{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,8]],"date-time":"2025-10-08T15:39:11Z","timestamp":1759937951647},"publisher-location":"Cham","reference-count":38,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030321000"},{"type":"electronic","value":"9783030321017"}],"license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"tdm","delay-in-days":0,"URL":"http:\/\/www.springer.com\/tdm"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019]]},"DOI":"10.1007\/978-3-030-32101-7_13","type":"book-chapter","created":{"date-parts":[[2019,10,11]],"date-time":"2019-10-11T07:04:00Z","timestamp":1570777440000},"page":"201-221","update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Designed to Be Broken: A Reverse Engineering Study of the 3D Secure 2.0 Payment Protocol"],"prefix":"10.1007","author":[{"given":"Mohammed Aamir","family":"Ali","sequence":"first","affiliation":[]},{"given":"Aad","family":"van Moorsel","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2019,9,30]]},"reference":[{"key":"13_CR1","doi-asserted-by":"publisher","unstructured":"Ahmad, Z., Francis, L., Ahmed, T., Lobodzinski, C., Audsin, D., Jiang, P.: Enhancing the security of mobile applications by using TEE and (U)SIM. In: 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 2013 IEEE 10th International Conference on Autonomic and Trusted Computing, pp. 575\u2013582, December 2013. \n https:\/\/doi.org\/10.1109\/UIC-ATC.2013.76","DOI":"10.1109\/UIC-ATC.2013.76"},{"key":"13_CR2","unstructured":"Alexa: Alexa - Top Sites by Category: Business\/E-Commerce (2018). \n https:\/\/goo.gl\/V52tcs"},{"issue":"2","key":"13_CR3","doi-asserted-by":"publisher","first-page":"78","DOI":"10.1109\/MSP.2017.27","volume":"15","author":"MA Ali","year":"2017","unstructured":"Ali, M.A., Arief, B., Emms, M., van Moorsel, A.: Does the online card payment landscape unwittingly facilitate fraud? IEEE Secur. Priv. 15(2), 78\u201386 (2017)","journal-title":"IEEE Secur. Priv."},{"key":"13_CR4","unstructured":"AOWASP: Cross-site scripting (XSS) OWASP (2018). \n https:\/\/goo.gl\/x54ner"},{"key":"13_CR5","doi-asserted-by":"crossref","unstructured":"Barth, A., Caballero, J., Song, D.: Secure content sniffing for web browsers, or how to stop papers from reviewing themselves. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 360\u2013371. IEEE (2009)","DOI":"10.1109\/SP.2009.3"},{"key":"13_CR6","unstructured":"van den Breekel, J., Ortiz-Yepes, D.A., Poll, E., de Ruiter, J.: EMV in a nutshell. Technical report, Radboud Universiteit Nijmegen (2016)"},{"key":"13_CR7","unstructured":"CardinalCommerce: Use of consumer authentication in ecommerce, annual survey 2017: The fraud practice (2017). \n https:\/\/goo.gl\/z2mByt"},{"key":"13_CR8","doi-asserted-by":"publisher","unstructured":"Emms, M., Arief, B., Freitas, L., Hannon, J., van Moorsel, A.: Harvesting high value foreign currency transactions from EMV contactless credit cards without the PIN. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 716\u2013726. ACM, New York (2014). \n https:\/\/doi.org\/10.1145\/2660267.2660312\n \n . \n http:\/\/doi.acm.org\/10.1145\/2660267.2660312","DOI":"10.1145\/2660267.2660312"},{"key":"13_CR9","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"313","DOI":"10.1007\/978-3-642-39884-1_26","volume-title":"Financial Cryptography and Data Security","author":"M Emms","year":"2013","unstructured":"Emms, M., Arief, B., Little, N., van Moorsel, A.: Risks of offline verify PIN on contactless cards. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 313\u2013321. Springer, Heidelberg (2013). \n https:\/\/doi.org\/10.1007\/978-3-642-39884-1_26"},{"key":"13_CR10","unstructured":"EMVCo: 3D Secure 2.0 (2017). \n https:\/\/goo.gl\/d1ksLf"},{"key":"13_CR11","unstructured":"E.solutions: Live HTTP Header (2018). \n https:\/\/www.esolutions.se\/"},{"key":"13_CR12","doi-asserted-by":"crossref","unstructured":"Etaher, N., Weir, G.R., Alazab, M.: From ZeuS to ZitMo: trends in banking malware. In: 2015 IEEE Trustcom\/BigDataSE\/ISPA, vol. 1, pp. 1386\u20131391. IEEE (2015)","DOI":"10.1109\/Trustcom.2015.535"},{"key":"13_CR13","unstructured":"EU Council: Directive (EU) 2015\/2366 (2015). \n https:\/\/goo.gl\/psyvps"},{"key":"13_CR14","unstructured":"GoogleAndroid: Android pay (2014). \n