Enhancing the security of electronic commerce transactions

This thesis looks at the security of electronic commerce transaction process- ing. It begins with an introduction to security terminology used in the thesis. Security requirements for card payments via the Internet are then described, as are possible protocols for electronic transaction processing. It appears that currently the Secure Socket Layer (SSL) protocol together with its standardised version Transport Layer Security (TLS) are the most widely used means to se- cure electronic transactions made over the Internet. Therefore, the analysis and discussions presented in the remainder of the thesis are based on the assumption that this protocol provides a `baseline' level of security, against which any novel means of security should be measured. The SSL and TLS protocols are analysed with respect to how well they satisfy the outlined security requirements. As SSL and TLS provide transport layer security, and some of the security requirements are at the application level, it is not surprising that they do not address all the identi¯ed security requirements. As a result, in this thesis, we propose four protocols that can be used to build upon the security features provided by SSL/TLS. The main goal is to design schemes that enhance the security of electronic transaction processing whilst imposing minimal overheads on the involved parties. In each case, a description of the new scheme is given, together with its advantages and limitations. In the ¯rst protocol, we propose a way to use an EMV card to improve the security of online transactions. The second protocol involves the use of the GSM subscriber authentication service to provide user authentication over the Internet. Thirdly, we propose the use of GSM data con¯dentiality service to protect sensitive information as well as to ensure user authentication. Regardless of the protection scheme employed for the transactions, there exist threats to all PCs used to conduct electronic commerce transactions. These residual threats are examined, and motivate the design of the fourth protocol, proposed speci¯cally to address cookie threats

Declaration

commerce transaction

Enhancing e-commerce security using GSM authentication

Today, e-commerce transactions are typically protected using SSL/TLS. However, there are risks in such use of SSL/TLS, notably threats arising from the fact that information is stored in clear at the end point of the communication link and the lack of user authentication. Although SSL/TLS does o#er the latter, it is optional and usually omitted since users typically do not have the necessary asymmetric key pair. In this paper, we propose a payment protocol in which user authentication is provided using GSM `subscriber identity authentication'. In the protocol, a consumer is required to possess a GSM mobile station registered under a subscriber name corresponding to that on his/her debit/credit card. The cardholder identity is combined with the GSM subscriber identity in such a way that without a mobile station, in particular the SIM, and the corresponding debit/credit card, an unscrupulous user will find it difficult to make a fraudulent payment at the expense of the legitimate cardholder. This is achieved in such a way that no management overhead is imposed on the user