Biblio

The term cryptocurrency refers to a digital currency based on cryptographic concepts that have become popular in recent years. Bitcoin is a decentralized cryptocurrency that uses the distributed append-only public database known as blockchain to record every transaction. The incentive-compatible Proof-of-Work (PoW)-centered decentralized consensus procedure, which is upheld by the network's nodes known as miners, is essential to the safety of bitcoin. Interest in Bitcoin appears to be growing as the market continues to rise. Bitcoins and Blockchains have identical fundamental ideas, which are briefly discussed in this paper. Various studies discuss blockchain as a revolutionary innovation that has various applications, spanning from bitcoins to smart contracts, and also about it being a solution to many issues. Furthermore, many papers are reviewed here that not only look at Bitcoin’s fundamental underpinning technologies, such as Mixing and the Bitcoin Wallets but also at the flaws in it.

Blockchain technology has made it possible to store and send digital currencies. Bitcoin wallets and marketplaces have made it easy for nontechnical users to use the protocol. Since its inception, the price of Bitcoin is going up and the number of nodes in the network has increased drastically. The increasing popularity of Bitcoin has made exchanges and individual nodes a target for an attack. Understanding the Bitcoin protocol better helps security engineers to harden the network and helps regular users secure their hot wallets. In this paper, Bitcoin protocol is presented with description of the mining process which secures transactions. In addition, the Bitcoin algorithms and their security are described with potential vulnerabilities in the protocol and potential exploits for attackers. Finally, we propose some security solutions to help mitigate attacks on Bitcoin exchanges and hot wallets.

Bitcoin is a famously decentralized cryptocurrency. Bitcoin is excellent because it is a digital currency that provides convenience and security in transactions. Transaction security in Bitcoin uses a consensus involving a distributed system, the security of this system generates a hash sequence with a Proof of Work (PoW) mechanism. However, in its implementation, various attacks appear that are used to generate profits from the existing system. Attackers can use various types of methods to get an unfair portion of the mining income. Such attacks are commonly referred to as Mining attacks. Among which the famous is the Selfish Mining attack. In this study, we simulate the effect of changing decision matrix, attacker region, attacker hash rate on selfish miner attacks by using the opensource NS3 platform. The experiment aims to see the effect of using 1%, 10%, and 20% decision matrices with different attacker regions and different attacker hash rates on Bitcoin selfish mining income. The result of this study shows that regional North America and Europe have the advantage in doing selfish mining attacks. This advantage is also supported by increasing the decision matrix from 1%, 10%, 20%. The highest attacker income, when using decision matrix 20% in North America using 16 nodes on 0.3 hash rate with income 129 BTC. For the hash rate, the best result for a selfish mining attack is between 27% to 30% hash rate.

Mobile terminals especially smartphones are changing people's work and life style. For example, mobile payments are experiencing rapid growth as consumers use mobile terminals as part of lifestyles. However, security is a big challenge for mobile application services. In order to reduce security risks, mobile terminal security assessment should be conducted before providing application services. An approach of comprehensive security assessment is proposed in this paper by defining security metrics with the corresponding scores and determining the relative weights of security metrics based on the analytical hierarchy process (AHP). Overall security assessment of Android-based mobile terminals is implemented for mobile payment services with payment fraud detection accuracy of 89%, which shows that the proposed approach of security assessment is reasonable.

The current face recognition technology has rapidly come into the public life, from unlocking cell phone face to mobile payment, which has brought a lot of convenience to life. However, it is undeniable that it also brings security challenges. Based on this paper, we will discuss the risks of face recognition in the mobile payment and put forward relevant suggestions.

Mobile devices have been widely used to deploy security-sensitive applications such as mobile payments, mobile offices etc. SM2 digital signature technology is critical in these applications to provide the protection including identity authentication, data integrity, action non-repudiation. Since mobile devices are prone to being stolen or lost, several server-aided SM2 cooperative signature schemes have been proposed for the mobile scenario. However, existing solutions could not well fit the high-concurrency scenario which needs lightweight computation and communication complexity, especially for the server sides. In this paper, we propose a SM2 cooperative signature algorithm (SM2-CSA) for the high-concurrency scenario, which involves only one-time client-server interaction and one elliptic curve addition operation on the server side in the signing procedure. Theoretical analysis and practical tests shows that SM2-CSA can provide better computation and communication efficiency compared with existing schemes without compromising the security.

