e-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2
The introduction of EMV-compliant payment cards, with their improved cardholder verification and card authentication capabilities, has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (PoS) terminals across Europe. However, this reduction has been accompanied by an alarming increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the weaker authentication procedures involved in CNP transactions. This paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Computing technology. We describe a detailed system architecture encompassing user enrollment, card deployment (in the form of software), card activation, and subsequent transaction processing. Our proposal is compatible with the existing EMV transaction processing architecture, and thus integrates fully and naturally with already deployed EMV infrastructure. We show that our proposal, which effectively makes available the full security of PoS transactions for Internet-based CNP transactions, has the potential to significantly reduce the opportunity for fraudulent CNP transactions.
Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis
In this paper, we demonstrate how the staged roll out of Trusted
Computing technology, beginning with ubiquitous client-side Trusted
Platform Modules (TPMs), can be used to enhance the security of
Internet-based Card Not Present (CNP) transactions. This approach can be
seen as an alternative to the proposed mass deployment of unconnected
card readers in the provision of CNP transaction authorisation. Using
TPM functionality (and the new PC architecture that will evolve around
it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D
Secure and server-side SET. We highlight how the use of TPM
functionality, as is currently being deployed in the marketplace, is not
a panacea for solving all the problems associated with CNP transactions.
In this instance, a more holistic approach requiring additional Trusted Computing components incorporating Operating System, processor and chipset support is required to combat the threat of malware.
Secure Payment Architectures and Other Applications of Trusted Computing
This thesis is divided into two distinct parts. The first part of
the thesis explores the role Trusted Computing can play in securing Internet-based Card Not Present (CNP) transactions. We highlight how Trusted Platform Module (TPM) enabled Platforms, as are currently available in the marketplace, can be used as adjuncts to CNP enabling protocols, such as SSL and 3-D Secure. As an extension to this, we demonstrate how newer Trusted Computing technologies, such
as processor, chipset and operating system extensions, can provide a measured virtualisation layer on top of which emulated EMV (chip and pin) cards can run.
The second part of this thesis looks at how Trusted Computing can be used to add security functionality to a number of computing paradigms. Firstly, we examine how Trusted Computing can be used to provide stable pseudonymous identities on top of which reputation
systems can be built for Peer-to-Peer systems. Secondly, we examine the role Trusted Computing can play in protecting mobile agent systems. In this regard, we examine how mechanisms for protecting both agent hosts and mobile agents can be achieved by augmenting agent systems with Trusted Computing functionality.
Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2)
In this paper, we demonstrate how Trusted Computing technology can
be used to enhance the security of Internet-based Card Not Present
(CNP) transactions. We take a pragmatic approach, focusing here on
exploiting features of Trusted Computing as it is being deployed
today. Thus we rely only on the presence of client-side Trusted
Platform Modules, rather than upon the "idealised" deployment in
which Trusted Computing functionality is fully integrated with OS
and CPU, and which still seems to be a distant prospect. In essence,
our approach uses features of the Public Key Infrastructure that is
inherent in Trusted Computing to build lightweight client-side
enrollment and certification processes; public key certificates are
then used to underpin authentication for CNP payments. Using this
approach we demonstrate how Trusted Platform Module (TPM) enabled
platforms can integrate with SSL and 3-D Secure. We discuss the
threats to CNP transactions that remain even with our enhancements
in place, focussing in particular on the threat of malware, and how
it can be ameliorated.
Towards Secure E-Commerce Based on Virtualization and Attestation Techniques
We present a secure e-commerce architecture that is resistant to client compromise and man-in-the-middle attacks on SSL. To this end, we propose several security protocols that use attestation techniques offered by the Trusted Computing Group (TCG). Using these protocols, we can ensure that the client configuration remains untampered and trusted for the duration of the transaction. In addition, confidential data, such as authentication passwords, are only accessible by the electronic commerce server to which the users intend to transfer their data. Since we employ a trusted third party that is responsible for verifying a client's platform configuration, our approach does not depend on trusted computing at the server but instead only requires minor modification to server logic.
e-EMV: Emulating EMV for Internet Payments using Trusted Computing Technology
The introduction of Static Data Authentication (SDA) compliant EMV cards
with their improved cardholder verification and card authentication
capabilities has resulted in a dramatic reduction in the levels of fraud
seen at Point of Sale (POS) terminals. However, with this POS-based
reduction has come a corresponding increase in the level of fraud
associated with Internet-based Card Not Present (CNP) transactions. This
increase is largely attributable to the fact that Internet-based CNP
processing has no easy way of integrating EMV into its transaction
architecture. In this regard, payment is reliant on Mail Order Telephone
Order (MOTO) based processing where knowledge of card account details is
deemed a sufficient form of transaction authorisation.
This report aims to demonstrate how Trusted Computing technology can be
used to emulate EMV for use in Internet-based CNP
transactions. Through a combination of a Trusted Platform Module,
processor (with chipset extensions) and OS support we show how we can
replicate the functionality of standard EMV-compliant cards. The usage
of Trusted Computing in this setting allows a direct migration to more
powerful Combined DDA and application cryptogram generation (CDA) cards
as well as offering increased security benefits over those seen in EMV's
deployment for POS transactions. Customer to Merchant interaction in our
setting mirrors transaction processing at traditional POS terminals. We
build upon the services offered by Trusted Computing in order to provide
a secure and extensible architecture for Internet-based CNP transactions.