Every form of electronic payment, may it be to book an online ticket or bill payment online, inevitable leaves some kind of traces that define potential threats for data security. However, users are often not aware of such risks and, therefore, researchers worked on solving the issue. A team made of researchers from Karlsruhe Institute of Technology (KIT) have developed a secure and anonymous system to solve the privacy issue, and have presented it at the ACM Conference on Computer and Communications Security (CCS) 2007 in the USA a few days ago.

The computer scientist Andy Rupp, member of the “Cryptography and Security” working group of KIT identified an huge issue in the lack of awareness toward potential risk: “I observed that only few users are aware of the fact that by using such bonus or payment systems they disclose in detail how and what they consume or which routes they have taken.”

To avoid the intromission of dishonest third parties in the daily transactions of customers, account balances of payment and bonus systems and customer data are usually administrated exploiting a central database. Every time a payment is done, the paying customer is identified and the details concerning the transactions are communicated and transmitted to the central database. Such exchange of information creates data trace which could be exploited by the provider or thirds parties for dishonest uses.

Mr Rupp wanted to find a solution to the issue which put users between a rock and a hard place, with the system supposed to protect privacy representing an issue for security. Therefore, together with Gunnar Hartung and Matthias Nagel of KIT and Max Hoffmann of Ruhr-Universität Bochum, he has now presented the basics of an “electronic purse” that works anonymously, but prevents misuse at the same time.

The “black-box accumulation plus” (BBA+) protocol created by the researchers transfers all necessary account data to the card used or the smartphone and guarantees their confidentiality exploiting cryptographic methods. Furthermore, BBA+ offers security guarantees for the operator of the bonus or payment system: in fact, the protocol guarantees a correct account balance and is mathematically constructed such that the identity of the user is disclosed as soon as the attempt is made to pay with a manipulated account.

The new protocol can be considered as an improved successor of a previously created an anonymous bonus card system, also developed by the KIT research group, which required an internet connection to prevent misuse. “Our new protocol guarantees privacy and security for customers during offline operation as well,” Andy Rupp explained. “This is needed for ensuring the payment system’s suitability for daily use. Think of a subway turnstile or a toll bridge. There you may have no internet connection at all or it is very slow.” Also, its high efficiency makes the protocol suited for everyday use. In fact, during the test, researchers executed payments within about one second.

Written by: Pietro Paolo Frigenti

Source: KIT Press Release. (2017). Secure Payment without Leaving a Trace. Press release 152/2017. Released on October 17, 2017