[144900] in cryptography@c2.net mail archive
Interesting way of protecting credit card data on untrusted hosts
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Mon Sep 28 19:39:55 2009
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: cryptography@metzdowd.com
Date: Sun, 27 Sep 2009 15:03:00 +1300
A Canadian company called SmartSwipe has come up with an interesting way to
protect credit card numbers from most man-in-the-browser attacks. What they
do is install a Windows CSP (cryptographic service provider) that acts as a
proxy to an external mag-stripe reader with built-in crypto processing, so the
CSP on the host PC does nothing more than forward data to be encrypted out to
the external device. There's also a browser plug-in that pre-populates the
credit-card field in web forms with a cookie. When the page is sent to the
CSP for encryption for SSL, the software running on the reader recognises the
cookie in the web-form content, reads the card data via the mag-stripe reader,
inserts it into the web-form field, and returns the encrypted result to the
host PC to forward to the remote server. As a result, the CC data is never
present on the host PC.
The downsides are obvious: not secure against phishing (which is a killer),
only works with MSIE because of the requirement for use of a CSP (although you
could do it with Firefox as well by creating a PKCS #11 soft-token), and not
secure against page-rewrite trojans which have the web page show one thing and
do another, but it's an interesting concept. You can find a description of
the technology under the name Dynamic SSL(tm)(c)(p), a start point is:
http://www.smartswipe.ca/en/dynamic-ssl/600-dynamic-ssl-a-practical-solution-for-endpoint-to-endpoint-encryption
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
