Biblio

Authenticating a person's identity has always been a challenge. While attempts are being made by government agencies to address this challenge, the citizens are being exposed to a new age problem of Identity management. The sharing of photocopies of identity cards in order to prove our identity is a common sight. From score-card to Aadhar-card, the details of our identity has reached many unauthorized hands during the years. In India the identity thefts accounts for 77% [1] of the fraud cases, and the threats are trending. Programs like e-Residency by Estonia[2], Bitnation using Ethereum[3] are being devised for an efficient Identity Management. Even the US Home Land Security is funding a research with an objective of “Design information security and privacy concepts on the Blockchain to support identity management capabilities that increase security and productivity while decreasing costs and security risks for the Homeland Security Enterprise (HSE).” [4] This paper will discuss the challenges specific to India around Identity Management, and the possible solution that the Distributed ledger, hashing algorithms and smart contracts can offer. The logic of hashing the personal data, and controlling the distribution of identity using public-private keys with Blockchain technology will be discussed in this paper.

Blockchain, the technology behind the popular Bitcoin, is considered a "security by design" system as it is meant to create security among a group of distrustful parties yet without a central trusted authority. The security of blockchain relies on the premise of honest-majority, namely, the blockchain system is assumed to be secure as long as the majority of consensus voting power is honest. And in the case of proof-of-work (PoW) blockchain, adversaries cannot control more than 50% of the network's gross computing power. However, this 50% threshold is based on the analysis of computing power only, with implicit and idealistic assumptions on the network and node behavior. Recent researches have alluded that factors such as network connectivity, presence of blockchain forks, and mining strategy could undermine the consensus security assured by the honest-majority, but neither concrete analysis nor quantitative evaluation is provided. In this paper we fill the gap by proposing an analytical model to assess the impact of network connectivity on the consensus security of PoW blockchain under different adversary models. We apply our analytical model to two adversarial scenarios: 1) honest-but-potentially-colluding, 2) selfish mining. For each scenario, we quantify the communication capability of nodes involved in a fork race and estimate the adversary's mining revenue and its impact on security properties of the consensus protocol. Simulation results validated our analysis. Our modeling and analysis provide a paradigm for assessing the security impact of various factors in a distributed consensus system.

Bitcoin was the first successful decentralized cryptocurrency and remains the most popular of its kind to this day. Despite the benefits of its blockchain, Bitcoin still faces serious scalability issues, most importantly its ever-increasing blockchain size. While alternative designs introduced schemes to periodically create snapshots and thereafter prune older blocks, already-deployed systems such as Bitcoin are often considered incapable of adopting corresponding approaches. In this work, we revise this popular belief and present CoinPrune, a snapshot-based pruning scheme that is fully compatible with Bitcoin. CoinPrune can be deployed through an opt-in velvet fork, i.e., without impeding the established Bitcoin network. By requiring miners to publicly announce and jointly reaffirm recent snapshots on the blockchain, CoinPrune establishes trust into the snapshots' correctness even in the presence of powerful adversaries. Our evaluation shows that CoinPrune reduces the storage requirements of Bitcoin already by two orders of magnitude today, with further relative savings as the blockchain grows. In our experiments, nodes only have to fetch and process 5GiB instead of 230GiB of data when joining the network, reducing the synchronization time on powerful devices from currently 5h to 46min, with even more savings for less powerful devices.

We investigate what we call the "Bitcoin Generator Scam" (BGS), a simple system in which the scammers promise to "generate" new bitcoins using the ones that were sent to them. A typical offer will suggest that, for a small fee, one could receive within minutes twice the amount of bitcoins submitted. BGS is clearly not a very sophisticated attack. The modus operandi is simply to put up some web page on which to find the address to send the money and wait for the payback. The pages are then indexed by search engines, and ready to find for victims looking for free bitcoins. We describe here a generic system to find and analyze scams such as BGS. We have trained a classifier to detect these pages, and we have a crawler searching for instances using a series of search engines. We then monitor the instances that we find to trace payments and bitcoin addresses that are being used over time. Unlike most bitcoin-based scam monitoring systems, we do not rely on analyzing transactions on the blockchain to find scam instances. Instead, we proactively find these instances through the web pages advertising the scam. Thus our system is able to find addresses with very few transactions, or even none at all. Indeed, over half of the addresses that have eventually received funds were detected before receiving any transactions. The data for this paper was collected over four months, from November 2019 to February 2020. We have found more than 1,300 addresses directly associated with the scam, hosted on over 500 domains. Overall, these addresses have received (at least) over 5 million USD to the scam, with an average of 47.3 USD per transaction.

