Menezes, A. J., P. C. van Oorschot, and S. A. Vanstone, Handbook of Applied Cryptography , Boca Raton, FL: CRC Press, 1996.
Appendix B: Generic Security Threats
The most obvious threat to a communication established between two parties, the sender A(lice) and the receiver B(ob), is a third party E(ve), also called eavesdropper or attacker, who wiretaps the communication channel, as schematized in Figure B.1.
Figure B.1: Communication channel wiretapping.
It can be argued that wiretapping is difficult, but, in fact, it is just a matter of cost. Tapping a telephone line is cheaper than tapping a communication held on a Bluetooth channel, an optical cable, or even a coaxial cable. Tapping an Internet connection is also much easier than penetrating the proprietary communication network of a card association. The attacker's determination to wiretap a communication line is motivated only by the potential gain, which should be higher than the cost of the technologies needed to break in. There are two major wiretapping possibilities. Passive wiretapping consists of listening in on the messages sent on the communication channel, which can result in unauthorized disclosure of information. Active wiretapping consists of intercepting, modifying, and then relaying the messages, which can result in the modification of the information transmitted between parties. Active wiretapping is more difficult than passive wiretapping.
Other threats can be associated with the attempts of the communicating parties to misbehave during the protocols carried out between them, which can result in false statements of the sender or receiver. This category of threats is meaningful for the communication between two parties that are mutually distrustful and try to repudiate a transaction after its completion. As an example, the cardholder and the issuing bank can be considered parties that are mutually distrustful. On one hand the cardholder can deny a previous money withdrawal at an ATM, hoping that the evidence about this transaction provided by the bank to a judge, who is called to arbitrate the dispute, will be not enough to incriminate him or her. On the other hand, a bank can falsely claim that the cardholder withdrew money from her account, while, in fact, this transaction never happened . In the real world the second scenario is less probable then the first scenario. However, a threat analysis has to identify all the possible deviations by parties from the normal behavior. It is also worth noticing that it is not the bank that is mounting the attack (after all, the bank is a role that is played by an actor), but rather a dishonest employee abusing the prerogatives of his position with the bank.
In the remainder of this appendix some of the generic threats related to the communication between two parties are discussed.
Attempting to intercept sensitive information exchanged between two parties is called eavesdropping or monitoring. In the case of electronic payment systems, the threat of eavesdropping consists of obtaining confidential financial information while it is being exchanged between the parties. The attacker can use this information in a variety of scenarios for obtaining material advantages.
The impersonation threat consists of the false association between the entity involved in a transaction and the authorized entity, which is entitled to participate in that transaction. In the context of payment systems, the impersonation threat refers mainly to cardholder impersonation and issuer impersonation, since the business interests of these two roles are the most endangered when the attacks exploiting the impersonation threat succeed. Also, the terminal impersonation can lead to leakage of financial information stored by cards that can be further exploited by an attacker.
The data modification threat targets both the data sent on the communication channel between two parties and the content of data stored in computers representing the parties during protocols. The data modification threat on the communication channel between parties assumes active wiretapping by the attacker who attempts to alter in an undetectable manner the transaction data sent between the parties. The undetectable alteration of the data content stored in the computers of parties participating in a protocol is another form of a data modification threat. When referring to electronic payment systems, the most frequent attack of this kind is the modification of a card content through a successful impersonation of the issuer.
Somehow a paradoxical situation can appear where the sender and receiver have established a secure channel for their communication, protecting against eavesdropping, data origin impersonation, and data modification, but they did not consider the time coordinate in their security implementation. If the receiver has no means to distinguish between identical messages retransmitted at different moments in time, an attacker could use this weakness to mount a replay attack. The attacker taps the communication channel and copies both data and security information, which is replayed later. If the data represents a transaction proof, a dishonest receiver could claim more than one time the payment from the sender.
When the parties participating in a protocol are mutually distrustful, the denial attack consists of false statements of the sender or receiver about their participation in the protocol. The sender could deny the fact that she sent a message to the receiver while the receiver could deny that he ever received the message claimed by the sender. This category of threats is meaningful for the communication between two parties that try to repudiate a transaction after its completion.
The implementation of many security mechanisms involves secret cryptographic parameters, like secret keys for symmetric ciphers, private keys for asymmetric ciphers, and PIN codes for off-line card-holder verification. These secret parameters have to be stored in plaintext in the permanent memory of the device, during its personalization stage. Since cards and terminals are operated in an unprotected environment, there is the threat that an attacker tampers with the device in order to obtain the values of cryptographic parameters stored in the device or to modify sensitive data in the device. Two kinds of attempts can be mentioned: physical penetration and logical penetration. Physical penetration refers to the attempt of directly accessing the hardware resources of a device in order to read, modify, or delete sensitive information. Logical penetration of a device refers to obtaining or modifying sensitive information in a device only through eligible commands with suitably chosen parameters. These commands bring the device in a "sensitive state" that allows functions that are not normally permitted. Logical penetration is sometimes called data manipulation.