Extending Card Present Transactions to the Online World…

Can anyone think of any holes in this security strategy? I know it's not cost effective, and it's inconvenient, but could you present a plausible attack on this system?

Oh, and I got the Training Day DVD today. It rocks. :->

10 thoughts on “Extending Card Present Transactions to the Online World…”

  1. Relying on an out-of-band communication to be secure isn't enough. Someone could make a device or program that would emulate x25 on one side, and communicate to the main server on the other side in a classical MiM attack… It's the same problem that other guy claimed existed in VISA's program.. if you can't trust the server, you can't trust anything….but that's what certificates are for, and I'm certain the VISA webpage uses SSL…

    1. But wouldn't that require quite a bit of analysis of the challenge and the response?
      I'm looking for a method that wouldn't make it completely impossible, but make it "not worth it" since every card would have a different secret inside.
      I don't know if what I was considering is possible with todays smartcards, but I'm just looking for a challenge-response system with integrated secret on board the card.

      The idea is, that if the card was stolen, it was probably pickpocketing, and they wouldn't know the password.

      If they steal the number and password, they don't have the card. Since the challenge-response traffic doesn't go through the server, it makes it a requirement to have the card as well.

      Since the replies don't go through the internet, MitM requires passive or active tapping on the phone line, as well as monitoring of internet traffic to do any sort of analysis on it.

      1. Well.. the standard way you would do authentication using smartcards.. would be a smartcard reader w/ a number pad (to enter PIN)… the server has everyone's public keys, and each card has a private key stored inside it, unlocked by the PIN. Whenever you want to do anything.. you either encrypt or sign your message with the private key inside.. which never leaves the card.. it's only used to encrypt/sign input.. and then spits out the output…

        1. Cool. That'd be pretty much what I was looking for.

          Given that, how difficult would it be to circumvent using the smart card as proof of card present?

          1. Pretty damn difficult. If you are trying to break this authentication method.. you can either:

            A) Steal someone's card
            B) Try to guess their private key

            Since B is very unlikely…near impossible… you could steal someone's card.. but then you would need to know their PIN… And you might think.. well, if it's just a 4 digit PIN, I can just locally brute force every possible PIN number.. not true.. Many smartcards are set up to destroy all information on them if you incorrectly enter the PIN say like… 3 times. So you would need to figure out their PIN somehow also.. but that's very difficult also, becuase the keypad they use to enter the PIN is only connected to the smartcard, never any multi-purpose computer… So you can't sniff it..

            Smartcards are sweet.. I wish they were used in the US more..

          2. this is the very reason i prefer cash over any other form of currency, when it matters.

            when it doesn't matter. i.e., when i manipulate the datum to my whim, e-cash will do. 😉

Leave a Reply