Conference: International Conference on HCI for Cybersecurity, Privacy and Trust; International Conference on Human-Computer Interaction

Security Analysis of Transaction Authorization Methods for Next Generation Electronic Payment Services

Abstract

Real-world and ubiquitous human-computer interactions require payment processes that are instant, convenient and interoperable. However, these functional requirements are in opposition to one of the most significant non-functional requirements: security of the payment process. Various attacks have been reported on the confidentiality of payment or payer data, on the integrity, authenticity and non-repudiation of payment transactions, and on the availability of the payment service. Next generation electronic payment services utilize a wide range of payment authorization methods. The security analysis of authorization methods described in this paper includes four sequential phases. The first is identification of relevant authorization methods related to payment authorization in various scenarios. The second is identification of classes of vulnerabilities and threats that are, or potentially can be, related to transaction authorization processes. The third phase comprises analysis of risks resulting from the possible impact of the threats on the authorization methods. The fourth phase covers identification of all types of countermeasures that can be applied against the risks identified in the previous phase. The result of the presented work can be useful in a number of risk analysis scenarios, especially those where the security of a composed system is analyzed, meaning a system that supports a number of assets, electronic payment methods, and countermeasures or security controls in various scenarios in which they are used simultaneously and interact with each other.