Project: TruSIP for Cards
Context
What is a bank card transaction platform?
Card transaction platforms are responsible for processing card transactions performed at an automatic teller machine, point of sale device, and more recently over the Internet and mobile devices such as smart phones and tablets.
In the traditional card transaction platform we have the card holder (who may have a magnetic or chip card), a merchant (shop), an acquirer (responsible for supplying the point of sale device to the merchant, and for managing the connection between the point of sale device and the bank card brand), and a brand that is responsible for relaying card transactions to the issuing bank. In support of the issuing bank there may be an 'issuer processor' that manages the transaction processing and possibly a back office 'operations centre'. For more detailed information see Fabian Martins' IEEE Key Management Summit 2010 presentation titled "Practices and difficulties of key management in the card market", which has an excellent introduction to the traditional card processing environment.
Security problems and theft plague today's card processing systems
A large amount of information has been written about credit card fraud, both in the popular press and by security researchers. We recommend reading the Wikipedia page on credit card fraud as it offers a concise introduction to many of the problems such as skimming, carding, account takeover and application fraud.
Frequently credit card attacks are "inside jobs" perpetrated by a dishonest employee of a legitimate merchant, or by privileged technicians within the bank-card processing environment. Often attacks are well organised and use a combination of inside and outside attacks (see the Wikipedia page on Albert Gonzalez, the computer criminal accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007).
Major banks now issue credit card security warning notices routinely. This notice is accessible from the front page of the HSBC (Singapore) website (23 December 2010):
"CARDS FRAUD ALERT Cards fraud is a commonly known issue and has been on the rise in recent years. The industry recently reported a number of cards and PIN numbers being compromised in the United Arab Emirates ("UAE") resulting in unauthorised cash withdrawals on customers' debit and credit cards.
Fraudsters are able to acquire PIN numbers and electronic data from the black strip of the bank card, possibly during cash withdrawals at ATMs. Thereafter, they fashion counterfeit cards that are used to withdraw money from the customers' accounts.
To safeguard yourself against cards fraud, it is advisable that you refrain from performing any cash withdrawals in the UAE in the near term where possible.
If you have recently returned from the UAE and have performed cash transactions in the UAE, you should immediately change your PIN number if you have not been contacted by HSBC to replace your card."
Example of some security problems in the Eurocard-Mastercard-Visa platform
Let us consider the EMV protocol. EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. As of February 2010, the EMV protocol is broken. Specifically, criminals can perform transactions on stolen chip and PIN cards without knowing the PIN. Furthermore, several vulnerabilities have been found in the support for EMV secure messaging. These attacks are significant because they show that the EMV protocol has not mitigated the risks of abuse by bank programmers at operations centres, and an insider attack there that exploits this weakness can rapidly undermine the system. This is a serious concern. Celent, a research and advisory firm for financial institutions, estimates that approximately 60 percent of bank fraud cases where a data breach or theft of funds has occurred are the work of an insider (2008).
List of some common bank transaction security problems
Common security themes relating to banking revolve around inadequate security controls:
- Confidentiality failures:
  - Card transaction information may not be encrypted at every point along the transaction flow
  - Some back-end key management operations are done manually, by hand, in a way that is poorly managed
  - The information in each card transaction is exposed to several organisations, and several information processing systems (risk surface is relatively large)
- Authentication failures:
  - Faulty electronic security protocols (EMV) fail to provide essential transaction authentication
  - The ability to perform transactions using account numbers and verification codes that are not adequately secured (magnetic strips, authorisation codes)
- Physical security failures:
  - Physically compromised Point of Sale devices that violate necessary security properties
- Trust failures:
  - Malicious insider attacks conducted at the point of sale
  - Malicious insider attacks conducted within the transaction environment
  - Complex server side systems that are difficult to audit, permitting fraud to be present inside the back-end processing environment
The Trustworthy Bank Card Transaction Platform initiative seeks to address security threats across the full life-cycle of card transactions in Point of Sale, ATM and Internet banking, making them more resilient against a wide range of insider attacks (attacks originating inside the hardware, operating systems, trusted staff and administrators) and outsider attacks (reduce attack surface).
Bank security expert calls for new trustworthy key exchanges for credit card back-end
In May 2010, at the IEEE Key Management Summit, Prof. Fabian Martins (Crosscut Consulting / FIAP University) made a presentation titled "Practices and Difficulties of key management on the credit card market". In that presentation Fabian called for new trustworthy and dependable key management solutions for use in the back-end of credit card processing systems, specifically for technologies that were suitable for use between mutually-suspicious parties and also provided protection against insider attacks.
ICT Gozo Malta Initiatives
It is clear that new solutions are needed in the credit-card transaction space.
ICT Gozo Malta member Synaptic Laboratories has proposed a key management model which addresses the security problems raised by Prof. Fabian Martins in the point above. This proposal was presented at the same IEEE Key Management Summit and can be found here and here.
ICT Gozo Malta member Synaptic Laboratories' Trustworthy Cloud Compute Platform is designed to address issues of trust and insider attacks in financial processing environments.
Proposal
Synaptic Labs' trustworthy bank card transaction platform
The creation of a universally trustworthy and dependable bank card transaction platform suitable for processing day-to-day and high value financial transactions. This platform should deliver unprecedented confidentiality, integrity, availability, reliability, financial safety and authenticity assurances for all stakeholders against continuous and evolving insider and outsider attacks (i.e. all malicious actors), in a way that is credible and can be audited. Furthermore, this platform should facilitate business continuity in the face of natural or man-made physical disasters. The platform will employ the use of smart phones.
Achieving this vision
We have taken a clean-slate approach to bank card transaction processing.
Synaptic Labs' solution synergistically combines high-availability techniques found in aerospace, safety techniques found in critical infrastructure, survivability techniques employed by biological systems and modern information security techniques in a cost-effective design that reduces the attack surface and mitigates the number of single point of trust failures.
We will achieve secure transactions for all stakeholders:
- using commercial off the shelf (COTS) hardware and operating systems often found in card transaction environments, where each component is managed in a particular way; and
- by employing split controls.
Synaptic Labs' unique-value-propositions
Synaptic Labs' trustworthy bank card transaction platform:
- has been designed from the ground up as a cryptographic project
- is designed as an online system that opportunistically exploits all wide-area networking facilities, including mobile phones and the Internet
- is a clean-slate design that reduces the attack surface and focuses on the essential transaction functionality
- employs an intrusion- and malware-resistant design
- offers unprecedented assurances for all stakeholders with regard to confidentiality, integrity and availability against broad classes of both insider and outsider attacks, even when the attack successfully compromises one component
- employs a system of inter-organisation checks-and-balances to improve accountability
- is designed to reduce the risk exposure of all stakeholders (including the client) within the card transaction platform
- employs the Trustworthy Cloud Computing Platform to host all server-side transactions
The trustworthy bank card transaction platform can be built using commercial-off-the-shelf hardware, operating systems and programming languages. Synaptic Labs' project will be exploring the wireless connectivity issues between banking applications running on mobile phones and point of sale devices.
Comparing Features with EuroMasterVisa (EMV) Card
FEATURES | EMV | TBCTP
---|---|---
The design assumes there is already a significant security weakness or breach somewhere inside the card processing ecosystem (software, devices, administration) and uses a comprehensive system of checks-and-balances to prevent these compromises that otherwise result in fraudulent transfer of money or corruption of account balance. Trusted 'insiders' and untrusted 'outsiders' cannot commit an unauthorized transaction. | NO | YES
Robust, international protection against point-of-sale skimming by ensuring human readable information cannot be used on its own to attack the card holder (account number, PIN, authorization code) | NO | YES
Protection against an attacker in direct possession of the credit card, or indirectly through relay attacks against RFID credit cards. Protects against tampering of the smart card. | NO | YES
Card holders are protected from a) compromised merchant terminals acquiring enough information to use the card holder's account at another location, and b) a malicious merchant insider using the card holder's account to purchase things at other merchant locations. | NO | YES
Support for N-variant, N-redundant implementation of back-end logic distributed over 2 or more transaction processors to maintain integrity even in case of latent unknown vulnerabilities or malware present in the transaction platform (hardware and software) and rogue administrators or management at one transaction processor site | NO | YES
Support for offline transactions. (* The Trustworthy Bank Card Transaction Platform is designed to opportunistically use the Internet and the card holder's SMS if required to improve availability and reduce the overheads that would be required to support offline transactions) | YES | YES
Security system discourages attacks and theft of data through 'no reward' | NO | YES
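The N-redundant, split-control idea in the table above (back-end logic run independently at two or more transaction processors, with a single rogue site unable to commit a transaction) is illustrated by the following added example. It is not Synaptic Labs' code and the page does not specify how the platform actually implements this; the processor names, keys, ledgers, the use of HMAC-SHA256 as a per-processor verdict signature, and the quorum policy are all assumptions constructed for the example.

```python
"""Added example (not from the Synaptic Labs proposal): N-redundant
transaction authorization with split controls.

Each hypothetical processor holds its own ledger copy and its own verdict
key. The settlement layer holds only verification keys and commits a
transaction when a quorum of independently signed approvals exists, so
one compromised processor can neither push a fraudulent transfer through
nor impersonate another processor's verdict. Any disagreement between the
variants is surfaced as an audit flag."""
import hashlib
import hmac
import json
from dataclasses import dataclass


def sign(key, verdict):
    """Sign a verdict dict with a processor's key (assumed HMAC-SHA256)."""
    msg = json.dumps(verdict, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class Processor:
    """One independent transaction processor (hypothetical component)."""
    name: str
    key: bytes                 # this processor's verdict-signing key
    ledger: dict               # this processor's own copy of account balances
    compromised: bool = False  # hypothetical insider/malware forcing approvals

    def evaluate(self, txn):
        """Independently decide on txn and return (verdict, signature)."""
        if self.compromised:
            approve = True     # rogue site approves anything it is shown
        else:
            balance = self.ledger.get(txn["from"], 0)
            approve = (txn["pin_verified"] and txn["amount"] > 0
                       and balance >= txn["amount"])
        verdict = {"processor": self.name, "txn_id": txn["id"],
                   "approve": approve}
        return verdict, sign(self.key, verdict)


def settle(txn, processors, verify_keys, quorum):
    """Settlement layer: commit only with `quorum` verifiable approvals.

    verify_keys maps processor name -> key held by the settlement layer
    (split control: no processor can verify or forge another's verdict)."""
    approvals, dissent = [], []
    for p in processors:
        verdict, tag = p.evaluate(txn)
        expected = sign(verify_keys[verdict["processor"]], verdict)
        if not hmac.compare_digest(tag, expected):
            dissent.append(f"{verdict['processor']}: unverifiable verdict")
        elif verdict["approve"]:
            approvals.append(verdict["processor"])
        else:
            dissent.append(f"{verdict['processor']}: declined")
    return {
        "txn_id": txn["id"],
        "settled": len(approvals) >= quorum,
        "approvals": approvals,
        "dissent": dissent,
        # any disagreement among the variants is itself an audit signal
        "audit_flag": bool(dissent),
    }


# Constructed sample data: three processors with identical honest ledgers.
KEYS = {"proc-A": b"key-A", "proc-B": b"key-B", "proc-C": b"key-C"}
LEDGER = {"acct-1": 500, "acct-2": 20}
HONEST_TXN = {"id": "t1", "from": "acct-1", "to": "acct-2",
              "amount": 100, "pin_verified": True}
FRAUD_TXN = {"id": "t2", "from": "acct-2", "to": "acct-9",
             "amount": 1000, "pin_verified": False}


def build_processors(compromised=()):
    return [Processor(n, k, dict(LEDGER), n in compromised)
            for n, k in KEYS.items()]


def run_scenarios():
    """Three scenarios: honest traffic, a fraud pushed by a rogue site,
    and a site trying to speak for another processor without its key."""
    procs = build_processors(compromised={"proc-B"})
    impostor = [Processor("proc-A", b"not-the-A-key", dict(LEDGER))]
    return {
        "honest": settle(HONEST_TXN, procs, KEYS, quorum=2),
        "fraud": settle(FRAUD_TXN, procs, KEYS, quorum=2),
        "impersonation": settle(HONEST_TXN, impostor + build_processors()[1:],
                                KEYS, quorum=3),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

With one of three sites compromised, honest traffic still settles (availability is kept), the fraudulent transfer gathers only the rogue site's approval and is refused, and a verdict signed with the wrong key is rejected and flagged rather than counted; in a real deployment the quorum, the key custody for each site, and the handling of the audit flag would be the governance decisions the page's checks-and-balances language refers to.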
Elements in the design
- The Trustworthy Bank Transaction Platform will employ the Trustworthy Cloud Compute Platform on the server side. The server side can be implemented using commercial off the shelf (COTS) hardware and a small amount of proprietary software, all organized in an innovative configuration that provides greater confidentiality, integrity and availability to all cloud stakeholders.
- The Trustworthy Bank Transaction Platform will employ commercial off the shelf magnetic cards, or preferably smart cards (chip cards) on the client side.
- The Trustworthy Bank Transaction Platform will employ smart mobile phones or possibly portable low-cost smart devices that have a simple LCD screen, PIN pad and short-range wireless connectivity (Bluetooth, NFC).
- The Trustworthy Bank Transaction Platform will employ point of sale terminals.
- Synaptic Labs' project will be exploring the wireless connectivity issues between banking applications running on mobile phones and point of sale devices. We anticipate the connectivity between point of sale devices and mobile phones is already being prepared for by point of sale and mobile phone manufacturers in response to increased interest in m-Banking.
Phase 1: Proof of concept
Implement proof of concept using a smart card, a smart phone, a point of sale device, and the back-end servers running on the Trustworthy Cloud Compute Platform.