Prashant Dewan and David Durham, Intel
Secure Digital Wallet Portal (SDWP) enables the users to manage their credentials for various banks, e-commerce websites, e-mail servers on laptops, desktops and MIDs so that their susceptibility to identity fraud is minimized. Identity fraud is one of the ways by which the criminals on the Internet steal innocent user’s credentials and use it for illegitimate purposes. Criminals can steal credit card numbers to buy things on the Internet and tarnish our credit history. It can take a few days to a few months with lots of pain for the owner of the card to recover from such misuse. In the extreme cases the damage done could be irreparable.
The concept of digital wallets is a decade old. The early attempts forced users to download software for each merchant; later the merchants started storing user’s information on the merchant’s sites thereby raising privacy concerns. Subsequently each merchant had its own data format leading to the Electronic Common Modeling Language (ECML) Standard (D. Eastlake, T. Goldstein, RFCc3106 - ECML v1.1: Field Specifications for E-Commerce, April 2001, Available: http://www.faqs.org/rfcs/rfc3106.html). Moreover with the advent of near field technology (NFC) the same wallets can be used for traditional physical merchants and in online e-commerce.
Traditionally the e-commerce industry has used smart cards, smart dongles etc. for various forms of wallet applications. Besides adding to the cost, these hardware solutions are susceptible to increasingly smart malware attacks running on the user’s platform. In addition, more and more users are being exposed to phishing attacks. There also have been attempts to use single sign-on mechanism by certain web portals.
The digital wallet portal will be present on multitude of devices possessed by the user: laptops, to desktops, to cell phones etc. A user would be able to seamlessly transfer credit cards and digital money across different devices and use it for e-commerce and traditional commerce. The credit card information stored in the platform will only be transferred to the user-authorized third parties. The digital wallet will be protected against malware running in the operating system like key loggers, screen scrapers, phishing etc., resilient to social engineering, and can be made defunct if the device is stolen. Finally, it allows users to store e-tickets. SDWP uses ECML to populate merchant websites on user approval. In addition, it enables the user to validate transaction information before accepting the transaction and thereby safeguarding the user against phishing attacks.
SDW is based on security visor developed using CPU and memory virtualization to restrict illegitimate accesses to user credentials in transit and at rest. The access control is enforced under the operating system without modifying the OS kernel. More specifically the confidential information is encrypted while on disk and maintained in an enclave while in memory in a fashion that only an authenticated and validated code can access this information. Even the graphics rendered on the screen is under strict access control enforced by the security visor. The user’s information is stored on the user’s platform and shared only with the authorized services.
Digital Wallets are making a comeback especially in the ultra mobile platforms. SDWP advances the state-of-art by providing digital wallet usable across multitude of e-commerce sites and providing protection against platform resident malware and other forms of phishing attacks.