Augmenting Internet-based Card Not Present Transactions with Trusted Computing

by Shane Balfe and Kenneth G. Paterson

In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the "idealised" deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated.