smart card security Articles

Smart cards will take secure electronic transactions to the next level

By Paul Meadowcroft, head of transaction security at Thales e-Security


Without a doubt 2004 is going to be a landmark year in the history of the smart card. While it will take years to realise the full potential of the technology, several important steps forward will be taken over the coming months. Of these, the use of the smart card for electronic financial transactions will be among the most significant.

Barclaycard has already announced that it is launching a six-month pilot scheme to test the use of smart cards for e-transactions. Other banks and card issuers are sure to be watching the results of this trial very closely as it is crucial for demonstrating that the smart card can genuinely become the de facto tool for authenticating all financial transactions. The expectations are that in addition to the use of smart cards for payments in the physical world, the widespread deployment of unconnected smart card readers will open up the potential for smart cards to become personal security modules. As such they will be used to authenticate all channels of transaction, be it physical, online, telephone or commerce through interactive TV.

The security benefits are clear to see. Including a smart card in every financial transaction adds a crucial second layer of authentication: two-factor authentication, something you have (the card) as well as something you know (the PIN), should reduce fraud. Given that the EMV smart card rollout is predicted to dramatically increase Card Not Present (CNP) fraud, as fraudsters move away from the now-protected point of sale, the parallel introduction of unconnected readers for smart card transactions is very timely.

The rollout of unconnected smart card readers

In terms of the technology behind the unconnected smart card readers, it is the recent introduction of a common standard that is the important innovation. Earlier this year APACS, in association with MasterCard, released a specification for unconnected smart card readers. This has allowed leading smart card reader manufacturers to offer products for mass consumption at a commercially viable cost.

At the moment the maximum level of security available to consumers is username and password authentication, which is already seen as inadequate for securing financial transactions. It is anticipated that over the next two or three years some, if not all, card issuers will wish to offer stronger authentication based around EMV smart cards. To do this they will need to provide unconnected smart card readers to customers wishing to make e-transactions. With £1.17bn worth of online shopping expected to have been done over Christmas 2003, in a market that has grown by over 40% over the year, banks have added incentives to provide increased security for such transactions. This is especially timely as online credit card fraud has now topped £100m a year, an increase of 33% over a two-year period. The EMV migration is expected to push this figure even higher, as a lot of the annual £454m worth of credit card fraud will shift to CNP transactions.

As the 10,000 Barclaycard trial participants will be finding out from February onwards, using the unconnected readers is a very straightforward process. The reader is a dumb device with no connection to the PC: it does little more than let the card check the cardholder's PIN and then display the one-time passcode that the user's standard EMV smart card generates. The user then types this passcode into the computer at the appropriate prompt. Because the passcode is derived from a key shared only between the card and its issuer, only the issuing bank can verify it. To defeat replay, the passcode can also be bound to the individual transaction by a more secure, yet still simple, challenge-response process: the bank presents a challenge which the user keys into the reader and which the card folds into the code. Provided that challenge is fresh for each transaction and encodes its details (payee and amount), an intercepted passcode is of no use whatsoever beyond that single transaction, and it cannot be redirected to a different payment.
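The flow just described, as an added example that is not Barclaycard's, APACS's or Thales's code: a Go model in which the card shares a secret with its issuer, the reader only gates the card with the PIN and displays the code, the issuer alone can verify the code, and a transaction-bound challenge stops an intercepted code from being replayed or redirected. The HMAC-SHA256 derivation, the 8-digit truncation and every name, card number, PIN and amount are this example's own assumptions, not the EMV cryptogram format or the APACS/MasterCard reader specification.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Added illustrative model of the unconnected-reader flow. The HMAC-SHA256 derivation
// and HOTP-style truncation are this example's choices, not the APACS/MasterCard
// reader specification or the EMV cryptogram format.

// Card stands in for the EMV chip: a per-card secret shared only with the issuer,
// the cardholder's PIN and a transaction counter that never runs backwards.
type Card struct {
	PAN     string
	secret  []byte
	pin     string
	counter uint32
}

// Issuer holds the same per-card secrets plus the highest counter it has accepted
// for each card, which is what makes every passcode single use.
type Issuer struct {
	secrets  map[string][]byte
	accepted map[string]uint32
}

const lookahead = 10 // counters searched past the last accepted one (codes never submitted)

// passcode derives an 8-digit code from HMAC-SHA256(secret, counter || challenge).
// An empty challenge gives a plain one-time passcode; a transaction challenge binds it.
func passcode(secret []byte, counter uint32, challenge string) string {
	mac := hmac.New(sha256.New, secret)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	mac.Write(ctr[:])
	mac.Write([]byte(challenge))
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation as in RFC 4226
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%08d", v%100000000)
}

// Generate is all the reader asks of the card: check the PIN (something you know),
// advance the counter and compute the code the reader then displays.
func (c *Card) Generate(pin, challenge string) (string, bool) {
	if !hmac.Equal([]byte(pin), []byte(c.pin)) {
		return "", false
	}
	c.counter++
	return passcode(c.secret, c.counter, challenge), true
}

// TransactionChallenge is what the bank shows the cardholder to key into the reader.
// Folding amount and payee into it is the point: a code computed for one payment
// verifies for no other. (A real reader takes a short numeric challenge; this model
// passes the fields through as text for readability.)
func TransactionChallenge(nonce string, amountPence uint64, payee string) string {
	return fmt.Sprintf("%s|%d|%s", nonce, amountPence, payee)
}

// Verify is the issuer's check; nobody else has the card secret, so nobody else can
// do it. It searches forward from the last accepted counter and, on a match, records
// the new high-water mark so the same code is refused from then on.
func (i *Issuer) Verify(pan, challenge, code string) bool {
	secret, ok := i.secrets[pan]
	if !ok {
		return false
	}
	last := i.accepted[pan]
	for n := last + 1; n <= last+lookahead; n++ {
		if hmac.Equal([]byte(passcode(secret, n, challenge)), []byte(code)) {
			i.accepted[pan] = n
			return true
		}
	}
	return false
}

// ReaderDemo returns whether each attempt was accepted: a genuine payment, the same
// code replayed, a fresh code redirected to a different payment, that fresh code
// used for the payment it was generated for, and a code requested with a wrong PIN.
func ReaderDemo() []bool {
	secret := []byte("per-card key shared with the issuer (constructed)")
	card := &Card{PAN: "4929000000000001", secret: secret, pin: "1234"} // constructed data
	bank := &Issuer{secrets: map[string][]byte{card.PAN: secret}, accepted: map[string]uint32{}}
	genuine := TransactionChallenge("7f3a9c", 12500, "shop.example")
	altered := TransactionChallenge("7f3a9c", 99900, "mule.example")
	code1, _ := card.Generate("1234", genuine)
	code2, _ := card.Generate("1234", genuine)
	_, pinOK := card.Generate("0000", genuine)
	return []bool{
		bank.Verify(card.PAN, genuine, code1), // accepted
		bank.Verify(card.PAN, genuine, code1), // refused: counter already consumed
		bank.Verify(card.PAN, altered, code2), // refused: bound to the genuine payment
		bank.Verify(card.PAN, genuine, code2), // accepted
		pinOK,                                 // false: the card produced no code
	}
}

func main() { fmt.Println(ReaderDemo()) }
```

The counter window is what lets the issuer tolerate codes that were generated but never submitted; its width trades against the number of guesses an attacker gets per challenge, so the issuer should also rate-limit failed attempts per card, which the model leaves out.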

Assuming there is no resistance from consumers, this unconnected reader system will have an extremely positive effect on fraud and in turn help boost consumer confidence in shopping online. From a business perspective, CNP fraud can be virtually eliminated for the banks that implement the system; and since liability for CNP transactions is shifting from the retailer and acquirer to the card issuer, this alone will almost certainly prove a massive incentive for card issuers to roll out the unconnected readers. Card issuers who do not participate in the scheme will undoubtedly see CNP fraud migrate to them as tighter security is provided elsewhere. Furthermore, card issuers who do not upgrade their systems will still be liable for CNP fraud if it can be proved that the fraud could have been prevented by the use of unconnected readers.

The authentication challenges for card issuers

The clearest example of the need for stronger cardholder authentication in CNP transactions is the card associations' new initiative against payment fraud over the internet. Its technology backbone is the 3-D Secure protocol, developed by Visa and adopted by MasterCard, marketed as Verified by Visa and MasterCard SecureCode respectively. 3-D Secure was designed specifically for internet transactions; it is intended to make the internet a more secure place to trade, reduce chargebacks and increase card usage.

Within the 3-D Secure scheme, Visa and MasterCard provide all the infrastructure card issuers need to authenticate their cardholders on every internet payment. Today nearly all card issuers use a username and password for this. 3-D Secure, however, leaves the authentication method to the issuer, so it can be upgraded to advanced techniques such as the EMV smart card and unconnected reader combination without changing the rest of the scheme.

To accelerate acceptance of these security methods, both Visa and MasterCard have also agreed to shift the liability for internet transactions from internet merchants to card issuers. This radical decision, which puts card issuers at the centre of responsibility for internet payment security, is likely to fuel the development of 3-D Secure for securing these payments and to justify issuing banks' investment in strong authentication methods.

The additional benefits of installing an e-transaction infrastructure

The introduction of unconnected smart card readers has the potential to provide enhanced security beyond internet transactions. Conceivably, any transaction channel can make use of this technology: telephone transactions, whether mobile or fixed line, interactive TV transactions or help desk authentication. However, the back office complexity of using the system in this way will prove very daunting for card issuers.

At the moment card issuers would require a separate platform for each transaction channel. This isolation of back office systems into individual silos generally prevents the card issuer from using a single authentication method for all access channels. In turn, this makes the implementation cumbersome and hard to maintain. It is for this reason that card issuers are beginning to investigate the need for a single, flexible authentication platform.

The natural place for such an innovative authentication backbone is between the access points and the back-office - the middle office. Deploying a middle office platform would mean that the costly process of changing or replacing any of the front or back office systems need not happen. Instead, all transactions, whatever their source, could be authenticated on a single platform that is seamlessly integrated with the card issuer’s application environment, including 3-D Secure as well as other back office systems using a Java or XML interface.

The advantages of this approach are twofold. Firstly, the card issuer would be able to manage all its transaction channels from a single platform, dramatically improving ease of management, and could embrace new transaction technologies and channels without implementing a new platform and, most importantly, without compromising robust security. Secondly, a single centralised platform will have a significantly lower total cost of ownership than multiple platforms.

But the benefits of taking a strategic approach are not limited to dealing with multiple channels. As BACS have demonstrated to critical acclaim over the past year, it is also possible to use a single middle office authentication server to process transactions from multiple trust schemes. Regardless of whether it is an existing authentication token, an EMV smart card, a PKI scheme such as Identrus or any one of the home-grown PKIs that banks have locked away unused, a single middle office system can perform the appropriate authentication and message validation.

The BACS experience

Within the new internet-based BACSTEL infrastructure that BACS is currently rolling out, UK businesses are issued with smart cards by their bank. The smart card is then used to digitally sign every payment instruction, binding it to the signer and ensuring that any accidental or deliberate alteration is detected when the signature is verified. However, of the 12 banks within the scheme only eight wished to use the Identrus PKI; the others preferred to use their own PKI schemes.

BACS was able to overcome this challenge by deploying SafeSign from Thales e-Security to handle the technical side and a Trust Services Code of Conduct to cover the policy, operational and legal aspects. SafeSign ensures compatibility with all relevant PKI standards by verifying each transaction against the set of rules defined by the bank that issued the smart card used to sign it. To authenticate the cardholder, the system generates a fresh random challenge and the cardholder responds by signing it with the smart card, which releases its signing key only after the correct PIN has been entered. SafeSign then verifies the signature against the public key in the cardholder's certificate and checks the certificate's validity in real time with the issuing bank. The challenge must be unpredictable and used only once, so that a captured response cannot be replayed as a later logon. Likewise, all payment requests and other transactions submitted to BACS are digitally signed by the user with smart card and PIN, and verified in real time.

Because every certificate is checked in real time with the issuing bank, a lost or stolen card cannot be used to sign transactions once the bank has revoked its certificate, and changes in employee status take effect as soon as the bank is made aware of them. This substantially reduces the risk of fraud compared with the old system. Varying levels of access are supported for the different personnel in the banks and businesses using the system.
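The BACS logon and signing flow described above, as an added example that is not Thales's SafeSign code: a Go model with a smart card that signs only after the PIN is presented, an issuing bank that keeps its own copy of each certified key and can revoke it, and a middle-office server that hands out single-use random challenges, verifies signatures against the bank's copy of the key and checks certificate status in real time. ECDSA P-256, the bank and serial names, the PIN and the payment strings are this example's assumptions; the real scheme's algorithms and certificate profiles are set by each bank's PKI (Identrus or its own), and the per-bank rule sets the text mentions are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added illustrative model of the flow described above, not Thales's SafeSign code.
// ECDSA P-256 stands in for whatever algorithm and certificate profile each bank's
// PKI (Identrus or home-grown) prescribes; certificates are reduced to a serial
// number mapped to a public key, and the per-bank rule sets are omitted.

// SmartCard: the private key never leaves the card and the PIN gates every signature.
type SmartCard struct {
	Issuer, Serial string
	priv           *ecdsa.PrivateKey
	pin            string
}

func (c *SmartCard) Sign(pin string, msg []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("PIN rejected by card")
	}
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, c.priv, h[:])
}

// IssuingBank keeps its own copy of every public key it certified and answers the
// real-time status query; a revocation takes effect on the very next query.
type IssuingBank struct {
	Name    string
	issued  map[string]*ecdsa.PublicKey
	revoked map[string]bool
}

func (b *IssuingBank) Issue(serial, pin string) *SmartCard {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	b.issued[serial] = &priv.PublicKey
	return &SmartCard{Issuer: b.Name, Serial: serial, priv: priv, pin: pin}
}

// AuthServer plays the middle-office role: one verifier in front of every bank.
type AuthServer struct {
	banks      map[string]*IssuingBank
	challenges map[string][]byte // outstanding logon challenge per card serial
}

// NewChallenge issues a fresh, unpredictable, single-use challenge for the card to sign.
func (s *AuthServer) NewChallenge(serial string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read fills the whole buffer or aborts; no short reads
	s.challenges[serial] = c
	return c
}

// Verify takes the public key from the issuing bank's records, never from the client,
// refuses revoked or unknown certificates, and only then checks the signature. The
// same check serves logon responses and signed payment instructions.
func (s *AuthServer) Verify(issuer, serial string, msg, sig []byte) error {
	bank, ok := s.banks[issuer]
	if !ok {
		return errors.New("unknown issuing bank")
	}
	pub, ok := bank.issued[serial]
	if !ok || bank.revoked[serial] {
		return errors.New("certificate revoked or unknown")
	}
	h := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Logon consumes the outstanding challenge, so a captured response cannot be replayed.
func (s *AuthServer) Logon(issuer, serial string, sig []byte) error {
	chal, ok := s.challenges[serial]
	if !ok {
		return errors.New("no outstanding challenge")
	}
	delete(s.challenges, serial)
	return s.Verify(issuer, serial, chal, sig)
}

// SigningDemo returns whether each step was accepted: logon, the same response
// replayed, a signed payment instruction, that instruction with the payee altered in
// transit, and a payment signed after the card is reported lost and revoked.
func SigningDemo() []bool {
	bank := &IssuingBank{Name: "BankA", issued: map[string]*ecdsa.PublicKey{}, revoked: map[string]bool{}}
	srv := &AuthServer{banks: map[string]*IssuingBank{bank.Name: bank}, challenges: map[string][]byte{}}
	card := bank.Issue("BankA-001", "2468") // constructed example data
	logonSig, _ := card.Sign("2468", srv.NewChallenge(card.Serial))
	pay := []byte("payer=Acme Payroll Ltd|payee=J Smith|pence=1250000|ref=SAL-0424")
	altered := []byte("payer=Acme Payroll Ltd|payee=Mule Account|pence=1250000|ref=SAL-0424")
	paySig, _ := card.Sign("2468", pay)
	r1 := srv.Logon(card.Issuer, card.Serial, logonSig) == nil
	r2 := srv.Logon(card.Issuer, card.Serial, logonSig) == nil
	r3 := srv.Verify(card.Issuer, card.Serial, pay, paySig) == nil
	r4 := srv.Verify(card.Issuer, card.Serial, altered, paySig) == nil
	bank.revoked[card.Serial] = true // cardholder reports the card lost
	lateSig, _ := card.Sign("2468", pay)
	r5 := srv.Verify(card.Issuer, card.Serial, pay, lateSig) == nil
	return []bool{r1, r2, r3, r4, r5}
}

func main() { fmt.Println(SigningDemo()) }
```

Two details carry the security argument: the server never takes the public key from anything the client sends, so a forged certificate presented alongside a signature is useless, and the challenge is deleted the moment it is answered, so a logon response captured on the wire cannot be replayed. In a real deployment the status query would be an OCSP-style call to the issuing bank rather than a map lookup.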

The advantages of a single, centralised authentication platform

The need for a single authentication platform was critical for BACS. An additional benefit of a single platform is that card issuers can manage all transaction channels in one place, dramatically improving ease of management. But the power of a single middle office authentication platform can only be realised if it is combined with a centralised identity management system. Together they allow a bank to provide the appropriate level of identity authentication on a flexible platform.

By doing so, banks reduce the cost of assigning each cardholder the level of authentication that its risk assessment requires. As the single platform can authenticate all trust schemes, the bank can apply whatever level of authentication it deems satisfactory under its risk management policies and, more importantly, change it as often as required with no cost implications for the authentication systems.

As well as the cost benefits, a single platform will also provide a range of other efficiency improvements. For example, it will become far easier for banks to maintain a secure audit trail of transactions. In addition, it could help in other new services that many banks are experimenting with at the moment. One such example is account aggregation, which allows individuals to manage all their various accounts through a single interface. This obviously involves the handling of multiple identities but this task would be simplified if done through a centralised identity management and authentication platform.

Authentication agility

In today's e-business world, banks need a flexible and dependable trust model. Crucially, the solution must be able to grow organically as the organisation grows and at the same time seamlessly embrace new transaction technologies and channels. The move towards two-factor authentication for e-transactions using smart cards is an important example of this.

The advantages of introducing such a scheme are clear in terms of increased security, reduction of fraud and boosting consumer confidence. However, to realise the full benefit, banks must be in a position where rolling out such a scheme for use with other transaction channels does not necessitate major back office upheaval. A single, middle office authentication platform is therefore a growing priority for card issuers not only in terms of instant cost and management benefits, but also for providing authentication agility for the future.

© Thales 2007