Securing the Worlds Information Secure Dynamic Credit and Debit Cards Stop Credit Card and Identity Theft Andre Brisson Stephen Boren Co founders/ Co.

Presentation transcript:

Securing the World's Information
Secure Dynamic Credit and Debit Cards: Stop Credit Card and Identity Theft
Andre Brisson, Stephen Boren, Co-founders / Co-inventors, 2006 (narrated)

The Problem
Rampant credit card and identity theft.

The Approach
- Use of Identity Management keys in a non-cryptographic context by association of a unique key to a unique account
- Immediate malfeasance detection – Dynamic Identity Verification and Authentication [DIVA]
- Immediate revocation

Compatibility
This technique can be used independently. It can be used in conjunction with existing PKI approaches to add an additional layer of protection and by enabling theft detection and immediate revocation capability.

The Secure Process
The credit or debit card is initially issued to the user and contains a random 1k chunk of data generated from the user's unique key. The card has write-back capacity. The server has all the pertinent user, key and offset information. The user's card does not have the offset. The user's card does not have its private key, so the key can never be stolen.
- The credit card has write-back capacity
- A db at the bank server for processing transactions
- A separate db at the bank server with unique WN distributed keys for each and every card holder
The goal is to make each and every transaction unique.

Secure Characteristics
1. The WN keys are highly random and unpredictable. There were no randomness failures against the NIST test suite. It is impossible for a thief to guess or break.
2. The offsets are never transmitted or written to the card, so they can't be stolen. The user's private key is never written to the credit card. The keys are kept on a separate bank server db from the cardholder information, to keep the offset separate from the key. The keys can be kept at the bank in an encrypted state. They can be encrypted either with Whitenoise or AES.
3. Each transaction becomes a unique event because the 1k chunk of data is updated on every transaction.
4. Cards can easily be refreshed or updated by going to a web site and having a new chunk of data written to the card. This eliminates the majority of card replacement, which is expensive.

The Secure Process
[Diagram: A, B and C, with the label "Andre's WN Key – etc."]
A = Client card
B = Bank database
C = WN Key database (separate from offset)
Step 1 – A purchase is made and the card A is run through a swipe. The first-level authentication PIN number is entered and the transaction begins.
Step 2 – Another level of authentication is verifying that the serial number on the card is the same as the one listed at the bank db.
Step 3 – The offset is noted and the 1k chunk of data is compared between the server DB and the card.
Step 4 – If the 1k chunk of data matches up between the card and the server, the transaction is processed.
Step 5 – The offset is updated to the beginning of the next 1k chunk of data, and finally this new 1k chunk of data is written back to the card for the next use.

Let us imagine a crook has managed to double swipe your card and capture all of the information on the card, including the random chunk of key data. There is no offset to capture. There is no key to capture. This assumes that a thief can break the user's MS.net2 robust password, which has brute-force odds of being broken of 1 in 80 trillion. This also acknowledges that there is NO key and NO offset information that can be stolen. Only the card number and the random chunk of data are available to a thief. There are only two possible outcomes!

Either Or Outcomes
Assume the thief can make a copy of a client credit card and somehow has broken or captured the password.
1. The legitimate owner uses his/her card first, and the chunk of random key data is updated on the legitimate card. The thief then uses the stolen card and it won't process because the 1k chunk does not match between the stolen credit card and the server. The account is immediately disabled.
2. The thief uses the stolen card first, successfully. The next time the card holder uses their card, the transaction is refused because the stolen card has been updated and the offset on the server database has been updated, but NOT the chunk of data on the legitimate card. Theft has been identified. The account is immediately disabled. We know where the theft occurred because of the previous transaction.
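The five-step process and the two either/or outcomes above can be replayed in a short simulation. This is an added example, not code from the presentation: the Whitenoise generator is replaced by SHAKE-256 as a stand-in, the PIN step is omitted, and the class names, account id and serial number are constructed for illustration.

```python
import hashlib, hmac, secrets

CHUNK = 1024  # the slides' "1k chunk"

def chunk_at(key: bytes, offset: int) -> bytes:
    # Stand-in generator (assumption): SHAKE-256 over key || offset replaces
    # the Whitenoise key stream, which is not reproduced here.
    return hashlib.shake_256(key + offset.to_bytes(8, "big")).digest(CHUNK)

class Card:
    def __init__(self, holder, serial, chunk):
        self.holder, self.serial, self.chunk = holder, serial, chunk

class Bank:
    def __init__(self):
        self.accounts = {}  # B: serial, offset, status
        self.keys = {}      # C: per-card keys, stored apart from the offsets

    def issue(self, account, serial):
        self.keys[account] = secrets.token_bytes(32)
        self.accounts[account] = {"serial": serial, "offset": 0, "disabled": False}
        return Card("owner", serial, chunk_at(self.keys[account], 0))

    def transact(self, account, card):
        acct = self.accounts[account]
        if acct["disabled"]:
            return "refused: account disabled"
        expected = chunk_at(self.keys[account], acct["offset"])    # Step 3
        if card.serial != acct["serial"] or not hmac.compare_digest(card.chunk, expected):
            acct["disabled"] = True                                # immediate revocation
            return "refused: mismatch, account disabled"
        acct["offset"] += CHUNK                                    # Step 5
        card.chunk = chunk_at(self.keys[account], acct["offset"])  # write-back
        return "approved"                                          # Step 4

def run_scenario(legit_first: bool):
    bank = Bank()
    card = bank.issue("acct-1", "SN-0001")          # constructed identifiers
    clone = Card("clone", card.serial, card.chunk)  # everything on the card, copied
    order = [card, clone] if legit_first else [clone, card]
    return [(c.holder, bank.transact("acct-1", c)) for c in order]

if __name__ == "__main__":
    print(run_scenario(True))
    print(run_scenario(False))
```

In both orderings the first presenter is approved and the second is refused with the account disabled, so the server detects that a copy exists from the stale chunk rather than from knowing which card is genuine.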

Securing the World's Information
100% Theft Prevention

Smart Cards and unique identifiers
Credit card companies like AMEX are already issuing smart cards to combat theft. If credit cards and debit cards are simply manufactured with chips that have unique identifiers or unique serial numbers burned into the chips, then theft prevention can be 100% effective.

Bank Key, Private Key and Piracy Prevention

USER CREDIT CARD PRIVATE KEY
The user private key is securely stored at the bank vault; it is never transmitted electronically. The user key is never on the user credit card. This key is not used cryptographically but rather is a Random Number Generator. (Keys are enormous but storage is easy. See multiplicity in our technical presentation.) The private key is unique for each credit card and account. The serial number on the client card is used as a seed to set the initial offset and create a unique private key associated with a specific credit card. This serial number is used with the Bank Application Key to decrypt the client's private key during a transaction.

Private Key
The pre-authenticated distributed key is never given to the credit card holder. It is kept securely by the bank. It has never been transmitted electronically. It is never given out. It never leaves the bank's control. Private keys can be kept encrypted with WN or AES to prevent internal malfeasance at the bank.

Serial number on chip/device etc.
The smart credit card has a unique serial number [NAM, identifiers..] burned onto its chip.

Bank Application Key
This can be a unique key for the bank or credit card company and is used to decrypt the user credit card private key in order to generate the appropriate random strings of data for transaction authentication.

Credit Card Theft Stopped Dead in its Tracks!
- The credit card transaction is initiated. The server reads the card's unique serial number.
- The first authentication step is simply to compare this serial number with the device serial number associated with the account.
- It then uses this serial number with the NEVER transmitted bank key at the server to decrypt the credit card account private key in order to generate and compare the random chunks of data.
- At the bank server, the application key will be able to decrypt and use the private key if the serial number is correct. The identical corresponding random chunk of data is regenerated from the offset for comparison.
- A pirated or copied key will be copied to another medium/media with a different serial number or without a serial number at all. The bank application key will be unable to decrypt the credit card private key for the comparison of random data. The server recognizes the illegal attempt and immediately disables the account.
- Should the thief make it this far, the random chunk of data between the card and the server must still match 100% before the transaction continues.
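The serial-number binding described above, where the bank application key can only decrypt the account's private key when the correct chip serial is presented, can be sketched as follows. This is an added example, not code from the presentation: a standard-library encrypt-then-MAC construction stands in for the AES or Whitenoise encryption the slides name, and the function names, serial numbers and key sizes are assumptions.

```python
import hashlib, hmac, secrets

APP_KEY = secrets.token_bytes(32)  # constructed bank application key, held only at the server

def _subkeys(app_key: bytes, serial: str):
    # Bind the key-encryption keys to the chip serial number read from the card.
    kek = hmac.new(app_key, b"card-kek|" + serial.encode(), hashlib.sha256).digest()
    enc = hmac.new(kek, b"enc", hashlib.sha256).digest()
    mac = hmac.new(kek, b"mac", hashlib.sha256).digest()
    return enc, mac

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_private_key(app_key, serial, private_key):
    enc, mac = _subkeys(app_key, serial)
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(enc, nonce, private_key)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_private_key(app_key, serial, blob):
    enc, mac = _subkeys(app_key, serial)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong or missing serial: the key cannot be recovered
    return _xor_stream(enc, nonce, ct)

def authorize(account, serial_read):
    key = unwrap_private_key(APP_KEY, serial_read, account["wrapped_key"])
    if key is None:
        account["disabled"] = True  # server disables the account immediately
        return "refused: account disabled"
    return "key recovered, continue to chunk comparison"

def demo():
    private_key = secrets.token_bytes(64)  # constructed per-card key
    account = {"wrapped_key": wrap_private_key(APP_KEY, "SN-0001", private_key),
               "disabled": False}
    genuine = authorize(account, "SN-0001")  # original chip
    copied = authorize(account, "SN-9999")   # copy on a medium with another serial
    return genuine, copied, account["disabled"]
```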

Coming in from the cold
[Diagram labels: Scotia Bank Secure Network Server; New credit card]
1. Server reads serial number from existing smart card.
2. Server generates unique key and unique starting offset associated with that specific card and updates itself with UID, starting offset, key info, encrypts private key with application key. This all stays at the server. The server sends the first chunk of random data to the card.

1. Expand secure credit card networks in 2 steps electronically
2. Secure legacy distributed smart credit cards – MFG acceptance is helpful
3. Persons can add password for access and two factor authentication