CREDITSEC - Next Generation Credit Card Security


Published on

This is my presentation at PhreakNIC15 on my independent research project called as "CREDITSEC - Next generation credit card security" - a revolutionizing credit card security technology

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

CREDITSEC - Next Generation Credit Card Security

  1. 1. CREDIT SEC – Next Generation Credit Card Security Rahul Tyagi Master of Science ( Information Security) Johns Hopkins University - Information Security Institute [email_address] [email_address] Cell :- 443-813-7577
  2. 2. About Me ….. <ul><li>Master of Science student at Johns Hopkins University - Information Security Institute . </li></ul><ul><li>( ) </li></ul><ul><li>Independent Information Security Researcher. </li></ul><ul><li>Likes to make new and simple security mechanisms. </li></ul>
  3. 3. Disclaimer <ul><li>Not a Cyrpto Professional </li></ul><ul><li>Not a genius Mathematician </li></ul><ul><li>“ The Only” person working on the project . </li></ul><ul><li>Mainly aimed at securing credit card numbers at the database level . </li></ul>
  4. 4. Introduction <ul><li>Each time we enter our credit card number information in open form or the other be it online shopping website or be it Point of Sale Terminals the credit card processor performs a series of security checks based on the information that these credit card number gives away . </li></ul><ul><li>The problem with the credit card number is that these credit card numbers are not “randomly” assigned each of the individual digits in the credit card number has its own meaning . </li></ul>
  5. 5. Anatomy of Credit Card Numbers
  6. 6. A bit more about the Credit Card Numbers <ul><li>Issuer Identifier </li></ul><ul><li>The  first 6 digits  -- issuer identifier. Total number of possible issuers is a million (10 raised to the sixth power, or 1,000,000). </li></ul><ul><li>Account Number </li></ul><ul><li>Digits 7 to (n - 1)  of your credit card number are your individual account identifier. </li></ul><ul><li>Maximum length of a credit card number is 19 digits. </li></ul><ul><li>Initial 6 digits of a credit card number are the issuer identifier, and the final digit is the check digit, this means that the maximum length of the account number field is 19 - 7, or 12 digits . Each issuer therefore has a trillion (10 raised to the 12th power, or 1,000,000,000,000) possible account numbers. </li></ul><ul><li>The 9 digit account number will yield 1 billion combinations; so the chances of getting a working credit card number are very remote. </li></ul>
  7. 7. The Prevalence of Credit Card Number and E – commerce <ul><li>US Retail E-Commerce Sales, 2007-2012  </li></ul><ul><li>127.7 billion (2007), 146.0 billion (2008), 164.3 billion (2009), 182.5 billion (2010), 200.6 billion (2011), 218.4 billion (2012) </li></ul><ul><li>US B2C E-Commerce Sales, 2007-2012  </li></ul><ul><li>221.5 billion (2007), 251.1 billion (2008), 280.3 billion (2009), 311.3 billion (2010), 345.5 billion (2011), 380.8 billion (2012) </li></ul>
  8. 8. Alarming Situation …… <ul><li>Hackers on the Rise </li></ul><ul><li>  </li></ul><ul><li>82,094 reported instances in 2002 </li></ul><ul><li>- 52,658 in 2001 and 21,756 in 2000 </li></ul><ul><li>- 55% increase --- So Many go Unreported . </li></ul><ul><li>( CERT, 2003 ) </li></ul><ul><li>Symantec Reported 689 attacks on Financial Institutions </li></ul><ul><li>- 48 % of those attacks were severe </li></ul><ul><li>( Symantec, 2003 ) </li></ul><ul><li>  </li></ul><ul><li>Symantec Reports 616 attacks on e – commerce merchants </li></ul><ul><li>19% of these attacks were severe </li></ul><ul><li>(Symantec, 2003 ) </li></ul>
  9. 9. <ul><li>Over 100,000 identities are stolen every year in the U.S. (Source: Celent Communications) </li></ul><ul><li>Rising at a CAGR of 20.7% from 2002 – 2006 (Source: Celent Communications) </li></ul><ul><ul><li>Over the past 5 years identity fraud has cost close to $2 billion USD. (Source : Celent communications) </li></ul></ul>
  10. 10. Few recent Examples…..
  11. 11. How do we secure the Credit Card Numbers Today <ul><li>The Payment Card Industry – Data Security Standard is the de facto standard followed by the credit card industry for ensuring the security of the credit card both while processing and stored . </li></ul><ul><li>PAYMENT CARD INDUSTRY DATA SECURITY STANDARD </li></ul><ul><li>  </li></ul><ul><li>PCI DSS Requirement 3.4 – </li></ul><ul><li>“ Render [credit card numbers], at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, in logs, and data received from or stored by wireless networks) by using any of the following approaches :- </li></ul><ul><li>Strong one-way hash functions (hashed indexes) </li></ul><ul><li>Truncation </li></ul><ul><li>Index tokens and pads (pads must be securely stored) </li></ul><ul><li>Strong cryptography with associated key management processes and procedures </li></ul>
