So for a midterm report, we had a choice between writing an ACM paper on reforming the social security number system, credit card security, or finding an exploit on school campus/computer system somehow. I went with the boring choice (I had about two days to complete it so I didn't want to travel to campus all the time), the credit card. Regardless, I came up with some really good ideas in my opinion. I wish I could just post the entire article here but it would probably be all screwed up thanks to the Blogger display setting. With this paper being an ACM paper, all my information is located there such as name, address, e-mail, phone number, and I really don't want people contacting me, unless it's through e-mail or comments of course :).
I'll give you a summary since you probably don't want to read my 4-page, single-spaced paper, as my writing is absolutely atrocious. I came up with two systems: one that would work when you're purchasing in store, and another for when you're purchasing online. These two systems would use different mechanisms to accomplish the security.
In a store, this new system would use two biometric systems to accomplish the security. The first is a fingerprint scanner and the second is a camera. One would slide the credit card across the reader; then, to confirm one's identity, the potential customer would put his finger onto the scanner and at the same time have his picture taken by the camera (which would be integrated in the fingerprint scanner). This would replace the little signature pad that we are all used to and that no one really pays attention to (especially the cashier); perhaps it would save a little time too. This ensures that the person buying is the owner of the card; if he or she isn't, then hopefully the fingerprint will be rejected. It's possible for the fingerprint scanner to be fooled, however [1]. If it is, the camera is there to catch the face of the guilty suspect. If your card is stolen, then the store will have the thief's fingerprint and/or picture for the authorities to use to track down the culprit. Although privacy is always a concern, the paper asked for security, not privacy.
Our online system uses a central credit card website such as VISA.com to hold all of your credit card information. If you want to purchase something from the internet, from Amazon for example, you must generate a code. This code is generated by giving VISA the total amount of the purchase ($52.69). VISA will generate a purchasing code using your account information and the amount. Once this is done, you can paste the code into Amazon's checkout section and pay Amazon the total amount. If you've made a mistake, Amazon will either return the difference or ask for more money before they ship the product. This ensures that only VISA has all of your information; it isn't stored anywhere else (such as Amazon, Barnes & Noble, etc.). We could also employ a confirmation system by either mail or text message. VISA would alert you that you are about to make a purchase and you must send back either a confirmation or a denial of payment.
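A minimal sketch of the purchase-code flow described above, added here as an illustration and not taken from the paper. The `CardIssuer` class, the HMAC-plus-nonce code format, the single-use rule and the choice to leave an underfunded code unspent are all assumptions; the account identifier is constructed.

```python
import hashlib
import hmac
import secrets


class CardIssuer:
    """Hypothetical stand-in for the central card site described in the post."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # secret known only to the issuer
        self._issued = {}                    # nonce -> [account_id, cents, redeemed]

    def _tag(self, account_id, cents, nonce):
        msg = f"{account_id}|{cents}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]

    def issue_code(self, account_id, cents):
        """Cardholder requests a code covering one purchase of `cents`."""
        nonce = secrets.token_hex(8)  # unique per code, so codes are single-use
        self._issued[nonce] = [account_id, cents, False]
        return f"{nonce}-{self._tag(account_id, cents, nonce)}"

    def redeem(self, code, merchant_total_cents):
        """Merchant presents only the code; it never sees account details."""
        nonce, _, tag = code.partition("-")
        record = self._issued.get(nonce)
        if record is None:
            return ("rejected", 0)  # unknown code
        account_id, cents, redeemed = record
        expected = self._tag(account_id, cents, nonce)
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return ("rejected", 0)  # altered or forged code
        if redeemed:
            return ("rejected", 0)  # replay of a code already spent
        if cents < merchant_total_cents:
            # Assumption: the code stays unspent while the merchant asks for more.
            return ("more_money_needed", merchant_total_cents - cents)
        record[2] = True
        return ("paid", cents - merchant_total_cents)  # difference to return


def demo():
    issuer = CardIssuer()
    code = issuer.issue_code("acct-constructed-001", 5269)  # the post's $52.69
    forged = code[:-1] + ("0" if code[-1] != "0" else "1")  # tampered last digit
    return [issuer.redeem(forged, 5269), issuer.redeem(code, 6000),
            issuer.redeem(code, 5000), issuer.redeem(code, 5000)]
```

The code the merchant receives carries no account data, so a merchant breach exposes only codes that are already spent or bound to a fixed amount.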
The credit card is also redesigned. On the front, your name, expiration date, and bank logo are the only things listed; on the back is the familiar magnetic strip we are all used to. We don't need the account numbers on the front, as they haven't been used since the manual credit card imprinter days. They also won't be necessary since we have the alternate online purchase method. The back of the card doesn't have the CCV number, which also won't be necessary in our new system. The signature on the back, meant to prove ownership and consent to the VISA terms and conditions, is useless: you have your name on the front to prove ownership. The expiration date tells you when it's time to change cards, as the magnetic strip eventually wears out through use.
My article goes into more depth than this and covers many other biometric devices that were looked at. If anyone really wants to take a look at it, please comment and I'll post it here albeit with identifying information removed.
References
[1] http://www.metacafe.com/watch/2350125/mythbusters_overcoming_a_fingerprint_security_system/