IoT-Based Payment Protocols: History

Financial services and the payment industry are constantly evolving to meet customer requirements and to create a competitive advantage by providing better banking and financial services, improving operational efficiency and reducing costs. After plastic cards were successfully replaced by the mobile wallet (m-Wallet), the Internet of Things (IoT) leaves the door wide open for consumers to use their connected devices to access their bank accounts and perform routine banking activities from anywhere, anytime, and with any device.

  • IoT-based payment protocols
  • Contactless Payment
  • Mobile Wallet
  • Electronic Payment Systems
  • FinTech

1. Introduction

Financial services and the payment industry are constantly evolving to meet customer requirements and to create a competitive advantage by providing better banking and financial services, improving operational efficiency and reducing costs. After plastic cards were successfully replaced by the mobile wallet (m-Wallet) [1], the Internet of Things (IoT) leaves the door wide open for consumers to use their connected devices to access their bank accounts and perform routine banking activities from anywhere, anytime, and with any device. For instance, a customer can use a connected watch to pay at a store, while a driver can pay for parking and fuel via a connected car. Likewise, a connected refrigerator can automatically buy more milk. All these payment scenarios fall under the so-called IoT-based payment systems. The trend toward IoT-based payment systems started in the last few years and accelerated in 2018 [2].
One effective form of IoT-based payment, an in-vehicle payment solution, has recently been launched by two leading credit card companies, Visa and MasterCard. In this solution, the driver is alerted when he/she is near a smart parking meter or fuel pump. At payment time, the amount of the purchased service is displayed on the dashboard, and the entire payment process is then completed with just a touch of a button. In addition to in-vehicle payments, wearable payment systems [3][4] have innovatively integrated payment methods into wearable devices such as smartwatches, jewelry, wristbands, fitness bands, and other adaptable wearables.
An IoT-based payment system offers substantial efficiency benefits for both buyers and sellers, and for both individuals and businesses. Consumers get shorter transaction times, greater convenience, and fast real-time responses. Furthermore, their financial habits improve, as the IoT-based payment system helps them spend their money wisely; for example, to prevent oversupply, reordering only occurs when a product is running low. On the other hand, traders can gain more customers by ensuring IoT-friendliness, automating their logistics processes using smart shelves, and optimizing checkout and customer service by accepting IoT wallets.
Along with the many benefits of IoT-based payment systems, the associated risks and threats [5][6] cannot be omitted. With so much payment data shared across many IoT devices and things, it is inevitable that hackers and malicious users will try to gain access to this highly valuable and exposed data.

2. Electronic Payment Systems

The financial technology (FinTech) sector [7] is an industry that leverages new technologies to provide secure, instant, and efficient financial services. Its services (e.g., mobile banking apps) have been widely adopted by financial institutions. However, as a recent study [8] revealed, FinTech financial services are not as secure as expected. The study discovered thousands of vulnerabilities in 693 banking apps across over 80 countries, many of which could have serious consequences, such as leakage of sensitive information (e.g., PIN code, user name, or users’ credentials). Once users’ credentials are stolen, hackers misuse them to gain illegal access to the victim’s account, defraud institutions, and commit other such financial and identity crimes.
In academia, many electronic payment systems have been proposed [9][10][11][12][13]. These systems aim to deliver payments from consumers to merchants in the most effective, efficient, and error-free way, particularly in combination with attractive security properties. Unfortunately, each system is limited in some aspect.

