Shane Balfe and Kenneth G. Paterson (2006) e-EMV: Emulating EMV for Internet payments using Trusted Computing technology.
Full text access: Open
The introduction of Static Data Authentication (SDA) compliant EMV cards with their improved cardholder verification and card authentication capabilities has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (POS) terminals. However, with this POS-based reduction has come a corresponding increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the fact that Internet-based CNP processing has no easy way of integrating EMV into its transaction architecture. In this regard, payment is reliant on Mail Order Telephone Order (MOTO) based processing where knowledge of card account details is deemed a sufficient form of transaction authorisation. This report aims to demonstrate how Trusted Computing technology can be used to emulate EMV for use in Internet-based CNP transactions. Through a combination of a Trusted Platform Module, processor (with chipset extensions) and OS support we show how we can replicate the functionality of standard EMV-compliant cards. The usage of Trusted Computing in this setting allows a direct migration to more powerful Combined DDA and application cryptogram generation (CDA) cards as well as offering increased security benefits over those seen in EMV's deployment for POS transactions. Customer to Merchant interaction in our setting mirrors transaction processing at traditional POS terminals. We build upon the services offered by Trusted Computing in order to provide a secure and extensible architecture for Internet-based CNP transactions.
This is a Published version This version's date is: 17/11/2006 This item is peer reviewed
https://repository.royalholloway.ac.uk/items/03ef906a-ba3d-6978-8202-864e1a5f9942/1/
Deposited by () on 13-Jul-2010 in Royal Holloway Research Online.Last modified on 13-Dec-2010
[1] M. Al-Meaither and C. J. Mitchell. Extending EMV to supportmurabaha transactions. In Proceedings of the Seventh Nordic Work-shop on Secure IT Systems - Encouraging Cooperation, pages 95{108.NORDSEC 2003, 2003.
[2] Tiago Alves and Don Felton. Trustzone: Integrated hard-ware and software security. http://www.arm.com/products/CPUs/arch-trustzone.html, July 2004.
[3] APACS. Card fraud the facts 2005, April 2005.
[4] APACS. Card fraud the facts 2006. http://www.apacs.org.uk/resources_publications/documents/FraudtheFacts2006.pdf,April 2006.
[5] Visa International Service Association. 3-D SecureTM Protocol Speci¯ca-tion: Core Functions. http://international.visa.com/fb/paytech/secure/main.jsp, July 2002.
[6] Visa International Service Association. 3-D SecureTM Protocol Spec-i¯cation: System Overview. http://international.visa.com/fb/paytech/secure/main.jsp, May 2003.
[7] S. Balfe, A.D. Lakhani, and K.G. Paterson. Securing peer-to-peer net-works using trusted computing. In C.J. Mitchell, editor, Trusted Com-puting, pages 271{298. IEE Press, 2005.
[8] S. balfe and K.G. Paterson. Augmenting Internet-based Card NotPresent Transactions with Trusted Computing: An Analysis. Technicalreport, Technical report RHUL-MA-2006-9, (Department of Mathemat-ics, Royal Holloway, University of London, 2005). http://www.rhul.ac.uk/mathematics/techreports.
[9] J. Camenisch and A. Lysyanskaya. A signature scheme with e±cientprotocols. In Security in Communication Networks, Third InternationalConference, SCN 2002, volume 2576 of LNCS, pages 268{289. SpringerVerlag, 2003.
[10] EMVCo. Book 3 - Application Speci¯cation, 4.0 edition, December 2000.
[11] EMVCo. Book 1 - Application independent ICC to Terminal Interfacerequirements, 4.1 edition, May 2004.
[12] EMVCo. Book 2 - Security and Key Management, 4.1 edition, May2004.
[13] EMVCo. Book 3 - Application Speci¯cation, 4.1 edition, May 2004.
[14] EMVCo. Book 4 - Cardholder, Attendant, and Acquirer Interface Re-quirements, 4.1 edition, June 2004.
[15] E. Gallery and A. Tomlinson. Conditional access in mobile systems: Se-curing the application. In First International Conference on DistributedFrameworks for Multimedia Applications (DFMA'05), pages 190{197.IEEE, 2005.
