The unavoidable security limitations of software have led many to look for hardware solutions, such as those based on smart cards. Although software is easy to modify and hence subvert, this is less true of hardware, which makes it attractive for implementing security critical features. While hardware solutions offer better security assurance than software, they are also more expensive. As a result such solutions are likely to be advocated not just for online banking but in the wider context of online electronic commerce. The discussion that follows will therefore consider this wider context.
If secret data can be held in hardware, for example in smart cards, it is much less vulnerable to being discovered by an attacker. Smart cards are vulnerable to a number of forms of attack, but much less so than software since the expertise required is more specialised and the tools needed are less commonly available. But expertise in microelectronics is not rare, and many laboratories will have the necessary equipment. Several techniques have been developed to discover the internal secrets of smart cards, and some of these have been shown to be very successful for particular cards (Kömmerling99).
Such attacks have already become a serious problem for the purveyors of pay per view TV. At one point, Sky TV reckoned that smartcard forgery was costing in excess of 5% of its turnover. Once they are widely introduced, banking smartcards will clearly present an even more attractive target. Some attacks on cash dispenser cards have involved sophisticated and expensive techniques to deceive customers into giving their PIN to a fake machine, and recent research has shown that many smartcards are vulnerable to a fake machine extracting their secrets by observing the power they consume while calculating a digital signature. Organised crime will certainly be able to obtain the means to attack smart cards when the rewards justify the effort.
Moreover, the undoubted advantages of smart cards when compared with security mechanisms based on software are not as easy to harness as they seem. First, where smart cards are used to hold secret information, it makes little sense to transfer this information into a PC for use, since this will remove the very protection that the smart card is intended to provide. So in order to maintain the security of the information, it has to be used on the card itself, and this is likely to require the card to have very powerful processing capability of its own. There are obvious cost implications. Secondly, at a practical level, almost no mass market PCs come with smart card readers, and this seems unlikely to change unless the need is widely recognised and the costs involved are small.
Thirdly, a PIN or a password will be used to activate the card in order to guard against the fraudulent use of lost or stolen cards. If this is entered through the PC’s keyboard it will be vulnerable to all the attacks discussed earlier. In this case it can be argued that the loss of the PIN is not so serious since fraud will require both the card and the PIN. Although this is true, if an attack has been mounted on a PC through a virus as described earlier, it would not be hard to extend the virus to use captured password data with the smart card the next time it is inserted by the user.
These points are not made in order to deny the value of smart cards, but simply to point out that while they will offer big improvements when compared purely with software, they are not a perfect solution.
In order to overcome one of these vulnerabilities, at least one smart card manufacturer is now offering a secure smart card reader with a small keypad for the entry of the PIN. This avoids the use of the PC for PIN entry, but it remains vulnerable to an attack in which a fraudulent application running on the PC (or a point of sale terminal) displays one transaction to the user while asking the inserted smart card to authorise a completely different one. For example, a personal signature card used to sign credit card transactions is vulnerable to an attacker who presents a point of sale terminal to the user which purports to perform a genuine transaction but simultaneously authorises another transaction that is seriously to the user’s detriment – examples might range from another credit card transaction for a large amount up to a re-mortgage of the user’s home.
Smart cards are often seen as the perfect answer for implementing digital signatures, because signature keys kept on such cards can in principle have values not even known by their owners. This can prevent an owner from repudiating a genuine signature by publishing the key and claiming it to have been compromised before the transaction.
But providing a useful identity based signature which cannot be repudiated by this means remains very difficult, because:
(1) in order to ensure that the signature key is secret it must be generated on the card;
(2) for the same reason it must never leave the card, and this requires that the transaction or document to be signed must be imported onto the card, with the signature process being performed by the card; and
(3) the card has to export a verification key that allows the signature to be verified and associated with a person authorised to perform the transaction.
As already indicated, meeting requirements (1) and (2) currently requires relatively expensive ‘state of the art’ hardware solutions, while meeting requirement (3) turns out to be difficult because it raises social and legal issues about how a person can be identified in a unique way.
A person’s name alone is clearly not sufficient since names are not unique; but neither are names with birthdays or names with addresses (which can in any case change frequently). The use of verifiable biometric data – for example, fingerprints, iris or retinal scans or DNA data – offers a more robust solution but will be expensive. Use of such data also raises a number of ethical and privacy concerns such as those that come to the fore when identity cards are mooted: there are many circumstances where an individual may legitimately wish to use a pseudonym which has no link to any other name the individual uses. Moreover, while the costs might be contemplated for use with cash dispensers or point of sale terminals, it is less obvious that the cost of secure biometric data collection devices will soon become low enough for them to become ‘commodity’ peripherals for home PCs. For this reason their value in the foreseeable future for online banking and electronic commerce by consumers is somewhat uncertain.
It is worth noting that major computer and software suppliers are aware of the need to improve the security of current PCs to meet electronic commerce and related needs. This was illustrated in October last year with the announcement of the formation of the Trusted Computing Platform Alliance in the following terms:
‘Compaq, Hewlett Packard, IBM, Intel, and Microsoft today announced the formation of the Trusted Computing Platform Alliance (TCPA), an industry group focused on building confidence and trust of computing platforms in e-business transactions by creating an industry standard for security technologies in personal computing environments.’
In many respects typical PCs offer far more performance than is necessary for controlling the transactions involved in online banking and electronic commerce. They are designed for high levels of functional performance, but their resulting complexity makes the achievement of security objectives much more difficult. In many respects the ideal vehicle for online banking and electronic commerce is a small self-contained computer system such as a palmtop with a small keyboard, a screen and (possibly) an infrared port to enable it to communicate with a home PC, a bank’s or a merchant’s computer system, or a point of sale terminal. By keeping this device simple, and by having a keyboard, a screen, a processor and secure storage in one small self-contained unit, it would be possible to have a highly assured capability for signing transactions without being dependent on other devices such as PCs or point of sale terminals.
Still further security could be achieved by having the secure storage for such a device implemented on a plug-in smart card. It is possible to envisage a secure device with an integral keypad, screen, smart card reader, PC interface and biometric input such as a fingerprint reader. If such a device could be manufactured at reasonable cost it could serve both as a point of sale terminal in a merchant environment and as a PC peripheral at home. In practice the merchant terminal would have to be more robust physically, but the two devices could share much of their security design in common. We think that one essential element in achieving public confidence in such a design will be its openness to scrutiny by independent experts, and the abandonment of ‘security through obscurity’.
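The display-substitution attack described earlier and the self-contained signing device proposed here, in an added Go model that is not part of the report: the card generates and keeps its own key and signs whatever it is handed, a hostile PC shows the user one transaction while having the card sign another, and the secure terminal signs exactly the bytes it displayed, only after the user confirms them. Ed25519 as the signature scheme, and all function names and transaction strings, are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Card models a signature smart card meeting requirements (1)-(3) above: the
// key pair is generated on the card, the private key never leaves it, and only
// the verification key is exported. Ed25519 is an assumed stand-in scheme.
type Card struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func NewCard() *Card {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Card{priv: priv, pub: pub}
}

// VerificationKey is the only key material the card ever exports.
func (c *Card) VerificationKey() ed25519.PublicKey { return c.pub }

// Sign signs whatever bytes the host hands over: the card has no display of
// its own, so it cannot know what the user was actually shown.
func (c *Card) Sign(tx []byte) []byte { return ed25519.Sign(c.priv, tx) }

// Verify is what a bank or merchant does with the exported key.
func Verify(pub ed25519.PublicKey, tx, sig []byte) bool { return ed25519.Verify(pub, tx, sig) }

// HostilePC models the attack in the text: the PC shows the user one
// transaction (shown) while asking the card to authorise another (hidden).
func HostilePC(card *Card, shown, hidden string) (string, []byte, []byte) {
	return shown, []byte(hidden), card.Sign([]byte(hidden))
}

// SecureTerminal models the self-contained device proposed above: the bytes
// sent to the card are exactly the bytes rendered on its own screen, and
// nothing is signed until the user confirms that display.
func SecureTerminal(card *Card, tx string, confirm func(string) bool) ([]byte, []byte, bool) {
	if !confirm(tx) {
		return nil, nil, false
	}
	signed := []byte(tx)
	return signed, card.Sign(signed), true
}
```

The hostile flow yields a signature that a verifier will accept over the hidden transaction, which is exactly why the card alone cannot protect the user; the terminal flow makes the signed bytes and the displayed bytes the same thing.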
Devices of this kind will nevertheless be expensive. We do not think they will come into widespread use without being subsidised by banks and others who benefit from the growth of electronic commerce and have the skills to collaborate in their design. The most certain way to ensure that the banks have the necessary incentive to pursue this programme is to ensure that they carry the risks of the fraud that the programme would help to prevent. Such a programme is not without precedent: the spread of mobile telephony depends on large subsidies by network service providers to reduce the cost to users of buying mobile telephones.