We are always being told that credit card transactions on the Internet are safe as long as the application is using the SSL (Secure Socket Layer) protocol to protect the transaction data in transit over the Internet. Unfortunately this also means that it protects the person who has stolen your credit card unknown to you, and is using it to perform online credit transaction to your account. So the Asecurity is not ensuring a true authorisation of a transaction by the account holder.
At first sight Chip and PIN techniques will provide an answer for Internet credit card transactions by adding a standard smart card reader to the home PC. The transaction software could read the account information from the smart card and validate it with the issuing bank over the Internet, and then prompt the user to enter their PIN to authorise the transaction. Assuming the correct PIN is entered and the authorisation process completes successfully this is equivalent to aAcard present transaction.
Unfortunately this assumes that the home PC is a secure device! When this transaction was being performedthere may have been a virus resident in the PC. This virus scanned the video output for text words such as AName, AAmount, APIN, AEnter etc. Whenever one of these trigger words is detected the virus records all keys typed at the keyboard and forwards them to an e-mail address. Somewhere in that keyboard data will be the PIN number, now made known to the attacker.
Other simpler Asocial engineering attacks such as displaying a message on the users screen requesting them to enter their PIN number, work in a surprising number of cases! This must mean that the PC is NOT a device into which PIN numbers should be typed – EVER!
To perform an online Acard present transaction securely, the standard smart card reader should be replaced with another piece of equipment. This new device has its own processor, key pad, LCD display and smart card interface all built into one tamper proof enclosure, with a USB, serial or wireless interface to allow connection to the PC. To be acceptable to the banks the device must meet certain requirements, namely (i) any key pressed on the PIN pad must never be output on its interface (ii) any data received on the interface must never be displayed on the LCDand (iii) the device itself must be able to process the authorisation algorithm. This type of device is some times called a Finread device.
With such a device secure online Acard present transactions can be performed. The Web shop initiates a session with the payment authority, which sends a digitally signed information record back to the users PC, which can pass the information on to the attached FINREAD device, which can pass the necessary information to the smart card for authentication. The device can then extract the transaction value from the received information and display it on the LCD for the user to accept. The smart card then uses the entered PIN to release information to allow it to sign the transaction record (again with encryption keys stored within the smart card). The device can then send the processed transaction record back to the PC which forwards it over the Internet to the payment authority that was controlling the transaction.
The FINREAD device effectively provides the secure "sandbox", programmatically isolated from the PC, in which financial transactions can be authorised by the true owner of the credit card, when it really will be secure to purchase items using a PC connected to the Internet!< BR>
Martin Healey, pioneer development Intel-based computers en c/s-architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.