Bitcoin is gaining traction as an alternative store of value. Its market capitalization transcends all other cryptocurrencies in the market. But its high monetary value also makes it an attractive target to cyber criminal actors. Hacking campaigns usually target the weakest points in an ecosystem. In Bitcoin, these are currently the exchange platforms. As each exchange breach potentially decreases Bitcoin's market value by billions, it is a threat not only to direct victims, but to everyone owning Bitcoin. Based on an extensive analysis of 36 breaches of Bitcoin exchanges, we show the attack patterns used to exploit Bitcoin exchange platforms using an industry standard for reporting intelligence on cyber security breaches. Based on this we are able to provide an overview of the most common attack vectors, showing that all except three hacks were possible due to relatively lax security. We also show that while the security regimen of Bitcoin exchanges is not on par with other financial service providers, the use of stolen credentials, which does not require any hacking, is decreasing. We also show that the amount of BTC taken during a breach is decreasing, as well as the exchanges that terminate after being breached. With exchanges being targeted by nation-state hacking groups, security needs to be a first concern.

As a collection of innovative technologies, blockchain has solved the problem of reliable transmission and exchange of information on untrusted networks. The underlying implementation is the basis for the reliability of blockchain, which consists of various cryptographic algorithms for the use of identity authentication and privacy protection of distributed ledgers. The cryptographic algorithm plays a vital role in the blockchain, which guarantees the confidentiality, integrity, verifiability and non-repudiation of the blockchain. In order to get the most suitable cryptographic algorithm for the blockchain system, this paper proposed a method using Fuzzy Analytic Hierarchy Process (FAHP) to evaluate and score the comprehensive performance of the three types of cryptographic algorithms applied in the blockchain, including symmetric cryptographic algorithms, asymmetric cryptographic algorithms and hash algorithms. This paper weighs the performance differences of cryptographic algorithms considering the aspects of security, operational efficiency, language and hardware support and resource consumption. Finally, three cryptographic algorithms are selected that are considered to be the most suitable ones for block-chain systems, namely ECDSA, sha256 and AES. This result is also consistent with the most commonly used cryptographic algorithms in the current blockchain development direction. Therefore, the reliability and practicability of the algorithm evaluation pro-posed in this paper has been proved.

In this paper, we apply machine learning to distributed private data owned by multiple data owners, entities with access to non-overlapping training datasets. We use noisy, differentially-private gradients to minimize the fitness cost of the machine learning model using stochastic gradient descent. We quantify the quality of the trained model, using the fitness cost, as a function of privacy budget and size of the distributed datasets to capture the trade-off between privacy and utility in machine learning. This way, we can predict the outcome of collaboration among privacy-aware data owners prior to executing potentially computationally-expensive machine learning algorithms. Particularly, we show that the difference between the fitness of the trained machine learning model using differentially-private gradient queries and the fitness of the trained machine model in the absence of any privacy concerns is inversely proportional to the size of the training datasets squared and the privacy budget squared. We successfully validate the performance prediction with the actual performance of the proposed privacy-aware learning algorithms, applied to: financial datasets for determining interest rates of loans using regression; and detecting credit card frauds using support vector machines.

Big Data Platform provides business units with data platforms, data products and data services by integrating all data to fully analyze and exploit the intrinsic value of data. Data accessed by big data platforms may include many users' privacy and sensitive information, such as the user's hotel stay history, user payment information, etc., which is at risk of leakage. This paper first analyzes the risks of data leakage, then introduces in detail the theoretical basis and common methods of data desensitization technology, and finally puts forward a set of effective market subject credit supervision application based on asccii, which is committed to solving the problems of insufficient breadth and depth of data utilization for enterprises involved, the problems of lagging regulatory laws and standards, the problems of separating credit construction and market supervision business, and the credit constraints of data governance.

In online payment, customers must transmit their personal and financial information through the website to conclude their purchase and pay the services or items selected. They may face possible fears from online transactions raised by their risk perception about financial or privacy loss. They may have concerns over the payment decision with the possible negative behaviors such as shopping cart abandonment. Therefore, customers have three major players that need to be addressed in online payment: the online seller, the payment page, and their own perception. However, few studies have explored these three players in an online purchasing environment. In this paper, we focus on the customer concerns and examine the antecedents of trust, payment security perception as well as their joint effect on two fundamentally important customers' aspects privacy concerns and financial fear perception. A total of 392 individuals participated in an online survey. The results highlight the importance, of the seller website's components (such as ease of use, security signs, and quality information) and their impact on the perceived payment security as well as their impact on customer's trust and financial fear perception. The objective of our study is to design a research model that explains the factors contributing to an online payment decision.

