Security of Electronic Transactions (Theory and Practice) Jan Krhovják, Marek Kumpošt, Vašek Matyáš Faculty of Informatics Masaryk University, Brno.

Slides:



Advertisements
Similar presentations
Installation & User Guide
Advertisements

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Operational Risks Task 13. What is CNP? CNP stands for Card Not Present and is when you order or pay for something online as you are not in front of the.
Lecture 6 User Authentication (cont)
Digital Certificate Installation & User Guide For Class-2 Certificates.
Secure Multiparty Computations on Bitcoin
EDUCAUSE 2001, Indianapolis IN Securing e-Government: Implementing the Federal PKI David Temoshok Federal PKI Policy Manager GSA Office of Governmentwide.
HCE AND BLE UNIVERSITY TOMORROWS TRANSACTIONS LONDON, 20 TH MARCH 2014.
Chapter 6 E-commerce Payment Systems. Traditional Payment Systems Cash Checking Transfers Credit Card Accounts Stored Value Accounts Accumulating Balance.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
EMV chip and pin the business case. What is EMV? New Standard in “Chip Card” Technologies Replacing Magnetic Strip Cards New Standard in “Chip Card” Technologies.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
FIT3105 Smart card based authentication and identity management Lecture 4.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Using Digital Credentials On The World-Wide Web M. Winslett.
Digital Cash Damodar Nagapuram. Overview ► Monetary Freedom ► Digital Cash and its importance ► Achieving Digital Cash ► Disadvantages with digital cash.
Verified by Visa and MasterCard SecureCode – or, How Not to Design Authentication Steven Murdoch and Ross Anderson Cambridge.
Summary of Reading Assignments: Credits and Debits on the Internet & New Payment Systems Hope To Cash In Dr. Deepak Khazanchi.
BATCH TRANSACTION PROCESSING Option 1: Transaction Processing Systems.
“Electronic Payment System”
Financial Transactions on Internet Financial transactions require the cooperation of more than two parties. Transaction must be very low cost so that small.
Electronic Payment Systems University of Palestine University of Palestine Eng. Wisam Zaqoot Eng. Wisam Zaqoot March 2010 March 2010 ITSS 4201 Internet.
By: Piyumi Peiris 11 EDO. Swipe cards are a common type of security device used by many people. They are usually a business-card-sized plastic card with.
Digital Cash By Gaurav Shetty. Agenda Introduction. Introduction. Working. Working. Desired Properties. Desired Properties. Protocols for Digital Cash.
BZUPAGES.COM Electronic Payment Systems Most of the electronic payment systems on internet use cryptography in one way or the other to ensure confidentiality.
CIS 342: e-Commerce Applications Prof Frye
Secure Electronic Transaction (SET)
R U Ready? V M E EUROPAY MASTERCARD VISA EMVco was formed in 1999.
Electronic Payment Systems. How do we make an electronic payment? Credit and debit cards Smart cards Electronic cash (digital cash) Electronic wallets.
Tutorial Chapter 5. 2 Question 1: What are some information technology tools that can affect privacy? How are these tools used to commit computer crimes?
Electronic Payments E-payment methods –Credit cards –Electronic funds transfer (EFT) –E-payments Smart cards Digital cash and script Digital checks E-billing.
E-commerce Vocabulary Terms. E-commerce Buying and selling of goods, services, or information via World Wide Web, , or other pathways on the Internet.
E-commerce Vocabulary Terms By: Laura Kinchen. Buying and selling of goods, services, or information via World Wide Web, , or other pathways on the.
Agenda EMV – What Is It? EMV In The UK EMV Is Coming To The US
1 Using EMV cards for Single Sign-On 26 th June st European PKI Workshop Andreas Pashalidis and Chris J. Mitchell.
Keep Your Enemies Close: Distance Bounding Against Smartcard Relay Attacks Authors: Saar Drimer and Steven J. Murdoch Presented in: Usenix Security Symposium.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
The next generation of payments is here. Is your business ready?
Chapter 4 Getting Paid. Objectives Understand electronic payment systems Know why you need a merchant account Know how to get a merchant account Explain.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Network Security Lecture 27 Presented by: Dr. Munam Ali Shah.
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
OBJECTIVES  To understand the concept of Electronic Payment System and its security services.  To bring out solution in the form of applications to.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
CSCE 201 Identification and Authentication Fall 2015.
Computer Security Set of slides 8 Dr Alexei Vernitski.
Electronic Banking & Security Electronic Banking & Security.
Confidential and Proprietary - NOT TO BE DISTRIBUTED WITHOUT THE EXPRESS WRITTEN PERMISSION OF BANK OF AMERICA MERCHANT SERVICES. ASTRA EMV Review/Best.
Online Decision Process
EMV Operation and Attacks Tyler Moore CS7403, University of Tulsa Reading: Anderson Security Engineering, Ch (136—138), (328—343) Papers.
Mar 18, 2003Mårten Trolin1 Agenda Parts that need to be secured Card authentication Key management.
Commercial Card Expense Reporting (CCER) The Trustees of Roanoke College An internet solution Accessed via Wells Fargo’s secure Commercial Electronic Office.
Presented by David Cole CVM Methods.  CVM Methods in the End-to-End Process  What is a CVM List?  Risk protection tool  Types of PIN processing 
Terminal Risk Management
Transaction Flow end-end
Lesson 05-I E-commerce Payments
PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471
Own Your Identity.
Welcome To Money pad November 23, 2018 Sample footer.
Own Your Identity.
Presentation transcript:

