Abstract

Introduction

Market analysts have predicted that mobile payments will overtake the traditional marketplace, thus providing greater convenience to consumers and new sources of revenue to many companies [1]. This scenario produces a shiftin purchasemethods from classic credit cards to new approaches such as mobile-based payments, giving new market entrants novel business chances. Widely supported by recent hardware, mobile payment technology is still at its early stages of evolution but it is expected to rise in the near future as demonstrated by the growing interest in crypto-currencies. The first pioneering micro-payment scheme, was proposed by Rivest and Shamir (see Payword [2]) back in 1996. Nowadays, crypto-currencies and decentralized payment systems (e.g. Bitcoin [3]) are increasingly popular, fostering a shift from physical to digital currencies. However, such payment techniques are not yet commonplace, due to several unresolved issues, including a lack of widely-accepted standards, limited interoperability among systems and, most importantly, security.

Problem and Objective

Over the last years, several retail organizations have been victims of information security breaches and payment data theft targeting consumer payment card data and Personally Identifiable Information (PII) [4], [5]. Although PoS breaches are declining [4], they still remain an extremely lucrative endeavor for criminals [6]. Customer data can be used by cybercriminals for fraudulent operations, and this led the payment card industry security standards council to establish data security standards for all those organizations that handle credit, debit, and ATM cardholder information. Regardless of the structure of the electronic payment system, PoS systems always handle critical information and, oftentimes, they also require remote management [7]. Usually, as depicted in Figure 1, PoS systems act as gateways and require some sort of network connection in order to contact external credit card processors. This is mandatory to validate transactions. However, larger businesses that wish to tie their PoSes with other back-end systems may connect the former to their own internal networks. In addition, to reduce cost and simplify administration and maintenance, PoS devices may be remotely managed over these internal networks. However, a network connection might not be available due to either a temporary network service disruption or due to a permanent lack of network coverage. Last, but not least, such on-line solutions are not very efficient since remote communication can introduce delays in the payment process. Most PoS attacks can be attributed to organized criminal groups [4]. Brute forcing remote access connections and using stolen credentials remain the primary vectors for PoS intrusions. However, recent developments show the resurgence of RAMscraping malware [5], [6]. Such attacks, once such malware is installed on a PoS terminal, can monitor the system and look for transaction data in plain-text, i.e. before it is encrypted.

Contribution

This paper introduces and discusses FRoDO, a secure off-line micro-paymentapproachusingmultiplephysicalunclonablefunctions. FRoDO features an identity element to authenticate the customer, and a coin element where coins are not locally stored, but are computed on-the-fly when needed. The communication protocol used for the payment transaction does not directly read customer coins. Instead, the vendor only communicates with the identity element in order to identify the user. This simplification alleviates the communication burden with the coin element that affectedourpreviousapproach(seeSection2).Themainbenefitis a simpler,faster,and more secure interaction between  the involved actors/entities. Among other properties, this two-steps protocol allows the bank or the coin element issuer to design digital coins to be readonly by a certain identity element,i.e.by a specific user. Furthermore, the identity element used to improve the security of the users can also be used to thwart malicious users. To the best of our knowledge, this is the first solution that can provide secure fully off-line payments while being re silient to all currently known PoS breaches.

Related Work

 The main issue with a fully off-line approach is the difficulty of checking the trust worthiness of a transaction without a trusted third party. In fact, keeping track of past transactions with no available connection to external parties or shared databases can be quite difficult, as it is difficult for a vendor to check if some digital coins have already been spent. This is the main reason why during last few years, many different approaches have been proposed to provide a reliable offline payment scheme. Although many works have been published, they all focused on transaction anonymity and coin unforgeability. However, previous solutions lack a thorough security analysis. While they focus on theoretical attacks, discussion on real world attacks such as skimmers, scrapers and data vulnerabilities is missing. As regards physical unclonable functions [19], a key component of our solution, other applications on banking scenarios have already been proposed in the past [20]. However such strong functions are generally used for authentication purposes only. As such,they only guarantee that data has been computed on the right device but they can not  provide any proof about the trust worthiness of the data itself. It is worth mentioning here our previous work called FORCE [8] that, similarly to FRoDO, was built using a PUF-based architecture.FORCE provided a weak prevention strategy based on data obfuscation and did not address the most relevant attacks aimed at threatening customer sensitive data (see Table 1), thus being vulnerable to many advanced attack techniques (see Table 4). The solution proposed in this work overcomes the limitations introduced above and brings further improvements:

• Architecture: differently from [8], that used a single hardware component, in the FRoDO approach a coin element is used to read digital coins in a trusted way, while an identity element is leveraged to tie a specific coin element to a specific user/device. This new design provides a twofactor authentication to the customer. In fact, by linking a coin element to an identity element, it will not be possible for a malicious user to steal and use coins that belong to other users. A specific coin element can be read only by a specific identity element (i.e. by a specific device). Furthermore, whereas in [8] physical unclonable functions were used only toauthenticateaccessestothescratchcard,FRoDOcanmake use of multiple physical unclonable functions to authenticate both an identity element and a coin element. One of the most relevant differences between[8]and FRoDO is the technology used to compute digital coins. FORCE [8] used a read-once memory to randomly store digital coins and a physical unclonable function to recover their layout. This approach has been proven resilient against casual fraudsters. However, FORCE is vulnerable to advanced attacks based on the exfiltration of sensitive data when they are in transit or at rest (see Section 6.3). To mitigate such threats FRoDO does not use persistent memories at all but an erasable physical unclonable function.(details in Section 5.1);