[16] E. Gallery, A. Tomlinson, and R. Delicata. Application of trusted com-puting to secure video broadcasts to mobile receivers. Technical re-port, Technical report RHUL-MA-2005-11, (Department of Mathemat-ics, Royal Holloway, University of London, 2005). http://www.rhul.ac.uk/mathematics/techreports.
[17] Trusted Computing Group. TCG PC Speci¯c Implementation Speci¯-cation, 2003.
[18] Trusted Computing Group. Trusted computing: Opportunities andchallenges. https://www.trustedcomputinggroup.org/downloads/tcgpresentations/, 2004.
[19] Trusted Computing Group. Mobile Phone Work Group Use Cases, 2.7edition, 2005.
[20] Trusted Computing Group. TCG Infrastructure Working Group Ref-erence Architecture for Interoperability (Part I), 1.0 revision 1 edition,2005.
[21] Trusted Computing Group. TCG Trusted Network Connect TNC Ar-chitecture for Interoperability, 1.0 revision 4 edition, 2005.
[22] Trusted Computing Group. TCG Trusted Network Connect TNC IF-IMC, 1.0 revision 3 edition, 2005.
[23] Trusted Computing Group. TCG Trusted Network Connect TNC IF-IMV, 1.0 revision 3 edition, 2005.
[24] Trusted Computing Group. TPM Main: Part 1 Design Principles, 1.2revision 85 edition, 2005.
[25] Trusted Computing Group. TPM Main: Part 2 Structures of the TPM,1.2 revision 85 edition, 2005.
[26] Trusted Computing Group. TPM Main: Part 3 Commands, 1.2 revision85 edition, 2005.
[27] Trusted Computing Group. TCG Generic Server Speci¯cation, 2005Revision 0.8.
[28] Trusted Computing Group. TCG Software Stack Speci¯ciation Version1.2 Level 1, 2006.
[29] E.V. Herreweghen and U. Wille. Risks and potentials of using EMV forinternet payments. In In Proceedings of the First USENIX Workshopon Smartcard Technology. USENIX, May 1999.
[30] Intel. Lagrande technology architectural overview. http://www.intel.com/technology/security/, September 2003.
[31] MasterCard International. SecureCodeTM Merchant ImplementationGuide. http://www.mastercardmerchant.com/securecode/, March2004.
[32] V. Khu-Smith and C.J. Mitchell. Using EMV cards to protect e-commerce transactions. In Lecture Notes in Computer Science, volume2455 of E-Commerce and Web Technologies: Third International Con-ference, page 338, January 2002.
[33] J. Leyden. Chip and pin hits 8 million cards.
[34] M. and T. Wobber. A logical account of NGSCB. In 24th IFIP WG6.1 International Conference on Formal Techniques for Networked andDistributed Systems, volume 3235 of LNCS, pages 1{12. Springer Verlag,2004.
[35] P. Meadowcroft. Combating card fraud. http://www.scmagazine.com/uk/news/article/459478/combating+card+fraud/, January 2005.
[36] D. O'Mahony, M. Peirce, and H. Tewari. Electronic Payment Systemsfor E-Commerce 2nd edition. Artech House, 2001.
[37] M. Peinado, Y. Chen, P. England, and J. Manferdelli. NGSCB: Atrusted open system. In Proceedings of the 9th Australasian Confer-ence on Information Security and Privacy, volume 2738 of LNCS, pages86{97. Springer Verlag, 2004.
[38] C. Radu. Implementing Electronic Card Payment Systems. ArtechHouse, 2002.
[39] IBM Global Services. IBM Global Business Security Index Report,February 2005.
[40] Visa and Mastercard. Payment card industry data security standard.http://usa.visa.com/download/business/accepting\_visa/ops\_risk\_management/cisp\_PCI\_Data\_Security\_Standard.pdf,2004.
[41] J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross,B. de Bruijn, C. de Laat, M. Holdrege, and D. Spence. RFC2904 {AAA Authorization Framework, 2000.
[42] J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross,B. de Bruijn, C. de Laat, M. Holdrege, and D. Spence. RFC2905 {AAA Authorization Application Examples, 2000.
[43] J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross,B. de Bruijn, C. de Laat, M. Holdrege, and D. Spence. RFC2906 {AAA Authorization Requirements, 2000.
[44] K. Zetter. Cardsystems' data left unsecured. http://www.wired.com/news/technology/0,1282,67980,00.html, 2004.