Securing Online Card Transactions

Is 3D Secure really safe? Not really! Here is a look at an innovative solution to prevent online transaction frauds relating to credit and debit cards


  1. Securing Online Credit Card Transactions: REL-ID Authentication Services
  2. Contents
     • Context
     • Why does credit card fraud happen?
     • How to fix it?
     • Rel-ID Credit Card Authentication Service
     • How does it work?
     • Security Flaws in 3D Secure
     • 3D Secure and TruCard
     • Payment Model
     • Advantages of the service
     • About Uniken
  3. Context
     • The final liability for the damage in case of a fraudulent credit card transaction lies with the end customer or sometimes with the issuing bank
     • Customers are not aware that their credit card data can be easily stolen and reused
     • The basic flaw in the current system is that customers cannot authenticate and verify the transaction before it is approved by the issuing bank
     • Uniken is offering its REL-ID CARD AUTHENTICATION SERVICE to the card issuing banks in a SaaS model to secure online credit card transactions.
  4. Why does credit card fraud happen?
     • Let's first understand how a credit card transaction is processed
     • Authorization Process
       1. The customer, after selecting the mode of payment, provides the credit card details to the website, which submits them to the payment gateway
       2. The payment gateway submits them to the merchant bank's processor (acquiring bank)
       3. The merchant bank submits them to the credit card network
       4. The credit card network submits them to the issuing bank, which checks the validity and credit limit and approves/disapproves the transaction
       5. The credit card network relays this decision to the merchant bank's processor, which sends it to the payment gateway and finally to the merchant's website, based on which the merchant decides to process the sale
     • Settlement Process
       1. The issuing bank then pays the credit card network
       2. The credit card network pays the merchant bank
       3. The merchant bank then deposits this amount in the merchant's account
  5. Why does credit card fraud happen?
     • The fraud happens because none of the entities in the entire authorization process authenticates the individual providing the credit card details
     • Mere knowledge of the credit card data is deemed good enough to "believe" that he/she is indeed the authentic credit card holder
     • There are a few solutions available that attempt to solve this by asking for a password or PIN in addition to the credit card data; however, fraudsters set up phished merchant websites to get access to this additional information as well, along with the credit card details (if they are already stealing credit card data by phishing the website, they can just as well get the login/password data!)
     • Once the customer comes to know that his credit card has been fraudulently used, he/she disputes it with the issuing bank, which then investigates the case; most of the time the customer is made to bear the impact, as the issuing bank only checks whether the appropriate process was followed by the merchant before issuing the goods. Even if the issuing bank takes the liability, the cost is then distributed across all its customers
  6. How to fix this fraud?
     The only way to fix this fraud is to ensure that the credit card owner (customer) is made to authenticate and verify the transaction (over a secure channel) with the issuing bank just before it approves and authorizes the transaction
  7. Fundamental limitations of 3D Secure
     • In the 3D Secure protocol the credit card holder is authenticated before the transaction is submitted by the merchant's website to the Visa/Mastercard network, and not when the transaction is being approved/authorized by the issuing bank
     • The customer cannot authenticate the website where she is submitting the login/password information, and the "personal message" based authentication of the website is vulnerable to MITM and MITB attacks
     • Merchant website authentication is not possible, hence customers can still lose the credit card data
     • It is mandatory for the merchants to integrate their website with the 3D Secure solution (they need to install an MPI and pay substantial fees to the solution provider)
  8. REL-ID Credit Card Authentication Service
     • The REL-ID Credit Card Authentication server will seamlessly integrate with the issuing bank's transaction and card authorization system
     • The TruCard software will be freely distributed to the customer
     • The issuing banks can avail this service with zero investment in infrastructure
     • If the issuing bank has implemented 3D Secure then TruCard works seamlessly with the 3D Secure solution; TruCard ensures that the login/password information is protected from MITM and MITB attacks
     • If they have not implemented the 3D Secure solution then TruCard will ask for a PIN to turn itself ON and authenticate the customer
     • The TruCard solution has absolutely NO dependence on the merchants or on the type of card network (Visa/Mastercard)
     • The TruCard solution does not require any credit card data of the customer
     • The integration of this service into their authorization process will be free
     • They can disable this service at any point in time with just a 60 day notice, with no impact on user experience
  9. How will this work? (Without 3D Secure)
     Activation of TruCard
     • The issuing bank will notify its customers to download and install the TruCard software on their personal computers
     • The customer will go to the issuing bank's website to register for the service; on successful registration the issuing bank will create a customer ID and provide the customer with a link to download the TruCard software
     • The TruCard software, on installation, will prompt the customer to set up the PIN for the software, and will ask for the activation code that was sent to the customer's mobile phone or email account during registration on the issuing bank's website.
     Online Transaction
     • The customer goes to the merchant's website and provides credit card information for the purchase
     • The issuing bank's card authorization system, on receiving any request for authorization from the credit card network, will send the transaction details along with the customer ID (created during registration) to the REL-ID card authentication server
     • The REL-ID Card Authentication server will send the information to the customer's TruCard
     • The TruCard will authenticate the customer by requesting the PIN; if the TruCard has been configured to Auto-ON mode then the customer will directly verify the transaction and approve it
     • The issuing bank, after receiving an OK from the REL-ID Card Authentication Server, will approve the transaction to the credit card network
  10. User Experience: TruCard Activation
  11. User Experience: Online Purchase (without 3D Secure)
  12. User Experience: Online Purchase (without 3D Secure)
  13. User Experience: Online Purchase (without 3D Secure). Payment Successful!
  14. How will this work? (With 3D Secure)
     Activation of TruCard
     • The issuing bank will notify its customers to download and install the TruCard software on their personal computers
     • The customer will go to the issuing bank's website to register for the service; on successful registration the issuing bank will create a customer ID and provide the customer with a link to download the TruCard software
     • The TruCard software, on installation, will prompt the customer to set up the PIN for the software, and will ask for the activation code that was sent to the customer's mobile phone or email account during registration on the issuing bank's website.
     • The TruCard will display a personal message (set during registration) to ensure the authenticity of the software
     • Once registered, the customer can install the software on as many computers as she wants, directly from the website
     Online Transaction
     • The customer goes to the merchant's website and provides credit card information for the purchase
     • The issuing bank's card authorization system, on receiving any request for authorization from the merchant plug-in, will request the 3D Secure credentials, along with the customer ID and personal message, from the REL-ID card authentication server
     • The REL-ID Card Authentication server will send the information to the customer's TruCard
     • The TruCard will accept the customer's 3D Secure credentials and pass them on to the 3D Secure ACS
     • The 3D Secure ACS will authenticate and redirect to the merchant website for it to submit the transaction
     Optional (Transaction Verification)
     • If the TruCard has been configured to Auto-ON mode then the customer can further verify the transaction and approve it
     • The issuing bank, after receiving an OK from the REL-ID Card Authentication Server, will approve the transaction to the credit card network
  15. User Experience: Online Purchase (without 3D Secure)
  16. User Experience: Online Purchase (without 3D Secure)
  17. User Experience: Online Purchase (without 3D Secure). Payment Successful!
  18. Solution Architecture (without 3D Secure) [diagram: steps 1 to 6 of the normal payment authorization flow; user verifies & approves the transaction]
  19. Solution Architecture (with 3D Secure) [diagram: steps 1 to 7 of the normal payment authorization flow with MPI and ACS; user verifies & approves the transaction]
  20. 3D Secure and TruCard: Why do we need TruCard?
     1. 3D Secure: cannot protect from phishing and MITM attacks; it is very easy to steal the 3D Secure login/password information.
        TruCard: protects from phishing and MITM due to the RMAK mutual authentication protocol.
     2. 3D Secure: mandates the merchant to participate in 3D Secure to make it work.
        TruCard: DOES NOT require the merchant to participate in the solution and is completely independent of merchants.
     3. 3D Secure: the transaction data shown to the customer during authentication is as submitted by the customer to the merchant, and not what was submitted by the merchant for authorization (the customer may think she is approving USD 200 while the actual transaction submitted to the card network could be USD 210).
        TruCard: the transaction data shown to the customer for verification is the same that the bank has received for authorization from the credit card network.
     4. 3D Secure: requires the customer to authenticate every time they do an online transaction.
        TruCard: does not require the customer to authenticate every time; the customer authenticates only once to turn it ON (optionally it can be turned ON automatically, without asking for the PIN every time).
     5. 3D Secure: requires PKI (digital certificates), making it extremely costly to implement and maintain.
        TruCard: does not require PKI; it is based on the RMAK protocol (which provides encryption and mutual authentication).
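As an added example (not Uniken's code), a Python simulation of the verification step described on slides 9 and 20: the issuer hands the transaction it received from the card network to a simulated REL-ID server, which routes it to the customer's PIN-gated agent, and approval is withheld when the amount the bank received differs from what the customer intended (the USD 200 versus USD 210 case). The class names, the HMAC binding of the verdict to the transaction, and all sample values are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthRequest:  # transaction as the issuer receives it from the card network
    customer_id: str
    merchant: str
    amount_cents: int
    currency: str
    def wire(self) -> bytes:
        return f"{self.customer_id}|{self.merchant}|{self.amount_cents}|{self.currency}".encode()

class TruCardAgent:
    """Simulated customer-side agent: PIN-gated, holds a device key enrolled at registration."""
    def __init__(self, pin: str, device_key: bytes, auto_on: bool = False):
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._key = device_key
        self.unlocked = auto_on  # Auto-ON mode: no PIN prompt per transaction
    def unlock(self, pin: str) -> bool:
        self.unlocked = hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), self._pin_hash)
        return self.unlocked
    def verify(self, req: AuthRequest, intended_cents: int, intended_merchant: str):
        """Customer compares the bank-received transaction with what she meant to pay."""
        if not self.unlocked:
            verdict = "LOCKED"
        elif req.amount_cents == intended_cents and req.merchant == intended_merchant:
            verdict = "OK"
        else:
            verdict = "DECLINE"  # e.g. merchant submitted USD 210 for a USD 200 purchase
        # the MAC binds the verdict to exactly the transaction the issuer received
        mac = hmac.new(self._key, req.wire() + b"|" + verdict.encode(), hashlib.sha256).hexdigest()
        return verdict, mac

class RelIdServer:  # simulated REL-ID server: routes by customer ID, validates the MAC
    def __init__(self):
        self._agents = {}  # customer_id -> (agent, device_key)
    def enroll(self, customer_id: str, agent: TruCardAgent, device_key: bytes) -> None:
        self._agents[customer_id] = (agent, device_key)
    def customer_ok(self, req: AuthRequest, intended_cents: int, intended_merchant: str) -> bool:
        if req.customer_id not in self._agents:
            return False  # unregistered customer: no out-of-band verification possible
        agent, key = self._agents[req.customer_id]
        verdict, mac = agent.verify(req, intended_cents, intended_merchant)
        expected = hmac.new(key, req.wire() + b"|" + verdict.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected) and verdict == "OK"

def issuer_authorize(server: RelIdServer, req: AuthRequest, intended_cents: int, intended_merchant: str) -> str:
    """Issuer hook: approve to the network only after the customer's signed OK."""
    return "APPROVED" if server.customer_ok(req, intended_cents, intended_merchant) else "DECLINED"
```

In the real deployment the customer reads the transaction off the TruCard screen; here the intended amount and merchant are passed in explicitly so the comparison can be exercised offline.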
  21. 3D Secure and TruCard
     • We have already implemented 3D Secure; now what?
       – TruCard seamlessly integrates with 3D Secure
       – The user experience does not change at all, and it fixes all the flaws in the 3D Secure solution
       – Instead of showing a web page to capture the 3D Secure login/password information (which is prone to phishing and MITM attacks), TruCard will accept the 3D Secure login/password and send it to the issuer's authentication server
       – TruCard will eliminate MITM and phishing attacks completely
       – TruCard provides transaction verification, a transaction log and, more importantly, credit card statements on demand
  22. SMS based solutions and their limitations
     • SMS cannot ensure confirmation of delivery of the message, let alone in real time, and the customer may end up doing the transaction again and again
     • SMS is not a secure channel, as the transaction information is sent over an unencrypted SMS channel
     • There are simple attacks available to change the mobile number of the credit card owner (due to flaws in the mobile number registration process).
  23. TruCard SaaS Model
     • The issuing bank will NOT be charged anything for integrating the REL-ID Card Authentication Server with their credit card authorization and approval system
     • The customer will NOT be charged anything for downloading and installing the TruCard software
     • The issuing bank will be charged a fixed % of the transaction amount for every transaction verification and authentication done by the customer, or based on a monthly rental model
     • The issuing bank will be billed on a monthly basis
  24. Advantages of the REL-ID TruCard Authentication Solution
     • TruCard is a software agent that is very easy to download and install
     • The customer has to register for this service with the bank, and the REL-ID authentication service does not retain any credit card details
     • The customer has to authenticate to TruCard using a password/PIN to turn it ON (it can optionally be turned ON automatically by remembering the credentials)
     • TruCard communicates with the REL-ID Card Authentication Server over a mutually authenticated encrypted channel (all authentication/approval data is sent over this channel)
     • There are no upfront costs to the issuing bank, as they do not have to invest anything to enable this service
  25. About Uniken
  26. Uniken Introduction
     UNIKEN is a technology innovation and product engineering firm that works closely with its customers to provide high quality products that meet their business automation and cutting edge technology needs. We specialize in taking our in-house innovations from concept through to production through patented product engineering design methodologies. Our staff includes 50+ product designers and engineers, technologists and researchers with backgrounds in computer science, software technology, embedded systems and professional services. As a company we invest in technology innovation, product design and product engineering. Headquartered in Tampa, FL, US, with offices in the US and India, we have an R&D and Product Engineering Center in India.
  27. What does Uniken do? [diagram labels: Market Analysis and Problem Specifications, Technology R&D, Business Requirements, Product Engineering, Customers, Product Delivery]
     • UNIKEN Technology R&D Center
       – Concept innovation and rapid prototyping
       – Conducts research in: Information Security, Pattern Recognition, Embedded Systems, Performance Modeling
     • UNIKEN Product Engineering Group
       – Customized product development
       – Requirements Analytics
       – Product Design (patent pending process)
       – Product Development
       – Performance Testing
     • UNIKEN Products
       – Customized Business Automation Products
       – REL-ID (Identity Security) Products
       – DEEKSHA (e-Learning)
       – SHOPPEX (Mobile Shopping)
  28. Uniken - Management Team Profile (name; designation; qualifications; relevant experience; details of work experience)
     • Sanjay Deshpande; CEO, Director; M.S. (Computer Science); 13 years; Tata Research Development & Design Centre, Infosys Technologies Ltd., Persistent Systems Pvt. Ltd.
     • Nanjundeaswar Ganapathy; CTO, Director; B.Tech. (IIT Kharagpur); 12 years; Infosys Technologies Ltd.
     • Prakash Salvi; CDO, Director; B.Tech. (Computer Science); 15 years; IMR Global
     • Vivek Saxena; CBO; PGDM (IIM Ahmedabad); 16 years; Tata Consultancy Services, Infosys Technologies Ltd.
     • Nilesh Dhande; COO, Director; MBA (Systems); 9 years; Infosys Technologies Ltd., Six Sigma Master Black Belt
     • Subramanian Gopalan; Advisor to the Board; B.Tech.; 40 years; Director of Sourcing, GE, Greater China
     • Dr. Pat Shankar; Advisor to the Board; Ph.D.; 30 years; Chief Scientist, Motorola Biometrics Division
     • Dr. Lev Goldfarb; Advisor to the Board; Ph.D.; 20 years; Associate Professor, University of New Brunswick
     • Ajay Dubey; Director; B.Tech. (IIT Kanpur); 25 years; VP, Infosys Technologies Ltd.; COO, Persistent Systems Pvt. Ltd.
  29. Contact Details
     Shaillender Mittal, Director Sales
     shaillender.mittal@uniken.com
     Tel: (020) 66427970/71 | Mob: 9823422211
