IoT-Based Payment Protocols: Comparison
Please note this is a comparison between Version 1 by Abubaker Wahaballa and Version 2 by Camila Xu.

Financial services and the payment industry are constantly evolving to meet customer requirements and to create a competitive advantage by providing better banking and financial services, improving operational efficiency and reducing costs. After plastic cards were successfully replaced by the mobile wallet (m-Wallet), the Internet of Things (IoT) leaves the door wide open for consumers to use their connected devices to access their bank accounts and perform routine banking activities from anywhere, anytime, and with any device.

  • IoT-based payment protocols
  • Contactless Payment
  • Mobile Wallet
  • Electronic Payment Systems
  • FinTech

1. Introduction

Financial services and the payment industry are constantly evolving to meet customer requirements and to create a competitive advantage by providing better banking and financial services, improving operational efficiency and reducing costs. After plastic cards were successfully replaced by the mobile wallet (m-Wallet) [1], the Internet of Things (IoT) leaves the door wide open for consumers to use their connected devices to access their bank accounts and perform routine banking activities from anywhere, anytime, and with any device. For instance, a connected watch can be used by a customer to conduct payment at a store, while a driver can pay for parking and fuel via a connected car. Furthermore, more milk can be bought automatically through a connected refrigerator. All these payment scenarios are categorized in the so-called IoT-based payment systems. The trend toward IoT-based payment systems started in the last few years and accelerated in 2018 [2].
As one of the effective methods of IoT-based payment systems, an in-vehicle payment solution has recently been launched by two leading credit card companies: Visa and MasterCard. In this solution, the driver is alerted when he/she is near a smart parking meter or fuel pump. At payment time, the amount of the purchased service is displayed in the dashboard. Afterwards, the entire payment process is simply completed with just a touch of a button. In addition to in-vehicle payments, wearable payment systems [3][4][3,4] have innovatively integrated payment methods into wearable devices such as smartwatches, jewelry, wristbands, fitness bands, and other adaptable wearables.
An IoT-based payment system offers substantial efficiency benefits for both buyers and sellers, and both individuals and businesses. The consumers receive shorter transaction time with high comfort and fast real-time response. Furthermore, their financial habits will improve as the IoT-based payment system supports them to spend their money wisely. For example, to prevent oversupply, reordering only occurs when the product is running low. On the other hand, the traders can gain more customers by ensuring IoT-friendliness, automating their logistics processes using smart shelves, and optimizing checkout and customer service by accepting IoT wallets.
Along with the many benefits of the IoT-based payment system, the associated risks and threats [5][6][5,6] cannot be omitted. With so many payment data shared across many IoT devices and things, it is inevitable that hackers and malicious users will try to obtain access to these most valuable and vulnerable data.

2. Electronic Payment Systems

The financial technology (FinTech) sector [7][10] is an industry that leverages new technologies to provide secure, instant, and efficient financial services. Its services (e.g., mobile banking apps) have been widely adopted by financial institutions. However, as revealed by the recent study [8][11], the FinTech financial services are not as secure as we expected. The study discovered thousands of vulnerabilities in 693 banking apps across over 80 countries, many of which could cause serious consequences, such as sensitive information leakage (e.g., PIN code, user name, or users’ credentials). Once the users’ credentials are stolen, hackers misuse them to gain illegal access to the victim’s account, defraud institutions, and other such financial and identity crimes. In academia, many electronic payment systems have been proposed [9][10][11][12][13][12,13,14,15,16]. These systems aim to deliver payments from consumers to merchants in the most effective, efficient, and error-free way, particularly in combination with attractive security properties. Unfortunately, each system is limited in some aspect.

3. Contactless Payment

Google Wallet launched the first (contactless) payment system in 2011. Subsequently, it was followed by both Apple and Samsung Pay in 2014 and 2015, respectively. Additionally in 2015, Android Pay was announced as a new contactless system. Traditional contactless payments use cards. Now, the majority of them follow Europay, MasterCard, and Visa (EMV) contactless specifications [14][17]. In a mobile contactless payment system, the user is allowed to use the virtual debit and credit card information to securely pay for the purchases in store with those cards by waving the smart phone in front of the near-field communication point-of-sale (NFC-POS). The contactless payment can be classified according to the amount of money transferred into two main types: micro and macro [15][18]. In a micro payment, the user makes a small contactless transaction with touch-and-go practice, while in the macro payment, the user conducts a big amount transaction with touch-and-confirm practice. Despite the great convenience brought by mobile contactless payment systems, fraud remains a significant consumer concern. Recent research [16][19] showed that 38% of users have a strong feeling that contactless payments are insecure, and around half (51%) are very or extremely concerned about fraud. As a result, 30% of all users with contactless cards still do not use them.

4. Mobile Wallet

A mobile wallet (m-Wallet) is a virtual wallet that keeps payment card information on a mobile device. Mobile wallets are a convenient way for a consumer to conduct in-store, in-app, or online payments. In 2017, Qin et al. [1] introduced a secure and privacy-preserving mobile wallet by incorporating the certificateless signature and pseudo identity technique. Their approach significantly reduces the computation overhead in a resource-limited mobile device by offloading the heavy computation overhead on the user side to the untrusted cloud server. However, their payment protocol is insecure against a collusion attack between the customer, Alice, and the cloud server at the server-aided verification phase, as proved in [17][20]. Because the cloud server is untrusted, there is no way to verify whether the returned information is valid or not. By considering the benefits of certificate-free property, Yeh and Chen et al. [18][19][21,22] proposed IoT-based payment protocols based on certificateless cryptography primitives. However, despite the security proofs, Zirui et al. [20][23] proved that the Yeh [18][21] protocol is insecure against public key replacement attack, while Chen et al. [19][22] suffers from perfect forward secrecy and replay attacks, as shown in [21][24]. The work by Şengel et al. [22][25] proposed a new mobile payment cryptographic solution model, and this solution stores clients’ credentials in the memory of the device; however, keeping users’ credentials (private keys and PIN) in the memory of a handset is very risky as these credentials can be easily compromised. A fully offline transaction e-commerce system model based on mobile payment, which includes the offline POS terminal, mobile device, and payment center, was proposed by Li et al. [23][26], but it has limitations in day-to-day customer–merchant transactions, as it requires an additional POS terminal. Despite the security requirements of IoT-based payment seeming similar to those identified in the literature, the limited resources of IoT devices such as storage capacity, processing capabilities, communication bandwidth, and battery lifetime make the problem very novel and challenging.