You could be tracked by your payment-enabled phone

Contactless-enabled mobile phones could be giving out an identifiable number which hackers could use to track your movements...
01 July 2016


Contactless-enabled mobile phones could be giving out an identifiable number which hackers could use to track your movements, say researchers who are working on a crafty way of covering your tracks...

Mobile payment

Contactless payment in both phones and bank cards employs a near field communication (NFC) chip, which transfers packets of information between two nearby points over a short-range wireless link.

The Issue

The security of online transactions is important if businesses are to be able to make the best possible use of the internet.

That's why securing online transactions is one of the main objectives of the EU's Cybersecurity Strategy.

The EU is also helping businesses get the most out of the opportunities offered by the internet by working to establish a single market across Europe for goods and services bought online.

The NFC chip works by sending out an identifiable public number, or key, which can then be securely linked to your payment method. The problem is that this public key can be read by any hacker who has the right equipment to pick up and decipher the NFC signal.

'Once somebody knows this public number belongs to me as a person, then I can be tracked,' explained Holger Bock of Infineon Technologies, Austria, who is coordinating the work as part of the EU-funded MATTHEW project, which is looking at different ways of improving mobile phone payments.

The MATTHEW project is proposing a canny way to anonymise the public number, by using group signatures. Instead of each person being identified by their entire public key, a group of people all generate a code that is read and verified by the reader.

This method disguises people's individual identities while proving they are part of a group.

'The idea is that you should not be traceable,' said Bock, adding that identities can only be revealed by a special key owned by an inspector if someone begins to abuse the system.

The researchers also used a system called Attribute-Based Credentials (ABCs), which carry information specific to someone's persona, such as their age or their transport subscription, to verify that someone is part of an authorised group.

'You check a certain attribute or you check that the person who has some credentials is a member of a group without revealing who he or she is,' said Bock.
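The two passages above describe proving that you belong to a group without revealing which member you are. The block below is an added teaching example written for this article; it is not MATTHEW project code and does not implement the project's group-signature or ABC schemes. It uses a closely related primitive, a ring signature in the Abe-Ohkubo-Suzuki style built from Schnorr identification and only Python's standard library, to show the property Bock describes: any ring member can produce a valid signature, the verifier learns only that some member signed, and an outsider cannot. One difference matters for the article: a ring signature has no inspector key that can open a signature and reveal the signer, which is precisely the extra capability a group signature adds. The 62-bit safe prime found at import time and the sample message are constructed teaching choices, not a secure parameter size or real project data.

```python
# Added teaching example for this article; it is not MATTHEW project code.
# Ring signature (Abe-Ohkubo-Suzuki style) built from Schnorr identification:
# any ring member can sign, a verifier learns only that *some* member signed,
# and nothing in the signature says which one. Unlike the group signatures the
# article describes, there is no inspector key that can open a signature.
from __future__ import annotations

import hashlib
import secrets


def _is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these bases."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _safe_prime_from(start: int) -> tuple[int, int]:
    """Smallest safe prime P = 2Q + 1 with Q >= start; returns (P, Q)."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Group parameters: a 62-bit safe prime found at import time. This size is a
# teaching choice only (assumption); real deployments use 256-bit EC groups.
P, Q = _safe_prime_from(1 << 61)
G = 4  # a square mod P, so it generates the order-Q subgroup


def keygen() -> tuple[int, int]:
    """Return (private, public) with public = G^private mod P."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(message: bytes, commitment: int) -> int:
    """Fiat-Shamir challenge: hash the message and a group element into Z_Q."""
    h = hashlib.sha256(message + commitment.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % Q


def ring_sign(message: bytes, ring: list[int], signer: int, private_key: int):
    """Sign on behalf of the ring; 'signer' is the index of our own public key."""
    n = len(ring)
    c = [0] * n
    r = [0] * n
    a = secrets.randbelow(Q - 1) + 1
    # Start one step after the signer with an honest commitment G^a.
    i = (signer + 1) % n
    c[i] = _challenge(message, pow(G, a, P))
    # Walk around the ring, simulating every other member with a random r_i.
    while i != signer:
        r[i] = secrets.randbelow(Q)
        commitment = pow(G, r[i], P) * pow(ring[i], c[i], P) % P
        i = (i + 1) % n
        c[i] = _challenge(message, commitment)
    # Close the ring: only the real private key makes this step consistent.
    r[signer] = (a - c[signer] * private_key) % Q
    return c[0], r


def ring_verify(message: bytes, ring: list[int], signature) -> bool:
    """Recompute the chain of challenges; it must close back on c_0."""
    c0, r = signature
    if len(r) != len(ring):
        return False
    c = c0
    for y_i, r_i in zip(ring, r):
        commitment = pow(G, r_i, P) * pow(y_i, c, P) % P
        c = _challenge(message, commitment)
    return c == c0


if __name__ == "__main__":
    keys = [keygen() for _ in range(3)]
    ring = [pub for _, pub in keys]
    msg = b"constructed sample: pay 2.40 EUR at cafe terminal 7"  # constructed
    sig = ring_sign(msg, ring, 1, keys[1][0])
    print("valid from member 1:", ring_verify(msg, ring, sig))
    outsider_private, _ = keygen()
    forged = ring_sign(msg, ring, 0, outsider_private)
    print("valid from outsider:", ring_verify(msg, ring, forged))
```

The verifier only ever sees the list of public keys and the values (c_0, r_0..r_n-1); every position in the ring is consistent with having been the honest step, so the signature is unlinkable to a particular member, which is the anti-tracking property the article is after. Trying to close the ring with a private key that matches none of the public keys leaves one step inconsistent and verification fails.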

Last year, the project was able to show a working prototype. The final six months of the project will focus on further improving privacy and refining the group signature and ABC procedures.

Password overload

Another problem facing smartphone users is password overload. Paying by mobile may be easy, but if you forget your password, the queue at the café will soon begin to grow.

The EU-funded ReCRED project is designing a way of bringing a person's online identities together to securely allow access through one single point.

The project has developed a programme that can consolidate all your online identities - such as your email, Facebook, Reddit and Amazon logins - into one online persona. This persona can then be securely linked to you via security measures on your phone or computer to ensure that only you have access.

'Sometimes we need a proof of our age or our profession but we don't want to disclose the whole attributes of our identities,' said project coordinator Professor Christos Xenakis of the University of Piraeus, Greece.

'In ReCRED, the user is authenticated to his smartphone, using easy-to-use password-less techniques, while the phone is authenticated to the online payment service,' he said.

Similar to MATTHEW, the ReCRED project does this by using attributes. However, in this case, they can be generated from typing patterns, face recognition, and mobility signatures - for example, the unique signal trail you leave as you go from house to work can be used to authenticate the login.

'These signatures are kept encrypted within the hardware and it's impossible for someone that is not authenticated on the device to take this signature out,' said Prof. Xenakis.

The project is now completing the design of its programs, and will launch experiments next year.
