Microsoft gets smart about online security

A token gesture?

Tags: smartcards, security, smartcard, microsoft

By Joris Evers

Published: 14 June 2005 08:25 GMT

The security of online transactions could be bolstered by adding a display and a set of buttons to a smartcard reader or security token, a Microsoft researcher said on Monday.

Smartcards and security tokens, which are becoming more common for user authentication, already contain cryptography modules. These could also be used to confirm transactions in a secure way, Microsoft security software engineer Dave Steeves said in a presentation at Stanford University.

When banking online, for example, a small display bolted on to the smartcard reader or USB token would show details of a transfer that has been entered into the bank's website. The user would then approve the transaction by hitting the "accept" button on the device, or kill it by pressing the "deny" button, Steeves said.

"Users are working on the internet and banking insecurely, except when they have to approve a transaction, they reach and hit accept on the trusted device," Steeves said. The action would be like approving a digital copy of a receipt, one member of the audience observed.

An alternative to the buttons would be for the reader or token to display an accept code, which the user would enter into a box on the website, Steeves said.

Smartcard readers and tokens are "trusted devices", Steeves said. By using these not only for authentication but also to confirm transactions, the security of online banking is taken further away from the insecure PC and into secure devices, he said.

"Even if your machine is owned, you can't own this [device] remotely," Steeves said, referring to an attacker having taken control of a user's PC.
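
The accept-code variant described above, as an added example that is not from the article or from Microsoft. It assumes the token and the bank share a secret key and that the code is a truncated HMAC over the transaction details plus a bank-issued nonce; the article does not say how the code would be derived, and all names here are hypothetical.

```python
import hashlib
import hmac

FIELDS = ("payee", "account", "amount", "nonce")  # fixed order (assumed format)

def canonical(tx):
    # Token and bank must hash identical bytes; values must not contain "|".
    return "|".join(f"{k}={tx[k]}" for k in FIELDS).encode()

def accept_code(key, tx, digits=8):
    """Short decimal code bound to one exact transaction."""
    mac = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Token:
    """Trusted device: holds the key, displays details, releases a code on accept."""
    def __init__(self, key):
        self._key = key

    def confirm(self, tx, user_accepts):
        shown = f"Pay {tx['amount']} to {tx['payee']} ({tx['account']})"
        # user_accepts models the user reading the display and pressing a button.
        return accept_code(self._key, tx) if user_accepts(shown) else None

class Bank:
    def __init__(self, key):
        self._key = key

    def execute(self, tx, code):
        # Recompute over what the website actually received, compare in constant time.
        return code is not None and hmac.compare_digest(code, accept_code(self._key, tx))

def run_scenarios():
    key = b"constructed-demo-key"  # constructed sample value
    token, bank = Token(key), Bank(key)
    intended = {"payee": "Alice Landlord", "account": "11112222",
                "amount": "500.00", "nonce": "n-001"}  # constructed sample data
    altered = dict(intended, payee="Unknown Payee", account="99998888")
    # The user accepts only the transfer they meant to make.
    user = lambda shown: "Alice Landlord" in shown and "500.00" in shown
    return {
        # Untampered PC: displayed details match, code verifies.
        "honest": bank.execute(intended, token.confirm(intended, user)),
        # Owned PC alters the transfer: the device shows the change, user denies.
        "altered_and_shown": bank.execute(altered, token.confirm(altered, user)),
        # Owned PC shows the original on the device but submits the altered
        # transfer: the code covers different details and is rejected.
        "altered_not_shown": bank.execute(altered, token.confirm(intended, user)),
    }
```

The nonce keeps a captured code from being reused for a later identical transfer. The scheme does nothing for a user who presses accept without reading the display.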

Still, as with many security ideas, Steeves had to admit that his secured displays would not be bulletproof. A sophisticated man-in-the-middle attack could still allow an attacker to take over a user's online banking session, he conceded during a question-and-answer session.

Steeves spoke at the Trustworthy Interfaces for Passwords and Personal Information workshop. His work is conceptual, is not directly related to any product Microsoft is working on, and may never become a product, he said.

Others at the Redmond-based software maker are busy working on products that are in a more advanced stage of development. Recently Microsoft shipped a beta of software code-named InfoCard, which aims to help users deal with the plethora of internet logons and passwords and pay securely at websites.

Joris Evers writes for CNET News.com