3. Contactless Payment

Google Wallet launched the first (contactless) payment system in 2011, followed by Apple Pay in 2014 and Samsung Pay in 2015. Also in 2015, Android Pay was announced as a new contactless system. Traditional contactless payments use cards, and the majority of them now follow the Europay, MasterCard, and Visa (EMV) contactless specifications [14]. In a mobile contactless payment system, the user pays for in-store purchases with virtual debit and credit card information by holding the smartphone in front of a near-field communication point-of-sale (NFC-POS) terminal.
Contactless payments can be classified according to the amount of money transferred into two main types: micro and macro [15]. In a micro payment, the user makes a small contactless transaction using a touch-and-go process, while in a macro payment, the user conducts a large transaction using a touch-and-confirm process.
Despite the great convenience brought by mobile contactless payment systems, fraud remains a significant consumer concern. Recent research [16] showed that 38% of users have a strong feeling that contactless payments are insecure, and around half (51%) are very or extremely concerned about fraud. As a result, 30% of all users with contactless cards still do not use them.

4. Mobile Wallet

A mobile wallet (m-Wallet) is a virtual wallet that keeps payment card information on a mobile device. Mobile wallets are a convenient way for a consumer to conduct in-store, in-app, or online payments. In 2017, Qin et al. [1] introduced a secure and privacy-preserving mobile wallet by incorporating a certificateless signature and a pseudo-identity technique. Their approach significantly reduces the computation overhead on a resource-limited mobile device by offloading the heavy computation on the user side to an untrusted cloud server. However, their payment protocol is insecure against a collusion attack between the customer, Alice, and the cloud server at the server-aided verification phase, as proved in [17]: because the cloud server is untrusted, there is no way to verify whether the information it returns is valid. Building on the benefits of the certificate-free property, Yeh [18] and Chen et al. [19] proposed IoT-based payment protocols based on certificateless cryptographic primitives. However, despite the security proofs, Zirui et al. [20] proved that the Yeh [18] protocol is insecure against a public key replacement attack, while the protocol of Chen et al. [19] lacks perfect forward secrecy and is vulnerable to replay attacks, as shown in [21]. Şengel et al. [22] proposed a new mobile payment cryptographic solution model that stores clients’ credentials in the memory of the device; however, keeping users’ credentials (private keys and PIN) in the memory of a handset is very risky, as these credentials can be easily compromised. A fully offline transaction e-commerce system model based on mobile payment, which includes an offline POS terminal, a mobile device, and a payment center, was proposed by Li et al. [23], but it has limitations in day-to-day customer–merchant transactions, as it requires an additional POS terminal.
Although the security requirements of IoT-based payment seem similar to those identified in the literature, the limited resources of IoT devices (storage capacity, processing capability, communication bandwidth, and battery lifetime) make the problem novel and challenging.

