Error
  • JFolder::create: Could not create directory
  • JFolder::create: Could not create directory
  • JFolder::create: Could not create directory

Project: TruSIP for Cards

hand_credit_card_980

Context


What is a bank card transaction platform?

Card transaction platforms are responsible for processing card transactions performed at an automatic teller machine, point of sale device, and more recently over the Internet and mobile devices such as smart phones and tablets.

In the traditional card transaction platform we have the card holder (who may have a magnetic or chip card), a merchant (shop), an acquirer (responsible for supplying the point of sale device to the merchant, and managing the connection between the point of sale device and the bank card brand, and a brand that is responsible for relaying card transactions to the issuing bank.  In support of the the issuing bank there may be an `issuer processor' that manages the transaction processing and possibly a back office `operations centre'.  For more detailed information see Fabian Martins IEEE Key Management Summit 2010 presentation titled: "Practices and difficulties of key management in the card market" which has an excellent introduction to the traditional card processing environment.

Security problems and theft plague today's card processing systems

A large amount of information has been written about credit card fraud, both in the popular press and by security researchers. We recommend reading the wikipedia page on credit card fraud as it offers a concise introduction to many of the problems such as skimming, carding, account takeover and application fraud.

Frequently credit card attacks are "inside jobs" perpetrated by a dishonest employee of a legitimate merchant, or by privileged technicians within the bank-card processing environment.  Often attacks are well organised and use a combination of inside and outside attacks (see Wikipedia page on Albert Gonzalez the computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 through 2007).

Major banks now issue credit card security warning notices routinely.   This notice is accessible from the front page of the HSBC (Singapore) website (23 December 2010): 

"CARDS FRAUD ALERT  Cards fraud is a commonly known issue and has been on the rise in recent years. The industry recently reported a number of cards and PIN numbers being compromised in the United Arab Emirates ("UAE") resulting in unauthorised cash withdrawals on customers' debit and credit cards.

Fraudsters are able to acquire PIN numbers and electronic data from the black strip of the bank card, possibly during cash withdrawals at ATMs. Thereafter, they fashion counterfeit cards that are used to withdraw money from the customers' accounts.

To safeguard yourself against cards fraud, it is advisable that you refrain from performing any cash withdrawals in the UAE in the near term where possible.

If you have recently returned from the UAE and have performed cash transactions in the UAE, you should immediately change your PIN number if you have not been contacted by HSBC to replace your card."

Example of some security problems in the Eurocard-Mastercard-Visa platform

Let us consider the EMV protocol.  EMV is the dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation.  As of February 2010, the EMV protocol is broken. Specifically criminals can perform transactions on stolen chip and PIN cards without knowing the PIN.  Furthermore, several vulnerabilities have been found in the support for EMV secure messaging.  These attacks are significant because they show that the EMV protocol has not mitigated the risks of abuse by bank programmers at operations centers, and by exploiting this weakness insider attack there can rapidly undermine the system.  This is a serious concern.  Celent, a research and advisory firm for financial institutions, estimates that approximately 60 percent of bank fraud cases where a data breach or theft of funds has occurred are the work of an insider (2008).

List of some common bank transaction security problems

Common security themes relating to banking revolve around inadequate security controls:

  • Confidentiality failures:
    • Card transaction information may not be encrypted at every point along the transaction flow
    • Some back-end key management operations are done manually, by hand, in a way that is poorly managed
    • The information in each card transaction is exposed to several organisations, and several information processing systems (risk surface is relatively large)
  • Authentication failures:
    • Faulty electronic security protocols (EMV) fail to provide essential transaction authentication failures
    • The ability to perform transactions using account numbers and verification codes that are not adequately secured (magnetic strips, authorisation codes)
  • Physical security failures:
    • Physically compromised Point of Sale devices that violate necessary security properties
  • Trust failures: 
    • Malicious insider attacks conducted at the point of sale
    • Malicious insider attacks conducted within the transaction environment
    • Complex server side systems that are difficult to audit, permitting fraud to be present inside the back-end processing environment

The Trustworthy Bank Card Transaction Platform initiative seeks to address security threats across the full life-cycle of card transactions in Point of Sale, ATM and Internet banking, making them more resilient against a wide range of insider attacks (attacks originating inside the hardware, operating systems, trusted staff and administrators) and outsider attacks (reduce attack surface).

Bank security expert calls for new trustworthy key exchanges for credit card back-end

In May 2010, at the IEEE Key Management Summit, Prof. Fabian Martins (Crosscut Consulting / FIAP University) made a presentation titled: "Practices and Difficulties of key management on the credit card market" [Streaming] [Download low-res video] [Download high-res video].  In that presentation Fabian called for new trustworthy and dependable key management solutions for use in the back-end of credit card processing systems, specifically for technologies that were suitable for use between mutually-suspicious parties and also provided protection against insider attacks.

