approve the card and allow it to be added. If approved, a device-specific device account number (DAN) is created, stored and sent to the wallet. The DAN is what is used during transactions; the full card number is never stored, used or exposed afterwards. The issuer also sets up a token (TKN) generator, which issues exactly one fresh token for each transaction. All communication during registration is protected with TLS. A wallet can therefore hold as many debit, credit and prepaid cards as required.

Figure 1: The card personalization process to the wallet.

B. Buying Phase
The consumer chooses the goods or products to be purchased from the broker's website or from any authorized service point, makes a final selection and submits it to the merchant; the selection may also consist of the value of a service rendered by a provider. The merchant prepares order information (OI) comprising the consumer's bill for the selected goods, the total cost and other required details. The merchant also prepares payment information (PI) comprising merchant details, acquirer bank details and so on. A transaction-specific code TIDM is generated as well. The merchant sends TIDM together with PI to the authorized ETC for further processing. TIDM is unique and is never reused for another transaction.

C. Paying Phase
After receiving the order information and cost details, the consumer first checks the merchant's trust factor with the authorized center ETC. After a positive acknowledgement, the consumer sends the order details OI to the card-issuing bank to initiate payment. The bank first verifies the consumer's authenticity and checks the account for available funds. If authentication fails or sufficient funds are not available, the transaction is aborted. Otherwise the bank generates a transaction-specific token TKN according to the type and amount of the transaction, which serves as a temporary acknowledgement of payment, and sends it to the consumer. TKN is generated dynamically and never reused, so any dispute over duplicate payment can be resolved with it.

D. Exchanging Phase
Upon receiving the dynamic token, the consumer sends TKN together with the transaction ID received from the merchant (TIDM) to the trusted third party, the ETC. The ETC first compares this TIDM with the one it received from the merchant earlier. If they do not match, the ETC aborts the transaction and notifies the merchant and the consumer. If they match, the ETC treats this as the consumer's acknowledgement of the transaction and sends a temporary confirmation to the merchant.

E. Transferring Phase
On receiving a positive acknowledgement from the ETC, the merchant delivers the intended goods or service value to the consumer. If the goods or services are of acceptable quality and the consumer is satisfied, the consumer issues an acceptance receipt to the ETC, acknowledging the purchase, and the ETC delivers the TKN with the corresponding TIDM to the acquiring bank, whose identity it decrypted from the PI provided by the merchant earlier. The acquiring bank forwards TIDM and TKN to the issuing bank for payment authorization. The issuing bank first checks the received TKN against the TKN it stored, and checks that the TIDM received from the acquirer matches the one received from the consumer. If both checks succeed, it debits the consumer's account and transfers the funds to the acquiring bank.

F. Dispute Resolution Phase
This phase matters for future reference: if any dispute arises over the transaction, the unique TIDM and TKN are held by both the issuing and the acquiring bank. Because these values are unique to one transaction, they also prevent double spending.


IV. SECURE ELECTRONIC TRANSACTION

The technology that has governed electronic transaction systems is Secure Electronic Transaction (SET). SET is an open encryption and security specification designed to protect credit card transactions on the web. Netscape, IBM, Microsoft, RSA, VeriSign and Terisa cooperated in its development, and it was backed by the major card companies Visa and MasterCard. SET was designed for a wired infrastructure [4, 5], but it can also be applied in a wireless environment, and its transaction and security mechanisms are of interest to us. SET builds on the existing credit-card oriented e-transaction system: it provides greater security for the transfer of payers' information and confirms to banks that participating consumers are authentic. To do so, SET uses hashing, digital signatures and public key encryption. Six parties are involved in SET operation: the cardholder/customer/user, the issuing bank, the merchant, the acquiring bank, an authentication center on the bank server side and the payment gateway [18]. It was developed to assure authentication of consumer credentials, integrity of the exchanged information and privacy of all parties involved, and it requires e-consumers to authenticate themselves. The basic operating steps of SET are:

1. The consumer browses the merchant's website or goes to a specialized point of sale centre and selects goods or a service rendered by a provider.
2. The merchant or provider prepares a voucher or order information (OI) and payment information (PI).
3. When the system asks for a payment method, the consumer selects a credit or debit card to pay through SET.
4. A special wallet on the consumer's PC activates and asks the consumer to select the card, pre-registered with the system, to use in the transaction.
5. The consumer chooses the card and the corresponding SET transaction process gets underway.
6. The merchant, after receiving the details of the consumer's bank and the payment information, requests authorization for payment through its acquirer bank.
7. The acquirer bank obtains the details of the consumer's bank from the merchant and requests payment authorization from it.
8. After the consumer's bank completes the transaction, the merchant is notified.
9. At the same time, an SMS notification is sent to the consumer through their bank that the transaction has been processed.

SET uses SSL-based encryption between hops, and it is a good example of a design in which the e-consumer's privacy is disclosed to another party in the middle [6], since end-to-end privacy is not preserved.

Figure 2: Information exchanged between the mobile NFC terminal and the merchant's NFC tags.

At present, SET does not fully meet the security requirements of privacy, authentication and non-repudiation. As noted in [18], the user remains unaware whether the merchant is authentic, and because of this core uncertainty users are reluctant to hand their private information to an unverified merchant. According to [19], SET's authentication suffers from major limitations of its encryption algorithm, which that work argues is easily broken, and from denial of transactions. According to [3], SET does not assure end-to-end security, so if information is tampered with anywhere in the middle of the transaction by a hacker or the merchant, the consumer may end up paying more than the actual amount without acknowledgement. According to [20], the confidentiality of consumer credentials is not ensured in SET; even in 3-D SET, user information remains with the bank, which can lead to misuse or third-party access.

V. TKN BASED PKI ENABLED PROTOCOL

The proposed dynamic token based protocol is designed to address the customer concerns above: end-to-end security, credential confidentiality and customer satisfaction. Five parties are involved: the cardholder/user, the merchant, the card-issuing bank, the merchant's (acquiring) bank and an electronic transaction center (ETC). Each party has its own digital certificate and public/private key pair. Every message passed between parties is hashed, digitally signed by the sender and encrypted with the recipient's public key. When purchasing, the customer first activates the wallet with a fingerprint on Touch ID or a PIN and then chooses which card to use. The corresponding DAN is activated and the wallet contacts the issuing server or payment network for the transaction-specific code TKN. This code is created dynamically and is specific to each transaction. Along with TKN, one or more further codes and other data may be included when sharing with the ETC, depending on the transaction requirements. Depending on the type of transaction, further inputs may be integrated into the code calculation, such as a random number from the wallet, or a random number from the NFC terminal for an NFC based transaction.


A. Electronic Transaction Center (ETC)

The ETC is an arbitrator/mediator application that moderates and controls the transaction between the parties involved. The ETC normally uses transport layer security (TLS) for personalization of the participants; it maintains identities, defines and approves digital certificate requests, and authenticates each transaction. The ETC holds a timestamp (TS) and stores transaction logs, which mitigate disputes. It also holds the merchant's trust factor, which the consumer examines before entering into a deal. This arbitrating body speeds up and eases the exchange of information between parties.

B. TKN Format

TKN is an important element of the e-payment transaction; it is generated by the consumer's bank against the particular DAN assigned to the consumer's device. TKN contains the cost of the products Ct, the digital certificate of the consumer/user Dcertu, the digital certificate of the merchant Dcertm, a token ID (TKID) and a timestamp TS:

Ct | Dcertu | Dcertm | TKID | TS

Figure 4: The token structure.

In the TKN structure, the first slot contains the cost of the products to be paid by the consumer's bank, which is decrypted from the OI supplied by the merchant through the consumer. The digital certificates of the consumer and the merchant are then incorporated to tie the particular consumer to the merchant. Next comes the unique token ID TKID, generated by the consumer's bank and never generated again. TKID is a 256-bit code encrypted with an AES symmetric key using the Rijndael algorithm [21]. When the consumer's bank proceeds to pay, it decrypts TKID and regenerates the symmetric key to check whether any tampering has occurred. (Note that encryption on its own does not reveal tampering; the bank can detect a modified token only if it is protected by an authenticated encryption mode such as AES-GCM or by the issuer's signature, as the signed messages in the rest of the protocol provide.) If tampering is found, the bank immediately halts the transaction and informs the ETC through the corresponding consumer, and the process is repeated. Otherwise the bank is obliged to pay the amount given in Ct. TKN also incorporates a timestamp TS, which preserves the date and time of the transaction, so if any dispute arises the arbitrator has proof of the whole transaction process. TKN thus plays a vital role in maintaining end-to-end authenticity and integrity.

C. Explanation of the Proposed PKI Enabled Security Model

Step 1: The consumer visits the merchant's site, chooses products to buy and finalizes the list. The merchant prepares the final list as order information (OI), payment information (PI) for paying the bill to the acquirer bank, and a transaction-specific identifier TIDM. When the consumer activates the mobile wallet and initiates payment, the pre-assigned DAN is presented to the merchant's NFC tag. As shown in Figure 2, DAN is hashed, digitally signed with the consumer's Dcertu and finally encrypted with the merchant's public key PKm.

Step 2: The merchant supplies its TIDM and OI to the consumer's wallet through the NFC enabled tag; all are hashed, digitally signed with Dcertm and encrypted with PKu.

Step 3: The merchant supplies its TIDM and PI to the electronic transaction center (ETC); all are hashed, digitally signed with Dcertm and encrypted with PKetc.

Step 4: The consumer then checks the merchant's trust factor with the ETC and, if the result is positive, moves on to obtain a transaction-specific TKN code from the issuer server. The trust factor is a unique indicator to consider: it is built on the merchant's transaction history, longevity in the market, rating feedback from consumers, trust from card issuers and other indicators.

Step 5: The consumer receives a positive ACK or a specific rating of the merchant's trust factor.

Step 6: The wallet on the consumer's mobile applies to the card issuer server for a unique transaction TKN against the specific DAN. The wallet sends OI and the merchant-issued TIDM along with DAN; all are hashed, digitally signed with Dcertu and encrypted with PKiss.

Step 7: The card issuer bank issues a fresh TKN against the specific DAN and sends it to the consumer's wallet hashed, digitally signed (Dcertiss) and encrypted with the user's public key PKu. At this stage the issuer bank may issue further codes based on the type, nature and amount of the transaction.

Step 8: The consumer/user sends DAN, TKN and TIDM, hashed, signed and encrypted, to the ETC. No order details are delivered to the ETC; the remaining steps proceed on DAN, TKN and TIDM alone.

Step 9: The ETC issues a temporary acknowledgement, confirming the consumer's commitment, to the merchant.

Step 10: The merchant delivers the intended products, goods or service to the consumer/user.

Step 11: After checking the products, if the consumer is satisfied with the quality of the merchant's service, the consumer asks the ETC to release TKN and TIDM.

Step 12: The ETC releases TKN and TIDM to the merchant's (acquirer) bank; all are hashed, digitally signed with Dcertetc and encrypted with PKacc.

Step 13: The merchant's bank sends TIDM and TKN against DAN to the card issuer bank for payment; all are hashed, digitally signed with Dcertacc and encrypted with PKiss.


Step 14: The issuer bank checks that it issued the TKN against the particular DAN and verifies the TIDM associated with that TKN. It then acknowledges, issues the due payment to the acquirer bank and sends an SMS to the consumer/user.

Step 15: Upon receiving the acknowledgement from the issuer bank, the acquirer bank notifies the merchant and issues a confirmation SMS.

Step 16: The issuer bank issues a confirmation SMS to the consumer/user.

Figure 3: Transaction process in the devised PKI enabled security model.
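Every arrow in Steps 1 to 16 carries a message that is hashed, digitally signed with the sender's Dcert and encrypted with the recipient's PK. The Go program below is an added example for this page, not the authors' implementation: it builds that envelope once so it can be reused for any hop, with ECDSA P-256 standing in for the certificate key pair, an ephemeral ECDH P-256 exchange plus AES-256-GCM standing in for public-key encryption (the key derivation, SHA-256 of the shared secret, is a simplification labelled in the code), and a constructed DAN as the Step 1 payload. Opening the envelope fails if a byte was altered, if it was addressed to another party's key, or if the signature does not verify under the claimed sender's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// must: key generation and signing fail only if the system RNG fails, which
// Go's crypto packages treat as unrecoverable, so these panic rather than return.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Party holds one participant's long-term keys: an ECDSA P-256 pair standing in
// for its certificate (Dcert) and an ECDH P-256 pair others encrypt to (PK).
type Party struct {
	Sign *ecdsa.PrivateKey
	Enc  *ecdh.PrivateKey
}

func NewParty() *Party {
	return &Party{Sign: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)),
		Enc: must(ecdh.P256().GenerateKey(rand.Reader))}
}

// gcmFor derives AES-256-GCM from an ECDH shared secret. Assumed for the
// example: key = SHA-256(secret); a deployment would use HKDF with a label.
func gcmFor(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(priv.ECDH(pub)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal is "hashed, digitally signed with the sender's Dcert and encrypted with
// the recipient's PK": sign SHA-256(msg), then encrypt len||msg||sig under an
// ephemeral ECDH key. Wire format: ephemeral pubkey (65) || nonce (12) || ct.
func (p *Party) Seal(to *ecdh.PublicKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	sig := must(ecdsa.SignASN1(rand.Reader, p.Sign, digest[:]))
	body := append(append(binary.BigEndian.AppendUint32(nil, uint32(len(msg))), msg...), sig...)
	eph := must(ecdh.P256().GenerateKey(rand.Reader))
	aead := gcmFor(eph, to)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	out := append(eph.PublicKey().Bytes(), nonce...)
	return aead.Seal(out, nonce, body, nil)
}

// Open is the receiving side: decrypt with the recipient's private key (GCM
// rejects any altered byte), then verify the signature against the public key
// of the party the message claims to come from.
func (p *Party) Open(from *ecdsa.PublicKey, blob []byte) ([]byte, error) {
	const hdr = 65 + 12 // ephemeral public key || GCM nonce
	if len(blob) < hdr {
		return nil, errors.New("envelope too short")
	}
	ephPub, err := ecdh.P256().NewPublicKey(blob[:65])
	if err != nil {
		return nil, err
	}
	body, err := gcmFor(p.Enc, ephPub).Open(nil, blob[65:hdr], blob[hdr:], nil)
	if err != nil {
		return nil, errors.New("integrity check failed: altered or not addressed to this key")
	}
	if len(body) < 4 || len(body) < 4+int(binary.BigEndian.Uint32(body)) {
		return nil, errors.New("malformed body")
	}
	n := 4 + int(binary.BigEndian.Uint32(body))
	msg, sig := body[4:n], body[n:]
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(from, digest[:], sig) {
		return nil, errors.New("signature does not verify: sender is not who it claims")
	}
	return msg, nil
}

func main() {
	user, merchant := NewParty(), NewParty()
	env := user.Seal(merchant.Enc.PublicKey(), []byte(`{"DAN":"DAN-0001"}`)) // step 1; constructed DAN
	dan, err := merchant.Open(&user.Sign.PublicKey, env)
	env[len(env)-1] ^= 1 // one bit flipped in transit
	_, tampered := merchant.Open(&user.Sign.PublicKey, env)
	fmt.Println(string(dan), err, "| tampered:", tampered)
}
```

Two design points follow from the paper's own requirements. The signature is computed over the plaintext and then encrypted together with it, so an intermediary sees neither the DAN nor who signed it; and the GCM tag is checked before the signature, so tampering is rejected without spending a signature verification. A deployment would also bind each envelope to its transaction, for instance by including TIDM in the signed bytes or as GCM associated data, so that a valid envelope from one transaction cannot be replayed into another.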

VI. E-PAYMENT SECURITY CHALLENGES AND PROPOSED PKI ENABLED MODEL ANALYSIS

Because the participants' private banking and other information passes over a public network during an e-payment transaction, which is insecure and vulnerable, a rigorous end-to-end cryptographic mechanism is required to preserve non-repudiation, confidentiality, integrity, mutual authentication and privacy, and to prevent double spending. A brief description of each requirement and of the technique used to meet it follows:


A. Authentication
During a transaction, the merchant or service value provider, the consumer and the banks authenticate each other so that false transactions cannot occur. This concern is addressed by authentication properties such as hash functions, digital signatures, certificate expiry dates, transaction history and even the GPS location of users. The ETC lets a transaction proceed only after the parties are authenticated.

User → Merchant: [DcertU{H(DAN)}]

B. Confidentiality
Consumers require that their private information is exchanged in such a way that a third party cannot access it, and further that each participant learns only the information it needs. This is ensured by hashing and signing credentials and encrypting them end to end with the recipient's public key.

User → Merchant: [DcertU{H(DAN, TKN)}] PKm

C. Integrity
Information must be protected so that no one can alter or modify it unnoticed. To protect the integrity of exchanged information, the recipient recomputes the hash and compares it with the one received; because the hash is signed, an attacker cannot simply recompute it after altering the data.

H(DAN, TKN)

D. Non-repudiation
After a transaction, the participants cannot deny their role. To ensure non-repudiation, the dynamic token used in the transaction, which is specific to the particular payment, is stored at the ETC and on the bank server so that it is never reused.

E. Double Spending Prevention
The merchant must not be able to replay the payment voucher a second time. The server must therefore refuse any reuse of the same TKN, and thus of the corresponding payment voucher. This is assured by the dynamic token technique: the issuer bank server issues a TKN against a particular DAN and stores it, and the ETC protects against reissuing the same token.

F. End to End Security
In the devised protocol all credentials are exchanged end to end hashed, digitally signed and public-key encrypted. There is no point at which an intermediary can decrypt the TKN and compromise the embedded data. If a TKN is tampered with, the consumer's bank detects it by comparing it with the TKN stored in its database; on any discrepancy it can immediately halt the transaction and generate a new TKN.

G. Merchant Trustworthiness
The protocol gives the consumer the extra value of being able to check the trustworthiness of the merchant before buying. The consumer queries the ETC for the trust factor and proceeds if it is high, halting otherwise. The trust factor reflects the value and quality of service provided by the merchant to consumers and is evaluated by the ETC from consumer input.

VII. RELATED STUDY ASSESSMENT

In studying the current SET protocol we discussed its limitations in meeting the full security needs, including the lack of a specific time indication; the timestamp (TS) proposed in this protocol preserves the non-repudiation of the parties involved. We evaluated some similar protocols in which the same ETC or a trusted third party (TTP) is proposed [17][22]. In [17] Al-Rafei et al. focus on the payment phase with an enhanced SET. In [22] Borgohain et al. suggest a TTP and a trust factor, with an overall diagrammatic elaboration in which the steps are defined. Al-Qayedi et al. [2] propose an SMS mechanism but use neither a real-time response nor a biometric mechanism in their protocol. Tiwari, Sanyal et al. [3] propose multifactor authentication using a transaction identification code (TIC), where the consumer's bank requires a separate authorization management server that issues a batch of static TICs to consumers for a fixed period; TICs must additionally be renewed after a certain time.

In the proposed PKI enabled protocol the security challenges are clearly addressed and the elements exchanged between parties are elaborated, which adds value to SET. The device-specific number (DAN) keeps the card information from being disclosed, the wallet allows the trusted addition and secure maintenance of more than one card, NFC enables secure transfer of credentials, and TS precisely identifies a specific transaction. These are all significant improvements over SET: they ensure the consumer's privacy, resolve disputes, maintain end-to-end security and establish the merchant's trustworthiness.

VIII. CONCLUSION

In this paper we emphasized an end-to-end security approach based on PKI, merchant authenticity via a trust factor, and the simplification of and integration with existing SET technology. An account number is created for each particular mobile or PDA device (DAN); each transaction is protected by a distinct dynamic TKN together with further deterministic criteria about the type and time of the transaction (TS) and the level of confidence, which lets both consumer and merchant build strong confidence in each other through the ETC. Because the merchant is measured by the ETC, it will always try to provide the best possible service. This solution can be implemented within the existing TLS, certificate authority (CA) and PKI based encryption/decryption mechanisms, with unmodified wireless network infrastructure and underlying protocols. Generating a transaction-specific dynamic TKN code on bank and FinTech servers is also straightforward and avoids repeated transactions between banks and financial institutions.


REFERENCES

[1] S. A. Chaudhry et al., “A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography,” Springer Science+Business Media New York, 2015.
[2] W. Adi, A. Mabrouk, A. Al-Qayedi and A. Zahro, “Combined Web/Mobile Authentication for Secure Web Access Control,” IEEE Wireless Communications and Networking Conference, IEEE Communications Society, pp. 677-681, 2004.
[3] A. Tiwari, S. Sanyal, A. Abraham, S. J. Knapskog and S. Sanyal, “A Multifactor Security Protocol for Wireless Payment: Secure Web Authentication using Mobile Devices,” 2010.
[4] S. Halevi and H. Krawczyk, “Public-key cryptography and password protocols,” Proceedings of the 5th ACM Conference on Computer and Communications Security, San Francisco; Vol. 2, Issue 3, pp. 230-268, 1999.
[5] S. Singh, “An Empirical Investigation of the Determinants of Users Acceptance of E-Banking in Singapore (A Technology Acceptance Model),” International Journal of Management Business Research, 2(1), pp. 69-84, Winter 2012.
[6] S. Chen and J. Ning, “Constraints on e-commerce in less developed countries: The case of China,” Electronic Commerce Research, 2(1-2), pp. 31-42, 2002. doi:10.1023/A:1013331817147.
[7] M. Soriano and D. Ponce, “A Security and Usability Proposal for Mobile Electronic Commerce,” IEEE Communications Magazine, Vol. 40, pp. 62-67, 2002.
[8] MasterCard Inc., “SET Secure Electronic Transaction Specification,” Book 1: Business Description, 1997.
[9] Web links on biometric skimming attacks: http://www.securityweek.com/ cybercriminals-developing-biometric-skimmers atmattacks?utm_content=buffer41cc1&utm_medium=social&utm_source =linkedin.com&utm_campaign=buffe
[10] S. Farrell and M. Zolotarev, “XML and PKI: what's the story?,” Network Security, vol. 2001, pp. 7-10, September 2001.
[11] M. F. Mridha et al., “A Security-Aware Near Field Communication Architecture,” 2017.
[12] M. Riyazuddin, “NFC: A review of the technology, applications and security,” ABI Research, 2011.
[13] N. A. Chattha, “NFC: Vulnerabilities and defense,” IEEE Conference on Information Assurance and Cyber Security (CIACS), pp. 35-38, June 2014.
[14] V. Coskun, B. Ozdenizci and K. Ok, “The Survey on Near Field Communication,” Sensors, Vol. 15, No. 6, pp. 13348-13405, 2015.
[15] Apple, iOS Security white paper: https://support.apple.com/en-us/HT203027
[16] Web link, difference between Apple Pay and Google Wallet: http:// www.investopedia.com/articles/personal-finance/010215/apple-pay-vsgoogle-wallet-how-they-work.asp
[17] H. Al-Rafei et al., “Enhanced model of Payment phases for SET Protocol,” IJVIPNS-IJENS 145801-7676, February 2014.
[18] X. Y. Ren, L. L. Wei, J. F. Zhang and X. Ma, “The Improvement of SET Protocol based on Security Mobile Payment,” Journal of Convergence Information Technology, Vol. 6, No. 7, pp. 22-28, 2011.
[19] Z. Shen and H. Wang, “An Improved SET protocol payment System,” CCTAE 2010 International Conference, Vol. 1, pp. 400-403, 12-13 June 2010.
[20] J. J. Hwang, T. C. Yeh and J. B. Li, “Securing on-line credit card payments without disclosing privacy information,” Computer Standards and Interfaces, Vol. 25, No. 2, pp. 119-129, 2003.
[21] J. Daemen and V. Rijmen, “The Design of Rijndael: AES - The Advanced Encryption Standard,” Springer, 2002. ISBN 3-540-42580-2.
[22] R. Borgohain et al., “TSET: Token based Secure Electronic Transaction,” International Journal of Computer Applications, Vol. 45, No. 5, May 2012.