https:\/\/www.android.com\/pay\/"},{"key":"13_CR15","unstructured":"Nayyar, H.: Clash of the Titans: ZeuS v SpyEye. SANS Institute InfoSec Reading Room (2010). \n https:\/\/www.sans.org\/reading-room\/whitepapers\/malicious\/clash-titans-zeus-spyeye-33393"},{"key":"13_CR16","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"230","DOI":"10.1007\/978-3-642-03549-4_14","volume-title":"Financial Cryptography and Data Security","author":"C Herley","year":"2009","unstructured":"Herley, C., van Oorschot, P.C., Patrick, A.S.: Passwords: if we\u2019re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 230\u2013237. Springer, Heidelberg (2009). \n https:\/\/doi.org\/10.1007\/978-3-642-03549-4_14"},{"key":"13_CR17","unstructured":"HTTP Watch: HttpWatch 11: HTTP Sniffer for Chrome, IE, iPhone and iPad (2018). \n https:\/\/www.httpwatch.com\/"},{"key":"13_CR18","unstructured":"Intelligent Systems Lab: JS NICE: Statistical renaming, Type inference and Deobfuscation (2018). \n http:\/\/jsnice.org\/"},{"key":"13_CR19","doi-asserted-by":"publisher","unstructured":"Kim, D., Kwon, B.J., Dumitra\u015f, T.: Certified malware: measuring breaches of trust in the windows code-signing PKI. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1435\u20131448. ACM, New York (2017). \n https:\/\/doi.org\/10.1145\/3133956.3133958\n \n . \n http:\/\/doi.acm.org\/10.1145\/3133956.3133958","DOI":"10.1145\/3133956.3133958"},{"key":"13_CR20","unstructured":"King, R.: Verified by Visa: bad for security, worse for business - Richard\u2019s Kingdom (2009). \n https:\/\/goo.gl\/NgUUvn"},{"key":"13_CR21","unstructured":"MalShare: Malware Repository for Researchers (2018). \n https:\/\/malshare.com\/"},{"key":"13_CR22","unstructured":"Mastercard: Merchant SecureCode implementation guide (2014). \n https:\/\/goo.gl\/DyQ7Jb"},{"key":"13_CR23","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"336","DOI":"10.1007\/978-3-642-14577-3_27","volume-title":"Financial Cryptography and Data Security","author":"SJ Murdoch","year":"2010","unstructured":"Murdoch, S.J., Anderson, R.: Verified by visa and mastercard securecode: or, how not to design authentication. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 336\u2013342. Springer, Heidelberg (2010). \n https:\/\/doi.org\/10.1007\/978-3-642-14577-3_27"},{"key":"13_CR24","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"21","DOI":"10.1007\/978-3-662-45472-5_2","volume-title":"Financial Cryptography and Data Security","author":"SJ Murdoch","year":"2014","unstructured":"Murdoch, S.J., Anderson, R.: Security protocols and evidence: where many payment systems fail. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 21\u201332. Springer, Heidelberg (2014). \n https:\/\/doi.org\/10.1007\/978-3-662-45472-5_2"},{"key":"13_CR25","doi-asserted-by":"publisher","unstructured":"Murdoch, S.J., Drimer, S., Anderson, R., Bond, M.: Chip and PIN is broken. In: 2010 IEEE Symposium on Security and Privacy, pp. 433\u2013446. IEEE (2010). \n https:\/\/doi.org\/10.1109\/SP.2010.33","DOI":"10.1109\/SP.2010.33"},{"key":"13_CR26","unstructured":"PayPal: PayPal Pro - 3D secure developer guide (2018). \n https:\/\/goo.gl\/7mPWWt"},{"key":"13_CR27","unstructured":"PCIDSS: Payment card industry (PCI) data security standard requirements and security assessment procedures (2016). \n https:\/\/goo.gl\/PNSEq3"},{"key":"13_CR28","unstructured":"PCISCC: Payment card industry (PCI) hardware security module (HSM) security requirements (2009). \n https:\/\/goo.gl\/JQKH3T"},{"key":"13_CR29","unstructured":"RedTeam Pentesting: Man-in-the-Middle Attacks against the chipTAN comfort Online Banking System. Technical report, RedTeam Pentesting (2009). \n https:\/\/www.redteam-pentesting.de\/publications\/2009-11-23-MitM-chipTAN-comfort_RedTeam-Pentesting_EN.pdf"},{"key":"13_CR30","unstructured":"RedTeam Pentesting: New banking security system iTAN not as secure as claimed. Technical report, RedTeam Pentesting (2009). \n https:\/\/www.redteam-pentesting.de\/en\/advisories\/rt-sa-2005-014\/-new-banking-security-system-itan-not-as-secure-as-claimed"},{"issue":"2","key":"13_CR31","doi-asserted-by":"publisher","first-page":"236","DOI":"10.1109\/TDSC.2014.2382590","volume":"13","author":"AK Sood","year":"2016","unstructured":"Sood, A.K., Zeadally, S., Enbody, R.J.: An empirical study of HTTP-based financial botnets. IEEE Trans. Dependable Secure Comput. 