e-Commerce security under scrutiny
Over the last few years, Web-based companies such as Amazon and eBay have opened our eyes to the potential of electronic commerce over the Internet. These days it is easy to buy and sell shares through an online broker, make travel reservations, purchase books and CDs, and even order groceries for home delivery using e-commerce services in the Web browser of your PC. The benefits of using such services can be considerable in terms of cost savings and convenience but, as the number of online shopping and transaction services continues to grow, there is a worrisome downside: transaction security.
A matter of trust
Fraud on the
For online merchants and service providers this has a serious knock-on effect, as their markets and turnover are severely limited by the lack of consumer confidence in online transaction security. The real breakthrough in consumer e-commerce will only happen once there is an end-to-end system solution capable of authenticating the merchant and consumer identities and storing and sending confidential information in a highly secure manner.
Enter the virus
Such viruses are usually transmitted disguised as innocuous e-mail attachments. The most common are designed to replicate themselves via e-mail to all the addresses stored on the PC whilst damaging or altering the computer's operating system. However, it is just as simple for a new virus to remain undetected on a PC and undermine the reliability of the software handling an Internet transaction by: retrieving unauthorised PIN and credit card data, tampering with purchase amounts, spoofing (appearing like an expected application), falsely generating random numbers in software, tampering with security protocols, and locking up accounts by entering invalid PINs. As the cryptographic protocol (SSL) that secures Internet communication runs entirely in software, hackers could easily determine the session keys from PC memory during the encryption process.
The weak link
The most common solution to this problem is the use of a client password. Unfortunately, with so many passwords to remember, they are likely to be stored in PC memory and thus become an easy target in the event of a virus attack or unauthorised use of the PC. A far better solution is analogous to the keys in your pocket and the cards in your purse or wallet: the smart card.
Smart card security
Appearing very similar to a regular credit card or bankcard, a smart card has a microprocessor and memory built into it that are capable of providing cryptographic functions and a 'personal' digital certificate associated with a PIN. When you wish to perform a transaction, a dialogue occurs between the server and the smart card using Public Key Infrastructure (PKI) keys, and only a correct response based on the PIN entry authenticates you as the valid client.
A good example of this is the "Blue Card", a smart card provided by American Express along with a smart card reader that simply connects to your PC. With this system, the smart card provides user authentication in order to access the American Express "electronic wallet" service to pay for goods and services online. This is much better than having your credit card details on numerous merchant servers with questionable data security. The weakness of this system is that the smart card reader works through the PC, which makes the overall system insecure: a hacker could determine the PIN entered on the PC keyboard and, potentially, change the amount that has been displayed and agreed as a charge.
Already highly successful at marketing high-speed cryptographic chips to major server computer manufacturers such as Compaq and IBM, PCC has now developed a low-cost chip known as the PCC400 that allows secure terminals to be created.
A complete end-to-end solution is available in the FinSafe range of secure smart card readers from CPS Europe. FinSafe smart card readers incorporate a keypad, an LCD display and PCC's KeySmart technology to provide firewall protection (blocking communication to the PC and Internet) of entered data such as PINs and chargeable amounts, as well as of smart card-stored data. In order to be compatible with a range of different smart cards and payment schemes, the operational control is handled by small programs known as 'smartlets' that run in the reader. These 'smartlets' are downloaded to the reader from the merchant's site using the Public Key Infrastructure. This provides the user with a fully secured communications path to the merchant's server computer when transmitting the sensitive data necessary to pay for goods or services.