e-Commerce security under scrutiny

www.cps-europe.com

Over the last few years Web-based companies such as Amazon and eBay have opened our eyes to the potential of electronic commerce over the Internet. These days it is easy to buy and sell shares through an online broker, make travel reservations, purchase books and CDs, even order groceries for home delivery, all through the Web browser on your PC. The benefits of such services can be considerable in terms of cost savings and convenience, but as the number of online shopping and transaction services continues to grow, there is a worrisome downside: transaction security.

A matter of trust
Every time we use a credit card to pay for goods or services, after dining out for example, we trust the company's staff not to use the card details for fraudulent purposes. Although we know that such fraud costs the credit card companies millions of dollars each year, we feel secure in the knowledge that it is unlikely to happen to us and that the card issuer protects us if it does. In practice the card companies usually accept liability for fraudulent Internet transactions only above an amount of fifty dollars; below that amount, the cardholder pays.

Fraud on the internet
Armed only with your credit card details, a criminal can easily order goods and services from any one of the thousands of commercial web sites on the Internet today. In a recent case, a California-based "adult services" company netted more than $40 million by legitimately purchasing lists of valid credit card numbers from a bank and then fraudulently charging $19.95 to every cardholder's account. In another recent case, in England, two 18-year-old students retrieved 26,000 credit card numbers from web shops located in the USA, Canada, Thailand, Japan and England; the total value of this fraud was estimated at over $3 million.

Sensitive data scare
Stories like these regularly receive international press and media coverage, with the result that potential users of e-commerce services are afraid to send their credit card details over the Internet. Market analysts Ernst & Young state: "97% of all households do not buy online because they do not feel comfortable sending credit card data across the Web, and 62% of online consumers have the same fear". Despite these fears, the number of online payments is growing very rapidly, due largely to the trust placed in the SSL protocol, which encrypts communications between browser and server. That trust is somewhat misplaced: SSL protects the data only while it is in transit, many merchants then store it on servers with inadequate security, and the weakest link is usually the user's PC and the software running on it.

For online merchants and service providers this has a serious knock-on effect: their markets and turnover are limited by the lack of consumer confidence in online transaction security. The real breakthrough in consumer e-commerce will only come with an end-to-end solution that authenticates both the merchant's and the consumer's identities and stores and transmits confidential information securely.

Enter the virus
Whenever a PC connects to the Internet, it is exposed to many kinds of malicious software. Such programs are categorised according to how they operate, under names such as Trojan horse, worm and logic bomb; the ominously named Back Orifice is a well-known remote-control Trojan that gives an attacker control of an infected PC. The "Love Bug" or "I love you" virus was a recent example that affected a huge number of e-mail servers and computers belonging to companies and individuals around the world. In many cases corporate e-mail servers were unusable for days, and within two weeks of this attack new and more damaging viruses, known as "Herbie" and "Melissa 11", had already struck further systems.

Such viruses are usually transmitted disguised as innocuous e-mail attachments. The most common are designed to replicate themselves by e-mail to all the addresses stored on the PC, while damaging or altering the operating system. However, it is just as easy for a new virus to remain undetected on a PC and undermine the software handling an Internet transaction by: capturing PINs and credit card data as they are typed; tampering with purchase amounts; spoofing, that is, imitating an expected application; subverting the software generation of random numbers; tampering with security protocols; and locking up an account by entering invalid PINs. Because the SSL protocol that secures Internet communication runs entirely in software, malware running with the user's privileges can read the session keys out of PC memory while the encryption is being performed, and so decrypt the traffic.

The weak link
Considerable efforts are being made within the industry to allay customers' concerns about data security. Merchants that give the highest priority to safeguarding their customers' data generally establish strong reputations and gain market share. The best-known merchants and financial institutions all use servers with hardware-based protection of sensitive consumer data, and SSL to secure transmission over the Internet. This leaves the client PC as the weak link, with poor protection of the credit card and personal data that is typed in, stored and displayed on it.

Creating client confidence
The electronic equivalent of a passport, a digital certificate is a standardised, widely accepted means of identification on the Internet. Merchant servers and client PCs alike can hold one, issued by a certification authority that has vouched for the holder's identity. For the client, the server's certificate gives a high degree of assurance that the transaction is taking place with the intended merchant's server and not a look-alike impostor. For the merchant, however, a client certificate is insufficient: its private key lives on the PC, so only the PC is identified, not the person sitting at it conducting the transaction.

The most common solution to this problem is a client password. Unfortunately, with so many passwords to remember, users tend to store them on the PC, where they become an easy target for a virus or for anyone with unauthorised use of the machine. A far better solution is the electronic analogue of the keys in your pocket and the cards in your wallet: the smart card.

Smart card security

Looking very like a regular credit or bank card, a smart card has a microprocessor and memory built into it, capable of performing cryptographic functions and holding a personal digital certificate whose private key is unlocked by a PIN. When you perform a transaction, a challenge-response dialogue takes place between the server and the smart card using public-key (PKI) credentials, and only a correct response, which the card produces only after the right PIN has been entered, authenticates you as the valid client.

A good example is the "Blue Card", a smart card provided by American Express together with a reader that simply plugs into your PC. The card authenticates the user to the American Express "electronic wallet" service, which pays for goods and services online, so your card details need not sit on numerous merchant servers of questionable security. The weakness of this arrangement is that the reader has no keypad or display of its own and relies on the PC for both: the PIN is typed on the PC keyboard and the amount is shown on the PC screen. Malware on the PC can therefore capture the PIN and, potentially, alter the amount after it has been displayed and agreed as the charge.

End-to-end system security
A solution to data security in the client PC has been developed by a small Dutch chip design company that is rapidly establishing itself as a leading player in high-speed cryptographic hardware, Pijnenburg Custom Chips (PCC). Working with CPS Europe, its product-focused sister company, PCC has developed a chip technology known as KeySmart. KeySmart provides firewall protection and handles all cryptographic session keys (using PKI) directly in the silicon of the chip. Because the session keys are generated and used inside the chip rather than in software, they are never resident in PC memory or on the hard disk, and malware on the PC cannot read them in order to decrypt the communications.

Already successful in supplying high-speed cryptographic chips to major server manufacturers such as Compaq and IBM, PCC has now developed a low-cost chip, the PCC400, from which secure terminals can be built.

A complete end-to-end solution is available in the FinSafe range of secure smart card readers from CPS Europe. FinSafe readers incorporate a keypad, an LCD display and PCC's KeySmart technology, providing firewall protection (blocking communication to the PC and the Internet) for entered data such as PINs and chargeable amounts as well as for data stored on the smart card. Because the PIN is entered on the reader's own keypad and the amount is confirmed on its own display, neither passes through the PC, and what the card signs is the amount the user actually saw. To be compatible with a range of smart cards and payment schemes, operational control is handled by small programs known as 'smartlets' that run in the reader. These smartlets are downloaded to the reader from the merchant's site using the public key infrastructure; since a smartlet controls the reader, the reader must verify the signature on a smartlet before running it, otherwise a compromised PC could load a rogue one. This gives the user a fully secured communications path to the merchant's server when transmitting the sensitive data needed to pay for goods or services.
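The following simulation is an added example, not code from CPS Europe, American Express or PCC. It models the PIN-gated challenge-response described under "Smart card security", the PC-keyboard weakness of the Blue Card arrangement, and the keypad-and-display reader described above, so that the difference between the two can be seen end to end. One assumption is made for the sake of running with the standard library only: the card's private-key signature is stood in for by an HMAC-SHA256 tag over a key shared between card and issuer. The protocol shape is what matters here: a fresh server challenge, the amount and merchant bound into the signed message, a PIN try counter, and a PC that may or may not be compromised sitting between reader and server.

```python
"""Simulated smart-card payment authorisation (constructed example).

The 'signature' is HMAC-SHA256 under a key shared by card and issuer, standing in
for the card's private-key signature; everything else follows the protocol in the text.
"""
import hashlib
import hmac
import secrets


def _message(card_id: str, challenge: bytes, amount_cents: int, merchant: str) -> bytes:
    # Everything the server must be able to trust is bound into the signed message:
    # who pays, the fresh challenge (anti-replay), how much, and to which merchant.
    return f"{card_id}|{challenge.hex()}|{amount_cents}|{merchant}".encode()


class SmartCard:
    """Holds the key and the PIN; releases a signature only after correct PIN entry."""

    def __init__(self, card_id: str, pin: str, key: bytes, max_tries: int = 3):
        self.card_id = card_id
        self._pin = pin
        self._key = key
        self._max_tries = max_tries
        self._tries_left = max_tries
        self.locked = False

    def sign(self, pin: str, challenge: bytes, amount_cents: int, merchant: str) -> bytes:
        if self.locked:
            raise PermissionError("card locked")
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self._tries_left -= 1          # repeated wrong PINs lock the card (the lock-up attack)
            if self._tries_left == 0:
                self.locked = True
            raise PermissionError("wrong PIN")
        self._tries_left = self._max_tries
        msg = _message(self.card_id, challenge, amount_cents, merchant)
        return hmac.new(self._key, msg, hashlib.sha256).digest()


class IssuerServer:
    """Issues one-time challenges and verifies the card's response against them."""

    def __init__(self, card_keys: dict):
        self._card_keys = card_keys        # card_id -> key (stands in for the card's certificate)
        self._outstanding = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, card_id: str, challenge: bytes, amount_cents: int, merchant: str, tag: bytes) -> bool:
        if challenge not in self._outstanding:
            return False                   # unknown or already-used challenge: replay attempt
        self._outstanding.discard(challenge)
        key = self._card_keys.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, _message(card_id, challenge, amount_cents, merchant), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class PC:
    """The user's PC relaying traffic. If compromised, malware records any PIN it
    handles and inflates any amount it is allowed to supply (here by 100x)."""

    def __init__(self, compromised: bool = False):
        self.compromised = compromised
        self.captured_pin = None

    def relay_pin(self, pin: str) -> str:
        if self.compromised:
            self.captured_pin = pin
        return pin

    def relay_amount(self, amount_cents: int) -> int:
        return amount_cents * 100 if self.compromised else amount_cents


def pay_with_pc_keyboard_reader(card, server, pc, pin, amount_cents, merchant):
    """Reader without keypad/display: PIN typed on the PC, amount shown on the PC,
    both handed to the card by the PC. Returns (accepted, amount actually signed)."""
    challenge = server.challenge()
    signed_amount = pc.relay_amount(amount_cents)        # altered before the card ever sees it
    tag = card.sign(pc.relay_pin(pin), challenge, signed_amount, merchant)
    return server.verify(card.card_id, challenge, signed_amount, merchant, tag), signed_amount


def pay_with_secure_reader(card, server, pc, pin, amount_cents, merchant):
    """Reader with its own keypad and LCD: PIN and confirmed amount stay inside the
    reader; the PC relays only challenge and response. Returns (accepted, amount claimed)."""
    challenge = server.challenge()
    tag = card.sign(pin, challenge, amount_cents, merchant)   # signs what the user saw on the LCD
    claimed_amount = pc.relay_amount(amount_cents)            # malware can still lie to the server...
    return server.verify(card.card_id, challenge, claimed_amount, merchant, tag), claimed_amount  # ...but the tag will not match


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    card = SmartCard("4111-0001", "1234", key)
    server = IssuerServer({"4111-0001": key})
    print("PC-keyboard reader, compromised PC:", pay_with_pc_keyboard_reader(card, server, PC(True), "1234", 1995, "shop.example"))
    print("secure reader, compromised PC:    ", pay_with_secure_reader(card, server, PC(True), "1234", 1995, "shop.example"))
```

With a compromised PC the first scenario is accepted for 100 times the displayed amount and the PIN has been captured; the second is rejected because the card signed the amount shown on the reader, and the PC never saw the PIN. Replaying a used challenge is rejected, and three wrong PINs lock the card, which is exactly why the PIN path must not be reachable by software on the PC.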
