Augmenting Internet-based Card Not Present Transactions with Trusted Computing: An Analysis

In this paper, we demonstrate how the staged rollout of Trusted Computing technology, beginning with ubiquitous client-side Trusted Platform Modules (TPMs), can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. This approach can be seen as an alternative to the proposed mass deployment of unconnected card readers in the provision of CNP transaction authorisation. Using TPM functionality (and the new PC architecture that will evolve around it), we demonstrate how TPM-enabled platforms can integrate with SSL, 3-D Secure and server-side SET. We highlight that TPM functionality, as currently being deployed in the marketplace, is not a panacea for all the problems associated with CNP transactions. To combat the threat of malware, a more holistic approach is required, one that adds further Trusted Computing components incorporating operating system, processor and chipset support.
