@inproceedings{a83e5fa0c9a14b4f87946dfc5aeb29b8,
title = "Dynamic Offline TrustZone Virtual Credit Card Generator for Financial Transactions",
abstract = "Mobile devices are utilized in every aspect of our lives. They are commonly used for mobile payments which save the cardholder from carrying credit cards everywhere they go. Unfortunately, mobile device operating systems are quite vulnerable as developers push more features which introduce security issues. Most mobile devices run on ARM architecture which supports TrustZone hardware-based security. TrustZone is used in many operations, e.g., fingerprint authentication, cryptography, etc. but it is still limited to the vendor{\textquoteright}s will and some authorized third-party developers. In earlier works we secured merchant-presented (buyer-scanned) QR payments using the TrustZone. Other works have previously secured buyer-presented QR codes and such solutions work well for static QR codes which only need be generated once. In this work, we designed a novel virtual credit card generation algorithm which works offline and under the TrustZone environment. Virtual credit cards can protect users from credit card information theft which can happen through both physical and digital means. It is common to hear about hacked merchant databases which lead to massive leaks of credit card information. This risk can be eliminated by the design we set in this work. Combining this design with mobile phones yields high protection for users{\textquoteright} data. Meanwhile, it is important that the normal-world operating system on the mobile phone never gets this information since it can be under a remote attacker{\textquoteright}s control. Hence this is why we designed the algorithm to work under the TrustZone environment securely. We have proven the system{\textquoteright}s correctness by sending the data over a simulated network to ensure the proper verification of the generated data. In addition, the level of protection can reach near complete security where any fraudulent act can be foiled. 
Some options can ensure no one can breach the operations beyond intentional bank or user actions in the TrustZone.",
keywords = "ARM TrustZone, Android, Attack surface, Authorization, Hashing, Mobile security, OP-TEE, Payment fraud prevention, REE, Secret token, TEE, Threat model, Virtual credit card",
author = "Salman, {Ammar S.} and Du, {Wenliang Kevin}",
note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; Future of Information and Communication Conference, FICC 2022 ; Conference date: 03-03-2022 Through 04-03-2022",
year = "2022",
doi = "10.1007/978-3-030-98015-3_65",
language = "English (US)",
isbn = "9783030980146",
series = "Lecture Notes in Networks and Systems",
publisher = "Springer Science and Business Media Deutschland GmbH",
pages = "962--981",
editor = "Kohei Arai",
booktitle = "Advances in Information and Communication - Proceedings of the 2022 Future of Information and Communication Conference, FICC",
address = "Germany",
}