Pretense: A New Threat to Electronic Settlement Systems
INET98 Track3: Commerce and Finance
S.Miwa and Y.Shinoda
School of Informational Science
JAIST
Contents
• Introduction
• Electronic Settlement Systems Overview
• A new threat to ESS : “Pretense”
• Improvements to ESS to resist “Pretense”
• Conclusion
Introduction
• Practical use in the near future
  – Various Electronic Settlement Systems (ESS)
  – ESS for Open-network systems like the Internet
• But existing ESS has drawbacks
Electronic Settlement Systems
• To settle, an ESS must correctly communicate
  – information about a payment
    • “who”, “whom” and “how much”
  – among correct peers
    • a payer, a payee and a settlement institution
  – using 2-way authentication technology to specify the correct peer
ESS on open network systems
• Exposed to various threats
  – eavesdropping, interpolation and impersonation
• ESS can prevent these existing threats with
  – 2-way authentication technology
  – cryptography
  – electronic signature technology
• But, a new threat “Pretense” does exist
Designation of the payee
• ESS on open network systems are composed of
  – Designation, Authentication and Communication
The Payer The Payee
1) Designates the Payee
2) Authenticates mutually
3) Communicates payment information
Can Payer designate the correct Payee?
• Payer cannot always specify who is the correct Payee
  – If Payer already knows the correct Payee
    • Payer never designates the wrong Payee
  – If Payer doesn’t know the correct Payee
    • It is difficult for that Payer to designate the correct Payee
Payer Cannot always designate the correct Payee
• Malicious entity alters the correct ID to its ID
  – The correct ID
    • Payer designates the correct Payee
  – The ID is altered
    • Payer then designates the wrong Payee
• This injustice is called “Pretense”
  – The entity can receive the payment as a correct Payee
What is “Impersonation”?
The Payer
1) Designates the correct Payee
2) Communicates payment information
The Correct Payee
The Impersonated Payee
2’) Communicates payment information
Impersonation
What is “Pretense”?
The Payer
1) Designates the correct Payee
The Correct Payee
The Pretended Payee
2’) Communicates payment information
1’) Designates the pretended Payee
Pretense
Threat arising from “Pretense”
• The correct Payee on existing ESS
  – Anyone who was designated by Payer
  – Pretended payee can be paid the right payment as the correct Payee
• Existing ESS are not immune to “Pretense”
Is demand for a refund possible?
• Key factors for refund
  – Identifying the pretended payee
  – The legal basis of a refund
• Is establishing the “Pretense” as an imposture possible?
Identifying the pretended payee
• Payer must identify “whom” Payer paid
  – On ESS which does not provide anonymity
    • Payer may be able to identify Pretended Payee
  – Most of ESS which provide anonymity
    • Payer cannot identify Pretended Payee
  – Newer ESS provides anonymity that is cancelable
    • Payer can identify Pretended Payee
The legal basis of a refund
• If “Pretense” was to take place, is there any breach of contract?
  – The legal basis of a refund is required
  – Generally, it is breach of contract
Contract of generic mail-order
The Customer The Merchant
1) Presentation of the goods
2) Order
3) Receipt of the goods
4) Payment (Customer’s fulfillment)
5) Delivery of the goods (Merchant fulfillment)
Breach of Contract
Non fulfillment
Contract of online-shopping
The Customer The Correct Merchant
The Pretended Merchant
1) Presentation of the goods
2) Order
3) Receipt of the goods
4) Payment with ESS
Pretense
4’) Payment with ESS
No Breach of Contract
Even if Pretended Merchant doesn’t deliver the ordered goods
Payer cannot be refunded under “Pretense”
• Existing ESS doesn’t manage Sales Contract
  – Even if Payer concludes Sales Contract with Pretended Payee
    • Payer cannot prove Link between Payment and Sales Contract
    • Payer cannot prove breach of contract
  – Refund cannot be demanded on breach of contract
“Pretense” as an imposture
• Existing ESS cannot prove that “Pretense” was committed
  – can prove only about the payment
    • “who”, “whom” and “how much”
  – can do nothing against “Pretense”
• But, ESS must resist “Pretense”
ESS to resist pretense
• An immediate and intuitive solution
  – Make the information for designating Payee public
  – Communicate over the secure communication route
• 2 improvements for ESS to resist pretense
  – Traceability
  – Contract Function
Providing Traceability
• Some ESS don’t provide anonymity
  – Electronic Check System
  – Secure Credit Card Payment System
  – They are already providing traceability
• Newer ESS have a function to cancel anonymity
  – These ESS provide traceability
• With this, Pretended payee can be identified
Providing Contract Function
• ESS must manage the sales contract
  – Make the legal basis of a refund clear
• Add a function that
  – Conclude the sales contract
• Manage Link between
  – Sales Contract
  – Payment
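Added example (not from the original slides): a Python sketch of the Contract Function, linking a payment to a signed sales contract so that the link can be checked afterwards. HMAC under keys registered with the settlement institution stands in for electronic signatures; the party names, keys and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC under keys registered with the settlement
# institution stands in for the electronic signatures the slides mention.
KEYS = {"customer-1": b"demo-key-c1", "merchant-A": b"demo-key-mA",
        "merchant-X": b"demo-key-mX"}

def _canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _sign(party, obj):
    return hmac.new(KEYS[party], _canon(obj), hashlib.sha256).hexdigest()

def _digest(contract):
    return hashlib.sha256(_canon(contract)).hexdigest()

def conclude_contract(customer, merchant, goods, price):
    """Contract function: both parties sign the same sales terms."""
    terms = {"customer": customer, "merchant": merchant,
             "goods": goods, "price": price}
    return {"terms": terms, "sig_customer": _sign(customer, terms),
            "sig_merchant": _sign(merchant, terms)}

def pay(payer, payee, amount, contract):
    """Payment states who, whom and how much, plus the contract digest."""
    body = {"payer": payer, "payee": payee, "amount": amount,
            "contract": _digest(contract)}
    return {"body": body, "sig_payer": _sign(payer, body)}

def check_link(payment, contract):
    """Return the problems found; an empty list means the payment is
    provably the customer's fulfillment of this signed contract."""
    t, b, problems = contract["terms"], payment["body"], []
    sigs = [(contract["sig_customer"], t["customer"], t),
            (contract["sig_merchant"], t["merchant"], t),
            (payment["sig_payer"], b["payer"], b)]
    if not all(hmac.compare_digest(s, _sign(p, o)) for s, p, o in sigs):
        problems.append("signature invalid")
    if b["contract"] != _digest(contract):
        problems.append("payment not linked to this contract")
    if b["payee"] != t["merchant"]:
        problems.append("payee differs from contracting merchant")
    if b["payer"] != t["customer"] or b["amount"] != t["price"]:
        problems.append("payer or amount differs from contract")
    return problems
```

With a contract concluded with merchant-A, a payment whose payee ID was altered to merchant-X is reported as "payee differs from contracting merchant". When merchant-X concluded the contract itself, the check passes and the payer holds merchant-X's signature on the terms, which is the evidence needed to show non-delivery as a breach of contract.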
Conclusion
• Existing ESS cannot resist “Pretense”
  – By examining both technical and legal aspects of “Pretense”
• Have proposed 2 improvements
  – Traceability
  – Contract Function
• ESS can be made “Pretense Resistant”
  – NECS extension