Smart Cards to Enhance Security and Privacy in Biometrics

Smart cards are portable secure devices designed to hold personal and service information for many kind of applications. Examples of the use of smart cards are cell phone user identification (e.g. GSM SIM card), banking cards (e.g. EMV credit/debit cards) or citizen cards. Smart cards and Biometrics can be used jointly in different kinds of scenarios. Being a secure portable device, smart cards can be used for storing securely biometric references (e.g. templates) of the cardholder, perform biometric operations such as the comparison of an external biometric sample with the on-card stored biometric reference, or even relate operations within the card to the correct execution and result of those biometric operations. In order to provide the reader of the book with an overview of this technology, this chapter provides a description of smart cards, from their origin till the current technology involved, focusing especially in the security services they provide. Once the technology and the security services are introduced, the chapter will detail how smart cards can be integrated in biometric systems, which will be summarized in four different strategies: Store-on-Card, On-Card Biometric Comparison, Work-sharing Mechanism, and System-on-Card. Also the way to evaluate the joint use of smart cards and Biometrics will be described; both at the performance level, as well as its security. Last, but not least, this chapter will illustrate the collaboration of both technologies by providing two examples of current major deployments.Publicad

Maintaining consumer confidence in electronic payment mechanisms

Credit card fraud is already a significant factor inhibiting consumer confidence in e-commerce. As more advanced payment systems become common, what legal and technological mechanisms are required to ensure that fraud does not do long-term damage to consumers' willingness to use electronic payment mechanisms

Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

Strong Electronic Identification: Survey & Scenario Planning

The deployment of more high-risk services such as online banking and government services on the Internet has meant that the need and demand for strong electronic identity is bigger today more than ever. Different stakeholders have different reasons for moving their services to the Internet, including cost savings, being closer to the customer or citizen, increasing volume and value of services among others. This means that traditional online identification schemes based on self-asserted identities are no longer sufficient to cope with the required level of assurance demanded by these services. Therefore, strong electronic identification methods that utilize identifiers rooted in real world identities must be provided to be used by customers and citizens alike on the Internet. This thesis focuses on studying state-of-the-art methods for providing reliable and mass market strong electronic identity in the world today. It looks at concrete real-world examples that enable real world identities to be transferred and used in the virtual world of the Internet. The thesis identifies crucial factors that determine what constitutes a strong electronic identity solution and through these factors evaluates and compares the example solutions surveyed in the thesis. As the Internet become more pervasive in our lives; mobile devices are becoming the primary devices for communication and accessing Internet services. This has thus, raised the question of what sort of strong electronic identity solutions could be implemented and how such solutions could adapt to the future. To help to understand the possible alternate futures, a scenario planning and analysis method was used to develop a series of scenarios from underlying key economic, political, technological and social trends and uncertainties. The resulting three future scenarios indicate how the future of strong electronic identity will shape up with the aim of helping stakeholders contemplate the future and develop policies and strategies to better position themselves for the future

Modelling Smart Card Security Protocols in SystemC TLM

Smart cards are an example of advanced chip technology. They allow information transfer between the card holder and the system over secure networks, but they contain sensitive data related to both the card holder and the system, that has to be kept private and confidential. The objective of this work is to create an executable model of a smart card system, including the security protocols and transactions, and to examine the strengths and determine the weaknesses by running tests on the model. The security objectives have to be considered during the early stages of systems development and design, an executable model will give the designer the advantage of exploring the vulnerabilities early, and therefore enhancing the system security. The Unified Modeling Language (UML) 2.0 is used to model the smart card security protocol. The executable model is programmed in SystemC with the Transaction Level Modeling (TLM) extensions. The final model was used to examine the effectiveness of a number of authentication mechanisms with different probabilities of failure. In addition, a number of probable attacks on the current security protocol were modeled to examine the vulnerabilities. The executable model shows that the smart card system security protocols and transactions need further improvement to withstand different types of security attacks

One-Time Code Cardholder Verification Method in Electronic Funds Transfer Transactions

Card payments are getting more and more popular across the world. The dominantstandard used for Electronic Funds Transfer transaction is EMV. It is widely used across Europeand Canada, and currently it is being introduced in the USA. The most frequently used CardholderVerification Method in EMV transaction is PIN, which requires from the payment terminal to beequipped with pinpad - which increases the cost of the whole payment device. In this article I presentan alternative Cardholder Verification Method (CVM) that can be used instead of traditional PIN.The key advantage of the presented mechanism is that it can be easily implemented in currentlyutilized authorization protocols, it does not affect rules of EMV specification and may decrease timeof transaction processing

A Security Formal Verification Method for Protocols Using Cryptographic Contactless Smart Cards

We present a method of contactless smart card protocol modeling suitable for finding vulnerabilities using model checking. Smart cards are used in applications that require high level of security, such as payment applications, therefore it should be ensured that the implementation does not contain any vulnerabilities. High level application specifications may lead to different implementations. Protocol that is proved to be secure on high level and that uses secure smart card can be implemented in more than one way, some of these implementations are secure, some of them introduce vulnerabilities to the application. The goal of this paper is to provide a method that can be used to create a model of arbitrary smart card, with focus on contactless smart cards, to create a model of the protocol, and to use model checking to find attacks in this model. AVANTSSAR Platform was used for the formal verification, the models are written in the ASLan++ language. Examples demonstrate the usability of the proposed method

Security of the Lin-Lai smart card based user authentication scheme

The remote user authentication scheme of Lin and Lai, that uses a smart card and a fingerprint measurement, is reviewed and shown to possess significant security issues

Review and Analysis of Current and Future European e-ID Schemes

The purpose of this report is to accomplish the following objectives: 1. Review and analysis of existing and future e-ID standards and technologies 2. Review and analysis of national e-ID card schemes (in Europe), including their objectives and the policy drivers (motivation). 3. A review of the applications that e-ID cards enable, both for public policy purposes and commercial usage (planned & actual). 4. Lessons learned from existing e-ID card schemes (successes and failures) and determine whether new international schemes/standards will address past short-comings or not. As a result of attempting to accomplish these objectives, it became apparent that across Europe we are still in a fairly early stage of development. More importantly, there is no coordinated effort across Europe to implement e-ID cards. Leading e-ID card schemes to be designed and implemented at a national level has lead to a heterogeneous collection of scheme types. Not only is there an inconsistency in the primary objectives of e-ID cards, the use of different standards and technologies has lead to a lack of interoperability between schemes