13(2), 236\u2013251 (2016)","journal-title":"IEEE Trans. Dependable Secure Comput."},{"key":"13_CR32","unstructured":"Telerik: Fiddler web debugging tool (2018). \n https:\/\/goo.gl\/BURSaH"},{"key":"13_CR33","doi-asserted-by":"crossref","unstructured":"Ter Louw, M., Venkatakrishnan, V.: Blueprint: robust prevention of cross-site scripting attacks for existing browsers. In: 2009 30th IEEE Symposium on Security and Privacy, pp. 331\u2013346. IEEE (2009)","DOI":"10.1109\/SP.2009.33"},{"key":"13_CR34","doi-asserted-by":"publisher","unstructured":"Thomas, K., et al.: Data breaches, phishing, or malware?: understanding the risks of stolen credentials. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, pp. 1421\u20131434. ACM, New York (2017). \n https:\/\/doi.org\/10.1145\/3133956.3134067\n \n . \n https:\/\/doi.acm.org\/10.1145\/3133956.3134067","DOI":"10.1145\/3133956.3134067"},{"key":"13_CR35","unstructured":"Visa Inc: 3D Secure (2017). \n https:\/\/goo.gl\/TZSTEc"},{"key":"13_CR36","unstructured":"Visa Inc: Visa Developer Centre (2018). \n https:\/\/goo.gl\/8dDqWv"},{"key":"13_CR37","unstructured":"WickyBay: FRAUDFOX VM, WickyBay Store (2017). \n https:\/\/goo.gl\/aAZY1K"},{"key":"13_CR38","unstructured":"Zeltser, L.: (2018). \n https:\/\/zeltser.com\/malware-sample-sources\/"}],"container-title":["Lecture Notes in Computer Science","Financial Cryptography and Data Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-32101-7_13","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,10,11]],"date-time":"2019-10-11T07:06:27Z","timestamp":1570777587000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-32101-7_13"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019]]},"ISBN":["9783030321000","9783030321017"],"references-count":38,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-32101-7_13","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2019]]},"assertion":[{"value":"30 September 2019","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"FC","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Financial Cryptography and Data Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"St. Kitts","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Saint Kitts and Nevis","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2019","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"18 February 2019","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"22 February 2019","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"23","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"fc2019","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/fc19.ifca.ai\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Double-blind","order":1,"name":"type","label":"Type","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"HotCRP","order":2,"name":"conference_management_system","label":"Conference Management System","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"178","order":3,"name":"number_of_submissions_sent_for_review","label":"Number of Submissions Sent for Review","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"32","order":4,"name":"number_of_full_papers_accepted","label":"Number of Full Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"7","order":5,"name":"number_of_short_papers_accepted","label":"Number of Short Papers Accepted","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"18% - The value is computed by the equation \"Number of Full Papers Accepted \/ Number of Submissions Sent for Review * 100\" and then rounded to a whole number.","order":6,"name":"acceptance_rate_of_full_papers","label":"Acceptance Rate of Full Papers","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"3,08","order":7,"name":"average_number_of_reviews_per_paper","label":"Average Number of Reviews per Paper","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"7,6","order":8,"name":"average_number_of_papers_per_reviewer","label":"Average Number of Papers per Reviewer","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}},{"value":"Yes","order":9,"name":"external_reviewers_involved","label":"External Reviewers Involved","group":{"name":"ConfEventPeerReviewInformation","label":"Peer Review Information (provided by the conference organizers)"}}]}}