2. Contents
• Context
• Why does credit card fraud happen?
• How to fix it?
• Rel-ID Credit Card Authentication Service
• How does it work?
• Security Flaws in 3D Secure
• 3D Secure and TruCard
• Payment Model
• Advantages of the service
• About Uniken
3. Context
• The final liability for the damage from a fraudulent credit card transaction lies with the end customer or, sometimes, the issuing bank
• Customers are not aware that their credit card data can be easily stolen and reused
• The basic flaw in the current system is that customers cannot authenticate and verify the transaction before it is approved by the issuing bank
• Uniken is offering its REL-ID CARD AUTHENTICATION SERVICE to the card issuing banks in a SaaS model to secure online credit card transactions.
4. Why does credit card fraud happen?
• Let's first understand how a credit card transaction is processed
• Authorization Process
1. After selecting the mode of payment, the customer provides the credit card details to the website, which submits them to the payment gateway
2. The payment gateway submits them to the merchant bank's processor (acquiring bank)
3. The merchant bank submits them to the credit card network
4. The credit card network submits them to the issuing bank, which checks the validity and credit limit and approves/disapproves the transaction
5. The credit card network relays this decision to the merchant bank's processor, which sends it to the payment gateway and finally to the merchant's website, based on which the merchant decides whether to process the sale
• Settlement Process
1. The issuing bank then pays the credit card network
2. The credit card network pays the merchant bank
3. The merchant bank then deposits this amount in the merchant's account
5. Why does credit card fraud happen?
• The fraud happens because none of the entities in the entire authorization process authenticates the individual providing the credit card details
• The mere knowledge of the credit card data is deemed good enough to “believe” he/she is indeed the authentic credit card holder
• A few solutions attempt to solve this by asking for a password or PIN in addition to the credit card data. However, fraudsters set up phished merchant websites to capture this additional information along with the credit card details (if they are already stealing credit card data by phishing the website, they can just as well get the login/password data!)
• Once the customer comes to know that his/her credit card has been fraudulently used, he/she disputes it with the issuing bank, which then investigates the case. Most of the time the customer is made to bear the impact, as the issuing bank only checks whether the appropriate process was followed by the merchant before issuing the goods. Even if the issuing bank takes the liability, it is then distributed across all its customers
6. How to fix this fraud?
The only way to fix this fraud is to ensure that the credit
card owner (customer) is made to authenticate and
verify the transaction (over a secure channel) by the
issuing bank just before approving and authorizing the
transaction
7. Fundamental limitations of 3D Secure
• In the 3D Secure protocol the credit card holder is authenticated before the transaction is submitted by the merchant's website to the Visa/Mastercard network, and not when the transaction is being approved/authorized by the issuing bank
• The customer cannot authenticate the website where she is submitting the login/password information, and the “personal message” based authentication of the website is vulnerable to MITM and MITB attacks
• Merchant website authentication is not possible, hence customers can still lose their credit card data
• It is mandatory for merchants to integrate their website with the 3D Secure solution (they need to install an MPI and pay substantial fees to the solution provider)
8. REL-ID Credit Card Authentication Service
• The REL-ID Credit Card Authentication server will seamlessly integrate with the issuing bank's transaction and card authorization system
• The TruCard software will be freely distributed to the customer
• The issuing banks can avail this service with zero investment in infrastructure
• If the issuing bank has implemented 3D Secure, then TruCard works seamlessly with the 3D Secure solution; TruCard ensures that the login/password information is protected from MITM and MITB attacks
• If the issuing bank has not implemented the 3D Secure solution, then TruCard will ask for a PIN to turn itself ON and authenticate the customer
• The TruCard solution has absolutely NO dependence on the merchants or on the type of card network (Visa/Mastercard)
• The TruCard solution does not require any credit card data of the customer
• The integration of this service into the issuing bank's authorization process will be free
• The issuing bank can disable this service at any point in time with just a 60 day notice, with no impact on user experience
9. How will this work?
(Without 3D Secure)
Activation of TruCard
• The issuing bank will notify its customers to download and install the TruCard software on their personal computers
• The customer will go to the issuing bank's website to register for the service; on successful registration, the issuing bank will create a customer ID and provide the customer with a link to download the TruCard software
• On installation, the TruCard software will prompt the customer to set up the PIN for the software and will ask for the activation code that was sent to the customer’s mobile phone or email account during registration on the issuing bank's website.
Online Transaction
• The customer goes to the merchant's website and provides credit card information for purchase
• The issuing bank’s card authorization system, on receiving any request for authorization from the credit card network, will send the transaction details along with the customer ID (created during registration) to the REL-ID Card Authentication server
• The REL-ID Card Authentication server will send the information to the customer's TruCard
• The TruCard will authenticate the customer by requesting the PIN; if the TruCard has been configured to Auto-ON mode, then the customer will directly verify the transaction and approve it
• The issuing bank, after receiving an OK from the REL-ID Card Authentication server, will approve the transaction to the credit card network
13. User Experience - Online Purchase
(without 3D Secure)
14. How will this work?
(With 3D Secure)
Activation of TruCard
• The issuing bank will notify its customers to download and install the TruCard software on their personal computers
• The customer will go to the issuing bank's website to register for the service; on successful registration, the issuing bank will create a customer ID and provide the customer with a link to download the TruCard software
• On installation, the TruCard software will prompt the customer to set up the PIN for the software and will ask for the activation code that was sent to the customer’s mobile phone or email account during registration on the issuing bank's website.
• The TruCard will display a personal message (set during registration) to ensure authenticity of the software
• Once registered, the customer can install the software on as many computers as she wants directly from the website
Online Transaction
• The customer goes to the merchant's website and provides credit card information for purchase
• The issuing bank’s card authorization system, on receiving any request for authorization from the merchant plug-in, will send a request for the 3D Secure credentials, along with the customer ID and personal message, to the REL-ID Card Authentication server
• The REL-ID Card Authentication server will send the information to the customer's TruCard
• The TruCard will accept the customer's 3D Secure credentials and pass them on to the 3D Secure ACS
• The 3D Secure ACS will authenticate and redirect to the merchant website for it to submit the transaction
Optional (Transaction Verification)
• If the TruCard has been configured to Auto-ON mode, then the customer can further verify the transaction and approve it
• The issuing bank, after receiving an OK from the REL-ID Card Authentication server, will approve the transaction to the credit card network
20. 3D Secure and TruCard
1. 3D Secure: 3D Secure cannot protect from phishing and MITM attacks; it is very easy to steal the 3D Secure login/password information
   TruCard: Protects from phishing and MITM due to the RMAK mutual authentication protocol
2. 3D Secure: It mandates the merchant to participate in 3D Secure to make it work
   TruCard: TruCard DOES NOT require the merchant to participate in the solution and is completely independent of merchants
3. 3D Secure: In 3D Secure the transaction data shown to the customer during authentication are as submitted by the customer to the merchant, and not the data submitted by the merchant for authorization (the customer may think she is approving USD 200 while the actual transaction submitted to the card network could be USD 210)
   TruCard: The transaction data shown to the customer for verification is the same that the bank has received for authorization from the credit card network
4. 3D Secure: 3D Secure requires the customer to authenticate every time they do an online transaction; TruCard requires the customer to authenticate only once to turn it ON (optionally it can be turned ON automatically, without asking for the PIN every time)
   TruCard: Does not require the customer to authenticate every time
5. 3D Secure: 3D Secure requires PKI (digital certificates), making it extremely costly to implement and maintain
   TruCard: Does not require PKI; it is based on the RMAK protocol (which provides for encryption and mutual authentication).
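Row 3 of the comparison above and the issuer-side steps in the "How will this work?" slides both rest on one check: the customer approves the transaction details the bank actually received, and that approval cannot be reused for different details. The Python model below is an added example, not Uniken's code; the class names, field names and the HMAC over a key shared at activation are assumptions standing in for the RMAK channel, which the deck does not specify.

```python
import hmac, hashlib, json, secrets

def mac(key: bytes, payload: dict) -> str:
    # Canonical JSON so both sides authenticate exactly the same bytes.
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Issuer:
    """Issuing bank's authorization step (hypothetical model)."""
    def __init__(self):
        self.keys = {}     # customer_id -> key shared at activation (assumption)
        self.pending = {}  # nonce -> details as received from the card network

    def register(self, customer_id: str) -> bytes:
        self.keys[customer_id] = secrets.token_bytes(32)
        return self.keys[customer_id]

    def request_verification(self, customer_id, merchant, amount_cents, currency):
        # The challenge carries what the bank received, plus a one-time nonce.
        details = {"customer_id": customer_id, "merchant": merchant,
                   "amount_cents": amount_cents, "currency": currency,
                   "nonce": secrets.token_hex(16)}
        self.pending[details["nonce"]] = details
        return details, mac(self.keys[customer_id], details)

    def authorize(self, nonce: str, decision: str, tag: str) -> bool:
        details = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if details is None:
            return False
        expected = mac(self.keys[details["customer_id"]], {**details, "decision": decision})
        return decision == "approve" and hmac.compare_digest(expected, tag)

class Agent:
    """Customer-side agent holding the activation key (hypothetical model)."""
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, details: dict, tag: str, intended_cents: int):
        if not hmac.compare_digest(mac(self.key, details), tag):
            return None  # challenge was not produced by the issuer
        # Stands in for the customer reading the amount on screen.
        decision = "approve" if details["amount_cents"] == intended_cents else "decline"
        return decision, mac(self.key, {**details, "decision": decision})

if __name__ == "__main__":
    bank = Issuer()
    agent = Agent(bank.register("cust-001"))  # constructed customer ID
    d, t = bank.request_verification("cust-001", "shop.example", 21000, "USD")
    decision, tag = agent.respond(d, t, intended_cents=20000)
    print(decision, bank.authorize(d["nonce"], decision, tag))
```

The issuer fails closed: a missing, replayed or mismatched response leaves the transaction unapproved.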
21. 3D Secure and TruCard
• We have already implemented 3D Secure – now what?
– TruCard seamlessly integrates with 3D Secure
– The user experience does not change at all, and TruCard fixes all the flaws in the 3D Secure solution
– Instead of showing a web page to capture the 3D Secure login/password information (which is prone to phishing and MITM attacks), TruCard will accept the 3D Secure login/password and send it to the issuer's authentication server
– TruCard will eliminate MITM and phishing attacks completely
– TruCard provides for Transaction Verification, Transaction Log and, more importantly, credit card statements on demand
22. SMS based solutions and their limitations
• SMS cannot ensure confirmation of the delivery of the message, more so in real time, and the customer may end up doing the transaction again and again
• SMS is not a secure channel, as the transaction information is sent over an unencrypted SMS channel
• There are simple attacks available to change the mobile number of the credit card owner (due to flaws in the mobile number registration process).
23. TruCard SAAS Model
• The issuing bank will NOT be charged anything for integrating the
REL-ID Card Authentication Server with their credit card
authorization and approval system
• The customer will NOT be charged anything for downloading and
installing the TruCard Software
• The issuing bank will be charged a fixed % of the transaction
amount for every transaction verification and authentication done
by the customer or based on a monthly rental model
• The issuing bank will be billed on a monthly basis
24. Advantages of REL-ID TruCard Authentication Solution
• The TruCard is a software agent that is very easy to download and
install
• The customer has to register for this service with the banks and
REL-ID authentication service does not retain any credit card
details
• The customer has to authenticate to TruCard using a
password/pin to turn it ON (it can be optionally turned ON
automatically by remembering the credentials)
• TruCard communicates with the REL-ID Card Authentication
Server over a mutually authenticated encrypted channel (all
authentication/approval data is sent over this channel)
• There are no upfront costs to the issuing bank as they do not have
to invest anything to enable this service
26. Uniken Introduction
UNIKEN is a technology innovation and product engineering firm that works closely with its customers to provide high quality products that meet their business automation and cutting edge technology needs.
We specialize in taking our in-house innovations from concept through to production through patented product engineering design methodologies. Our staff includes 50+ product designers and engineers, technologists and researchers with backgrounds in computer science, software technology, embedded systems and professional services.
As a company we invest in technology innovation, product design and product engineering.
Headquartered in Tampa, FL, US, with offices in the US and India, we have an R&D and Product Engineering Center in India.
27. What does Uniken do?
[Diagram labels: Market Analysis and Problem Specifications; Technology R&D; Business Requirements; Customers; Product Engineering; Product Delivery; Products]
• UNIKEN Technology R&D Center
– Concept innovation and rapid prototyping
– Conducts research in Information Security, Pattern Recognition, Embedded Systems and Performance Modeling
• UNIKEN Product Engineering Group
– Customized product development
– Requirements Analytics
– Product Design (patent pending process)
– Product Development
– Performance Testing
• UNIKEN Products
– Customized Business Automation Products
– REL-ID (Identity Security)
– DEEKSHA (e-Learning)
– SHOPPEX (Mobile Shopping)
28. Uniken - Management Team Profile
(Name: designation; qualifications; details of relevant work experience; experience)
• Sanjay Deshpande: CEO, Director; M. S. (Computer Science); Tata Research Development & Design Centre, Infosys Technologies Ltd., Persistent Systems Pvt. Ltd.; 13 years
• Nanjundeaswar Ganapathy: CTO, Director; B. Tech. (IIT Kharagpur); Infosys Technologies Ltd.; 12 years
• Prakash Salvi: CDO, Director; B. Tech (Computer Science); IMR Global; 15 years
• Vivek Saxena: CBO; PGDM (IIM Ahmedabad); Tata Consultancy Services, Infosys Technologies Ltd.; 16 years
• Nilesh Dhande: COO, Director; MBA (Systems); Infosys Technologies Ltd.; 9 years
• Subramanian Gopalan: Advisor to the Board; B. Tech.; Six Sigma Master Black Belt, Director of Sourcing, GE, Greater China; 40 years
• Dr. Pat Shankar: Advisor to the Board; Ph. D.; Chief Scientist – Motorola Biometrics Division; 30 years
• Dr. Lev Goldfarb: Advisor to the Board; Ph. D.; Associate Professor, University of New Brunswick; 20 years
• Ajay Dubey: Director; B. Tech. (IIT Kanpur); VP - Infosys Technologies Ltd., COO - Persistent Systems Pvt. Ltd.; 25 years