Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check.

Published byEve Redman Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check."— Presentation transcript:

1 Lecture 9 e-Banking

2 Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check in US) –Credit cards –On line payments Nowadays the last two banking instruments begin to replace the classical ones in direct relation with the level of economic development of each country. It is clear that so called knowledge base society that is expected to globally extend into the future will use something similar but probably more complex Anyhow in all transactions the security problem is inevitable

3 Tamper Resistant/Responding Security Module TRSM Host Security Module (HSM) Hardware Security Module (HSM) Crypto Coprocessor –Provides a secure, trusted environment to perform sensitive operations –Detects and responds to physical, electronic (or other) attempts to recover key material or sensitive data. Typical measures include: physical tamper envelope/membrane temperature, radiation sensors power supply monitoring and filtering –Trigger causes erasure of protected data

4 PIN Encryption e.g. PIN is 1234, Key is 0123456789ABCDEF 1.Start with an empty PIN block 2.Insert PIN 3.Pad 4.Encrypt the clear PIN block 1234 1234FFFFFFFFFFFF 2580D0D6B489DD1B

5 DUPKT management DUKPT is specified in ANSI X9.24 part 1. Here the receiver has a master key called the Base Derivation Key (BDK). The BDK is supposed to be secret and will never be shared with anyone. This key is used to generate keys called the Initial Pin Encryption Key (IPEK). From this a set of keys called Future Keys is generated and the IPEK discarded. Each of the Future keys is embedded into a PED by the device manufacturer, with whom these are shared. This additional derivation step means that the receiver does not have to keep track of each and every key that goes into the PEDs. They can be re-generated when required. The receiver shares the Future keys with the PED manufacturer, who embeds one key into each PED.

6 APACS-40, 70 standard APACS - 40 also use the coding of transaction key. To do it the information from previous and current transaction is used to generate: –Key to code the PIN –The code of authentication message for current transaction Each keys are changed on each transaction and are unique for each terminal In APACS 70 the UK card issuers have agreed to use static data authentication (SDA) initially. Dynamic data authentication (DDA) or combined dynamic data authentication (CDA) should not be used except with higher specification cards incorporating a dedicated cryptographic processor. The use of cards with Chinese remainder theorem is also likely to be a necessity and is thus recommended.

7 PIN Verification (Offsets) 1.Validation data is encrypted under PIN generation (verification) key. 2.Ciphertext is ‘decimalised’ to form IPIN by means of a table. 3.Calculate the offset as OFFSET = PIN-IPIN (where ‘-’ is subtraction modulo 10)

8 PIN Verification (Offsets) IBM PIN Offset Algorithm Allows user to choose own PIN (also to change it easily) Validation data is typically customer and financial institution specific (e.g. PAN) ‘Decimalization’ by means of a table. 0123456789ABCDEF 0123456789012345

9 Transaction flow example

10 ANSI X9.8 (ISO-0) Attack –Attacks the PIN translate/reformat function

11 ANSI X9.8 Attack Q: What happens if (P  x) is a decimal digit? A: The call passes. Q: What happens if (P  x) is not a decimal digit? A: Typically, the call FAILS! We have a test for (P  x) < 10. Building a simple algorithm to identify P 1.Try all possible values of x, yielding a unique * pattern of ‘passes’ and ‘fails’ allowing you to identify P. 2.A decision tree

12 The Decimalization Attack –Attacks the PIN Verification using offsets function

13 Decimalization Attack Input Parameters Encrypted PIN Block (EPB) Validation Data Decimalization Table Offset Encrypted Key Attack Strategy: –In an iterative manner, we make a single change to an entry in the decimalization table and observe the effects

14 what 3-D Secure Password is.. It is an E-Commerce Application for Payment System To know about the 3-D Secure password we need to know about 3-D and then 3-D Secure. 3-D Stands for Three Domains here. 3-D Secure is XM L Based Protocol to implement the better security to the Credit and Debit card Transactions. So The Password formed by 3-D Secure Protocol is called 3-D Secure Password.

