Shane Balfe and Kenneth G. Paterson (2006). Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis.
Full text access: Open
In this paper, we demonstrate how the staged roll-out of Trusted Computing technology, beginning with ubiquitous client-side Trusted Platform Modules (TPMs), can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. This approach can be seen as an alternative to the proposed mass deployment of unconnected card readers for authorising CNP transactions. Using TPM functionality (and the new PC architecture that will evolve around it), we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D Secure and server-side SET. We highlight that TPM functionality, as currently being deployed in the marketplace, is not a panacea for all the problems associated with CNP transactions. Here, a more holistic approach requiring additional Trusted Computing components, with operating system, processor and chipset support, is needed to combat the threat of malware.
This is a published version. This version's date is 24/10/2006. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/e7d86d8e-1fa4-a6c3-9c38-fa76a0442009/1/
Deposited by () on 12-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010.