Jean-Paul, Peter, et al,
>>>>> "jb" == Jean-Paul Billon <[EMAIL PROTECTED]> writes:
jb> Hi Peter,
jb> It is clear that in any case the card should sign all the elements
jb> identifying the transaction, which includes (among others) the amount. Is
jb> this enough for complete security of everyone involved in the payment?
jb> No, for the following reasons:
jb> 1. Customer protection: when signing the transaction by PIN entry, the
jb> customer gives a legal acceptance that he cannot repudiate afterward. So,
jb> he must be absolutely certain that the amount displayed is really the one
jb> that he accepts. This means that the display of the amount should not be
jb> controlled by an insecure PC but only by a certified secure device
jb> controlling in an opaque mode all the exchanges between the customer
jb> (display and pinpad) and the customer card. This means that all the APDU
jb> exchanges with the customer card for making it validate the transaction
jb> must be driven by a program residing in the secure device, which excludes
jb> an open PC.
The problem is much more subtle than just having a "certified"
device. Non-technical people will not know how to distinguish a certified
device from a non-certified device or even from a certified but tampered-with
device. The same questions you raise with regards to the PC (and I agree
completely with what you are concerned about, don't misunderstand me) can be
raised about a certified card-acceptance device. Perhaps smart cards with an
LCD display are the solution after all...
jb> 2. Merchant protection: in off-line processing mode, the information about
jb> the accepted transactions is just stored in the terminal until some
jb> collection from the acquirer. If the elements identifying the transaction
jb> are properly signed, there is no possibility to tamper with the amount. But
jb> there is still the possibility to alter the stored data, which would make
jb> them unusable, with the consequence that the merchant would not be paid. On
jb> an insecure PC there is also the possibility to download fake programs
jb> which would simulate the acceptance of transactions for some cards while
jb> in fact no real transactions were performed. When knowing that such a fake
jb> program is running, a gang can "buy" goodies for hundreds of thousands of
jb> dollars in a shop before the merchant understands he will never be
jb> paid...
Well, no system is ever going to be completely secure. Also, if I'm a merchant
having wares worth "hundreds of thousands of dollars" in my shop I'd probably
have an online connection to make sure that I get my money in the end.
Just a couple of thoughts on these topics.
Dirk
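The point both messages turn on (signing every identifying element of an off-line transaction, and what that does and does not protect) can be made concrete with a small model. This is an added example, not code from the list or from OCF: it stands in a shared HMAC key for the card's signing key (real cards use issuer-managed keys), and the record layout, field names and the settlement logic are constructed for illustration.

```python
import hmac
import hashlib
import json

# Constructed placeholder for the card's signing key (assumption, not a real key).
CARD_KEY = b"placeholder-card-key"

def sign_transaction(card_key, amount_cents, currency, merchant_id, counter):
    """Card side: MAC over every element that identifies the transaction,
    including the amount and a per-card transaction counter."""
    record = {"amount": amount_cents, "currency": currency,
              "merchant": merchant_id, "counter": counter}
    msg = json.dumps(record, sort_keys=True).encode()
    record["sig"] = hmac.new(card_key, msg, hashlib.sha256).hexdigest()
    return record

def verify_record(card_key, record):
    """Acquirer side: recompute the MAC over the identifying elements.
    Any change to the amount (or any other field) makes this fail."""
    body = {k: v for k, v in record.items() if k != "sig"}
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(card_key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("sig", ""))

def settle_batch(card_key, stored, first_counter):
    """Collection of the terminal's stored records for one card.
    Signed records pay out; altered records are unusable (the merchant's
    exposure from the thread); gaps in the counter reveal deleted records."""
    paid, rejected, missing = 0, [], []
    expected = first_counter
    for rec in stored:
        if rec["counter"] != expected:          # record(s) deleted from storage
            missing.extend(range(expected, rec["counter"]))
            expected = rec["counter"]
        if verify_record(card_key, rec):
            paid += rec["amount"]
        else:
            rejected.append(rec["counter"])     # altered or faked record
        expected += 1
    return {"paid": paid, "rejected": rejected, "missing": missing}

if __name__ == "__main__":
    # Constructed batch: four 5.00 USD sales, one altered, one deleted.
    batch = [sign_transaction(CARD_KEY, 500, "USD", "SHOP-1", n) for n in range(4)]
    batch[1] = dict(batch[1], amount=9999)
    del batch[2]
    print(settle_batch(CARD_KEY, batch, 0))
```

The signature settles the amount dispute, but a record that has been corrupted in storage is simply lost to the merchant, and a fake acceptance program is only exposed at collection time, after the goods have left the shop.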
Visit the OpenCard Framework's WWW site at http://www.opencard.org/ for
access to documentation, code, presentations, and OCF announcements.
-----------------------------------------------------------------------------
To unsubscribe from the OCF Mailing list, send a mail to
"[EMAIL PROTECTED]" with the word "unsubscribe" in the BODY of the
message.