Deployed Payment Systems
In this section, we provide an overview of payment systems that have been already deployed.
Zero-Knowledge Systems (ZKS) was a company founded in 1997 to offer primarily privacy-preserving services. ZKS is well known for Freedom network, its privacypreserving network service.
The main differentiator of ZKS was the strong privacy provisions offered within their services. ZKS technologies leveraged privacy-preserving cryptographic primitives at the time introduced by Brands along the lines of the schemes described in Section 2.3.2.
Established in 1998, PayPal started as a company offering its clients the ability to transfer funds electronically between individuals, organizations, or businesses . Clients of PayPal have to register accounts and once these accounts are connected to their bank/credit/debit account, they are able to send funds to anyone in possession of a PayPal account.
PayPal accounts are traditionally associated to an email address, and knowledge of an email address is the minimum knowledge needed to move money to the account owned by that address. PayPal transactions are pseudonymous and allows users to register several accounts, each linked to a given bank account or email address. Therefore, one could argue that PayPal does not offer transactional privacy as defined in the previous sections.
Currently, a number of online markets, such as eBay and Amazon, accept PayPal payments. In typical cases, PayPal accounts are automatically refilled by their owners's bank account. To secure the PayPal account refill process, PayPal introduced two-factor authentication mechanisms. In particular, users would have to authenticate using their username and password and answer an additional challenge to be able to log in. The challenge was either a secret code sent to the user's mobile phone or a number that the user was supposed to feed to a pre-agreed hardware security module. This two-level authentication would prevent a potential attacker from modifying any transaction: the attacker would have to obtain access to the user's password and would also need to obtain the right answer to the challenge (by compromising another user device). Notice that the PayPal implementation of two- factor authentication does not seem to solve the issue of man-in-the-middle-attack since a potential attacker could try to impersonate the PayPal website to the user (and vice versa) just by forwarding responses from one end to the other.
PayPal is a mediator-based system that enables payments to users who maintain accounts through PayPal. The system does not offer privacy and requires trust to be placed in the mediator—who has to be online for the payment to complete.