A Security Framework for Card-Based Systems

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2339))

Abstract

The legal framework provided by the Electronic Signature Act, enacted into law as of October 1, 2000, has fueled interest in digital signature-based payment transactions over the Internet. The bulk of formalization and security analysis to date on such secure payments has focused on creating new secure channels for existing credit or debit card systems (iKP and SET). But there has been no formal modeling of, or attempt to strengthen the security of, the card systems themselves.

In this paper we present a simple but formal communication and security model for all card-based payments, encompassing credit, debit and pre-paid cards, and proceed to propose CardSec, a new family of card-based systems which can be proven secure under this model. In the process we also analyze the security of existing credit, debit and pre-paid card systems, both for Internet and for brick-and-mortar payments. We then present an efficient implementation of CardSec in the form of the InternetCash card system and analyze its security in detail. We take the opportunity to describe the InternetCash Payment Protocol (ICPP), which can be used for creating a secure channel between Transaction Processor and Customer for all Internet-bound transactions, thus acting as an alternative to iKP and SET and offering more security than systems utilizing limited-use credit card numbers. We conclude with a discussion of pre-authorization, refunds and customer service issues.

Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

Cite this paper

Tsiounis, Y. (2002). A Security Framework for Card-Based Systems. In: Syverson, P. (ed.) Financial Cryptography. FC 2001. Lecture Notes in Computer Science, vol 2339. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46088-8_19

  • DOI: https://doi.org/10.1007/3-540-46088-8_19
  • Publisher Name: Springer, Berlin, Heidelberg
  • Print ISBN: 978-3-540-44079-6
  • Online ISBN: 978-3-540-46088-6