Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6–9, 2021, Proceedings, Part II

Research Article

An Empirical Study on Mobile Payment Credential Leaks and Their Exploits

  • @INPROCEEDINGS{10.1007/978-3-030-90022-9_5,
      author={Shangcheng Shi and Xianbo Wang and Kyle Zeng and Ronghai Yang and Wing Cheong Lau},
      title={An Empirical Study on Mobile Payment Credential Leaks and Their Exploits},
      proceedings={Security and Privacy in Communication Networks. 17th EAI International Conference, SecureComm 2021, Virtual Event, September 6--9, 2021, Proceedings, Part II},
      proceedings_a={SECURECOMM PART 2},
      year={2021},
      month={11},
      keywords={Mobile payment, Payment credentials, Security testing},
      doi={10.1007/978-3-030-90022-9_5}
    }
  • Shangcheng Shi, Xianbo Wang, Kyle Zeng, Ronghai Yang, Wing Cheong Lau. An Empirical Study on Mobile Payment Credential Leaks and Their Exploits. SECURECOMM PART 2, Springer, 2021. DOI: 10.1007/978-3-030-90022-9_5
Shangcheng Shi*, Xianbo Wang, Kyle Zeng, Ronghai Yang, Wing Cheong Lau
    *Contact email: ss016@ie.cuhk.edu.hk

    Abstract

    Mobile apps increasingly integrate with payment services, letting users pay for orders through a third-party payment service provider, referred to here as a Cashier. During the payment process, both the app and the Cashier rely on a set of credentials to secure the service. Despite their importance, many developers overlook the protection of these payment credentials and inadvertently expose them in the wild. Such leaks severely affect the security of end users and of the merchants behind the apps, resulting in privacy violations and actual financial loss. In this paper, we study payment credential leaks for four top-tier Cashiers that together serve over one billion users and tens of millions of merchants globally. By studying practical mobile payment systems, we identify new sources of payment credential leaks and find four types of exploits with severe consequences, caused by the credential leaks in combination with additional implementation flaws. We also design an automated tool, PayKeyMiner, and use it to discover around 20,000 leaked payment credentials affecting thousands of apps. We have reported our findings to the Cashiers. All of them have confirmed the issue and pledged to notify the affected merchant apps, and some of these apps have since rotated the leaked payment credentials.

    Keywords
    Mobile payment Payment credentials Security testing
    Published
    2021-11-04
    Appears in
    SpringerLink
    http://dx.doi.org/10.1007/978-3-030-90022-9_5
    Copyright © 2021–2025 ICST