A global scientific and engineering software products and solutions provider. Risk mitigation for e-transactions: Cryptographic methods for fraud prevention Rajeeva L Karandikar EVP and Head, Analytics Cranes Software International Limited. E-Commerce and Risk.
Risk mitigation for e-transactions: Cryptographic methods for fraud prevention • Rajeeva L Karandikar • EVP and Head, Analytics • Cranes Software International Limited
E-Commerce and Risk • As the volume of transactions over the internet (e-banking and e-commerce) grows, so does the risk attached to those transactions. Decision makers need to understand what security the chosen solution actually provides, and what the alternatives are. • Banks must also run campaigns to educate users on good practices.
Public Perception • Mr Trust is an avid internet user: he banks online and uses the web to pay his bills, buy airline and train tickets, order books, make hotel reservations and so on. • Ms Skeptical asks Mr Trust whether he is not worried about entering his credit card number, ATM card number, PIN etc. on a web site, and whether someone could use this information to impersonate him. • Mr Trust replies that secure transactions over the "https" protocol take care of all these issues, so he has no fear.
On SSL and https protocol • Let us examine what SSL and https are: • The internet evolved as a means of communication between parties who trusted each other, and in the early days computing power and bandwidth were limited. So the TCP/IP protocols used for most communication send data over the wire as "clear text", and an eavesdropper can easily recover everything being sent. • SSL (today standardised as TLS) and https, which is HTTP carried over SSL/TLS, ensure that an eavesdropper who intercepts the transmission cannot recover the data being transmitted.
On SSL and https protocol… • Thus SSL and https are a must for internet banking and e-commerce: they ensure that data in transit cannot be read by an interceptor. • SSL achieves this with a combination of public key cryptography (used to authenticate the server and agree on a session key) and symmetric key cryptography (used to encrypt the bulk of the data). Key generation and encryption all happen in the background, and the user is blissfully unaware of it. • In colloquial terms, the analogy is a letter sent in a sealed envelope kept inside a locked briefcase, where only the intended recipient has the key to the lock.
On SSL and https protocol… • What if someone fraudulently launches a web site with a URL like www.icicibank.net or www.icici-bank.com? • He/she can make it look exactly like the real icicibank web site and lure users into entering credit card / debit card numbers and other information. • SSL gives protection against this as well: • It authenticates the web site as belonging to the claimed entity, via an SSL certificate. The vendor's web site presents a certificate stating its identity (including the host names it is valid for), digitally signed by a trusted third party (a certificate authority) such as VeriSign. If a site does not present a correct certificate for the name in the address bar, the browser gives a warning (which people often ignore!). Note that a look-alike domain can also obtain a perfectly valid certificate for its own name, so the user still has to read the address bar.
On SSL and https protocol… • Thus SSL ensures that the information being sent cannot be "read" by an interceptor, and that the web site where the user is about to enter sensitive information does belong to the claimed vendor/entity. • But that is all SSL promises to do. • An additional feature of most browsers is that information entered on "secure" pages is not stored in the cache.
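An added example (not from the original slides): the check a browser performs after the handshake that decides whether the certificate belongs to the name in the address bar, as the slides above describe. It matches the host against the certificate's dNSName entries using the RFC 6125 wildcard rules browsers enforce, and shows why the look-alike names www.icicibank.net and www.icici-bank.com fail against a certificate issued to icicibank.com. The certificate names in BANK_CERT_SANS are constructed for illustration, not taken from any real certificate, and the helper that builds a strict client context is an assumption about how a client program should be configured, not code from the deck.

```python
"""Certificate-name check of the kind a browser performs after the TLS handshake."""
import ipaddress
import ssl
from typing import Iterable


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a host (RFC 6125 rules).

    A wildcard is accepted only as the whole left-most label, it covers
    exactly one label, and the pattern must keep at least two further labels
    so that "*.com" never matches anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # a dNSName never matches an IP-address literal
    except ValueError:
        pass
    if "*" not in pattern:
        return pattern == hostname  # exact, case-insensitive match
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if "" in h_labels or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcards anywhere but the left-most label are rejected
    # The wildcard stands for exactly one label, so "*.icicibank.com" covers
    # www.icicibank.com but neither icicibank.com nor evil.www.icicibank.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any subjectAltName dNSName in the certificate covers the host."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


# Constructed subjectAltName list for illustration only; not a real bank certificate.
BANK_CERT_SANS = ("www.icicibank.com", "*.icicibank.com")


def strict_client_context() -> ssl.SSLContext:
    """Client context that keeps the checks above switched on (assumed helper).

    create_default_context() loads the system trust store and sets both
    CERT_REQUIRED and check_hostname=True; the classic mistake is to turn
    either of them off "to make the connection work", which re-opens the
    look-alike-site problem the slides describe.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx
```

A real browser additionally walks the certificate chain to a trusted root and checks validity dates and revocation; the name match is only the last step, but it is the step that distinguishes icicibank.com from icicibank.net.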
On SSL and https protocol… • But this falls far short of the total security that Mr Trust believes SSL and https guarantee him. • Someone could be running software on his PC that traps every keystroke he makes, allowing them to recover his debit card / credit card numbers along with the PIN. SSL cannot help here: the keystrokes are captured before anything is encrypted. Such software can be downloaded from the internet or written from scratch. • In fact, there is software that allows keystroke monitoring/recording across an entire local area network of machines running the Windows OS.
What happens at the other end: • So let us assume that Mr Trust is working on his own laptop running Unix/Linux and is assured that no one can trap his keystrokes, and that SSL ensures that no one can intercept his credit card / debit card number while it is transmitted. He has explained this to Ms Skeptical who, by her nature, is not convinced but has no counter-argument. • On 27th June 2006, Mr Trust gets a call from Ms Skeptical drawing his attention to the BPO scam in the news that day: an employee at a BPO had got hold of credit card / debit card numbers belonging to customers of one of the banks in India.
What happens at the other end: • Mr Trust is shaken. He now realizes that while his card numbers are encrypted in transit, they are decrypted at the other end and compared with the information stored in the bank's computer before he is given authorization (for a purchase, a transfer of funds, …). • So an employee with access to this process can steal his identity and use it for fraudulent transactions. • This is what happened in the case reported in the press.
What is the way out? • Or, is there a way out? • A bank may organise its processes so that very few employees have access to the master data on credit card / debit card numbers, and thereby minimise the risk. But the card number itself remains a reusable secret: anyone who sees it once can use it again.
Two factor authentication • Some banks in India have recently introduced a system where each customer is given a "Token", which looks like a key chain and displays a number that changes every minute in an apparently random fashion. • The customer is required to enter the number on the token on the web site in addition to the password or PIN. The bank's system holds the same secret seed as the token and can compute the exact number the customer's device is showing at that time, thus providing an additional layer of identification. • The two systems, the one where the bank stores credit / debit card numbers and the one which generates the token numbers, can be isolated with different sets of people having access to them, thereby reducing the chance of fraud being committed.
Two factor authentication • This can be improved: when a customer attempts to log in, he is sent a challenge (say a system-generated random number), which the customer keys into his token; the token then computes a function of the challenge and his secret, typically a keyed hash function (a MAC), and the output is sent to the bank. The secret is also stored in the bank's system, which can verify the correctness of the output. Because each challenge is fresh and used only once, a captured response cannot be replayed. • Such protocols are classified as challenge-response authentication protocols.
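Added example (not from the slides): the bank's side of both token schemes described on the two slides above, using only the Python standard library. The first verifier implements the time-based token as RFC 6238 TOTP built on RFC 4226 HOTP, accepting one step of clock skew and refusing a code whose counter has already been used; the second implements the challenge-response variant as an HMAC over a fresh, one-shot challenge with a time limit. The seed, timestamps, challenge lifetime and class names are constructed for illustration and are assumptions, not details of any bank's deployment.

```python
"""Bank-side verification of an OTP token and of a challenge-response token."""
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken as floor(time / step)."""
    return hotp(secret, int(at_time // step), digits)


class TotpVerifier:
    """The bank's copy of the token: same seed, same clock, plus replay defence."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_counter = -1  # highest counter value already accepted

    def verify(self, code: str, now: float) -> bool:
        counter = int(now // self.step)
        for cand in range(counter - self.skew, counter + self.skew + 1):
            if cand <= self.last_counter:
                continue  # that time step was already consumed: a replayed code
            if hmac.compare_digest(hotp(self.secret, cand, self.digits), code):
                self.last_counter = cand
                return True
        return False


class ChallengeResponseVerifier:
    """Challenge-response with a keyed hash (HMAC-SHA256) over a one-shot challenge."""

    def __init__(self, secret: bytes, ttl: int = 60):
        self.secret, self.ttl = secret, ttl
        self.pending = {}  # outstanding challenge -> time it was issued

    def issue_challenge(self, now: float) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh random value per login attempt
        self.pending[challenge] = now
        return challenge

    @staticmethod
    def token_response(secret: bytes, challenge: bytes) -> str:
        """What the customer's token computes from the keyed-in challenge."""
        return hmac.new(secret, challenge, hashlib.sha256).hexdigest()

    def verify(self, challenge: bytes, response: str, now: float) -> bool:
        issued = self.pending.pop(challenge, None)  # one-shot: gone once used
        if issued is None or now - issued > self.ttl:
            return False  # unknown, already used, or expired challenge
        expected = self.token_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)
```

The seed is the only thing the two sides share, which is what makes it worth keeping on a system separate from the card-number store, as the slide suggests; the constant-time comparisons and the replay checks are what a real deployment most often gets wrong.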
Zero-Knowledge proof protocols • Zero-knowledge proof is an interesting concept. The most important aspect here is that the bank (or verifier) does not store the secret itself but only a one-way function of it (a public key), so a breach on the bank's side does not reveal what the customer knows. • The verifier sends a random challenge, the prover computes a certain quantity based on the challenge and the secret and sends it to the verifier, and the verifier is able to check it without learning the secret. • Like RSA, the security of ZK protocols typically depends on the computational hardness of some mathematical problem (for the schemes below, factoring or discrete logarithms).
Zero-Knowledge proof protocols • Well known ZK identification protocols that do not need much computing power on the prover's side (and hence can be embedded in smart cards) are Feige-Fiat-Shamir, Guillou-Quisquater and Schnorr. • Perhaps when the banking industry moves to credit cards / debit cards with an embedded smart card chip instead of the magnetic strip used today, ZK protocols can be used extensively for authentication, reducing the incidence of fraud.
Digital Signature • Most of these problems can be addressed by using digital signatures. The Indian IT Act of 2000 puts RSA-based digital signatures on a par with paper signatures (for almost all transactions). Each payment by credit card can then be authorized by signing the appropriate electronic document with a digital signature. • The difficulty is having a hardware device, holding the private key, that is capable of digitally signing a given document (file). Perhaps, with the growing popularity of mobile phones, the answer is to use mobile phones to digitally sign payments.
Digital Signature • Indeed, higher-end mobile phones have these capabilities. Using them, the need to give one's credit card number over the net can be eliminated: the internet is used only to generate a transaction number, and the user sends a digitally signed SMS to the bank authorizing the payment. The bank can then send the vendor a digitally signed SMS promising payment. • This can also be used for "Point-of-Sale" transactions, eliminating the need to exchange credit card numbers altogether.
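Added example serving both the zero-knowledge slides and the digital signature slides (it is not code from the original deck): Schnorr identification over a prime-order subgroup, using only the Python standard library, and the Schnorr signature obtained from it by replacing the verifier's random challenge with a hash of the commitment and the message (the Fiat-Shamir transform). Schnorr is used here instead of the RSA-based signatures the IT Act slide refers to, because one group serves both demonstrations. The bank stores only y = g^x mod p, a one-way function of the secret x, exactly as the ZK slide says; the simulator shows that an accepting transcript can be produced without x, which is why watching logins teaches the bank nothing. The group is generated at run time from a safe prime found with Miller-Rabin; the key size, the payment message and the function names are illustrative assumptions.

```python
"""Schnorr identification (zero-knowledge) and Schnorr signatures, stdlib only."""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61)


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test with a cheap trial-division pre-filter."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness of compositeness
    return True


def make_group(bits: int = 128):
    """Return (p, q, g): a safe prime p = 2q + 1 and g generating the order-q subgroup.

    128 bits is a toy size chosen so the example runs quickly; a deployment
    would use a standardised group of 2048 bits or more.
    """
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            p = 2 * q + 1
            break
    while True:
        g = pow(2 + secrets.randbelow(p - 3), 2, p)  # any non-trivial square has order q
        if g != 1:
            return p, q, g


def keygen(group):
    """Secret x stays on the card; the bank stores only the one-way image y = g^x."""
    p, q, g = group
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def prover_commit(group):
    p, q, g = group
    r = 1 + secrets.randbelow(q - 1)
    return r, pow(g, r, p)  # card keeps r, sends t = g^r


def verifier_challenge(group):
    return secrets.randbelow(group[1])  # bank sends a random c in [0, q)


def prover_respond(group, x, r, c):
    return (r + c * x) % group[1]  # card answers s = r + c*x mod q


def verifier_check(group, y, t, c, s):
    p, q, g = group
    return pow(g, s, p) == t * pow(y, c, p) % p  # g^s == t * y^c


def identify(group, x, y) -> bool:
    """One full run of the three-move protocol between card (x) and bank (y)."""
    r, t = prover_commit(group)
    c = verifier_challenge(group)
    return verifier_check(group, y, t, c, prover_respond(group, x, r, c))


def simulate_transcript(group, y):
    """An accepting (t, c, s) built without x: the bank's view reveals nothing."""
    p, q, g = group
    c, s = secrets.randbelow(q), secrets.randbelow(q)
    t = pow(g, s, p) * pow(y, (q - c) % q, p) % p  # choose t so the check passes
    return t, c, s


def _hash_to_challenge(group, t: int, msg: bytes) -> int:
    """Fiat-Shamir: the challenge becomes H(t || message) instead of a bank-chosen value."""
    p, q, _ = group
    digest = hashlib.sha256(t.to_bytes((p.bit_length() + 7) // 8, "big") + msg).digest()
    return int.from_bytes(digest, "big") % q


def sign(group, x: int, msg: bytes):
    """Schnorr signature (c, s) on msg, e.g. the payment authorisation sent by SMS."""
    p, q, g = group
    r = 1 + secrets.randbelow(q - 1)
    c = _hash_to_challenge(group, pow(g, r, p), msg)
    return c, (r + c * x) % q


def verify(group, y: int, msg: bytes, sig) -> bool:
    p, q, g = group
    c, s = sig
    t = pow(g, s, p) * pow(y, (q - c) % q, p) % p  # recover t = g^r from (c, s)
    return _hash_to_challenge(group, t, msg) == c
```

The identification protocol needs a live bank to pick the challenge, which is what makes it suitable for a smart card at a terminal; the signature form needs no interaction, so a phone can produce it offline and send it by SMS as the last slide proposes, and the bank can forward a signature of its own to the vendor in the same way.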