A Canadian company called SmartSwipe has come up with an interesting way to protect credit card numbers from most man-in-the-browser attacks. What they do is install a Windows CSP (cryptographic service provider) that acts as a proxy to an external mag-stripe reader with built-in crypto processing, so the CSP on the host PC does nothing more than forward data to be encrypted out to the external device. There's also a browser plug-in that pre-populates the credit-card field in web forms with a cookie. When the page is sent to the CSP for encryption for SSL, the software running on the reader recognises the cookie in the web-form content, reads the card data via the mag-stripe reader, inserts it into the web-form field, and returns the encrypted result to the host PC to forward to the remote server. As a result, the CC data is never present on the host PC.
The downsides are obvious: not secure against phishing (which is a killer), only works with MSIE because of the requirement for use of a CSP (although you could do it with Firefox as well by creating a PKCS #11 soft-token), and not secure against page-rewrite trojans which have the web page show one thing and do another, but it's an interesting concept. You can find a description of the technology under the name Dynamic SSL(tm)(c)(p); a starting point is:

http://www.smartswipe.ca/en/dynamic-ssl/600-dynamic-ssl-a-practical-solution-for-endpoint-to-endpoint-encryption

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
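The split described in the post, modelled as an added example (not SmartSwipe's code or the list author's): the host side only ever holds a placeholder marker in the card field, and the external reader swaps in the PAN immediately before sealing the form for the session. The marker value, the toy SHA-256 stream cipher standing in for the SSL record layer, the session key and the test PAN are all constructed for the example; the reader's blindness to the form's destination is what the phishing and page-rewrite caveats above come down to.

```python
import hashlib

# Constructed stand-in for the cookie the browser plug-in writes into the card field.
PLACEHOLDER = b"__CARD_PLACEHOLDER__"


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256; a toy stand-in for the TLS record cipher."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def toy_seal(key: bytes, data: bytes) -> bytes:
    """Toy symmetric encryption standing in for the SSL/TLS session (XOR stream)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_open = toy_seal  # XOR stream: decryption is the same operation


def host_build_form(amount: str) -> bytes:
    """Host PC side: the plug-in fills the card field with the marker, never the PAN."""
    return b"amount=" + amount.encode() + b"&card=" + PLACEHOLDER


def device_seal(form: bytes, session_key: bytes, read_card) -> bytes:
    """External reader side: swap the real PAN in for the marker, then encrypt.

    The reader sees only form bytes and a session key. It cannot tell which
    server the sealed form is destined for, so it substitutes the PAN into a
    phishing page's form, or a trojan-rewritten form, exactly as readily.
    """
    if PLACEHOLDER in form:
        form = form.replace(PLACEHOLDER, read_card())
    return toy_seal(session_key, form)


def checkout(amount: str, session_key: bytes, read_card):
    """Return (plaintext the host PC ever held, ciphertext that goes on the wire)."""
    plaintext_on_host = host_build_form(amount)
    on_wire = device_seal(plaintext_on_host, session_key, read_card)
    return plaintext_on_host, on_wire
```

`checkout("12.50", key, reader)` returns a host-side plaintext without the PAN, while `toy_open(key, wire)` on the server side recovers the form with the card number filled in.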