Augmenting Internet-Based Card Not Present Transactions with Trusted Computing (Extended Abstract)

We demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We focus on exploiting features of Trusted Computing as it is being deployed today, relying only on the presence of client-side Trusted Platform Modules. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated.
