Trusted path

29/02/08

03:50:13 pm, by Igor Drokov, in User experience, Strong authentication

Trusted path is quite a common term in security research. It is the basis of many security protocol and application designs, and breaking it is one of the most common attack vectors.

This week, the Security Group published their findings on the vulnerability of PIN entry devices (PEDs) currently deployed in the UK (details available in their technical report). The vulnerability arises partially from insufficient protection of the PEDs from tampering and partially from communications between the card and the device not being encrypted. This effectively breaks the trusted path between the customer's card and the retailer's terminal/card processing network. You can watch the BBC Newsnight program covering this.

This week we (Cronto) have also made an announcement about potential vulnerabilities of Chip and PIN based authentication for online banking. Whilst the CAP readers deployed by the UK banks can provide transaction authentication, there is still a weak link. If the user is tricked into entering incorrect details into the CAP reader then they could be inadvertently authorising a fraudulent transaction. Whilst the possibility of this happening might seem remote, our analysis of existing systems shows otherwise. Again, the threats arise because there is no trusted path from the bank to the user's card/reader as the attacker can manipulate the presentation of the bank's website to the user.

The trusted path issue is common to all consumer payments industry applications: from ATMs with added PIN pads and tampered retail terminals to man-in-the-browser'ed banking websites. The problem is also increasing with the growth of the payments industry, and any potentially successful solution requires a new approach based on innovation rather than attempts to patch the holes in the old protocols.

These issues are already a subject of both academic research and commercial product development. Some see a solution in USB tokens with strong security protocols; others suggest mobile-phone-based PKI certificates are the answer. At Cronto, we believe the visual channel is the best way to go.

<!-- If you are offended by a commercial company being passionate about its product and advocating innovation in a traditionally very conservative industry, you can stop reading now -->

We believe that our visual cryptogram can provide a trusted path from a bank to the customer in a way that is both secure and simple for consumers.

Cronto Visual Cryptogram


We chose the visual channel for the following reasons:

  • The image can contain encrypted data
  • Most end user terminals can display images: from ATMs to train ticket machines to websites, no hardware modifications are needed
  • Taking a picture of the terminal is easy for the user
  • Any personal device can be used: a camera phone, a dedicated camera token or, potentially, a CAP reader, and even a credit card itself extended with a camera and our algorithms running on the chip
  • Both attack vectors – the data in transfer being tampered with, and the user typing incorrect information – are mitigated
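
The sketch below is an added example, not Cronto's scheme or code from this post. It contrasts a typed-entry flow, where the device authorises whatever the user copies from the screen, with a flow where the device first verifies a bank-authenticated message and displays its contents. It assumes a symmetric key shared by the bank and the device and uses an HMAC only (confidentiality is left out); all function names and sample values are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed demo key; assumes the bank and the user's device share a secret.
DEVICE_KEY = b"constructed-demo-key"


def _mac(label: bytes, canon: str) -> bytes:
    return hmac.new(DEVICE_KEY, label + canon.encode(), hashlib.sha256).digest()


def canonical(details: dict) -> str:
    return json.dumps(details, sort_keys=True)


def response_code(details: dict) -> str:
    """8-digit code the device shows once the user approves `details`."""
    digest = _mac(b"resp|", canonical(details))
    number = int.from_bytes(digest[:4], "big") % 10**8
    return f"{number:08d}"


def bank_make_message(details: dict) -> dict:
    """Bank side: authenticate the transaction the bank actually received."""
    canon = canonical(details)
    return {"details": canon, "tag": _mac(b"msg|", canon).hex()}


def device_read_message(message: dict):
    """Device side: details to display, or None if the tag does not verify."""
    expected = _mac(b"msg|", message["details"]).hex()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["details"])


def typed_entry_flow(shown_on_screen: dict) -> str:
    """Weak link: the device signs whatever the user copies from the web page."""
    return response_code(shown_on_screen)


def trusted_path_flow(message: dict, user_intent: dict):
    """Device verifies the bank's message; the user approves only what they meant."""
    details = device_read_message(message)
    if details is None or details != user_intent:
        return None  # forged message, or the bank was sent a different payment
    return response_code(details)
```

The comparison against `user_intent` stands in for the user reading the details on the device's own display and declining when they do not match.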