PESTO Research team
The rise of the Internet and the ubiquity of electronic devices have changed our way of life. Many face-to-face and paper transactions nowadays have digital counterparts: home banking, electronic commerce, e-voting, ... and even, in part, our social life. This digitalisation of the world comes with tremendous risks for our security and privacy, as illustrated by the following examples.
Financial transactions. According to the FEVAD (French federation of remote selling and e-commerce), 51.1 billion euros were spent through e-commerce in France in 2013, and certissim estimates fraud at 1.9 billion euros (Livre Blanc : La fraude dans le e-commerce, certissim). As discussed in another white paper, Dissecting Operation High Roller (https://en.wikipedia.org/wiki/Operation_High_Roller), by Dave Marcus (Director of Advanced Research and Threat Intelligence, McAfee) and Ryan Sherstobitoff (Threat Researcher, Guardian Analytics), bank fraud has changed dramatically. Fraudsters aim to steal increasingly large amounts from bank accounts (with single transfers over 50,000 euros) and develop fully automated attack tools to do so. As a consequence, protocols need to implement more advanced, multi-factor authentication methods.
Electronic voting. In the last few years several European countries (Estonia, France, Norway and Switzerland) organised legally binding political elections that allowed (part of the) voters to cast their votes remotely via the Internet. For example, in June 2012 French people living abroad (“expats”) were allowed to vote via the Internet for parliament elections. An engineer demonstrated that it was possible to write malware that could change the value of a cast vote without any way for the voter to notice. A video explaining the attack is available at http://www.youtube.com/watch?v=AsvLxY478xc. In Estonia, in the 2011 parliament election, a similar attack was reported by computer scientist Paavo Pihelgas, who conducted a real-life experiment with aware, consenting test subjects. The Supreme Court dismissed an electoral complaint regarding e-voting security (http://www.nc.ee/?id=1235).
Privacy violations. Another security threat is the violation of an individual person's privacy. For instance, radio-frequency identification (RFID) technology can be used to trace persons, e.g. in automatic toll-paying devices (A Pass on Privacy? The New York Times, July 17, 2005, http://www.nytimes.com/2005/07/17/magazine/17WWLN.html) or in public transportation. Even though security protocols are deployed to avoid tracing by third parties, protocol design errors enabled tracing of European e-passports (Defects in e-passports allow real-time tracking. The Register, January 26, 2010, http://www.theregister.co.uk/2010/01/26/epassport_rfid_weakness/). Recently, a flaw was identified in the 3G mobile phone protocols that allows a third party, i.e. not only the operator, to trace telephones. Also, anonymised data from social networks has been effectively used to identify persons by comparing data from several social networks (Social sites dent privacy efforts. BBC, March 27, 2009, http://news.bbc.co.uk/2/hi/technology/7967648.stm).