  12. 12. Typical Security Threats
  13. 13.
  14. 14. How do we make it impossible for Bad Guys ….. ? <ul><li>Let’s make it Hard …. A Key with a Lock </li></ul>
  15. 15. Little Bit of Introduction … About CREDITSEC …. <ul><li>Credit Card Security is the Next Generation Credit Card Security mechanism that aims at revolutionizing the Credit Card Industry. </li></ul><ul><li>Stores the credit card numbers in an human unreadable form making it impossible for the attackers and hackers to get the credit card numbers even if the database is compromised . </li></ul><ul><li>The basic principle does not uses any sort of encryption or decryption or any other mechanism to store the credit card numbers in the database in human unreadable form . </li></ul><ul><li>The security mechanism does not uses any sort of encryption keys or hidden values to get the human unreadable output that would be stored in the database . </li></ul>
  16. 16. Underlying Principle …. <ul><li>7 – segment Display </li></ul>
  17. 17. How it Works ….
  18. 18. CREDITSEC – The Working …. Database ( CREDITSEC ) Input - Credit Card Customer CREDITSEC – Algorithm Comparison Server - Side Client - Side
  19. 19. A Bit about the Algorithm … <ul><li>Input :- </li></ul><ul><li>Credit Card Number </li></ul><ul><li>Individual Digits of Credit Card Number </li></ul><ul><li>Meta Data associated with the CC Number </li></ul><ul><li>Output :- </li></ul><ul><li>Human Unreadable </li></ul><ul><li>One – Way Hash function </li></ul><ul><li>Stored in database without need for encrypting it or storing Cryptographic Keys </li></ul>
  20. 20. A little Deep Inside…. One of the Factors on which it generates a Unique Output Image each Time
  21. 21. One Way Hash …. <ul><li>A  cryptographic hash function  is a  deterministic procedure  that takes an arbitrary block of data and returns a fixed-size bit string, the ( cryptographic )  hash value , such that an accidental or intentional change to the data will change the hash value. </li></ul><ul><li>The data to be encoded is often called the &quot;message,&quot; and the hash value is sometimes called the  message digest  or simply  digest. </li></ul><ul><li>The ideal cryptographic hash function has four main or significant properties: </li></ul><ul><li>it is infeasible to generate a message that has a given hash </li></ul><ul><li>it is infeasible to modify a message without changing the hash </li></ul><ul><li>it is infeasible to find two different messages with the same hash </li></ul>
  22. 22. <ul><li>Most cryptographic hash functions are designed to take a string of any length as input and produce a fixed-length hash value. </li></ul><ul><li>A cryptographic hash function must be able to withstand all known types of cryptanalytic attack. As a minimum, it must have the following properties: </li></ul><ul><li>Preimage resistance Given a hash  it should be difficult to find any message   . This concept is related to that of one-way function. Functions that lack this property are vulnerable to preimage attacks. </li></ul><ul><li>Second-preimage resistance Given an input  it should be difficult to find another input   . This property is sometimes referred to as  weak collision resistance,  and functions that lack this property are vulnerable to second-preimage attacks. </li></ul><ul><li>Collision resistance It should be difficult to find two different messages . Such a pair is called a cryptographic hash collision. This property is sometimes referred to as  strong collision resistance.  It requires a hash value at least twice as long as that required for preimage-resistance, otherwise collisions may be found by a birthday attack. </li></ul>
  23. 23. The Comparison … Between One – Way Hash and CREDITSEC Output
  24. 24. The Security Model of CREDITSEC ….. <ul><li>Does not involve any sort of Encryption or Decryption . </li></ul><ul><li>Algorithm does not require encryption keys, which eliminates the need for “even” storing the keys . ( NO ENCRYPTION KEYS Required ) . </li></ul><ul><li>The Output stored in the Database which is human unreadable, making it impossible for the bad guys even if the database is compromised . </li></ul><ul><li>Even for the same Input the of Credit Card Number the output generated is “different” each time, making it impossible for bad guys ( hackers) to attack it or reverse engineer it . </li></ul>
  25. 25. Progress so far …. <ul><li>Not as mature ….. </li></ul><ul><li>Completely Novel Idea . </li></ul><ul><li>Need to Work “little bit” more on the CREDITSEC Algorithm </li></ul><ul><li>Not Foolproof as of Now ….. Trying to make it Foolproof … </li></ul>
  26. 26. <ul><li>References </li></ul><ul><li> </li></ul><ul><li> </li></ul>
  27. 27. Special Thanks … <ul><li>Dr. Gerald Mason </li></ul><ul><li>( Director – Information Security Institute ) </li></ul><ul><li>Deborah Higgins ( Academic Co-ordinator ) </li></ul><ul><li>Laura Graham </li></ul>