Security of Electronic Transactions (Theory and Practice) Jan Krhovják, Marek Kumpošt, Vašek Matyáš Faculty of Informatics Masaryk University, Brno

Security Protection of Information (SPI), May 20072/10 Outline Chip&PIN or signature cards – experiment Anatomy of the experiment Results of the Phase I & II Summary of both phases EMV standard Transaction processing Selected security mechanisms Other security implications

Security Protection of Information (SPI), May 20073/10 Anatomy of the Experiment The main question/objective Is it easier for an opportunistic thief to abuse Chip&PIN or signature cards? We wanted to see/have experimental practical results First (warm-up) phase (over 40 people involved) Has taken place in pseudo-realistic conditions at a university bookstore (Masaryk U., Brno) Age of the customers from 18 to 26 – “hired” students Time to practice a signature limited to about 30 minutes Time to practice “shoulder-surfing” about 2 hours Not genuine payment cards (no verification of the PIN) Second phase (over 35 people involved) Was realised in standard conditions In one of the largest supermarket in Brno Conditions set according to our experience from first phase Genuine payment cards (real verification of the PIN)

Security Protection of Information (SPI), May 20074/10 Results of the Phase I PINpad 1 (security/privacy shielding) Observers succeed in 6 from 17 PINs (35.3%) They needed one guess in 5 from the 6 PINs (83.3%) In 39 tips of 4-digit PINs (i.e., 156 digits) 75 digits guessed correctly (48%) PINpad 2 (no shielding) Observers succeed in 12 from 15 PINs (80%) Just one guess needed in 10 out of 12 PINs (83.3%) In 46 tips of 4-digit PINs (i.e., 184 digits) 129 digits guessed correctly (70.1%) Signatures (15+17 customers) Merchant detects 12 of 17 forging customers 5 forging customers passed (29.4%) 8 from 32 customers asked to sign twice After second signing: 4 detected & 4 passed We verified the signatures very carefully!!!

Security Protection of Information (SPI), May 20075/10 Results of the Phase II PINpads with & without security/privacy shielding 13 obs. from shielded pad, 7 from unshielded pad Observers succeed in 4 from 20 PINs (20%) 3 PINs from shielded pads, one from unshielded pad In 26 tips of 4-digit PINs (91 digits announced) 38 digits guessed correctly (42%) One (from three) observers group was more assertive and able to closely follow the targets => best results Correct digits by groups: 25%, 27%, 68% (!) Third group: four correct PINs in 3 or less attempts Signatures (20 customers, stop after 17 succ. attempts) 10–30 minutes for practicing a given signature No problem reported from both the customers / till assistants No one was asked to sign again or to show an ID Some signatures were checked very poorly or not at all

Security Protection of Information (SPI), May 20076/10 Summary of Both Phases The signature forgers were newbies, as well as the shoulder-surfers Correctly observed PIN digits (60% or 42%) Significant difference between fake signatures detection (70% or 0%) – space for improvement Privacy shielding is really useful, however Majority of PINpads not equipped by shielding Light (=non-effective) privacy shielding in shops Some customers may have motoric difficulties Temporary remedy (?) Both PIN and signature Different PINs for low- and high-level transactions?

Security Protection of Information (SPI), May 20077/10 EMV (Europay, MasterCard, and Visa) Standard EMV 4.1 specification (4 books with ~800 pages) Interoperability & security of payment systems Smartcards, payment terminals, banking HSMs Introduction of Chip&PIN technology Magnetic-stripe cards can be easily copied (skimming) Transaction processing (online or offline) Authentication of on-card data Offline detection of fake (altered/duplicated) cards Static/dynamic data authentication Authentication of cardholders/users Based on handwritten signatures or PINs Priority list of card-supported verification methods Automatic risk analysis Online transaction authorization

Security Protection of Information (SPI), May 20078/10 Selected Security Mechanisms Static data authentication (SDA) On-card RSA signed static data Send to the terminal for offline verification No on-card asymmetric crypto => cheaper smartcards SDA still allows skimming Dynamic data authentication (DDA) Additional RSA key pair securely stored on card On-card signing of random challenge from terminal => more expensive smartcards DDA defeats skimming User authentication & card verification methods (CVM) CVM list included in signed data only optionally Adversary can modify this list of methods PIN => handwritten signatures

Security Protection of Information (SPI), May 20079/10 Other Security Implications Problem of the EMV specification Payment terminals protect interests of merchants Payment cards protect interests of banks Interests of customers are typically overlooked Malicious merchant can always cheat the customer Copying the cards Collecting of authorization data Relay the EMV protocol Electronic advocate Enters to the EMV protocol Protects only interests of the customer Portable electronic device between smartcard & terminal Can display the details of each transaction & accept/reject

Security Protection of Information (SPI), May /10 Conclusions Introduction of Chip&PIN does not improve customer protection against opportunistic thieves Factor in problematic repudiation of false transactions Good PINpad privacy/security shielding recommended The shop till clearly isn’t the right place to enter PINs Verification based on signatures Absolutely insufficient in a standard shop Better, e.g., in jewellery Shoulder-surfing is an underestimated issue Also in other (less “hostile”) environments, e.g., office Security of EMV systems still dependent on particular implementation The system still protects mostly merchants and banks