Security is a most concerning matter for client's data in today's emerging technological world in each field, like banking, management, retail, shopping, communication, education, etc. Arise in cyber-crime due to the black hat community, there is always a need for a better way to secure the client's sensitive information, Security is the key point in online banking as the threat of unapproved online access to a client's data is very significant as it ultimately danger to bank reputation. The more secure and powerful methods can allow a client to work with untrusted parties. Paper is focusing on how secure banking transaction system can work by using homomorphic encryption and steganography techniques. For data encryption NTRU, homomorphic encryption can be used and to hide details through the QR code, a cover image can be embed using steganography techniques.

A Quick Response (QR) Code is a type of barcode that can be read by the digital devices and which stores the information in a square-shaped. The QR Code readers can extract data from the patterns which are presented in the QR Code matrix. A QR Code can be acting as an attack vector that can harm indirectly. In such case a QR Code can carry malicious or phishing URLs and redirect users to a site which is well conceived by the attacker and pretends to be an authorized one. Once the QR Code is decoded the commands are triggered and executed, causing damage to information, operating system and other possible sequence the attacker expects to gain. In this paper, a new model for QR Code authentication and phishing detection has been presented. The proposed model will be able to detect the phishing and malicious URLs in the process of the QR Code validation as well as to prevent the user from validating it. The development of this application will help to prevent users from being tricked by the harmful QR Codes.

Bitcoin is a virtual encrypted digital currency based on a peer-to-peer network. In recent years, for higher anonymity, more and more Bitcoin users try to use Tor hidden services for identity and location hiding. However, previous studies have shown that Tor are vulnerable to traffic fingerprinting attack, which can identify different websites by identifying traffic patterns using statistical features of traffic. Our work shows that traffic fingerprinting attack is also effective for the Bitcoin hidden nodes detection. In this paper, we proposed a novel lightweight Bitcoin hidden service traffic fingerprinting, using a random decision forest classifier with features from TLS packet size and direction. We test our attack on a novel dataset, including a foreground set of Bitcoin hidden node traffic and a background set of different hidden service websites and various Tor applications traffic. We can detect Bitcoin hidden node from different Tor clients and website hidden services with a precision of 0.989 and a recall of 0.987, which is higher than the previous model.

To improve efficiency of stegosystem on blockchain and balance the time consumption of Encode and Decode operations, we propose a new blockchain-based steganography scheme, called Keys as Secret Messages (KASM), where a codebook of mappings between bitstrings and public keys can be pre-calculated by both sides with some secret parameters pre-negotiated before covert communication. By applying properties of elliptic curves and pseudorandom number generators, we realize key derivation of codebook item, and we construct the stegosystem with provable security under chosen hiddentext attack. By comparing KASM with Blockchain Covert Channel (BLOCCE) and testing on Bitcoin protocol, we conclude that our proposed stegosystem encodes hiddentexts faster than BLOCCE does and can decode stegotexts in highly acceptable time. The balanced time consumption of Encode and Decode operations of KASM make it applicable in the scene of duplex communication. At the same time, KASM does not leak sender’s private keys, so sender’s digital currencies can be protected.

Mobile payment protocols have attracted widespread attention over the past decade, due to advancements in digital technology. The use of these protocols in online industries can dramatically improve the quality of online services. However, the central issue of concern when utilizing these types of systems is their accountability, which ensures trust between the parties involved in payment transactions. It is, therefore, vital for researchers to investigate how to handle the accountability of mobile payment protocols. In this research, we introduce a secure mobile payment protocol to overcome this problem. Our payment protocol combines all the necessary security features, such as confidentiality, integrity, authentication, and authorization that are required to build trust among parties. In other words, is the properties of mutual authentication and non-repudiation are ensured, thus providing accountability. Our approach can resolve any conflicts that may arise in payment transactions between parties. To prove that the proposed protocol is correct and complete, we use the Scyther and AVISPA tools to verify our approach formally.

