
A token gesture?
By Joris Evers
Published: 14 June 2005 08:25 BST
The security of online transactions could be bolstered by adding a display and a set of buttons to a smartcard reader or security token, a Microsoft researcher said on Monday.
Smartcards and security tokens, which are becoming more common for user authentication, already contain cryptography modules. These could also be used to confirm transactions in a secure way, Microsoft security software engineer Dave Steeves said in a presentation at Stanford University.
When banking online, for example, a small display bolted on to the smartcard reader or USB token would show details of a transfer that has been entered into the bank's website. The user would then approve the transaction by hitting the "accept" button on the device, or kill it by pressing the "deny" button, Steeves said.
"Users are working on the internet and banking insecurely, except when they have to approve a transaction, they reach and hit accept on the trusted device," Steeves said. The action would be like approving a digital copy of a receipt, one member of the audience observed.
An alternative to the buttons would be for the reader or token to display an accept code, which the user would enter into a box on the website, Steeves said.
Smartcard readers and tokens are "trusted devices", Steeves said. By using these not only for authentication but also to confirm transactions, the security of online banking is taken further away from the insecure PC and into secure devices, he said.
"Even if your machine is owned, you can't own this [device] remotely," Steeves said, referring to an attacker having taken control of a user's PC.
Still, like many security ideas, Steeves had to admit that his secured displays would not be bullet-proof. A sophisticated man-in-the-middle attack could still allow an attacker to take over a user's online banking session, he conceded during in a question and answer session.
Steeves spoke at the Trustworthy Interfaces for Passwords and Personal Information. His work is conceptual and not directly related to any product Microsoft is working on and may never become a product, he said.
Others at the Redmond-based software maker are busy working on products that are in a more advanced stage of development. Recently Microsoft shipped a beta of software code-named InfoCard, which aims to help users deal with the plethora of internet logons and passwords and pay securely at websites.
Joris Evers writes for CNET News.com
Transaction Services Project/Programme Manager, London, Global As part of a huge strategic Transaction Services expansion one of our Global Tier 1 ...
This will be achieved through the development of 'agents' which gather information from our clients to display on the website. You are confident and ...
Interest in one or more domains of the financial services industry (capital markets, corporate and transaction banking, asset management, retail ...
CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.
Stories from the web...
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved. Top of page
Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…
Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...