Security solutions for e-banking and e-commerce with credit/debit cards, Part 2: The best solution (in terms of security)
Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005
(If you missed Security solutions for e-banking and e-commerce with credit/debit cards, Part 1: Analyzing the Security Issues, click here)
While there are some good solutions available from a security perspective, I believe that we already have the required technology to make financial transactions very secure. In fact, I believe that the technology is available, at a reasonable cost, to offer many more types of secure credit and debit card services.
Similar solutions have been explored by several financial institutions, but they are often abandoned due to high production costs and increased complexity for customers. However, it is my personal opinion that this limited view is only adequate if the corporation’s intent is to let its capability to offer new services stagnate.
However, if institutions seriously consider the financial benefits of providing a wider range of services with increased security, they might consider this a cost-effective solution.
My proposal for optimizing credit card security can be summarized in a few words: bring the benefits of Chip and PIN to the homes and workplaces of customers. Basically, this is how it works:
Customers use smartcards to identify themselves and authenticate financial transactions at e-commerce and e-banking sites (i.e. they will digitally sign transactions using the capabilities of smartcards). For this we need a smart card reader and some software that will connect to the e-banking site.
Transactions will be encrypted and digitally signed, not by the software itself but by the chip in the card. This provides point-to-point security from the card to the system processing the transactions. So far we are complying with the first two security laws for online financial transactions that we mentioned previously: tamper-proof chips provide far more security than codes printed on the card, and the fact that the card does the encryption and signature on chip provides the required point-to-point security for the transaction. The software will only be used to establish a connection with the Bank/Card issuer to authorize the payment.
For payments on e-commerce sites, a customer would need to follow either of these protocols:
Protocol 1
- Select items to purchase and review order
- Complete card and personal information on the site form as usual
- Accept and submit the payment
- Connect to the Bank/Card issuer server using the software, review the payments pending authorization and authorize the transaction using the smart card (i.e. digitally signing the transaction, which includes information such as date, time, store information, customer information, card information, etc.)
Protocol 2
- Select items to purchase and review order
- Connect to the Bank/Card issuer server using the software, and pre-authorize the transaction, using the smart card (specifying the amount and store, and possibly a timeout for the transaction that will take place soon)
- Complete card and personal information on the site form as usual
- Accept and submit the payment at the e-commerce website
Protocol 1 would be available only after banks/card issuers partner with e-commerce sites to accept temporarily unauthorized orders (obviously, the site will not process the order until it has been authorized). Many e-commerce sites do online verification of cards and cancel the order immediately if the payment is not authorized. This is where Protocol 2 might be more useful, as it allows for a quick implementation of the solution without involving the e-commerce site merchants.
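The issuer-side checks that Protocol 2 implies, as an added example that is not part of the original article: a pre-authorization is bound to card, store, amount and timeout, and is consumed by one matching charge. HMAC-SHA256 under a per-card key stands in for the chip's signature operation, and the `Issuer` class, field names, nonce and sample values are hypothetical and constructed for illustration.

```python
import hmac
import json

# Assumption: HMAC-SHA256 under a per-card key stands in for the chip's
# signature operation; on a real card the key never leaves the chip.
CARD_KEY = b"constructed-demo-key"   # constructed sample value

def card_sign(card_key, preauth):
    msg = json.dumps(preauth, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(card_key, msg, "sha256").hexdigest()

class Issuer:
    # Hypothetical issuer-side handling of Protocol 2 pre-authorizations.
    def __init__(self, card_keys):
        self.card_keys = card_keys   # card id -> verification key
        self.pending = {}            # (card, nonce) -> pre-auth, None once used

    def register(self, preauth, tag, now):
        key = self.card_keys.get(preauth["card"])
        if key is None or not hmac.compare_digest(card_sign(key, preauth), tag):
            return "rejected: bad signature"
        if now >= preauth["expires"]:
            return "rejected: expired"
        slot = (preauth["card"], preauth["nonce"])
        if slot in self.pending:
            return "rejected: replay"
        self.pending[slot] = preauth
        return "registered"

    def authorize_charge(self, card, merchant, amount_cents, now):
        for slot, p in self.pending.items():
            if p and now < p["expires"] and (card, merchant, amount_cents) == (
                    p["card"], p["merchant"], p["amount_cents"]):
                self.pending[slot] = None   # single use; the nonce stays burnt
                return True
        return False

def demo():
    # Constructed sample data: card id, merchant, amounts and times.
    issuer = Issuer({"TEST-CARD-0001": CARD_KEY})
    pre = {"card": "TEST-CARD-0001", "merchant": "shop.example",
           "amount_cents": 2599, "expires": 1600, "nonce": "n-001"}
    tag = card_sign(CARD_KEY, pre)
    return [issuer.register(dict(pre, amount_cents=99999), tag, now=1000),
            issuer.register(pre, tag, now=1000),
            issuer.authorize_charge("TEST-CARD-0001", "other.example", 2599, now=1100),
            issuer.authorize_charge("TEST-CARD-0001", "shop.example", 2599, now=1100),
            issuer.authorize_charge("TEST-CARD-0001", "shop.example", 2599, now=1200),
            issuer.register(pre, tag, now=1300)]
```

`demo()` walks through an altered amount, a valid registration, a charge from a different store, the matching charge, a second attempt at the same charge, and a re-submitted pre-authorization; only the valid registration and the first matching charge succeed.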
For e-banking, the same card and PIN can be used to log in securely to the e-banking site. This can be accomplished by making use of public key cryptography to establish a secure connection. The difference between this and traditional secure channels (e.g. SSL and TLS) is that the authentication is done in the card (exploiting the cryptographic capabilities of the chip). This allows two-factor authentication, requiring something that the user knows (the card’s PIN) and something that the user has (the credit/debit card). As a result, even if the customer’s computer is compromised and their card’s PIN is stolen (by capturing the keystrokes if the card reader has no keypad), the attacker still will not be able to log into the e-banking site; they would also need to possess the card. This complies with our third security law for online financial transactions.
Of course, the main disadvantages are the requirement of card readers and their software, but the solution is almost transparent for merchants, and the increase in security is enormous. Standardization also offers the possibility of using most (if not all) of the existing cards that have chips right away.
Banks and card issuers, as previously stated, might need to fully exploit the chip on the card to offset the costs of implementing this scheme. However, the considerable amount of memory on the chip (compared to that offered by a magnetic stripe) and the cryptographic functions of the card offer a great number of possibilities for new services.
Some ideas for new services that take advantage of these capabilities may include:
- Storing a number of the most recent transactions in a circular log (providing customers and banks/card issuers with a way to easily review and prove/disprove the authorization of specific transactions)
- Usernames/passwords and confidential information wallets (storing the information encrypted, in protected areas of the chip memory)
- Storage and application of e-Coupons
- Online Digital signature capabilities (for this service, the Bank/card issuer might act as an independent third party that verifies the identity of the cardholder and the authenticity of the digital signature, by providing digital certificates on-card for its customers).
- Storage of emergency information in non-encrypted memory within the chip (e.g. medical information that could be read at hospitals in case of an emergency)
- Storing images of the handwritten signature and a picture of the user in the chip, providing more physical verification mechanisms.
- Storing e-money (credit and debit capabilities in one card, loading cash on the credit card through e-banking services)
- Two or more different logical cards merged in one physical card (differentiated by the PIN the user uses to activate the card)
To reduce the costs of implementation for financial institutions, a number of these services, accompanying the smart card reader and software, might be sold to security-conscious customers who constantly make online transactions. In many ways, this defrays some of the costs of the added security and extends benefits to the customer. The cost of the hardware and software (provided they already have a credit card with chip technology) might be similar to or even lower than what customers are paying for an annual subscription to their antivirus provider.
Conclusions
There are a number of security solutions that try to minimize the risk of fraud with credit/debit cards, with diverse costs of implementation and degrees of security.
The best solution in terms of security was devised many years ago, but several obstacles have prevented its use. However, banks/credit card issuers might reconsider the implementation of this type of solution by offering potential new services and taking full advantage of the technology.
Therefore, there should be no excuse for not offering credit/debit card alternatives to customers that increase the security of financial transactions.