e-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2

Shane Balfe and Kenneth G. Paterson

(2008)

Shane Balfe and Kenneth G. Paterson (2008) e-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2.

Our Full Text Deposits

Full text access: Open

Full Text - 321.97 KB

Links to Copies of this Item Held Elsewhere

Mathematics Departmental Web Page

Abstract

The introduction of EMV-compliant payment cards, with their improved cardholder verification and card authentication capabilities, has resulted in a dramatic reduction in the levels of fraud seen at Point of Sale (PoS) terminals across Europe. However, this reduction has been accompanied by an alarming increase in the level of fraud associated with Internet-based Card Not Present (CNP) transactions. This increase is largely attributable to the weaker authentication pro- cedures involved in CNP transactions. This paper shows how the functionality associated with EMV-compliant payment cards can be securely emulated in software on platforms supporting Trusted Com- puting technology. We describe a detailed system architecture encom- passing user enrollment, card deployment (in the form of software), card activation, and subsequent transaction processing. Our proposal is compatible with the existing EMV transaction processing architec- ture, and thus integrates fully and naturally with already deployed EMV infrastructure. We show that our proposal, which effectively makes available the full security of PoS transactions for Internet-based CNP transactions, has the potential to significantly reduce the oppor- tunity for fraudulent CNP transactions.

Information about this Version

This is a Published version
This version's date is: 07/03/2008
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/db1f86f4-249b-455f-aed7-83b52b46b371/1/

Item TypeMonograph (Technical Report)
Titlee-EMV: Emulating EMV for Internet payments using Trusted Computing technology v-2
AuthorsBalfe, Shane
Paterson, Kenneth G.
DepartmentsFaculty of Science\Mathematics

Deposited by () on 13-Jul-2010 in Royal Holloway Research Online.Last modified on 13-Dec-2010

Notes

References

[1] M. Abadi and T. Wobber. A logical account of NGSCB. In David
de Frutos-Escrig and Manuel N¶u nez, editors, Proceedings of the 24th
International Conference on Formal Techniques for Networked and Dis-
tributed Systems (FORTE 2004), volume 3235 of LNCS, pages 1{12.
Springer Verlag, 2004.

[2] M. Al-Meaither and C. J. Mitchell. Extending EMV to support
Murabaha transactions. In Proceedings of the 7th Nordic Workshop
on Secure IT Systems (NordSec 2007), pages 95{108, Gjovik Univer-
sity College, Norway, October 2003. Department of Telematics, NTNU,
Trondheim, Norway.

[3] A. Alsaid and C. J. Mitchell. Preventing phishing attacks using trusted
computing technology. In Proceedings of the 6th International Network
Conference (INC 2006), pages 221{228, July 2006.

[4] AMD. AMD64 architecture programmer's manual: Volume 2: System
programming, AMD Publication no. 24594 rev. 3.11 edition, May 2006.

[5] APACS. Card fraud the facts 2006. http://www.apacs.org.uk/
resources_publications/documents/FraudtheFacts2006.pdf,
April 2006.

[6] APACS. Card fraud losses continue to fall. http://www.apacs.org.
uk/media_centre/press/07_14_03.html, March 2007.

[7] B. Balache®, D. Chan, L. Chen, S. Pearson, and G. Proudler. Secur-
ing intelligent adjuncts using trusted computing platform technology.
In Proceedings of the 4th working Smart Card Research and Advanced
Applications (CARDIS 2001), pages 177{195. Kluwer Academic Pub-
lishers, Norwell, MA, USA, 2001.

[8] S. Balfe, A.D. Lakhani, and K.G. Paterson. Securing peer-to-peer net-
works using trusted computing. In C.J. Mitchell, editor, Trusted Com-
puting, pages 271{298. IEE Press, 2005.

[9] P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neuge-
bauery, I. Pratt, and A. War¯eld. Xen and the art of virtualization. In
Proceedings of the 19th ACM Symposium on Operating Systems Princi-
ples (SOSP 2003), pages 164{177, The Sagamore, Bolton Landing (Lake
George), New York, 19{22 October 2003. ACM Press, Bolton Landing,
New York, USA.