ICT Gozo Malta Initiatives

It is clear that new solutions are needed in the credit-card transaction space.

ICT Gozo Malta member Synaptic Laboratories has proposed a key management model which addresses the security problems raised by Prof. Fabian Martins in the point above.  This proposal was presented at the same IEEE Key Management Summit and can be found here and here.  

ICT Gozo Malta member Synaptic Laboratories' Trustworthy Cloud Compute Platform is designed to address issues of trust and insider attacks in financial processing environments. 

end faq

Proposal

Synaptic Labs' trustworthy bank card transaction platform

The creation of a universally trustworthy and dependable bank card transaction platform suitable for processing day-to-day and high value financial transactions.  This platform should deliver unprecedented confidentiality, integrity, availability, reliability, financial safety and authenticity assurances for all stakeholders against continuous and evolving insider and outsider attacks (i.e. all malicious actors), in a way that is credible and can be audited. Furthermore this platform should facilitate business continuity in the face of natural or man made physical disasters.  The platform will employ the use of smart phones.

Achieving this vision

We have taken a clean-slate approach to bank card transaction processing.

Synaptic Labs' solution synergistically combines high-availability techniques found in aerospace, safety techniques found in critical infrastructure, survivability techniques employed by biological systems and modern information security techniques in a cost-effective design that reduces the attack surface and mitigates the number of single point of trust failures.

We will achieve secure transactions for all stakeholders:

  • using commercial off the shelf (COTS) hardware and operating systems often found in card transaction environments, where each component is managed in a particular way; and
  • by employing split controls.

Synaptic Labs' unique-value-propositions

Synaptic Labs' trustworthy bank card transaction platform:

  • has been designed from the ground up as a cryptographic project
  • is designed as an online system that opportunistically exploits all wide-area networking facilities, including mobile phones and the Internet
  • is a clean-slate design that reduces the attack surface and focuses on the essential transaction functionality
  • employs an intrusion and malware resistant design:
    • offers unprecedented assurances for all stakeholders with regard to confidentiality, integrity and availability against broad classes of both insider and outsider attacks, even when the attack successfully compromises one component
    • employs a system of inter-organisation checks-and-balances to improve accountability
  • is designed to reduce the risk exposure of all stakeholders (including the client) within the card transaction platform
  • employ the use of the Trustworthy Cloud Computing Platform to host all server side transactions

The trustworthy bank card transaction platform can be built using commercial-off-the-shelf hardware, operating systems and programming languages.  Synaptic Labs' project will be exploring the wireless connectivity issues between banking applications running on mobile phones and point of sale devices.

Comparing Features with EuroMasterVisa (EMV) Card

(Key: Bad, Good)

{arijdatatable bPaginate="false" bSort="truee" bLengthChange="false" bFilter="false"}
FEATURESEMVTBCTP
The design assumes there is already a significant security weakness or breach somewhere inside the card processing ecosystem (software, devices, administration) and uses a comprehensive system of checks-and-balances to prevent these compromises that otherwise result in fraudulent transfer of money or corruption of account balance.  Trusted `Insiders’ and untrusted ‘outsiders’ cannot commit an unauthorized transaction. NO YES
Robust, international protection against point-of-sale skimming by ensuring human readable information cannot be used on it’s own to attack card holder (Account number, PIN, authorization code) NO YES
Protection against attacker in direct possession of credit card, or indirectly through relay attacks against RFID credit cards. Protects against tampering of smart card. NO YES
Card holders are protected from a) compromised merchant terminals acquiring enough information to use card holder account at another location, and b) malicious merchant insider using the card holder’s account to purchase things at other merchant locations. NO YES
Support N-variant, N-redundant implementation of back-end logic distributed over 2 or more transaction processors to maintain integrity even in case of latent unknown vulnerabilities or malware present in transaction platform (hardware and software) and rogue administrators or management at one transaction processor site NO YES
Support for offline transactions. (* The Trustworthy Bank card Transaction Platform is designed to opportunistically use Internet and card holder's SMS if required to improve availability and reduce the overheads that would be required to support offline transactions) YES YES
Security system discourages attacks and theft of data through ‘no reward’ NO YES

{/arijdatatable}


Elements in the design

  • The Trustworthy Bank Transaction Platform will employ the Trustworthy Cloud Compute Platform on the server side.  The server side can be implemented using commercial off the shelf (COTS) hardware and a small amount of proprietary software, all organized in an innovative configuration that provides greater confidentiality, integrity and availability to all cloud stakeholders.
  • The Trustworthy Bank Transaction Platform will employ commercial off the shelf magnetic cards, or preferably smart cards (chip cards) on the client side.
  • The Trustworthy Bank Transaction Platform will employ the use of smart mobile phones or possibly portable low-cost smart devices that have a simple LCD screen, PIN pad and short-range wireless connectivity (bluetooth, NFC).
  • The Trustworthy Bank Transaction Platform will employ point of sale terminals.
  • Synaptic Labs' project will be exploring the wireless connectivity issues between banking applications running on mobile phones and point of sale devices.  We anticipate the connectivity between point of sale devices and mobile phones is already being prepared for by point of sale and mobile phone manufacturers in response to increased interest in m-Banking.