15 Toward implementation

16 Process flow

17 Performance It was officially launched in 2007and now most of the banks are working with this. ICICI and more Banks are working on implementing on 3-D Secure. As Now more than 100 vendors are developing 3-D Secure. Current Version 1.0.2 is running with high Performance.

18 References http://home.icon.co.za/~clulow/pin.ppt http://www.thefreedictionary.com/bank+check http://en.wikipedia.org/wiki/Giro http://en.wikipedia.org/wiki/Direct_debit http://www.britannica.com/EBchecked/topic/586267/telex http://www.swift.com/ http://en.wikipedia.org/wiki/ISO_9362 http://en.wikipedia.org/wiki/Debit_card usa.visa.com/download/merchants/pin-security-080507-final.pdf http://www.cl.cam.ac.uk/research/security/seminars/2002/2002-10- 15.html http://www.beachnet.com/~hstiles/cardtype.html http://en.wikipedia.org/wiki/Master/Session http://www.codeproject.com/KB/security/CryptoInteropKeys.aspx http://www.maravis.com/library/derived-unique-key-per- transaction-dukpt/http://www.maravis.com/library/derived-unique-key-per- transaction-dukpt/ http://www.chipandpin.co.uk/info/reference.html

19 http://www.ukpayments.org.uk/downloads/ http://www.google.com/url?sa=t&rct=j&q=sso%20systems%20p pt&source=web&cd=2&ved=0CC0QFjAB&url=http%3A%2F%2 Fwww.terena.org%2Factivities%2Feurocamp%2Fmarch05%2F slides%2Fday2%2Forrel.ppt&ei=vBvvTpbfDMHT4QTZlpWdCQ &usg=AFQjCNG3HRU6QEtR9p6JiucHxn29_6PEGg&cad=rja http://iamsect.ncl.ac.uk/dissemination/iss/iss-shib-sans- getis.ppt http://www.google.com/url?sa=t&rct=j&q=sso%20systems%20p pt&source=web&cd=9&ved=0CFgQFjAI&url=https%3A%2F%2 Fwww.owasp.org%2Fimages%2F2%2F26%2FOWASPSanAnt onio_2006_08_SingleSignOn.ppt&ei=vBvvTpbfDMHT4QTZlpW dCQ&usg=AFQjCNFV7y-o315tnzw2KueaP812joxAfQ&cad=rja

20 I want my real money back…!

Download ppt "Lecture 9 e-Banking. Introduction The most used methods to pay for a service or merchandise are: –The real money (so called “cash”) –cheque (or check."

Similar presentations

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.

Smart Card Security Xufen Gao CS 265 Spring, 2004 San Jose State University.
Card Verification Support

Card Verification Support
Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.

Gareth Ellis Senior Solutions Consultant Session 5a Key and PIN Management.
Lecture 6 User Authentication (cont)

Lecture 6 User Authentication (cont)
Vpn-info.com.

Vpn-info.com.
ANSI X9.119 Part 2: Using Tokenization Methods

ANSI X9.119 Part 2: Using Tokenization Methods
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
I Know your PIN I Know Your PIN Jolyon Clulow Prism

I Know your PIN I Know Your PIN Jolyon Clulow Prism
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
ICT at Work Banking and Finance.

ICT at Work Banking and Finance.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.

Chapter 13 Paying Via The Net. Agenda Digital Payment Requirements Fraud Detection Online Payment Methods Online Payment Types The Future Payment.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.

Chapter 10  ATM 1 Automatic Teller Machines. Chapter 10  ATM 2 Automatic Teller Machines  “…one of the most influential technological innovations of.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
FIT3105 Smart card based authentication and identity management Lecture 4.

FIT3105 Smart card based authentication and identity management Lecture 4.
Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.

Mar 11, 2003Mårten Trolin1 Previous lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities.
1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.

1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.
Chapter 9 Banking and Book keeping Protecting yourself from you.

Chapter 9 Banking and Book keeping Protecting yourself from you.

Similar presentations

Ads by Google