
A token gesture?
By Joris Evers
Published: 14 June 2005 08:25 GMT
The security of online transactions could be bolstered by adding a display and a set of buttons to a smartcard reader or security token, a Microsoft researcher said on Monday.
Smartcards and security tokens, which are becoming more common for user authentication, already contain cryptography modules. These could also be used to confirm transactions in a secure way, Microsoft security software engineer Dave Steeves said in a presentation at Stanford University.
When banking online, for example, a small display bolted on to the smartcard reader or USB token would show details of a transfer that has been entered into the bank's website. The user would then approve the transaction by hitting the "accept" button on the device, or kill it by pressing the "deny" button, Steeves said.
"Users are working on the internet and banking insecurely, except when they have to approve a transaction, they reach and hit accept on the trusted device," Steeves said. The action would be like approving a digital copy of a receipt, one member of the audience observed.
An alternative to the buttons would be for the reader or token to display an accept code, which the user would enter into a box on the website, Steeves said.
Smartcard readers and tokens are "trusted devices", Steeves said. By using these not only for authentication but also to confirm transactions, the security of online banking is taken further away from the insecure PC and into secure devices, he said.
"Even if your machine is owned, you can't own this [device] remotely," Steeves said, referring to an attacker having taken control of a user's PC.
Still, like many security ideas, Steeves had to admit that his secured displays would not be bullet-proof. A sophisticated man-in-the-middle attack could still allow an attacker to take over a user's online banking session, he conceded during in a question and answer session.
Steeves spoke at the Trustworthy Interfaces for Passwords and Personal Information. His work is conceptual and not directly related to any product Microsoft is working on and may never become a product, he said.
Others at the Redmond-based software maker are busy working on products that are in a more advanced stage of development. Recently Microsoft shipped a beta of software code-named InfoCard, which aims to help users deal with the plethora of internet logons and passwords and pay securely at websites.
Joris Evers writes for CNET News.com
These programs control application specific hardware, accept and display relevant maps, process information on pre-determined scenarios and display ...
My client has commissioned the Business Transaction Monitoring (BTM) project to provide monitoring of transactions across the trading integration ...
JAVA Developer - Card Payment Solutions; Home Based / South East; required to join a well established world leading JAVA house developing transaction ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business
Jon Collins Is losing a mobile device really such a big deal? How to minimise the damage to your business