publications | Raja Hasnain Anwar

2024

In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping

Raja Hasnain Anwar , Syed Rafiul Hussain , and Muhammad Taqi Raza

In USENIX Security Symposium , 2024

Abs Bib PDF

Digital wallets are a new form of payment technology that provides a secure and convenient way of making contactless payments through smart devices. In this paper, we study the security of financial transactions made through digital wallets, focusing on the authentication, authorization, and access control security functions. We find that the digital payment ecosystem supports the decentralized authority delegation which is susceptible to a number of attacks. First, an attacker adds the victim’s bank card into their (attacker’s) wallet by exploiting the authentication method agreement procedure between the wallet and the bank. Second, they exploit the unconditional trust between the wallet and the bank, and bypass the payment authorization. Third, they create a trap door through different payment types and violate the access control policy for the payments. The implications of these attacks are of a serious nature where the attacker can make purchases of arbitrary amounts by using the victim’s bank card, despite these cards being locked and reported to the bank as stolen by the victim. We validate these findings in practice over major US banks (notably Chase, AMEX, Bank of America, and others) and three digital wallet apps (ApplePay, GPay, and PayPal).
@inproceedings{anwar2023wallet, title = {In Wallet We Trust: Bypassing the Digital Wallets Payment Security for Free Shopping}, author = {Anwar, Raja Hasnain and Hussain, Syed Rafiul and Raza, Muhammad Taqi}, booktitle = {USENIX Security Symposium}, pages = {541--558}, year = {2024}, url = {https://www.usenix.org/conference/usenixsecurity24/presentation/anwar}, }
Characterizing Encrypted Application Traffic through Cellular Radio Interface Protocol

Md Ruman Islam , Raja Hasnain Anwar , Spyridon Mastorakis , and 1 more author

In IEEE International Conference on Mobile Ad-Hoc and Smart Systems (MASS) , 2024

Abs Bib PDF

Modern applications are end-to-end encrypted to prevent data from being read or secretly modified. 5G tech nology provides ubiquitous access to these applications without compromising the application-specific performance and latency goals. In this paper, we empirically demonstrate that 5G radio communication becomes the side channel to precisely infer the user’s applications in real-time. The key idea lies in observing the 5G physical and MAC layer interactions over time that reveal the application’s behavior. The MAC layer receives the data from the application and requests the network to assign the radio resource blocks. The network assigns the radio resources as per application requirements, such as priority, Quality of Service (QoS) needs, amount of data to be transmitted, and buffer size. The adversary can passively observe the radio resources to fingerprint the applications. We empirically demonstrate this attack by considering four different categories of applications: online shopping, voice/video conferencing, video streaming, and Over-The-Top (OTT) media platforms. Finally, we have also demonstrated that an attacker can differentiate various types of applications in real-time within each category.
@inproceedings{islam2024characterizing, title = {Characterizing Encrypted Application Traffic through Cellular Radio Interface Protocol}, author = {Islam, Md Ruman and Anwar, Raja Hasnain and Mastorakis, Spyridon and Raza, Muhammad Taqi}, booktitle = {IEEE International Conference on Mobile Ad-Hoc and Smart Systems (MASS)}, year = {2024}, url = {https://arxiv.org/pdf/2407.07361}, }

2023

Redefining the Driver’s Attention Gauge in Semi-Autonomous Vehicles

Raja Hasnain Anwar , Fatima Muhammad Anwar , Muhammad Kumail Haider , and 2 more authors

In Proceedings of the Int’l ACM Conference on Modeling Analysis and Simulation of Wireless and Mobile Systems (MSWiM) , 2023

Abs Bib PDF

Driver distraction caused by over-reliance on automotive technology is one of the leading causes of accidents in semi-autonomous vehicles. Existing driver’s attention-gauging approaches are intrusive and as such emphasize constant driver engagement. In case of an urgent traffic event, they fail to measure the event’s criticality and subsequently generate timely alerts. In this paper, we re-position the driver’s attention-gauging approach as a way to improve the driver’s situational awareness during critical situations. We exploit how a vehicle captures its surroundings information to convert an automotive decision into defining the criticality and timeliness of an alert. For this, we identify the relationship between the traffic event, the type of automotive sensing technologies, and its processing resources to capture that event to design the driver’s attention gauge. We evaluate the timeliness of alerts for different traffic scenarios over a prototype built using NVIDIA Jetson Xavier AGX and Carla. Our results show that we can improve the timeliness of an alert by up to 75x as compared to existing state-of-the-art approaches, while also providing feedback on its criticality.
@inproceedings{anwar2023redefining, title = {Redefining the Driver's Attention Gauge in Semi-Autonomous Vehicles}, author = {Anwar, Raja Hasnain and Anwar, Fatima Muhammad and Haider, Muhammad Kumail and Efrat, Alon and Raza, Muhammad Taqi}, booktitle = {Proceedings of the Int'l ACM Conference on Modeling Analysis and Simulation of Wireless and Mobile Systems (MSWiM)}, pages = {307--311}, year = {2023}, url = {https://dl.acm.org/doi/10.1145/3616388.3617544}, }
Detecting Privacy Threats with Machine Learning: A Design Framework for Identifying Side-Channel Risks of Illegitimate User Profiling

Raja Hasnain Anwar , Yi Zoe Zou , and Muhammad Taqi Raza

In Proceedings of the Americas Conference on Information Systems (AMCIS) , 2023

Abs Bib PDF

Privacy leakage has become prevalent and severe with the increasing adoption of the internet of things (IoT), artificial intelligence (AI), and blockchain technologies. Such data-intensive systems are vulnerable to side-channel attacks in which hackers can extract sensitive information from a digital device without actively manipulating the target system. Nevertheless, there is a scarcity of IS research on how businesses can effectively detect and safeguard against side-channel attacks. This study adopts the design science paradigm and lays the groundwork for systematic inquiry into the assessment of privacy risks related to side-channels. In this paper, we a) highlight the privacy threats posed by side-channel attacks, b) propose a machine learning-driven design framework to identify side-channel privacy risks, and c) contribute to the literature on privacy analytics using machine learning techniques. We demonstrate a use case of the proposed framework with a text classification model that uses keystroke timings as side-channel.
@inproceedings{anwar2023detecting, title = {Detecting Privacy Threats with Machine Learning: A Design Framework for Identifying Side-Channel Risks of Illegitimate User Profiling}, author = {Anwar, Raja Hasnain and Zou, Yi Zoe and Raza, Muhammad Taqi}, booktitle = {Proceedings of the Americas Conference on Information Systems (AMCIS)}, year = {2023}, url = {https://aisel.aisnet.org/amcis2023/sig_sec/sig_sec/7/}, }

2021

ICIS

Keeping eyes on the road: the role of situated IS delegation in influencing drivers’ situational awareness

Raja Hasnain Anwar , Taqi Raza , and Yi Zoe Zou

In International Conference on Information Systems (ICIS) TREOs , 2021

Bib

@inproceedings{anwar2021keeping,
  title = {Keeping eyes on the road: the role of situated IS delegation in influencing drivers' situational awareness},
  author = {Anwar, Raja Hasnain and Raza, Taqi and Zou, Yi Zoe},
  booktitle = {International Conference on Information Systems (ICIS) TREOs},
  year = {2021}
}