CSIL - PowerPoint PPT Presentation

Title: CSIL

Description: A global scientific and engineering software products and solutions provider ... So in colloquial terms, we can draw an analogy with a letter being sent in a ... – PowerPoint PPT presentation

Slides: 19
Provided by: cra74
Tags: csil | colloquial

Transcript and Presenter's Notes
1
A global scientific and engineering software
products and solutions provider
2

Risk mitigation for e-transactions: Cryptographic methods for fraud prevention
Rajeeva L Karandikar, EVP and Head, Analytics, Cranes Software International Limited
3
E-Commerce and Risk

As the volume of transactions over the internet, in the form of e-banking and e-commerce, increases, so does the risk associated with these transactions. There is a strong need for decision makers to understand the security provided by the solution chosen and the possible alternatives. Also, banks must launch campaigns to educate users on good practices.
4
Public Perception

Mr Trust is an avid user of the internet: he uses internet banking, and uses the power of the internet to pay his bills, buy airline and train tickets, order books, make hotel reservations and so on. Ms Skeptical asks Mr Trust whether he is not worried about giving his credit card number, ATM card number, PIN etc. on a web site, and whether he is not worried about someone using this to impersonate him. Mr Trust replies that secure transactions via the https protocol take care of all these issues, and he has no fear.
5
On SSL and https protocol

Let us examine what SSL and https are. The internet evolved as a means of communication between friends. Also, in the early days, computing power and communication bandwidth were limited. So the TCP/IP protocol used for most communications sends data over the wire as clear text, and an eavesdropper can easily recover all the information being sent. SSL and the https protocol ensure that an eavesdropper who has intercepted the transmission cannot recover the data being transmitted.
6
On SSL and https protocol

Thus SSL and the https protocol are a must for internet banking and e-commerce. They ensure that the data being transmitted cannot be read by an interceptor. SSL achieves this using a combination of public key cryptography and symmetric key cryptography. Key generation and encryption all happen in the background, and the user is blissfully unaware of it. So in colloquial terms, we can draw an analogy with a letter being sent in a sealed envelope kept inside a locked briefcase, where only the intended recipient has the key to the lock.
7
On SSL and https protocol

What if someone fraudulently launches a website with a URL like www.icicibank.net or www.icici-bank.com? He or she can make the website look exactly like the real icicibank website and may lure users into giving their credit card / debit card numbers and other information. SSL gives protection against this as well: it authenticates the web site as belonging to the claimed entity. This is done via an SSL certificate. The vendor's web site has a certificate giving its identity. Certificates are digitally signed by trusted third parties such as VeriSign. If a site does not have a correct certificate, your browser will give a warning (which people often ignore!).
8
On SSL and https protocol

Thus SSL ensures that the information being sent cannot be read by an interceptor, and it also ensures that the web site where the user is planning to enter sensitive information actually belongs to the claimed vendor/entity. But this is all that SSL promises to do. An additional feature that most browsers have is that information entered on secure pages is not stored in the cache.
9
On SSL and https protocol

But this is far from the total security that Mr Trust believes SSL and the https protocol guarantee him. Indeed, someone could be running software on his PC that traps every keystroke he makes, making it possible to recover his debit card / credit card numbers along with the PIN. Such software can be downloaded from the internet or written. In fact, there is software that allows keystroke monitoring/recording across an entire local area network of machines running the Windows OS.
10
What happens at the other end

So let us assume that Mr Trust is working on his own laptop running Unix/Linux, is assured that no one can trap his keystrokes, and that SSL has ensured that no one can intercept his credit card / debit card number while it is transmitted. He has explained this to Ms Skeptical who, by her nature, is not convinced but has no counter-argument. On 27th June 2006, Mr Trust gets a call from Ms Skeptical drawing his attention to the BPO scam that hit the news that day, with some employee at a BPO getting hold of credit card / debit card numbers at one of the banks in India.
11
What happens at the other end

Mr Trust is shaken. He now realizes that while the information about his numbers is encrypted while it is transmitted, it is decrypted at the other end and compared with the information stored in the bank's computer before he is given authorization (for a purchase or a transfer of funds). So an employee who has access to this process can steal his identity and use it for fraudulent transactions. This is what happened in the case reported in the press.
12
What is the way out?

Or, is there a way out? A bank may set up its processes in such a way that very few employees have access to the master data on credit card / debit card numbers, and thereby minimize the risk.
13
Two factor authentication

Some banks in India have recently introduced a system where customers are given a token that looks like a key chain and keeps displaying numbers that change every minute in what appears to be a random fashion. A customer is required to enter the number shown on the token on the web site, in addition to the password or PIN. The system at the bank can generate the exact number shown on the customer's device and thus provides an additional layer of identification. The two systems, the one where the bank stores credit / debit card numbers and the one which generates the token numbers, could be isolated with different sets of people having access to them, thereby reducing the chance of fraud being committed.
14
Two factor authentication

This can be improved: when a customer attempts to log in, he is sent a challenge (say a system-generated random number), which the customer keys into his token. The token then computes a function of the challenge and his secret, typically a (keyed) hash function, and the output is sent to the bank. The secret is also stored in the bank's system, which can verify the correctness of the output sent. Such protocols are classified as challenge-response authentication protocols.
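The two token schemes on slides 13 and 14, as an added example that is not part of the original presentation: the time-based "key chain" number is built with the standard HOTP/TOTP construction (HMAC over a time counter, truncated to six digits, with the 60-second window the slides describe), and the challenge-response variant is a keyed hash of a fresh random challenge. The shared secret is a constructed value (the ASCII string "12345678901234567890", which is also the test secret of RFC 4226); the function names and the one-window drift tolerance are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed shared secret for this example (it is the RFC 4226 test secret).
# A real token has its own secret burned in at manufacture, and the bank keeps a
# copy in a separate, tightly controlled system, as the slides suggest.
TOKEN_SECRET = b"12345678901234567890"
TIME_STEP = 60  # seconds; the slides describe a number that changes every minute


def time_based_code(secret: bytes, unix_time: float, step: int = TIME_STEP, digits: int = 6) -> str:
    """Number shown on the key-chain token: a keyed hash of the current time window.

    HOTP/TOTP construction: HMAC-SHA1 over the window counter, then 'dynamic
    truncation' to a few decimal digits. Both sides can compute it; nobody
    without the secret can predict the next one.
    """
    counter = int(unix_time // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def bank_verify_time_code(secret: bytes, submitted: str, unix_time: float, drift: int = 1) -> bool:
    """Bank side: regenerate the code for the current window and its neighbours
    (to tolerate clock drift between token and server) and compare in constant time."""
    for k in range(-drift, drift + 1):
        expected = time_based_code(secret, unix_time + k * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Challenge-response variant (slide 14): the bank sends a fresh random challenge,
# the token answers with a keyed hash of it, and only a holder of the secret can.

def bank_issue_challenge() -> str:
    """Unpredictable, single-use challenge. The bank must never accept the same
    challenge twice, otherwise a recorded response could be replayed."""
    return secrets.token_hex(16)


def token_respond(secret: bytes, challenge: str) -> str:
    """The token computes HMAC-SHA256(secret, challenge); the secret never leaves it."""
    return hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).hexdigest()


def bank_verify_response(secret: bytes, challenge: str, response: str) -> bool:
    """The bank holds the same secret, recomputes the expected answer and compares
    in constant time (a plain == comparison would leak timing information)."""
    return hmac.compare_digest(token_respond(secret, challenge), response)


if __name__ == "__main__":
    now = time.time()
    shown = time_based_code(TOKEN_SECRET, now)
    print("token displays", shown, "-> accepted:", bank_verify_time_code(TOKEN_SECRET, shown, now))
    print("same code ten minutes later:", bank_verify_time_code(TOKEN_SECRET, shown, now + 10 * TIME_STEP))
    challenge = bank_issue_challenge()
    answer = token_respond(TOKEN_SECRET, challenge)
    print("challenge", challenge, "-> accepted:", bank_verify_response(TOKEN_SECRET, challenge, answer))
```

With the RFC 4226 secret and a 60-second window, the code for any time between 0 and 59 seconds is 755224 and for 60 to 119 seconds is 287082, matching the published HOTP vectors for counters 0 and 1. The important bank-side details are the constant-time comparison, the narrow drift window, and, for the challenge-response form, never reusing a challenge.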
15
Zero-Knowledge proof protocols

Zero-knowledge proof is an interesting concept. The most important aspect here is that the bank (or verifier) does not store the password but only a one-way function of the password. The verifier sends a random challenge, and the prover computes a certain quantity based on the challenge and the secret and sends this to the verifier. The verifier is able to verify this without knowing the true secret. Like RSA, the security of ZK protocols typically depends on the computational complexity of some mathematical operations.
16
Zero-Knowledge proof protocols

Well-known examples of ZK protocols that do not need much computing power for the prover (and hence could be embedded in smart cards) are Feige-Fiat-Shamir, Guillou-Quisquater, and Schnorr. Perhaps when the banking industry moves to credit cards / debit cards with embedded smart cards instead of the magnetic strip used now, ZK protocols can be used extensively for authentication, reducing the incidence of fraud.
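The Schnorr identification protocol named above, worked through as an added example that is not part of the original presentation. It shows exactly the property slides 15 and 16 describe: the bank enrols only y = G^x mod P (a one-way function of the secret x), then checks a response to a random challenge without ever learning x. The group parameters P, Q, G are constructed toy values, far too small for real use, and the function names are this example's own.

```python
import secrets
from typing import Tuple

# Toy public parameters, constructed for this example: P is prime, Q is a prime
# dividing P - 1, and G = 2^2 mod P generates the subgroup of order Q.
P = 2039
Q = 1019
G = 4


def enroll(secret_x: int) -> int:
    """Enrolment: the verifier (bank) stores only y = G^x mod P. The secret x
    stays on the prover's device (e.g. a smart card)."""
    return pow(G, secret_x, P)


def prover_commit() -> Tuple[int, int]:
    """Step 1: prover picks a fresh random r and sends the commitment t = G^r."""
    r = secrets.randbelow(Q - 1) + 1
    return r, pow(G, r, P)


def verifier_challenge() -> int:
    """Step 2: verifier sends a random challenge c in [1, Q-1], chosen only
    after it has received t."""
    return secrets.randbelow(Q - 1) + 1


def prover_respond(r: int, c: int, secret_x: int) -> int:
    """Step 3: prover answers s = r + c*x mod Q. Because r is uniform and used
    once, s is uniform too and reveals nothing about x. Reusing r for two
    different challenges would let the verifier solve for x, so r must be fresh."""
    return (r + c * secret_x) % Q


def verifier_check(t: int, c: int, s: int, y: int) -> bool:
    """Step 4: verifier checks G^s == t * y^c mod P using only the stored y.
    It holds because G^(r + c*x) = G^r * (G^x)^c."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_identification(secret_x: int, stored_y: int) -> bool:
    """One complete round between a prover holding secret_x and a bank holding stored_y."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(r, c, secret_x)
    return verifier_check(t, c, s, stored_y)


def simulate_transcript(y: int) -> Tuple[int, int, int]:
    """Why it is zero-knowledge: from y alone, anyone can produce an accepting
    (t, c, s) by choosing c and s first and solving t = G^s * y^(-c). Since such
    transcripts are indistinguishable from real ones, a transcript cannot leak x.
    A live verifier is not fooled because it picks c only after seeing t."""
    c = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P  # y^(Q-c) == y^(-c) as y has order Q
    return t, c, s


if __name__ == "__main__":
    x = 123  # constructed secret held by the card
    y = enroll(x)
    print("genuine prover accepted:", run_identification(x, y))
    print("prover with wrong secret accepted:", run_identification(x + 1, y))
    t, c, s = simulate_transcript(y)
    print("simulated transcript verifies:", verifier_check(t, c, s, y))
```

The prover's work is one modular exponentiation plus one multiplication, which is why the slide notes that these protocols suit smart cards. A wrong secret fails every round because the challenge is never zero modulo Q, so G^s and t*y^c can only agree when the exponents agree.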
17
Digital Signature

Most of these problems can be addressed by using digital signatures. The Indian IT Act of 2000 declares RSA-based signatures to be on par with paper signatures (for almost all transactions). Then each payment by credit card can be authorized by signing the appropriate electronic document using a digital signature. The difficulty is having a hardware device capable of digitally signing a given document (file). Perhaps, with the growing popularity of mobile phones, the answer lies in using mobile phones to digitally sign payments.
18
Digital Signature

Indeed, higher-end mobile phones have these capabilities. Using them, the need to give one's credit card number over the net can be eliminated: the internet is used to generate a transaction number, and the user sends a digitally signed SMS to the bank authorizing the payment. The bank can then send the vendor a digitally signed SMS promising payment. This can also be used for point-of-sale transactions, eliminating the need to exchange credit card numbers altogether.
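The signed payment authorization of slides 17 and 18, as an added example that is not part of the original presentation and not any bank's or phone vendor's code. It generates an RSA key pair from scratch (Miller-Rabin primes, e = 65537), hashes the transaction document with SHA-256 and signs the hash, and shows that changing the amount after signing makes verification fail. The padding is a simplified PKCS#1 v1.5 layout with the DigestInfo header omitted, a stated simplification of this example; the transaction fields, function names and 1024-bit key size are constructed assumptions, and a production system would use a vetted library with full PKCS#1 v1.5 or RSASSA-PSS.

```python
import hashlib
import secrets
from typing import Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; 32 random bases leave an error probability below 4**-32."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd candidate with the top bit set, retried until it passes the test."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def modular_inverse(a: int, m: int) -> int:
    """Extended Euclid: a^-1 mod m, for coprime a and m."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("not invertible")
    return old_s % m


def generate_keypair(bits: int = 1024) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Returns (public (e, n), private (d, n)). The private half would live on the
    customer's phone or card and never be sent anywhere."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (e, p * q), (modular_inverse(e, phi), p * q)


def encode_digest(document: bytes, n: int) -> int:
    """Hash-then-sign: SHA-256 of the document in a fixed block 00 01 FF..FF 00 <digest>
    the size of the modulus. The leading zero byte keeps the value below n."""
    digest = hashlib.sha256(document).digest()
    size = (n.bit_length() + 7) // 8
    padding = b"\xff" * (size - len(digest) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + digest, "big")


def sign(document: bytes, private_key: Tuple[int, int]) -> int:
    d, n = private_key
    return pow(encode_digest(document, n), d, n)


def verify(document: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Bank side: recover the padded digest with the public key and compare it with
    a freshly computed encoding of the document it received."""
    e, n = public_key
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == encode_digest(document, n)


def payment_document(transaction_number: str, amount: str, currency: str, payee: str) -> bytes:
    """Canonical encoding of what the customer authorizes. Every field is covered by
    the signature, so none can be altered after signing."""
    return f"txn={transaction_number}&amount={amount}&currency={currency}&payee={payee}".encode()


if __name__ == "__main__":
    public_key, private_key = generate_keypair()
    doc = payment_document("TXN-0001", "1500.00", "INR", "Example Bookshop")  # constructed values
    sig = sign(doc, private_key)
    print("bank accepts signed authorization:", verify(doc, sig, public_key))
    tampered = payment_document("TXN-0001", "15000.00", "INR", "Example Bookshop")
    print("altered amount accepted:", verify(tampered, sig, public_key))
```

In the flow the slides describe, the phone signs the transaction number and amount, the bank verifies against the customer's enrolled public key, and no card number ever crosses the network: what is transmitted is useless to an interceptor or an insider, because a signature on one document cannot be reused on another.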