Automated teller machines are affected by two kinds of attacks: physical and logical. It is common for most banks to look for zero-day protection for their devices. The most secure solutions available are based on complex security policies that are extremely hard to configure. The goal of this article is to present a concept of using the modified MajorClust algorithm for generating a sandbox-based security policy based on ATM usage data. The results obtained from the research prove the effectiveness of the used techniques and confirm that it is possible to create a division into sandboxes in an automated way.

Nowadays, smartphones are everywhere. They play an indispensable role in our lives and makes people convenient to communicate, pay, socialize, etc. However, they also bring a lot of security and privacy risks. Keystroke operations of numeric keypad are often required when users input password to perform mobile payment or input other privacy-sensitive information. Different keystrokes may cause different finger movements that will bring different interference to WiFi signal, which may be reflected by channel state information (CSI). In this paper, we propose WiPass, a password-keystroke recognition system for numerical keypad input on smartphones, which especially occurs frequently in mobile payment APPs. Based on only a public WiFi hotspot deployed in the victim payment scenario, WiPass would extracts and analyzes the CSI data generated by the password-keystroke operation of the smartphone user, and infers the user's payment password by comparing the CSI waveforms of different keystrokes. We implemented the WiPass system by using COTS WiFi AP devices and smartphones. The average keystroke segmentation accuracy was 80.45%, and the average keystroke recognition accuracy was 74.24%.

ATM transactions are verified using two-factor authentication. The PIN is one of the factors (something you know) and the ATM Card is the other factor (something you have). Therefore, banks make significant investments on PIN Mailers and HSMs to preserve the security and confidentiality in the generation, validation, management and the delivery of the PIN to their customers. Moreover, banks install surveillance cameras inside ATM cubicles as a physical security measure to prevent fraud and theft. However, in some cases, ATM PIN-Pad and the PIN entering process get revealed through the surveillance camera footage itself. We demonstrate that visibility of forearm movements is sufficient to infer PINs with a significant level of accuracy. Video footage of the PIN entry process simulated in an experimental setup was analyzed using two approaches. The human observer-based approach shows that a PIN can be guessed with a 30% of accuracy within 3 attempts whilst the computer-assisted analysis of footage gave an accuracy of 50%. The results confirm that ad-hoc installation of surveillance cameras can weaken ATM PIN security significantly by potentially exposing one factor of a two-factor authentication system. Our investigation also revealed that there are no guidelines, standards or regulations governing the placement of surveillance cameras inside ATM cubicles in Sri Lanka.

The threat of cybercrime is becoming increasingly complex and diverse on putting citizen's data or money in danger. Cybercrime threats are often originating from trusted, malicious, or negligent insiders, who have excessive access privileges to sensitive data. The analysis of cybercrime insider investigation presents many opportunities for actionable intelligence on improving the quality and value of digital evidence. There are several advantages of applying Deep Packet Inspection (DPI) methods in cybercrime insider investigation. This paper introduces DPI method that can help investigators in developing new techniques and performing digital investigation process in forensically sound and timely fashion manner. This paper provides a survey of the packet inspection, which can be applied to cybercrime insider investigation.

Outsourcing services to cloud server (CS) becomes popular in these years. However, the outsourced services often involve with sensitive activity and CS naturally becomes a target of varieties of attacks. Even worse, CS itself can misuse the outsourced services for illegal profit. Traditional online banking system also can make use of a cloud framework to provide economical and high-speed online services to the consumers, which makes the financial dealing easy and convenient. Most of the banking organizations provide services through passbook, ATM, mobile banking, electronic banking (e-banking) etc. Among these, the e-banking and mobile banking are more convenient and becomes essential. Therefore, it is critical to provide an efficient, reliable and more importantly, secure e-banking services to the consumers. The cloud environment is suitable paradigm to a new, small and medium scale banking organization as it eliminates the requirement for them to start with small resources and increase gradually as the service demand rises. However, security is one of the main concerns since it deals with many sensitive data of the valuable customers. In addition to this, the access of various data needs to be restricted to prevent any unauthorized transaction. Nagaraju et al. presented a framework to achieve reliability and security in public cloud based online banking using multi-factor authentication concept. Unfortunately, the login and authentication protocol of this framework is prone to impersonation attack. In this paper, we have revised the framework to avoid this attack.

