Abstract: | With the rapid growth of e-commerce, transactions are shifting from physical to online channels. Chip-card (IC card) payment is already widely accepted in the traditional, card-present environment, so offering a secure chip-card payment method over the Internet should raise consumer acceptance of paying with a chip card online. For this reason, in February 1996 VISA, MasterCard, Netscape, Microsoft and other companies drew up the Secure Electronic Transaction (SET) specification, a security specification designed specifically for online credit-card payment.
Although SET's own transaction flow is carefully and securely designed, it does not defend against a threat that has become prominent in recent years: keylogging malware. An attacker can take the user information captured by a keylogger and mount a replay attack, impersonating the consumer to make fraudulent transactions. In addition, using SET incurs extra cost and requires installing software such as an electronic wallet, so adoption has been poor. This research therefore uses SAML, following the current EMV chip-card specification, to perform two-factor authentication (a passcode and a certificate) between the consumer's chip card and the acquiring bank before the transaction is confirmed, so as to prevent the attacks described above. The result is an online transaction mechanism that is secure and convenient, and that is open, which makes it easier to promote. |
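The security point the abstract makes, that anything a keylogger captures (a typed passcode) can be replayed, while a second factor the user holds rather than types can be bound to a fresh server challenge and so cannot be replayed, is illustrated below in an added Python example. This is not the thesis' protocol: it is standard-library only, so an HMAC-SHA256 cryptogram over a card-held key stands in for the certificate-based proof and the SAML exchange the thesis describes. The card ID, card key, passcode and transaction amounts are constructed sample data, and the `Acquirer` and `ChipCard` classes are hypothetical names for the two parties.

```python
import hashlib
import hmac
import secrets

# Constructed sample data for this illustration (not from the thesis)
CARD_ID = "card-0001"
CARD_KEY = bytes.fromhex("0f" * 32)   # secret held on the chip; never typed, so never keylogged
PASSCODE = "1234"                      # typed by the consumer; a keylogger sees this


def passcode_hash(passcode: str, salt: bytes) -> bytes:
    """Slow salted hash so the acquirer never stores the passcode itself."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 50_000)


class ChipCard:
    """Second factor ('something you have'): computes a cryptogram over a fresh challenge.
    The HMAC over a card-held key is a stand-in for the certificate-based proof in the thesis."""

    def __init__(self, card_id: str, key: bytes):
        self.card_id = card_id
        self._key = key

    def cryptogram(self, nonce: str, amount: int) -> str:
        msg = f"{self.card_id}|{nonce}|{amount}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class Acquirer:
    """Verifier: holds passcode hashes and card keys, issues single-use challenges."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._pass_hashes = {CARD_ID: passcode_hash(PASSCODE, self._salt)}
        self._card_keys = {CARD_ID: CARD_KEY}
        self._open_challenges = {}   # card_id -> nonce that has not been used yet

    def issue_challenge(self, card_id: str) -> str:
        nonce = secrets.token_hex(16)
        self._open_challenges[card_id] = nonce
        return nonce

    def verify_passcode_only(self, card_id: str, passcode: str) -> bool:
        """Legacy single-factor check: anything a keylogger captured can be replayed."""
        expected = self._pass_hashes.get(card_id)
        if expected is None:
            return False
        return hmac.compare_digest(expected, passcode_hash(passcode, self._salt))

    def verify_two_factor(self, card_id, passcode, nonce, cryptogram, amount) -> bool:
        if not self.verify_passcode_only(card_id, passcode):
            return False
        # The challenge is consumed on first use, so a captured message cannot be replayed;
        # presenting a wrong nonce also burns the open challenge and forces a fresh round trip.
        if self._open_challenges.pop(card_id, None) != nonce:
            return False
        expected = ChipCard(card_id, self._card_keys[card_id]).cryptogram(nonce, amount)
        return hmac.compare_digest(expected, cryptogram)


def legitimate_transaction(acq, card, passcode, amount):
    """One honest round trip; also returns the message a keylogger or sniffer could capture."""
    nonce = acq.issue_challenge(card.card_id)
    msg = (card.card_id, passcode, nonce, card.cryptogram(nonce, amount), amount)
    return acq.verify_two_factor(*msg), msg


def demo():
    acq = Acquirer()
    card = ChipCard(CARD_ID, CARD_KEY)
    legit, captured = legitimate_transaction(acq, card, PASSCODE, 1500)
    card_id, passcode, nonce, cryptogram, amount = captured

    # Attack 1: replay the entire captured message -> rejected, the nonce is already consumed
    full_replay = acq.verify_two_factor(card_id, passcode, nonce, cryptogram, amount)

    # Attack 2: attacker knows only the keylogged passcode, obtains a fresh challenge,
    # but has no card key and must forge the cryptogram -> rejected
    fresh = acq.issue_challenge(card_id)
    forged = hmac.new(b"attacker-guess", fresh.encode(), hashlib.sha256).hexdigest()
    forge = acq.verify_two_factor(card_id, passcode, fresh, forged, 9999)

    # Baseline: a passcode-only check accepts the replayed passcode (the keylogger problem)
    legacy_replay = acq.verify_passcode_only(card_id, passcode)

    return {"legit": legit, "full_replay": full_replay,
            "keylogged_passcode_forge": forge, "legacy_passcode_replay": legacy_replay}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the second factor's proof covers the acquirer's nonce and the amount, so a captured proof is useless for a later or different transaction even if the attacker also captured the passcode; the passcode alone, which is all a keylogger can see, never lets the attacker produce a proof for a fresh challenge.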