NetSecure SmartSwipe credit card reader
Because you can never be too safe on-line
Review We’re constantly hearing stories about credit card fraud and identity theft on the Internet, so the Canadian company NetSecure has come up with a gadget called the SmartSwipe that aims to provide people with a little extra peace of mind when using their credit card online.
Card sharp: NetSecure's SmartSwipe
The SmartSwipe is a small egg-shaped scanning device with a slot for swiping your credit card through. It reads the magnetic stripe on the card and then automatically enters the card number into a web page without you having to type it yourself, thereby foiling malware such as keyloggers that might record the number as you type it in. Whether it also defeats malware that reads the form field or the outgoing request rather than your keystrokes depends on how the number reaches the page, which this review does not test.
Once you’ve installed the SmartSwipe software and downloaded the latest updates you simply plug the SmartSwipe into a USB port on your PC and get ready to go shopping. It’s PC-only though, with no support for Macs – and even on a PC it will only work when you’re shopping online with Internet Explorer. Rival browsers such as Firefox aren’t supported.
Each time you subsequently launch Internet Explorer, you’ll see the SmartSwipe ‘welcome’ screen appear, reminding you that it’s safe to start shopping. You can turn this welcome screen off if it gets annoying, but people who are still a bit nervous about shopping online might find this reminder reassuring.
You’ll also notice a new SmartSwipe button appear on the Internet Explorer toolbar. When you’re ready to make a purchase and enter your credit card details onto a web page you simply click on the SmartSwipe button and then slide the credit card through the SmartSwipe scanner.
From the Company's founder
First of all, I should introduce myself as the guy who actually invented the technology behind the product. It seems like a lot of people have misconceptions about the technology. And that criticism is fair - to date we haven't done a good enough job about making technical details of the product available (though they are publicly available if you look - we're not hiding anything). We are in the process of changing that, and will be introducing a section of our website explaining the technology. In the meantime, I recommend you download the whitepaper from www.dynamic-ssl.com to understand exactly what the technology is and how it works.
In the meantime, to alleviate any concerns or misconceptions, I'd like to clarify exactly what the product does, and how it is, in fact, secure.
We use a new process called "Dynamic SSL" to secure the information. What Dynamic SSL does is allow externally encrypted data (e.g. from a card reader) to merge seamlessly with the browser's SSL session, using a tokenization approach to ensure that your real credit card data is never present in the browser (or even at any of the layers below it). If you use a script or HTTP proxy to check the data in the browser or the HTTP request, you'll note that your card number isn't present.
Because your card number is never present, it renders your sensitive information immune to virtually all endpoint attacks, not just keyloggers. If you don't believe me, buy one and try and hack it. I bet you'll be surprised.
As mentioned above, the one thing the device does NOT protect against is sloppy merchant practices. Your first thought may be that this is where most of the risk is. While that was true even a few years ago, it's not as much today. Industry initiatives such as PCI compliance are dramatically lowering the risk on the merchant end, which is driving most of the cyber-criminals to focus on endpoint attacks such as malware, scareware, phishing, etc. Given that even the most effective endpoint protection is reactive (e.g. works after the fact) and only effectively stops less than 50% of emerging threats, something is needed to protect the end user. That's why this device was invented.
For the tech savvy who know how to protect themselves, it may not be so useful. However, there are a lot of people out there who don't have the knowledge or ability to effectively recognize threats and protect themselves. This product is for them.
If you have questions, let me know. I'm happy to respond to any feedback, both positive and negative.
For what it's worth
I am from the company, so take what I say with a grain of salt, but I was hoping I could clear a couple of things up.
First off, thank you for posting these comments. It has shown me we have done a bad job of making important information available to the public. Because of this thread we are going to put up a section of our website dedicated to showing how SmartSwipe works in a more technical way.
I am not going to ramble (too much) about how great I think SmartSwipe is, but one common misconception is that we only protect from keyloggers. We also protect from different kinds of malware, spyware, man-in-the-middle attacks, man-in-the-browser attacks, and it even has some phishing protection. We do this by encrypting the information in the device before it reaches the user's computer, and it is not decrypted until it reaches the merchant. The merchant receives the information in the same way they always have because SmartSwipe uses regular SSL encryption. SmartSwipe simply extends that encryption beyond the user's computer: endpoint-to-endpoint encryption.
The reason we started with Internet Explorer (with Firefox coming very soon) is because it was the browser most in need of a security solution and it was the most used browser by far when we started development.
Anyway, thanks for letting me post here. If you would be interested in reading about SmartSwipe security in detail, visit dynamic-ssl.com (Dynamic SSL is what SmartSwipe uses for security).
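The founder's post above invites readers to use a script or HTTP proxy to confirm that the card number never appears in the browser or the request, and the second company post says the number is encrypted inside the device and only decrypted at the merchant. The following is an added example written for this thread, not NetSecure's code and not an implementation of Dynamic SSL: a small Python PAN detector that scans captured text for Luhn-valid card numbers, which is the check you would run over a proxy log to test the claim. The four captures are constructed for the example; 4111 1111 1111 1111 is the standard Visa test number, and the token value is a placeholder, since the page does not describe the real token format.

```python
"""PAN detector for checking whether a card number is present in a capture.

Added example for this thread, not NetSecure's code and not the Dynamic SSL
protocol. It implements the check the founder invites: point an HTTP proxy at
the browser, then scan what you captured for Luhn-valid card numbers.
"""
import re
from typing import Dict, List, Optional

# A run of 13-19 digits, optionally split by spaces or dashes, bounded by
# non-digits. Candidates are then filtered with the Luhn checksum.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used for card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the distinct Luhn-valid card numbers found in text, separators removed."""
    found: List[str] = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def pan_from_track2(track2: str) -> Optional[str]:
    """Extract the PAN from an ISO 7813 Track 2 string, ';PAN=YYMMsss...?'."""
    m = re.fullmatch(r";(\d{13,19})=\d*\??", track2.strip())
    return m.group(1) if m else None


# Constructed sample captures (4111 1111 1111 1111 is the usual Visa test PAN).
# What a plain keyboard-wedge reader types: raw Track 2 with the PAN in the clear.
TRACK2_CAPTURE = ";4111111111111111=2512101123456789?"
# A checkout POST body as a proxy would log it when the card number is typed.
FORM_POST_PLAIN = "cardnumber=4111 1111 1111 1111&expiry=12%2F25&cvv=123"
# The same POST if only an opaque token reaches the browser (placeholder token;
# the real Dynamic SSL token format is not described on this page).
FORM_POST_TOKEN = "cardnumber=tok_7c2e9a4f1b3d&expiry=12%2F25&cvv=123"
# A 16-digit order number that is not a card number: the Luhn filter drops it.
ORDER_POST = "order=1234567890123456&total=19.99"


def report(captures: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each capture name to the PANs found in it; an empty list means none."""
    return {name: find_pans(text) for name, text in captures.items()}


if __name__ == "__main__":
    results = report({
        "track2": TRACK2_CAPTURE,
        "plain": FORM_POST_PLAIN,
        "token": FORM_POST_TOKEN,
        "order": ORDER_POST,
    })
    for name, pans in results.items():
        verdict = "PAN EXPOSED: " + ", ".join(pans) if pans else "no PAN found"
        print(f"{name:7s} {verdict}")
```

Feed it a saved request body or proxy log from your own machine to test the claim: a hit in the browser-side capture means the number was present at that layer, whatever the device does upstream. The check is only as good as the capture point; a clean HTTP capture says nothing about what a logger sitting on the USB side would see, which is where the raw Track 2 sample comes in.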
more thorough review needed
I can see potential benefit in dedicated hardware for e-commerce authentication so long as it can't be trivially defeated. This requires more detailed review of such devices than in this article. If the manufacturer doesn't publish the design and protocol to maximise independent peer review, Kerckhoffs's law and experience of thousands of badly designed and insecure products proves vendors' "security by obscurity" claims to be worthless, and such reviews need to point this out. If these details are published, a quality review needs to consider the implementation details more expertly.
Good stuff thanks. That answers a lot of questions that the review didn't even ask and in my opinion should have done. It deals with all but two of my original misgivings, those that remain being:
1. Using the product requires placing implicit trust in your company, essentially an unknown third party. I guess this could be ameliorated by various verification schemes which you may already have in place. Something which embeds itself in the CSP obviously already has been verified by MS but many people wouldn't view that as enough reassurance.
2. The banner "You are now safe to shop online" is still presumptive - surely there are plenty of other dangers, not least at the merchant end. Even a product which offers good security should be wary of claiming it is offering more than it does.
Kudos for coming back and setting me and others straight.
"Will work for a while, then the next batch of loggers will target track 2 ABA encoded data on the USB port and grab the details there"
That's optimistic. I'm betting the next batch of loggers won't bother because the target market won't be worth the return on investment! Besides, as pointed out, I'm betting it's implemented via the HID interface, thus only protecting against physical keyloggers. Physical keyloggers aren't used to nick credit card details.
"Also, the people that would use these devices are also the same people that are most likely to be hit by the sort of stealth malware that installs loggers"
Actually I'm thinking it's an oxymoron - the type of people that are most likely to need something like this, will not even realise it and would never buy it.
Ignorance is bliss!