1. Postdoctoral Research Station, China Merchants Bank Head Office, Shenzhen 518067, Guangdong, China
2. Information Technology Department, China Merchants Bank Head Office, Shenzhen 518067, Guangdong, China
3. School of Science, Guizhou University, Guiyang 550025, Guizhou, China
4. School of Computer Science, Xidian University, Xi'an 710071, Shaanxi, China
CHEN Xi (1984- ), male, born in Shaoxing, Zhejiang; Ph.D.; postdoctoral researcher at China Merchants Bank Head Office. Main research interests: mobile payment security, reverse engineering and security protocols.
TIAN Youliang (1982- ), male, born in Panxian, Guizhou; postdoctoral researcher at the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences; associate professor at Guizhou University; member of the China Computer Federation, the Chinese Association for Cryptologic Research and ACM. Main research interests: game theory, security protocol analysis and distributed cryptosystems.
MA Zhuo (1980- ), male, born in Xi'an, Shaanxi; associate professor at Xidian University; member of the China Computer Federation, ACM and the Chinese Association for Cryptologic Research. Main research interests: trusted computing and network security.
MA Jianfeng (1963- ), male, born in Xi'an, Shaanxi; professor and doctoral supervisor at Xidian University. Main research interests: cryptography, computer networks and information security.
Online publication date: 2014-11
Print publication date: 2014-11-30
Xi CHEN, You-liang TIAN, Zhuo MA, et al. Research on security of mobile payment for commercial bank [J]. Journal on Communications, 2014, 35(Z2): 131-139. DOI: 10.3969/j.issn.1000-436x.2014.z2.018.
Mobile payment is without doubt the most closely watched area of Internet finance today. Yet while users enjoy the convenience and speed of mobile payment services, they face serious security problems at the same time: incidents such as mobile-phone Trojans and privacy leaks emerge endlessly, and large numbers of financial-payment malware families with complete attack chains can directly steal users' account numbers, passwords, verification codes and other information during remote or near-field payment. Security issues have already seriously impeded the further development of the mobile payment market. To address these problems, this paper systematically surveys, from the perspective of a financial institution, the security issues in mobile payment, covering mobile-terminal security, payment security (both near-field and remote payment), network security and the security of the business interaction logic. In addition, it analyses and summarises the current state of research on the relevant key security technologies in both the academic community and industry. Finally, building on these results, it presents a design architecture and planning recommendations for a mobile payment security system, to guide the information-security research priorities and direction of commercial banks in mobile finance.