Lecture 9 e-Banking

Introduction
The most used methods to pay for a service or merchandise are:
– Real money (so-called "cash")
– Cheque (or check in the US)
– Credit cards
– Online payments
Nowadays the last two banking instruments are beginning to replace the classical ones, in direct relation with the level of economic development of each country. It is clear that the so-called knowledge-based society that is expected to extend globally in the future will use something similar but probably more complex. In any case, in all transactions the security problem is inevitable.

Tamper Resistant/Responding Security Module (TRSM)
Also called Host Security Module (HSM), Hardware Security Module (HSM) or crypto coprocessor.
– Provides a secure, trusted environment in which to perform sensitive operations
– Detects and responds to physical, electronic (or other) attempts to recover key material or sensitive data. Typical measures include: a physical tamper envelope/membrane; temperature and radiation sensors; power supply monitoring and filtering
– A trigger causes erasure of the protected data

PIN Encryption
Example: PIN is 1234, key is ABCDEF
1. Start with an empty PIN block
2. Insert the PIN
3. Pad the rest of the block with F nibbles (FFFFFFFFFFFF on the slide)
4. Encrypt the clear PIN block (the slide's example ciphertext: 2580D0D6B489DD1B)

DUKPT management
DUKPT is specified in ANSI X9.24 part 1. Here the receiver has a master key called the Base Derivation Key (BDK). The BDK is supposed to be secret and is never shared with anyone. This key is used to generate keys called Initial PIN Encryption Keys (IPEK). From these a set of keys called Future Keys is generated and the IPEK is discarded. This additional derivation step means that the receiver does not have to keep track of each and every key that goes into the PEDs (PIN entry devices): they can be re-generated when required. The receiver shares the Future Keys with the PED manufacturer, who embeds one key into each PED.

APACS-40 and APACS-70 standards
APACS-40 also uses transaction-key encryption. To do this, information from the previous and the current transaction is used to generate:
– the key used to encrypt the PIN
– the message authentication code for the current transaction
The keys are changed on each transaction and are unique for each terminal.
In APACS-70 the UK card issuers have agreed to use static data authentication (SDA) initially. Dynamic data authentication (DDA) or combined dynamic data authentication (CDA) should not be used except with higher-specification cards incorporating a dedicated cryptographic processor. The use of cards supporting the Chinese remainder theorem is also likely to be a necessity and is thus recommended.

PIN Verification (Offsets)
1. Validation data is encrypted under the PIN generation (verification) key.
2. The ciphertext is 'decimalised' by means of a table to form the IPIN.
3. Calculate the offset as OFFSET = PIN – IPIN (where '–' is subtraction modulo 10, digit by digit).

PIN Verification (Offsets): IBM PIN Offset Algorithm
– Allows the user to choose their own PIN (and to change it easily)
– Validation data is typically customer- and financial-institution-specific (e.g. the PAN)
– 'Decimalisation' by means of a table mapping the hex digits 0–9 and A–F to decimal digits

Transaction flow example

ANSI X9.8 (ISO-0) Attack
– Attacks the PIN translate/reformat function

ANSI X9.8 Attack
Q: What happens if (P ⊕ x) is a decimal digit? A: The call passes.
Q: What happens if (P ⊕ x) is not a decimal digit? A: Typically, the call FAILS!
So we have a test for (P ⊕ x) < 10. Building a simple algorithm to identify P:
1. Try all possible values of x, yielding a unique* pattern of 'passes' and 'fails' that allows you to identify P.
2. A decision tree

The Decimalization Attack
– Attacks the PIN verification (using offsets) function

Decimalization Attack
Input parameters: Encrypted PIN Block (EPB), Validation Data, Decimalization Table, Offset, Encrypted Key
Attack strategy:
– In an iterative manner, we make a single change to an entry in the decimalization table and observe the effects
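The offset scheme of the two PIN Verification slides above (encrypt the validation data under the PIN verification key, decimalise, subtract modulo 10) in Go, together with the HSM-side countermeasure to the single-entry perturbation described on this slide: the verifier accepts only an allow-listed decimalisation table. This is an added example, not the lecture's code; single DES, the 8-byte PVK, the validation data and the one-table allow-list are constructed assumptions.

```go
package main

import (
	"crypto/des"
	"errors"
)

// StandardTable is the usual IBM 3624 decimalisation table: hex digit i maps
// to StandardTable[i]. Constructed policy: only allow-listed tables are
// accepted, so a caller cannot perturb single entries to learn PIN digits.
const StandardTable = "0123456789012345"

// Decimalise maps each hex nibble of ctext through a 16-entry table.
func Decimalise(ctext []byte, table string) string {
	out := make([]byte, 0, 2*len(ctext))
	for _, b := range ctext {
		out = append(out, table[b>>4], table[b&15])
	}
	return string(out)
}

// NaturalPIN (IPIN): DES-encrypt the 8-byte validation data (typically derived
// from the PAN) under the PVK, decimalise, and keep the first pinLen digits.
func NaturalPIN(pvk, validation []byte, table string, pinLen int) (string, error) {
	c, err := des.NewCipher(pvk)
	if err != nil || len(validation) != 8 || pinLen < 4 || pinLen > 12 {
		return "", errors.New("bad PVK, validation data or PIN length")
	}
	if table != StandardTable { // the HSM-side check that mitigates the attack
		return "", errors.New("decimalisation table not on allow-list")
	}
	out := make([]byte, 8)
	c.Encrypt(out, validation)
	return Decimalise(out, table)[:pinLen], nil
}

// Offset = PIN - IPIN, digit by digit modulo 10 (step 3 on the slide).
// pin and ipin must have the same length.
func Offset(pin, ipin string) string {
	out := make([]byte, len(pin))
	for i := range pin {
		out[i] = '0' + byte((int(pin[i])-int(ipin[i])+10)%10)
	}
	return string(out)
}

// VerifyPIN: the entered PIN is correct iff PIN - IPIN equals the stored offset.
func VerifyPIN(pvk, validation []byte, table, offset, pin string) bool {
	ipin, err := NaturalPIN(pvk, validation, table, len(pin))
	return err == nil && Offset(pin, ipin) == offset
}
```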

What the 3-D Secure password is
It is an e-commerce application for payment systems. To understand the 3-D Secure password we first need to know what 3-D and 3-D Secure are. 3-D stands for Three Domains. 3-D Secure is an XML-based protocol that implements better security for credit and debit card transactions. The password formed by the 3-D Secure protocol is therefore called the 3-D Secure password.

Toward implementation

Process flow

Performance
It was officially launched in 2007 and now most banks are working with it. ICICI and other banks are working on implementing 3-D Secure. More than 100 vendors are now developing 3-D Secure. The current version runs with high performance.


I want my real money back…!