Virtual World Authentication Using the Smart Card Web Server

  • Lazaros Kyrillidis
  • Graham Hili
  • Sheila Cobourne
  • Keith Mayes
  • Konstantinos Markantonakis
Part of the Communications in Computer and Information Science book series (CCIS, volume 377)


Virtual Worlds (VWs) are persistent, immersive digital environments, in which people utilise digital representation of themselves. Current management of VW identity is very limited, and security issues arise, such as identity theft. This paper proposes a two-factor user authentication scheme based on One Time Passwords (OTPs), exploiting a Smart Card Web Server (SCWS) hosted on the tamper-resistant Subscriber Identity Module (SIM) within the user’s mobile phone. Additionally, geolocation attributes are used to compare phone and PC locations, introducing another obstacle for an attacker. A preliminary security analysis is done on the protocol, and future work is identified.


Smart Card Web Server Virtual Worlds Authentication Mobile phones SIM cards One Time Passwords 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bell, M.: Virtual Worlds Research: Past, Present & Future July 2008: Toward a definition of “Virtual Worlds” (2008)Google Scholar
  2. 2.
    KZero: Virtual worlds: Industry and user data universe (March 2012)Google Scholar
  3. 3.
    Second Life Official Website,
  4. 4.
    World of Warcraft,
  5. 5.
    McGraw, G., Chow, M.: Guest editors’ introduction: Securing online games: Safeguarding the future of software security: How world of warcraft almost ruined my credit rating. IEEE Security & Privacy, 11–12 (2009)Google Scholar
  6. 6.
    Jorstad, I., Jonvik, T., et al.: Strong authentication with mobile phone as security token. In: Mobile Adhoc and Sensor Systems, MASS 2009, pp. 777–782. IEEE (2009)Google Scholar
  7. 7.
    Vapen, A., Byers, D., Shahmehri, N.: 2-clickauth optical challenge-response authentication. In: Availability, Reliability, and Security, ARES 2010, pp. 79–86. IEEE (2010)Google Scholar
  8. 8.
    Juniper Networks Inc.: Mobile Threats Report (2011)Google Scholar
  9. 9.
    Open Mobile Alliance: Smartcard-Web-Server, Candidate Version 1.2, OMA-TS-Smartcard_Web_Server-V1_1_2-20120927-C, Open Mobile Alliance (OMA), Version 1.2 (September 27, 2012)Google Scholar
  10. 10.
    Neustar: IP Geolocation: A Valuable Weapon to Fight Online Card-Not-Present Payment Fraud,
  11. 11.
    Mayes, K.E., Markantonakis, K. (eds.): Smart Cards, Tokens, Security and Applications. Springer (2008)Google Scholar
  12. 12.
    Calvin, J., Dickens, A., Gaines, B., Metzger, P., Miller, D., Owen, D.: The SIMNET virtual world architecture. In: Virtual Reality Annual International Symposium, pp. 450–455. IEEE (1993)Google Scholar
  13. 13.
    Frecon, E., Stenius, M.: DIVE: A scaleable network architecture for distributed virtual environments. In: Distributed Systems Engineering 5.3 (1998)Google Scholar
  14. 14.
    Fernandes, S., Antonello, R., Moreira, J., Kamienski, C., Sadok, D.: Traffic analysis beyond this world: the case of Second Life. In: 17th International Workshop on Network and Operating Systems Support for Digital Audio and Video. University of Illinois, Urbana-Champaign (2007)Google Scholar
  15. 15.
    RFC 2818: Hypertext Transfer Protocol over TLS protocol (May 2000),
  16. 16.
  17. 17.
    GlobalPlatform: Remote Application Management over HTTP Card Specification v2.2 Amendment B Version 1.1.1 (2012)Google Scholar
  18. 18.
    RFC 4226: HOTP: An HMAC-Based One-Time Password Algorithm (December 2005),
  19. 19.
    OWASP, The Open Web Application Security Project: OWASP Top Ten Project,
  20. 20.
    Shetty, S.: Symantec: Introduction to Spyware Keyloggers (November 2010),
  21. 21.
    Goodin, D.: Crack in Internet’s foundation of trust allows HTTPS session hijacking (September 2012),
  22. 22.
    SANS Institute InfoSec Reading Room: Introduction to IP Spoofing (November 2000)Google Scholar
  23. 23.
    Gill, P., Ganjali, Y., Wong, B., Lie, D.: Dude, where’s that IP? Circumventing measurement-based IP geolocation. In: Proceedings of the 19th USENIX Conference on Security, Berkeley, CA, USA (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Lazaros Kyrillidis
    • 1
  • Graham Hili
    • 1
  • Sheila Cobourne
    • 1
  • Keith Mayes
    • 1
  • Konstantinos Markantonakis
    • 1
  1. 1.Smart Card Centre, Information Security GroupRoyal Holloway, Univ. of LondonEghamUK

Personalised recommendations