Digital wallets are a new form of payment technology that provides a secure and convenient way of making contactless payments through smart devices. In this paper, we study the security of financial transactions made through digital wallets, focusing on the authentication, authorization, and access control security functions. We find that the digital payment ecosystem supports decentralized delegation of authority, which is susceptible to a number of attacks. First, an attacker adds the victim's bank card to their own (the attacker's) wallet by exploiting the authentication method agreement procedure between the wallet and the bank. Second, the attacker exploits the unconditional trust between the wallet and the bank to bypass payment authorization. Third, the attacker uses the differences between payment types as a trap door to violate the access control policy for payments. The implications of these attacks are serious: the attacker can make purchases of arbitrary amounts with the victim's bank card even after the victim has locked the card and reported it to the bank as stolen. We validate these findings in practice against major US banks (notably Chase, AMEX, Bank of America, and others) and three digital wallet apps (ApplePay, GPay, and PayPal).
2023
Redefining the Driver’s Attention Gauge in Semi-Autonomous Vehicles
Raja Hasnain Anwar , Fatima Muhammad Anwar , Muhammad Kumail Haider , and 2 more authors
In Proceedings of the Int'l ACM Conference on Modeling, Analysis and Simulation of Wireless and Mobile Systems (MSWiM) , 2023
Driver distraction caused by over-reliance on automotive technology is one of the leading causes of accidents in semi-autonomous vehicles. Existing approaches to gauging the driver's attention are intrusive and, as such, emphasize constant driver engagement. In the case of an urgent traffic event, they fail to measure the event's criticality and therefore fail to generate timely alerts. In this paper, we re-position the driver's attention gauge as a way to improve the driver's situational awareness during critical situations. We exploit how a vehicle captures information about its surroundings to turn an automotive decision into a definition of the criticality and timeliness of an alert. To do so, we identify the relationship between a traffic event, the type of automotive sensing technology, and the processing resources needed to capture that event, and use this relationship to design the driver's attention gauge. We evaluate the timeliness of alerts for different traffic scenarios on a prototype built using an NVIDIA Jetson Xavier AGX and the CARLA simulator. Our results show that we can improve the timeliness of an alert by up to 75x compared to existing state-of-the-art approaches, while also providing feedback on its criticality.
Detecting Privacy Threats with Machine Learning: A Design Framework for Identifying Side-Channel Risks of Illegitimate User Profiling
Raja Hasnain Anwar , Yi Zoe Zou , and Muhammad Taqi Raza
In Proceedings of the Americas Conference on Information Systems (AMCIS) , 2023
Privacy leakage has become prevalent and severe with the increasing adoption of the internet of things (IoT), artificial intelligence (AI), and blockchain technologies. Such data-intensive systems are vulnerable to side-channel attacks, in which attackers extract sensitive information from a digital device without actively manipulating the target system. Nevertheless, there is a scarcity of information systems (IS) research on how businesses can effectively detect and safeguard against side-channel attacks. This study adopts the design science paradigm and lays the groundwork for systematic inquiry into the assessment of privacy risks related to side channels. In this paper, we a) highlight the privacy threats posed by side-channel attacks, b) propose a machine learning-driven design framework to identify side-channel privacy risks, and c) contribute to the literature on privacy analytics using machine learning techniques. We demonstrate a use case of the proposed framework with a text classification model that uses keystroke timings as a side channel.
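To make the keystroke-timing side channel mentioned in this abstract concrete, the following is an added example (written here, not the paper's own model or data). It shows the core of such an attack: a passive observer who sees only inter-keystroke latencies (for example, packet arrival times of an interactive session) fits a per-digraph latency model from labelled captures and then scores candidate words by likelihood to recover which one was typed. All timing figures, the hand-assignment classes, the vocabulary and the seeded pseudo-random "captures" are constructed for illustration and are assumptions, not measurements.

```python
"""Keystroke-timing side channel, as a small worked example (added here; not
the paper's model or data).  A passive observer who sees only the timing of
keystrokes scores candidate words with a per-digraph latency model and picks
the best fit.

All latency figures are constructed: a seeded PRNG stands in for real
captures, and the hand/finger classes are a simplifying assumption.
"""
import math
import random
from collections import defaultdict

# Assumption: standard QWERTY hand assignment for the letters used below.
LEFT_HAND = set("qwertasdfgzxcvb")


def digraph_class(a, b):
    """Coarse timing class for the key pair (a, b)."""
    if a == b:
        return "repeat"           # same key twice: slowest
    if (a in LEFT_HAND) != (b in LEFT_HAND):
        return "alternate"        # hand alternation: fastest
    return "same_hand"


# Constructed (mean ms, std ms) per class; chosen to be separable, not measured.
CLASS_PARAMS = {"repeat": (230, 25), "alternate": (110, 20), "same_hand": (170, 20)}


def simulate_latencies(word, rng):
    """Constructed capture: one inter-keystroke latency per consecutive pair."""
    return [rng.gauss(*CLASS_PARAMS[digraph_class(a, b)])
            for a, b in zip(word, word[1:])]


class DigraphModel:
    """Gaussian latency model per digraph, fitted from labelled captures."""

    def __init__(self):
        self.samples = defaultdict(list)

    def fit(self, word, latencies):
        for (a, b), t in zip(zip(word, word[1:]), latencies):
            self.samples[a + b].append(t)

    def _params(self, digraph):
        xs = self.samples.get(digraph)
        if not xs or len(xs) < 2:
            return None
        mu = sum(xs) / len(xs)
        var = sum((x - mu) ** 2 for x in xs) / (len(xs) - 1)
        return mu, math.sqrt(var) + 1e-6

    def log_likelihood(self, word, latencies):
        """Log p(latencies | word); -inf if the lengths cannot match."""
        if len(latencies) != len(word) - 1:
            return float("-inf")
        total = 0.0
        for (a, b), t in zip(zip(word, word[1:]), latencies):
            params = self._params(a + b)
            # Unseen digraph: broad prior instead of rejecting the candidate.
            mu, sd = params if params else (170.0, 60.0)
            total += -0.5 * ((t - mu) / sd) ** 2 - math.log(sd * math.sqrt(2 * math.pi))
        return total

    def classify(self, candidates, latencies):
        """Return (best_word, ranked list of (score, word))."""
        ranked = sorted(((self.log_likelihood(w, latencies), w) for w in candidates),
                        reverse=True)
        return ranked[0][1], ranked


# Candidate words are all 8 letters so that length alone leaks nothing.
VOCAB = ["password", "sunshine", "keyboard", "computer"]


def build_model(seed=7, samples_per_word=40):
    """Train on constructed labelled captures of every word in VOCAB."""
    rng = random.Random(seed)
    model = DigraphModel()
    for w in VOCAB:
        for _ in range(samples_per_word):
            model.fit(w, simulate_latencies(w, rng))
    return model


def demo_accuracy(trials=50, seed=11):
    """Fraction of fresh captures whose typed word is recovered from timing."""
    model = build_model()
    rng = random.Random(seed)
    correct = 0
    for i in range(trials):
        secret = VOCAB[i % len(VOCAB)]
        guess, _ = model.classify(VOCAB, simulate_latencies(secret, rng))
        correct += guess == secret
    return correct / trials


if __name__ == "__main__":
    print(f"recovered typed word in {demo_accuracy():.0%} of trials")
```

The point of the example is the shape of the risk rather than the numbers: the classifier never sees key values, only the gaps between keystrokes, and a per-digraph model is enough to separate candidates whose digraph classes differ in a few positions. A defender's mitigation is correspondingly about the timing channel itself (for instance, emitting keystroke traffic at a constant rate or adding padding), not about encrypting the key values, which the attacker never needed.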