HomeATM CEO, Ken Mages (along with one of HomeATM's Engineers, Jimmy Tang) have collaborated on a White Paper outlining why a software approach to bringing PIN Debit to the Internet is not safe.
To view the White Paper in PDF file, I have included a link below.
To enlarge the photos of each individual page, you can simply click the picture and it will enlarge to a size large enough to read it.
Suffice it to say that that HomeATM believes that, from a Hardware vs. Software/ Security vs. Convenience standpoint, Internet PIN Debit transactions done on a PC is...
Doing It Wrong
Page 1
Click to Enlarge
Page 1
Click to Enlarge
Page 2
Click to Enlarge
Click to Enlarge
I read your PDF on PIN debit. Long ago, Safenet/Eracom had suggested use of an applet that would use a dynamically generated key to encrypt the PIN as it was entered on the web browser. Thus the PIN would be safe after reaching the web server, when https would end
What it is your objection to this method?
"If it (the PIN) was entered on the web browser" it can be screen scraped, mouse click captured, or keylogged before it gets to the applet.
Thanks for you question. I have a three part answer. 1. You say "Long ago" to which I reply, long ago, hackers "hacked" for notoriety, whereas now they "hack for profit." So whatever they came up with "long ago" would probably be considered "insecure" today. Keep in mind, typing your Primary Account Number into a box was much safer "long ago" than it is today and is safer today than it will be tomorrow. Nothing motivates more than money or family and the family of hackers are more than extremely motivated at this juncture.
2. You say an applet would use a dynamically generated key" (similar to DUKPT) as it was "ENTERED" on the web browser. Our position is and has been consistent. One should NEVER "Enter/Type/ PANs or PINs into a web browser. If it's on the screen, it's in the hackers hands. It is subject to keylogging, screen scraping, memory scraping (the list goes on) let alone a PIN, which is the "holy grail" for hackers.
3. You mention this would make it safe after reaching the web server when "https" would end. I've done several posts exposing https as "not safe."
If you'd like to find out more, you can use the "Search HomeATM Blog Search Tool" located on the top of the left sidebar and search "https" for articles discussing how https is more like httb.s.
Excellent question and if you have a follow-up to it, feel free to post!
JBF