The Radboud Reader: A Minimal Trusted Smartcard Reader for Securing Online Transactions

  • Erik Poll
  • Joeri de Ruiter
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 396)

Abstract

We present the design of a device for securing online transactions, e.g. for internet banking, which can protect against PC malware, including Man-in-the-Browser attacks. The device consists of a USB-connected smartcard reader with a small display and numeric keyboard, similar to devices currently used for internet banking. However, unlike existing devices, we rigorously stick to the design philosophy that the device should be as simple as possible: functionality and control are moved as much as possible to the smartcard. Although this is a simple (and obvious) idea, we are not aware of any solutions pursuing it. Moreover, it has some interesting benefits compared to existing solutions: the device is simpler, provides stronger security guarantees than many alternatives (namely that it will only display text authenticated by the smartcard), and is generic in that it can be used in combination with different smartcards for different applications (for example, for internet banking with a bank card and for filing an online tax return with a national ID card).
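The abstract's central guarantee is that the reader only displays text authenticated by the smartcard, so a Man-in-the-Browser on the PC that relays traffic between card and reader cannot alter what the user sees. The following simulation is an added example, not code from the paper or from the Radboud Reader project; it assumes, for illustration only, that card and reader share a session key and authenticate display text with HMAC-SHA256 over a sequence number and the text. The paper's actual key establishment and message format are not described in the abstract.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed session key shared by card and reader (assumption: how the
# real design provisions or derives such a key is not given in the abstract).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


@dataclass(frozen=True)
class DisplayMessage:
    """What the untrusted PC forwards from the card to the reader."""
    seq: int      # monotonic counter chosen by the card, blocks replay
    text: str     # the text the card wants shown on the reader's display
    mac: bytes    # HMAC over seq || text under the shared session key


def _tag(key: bytes, seq: int, text: str) -> bytes:
    # Bind the counter and the text together so neither can be swapped alone.
    return hmac.new(key, seq.to_bytes(4, "big") + text.encode("utf-8"),
                    hashlib.sha256).digest()


class SmartCard:
    """Holds the key and the application logic; the reader holds neither."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._seq = 0

    def authenticate_text(self, text: str) -> DisplayMessage:
        self._seq += 1
        return DisplayMessage(self._seq, text, _tag(self._key, self._seq, text))


class MinimalReader:
    """Minimal trusted device: verify the tag, then display; nothing else."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._last_seq = 0
        self.screen: list[str] = []

    def show(self, msg: DisplayMessage) -> bool:
        # Reject replays of an already displayed message.
        if msg.seq <= self._last_seq:
            return False
        # Constant-time comparison of the expected and received tag.
        if not hmac.compare_digest(_tag(self._key, msg.seq, msg.text), msg.mac):
            return False
        self._last_seq = msg.seq
        self.screen.append(msg.text)
        return True


def demo() -> tuple[dict[str, bool], list[str]]:
    """Run one genuine message, one PC-tampered copy and one replay."""
    card = SmartCard(SESSION_KEY)
    reader = MinimalReader(SESSION_KEY)
    genuine = card.authenticate_text("Pay EUR 50.00 to NL00BANK0123456789")
    # Constructed Man-in-the-Browser behaviour: the PC swaps the beneficiary
    # but can only forward the card's tag, which no longer matches the text.
    tampered = DisplayMessage(genuine.seq,
                              "Pay EUR 50.00 to NL99EVIL0000000001",
                              genuine.mac)
    results = {
        "tampered": reader.show(tampered),   # MAC check fails, not displayed
        "genuine": reader.show(genuine),     # displayed
        "replayed": reader.show(genuine),    # sequence check fails
    }
    return results, list(reader.screen)


if __name__ == "__main__":
    print(demo())
```

Because the reader stores only a verification key, a counter and a display routine, the trusted computing base of the device stays small while the application-specific behaviour lives on whichever card is inserted, which is what makes the same reader usable with a bank card or a national ID card.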

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Erik Poll
  • Joeri de Ruiter

Institute for Computing and Information Sciences, Digital Security Group, Radboud University Nijmegen, The Netherlands