Blockchain is the one of leading technology of this time; it has started to revolutionize several fields like, finance, business, industry, smart home, healthcare, social networks, Internet and the Internet of Things. It has many benefits like, decentralized network, robustness, availability, stability, anonymity, auditability and accountability. The applications of Blockchain are emerging, and it is found that most of the work is focused on its engineering implementation. While the theoretical part is very less considered and explored. In this paper we implemented the simulation of mining process in Blockchain based systems using queuing theory. We took the parameters of one of the mature Cryptocurrency, Bitcoin's real data and simulated using M/M/n/L queuing system in JSIMgraph. We have achieved realistic results; and expect that it will open up new research direction in theoretical research of Blockchain based systems.

Mobile payment has drawn considerable attention due to its convenience of paying via personal mobile devices at anytime and anywhere, and passcodes (i.e., PINs or patterns) are the first choice of most consumers to authorize the payment. This paper demonstrates a serious security breach and aims to raise the awareness of the public that the passcodes for authorizing transactions in mobile payments can be leaked by exploiting the embedded sensors in wearable devices (e.g., smartwatches). We present a passcode inference system, WristSpy, which examines to what extent the user's PIN/pattern during the mobile payment could be revealed from a single wrist-worn wearable device under different passcode input scenarios involving either two hands or a single hand. In particular, WristSpy has the capability to accurately reconstruct fine-grained hand movement trajectories and infer PINs/patterns when mobile and wearable devices are on two hands through building a Euclidean distance-based model and developing a training-free parallel PIN/pattern inference algorithm. When both devices are on the same single hand, a highly challenging case, WristSpy extracts multi-dimensional features by capturing the dynamics of minute hand vibrations and performs machine-learning based classification to identify PIN entries. Extensive experiments with 15 volunteers and 1600 passcode inputs demonstrate that an adversary is able to recover a user's PIN/pattern with up to 92% success rate within 5 tries under various input scenarios.

Recent years have seen an increased interest in digital wallets for a multitude of use cases including online banking, cryptocurrency, and digital identity management. Digital wallets play a pivotal role in the secure management of cryptographic keys and credentials, and for providing certain identity management services. In this paper, we examine a proof-of-concept digital wallet in the context of Self-Sovereign Identity and provide a practical decentralized key recovery solution using Shamir's secret sharing scheme and Hyperledger Indy distributed ledger technology.

Establishing a digital identity plays a vital part in the digital era. It is crucial to authenticate and identify the users in order to perform online transactions securely. For example, internet banking applications normally require a user to present a digital identity, e.g., username and password, to allow users to perform online transactions. However, the username-password approach has several downsides, e.g., susceptible to the brute-force attack. Public key binding using Certificate Authority (CA) is another common alternative to provide digital identity. Yet, the public key approach has a serious drawback: all CAs in the browser/OS' CA list are treated equally, and consequently, all trusts on the certificates could be invalidated by compromising only a single root CA's private key. We propose a Real Digital Identity based approach, or RDI, on decentralized PKI scheme. The core idea relies on a combination of well-known parties (e.g., a bank, a government agency) to certify the identity, instead of relying on a single CA. These parties, collectively known as Trusted Source Certificate Authorities (TSCA), formed a network of CAs. The generated certificates are stored in the blockchain controlled by smart contract. RDI creates a digital identity that can be trusted based on the TSCAs' challenge/response and it is also robust against a single point of trust attack on traditional CAs.

We provide an agent based simulation model of the Swedish payment system. The simulation model is to be used to analyze the consequences of loss of functionality, or disruptions of the payment system for the food and fuel supply chains as well as the bank sector. We propose a gaming simulation approach, using a computer based role playing game, to explore the collaborative responses from the key actors, in order to evoke and facilitate collective resilience.

