Augmenting Internet-based Card Not Present Transactions with Trusted Computing

In this paper, we demonstrate how Trusted Computing technology can be used to enhance the security of Internet-based Card Not Present (CNP) transactions. We take a pragmatic approach, focusing here on exploiting features of Trusted Computing as it is being deployed today. Thus we rely only on the presence of client-side Trusted Platform Modules, rather than upon the “idealised” deployment in which Trusted Computing functionality is fully integrated with OS and CPU, and which still seems to be a distant prospect. In essence, our approach uses features of the Public Key Infrastructure that is inherent in Trusted Computing to build lightweight client-side enrollment and certification processes; public key certificates are then used to underpin authentication for CNP payments. Using this approach we demonstrate how Trusted Platform Module (TPM) enabled platforms can integrate with SSL and 3-D Secure. We discuss the threats to CNP transactions that remain even with our enhancements in place, focussing in particular on the threat of malware, and how it can be ameliorated.