Sunday, December 27, 2009

SmartSwipe (and HomeATM) - A Very Smart Tool For The Cautious Online Shopper

I hadn't heard of this device until I was leafing through the Hammacher Schlemmer catalog tonight. What caught my attention was the claim of a credit card reader that plugs into your USB port, reads your credit card, encrypts the card info and inserts it into the browser pre-encrypted, to be securely transmitted to any online store without the unencrypted data ever passing through the user's computer.

The device is the SmartSwipe by Canadian company NetSecure.

I had a hard time believing that what the catalog was claiming was possible, but after reading the white paper on the SmartSwipe site I think it's incredibly smart. With this device installed, its driver is used by the web browser as an encryption engine. The browser (for now it only works with IE) passes the unencrypted form off to the device, which inserts the credit card data into the form and encrypts the page before passing it back to the browser to transmit to the store website. The device does the encryption, not the browser, so because both the card scanning and the encryption happen outside the computer, there is no unencrypted card data for spyware running on the user's PC to read.

Normally, if you typed the card number in yourself, there are a number of places where spyware or keyloggers could grab the unencrypted data before the browser gets a chance to encrypt it and pass it securely over the net to the store.

This way the spyware would have to be running on the card reader itself (which for now, anyway, isn't an issue: no one has written spyware that runs inside an external card reader), so the data is safe from all current spyware until it reaches the store's end of the chain.
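The data flow described above, modelled as an added example in Go (not code from NetSecure or the SmartSwipe product): a spyware tap on the PC's input path sees the card number when it is typed, but only a blank form and ciphertext when the external reader fills and seals the form. AES-GCM, the session key and the form layout are assumptions standing in for whatever Dynamic SSL actually does on the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Host is the shopper's PC; Tap records every string crossing its input path (i.e. the spyware's view).
type Host struct{ Tap []string }
func (h *Host) Input(s string) string { h.Tap = append(h.Tap, s); return s }

// CardReader is the external device: swiped PAN and session key live inside it, never on the host.
type CardReader struct{ pan string; aead cipher.AEAD }
func NewCardReader(pan string) *CardReader {
	key := make([]byte, 32) // session key generated inside the device (assumed AES-256-GCM)
	if _, err := rand.Read(key); err != nil { panic(err) }
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block: cannot fail
	return &CardReader{pan: pan, aead: aead}
}

// FillAndSeal inserts the swiped PAN into the browser's blank form and returns
// nonce||ciphertext; the filled plaintext form never exists on the host.
func (r *CardReader) FillAndSeal(form string) []byte {
	filled := strings.Replace(form, "card=", "card="+r.pan, 1)
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return r.aead.Seal(nonce, nonce, []byte(filled), nil)
}

// TypedCheckout: the shopper keys in the PAN, so it crosses the host in the clear.
func TypedCheckout(h *Host, pan string) string { return "item=book&card=" + h.Input(pan) }
// DeviceCheckout: the host only ever sees the blank form and the sealed result it relays.
func DeviceCheckout(h *Host, r *CardReader) []byte {
	sealed := r.FillAndSeal(h.Input("item=book&card="))
	return []byte(h.Input(string(sealed)))
}
// TapSaw reports whether the spyware tap ever captured the card number.
func TapSaw(h *Host, pan string) bool { return strings.Contains(strings.Join(h.Tap, "\n"), pan) }

func main() {
	const pan = "4111111111111111" // constructed test card number
	typed, dev := &Host{}, &Host{}
	TypedCheckout(typed, pan)
	DeviceCheckout(dev, NewCardReader(pan))
	fmt.Println("typed path leaks PAN:", TapSaw(typed, pan), "device path leaks PAN:", TapSaw(dev, pan))
}
```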

These are very nice, and I hope they manage to work out deals with the major manufacturers to install these, or better yet a next-generation Chip and PIN version, directly into new PCs.

The SmartSwipe is probably not the only such device out there; the technology to look for if you find another device like it is called Dynamic SSL. I believe Dynamic SSL is the future of secure online shopping.

For a little company from Saskatchewan, they certainly have made inroads, with this device already being carried by Costco, Futureshop, Dell and Amazon, even though it only works with 32-bit Internet Explorer so far. Once it works with other browsers it'll probably become a commonplace tool for regular internet shoppers.

[Ed note: Only a few hours after the initial post, which mentioned only SmartSwipe, a salesperson from HomeATM posted a comment, so I have changed the title to reflect that. Having read the website at http://www.homeatm.net I cannot say for sure how the HomeATM works, but I am really disappointed in the video demo they use to show how secure it is. The fault in the video isn't really with the device itself, but with the method Western Union used to send the money taken from his account to the recipient.

Sure, it was securely transferred from his account to Western Union, but then Western Union sent an unencrypted e-mail to a Gmail account with a web link and all the details, including the password needed to retrieve the funds. Anyone who could intercept that e-mail could take the money before it got to the recipient. Sure, it would then be securely transferred from Western Union to the hacker's account, but the intended recipient is left with nothing.

It is not the device's fault how Western Union chose to implement the transfer. What W.U. should have done is what the Canadian banks on the Interac system do: have the sender create a password that they tell the recipient OUT OF BAND, so that an intercepted e-mail transfer is still protected by a password the intercepting bad guy doesn't know. It is a poor marketing choice to use a video of a system with such an obvious security problem to demonstrate a security device.

The biggest problem I see with the device itself, aside from its being a magstripe and PIN device as opposed to Chip and PIN (which I'm sure will be the next version), is that there doesn't seem to be any way to actually get one.]

2 comments:

John B. Frank said...

1. Is it PCI Certified? One Caveat: Everyone uses "encryption" as a buzz word these days.

2. Does it have a PIN Pad for two factor authentication?

I already know the answer to those two questions, as HomeATM has the only PCI 2.x Certified PIN Entry Device designed exclusively for online transactions, online banking and instant money transfer.

Not only does the HomeATM device encrypt the cardholder data "inside the box" (using 3DES DUKPT), it also encrypts the Track 2 data.

How much does SmartSwipe (without a PIN Pad) cost? Our PCI certified unit (with PIN Pad) is under $25.00. For more information visit: http://www.PINDebit.blogspot.com or http://homeatm.net

John B. Frank
VP Sales & Marketing
HomeATM ePayment Solutions

Rod MacPherson said...

Well there you go. A salesman for a competing product posting within a few hours of the original post.

SSL is encryption, yes. It's just taking over the encryption that the browser would do itself, as it appears your product does, presumably in the same way.

PCI? I doubt it, as it falls well outside the scope of PCI-DSS when used at home. If a business used it as part of the point-of-sale system it would need to be evaluated.

Since the one I mentioned doesn't have a PIN pad, as it is designed only for scanning the magstripe and not for any type of PIN-enabled transactions, it does not do 2-factor auth.

Thanks John for pointing out another great tool.

What is this PCI 2.x you speak of? You can't certify to unreleased standards, so the .x is misleading. I assume you mean PTS 2.1 (PCI council's Pin Transaction Standard), which would make HomeATM the next-gen device I'm waiting for. :)