EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (1) Paul Killoran EUROCON 2005 Paul Killoran, Fearghal Morgan & Michael Schukat National University of Ireland, Galway SWiFT :: A New Secure Wireless Financial Transaction :: :: Architecture :: :: Architecture ::
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (2) Paul KilloranIntroduction Aim: to develop a more secure alternative to the credit card Credit card fraud totalled £500 million in 2004 Credit card security –Signature –Chip and PIN Types of fraud Architecture of current system
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (3) Paul Killoran Proposed Solution Model the credit card on a wireless mobile authentication device –J2ME (Java 2 micro edition) mobile phone Increase the security of the system by removing the trust required of the customer –Open a connection to the bank (GPRS) Focus on the security of the customer –Provide anonymity
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (4) Paul Killoran SWiFT Architecture Transaction Server –Bank or Banking Agent Customer Authorisation Device –MIDP enabled mobile phone –E-Card Retailer Kiosk –Modelled on existing terminals Network & Security –GPRS & Bluetooth –RSA, MD5 & Customer PIN
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (5) Paul KilloranSecurity E-Card – Merchant communication –Never occurs –Eliminates need for a third secure channel. Customer authorises bank directly –Must only trust their bank Centralised control of security (Bank) –All parties communicate through the bank –Bank controls security in the network by supporting requests of authorised nodes only
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (6) Paul KilloranProtocol Transaction server established with many retailer nodes connected E-Card logs onto the network 3 handshaked challenges Use geographic information to inform bank of its location E-Card receives list of local retailers
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (7) Paul KilloranProtocol Customer approaches a retailer pay point with goods and produces their mobile phone (E-Card) Customer uses their E-Card to request the Transaction Server to initiate a payment to the retailer Cashier is informed of this request on their merchant terminal
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (8) Paul KilloranProtocol Cashier requests payment using the Merchant Terminal Customer is asked to confirm payment of this amount on their E-Card by entering their PIN The PIN number is first padded, then hashed using MD5 and finally encrypted using RSA. The result is send to the Transaction Server for authorisation
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (9) Paul KilloranProtocol If the PIN authorisation is successful, a confirmation is then sent to the Merchant Terminal The cashier confirms the sale and the agreed amount is transferred between accounts The E-Card and Merchant Terminals receive a copy each of an e-receipt The e-receipt is printed by the Merchant Terminal and issued to the customer
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (10) Paul Killoran Points to Note Geographic location Customer username Customer initiated Marketing opportunity Card-present & card-not-present transactions support Security –RSA, MD5 & PIN number
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (11) Paul KilloranImplementation Transaction Server –HTTP requests & responses –Session tracking –Web user interface (account management) E-Card Application –J2ME & Mobile Information Device Profile (MIDP) –HTTP over WAP –Downloaded MIDlet –Secret shared values
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (12) Paul KilloranImplementation Retailer Kiosk –Easy integration with existing retail terminals –Requires MD5 & RSA encryption module –Requires online connection (GPRS)
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (13) Paul KilloranPrototype E-Card –Java PDA –Wi-Fi & sockets –Large touch screen Transaction Server –Java application –Sockets Retailer kiosk –ARM development kit –Keypad & small LCD –Modelled on current retail payment devices
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (14) Paul Killoran Future Work Expand the application to include card-not-present transactions Refine the RSA implementation for faster operation Transfer the E-Card application from the PDA to a mobile phone Extensive testing of the security of the network
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (15) Paul KilloranConclusion New approach to secure personal financial solutions Considerable improvements over credit card security Easy integration Support for card-present & non-present transactions Reliance of trust between customer and 3 rd parties removed Working prototype developed
EUROCON “Computer as a Tool”, Belgrade, 24 th November 2005 (16) Paul Killoran SWiFT :: A New Secure Wireless Financial Transaction Architecture :: Paul Killoran Progress is impossible without change, and those who cannot change their minds cannot change anything. - Albert Einstein ( )