Risk Assessment of Mobile Payment System Based on STRIDE and Fuzzy Comprehensive Evaluation

doi:10.3969/j.issn.1671-1122.2020.02.007

Abstract

Abstract:

With the development of mobile communication technology and the popularity of smart phones, mobile payment is becoming more and more popular. However, the security weaknesses of wireless networks, system vulnerabilities in mobile devices, and account hijacking have all contributed to the security of mobile payments. This paper starts with the mobile payment transaction process, analyzes the security threat of mobile payment system, and proposes a risk assessment method, so that both parties can conduct security assessment on the transaction process to make security decisions. The method uses the STRIDE threat model to build an indicator system and uses a fuzzy comprehensive evaluation method to assess the risk of the transaction. A threat mitigation model based on trusted network connection (TNC) is established, and the security of mobile payment system is enhanced according to the evaluation result. Quantitative indicators are used in the assessment and a transaction-level fine-grained risk assessment is achieved. At the end of this paper, the risk assessment method is validated and analyzed by using two typical application scenarios.

Key words: mobile payment, risk assessment, fuzzy comprehensive evaluation

CLC Number:

TP309

LIU Yonglei, JIN Zhigang, HAO KUN, ZHANG Weilong. Risk Assessment of Mobile Payment System Based on STRIDE and Fuzzy Comprehensive Evaluation[J]. Netinfo Security, 2020, 20(2): 49-56.

Figures/Tables 7

References 20

[1]	SUN Jing, CHI Ting, Law R.Investigating the Adoption of Apparel M-commerce in the US Market[J]. International Journal of Clothing Science and Technology, 2019, 31(4): 544-563.
[2]	CHUN S H.E-Commerce Liability and Security Breaches in Mobile Payment for e-Business Sustainability[J]. Sustainability, 2019, 11(3): 715
[3]	AGHILI S F, MALA H, Security Analysis of An Ultra-lightweight RFID Authentication Protocol for M-commerce[J]. International Journal of Communication Systems, 2019, 32(3): 37-38
[4]	YANG Wenbo, LI Juanru, ZHANG Yuanyuan, et al. Security Analysis of Third-party in App Payment in Mobile Applications[EB/OL]. , 2019-4-15.
[5]	OBAID M, BAYRAM Z, SALEH M. Instant Secure Mobile Payment Scheme[EB/OL]. , 2019-4-15.
[6]	SONG Bo, YAN Wei, ZHANG Tianjiao.Cross-border E-commerce Commodity Risk Assessment Using Text Mining and Fuzzy Rule-based reasoning[J]. Advanced Engineering Informatics, 2019, 40(5): 69-80.
[7]	ZHANG Xinmin, ZHAO Xumin, WU Na.Credit Risk Assessment Model for Cross-border E-commerce in a BP Neural Network Based on PSO-GA[J]. Agro Food Industry Hi-Tech, 2017, 28(1): 411-414.
[8]	ZHUANG Zhengyun, LIN Changching, CHEN Chihyung, et al. Rank-Based Comparative Research Flow Benchmarking the Effectiveness of AHP-GTMA on Aiding Decisions of Shredder Selection by Reference to AHP-TOPSIS[EB/OL]. , 2019-4-15.
[9]	ZHANG Yajuan, DENG Xinyang, WEI Daijun, et al.Assessment of E-Commerce Security Using AHP and Evidential Reasoning[J]. Expert Systems with Applications, 2012, 39(3): 3611-3623.
[10]	KAROUI Kamel.Security Novel Risk Assessment Framework Based on Reversible Metrics: A Case Study of DDoS Attacks on An E-commerce Web Server[J]. International Journal of Network Management, 2016, 26(6): 553-578.
[11]	DAI Yue, VIKEN G, JOO E, et al.Risk Assessment in E-commerce: How Sellers’ Photos, Reputation Scores, and the Stake of Atransaction in Fluence Buyers’ Purchase Behavior and Information Processing[J]. Computers in Human Behavior, 2018, 84(5): 342-351.
[12]	ADAM Shostack.Threat Modeling Designing for Security[M]. Beijng: China Machine Press, 2015.
	亚当·斯塔克.威胁建模设计和交付更安全的软件[M].北京:机械工业出版社,2015.
[13]	Trusted Computing Group. TCG Guidance for TPM 2.0 Mobile Implementations[EB/OL]. , 2019-4-15.
[14]	Cloud Security Alliance. The Treacherous 12-Top Threats to Cloud Computing[EB/OL]. , 2019-4-15.
[15]	XU Junfeng, WU Shizhong, ZHANG Li.Survey on Attack and Defense Technologies of Android Software Security[J]. Transactions of Beijing Institute of Technology, 2017, 37(2): 163-167.
	徐君锋,吴世忠,张利. Android软件安全攻防对抗技术及发展[J]. 北京理工大学学报,2017,37(2):163-167.
[16]	BARROWCLOUGH J P, ASIF R. Securing Cloud Hypervisors: A Survey of the Threats, Vulnerabilities, and Countermeasures[EB/OL]. , 2019-4-15.
[17]	JU Pinghua, HUANG Guangquan, XIAO Liming, et al.Optimization Method of Assembly Sequence Based on Multi-objective Fuzzy Comprehensive Evaluation[J]. Journal of Harbin Institute of Technology, 2018, 50(7): 154-163.
	鞠萍华,黄广全,肖莉明,等.多目标模糊综合评价的装配序列优选方法[J]. 哈尔滨工业大学学报,2018,50(7):154-163.
[18]	WANG Shuang, LI Zhiping, XIN Qian, et al.Overall Safety Assessment of Fuzzy Comprehensive Evaluation Method[J]. Modern Electronics Technique, 2019, 42(11): 82-86.
	王双,李志平,辛倩,等.模糊综合评价法的整体安全评估[J]. 现代电子技术,2019,42(11):82-86.
[19]	Trusted Computing Group. TCG Trusted Network Communications TNC Architecture for Interoperability Specification Version 2.0[EB/OL]. , 2019-4-15.
[20]	ZHAO Bo, XIANG Cheng, ZHANG Huanguo.A Trusted Network Connect Protocol for Resisting Man-in-the-Middle Attack[J]. Chinese Journal of Computers, 2019, 42(5): 1137-1148.
	赵波,向程,张焕国.一种抵御中间人攻击的可信网络连接协议[J]. 计算机学报,2019,42(5):1137-1148.

指标	名称	威胁	示例说明
1	信誉	T	恶意刷评价
2	交易数据安全	T、I	窃取隐私数据、数据丢失
3	通信安全	S、T、R、I、D、E	4G、Wi-Fi安全
4	移动设备安全	S、T、R、I、E	手机病毒、非法接口、恶意APP
5	云服务器安全	T、I、E	虚拟化安全、认证和接入安全
6	移动支付协议安全	S、T、R、I	认证漏洞、公平性问题、信任危机
7	拒绝服务攻击	D	资源耗尽攻击、分布式DoS
8	系统漏洞	S、T、R、I、D、E	操作系统内核、类库、应用程序漏洞
9	APT攻击	I、E	长期隐蔽攻击
10	身份认证安全	S、T、R、I、D、E	账号窃取

安全等级	区间	定义	离散值T
危险	(0,1)	面临严重安全危险	0
低	[1,2)	面临较高安全风险	1
中	[2,3)	面临中等安全风险	2
较高	[3,4)	面临较低安全风险	3
高	[4,5)	面临低安全风险	4