Bitcoin is the most famous cryptocurrency currently operating with a total marketcap of almost 7 billion USD. This innovation stands strong on the feature of pseudo anonymity and strives on its innovative de-centralized architecture based on the Blockchain. The Blockchain is a distributed ledger that keeps a public record of all the transactions processed on the bitcoin protocol network in full transparency without revealing the identity of the sender and the receiver. Over the course of 2016, cryptocurrencies have shown some instances of abuse by criminals in their activities due to its interesting nature. Darknet marketplaces are increasing the volume of their businesses in illicit and illegal trades but also cryptocurrencies have been used in cases of extortion, ransom and as part of sophisticated malware modus operandi. We tackle these challenges by developing an analytical capability that allows us to map relationships on the blockchain and filter crime instances in order to investigate the abuse in law enforcement local environment. We propose a practical bitcoin analytical process and an analyzing system that stands alone and manages all data on the blockchain in real-time with tracing and visualizing techniques rendering transactions decipherable and useful for law enforcement investigation and training. Our system adopts combination of analyzing methods that provides statistics of address, graphical transaction relation, discovery of paths and clustering of already known addresses. We evaluated our system in the three criminal cases includes marketplace, ransomware and DDoS extortion. These are practical training in law enforcement, then we determined whether our system could help investigation process and training.

When Bitcoin was first introduced to the world in 2008 by an enigmatic programmer going by the pseudonym Satoshi Nakamoto, it was billed as the world's first decentralized virtual currency. Offering the first credible incarnation of a digital currency, Bitcoin was based on the principal of peer to peer transactions involving a complex public address and a private key that only the owner of the coin would know. This paper will seek to investigate how the usage and value of Bitcoin is affected by current events in the cyber environment. Is an advancement in the digital security of Bitcoin reflected by the value of the currency and conversely does a major security breech have a negative effect? By analyzing statistical data of the market value of Bitcoin at specific points where the currency has fluctuated dramatically, it is believed that trends can be found. This paper proposes that based on the data analyzed, the current integrity of the Bitcoin security is trusted by general users and the value and usage of the currency is growing. All the major fluctuations of the currency can be linked to significant events within the digital security environment however these fluctuations are beginning to decrease in frequency and severity. Bitcoin is still a volatile currency but this paper concludes that this is a result of security flaws in Bitcoin services as opposed to the Bitcoin protocol itself.

Bitcoin, one major virtual currency, attracts users' attention by its novel mode in recent years. With blockchain as its basic technique, Bitcoin possesses strong security features which anonymizes user's identity to protect their private information. However, some criminals utilize Bitcoin to do several illegal activities bringing in great security threat to the society. Therefore, it is necessary to get knowledge of the current trend of Bitcoin and make effort to de-anonymize. In this paper, we put forward and realize a system to analyze Bitcoin from two aspects: blockchain data and network traffic data. We resolve the blockchain data to analyze Bitcoin from the point of Bitcoin address while simulate Bitcoin P2P protocol to evaluate Bitcoin from the point of IP address. At last, with our system, we finish analyzing its current trends and tracing its transactions by putting some statistics on Bitcoin transactions and addresses, tracing the transaction flow and de-anonymizing some Bitcoin addresses to IPs.

In order to provide reliable security solution to the people, the concept of smart ATM security system based on Embedded Linux platform is suggested in this paper. The study is focused on Design and Implementation of Face Detection based ATM Security System using Embedded Linux Platform. The system is implemented on the credit card size Raspberry Pi board with extended capability of open source Computer Vision (OpenCV) software which is used for Image processing operation. High level security mechanism is provided by the consecutive actions such as initially system captures the human face and check whether the human face is detected properly or not. If the face is not detected properly, it warns the user to adjust him/her properly to detect the face. Still the face is not detected properly the system will lock the door of the ATM cabin for security purpose. As soon as the door is lock, the system will automatic generates 3 digit OTP code. The OTP code will be sent to the watchman's registered mobile number through SMS using GSM module which is connected with the raspberry Pi. Watchman will enter the generated OTP through keypad which is interfaced with the Pi Board. The OTP will be verified and if it is correct then door will be unlock otherwise it will remain lock.