Microsoft gets smart about online security

The security of online transactions could be bolstered by adding a display and a set of buttons to a smartcard reader or security token, a Microsoft researcher said on Monday.

Smartcards and security tokens, which are becoming more common for user authentication, already contain cryptography modules. These could also be used to confirm transactions in a secure way, Microsoft security software engineer Dave Steeves said in a presentation at Stanford University.

When banking online, for example, a small display bolted on to the smartcard reader or USB token would show details of a transfer that has been entered into the bank's website. The user would then approve the transaction by hitting the "accept" button on the device, or kill it by pressing the "deny" button, Steeves said.

"Users are working on the internet and banking insecurely, except when they have to approve a transaction, they reach and hit accept on the trusted device," Steeves said. The action would be like approving a digital copy of a receipt, one member of the audience observed.

An alternative to the buttons would be for the reader or token to display an accept code, which the user would enter into a box on the website, Steeves said.

Smartcard readers and tokens are "trusted devices", Steeves said. By using these not only for authentication but also to confirm transactions, the security of online banking is taken further away from the insecure PC and into secure devices, he said.

"Even if your machine is owned, you can't own this [device] remotely," Steeves said, referring to an attacker having taken control of a user's PC.

Still, like many security ideas, Steeves had to admit that his secured displays would not be bullet-proof. A sophisticated man-in-the-middle attack could still allow an attacker to take over a user's online banking session, he conceded during in a question and answer session.

Steeves spoke at the Trustworthy Interfaces for Passwords and Personal Information. His work is conceptual and not directly related to any product Microsoft is working on and may never become a product, he said.

Others at the Redmond-based software maker are busy working on products that are in a more advanced stage of development. Recently Microsoft shipped a beta of software code-named InfoCard, which aims to help users deal with the plethora of internet logons and passwords and pay securely at websites.

Joris Evers writes for CNET News.com