Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis

Shane Balfe and Kenneth G. Paterson

(2006)

Shane Balfe and Kenneth G. Paterson (2006) Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis.


Abstract

In this paper, we demonstrate how the staged roll out of Trusted Computing technology, beginning with ubiquitous client-side Trusted Platform Modules (TPMs), can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. This approach can be seen as an alternative to the proposed mass deployment of unconnected card readers in the provision of CNP transaction authorisation. Using TPM functionality (and the new PC architecture that will evolve around it) we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D Secure and server-side SET. We highlight how the use of TPM functionality, as is currently being deployed in the marketplace, is not a panacea for solving all the problems associated with CNP transactions. In this instance, a more holistic approach requiring additional Trusted Computing components incorporating Operating System, processor and chipset support is required to combat the threat of malware.

Information about this Version

This is a Published version
This version's date is: 24/10/2006
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/e7d86d8e-1fa4-a6c3-9c38-fa76a0442009/1/

Item Type: Monograph (Technical Report)
Title: Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis
Authors: Balfe, Shane; Paterson, Kenneth G.
Departments: Faculty of Science\Mathematics

Deposited by () on 12-Jul-2010 in Royal Holloway Research Online. Last modified on 13-Dec-2010