A security breach often makes companies react by changing their attitude and approach to security within the organization. This paper presents an in-depth case study of post-breach security changes made by a company and the consequences of those changes. We employ the principles of participatory action research and humble inquiry to conduct a long-term study with employee interviews while embedded in the organization's security division. Despite an extremely high level of financial investment in security, and consistent attention and involvement from the board, the interviews indicate a significant level of friction between employees and security. In the main themes that emerged from our data analysis, a number of factors shed light on the friction: fear of another breach leading to zero risk appetite, impossible security controls making non-compliance a norm, security theatre underminining the purpose of security policies, employees often trading-off security with productivity, and as such being treated as children in detention rather than employees trying to finish their paid jobs. This paper shows that post-breach security changes can be complex and sometimes risky due to emotions often being involved. Without an approach considerate of how humans and security interact, even with high financial investment, attempts to change an organization's security behaviour may be ineffective.

Financial fraud is commonly represented by the use of illegal practices where they can intervene from senior managers until payroll employees, becoming a crime punishable by law. There are many techniques developed to analyze, detect and prevent this behavior, being the most important the fraud triangle theory associated with the classic financial audit model. In order to perform this research, a survey of the related works in the existing literature was carried out, with the purpose of establishing our own framework. In this context, this paper presents FraudFind, a conceptual framework that allows to identify and outline a group of people inside an banking organization who commit fraud, supported by the fraud triangle theory. FraudFind works in the approach of continuous audit that will be in charge of collecting information of agents installed in user's equipment. It is based on semantic techniques applied through the collection of phrases typed by the users under study for later being transferred to a repository for later analysis. This proposal encourages to contribute with the field of cybersecurity, in the reduction of cases of financial fraud.

Transacting IoT data must be different in many from traditional approaches in order to build much-needed trust in data marketplaces, trust that will be the key to their sustainability. Data generated internally to an organization is usually not enough to remain competitive, enhance customer experiences, or improve strategic decision-making. In this paper, we propose a decentralized and trustless architecture through the posting of trade records while including the transaction process on distributed ledgers. This approach can efficiently enhance the degree of transparency, as all contract-oriented interactions will be written on-chain. Storage via an end-to-end encrypted message channel allows transmitting and accessing trusted data streams over distributed ledgers regardless of the size or cost of the device, while simultaneously making a verifiable Auth-compliant request to the platform. Furthermore, the platform will complete matching, trading and refunding processes with-out human intervention, and it also protects the rights of data providers and consumers through trading policies which apply revolutionary game theory to the machine economy.

Since Bitcoin, the first cryptocurrency that applied blockchain technology was developed by Satoshi Nakamoto, the cryptocurrency market has grown rapidly. Along with this growth, many vulnerabilities and attacks are threatening the Bitcoin ecosystem, which is not only at the bitcoin network-level but also at the service level that applied it, according to the survey. We intend to analyze and detect DDoS attacks on the premise that bitcoin's network-level data and service-level DDoS attacks with bitcoin are associated. We evaluate the results of the experiment according to the proposed metrics, resulting in an association between network-level data and service-level DDoS attacks of bitcoin. In conclusion, we suggest the possibility that the proposed method could be applied to other blockchain systems.

There are some registry agreements that may be appropriate for the Internet of Things (IoT), including Bitcoin, Hyperledger Fabric and IOTA. This article presents quickly and examines them in terms of the progress of Internet applications. Block-dependent IoT applications can consolidate the chain's rationale (smart contracts) and front-end, portable or front-end web applications. We present three possible designs for BC IoT front-end applications. They vary depending on the Bitcoin block chain customer (neighborhood gadget, remote server) and the key location needed to manage active exchanges. The vital requirements of these projects, which use Bitcoin to organize constructive exchanges, are the volumes of information, the area and time of the complete block and block block, and the entry of the Bitcoin store. The implications of these surveys show that it is unlikely that a full Bitcoin distributor will continue to operate reliably with a mandatory IoT gadget. Then, designing with remote Bitcoin customers is, in all respects, a suitable methodology in which there are two minor alternatives and vary in key storage / management. Similarly, we recommend using the design with a unique match between the IoT gadget and the remote blockchain client to reduce system activity and improve security. We hope you also have the ability to operate with versatile verses with low control and low productivity. Our review eliminates the contradictions between synthesis methodologies, but the final choice for a particular registration agreement and the original technique completely depends on the proposed use case.

