Securing the World’s Information
Secure Dynamic Credit and Debit Cards: Stop Credit Card and Identity Theft
Andre Brisson, Stephen Boren, Co-founders / Co-inventors
2006. Narrated.

The Problem
Rampant credit card and identity theft

The Approach
• Use of Identity Management keys in a non-cryptographic context by association of a unique key to a unique account
• Immediate malfeasance detection – Dynamic Identity Verification and Authentication [DIVA]
• Immediate revocation

Compatibility
This technique can be used independently. It can also be used in conjunction with existing PKI approaches to add an additional layer of protection and to enable theft detection and immediate revocation.

The Secure Process
The credit or debit card is initially issued to the user and contains a random 1k chunk of data generated from the user’s unique key. The card has write-back capacity. The server has all the pertinent user, key and offset information. The user’s card does not have the offset. The user’s card does not have its private key, so the key can never be stolen.
• The credit card has write-back capacity
• A db at the bank server for processing transactions
• A separate db at the bank server with unique WN distributed keys for each and every card holder
The goal is to make each and every transaction unique.

Secure Characteristics
• The WN keys are highly random and unpredictable. There were no randomness failures against the NIST test suite. They are impossible for a thief to guess or break.
• The offsets are never transmitted or written to the card, so they can’t be stolen. The user’s private key is never written to the credit card. The keys are kept on a separate bank server db from the cardholder information, to keep the offset separate from the key. The keys can be kept at the bank in an encrypted state. They can be encrypted with either Whitenoise or AES.
• Each transaction becomes a unique event because the 1k chunk of data is updated on every transaction.
• Cards can easily be refreshed or updated by going to a web site and having a new chunk of data written to the card. This eliminates the majority of card replacement, which is expensive.

The Secure Process
[Diagram: A, B and C connected by numbered arrows 1 to 4; C holds the example entry "Andre’s WN Key"]
A = Client card
B = Bank database
C = WN Key database (separate from offset)
Step 1 – A purchase is made and the card A is run through a swipe. The first-level authentication PIN number is entered and the transaction begins.
Step 2 – Another level of authentication is verifying that the serial number on the card is the same as the one listed at the bank db.
Step 3 – The offset is noted and the 1k chunk of data is compared between the server DB and the card.
Step 4 – If the 1k chunk of data matches up between the card and the server, the transaction is processed.
Step 5 – The offset is updated to the beginning of the next 1k chunk of data, and finally this new 1k chunk of data is written back to the card for the next use.

There are only two possible outcomes!
Let us imagine a crook has managed to double swipe your card and capture all of the information on the card, including the random chunk of key data. There is no offset to capture. There is no key to capture. This assumes that a thief can break the user’s robust MS .net2 password, which has brute-force odds of being broken of 1 in 80 trillion. This also acknowledges that there is NO key and NO offset information that can be stolen. Only the card number and the random chunk of data are available to a thief.

Either Or Outcomes
Assume the thief can make a copy of a client credit card and has somehow broken or captured the password.
• The legitimate owner uses his/her card first, and the chunk of random key data is updated on the legitimate card. The thief then uses the stolen card and it won’t process, because the 1k chunk does not match between the stolen credit card and the server. The account is immediately disabled.
• The thief uses the stolen card first, successfully. The next time the card holder uses their card the transaction is refused, because the stolen card has been updated and the offset on the server database has been updated, but NOT the chunk of data on the legitimate card. Theft has been identified. The account is immediately disabled. We know where the theft occurred because of the previous transaction.
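
The steps and the two outcomes above, as an added simulation that is not code from the presentation. SHAKE-256 stands in for the Whitenoise key stream, the PIN step is omitted, and the class names and the serial number SN-0001 are constructed for illustration.

```python
import hashlib, hmac, os

CHUNK = 1024  # the "1k chunk" held on the card

def chunk_at(key: bytes, offset: int) -> bytes:
    # Stand-in key stream (SHAKE-256), NOT Whitenoise: CHUNK bytes for `offset`.
    return hashlib.shake_256(key + offset.to_bytes(8, "big")).digest(CHUNK)

class Card:
    """Holds only a serial number and the current chunk: no key, no offset."""
    def __init__(self, serial: str, chunk: bytes):
        self.serial, self.chunk = serial, chunk

class Bank:
    def __init__(self):
        self.accounts = {}  # B: serial -> offset and status
        self.keys = {}      # C: serial -> key, stored apart from the offsets

    def issue(self, serial: str) -> Card:
        self.keys[serial] = os.urandom(32)
        self.accounts[serial] = {"offset": 0, "disabled": False}
        return Card(serial, chunk_at(self.keys[serial], 0))

    def transact(self, card: Card) -> str:
        acct = self.accounts.get(card.serial)        # step 2: serial lookup
        if acct is None or acct["disabled"]:
            return "refused"
        key = self.keys[card.serial]
        expected = chunk_at(key, acct["offset"])     # step 3: regenerate chunk
        if not hmac.compare_digest(expected, card.chunk):
            acct["disabled"] = True                  # mismatch: theft detected
            return "mismatch: account disabled"
        acct["offset"] += CHUNK                      # step 5: advance offset
        card.chunk = chunk_at(key, acct["offset"])   # and write back to card
        return "approved"                            # step 4: processed

def scenario(thief_first: bool):
    bank = Bank()
    owner = bank.issue("SN-0001")                # constructed serial number
    thief = Card(owner.serial, owner.chunk)      # skimmed copy of the card
    order = [("owner", owner), ("thief", thief)]
    if thief_first:
        order.reverse()
    return [(who, bank.transact(card)) for who, card in order]

if __name__ == "__main__":
    print(scenario(thief_first=False))
    print(scenario(thief_first=True))
```

In both orders the second card presented is rejected and the account is disabled; when the copy is used first, that first transaction is approved and the theft surfaces at the owner's next use.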

Securing the World’s Information
100% Theft Prevention

Smart Cards and unique identifiers
Credit card companies like AMEX are already issuing smart cards to combat theft. If credit cards and debit cards are simply manufactured with chips that have unique identifiers or unique serial numbers burned into the chips, then theft prevention can be 100% effective.

Bank Key, Private Key and Piracy Prevention
• USER CREDIT CARD PRIVATE KEY
  • The user private key is securely stored at the bank vault; it is never transmitted electronically. The user key is never on the user credit card. This key is not used cryptographically but rather as a random number generator. (Keys are enormous but storage is easy. See multiplicity in our technical presentation.)
  • The private key is unique for each credit card and account. The serial number on the client card is used as a seed to set the initial offset and create a unique private key associated with a specific credit card. This serial number is used with the Bank Application Key to decrypt the client’s private key during a transaction.
• Private Key
  • The pre-authenticated distributed key is never given to the credit card holder. It is kept securely by the bank.
  • It has never been transmitted electronically. It is never given out. It never leaves the bank’s control.
  • Private keys can be kept encrypted with WN or AES to prevent internal malfeasance at the bank.
• Serial number on chip/device etc.
  • The smart credit card has a unique serial number [NAM, identifiers..] burned onto its chip.
• Bank Application Key
  • This can be a unique key for the bank or credit card company and is used to decrypt the user credit card private key in order to generate the appropriate random strings of data for transaction authentication.

Credit Card Theft Stopped Dead in its Tracks!
• The credit card transaction is initiated.
• The server reads the card’s unique serial number. The first authentication step is simply to compare this serial number with the device serial number associated with the account. It then uses this serial number with the NEVER transmitted bank key at the server to decrypt the credit card account private key in order to generate and compare the random chunks of data.
• At the bank server, the application key will be able to decrypt and use the private key if the serial number is correct. The identical corresponding random chunk of data is regenerated from the offset for comparison.
• A pirated or copied key will be copied to another medium/media with a different serial number or without a serial number at all.
• The bank application key will be unable to decrypt the credit card private key for the comparison of random data. The server recognizes the illegal attempt and immediately disables the account.
• Should the thief make it this far, the random chunk of data between the card and the server must still match 100% before the transaction continues.
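
One way the serial-number binding above could be made checkable at the server, as an added example that is not code from the presentation. HMAC-SHA256 and SHAKE-256 from the Python standard library stand in for the WN or AES encryption the slides name; the authentication tag, the function names and the serial numbers are assumptions made for illustration.

```python
import hashlib, hmac, os

def derive_keys(app_key: bytes, serial: str):
    """Per-card encryption and MAC keys from bank application key + chip serial."""
    seed = hmac.new(app_key, serial.encode(), hashlib.sha256).digest()
    return (hmac.new(seed, b"enc", hashlib.sha256).digest(),
            hmac.new(seed, b"mac", hashlib.sha256).digest())

def xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHAKE-256 key stream), not Whitenoise or AES.
    stream = hashlib.shake_256(enc_key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap(app_key: bytes, serial: str, private_key: bytes) -> bytes:
    """Encrypt the card's private key for storage in the bank's key db."""
    enc_key, mac_key = derive_keys(app_key, serial)
    nonce = os.urandom(16)
    ct = xor_stream(enc_key, nonce, private_key)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(app_key: bytes, serial: str, blob: bytes):
    """Return the private key, or None when the presented serial is wrong."""
    enc_key, mac_key = derive_keys(app_key, serial)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong serial or wrong bank key: caller disables account
    return xor_stream(enc_key, nonce, ct)

def clone_check():
    app_key = os.urandom(32)                     # never leaves the server
    card_key = os.urandom(64)                    # constructed private key
    blob = wrap(app_key, "SN-0001", card_key)    # constructed serial numbers
    genuine = unwrap(app_key, "SN-0001", blob) == card_key
    copied = unwrap(app_key, "SN-9999", blob)    # copy on another medium
    return genuine, copied

if __name__ == "__main__":
    print(clone_check())
```

The tag is what lets the server tell a failed decryption from a successful one; without it, a wrong serial number would simply yield different bytes.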

Coming in from the cold
1. Server reads serial number from existing smart card.
2. Server generates unique key and unique starting offset associated with that specific card and updates itself with UID, starting offset, key info, encrypts private key with application key. This all stays at the server. The server sends the first chunk of random data to the card.
[Diagram labels: New credit card, Scotia Bank, Secure Network Server]
• Expand secure credit card networks in 2 steps electronically
• Secure legacy distributed smart credit cards – MFG acceptance is helpful
• Persons can add password for access and two factor authentication