The other day I stumbled across a blog posting (which I cannot, for the life of me, find now) which offered a new solution to the issue of credit/debit cards being so insecure.
The idea was that RSA key pairs would be used to identify and authenticate people, which would add extra layers of security to transactions. I think this is a great idea, so below I’ve outlined my solution which sort of forks the one I read.
When a person first request a credit card from their bank, the bank generates a secure RSA key pair for the person. The bank then updates their servers with the person’s public key.
When a person makes a purchase, (note: this is where I borrow from the blog I read) the vendor creates a QR or other scannable code that’s encrypted with the client’s public key that the client then scans into their phone or other device’s credit card application. (Borrowed/inspired portion ends here.)
The user would then be prompted to accept or decline the transaction. If accepted, the user would enter their RSA private key’s passphrase, and then their signed message containing the transaction details would be sent to their bank’s servers. The bank would check the signature, see if it’s valid or not, and then complete the transaction as it occurs now.
This mostly solves the fraud problem, because in order for the client to be able to decrypt the transaction code, the client would have to have the correct QR code. If the client couldn’t decrypt and send the signed message to the bank’s server, then the transaction would fail and it would be apparent that the client is doing something wrong.comments powered by Disqus