Bitcoin is a decentralized digital currency whose transactions are recorded in a common ledger, so called blockchain. Due to the anonymity and lack of law enforcement, Bitcoin has been misused in darknet markets which deal with illegal products, such as drugs and weapons. Therefore from the security forensics aspect, it is demanded to establish an approach to identify newly emerged darknet markets' transactions and addresses. In this paper, we thoroughly analyze Bitcoin transactions and addresses related to darknet markets and propose a novel identification method of darknet markets' addresses. To improve the identification performance, we propose a voting based method which decides the labels of multiple addresses controlled by the same user based on the number of the majority label. Through the computer simulation with more than 200K Bitcoin addresses, it was shown that our voting based method outperforms the nonvoting based one in terms of precision, recal, and F1 score. We also found that DNM's addresses pay higher fees than others, which significantly improves the classification.

Bitcoin [1] as a popular digital currency has been a target of theft and other illegal activities. Key to the forensic investigation is to identify bitcoin addresses involved in bitcoin transfers. This paper presents a framework, FABT, for forensic analysis of bitcoin transactions by identifying suspicious bitcoin addresses. It formalizes the clues of a given case as transaction patterns defined over a comprehensive set of features. FABT converts the bitcoin transaction data into a formal model, called Bitcoin Transaction Net (BTN). The traverse of all bitcoin transactions in the order of their occurrences is captured by the firing sequence of all transitions in the BTN. We have applied FABT to identify suspicious addresses in the Mt.Gox case. A subgroup of the suspicious addresses has been found to share many characteristics about the received/transferred amount, number of transactions, and time intervals.

Frauds are known to be dynamic and have no patterns, hence they are not easy to identify. Fraudsters use recent technological advancements to their advantage. They somehow bypass security checks, leading to the loss of millions of dollars. Analyzing and detecting unusual activities using data mining techniques is one way of tracing fraudulent transactions. transactions. This paper aims to benchmark multiple machine learning methods such as k-nearest neighbor (KNN), random forest and support vector machines (SVM), while the deep learning methods such as autoencoders, convolutional neural networks (CNN), restricted boltzmann machine (RBM) and deep belief networks (DBN). The datasets which will be used are the European (EU) Australian and German dataset. The Area Under the ROC Curve (AUC), Matthews Correlation Coefficient (MCC) and Cost of failure are the 3-evaluation metrics that would be used.

Point of Sale (POS) systems has become the technology of choice for most businesses and offering number of advantages over traditional cash registers. They manage staffs, customers, transaction, inventory, sale and labor reporting, price adjustment, as well as keeping track of cash flow, expense management, reducing human errors and more. Whether traditional on-premise POS, or Cloud-Bases POS, they help businesses to run more efficiently. However, despite all these advantages, POS systems are becoming targets of a number of cyber-attacks. Security of a POS system is a key requirement of the Payment Card Industry Data Security Standard (PCI DSS). This paper undertakes research into the PCI DSS and its accompanying standards, in an attempt to break or bypass security measures using varying degrees of vulnerability and penetration attacks in a methodological format. The resounding goal of this experimentation is to achieve a basis from which attacks can be made against a realistic networking environment from whence an intruder can bypass security measures thus exposing a vulnerability in the PCI DSS and potentially exposing confidential customer payment information.

We aim at creating a society where we can resolve various social challenges by incorporating the innovations of the fourth industrial revolution (e.g. IoT, big data, AI, robot, and the sharing economy) into every industry and social life. By doing so the society of the future will be one in which new values and services are created continuously, making people's lives more conformable and sustainable. This is Society 5.0, a super-smart society. Security and privacy are key issues to be addressed to realize Society 5.0. Privacy-preserving data analytics will play an important role. In this talk we show our recent works on privacy-preserving data analytics such as privacy-preserving logistic regression and privacy-preserving deep learning. Finally, we show our ongoing research project under JST CREST “AI”. In this project we are developing privacy-preserving financial data analytics systems that can detect fraud with high security and accuracy. To validate the systems, we will perform demonstration tests with several financial institutions and solve the problems necessary for their implementation in the real world.

Blockchains are emerging technologies that propose new business models and value propositions. Besides their application for cryptocurrency purposes, as distributed ledgers of transactions, they enable new ways to provision trusted information in a distributed fashion. In this paper, we present our product tagging solution designed to help Small & Medium Enterprises (SMEs) protect their brands against counterfeit products and parallel markets, as well as to enhance UX (User Experience) and promote the brand and product.Our solution combines the use of DLT to assure, in a verifiable and permanent way, the trustworthiness and confidentiality of the information associated to the goods and the innovative CP-ABE encryption technique to differentiate accessibility to the product's information.