• Protocol: while in [8] the vendor had to directly interact with the coin card, in FRoDO the vendor only interacts with the identity element. Such an element identifies a user (i.e. his device) and has the burden to communicate with the coin element.This new approach provides a number of advantages with respect to FORCE. On the one hand, customers’ privacy protection is enhanced as the vendor device is not aware of the amount and size of the digital coins written into the coin element. The vendor just sends a payment request message containing the required amount of money. It is the identity element that will locally and internally interact with the coin element to check for fund availability. On the other hand, this new design provides seamless and faster transactions. In fact,justonemessageissentfromthevendortothecustomer and another one is sent back from the customer to the vendor containingalltherequireddigitalcoins,ifavailable.Allother messages exchanged during the payment protocol will be managed internally inside the customer device. Furthermore, differently from our preliminary work [8], in FRoDO digital coins are directly computed in hardware by challenging the erasable PUF rather than being built in software. This avoids the usage of memories in the coin reconstruction process, thus mitigating any chance of attacks based on data vulnerabilities;

• Security Properties: differently from [8], the double-step communication protocol between the identity and the coin element allows, on the one hand, a bank/coin element issuer to design digital coins that can be read only by a certain identity element, i.e. by a specific user/device. This means that even though the coin element is lost or stolen by an attacker, such an element will not work without the associated identity element —hence providing a two-factor authentication for each transaction. On the other hand, the identity element can be used to thwart fraudsters. If an identity element is considered malicious and it is blacklisted, no matter which is the coin element used in the transaction, all payment requests will be rejected. Whilst in [8] the physical unclonable function was used only to authenticate core elements of the architecture, in this improved version multiple physical unclonable functions are also used to allow all the elements to interact in a secure way.

Proposed Model

The solution proposed in this work, FRoDO, is based on strong physical unclonable functions [27], [28] but does not require any pre-computed challenge-response pair [29]. Physical unclonable functions (for short, PUFs) were introduced by Ravikanth [29] in 2001. He showed that, due to manufacturing process variations, every transistor in an integrated circuit has slightly different physical properties that lead to measurable differences in terms of electronic properties. Since these process variations are not controllable during manufacturing, the physical properties of a device cannot be copied or cloned. As such, they are unique to that device and can be used for authentication purposes. FRoDO is the first solution that neither requires trusted third parties, nor bank accounts, nor trusted devices to provide resiliency against frauds based on data breaches in a fully off-line electronic payment systems. Furthermore, by allowing FRoDO customers to be free from having a bank account, makes it also particularly interesting as regards to privacy. In fact, digital coins used in FRoDO are just a digital version of real cash and, as such, they are not linked to anybody else than the holder of both the identity and the coin element. Differently from other payment solutions based on tamper-proof hardware, FRoDO assumes that only the chips built upon PUFs can take advantage from the tamper evidence feature. As a consequence, our assumptions are much less restrictive than other approaches. As depicted in Fig. 4, FRoDO can be applied to any scenario composed of a payer/customer device and a payee/ vendor device. All involved devices can be tweaked by an attacker and are considered untrusted except from a storage device, that we assume is kept physically secure by the vendor. Furthermore, it is important to highlight that FRoDO has been designed to be a secure and reliable encapsulation scheme of digital coins. This makes FRoDO also applicable to multiple-bank scenarios. Indeed, as for credit and debit cards where trusted third parties (for short, TTPs) such as card issuers guarantee the validity of the cards, some common standard convention can be used in FRoDO to make banks able to produce and sell their own coin element. Any bank will then be capable of verifying digital coins issued by other banks by requiring banks and vendors to agree on the same standard formats. FRoDOdoesnotrequireanyspecialhardwarecomponent apart from the identity and the coin element that can be either plugged into the customer device or directly embedded into the device. Similarly to secure elements, both the identity and the coin element can be considered tamperproof devices with a secure storage and execution environment for sensitive data. Thus, as defined in the ISO7816-4 standard, both of them can be accessed via some APIs while maintaining the desired security and privacy level.Such software components (i.e., APIs) are not central to the security of our solution and can be easily and constantly updated. This renders infrastructure maintenance easier.

Conclusion

In this FRoDO Fraud Resilient Device for Off-Line Micro-Payments paper we have introduced FRoDO that is, to the best of our knowledge, the first data-breach-resilient fully offline micro-payment approach. The security analysis shows that FRoDO does not impose trustworthiness assumptions. Further, FRoDO is also the first solution in the literature where no customer device data attacks can be exploited to compromise the system. This has been achieved mainly by leveraging a novel erasable PUF architecture and a novel protocol design. Furthermore, our proposal has been thoroughly discussed and compared against the state of the art. Our analysis shows that FRoDO is the only proposal that enjoys all the properties required to a secure micro-payment solution, while also introducing flexibility when considering the payment medium (types of digital coins). Finally, some open issues have been identified that are left as future work. In particular, we are investigating the possibility to allow digital change to be spent over multiple off-line transactions while maintaining the same level of security and usability.