Security of transactions performed using credit card readers for smartphones and tablets. Author: Falade Tunde. Supervisor: Dr Kris Gaj


Purpose
The reason for taking on this project is to analyze the security of transactions that involve the use of a card reader with smartphones and tablets. Why is this important?

Focus
Focus will be on the Square card reader. It fits into the 3.5mm audio jack of smartphones and tablets.

Square card reader
- First introduced in 2010 by Square Inc. under the leadership of Jack Dorsey
- First version: 2.5cm by 1.2cm
- Does not support encryption
- Short-circuit issue with iPhone
- It was a passive device.

Second version, greatly improved
- Short-circuit eliminated
- Supports encryption
- Also a passive device
- Inclusion of a TI MSP430G2412 microcontroller and an additional IC to amplify the audio output signal

The Whole Picture
- A credit card reader of a square shape that connects to the audio jack of a smartphone or tablet. This will be in the possession of the merchants that sign up to Square.
- A smartphone app, downloaded by the merchant, that decodes the audio of credit card swipes as received from the reader. These apps also dictate how the merchant interacts with the card reader and the data it receives from credit cards.
- And lastly, a backend authorization and credit card processing system.

How secure are your transactions?
Three factors that are important: Security, Trust, Privacy.
How does Square implement these 3 factors in its security protocol?

Security
- PCI-DSS compliant
- The new version has a TI MSP430G2412 microcontroller; it has a built-in Data Encryption Standard (DES) block cipher that uses shared-secret encryption based on a symmetric-key algorithm
- Symmetric cryptographic keys are required to be at least 128 bits long and, in the case of asymmetric keys, at least 2048 bits long
- The Square website and API are accessible through a 128-bit extended-validation SSL certificate issued by VeriSign
- Connections between networks are protected by restrictive firewalls
- The sensitive data from the magnetic stripes is not stored in the device

Trust
- Access to sensitive data, application data and cryptographic keys is controlled by Square, which means that encryption of the data starts at the swipe of the credit card
- Two-factor authentication and strong password controls are required for administrative access to systems and for access to secure services
- Audit logs are reviewed regularly
- Detailed incident response plans have been prepared to ensure proper protection of data in an emergency

Privacy
Sensitive information transmitted while using the Square card reader is protected according to the Square privacy policy. Transaction information, location information, device information, usage information (how the service is used), and information collected by cookies and web beacons are all protected.

Threats to the security of mobile payment using smartphones and tablets
- Network communication issues
- Malicious applications
- Forged applications
- A compromised operating system

Square and its competition: Intuit GoPayment
- PCI-DSS compliant
- Works with these OSes: iOS, Android and BlackBerry
- Automatically regenerates the keys used to encrypt card data once per year
- Provides merchants with a tool to manually generate new encryption keys if a breach of security is suspected
- It automatically erases card data from stored transactions after 60 days
- It logs every transaction and every change to the encryption keys
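As an added example (not code from the slides, Square or Intuit), a small Python model of the GoPayment-style controls listed above: automatic annual key rotation, a merchant-triggered rotation on suspected breach, a 60-day purge of stored card data, and an audit log of transactions and key changes. The KeyManager class, the in-memory store and the constructed dates in demo() are assumptions; the clock is passed in explicitly so the policy can be exercised deterministically.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

ROTATION_INTERVAL = timedelta(days=365)   # keys regenerated automatically once per year
RETENTION_PERIOD = timedelta(days=60)     # stored card data erased after 60 days

@dataclass
class KeyManager:  # hypothetical in-memory manager, not a vendor API
    now: datetime
    key: bytes = field(default_factory=lambda: secrets.token_bytes(16))  # 128-bit key
    key_created: datetime = None
    key_version: int = 1
    stored: list = field(default_factory=list)     # (timestamp, key_version, blob)
    audit_log: list = field(default_factory=list)

    def __post_init__(self):
        self.key_created = self.now
        self._log("key generated", version=self.key_version)

    def _log(self, event, **details):
        self.audit_log.append({"time": self.now, "event": event, **details})

    def rotate(self, reason):
        """Generate a fresh 128-bit key, either on schedule or on a suspected breach."""
        self.key = secrets.token_bytes(16)
        self.key_version += 1
        self.key_created = self.now
        self._log("key rotated", version=self.key_version, reason=reason)

    def record_transaction(self, blob):
        """Keep the reader-encrypted record and log the transaction."""
        self.stored.append((self.now, self.key_version, blob))
        self._log("transaction", version=self.key_version)

    def tick(self, now):
        """Advance the clock and enforce the two time-based controls."""
        self.now = now
        if now - self.key_created >= ROTATION_INTERVAL:
            self.rotate("scheduled annual rotation")
        before = len(self.stored)
        self.stored = [t for t in self.stored if now - t[0] < RETENTION_PERIOD]
        if len(self.stored) != before:
            self._log("card data purged", records=before - len(self.stored))

def demo():
    """Walk through the policy with constructed dates; returns version, stored count, events."""
    t0 = datetime(2013, 1, 1)
    km = KeyManager(now=t0)
    km.record_transaction(b"constructed reader-encrypted track data")
    km.tick(t0 + timedelta(days=60))    # the record is purged on day 60
    km.tick(t0 + timedelta(days=365))   # scheduled rotation fires on day 365
    km.rotate("suspected breach")       # merchant-triggered rotation
    return km.key_version, len(km.stored), [e["event"] for e in km.audit_log]
```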

Square and its competition (cont'd): PayPal Here
- PCI-DSS compliant
- PayPal encrypted both the card reader and the app that is downloaded onto the smartphone or tablet
- The triangular shape was intended to address two drawbacks of the Square card reader: its tendency to swing around its single point of contact and the challenge of keeping the card's edge flat against what amounts to a one-inch card slot
- The wide base of the triangle provides a longer runway for the bottom edge of the card
- Supports the same OSes as Square

Test
- A skimmer app will listen to the audio of the credit card swipes
- The .wav audio file will be demodulated into a bitstream, and the sensitive data of the credit card, like the CCN, expiration date and encrypted PIN, will be decoded
- The .wav audio files can be offloaded from the smartphone and copied to a PC
- A playback cable connecting the smartphone audio jack to the PC headphone input can be used to play the .wav files back into the smartphone in place of an actual credit card swipe

QUESTIONS? Example