Mobile payment has drawn considerable attention due to its convenience of paying via personal mobile devices at anytime and anywhere, and passcodes (i.e., PINs or patterns) are the first choice of most consumers to authorize the payment. This paper demonstrates a serious security breach and aims to raise the awareness of the public that the passcodes for authorizing transactions in mobile payments can be leaked by exploiting the embedded sensors in wearable devices (e.g., smartwatches). We present a passcode inference system, WristSpy, which examines to what extent the user's PIN/pattern during the mobile payment could be revealed from a single wrist-worn wearable device under different passcode input scenarios involving either two hands or a single hand. In particular, WristSpy has the capability to accurately reconstruct fine-grained hand movement trajectories and infer PINs/patterns when mobile and wearable devices are on two hands through building a Euclidean distance-based model and developing a training-free parallel PIN/pattern inference algorithm. When both devices are on the same single hand, a highly challenging case, WristSpy extracts multi-dimensional features by capturing the dynamics of minute hand vibrations and performs machine-learning based classification to identify PIN entries. Extensive experiments with 15 volunteers and 1600 passcode inputs demonstrate that an adversary is able to recover a user's PIN/pattern with up to 92% success rate within 5 tries under various input scenarios.

From financial services platforms to social networks to vehicle control, software has come to mediate many activities of daily life. Governing bodies and standards organizations have responded to this trend by creating regulations and standards to address issues such as safety, security and privacy. In this environment, the compliance of software development to standards and regulations has emerged as a key requirement. Compliance claims and arguments are often captured in assurance cases, with linked evidence of compliance. Evidence can come from testcases, verification proofs, human judgement, or a combination of these. That is, we try to build (safety-critical) systems carefully according to well justified methods and articulate these justifications in an assurance case that is ultimately judged by a human. Yet software is deeply rooted in uncertainty making pragmatic assurance more inductive than deductive: most of complex open-world functionality is either not completely specifiable (due to uncertainty) or it is not cost-effective to do so, and deductive verification cannot happen without specification. Inductive assurance, achieved by sampling or testing, is easier but generalization from finite set of examples cannot be formally justified. And of course the recent popularity of constructing software via machine learning only worsens the problem - rather than being specified by predefined requirements, machine-learned components learn existing patterns from the available training data, and make predictions for unseen data when deployed. On the surface, this ability is extremely useful for hard-to specify concepts, e.g., the definition of a pedestrian in a pedestrian detection component of a vehicle. On the other, safety assessment and assurance of such components becomes very challenging. In this talk, I focus on two specific approaches to arguing about safety and security of software under uncertainty. The first one is a framework for managing uncertainty in assurance cases (for "conventional" and "machine-learned" systems) by systematically identifying, assessing and addressing it. The second is recent work on supporting development of requirements for machine-learned components in safety-critical domains.

Recent years have seen an increased interest in digital wallets for a multitude of use cases including online banking, cryptocurrency, and digital identity management. Digital wallets play a pivotal role in the secure management of cryptographic keys and credentials, and for providing certain identity management services. In this paper, we examine a proof-of-concept digital wallet in the context of Self-Sovereign Identity and provide a practical decentralized key recovery solution using Shamir's secret sharing scheme and Hyperledger Indy distributed ledger technology.

A blockchain is a distributed ledger forming a distributed consensus on a history of transactions, and is the underlying technology for the Bitcoin cryptocurrency. However, its applications are far beyond the financial sector. The transaction verification process for cryptocurrencies is much slower than traditional digital transaction systems. One approach to increase transaction speed and scalability is to identify a solution that offers faster Proof of Work. In this paper, we propose a method for accelerating the process of Proof of Work based on parallel mining rather than solo mining. The goal is to ensure that no more than two or more miners put the same effort into solving a specific block. The proposed method includes a process for selection of a manager, distribution of work and a reward system. This method has been implemented in a test environment that contains all the characteristics needed to perform Proof of Work for Bitcoin and has been tested, using a variety of case scenarios, by varying the difficulty level and number of validators. Preliminary results show improvement in the scalability of Proof of Work up to 34% compared to the current system.

We provide an agent based simulation model of the Swedish payment system. The simulation model is to be used to analyze the consequences of loss of functionality, or disruptions of the payment system for the food and fuel supply chains as well as the bank sector. We propose a gaming simulation approach, using a computer based role playing game, to explore the collaborative responses from the key actors, in order to evoke and facilitate collective resilience.