[10] E. Brickell, J. Camenisch, and L. Chen. Direct anonymous attestation.
In Proceedings of the 11th ACM conference on Computer and Commu-
nications Security (CCS 2004), pages 132{145, Washington DC, USA,
2004. ACM Press, New York, NY, USA.

[11] PCI Security Standards Council. Payment Card Industry Data Security
Standard { Version 1.1. https://www.pcisecuritystandards.org/
tech/download_the_pci_dss.htm, 2006.

[12] R. Dhamija, J. D. Tygar, and M. Hearst. Why phishing works. In
Proceedings of the SIGCHI Conference on Human factors in computing
systems (CHI 2006), pages 581{590, Montreal, Qubec, Canada, 2006.
ACM Press, New York, NY, USA.

[13] EMVCo. Book 3 - Application Speci¯cation, 4.0 edition, December 2000.

[14] EMVCo. Book 1 - Application independent ICC to Terminal Interface
requirements, 4.1 edition, May 2004.

[15] EMVCo. Book 2 - Security and Key Management, 4.1 edition, May
2004.

[16] EMVCo. Book 3 - Application Speci¯cation, 4.1 edition, May 2004.

[17] EMVCo. Book 4 - Cardholder, Attendant, and Acquirer Interface Re-
quirements, 4.1 edition, June 2004.

[18] S. Gajek, A-R. Sadeghi, C. StÄuble, and M. Winandy. Compartmented
security for browsers{or how to thwart a phisher with trusted computing.
ARES, 0:120{127, 2007.

[19] E. Gallery and A. Tomlinson. Conditional access in mobile systems: Se-
curing the application. In First International Conference on Distributed
Frameworks for Multimedia Applications (DFMA 2005), pages 190{197.
IEEE, 2005.

[20] V. Haldar, D. Chandra, and M. Franz. Semantic remote attestation: A
virtual machine directed approach to trusted computing. In USENIX
Virtual Machine Research and Technology Symposium, pages 19{41.
USENIX, May 2004.

[21] E.V. Herreweghen and U. Wille. Risks and potentials of using EMV
for internet payments. In Proceedings of the 1st USENIX Workshop on
Smartcard Technology, pages 163{174. USENIX, May 1999.

[22] IBM-Global-Services. IBM Global Business Security Index Report,
February 2005.

[23] Intel-Corporation. LaGrande Technology Preliminary Architecture Spec-
i¯cation, intel publication no. d52212 edition, May 2006.

[24] C. Jackson, D. Boneh, and J. Mitchell. Attack of the transaction gen-
erators. http://crypto.stanford.edu/SpyBlock/spyblock.pdf.

[25] C. Jackson, D. Boneh, and J. Mitchell. Spyware resistant web au-
thentication using virtual machines. http://crypto.stanford.edu/
antiphishing/spyblock.pdf.

[26] T. Jaeger, R. Sailer, and U. Shankar. PRIMA: policy-reduced integrity
measurement architecture. In Proceedings of the 11th ACM Symposium
on Access Control Models And Technologies (SACMAT 2006), pages
19{28, Lake Tahoe, California, USA, 2006. ACM Press, New York, NY,
USA.

[27] V. Khu-Smith and C.J. Mitchell. Using EMV Cards to Protect E-
commerce Transactions. In Proceedings of the 3rd International Confer-
ence on E-Commerce and Web Technologies (EC-WEB 2002), volume
2455, pages 388{399. Springer-Verlag, London, UK, January 2002.

[28] J.M. McCune, B. Parno, A. Perrig, M.K. Reiter, and A. Seshadri. Mini-
mal TCB Code Execution. In Proceedings of the 2007 IEEE Symposium
on Security and Privacy, pages 267{272. IEEE Computer Society, Wash-
ington, DC, USA, 2007.

[29] P. Meadowcroft. Combating card fraud. http://www.scmagazine.com/
uk/news/article/459478/combating+card+fraud/, January 2005.

[30] C.J. Mitchell, editor. Trusted Computing. IEE Professional Applications
of Computing Series 6. The Institute of Electrical Engineers (IEE), Lon-
don, UK, April 2005.

[31] C. Radu. Implementing Electronic Card Payment Systems. Artech
House, Inc., Norwood, MA, USA, 2002.

