Computable.nl
  • Thema’s
    • Carrière
    • Innovatie & Transformatie
    • Cloud & Infrastructuur
    • Data & AI
    • Governance & Privacy
    • Security & Awareness
    • Software & Development
    • Werkplek & Beheer
  • Sectoren
    • Channel
    • Financiële dienstverlening
    • Logistiek
    • Onderwijs
    • Overheid
    • Zorg
  • Computable Awards
    • Overzicht
    • Nieuws
    • Winnaars
    • Partner worden
  • Vacatures
    • Vacatures bekijken
    • Vacatures plaatsen
  • Bedrijven
    • Profielen
    • Producten & Diensten
  • Kennisbank
  • Nieuwsbrief

Chip and pin (3)

19 juni 2003 - 22:004 minuten leestijdOpinieCloud & Infrastructuur
Martin Healey
Martin Healey

We are always being told that credit card transactions on the Internet are safe as long as the application is using the SSL (Secure Socket Layer) protocol to protect the transaction data in transit over the Internet. Unfortunately this also means that it protects the person who has stolen your credit card unknown to you, and is using it to perform online credit transaction to your account. So the Asecurity is not ensuring a true authorisation of a transaction by the account holder.

At first sight Chip and PIN techniques will provide an answer for Internet credit card transactions by adding a standard smart card reader to the home PC. The transaction software could read the account information from the smart card and validate it with the issuing bank over the Internet, and then prompt the user to enter their PIN to authorise the transaction. Assuming the correct PIN is entered and the authorisation process completes successfully this is equivalent to aAcard present transaction.
Unfortunately this assumes that the home PC is a secure device! When this transaction was being performedthere may have been a virus resident in the PC. This virus scanned the video output for text words such as AName, AAmount, APIN, AEnter etc. Whenever one of these trigger words is detected the virus records all keys typed at the keyboard and forwards them to an e-mail address. Somewhere in that keyboard data will be the PIN number, now made known to the attacker.
Other simpler Asocial engineering attacks such as displaying a message on the users screen requesting them to enter their PIN number, work in a surprising number of cases! This must mean that the PC is NOT a device into which PIN numbers should be typed – EVER!
To perform an online Acard present transaction securely, the standard smart card reader should be replaced with another piece of equipment. This new device has its own processor, key pad, LCD display and smart card interface all built into one tamper proof enclosure, with a USB, serial or wireless interface to allow connection to the PC. To be acceptable to the banks the device must meet certain requirements, namely (i) any key pressed on the PIN pad must never be output on its interface (ii) any data received on the interface must never be displayed on the LCDand (iii) the device itself must be able to process the authorisation algorithm. This type of device is some times called a Finread device.
With such a device secure online Acard present transactions can be performed. The Web shop initiates a session with the payment authority, which sends a digitally signed information record back to the users PC, which can pass the information on to the attached FINREAD device, which can pass the necessary information to the smart card for authentication. The device can then extract the transaction value from the received information and display it on the LCD for the user to accept. The smart card then uses the entered PIN to release information to allow it to sign the transaction record (again with encryption keys stored within the smart card). The device can then send the processed transaction record back to the PC which forwards it over the Internet to the payment authority that was controlling the transaction.
The FINREAD device effectively provides the secure "sandbox", programmatically isolated from the PC, in which financial transactions can be authorised by the true owner of the credit card, when it really will be secure to purchase items using a PC connected to the Internet!< BR>
 
Martin Healey, pioneer development Intel-based computers en c/s-architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.

Meer over

SoftwarebeheerSSL

Deel

    Inschrijven nieuwsbrief Computable

    Door te klikken op inschrijven geef je toestemming aan Jaarbeurs B.V. om je naam en e-mailadres te verwerken voor het verzenden van een of meer mailings namens Computable. Je kunt je toestemming te allen tijde intrekken via de af­meld­func­tie in de nieuwsbrief.
    Wil je weten hoe Jaarbeurs B.V. omgaat met jouw per­soons­ge­ge­vens? Klik dan hier voor ons privacy statement.

    Whitepapers

    Computable.nl

    Beveiliging begint bij de Server

    Waarom lifecycle-denken cruciaal is voor IT-security

    Computable.nl

    Bouw de AI-organisatie niet op los zand

    Wat is de afweging tussen zelf bouwen of het benutten van cloud?

    Computable.nl

    Slimme connectiviteit: de toekomst van bouwen

    Hoe stoom jij jouw organisatie in de bouw en installatie sector klaar voor de digitale toekomst?

    Meer lezen

    AchtergrondData & AI

    Fokken met data

    OpinieCloud & Infrastructuur

    Introductie van sase in het netwerk: eenvoudiger beheer en lagere kosten

    Handen
    ActueelSoftware & Development

    Workday en Randstad slaan handen ineen

    ActueelInnovatie & Transformatie

    Kort: 15 miljoen voor QuiX Quantum, NTT Data met Eurofiber in 5G-zee (en meer)

    OpinieSecurity & Awareness

    Inzicht in kwetsbaarheden aanvalsoppervlak gaat voor budget

    AchtergrondCloud & Infrastructuur

    Eigen datacenter, colocatie of cloud?

    Geef een reactie Reactie annuleren

    Je moet ingelogd zijn op om een reactie te plaatsen.

    Populaire berichten

    Meer artikelen

    Uitgelicht

    Partnerartikel
    AdvertorialData & AI

    Private AI helpt gemeenten met vertrou...

    In een tijd waarin gemeenten geconfronteerd worden met groeiende verwachtingen van burgers, toenemende wet- en regelgeving en druk op budgetten,...

    Meer persberichten

    Footer

    Direct naar

    • Carrièretests
    • Kennisbank
    • Planning
    • Computable Awards
    • Magazine
    • Abonneren Magazine
    • Cybersec e-Magazine
    • Topics

    Producten

    • Adverteren en meer…
    • Jouw Producten en Bedrijfsprofiel
    • Whitepapers & Leads
    • Vacatures & Employer Branding
    • Persberichten

    Contact

    • Colofon
    • Computable en de AVG
    • Service & contact
    • Inschrijven nieuwsbrief
    • Inlog

    Social

    • Facebook
    • X
    • LinkedIn
    • YouTube
    • Instagram
    © 2025 Jaarbeurs
    • Disclaimer
    • Gebruikersvoorwaarden
    • Privacy statement
    Computable.nl is een product van Jaarbeurs