Phase 1: Proof of concept

Implement proof of concept using a smart card, a smart phone, a point of sale device, and the back-end servers running on the Trustworthy Cloud Compute Platform.

end faq

Recent News!

Prev Next

ICT Gozo Malta Project wins National Ent…

26 Apr 2012

ICT Gozo Malta Project wins National Enterprise Award

The ICT Gozo Project co-founded by The Gozo Business Chamber and Synaptic Laboratories Ltd were joint winners of a 20,000 Euro prize in the National Enterprise Support Awards 2011, an event sponsored by Government of Malta and the European Commission,...

Read more

Synaptic Laboratories Ltd. to represent …

26 Apr 2012

Synaptic Laboratories Ltd. to represent ICT Gozo Malta Project, and also to present at, the Dubrovnik Nuclear Threats and Security Conference 2012

The activities of the ICT Gozo Malta Project and Synaptic Laboratories continue to draw international attention, resulting in invitations to provide expert speakers at leading scientific events.  Recently Synaptic Laboratories Ltd., as ICT GM co-founders and project designers, were contacted by...

Read more

Cyber Security and Awareness Seminar

28 Nov 2011

Cyber Security and Awareness Seminar

On the 23rd November 2011 we held a unique Cyber Security and Awareness Seminar, targeted to all groups and held at MITA’s offices, who also sponsored the event.  Entrence was free with complimentary refreshments.  The seminar was organised by ICT Gozo Malta...

Read more

News:Cyber Security Seminar

16 Nov 2011

News:Cyber Security Seminar

Cyber Security Seminar ICT Gozo Malta and BCS Malta to organize International Cyber Security Seminar with bi-directional links to Brazil’s Annual Security Leaders Congress and world leading security experts. An International Cyber Security Seminar will be held at MITA’s Offices on Wednesday...

Read more

News: Participation in Brasil Security L…

04 Nov 2011

News: Participation in Brasil Security Leaders Congress

Synaptic Laboratories' Chief Technical Officer Benjamin Gittins has been invited to participate in the Annual Brasil Security Leaders Congress on the 23 Nov. 2011.  This 2 day Congress is attended by some 300 CEO/CIO/CTO level executives from public and industry...

Read more

News: Gozo may have it's own Silicon Val…

27 Oct 2011

News: Gozo may have it's own Silicon Valley

Just the moment you start reading this article, a new technology has been invented, produced, tested or used. Technologies took over the way we communicate, think, travel or learn and it has infiltrated  human lives in a manner that no...

Read more

News: ICT Gozo Malta Launch

12 Aug 2011

News: ICT Gozo Malta Launch

 Official launch of ICT Gozo Malta Project Click on image to view Launch videosWe are pleased to announce that on 5th AUGUST  2011, the ICT Gozo Malta Project was formally launched by the Hon. Giovanna Debono, Minister for Gozo. Speakers also...

Read more

News: Government Funding for Project

25 Apr 2011

News: Government Funding for Project

The Government of Malta has provided funding, through the Eco-Gozo initiative, to launch Phase 1 of the ICT Gozo Malta Project. Contract Signing Ceremony   with the Honourable Giovanna Debono, Minister for Gozo. 

Read more

News: Malta Chamber participation

04 Mar 2011

News: Malta Chamber participation

The Malta Chamber of Commerce, Enterprise and Industry have added their weight and support to this project, recently confirming their participation and collaboration.

Read more

News: Malta Enterprise support initiativ…

24 Feb 2011

News: Malta Enterprise support initiative

Malta Enterprise express support for the ICT Cluster initiative in Gozo.  Tasked with assisting networks to develop further into business clusters, Malta Enterprise supports this initiative

Read more

News: MITA participation and support

20 Jan 2011

News: MITA participation and support

The Government's Malta Information Technology Agency (MITA) recently expressed clear support for the ICT Gozo Malta project confirming their participation in the project to identify common goals and potential areas of collaboration.

Read more

News: Brazilian Banking Expertise

22 Nov 2010

News: Brazilian Banking Expertise

Brazilian banking security expert Professor Fabian Martins will assist ICT Gozo Malta to develop its members global cyber security solution suited to the credit card market.

Read more
GBC1 SLL-Logo_150  A Collaborative Project co founded by
The Gozo Business Chamber and
Synaptic Laboratories Ltd

Eco Gozo Logo

Eco-Gozo – a Better Gozo Action Plan 2010 – 2012
Project part-financed by the Government of Malta - Ministry for Gozo
www.eco-gozo.com

feedback
feedback
feedback