STANFORD, Calif.--The security of online transactions could be bolstered by adding a display and a set of buttons to a smart card reader or security token, a Microsoft researcher said Monday.
Smart cards and security tokens, which are becoming more common for user authentication, already contain cryptography modules. These could also be used to confirm transactions in a secure way, Dave Steeves, a Microsoft security software engineer, said in a presentation at a TIPPI (Trustworthy Interfaces for Passwords and Personal Information) workshop at Stanford University.
When banking online, for example, a small display bolted onto the smart card reader or USB token would show details of a transfer that has been entered into the bank's Web site. The user would then approve the transaction by hitting the "accept" button on the device, or kill it by pressing the "deny" button, Steeves said.
"Users are working on the Internet and banking insecurely, except when they have to approve a transaction, they reach and hit accept on the trusted device," Steeves said. The action would be like approving a digital copy of a receipt, one member of the audience observed.
An alternative to the buttons would be for the reader or token to display an accept code, which the user would enter into a box on the Web site, Steeves said.
Smart-card readers and tokens are "trusted devices," Steeves said. By using these not only for authentication but also to confirm transactions, the security of online banking is taken further away from the insecure PC and into secure devices, he said.
"Even if your (PC) is owned, you can't own this (device) remotely," Steeves said.
Still, Steeves had to admit that his idea of secured displays, like many security ideas, is not bulletproof. A sophisticated man-in-the-middle attack could still allow an attacker to take over a user's online banking session, he conceded during a question-and-answer session.
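An added example, not from the talk or from Microsoft: one way an accept code could be bound to the transfer shown on the device, so that a code approved for one transfer cannot confirm another. The shared key, the per-transaction nonce, the HMAC construction and every name here are assumptions; the talk as reported specifies none of them.

```python
import hashlib, hmac, secrets, struct

def canonical(tx, nonce):
    # Length-prefix each field so values cannot bleed across field boundaries.
    fields = [tx[k].encode() for k in ("from", "to", "amount", "currency")]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields) + nonce

def accept_code(key, tx, nonce, digits=8):
    # HMAC over the exact transaction, truncated to a typeable code (HOTP-style).
    mac = hmac.new(key, canonical(tx, nonce), hashlib.sha256).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Token:
    """Hypothetical trusted device: holds the key, displays what it will sign."""
    def __init__(self, key):
        self._key = key
    def confirm(self, tx, nonce, user_accepts):
        shown = f'{tx["amount"]} {tx["currency"]} to {tx["to"]}'
        return accept_code(self._key, tx, nonce) if user_accepts(shown) else None

class Bank:
    """Hypothetical bank side: verifies the code against what it will execute."""
    def __init__(self, key):
        self._key, self._pending = key, {}
    def begin(self, tx):
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = dict(tx)
        return nonce
    def finish(self, nonce, code):
        tx = self._pending.pop(nonce, None)   # one attempt per nonce, no replay
        if tx is None or code is None:
            return False
        return hmac.compare_digest(accept_code(self._key, tx, nonce), code)

def demo():
    key = secrets.token_bytes(32)             # constructed key, provisioned to both sides
    token, bank = Token(key), Bank(key)
    want = {"from": "ACC-1", "to": "Alice Landlord", "amount": "950.00", "currency": "USD"}
    forged = dict(want, to="Mallory", amount="9500.00")   # constructed tampering by the PC
    user = lambda shown: shown == "950.00 USD to Alice Landlord"
    n1 = bank.begin(want)                     # honest flow
    code = token.confirm(want, n1, user)
    honest = bank.finish(n1, code)
    replay = bank.finish(n1, code)            # same code submitted again
    n2 = bank.begin(forged)                   # PC alters the bank side, shows the token the original
    split = bank.finish(n2, token.confirm(want, n2, user))
    n3 = bank.begin(forged)                   # PC forwards the forged details to the token
    denied = bank.finish(n3, token.confirm(forged, n3, user))
    return honest, replay, split, denied
```

`demo()` returns one flag per scenario: only the untampered transfer is accepted, and the altered ones fail either at the bank's comparison or at the user's "deny" on the device display.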
Steeves noted that his work is conceptual and not directly related to any product Microsoft is working on, and that it may never become a product.
Others at the Redmond, Wash.-based software maker are busy working on products that are in a more advanced stage of development. Recently, Microsoft shipped a test version of software code-named InfoCard, which aims to help users deal with the plethora of Internet logons and passwords and to make secure payments at Web sites.
I'd rather just be issued an RSA SecurID like my wife has for work for her e-mail.