Simulator Problem in User Centric Smart Card Ownership Model

Raja Naeem Akram, Konstantinos Markantonakis, and Keith Mayes
Information Security Group, Smart Card Centre, Royal Holloway, University of London. Egham, United Kingdom.
Email: {R.N.Akram, K.Markantonakis, Keith.Mayes}@rhul.ac.uk

Abstract—The Issuer Centric Smart Card Ownership Model (ICOM) gives complete control of smart cards to their respective card issuers, enabling them to install, modify or delete applications remotely, in a secure manner. However, the User Centric Smart Card Ownership Model (UCOM) delegates the ownership of smart cards to their users, entitling them to install or delete any application according to their requirements. In the UCOM there might be no off-card relationship between a smart card and an application provider, referred to as a Service Provider; such a relationship is the cornerstone of the ICOM security framework. This creates unique security issues like the simulator problem, in which a malicious user may simulate the smart card environment on a computing device and request installation of an application. Following this, it might be possible to retrieve sensitive application data by reverse engineering. In this paper, we analyse the simulator problem and how it affects the UCOM, and propose a possible solution.

I. INTRODUCTION

A multi-application smart card initiative enables interrelated and corroborative applications from diverse industries [1] that co-exist and augment each other's functionality. Until recently, it was not widely deployed because of issues relating to ownership, branding, and business objectives. However, Near Field Communication (NFC) [2] has invigorated the convergence of different services (applications) onto a single smart card.
In most of the NFC-based field trials, the adopted ownership model could be considered an extension of the Issuer Centric Smart Card Ownership Model (ICOM), and is based on the concept of the "Trusted Service Manager" (TSM) [3]. TSMs have administrative authority over smart cards, and no application can be installed or deleted without their prior authorisation [4]–[6]. The main difference from the traditional ICOM is that the TSM might be a neutral card management authority and would not install its own application onto the cards [7]. This trend is encouraging, as it is attracting commercial interest. However, we consider that a true multi-application smart card would give cardholders the freedom to choose applications without restricting that choice to a centralised authority.

Contrary to the ICOM, the User Centric Smart Card Ownership Model (UCOM) delegates the ownership of smart cards to their users. The term "ownership" means the freedom of "choice" of applications that users can install or delete on their smart cards, in a ubiquitous and seamless manner [8]. New frameworks create unique security issues of their own though, and the UCOM is no exception. Allowing users to install applications as they desire raises distinctive security issues, one of which is the simulator problem, which is the focus of this paper.

Section two briefly discusses the ICOM and UCOM. In section three, the simulator problem, possible attack scenarios and the requirements that a solution should satisfy are described. A proposed solution to the simulator problem is detailed in section four. We analyse the proposal in section five. Section six lists future research directions, and a conclusion is provided in section seven.

II. SMART CARD OWNERSHIP MODELS

Smart card ownership models relate to who owns smart cards. In this section, two contrasting models are discussed.

A. Issuer Centric Smart Card Ownership Model

In the Issuer Centric Smart Card Ownership Model, organisations referred to as card issuers (e.g., banks, telecoms, and transport) acquire smart cards from card manufacturers to support their smart card-based service architecture. The card issuers then distribute them to their individual customers, who use them at service access points to request the services to which the card entitles them, as shown in figure 1.

Figure 1. Issuer Centric Smart Card Ownership Model (entities: Smart Card Manufacturer, Smart Card Issuer, Smart Card User, Service Access Point; steps: 1. Smart Card Ordered, 2. Smart Card Delivered, 3. Smart Card Issued, 4. Service Request, 5. Request, 6. Response, 7. Service Response)

Although multi-application smart cards allow applications from different organisations to co-exist in a secure and reliable manner, the card issuer retains ownership of smart cards and control over which applications can be installed or deleted. The ownership issues, along with branding and varying business objectives, have decelerated multi-application smart card adoption [9].

The advantages of this approach are issuance control, security control, modification control, and communication and