Internet PIN Debit White Paper - HomeATM

Internet PIN Debit White Paper - HomeATM

Posted by John B. Frank Saturday, March 28, 2009

HomeATM CEO, Ken Mages (along with one of HomeATM's Engineers, Jimmy Tang) have collaborated on a White Paper outlining why a software approach to bringing PIN Debit to the Internet is not safe.

To view the White Paper in PDF file, I have included a link below.

To enlarge the photos of each individual page, you can simply click the picture and it will enlarge to a size large enough to read it.

Suffice it to say that that HomeATM believes that, from a Hardware vs. Software/ Security vs. Convenience standpoint, Internet PIN Debit transactions done on a PC is...

Doing It Wrong

Page 1
Click to Enlarge

Page 2
Click to Enlarge

3 comments

P K Sengupta Says:

Posted on July 7, 2009 at 6:24 AM
I read your PDF on PIN debit. Long ago, Safenet/Eracom had suggested use of an applet that would use a dynamically generated key to encrypt the PIN as it was entered on the web browser. Thus the PIN would be safe after reaching the web server, when https would end

What it is your objection to this method?
Kenneth G. Mages Says:

Posted on July 7, 2009 at 10:22 AM
"If it (the PIN) was entered on the web browser" it can be screen scraped, mouse click captured, or keylogged before it gets to the applet.
John B. Frank Says:

Posted on July 7, 2009 at 12:38 PM
Thanks for you question. I have a three part answer. 1. You say "Long ago" to which I reply, long ago, hackers "hacked" for notoriety, whereas now they "hack for profit." So whatever they came up with "long ago" would probably be considered "insecure" today. Keep in mind, typing your Primary Account Number into a box was much safer "long ago" than it is today and is safer today than it will be tomorrow. Nothing motivates more than money or family and the family of hackers are more than extremely motivated at this juncture.

2. You say an applet would use a dynamically generated key" (similar to DUKPT) as it was "ENTERED" on the web browser. Our position is and has been consistent. One should NEVER "Enter/Type/ PANs or PINs into a web browser. If it's on the screen, it's in the hackers hands. It is subject to keylogging, screen scraping, memory scraping (the list goes on) let alone a PIN, which is the "holy grail" for hackers.

3. You mention this would make it safe after reaching the web server when "https" would end. I've done several posts exposing https as "not safe."

If you'd like to find out more, you can use the "Search HomeATM Blog Search Tool" located on the top of the left sidebar and search "https" for articles discussing how https is more like httb.s.

Excellent question and if you have a follow-up to it, feel free to post!

JBF

Learn More About Us

Find out how our patented technology can empower your financial institution.

Our secure two-factor online banking authentication eliminates dangerous passwords and usernames and replicates the same trusted process used to access cash at ATM's. (Insert Bank Issued Card, Enter Bank Issued PIN)

There is an R.O.I. as FI's also earn recurring revenue from each transaction conducted using our PCI 2.0 Certified PIN Entry Device. Our technology also provides a unique real-time P2P "Instant-Transfer" which allows your online banking customer to transfer cash from ANY of their bankcards to ANY other bankcard...with the Swipe of a card.

Help your bank eliminate phishing and your customers avoid identity theft by providing them with the ability to stop typing and start swiping. There is no safer way to conduct financial transactions online than by 3DES DUKPT encrypting the cardholder details, which we do at the mag-head "inside the box/outside the browser."

All Top Banking