[32] A-R. Sadeghi, M. Selhorst, C. StÄuble, C. Wachsmann, and M. Winandy.
TCG inside?: a note on TPM speci¯cation compliance. In Proceedings
of the 1st ACM workshop on Scalable trusted computing (STC 2006),
pages 47{56, Alexandria, Virginia, USA, 2006. ACM Press, New York,
NY, USA.

[33] A-R. Sadeghi and C. StÄuble. Property-based attestation for computing
platforms: caring about properties, not mechanisms. In Proceedings
of the 2004 workshop on new security paradigms (NSPW 2004), pages
67{77, Nova Scotia, Canada, 2004. ACM Press, New York, NY, USA.

[34] A-R. Sadeghi, C. StÄuble, and N. Pohlmann. European Multilateral Se-
cure Computing Base: Open Trusted Computing for You and Me. http:
//www.prosec.rub.de/Publications/SaStPo2004Web.pdf, 2004.

[35] U.S. Securities and Exchange Commission. Form 10-K { The TJX Com-
panies, INC. http://www.sec.gov/Archives/edgar/data/109198/
000095013507001906/b64407tje10vk.htm, 2007.

[36] A. Seshadri, M. Luk, N. Qu, and A. Perrig. SecVisor: a tiny hypervisor
to provide lifetime kernel code integrity for commodity OSes. In Proceed-
ings of 21st ACM SIGOPS symposium on Operating Systems Principles
(SOSP 2007), pages 335{350, Stevenson, Washington, USA, 2007. ACM
Press, New York, NY, USA.

[37] SETCo. SET Secure Electronic Transaction 1.0 speci¯cation |
the formal protocol de¯nition. http://www.cl.cam.ac.uk/research/
security/resources/SET/, May 1997.

[38] E. Shi, A. Perrig, and L.V. Doorn. BIND: A Fine-Grained Attestation
Service for Secure Distributed Systems. In Proceedings of the 2005 IEEE
Symposium on Security and Privacy, pages 154{168. IEEE Computer
Society, Washington, DC, USA, 2005.

[39] TCG. TCG PC Speci¯c Implementation Speci¯cation, 2003. https:
//www.trustedcomputinggroup.org/downloads/specifications.

[40] TCG. TCG Speci¯cation Architecture Overview, 1.2 edition,
2004. https://www.trustedcomputinggroup.org/downloads/
specifications.

[41] TCG. Trusted computing: Opportunities and challenges. https://www.
trustedcomputinggroup.org/downloads/tcgpresentations/, 2004.

[42] TCG. Interoperability Speci¯cation for Backup and Migration Services,
1.0 revision 1.0 edition, 2005. https://www.trustedcomputinggroup.
org/specs/IWG/.

[43] TCG. TCG Mobile Trusted Module Speci¯cation, .09 draft edition, 2006.
https://www.trustedcomputinggroup.org/specs/mobilephone/.

[44] TCG. TCG Speci¯cation Architecture Overview Revision 1.2, 1.2 re-
vision 93 edition, 2006. https://www.trustedcomputinggroup.org/
downloads/specifications.

[45] TCG. TPM Main: Part 1 Design Principles, 1.2 revision 93 edi-
tion, 2006. https://www.trustedcomputinggroup.org/downloads/
specifications.

[46] TCG. TPM Main: Part 2 Structures of the TPM, 1.2 revision 93 edi-
tion, 2006. https://www.trustedcomputinggroup.org/downloads/
specifications.

[47] TCG. TPM Main: Part 3 Commands, 1.2 revision 93 edi-
tion, 2006. https://www.trustedcomputinggroup.org/downloads/
specifications.

[48] The Sunday Times. Don't use cards at petrol stations. http://
business.timesonline.co.uk/, Febuary 18 2007.

[49] Visa. 3-D SecureTM Protocol Speci¯cation: System Overview. http://
international.visa.com/fb/paytech/secure/main.jsp, May 2003.

[50] Visa. Cardholder information security program { list of vali-
dated payment applications. http://usa.visa.com/merchants/risk_
management/cisp_payment_applications.html, October 2007.

[51] Visa. Cardholder information security program bulletin 102307{
visa announces new payment application security mandates.
http://usa.visa.com/merchants/risk_management/cisp_payment_
applications.html, October 2007.

Details