This entry is adapted from the peer-reviewed paper 10.3390/electronics11213445

References

  1. Qin, Z.; Sun, J.; Wahaballa, A.; Zheng, W.; Xiong, H.; Qin, Z. A Secure and Privacy-preserving Mobile Wallet with Outsourced Verification in Cloud Computing. Comput. Stand. Interfaces 2017, 54, 55–60.
  2. Turban, E.; Outland, J.; King, D.; Lee, J.K.; Liang, T.P.; Turban, D.C. Mobile commerce and the internet of things. In Electronic Commerce; Springer: Cham, Switzerland, 2018; pp. 205–248.
  3. Cha, B.R.; Lee, S.H.; Park, S.B.; Ji, Y.; Lee, G.K. Design of micro-payment to strengthen security by 2 factor authentication with mobile & wearable devices. Adv. Sci. Technol. Lett. 2015, 109, 28–32.
  4. Zhou, T.T.; Zhou, D.T.; Zhou, A.H. One-Touch Payment Using Haptic Control via a Messaging and Calling Multimedia System on Mobile Device and Wearable Device, Currency Token Interface, Point of Sale Device, and Electronic Payment Card. U.S. Patent 8,985,442, 24 March 2015.
  5. Bhardwaj, A.; Kaushik, K.; Kumar, M. Taxonomy of Security Attacks on Internet of Things. In Security and Privacy in Cyberspace; Kaiwartya, O., Kaushik, K., Gupta, S.K., Mishra, A., Kumar, M., Eds.; Springer Nature: Singapore, 2022; pp. 1–24.
  6. Wheelus, C.; Zhu, X. IoT network security: Threats, risks, and a data-driven defense framework. IoT 2020, 1, 259–285.
  7. Chen, C.C.; Liao, C.C. Research on the development of Fintech combined with AIoT. In Proceedings of the 2021 IEEE International Conference on Consumer Electronics-Taiwan (ICCE-TW), Penghu, Taiwan, 15–17 September 2021; pp. 1–2.
  8. Chen, S.; Su, T.; Fan, L.; Meng, G.; Xue, M.; Liu, Y.; Xu, L. Are mobile banking apps secure? What can be improved? In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, Lake Buena Vista, FL, USA, 4–9 November 2018; pp. 797–802.
  9. Hassan, M.A.; Shukur, Z.; Hasan, M.K. An efficient secure electronic payment system for e-commerce. Computers 2020, 9, 66.
  10. Wang, F.; Yang, N.; Shakeel, P.M.; Saravanan, V. Machine learning for mobile network payment security evaluation system. Trans. Emerg. Telecommun. Technol. 2021, e4226.
  11. Deng, X.; Gao, T. Electronic payment schemes based on blockchain in VANETs. IEEE Access 2020, 8, 38296–38303.
  12. Tut, D. FinTech and the Covid-19 pandemic: Evidence from electronic payment systems. SSRN 2020.
  13. Shanmugapriyan, J.; Parthasarathy, R.; Sathish, S.; Prasanth, S. Secure Electronic Transaction Using AADHAAR Based QR Code and Biometric Authentication. In Proceedings of the 2022 International Conference on Communication, Computing and Internet of Things (IC3IoT), Chennai, India, 10–11 March 2022; IEEE: Piscataway, NJ, USA, 2022; pp. 1–4.
  14. Basin, D.; Sasse, R.; Toro-Pozo, J. The EMV Standard: Break, Fix, Verify. In Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 24–27 May 2021; pp. 1766–1781.
  15. Gupta, B.B.; Narayan, S. A key-based mutual authentication framework for mobile contactless payment system using authentication server. J. Organ. End User Comput. (JOEUC) 2021, 33, 1–16.
  16. Nilsson, H. Trust issues? The need to secure contactless biometric payment cards. Biom. Technol. Today 2021, 2021, 5–8.
  17. Liao, Y.; He, Y.; Li, F.; Zhou, S. Analysis of a mobile payment protocol with outsourced verification in cloud server and the improvement. Comput. Stand. Interfaces 2018, 56, 101–106.
  18. Yeh, K.H. A secure transaction scheme with certificateless cryptographic primitives for IoT-based mobile payments. IEEE Syst. J. 2017, 12, 2027–2038.
  19. Chen, Y.; Xu, W.; Peng, L.; Zhang, H. Light-weight and privacy-preserving authentication protocol for mobile payments in the context of IoT. IEEE Access 2019, 7, 15210–15221.
  20. Qiao, Z.; Yang, Q.; Zhou, Y.; Zhang, M. Improved Secure Transaction Scheme With Certificateless Cryptographic Primitives for IoT-Based Mobile Payments. IEEE Syst. J. 2022, 16, 1842–1850.
  21. Xiong, H.; Wu, Y.; Jin, C.; Kumari, S. Efficient and Privacy-Preserving Authentication Protocol for Heterogeneous Systems in IIoT. IEEE Internet Things J. 2020, 7, 11713–11724.
  22. Şengel, Ö.; Aydin, M.A.; Sertbaş, A. A survey on white box cryptography model for mobile payment systems. In International Telecommunications Conference; Springer: Berlin/Heidelberg, Germany, 2019; pp. 215–225.
  23. Li, S.; Hu, X.; Fengling; Zhang, Y.; Dong, W.; Ye, J.; Sun, H. Research on Offline Transaction Model in Mobile Payment System. In International Conference on Frontier Computing; Hung, J.C., Yen, N.Y., Hui, L., Eds.; Springer: Singapore, 2019; pp. 1815–1820.