    e-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2

    The introduction of EMV-compliant payment cards, with their improved cardholder verification and card authentication capabilities, has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (PoS) terminals across Europe. However, this reduction has been accompanied by an alarming increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the weaker authentication procedures involved in CNP transactions. This paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Computing technology. We describe a detailed system architecture encompassing user enrollment, card deployment (in the form of software), card activation, and subsequent transaction processing. Our proposal is compatible with the existing EMV transaction processing architecture, and thus integrates fully and naturally with already deployed EMV infrastructure. We show that our proposal, which effectively makes available the full security of PoS transactions for Internet-based CNP transactions, has the potential to significantly reduce the opportunity for fraudulent CNP transactions.

    Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis

    In this paper, we demonstrate how the staged roll-out of Trusted Computing technology, beginning with ubiquitous client-side Trusted Platform Modules (TPMs), can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. This approach can be seen as an alternative to the proposed mass deployment of unconnected card readers in the provision of CNP transaction authorisation. Using TPM functionality (and the new PC architecture that will evolve around it), we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D Secure and server-side SET. We highlight how the use of TPM functionality, as is currently being deployed in the marketplace, is not a panacea for solving all the problems associated with CNP transactions. In this instance, a more holistic approach requiring additional Trusted Computing components incorporating Operating System, processor and chipset support is required to combat the threat of malware.

    Secure Payment Architectures and Other Applications of Trusted Computing

    This thesis is divided into two distinct parts. The first part of the thesis explores the role Trusted Computing can play in securing Internet-based Card Not Present (CNP) transactions. We highlight how Trusted Platform Module (TPM) enabled platforms, as are currently available in the marketplace, can be used as adjuncts to CNP-enabling protocols, such as SSL and 3-D Secure. As an extension to this, we demonstrate how newer Trusted Computing technologies, such as processor, chipset and operating system extensions, can provide a measured virtualisation layer on top of which emulated EMV (chip and PIN) cards can run. The second part of this thesis looks at how Trusted Computing can be used to add security functionality to a number of computing paradigms. Firstly, we examine how Trusted Computing can be used to provide stable pseudonymous identities on top of which reputation systems can be built for Peer-to-Peer systems. Secondly, we examine the role Trusted Computing can play in protecting mobile agent systems. In this regard, we examine how mechanisms for protecting both agent hosts and mobile agents can be achieved by augmenting agent systems with Trusted Computing functionality.

    Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis (Vol 2)

    In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the "idealised" deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focusing in particular on the threat of malware, and how it can be ameliorated.

    Towards Secure E-Commerce Based on Virtualization and Attestation Techniques

    We present a secure e-commerce architecture that is resistant to client compromise and man-in-the-middle attacks on SSL. To this end, we propose several security protocols that use attestation techniques offered by the Trusted Computing Group (TCG). Using these protocols, we can ensure that the client configuration remains untampered and trusted for the duration of the transaction. In addition, confidential data, such as authentication passwords, are only accessible by the electronic commerce server to which the users intend to transfer their data. Since we employ a trusted third party that is responsible for verifying a client's platform configuration, our approach does not depend on trusted computing at the server but instead only requires minor modification to server logic.

    e-EMV: Emulating EMV for Internet Payments using Trusted Computing Technology

    The introduction of Static Data Authentication (SDA) compliant EMV cards, with their improved cardholder verification and card authentication capabilities, has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (POS) terminals. However, with this POS-based reduction has come a corresponding increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the fact that Internet-based CNP processing has no easy way of integrating EMV into its transaction architecture. In this regard, payment is reliant on Mail Order Telephone Order (MOTO) based processing, where knowledge of card account details is deemed a sufficient form of transaction authorisation. This report aims to demonstrate how Trusted Computing technology can be used to emulate EMV for use in Internet-based CNP transactions. Through a combination of a Trusted Platform Module, processor (with chipset extensions) and OS support, we show how we can replicate the functionality of standard EMV-compliant cards. The usage of Trusted Computing in this setting allows a direct migration to more powerful Combined DDA and application cryptogram generation (CDA) cards, as well as offering increased security benefits over those seen in EMV's deployment for POS transactions. Customer to Merchant interaction in our setting mirrors transaction processing at traditional POS terminals. We build upon the services offered by Trusted Computing in order to provide a secure and extensible architecture for Internet-based CNP transactions.