Dynamic Offline TrustZone Virtual Credit Card Generator for Financial Transactions

Ammar S. Salman, Wenliang Kevin Du

Research output: Chapter in Book/Entry/Poem › Conference contribution

Abstract

Mobile devices are utilized in every aspect of our lives. They are commonly used for mobile payments, which save the cardholder from carrying credit cards everywhere they go. Unfortunately, mobile device operating systems are quite vulnerable as developers push more features which introduce security issues. Most mobile devices run on the ARM architecture, which supports TrustZone hardware-based security. TrustZone is used in many operations, e.g., fingerprint authentication, cryptography, etc., but it is still limited to the vendor's will and some authorized third-party developers. In earlier works we secured merchant-presented (buyer-scanned) QR payments using the TrustZone. Other works have previously secured buyer-presented QR codes, and such solutions work well for static QR codes which only need be generated once. In this work, we designed a novel virtual credit card generation algorithm which works offline and under the TrustZone environment. Virtual credit cards can protect users from credit card information theft, which can happen through both physical and digital means. It is common to hear about hacked merchant databases which lead to massive leaks of credit card information. This risk can be eliminated by the design we set in this work. Combining this design with mobile phones yields high protection for users’ data. Meanwhile, it is important that the normal-world operating system on the mobile phone never gets this information, since it can be under a remote attacker’s control. This is why we designed the algorithm to work under the TrustZone environment securely. We have proven the system’s correctness by sending the data over a simulated network to ensure the proper verification of the generated data. In addition, the level of protection can reach near complete security where any fraudulent act can be foiled. Some options can ensure no one can breach the operations beyond intentional bank or user actions in the TrustZone.

Original language: English (US)
Title of host publication: Advances in Information and Communication - Proceedings of the 2022 Future of Information and Communication Conference, FICC
Editors: Kohei Arai
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 962-981
Number of pages: 20
ISBN (Print): 9783030980146
State: Published - 2022
Event: Future of Information and Communication Conference, FICC 2022 - Virtual, Online
Duration: Mar 3 2022 → Mar 4 2022

Publication series

Name: Lecture Notes in Networks and Systems
Volume: 439 LNNS
ISSN (Print): 2367-3370
ISSN (Electronic): 2367-3389

Conference

Conference: Future of Information and Communication Conference, FICC 2022
City: Virtual, Online
Period: 3/3/22 → 3/4/22

Keywords

  • ARM TrustZone
  • Android
  • Attack surface
  • Authorization
  • Hashing
  • Mobile security
  • OP-TEE
  • Payment fraud prevention
  • REE
  • Secret token
  • TEE
  • Threat model
  • Virtual credit card

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Signal Processing
  • Computer Networks and Communications
