The credit card number and its additional three-digit security code are automatically scanned and entered onto the web page for you. These numbers are encrypted as they’re scanned and are not displayed on the web page. So, as well as bypassing keyloggers, the SmartSwipe also keeps the card number safe from prying eyes.
There is one loophole, though. You do still need to type in other details, such as your name, address and telephone number, so there’s still potential for keyloggers to get hold of some of your personal details there.
I tested the SmartSwipe by making a number of small purchases online and it did work perfectly well. The only real question is how badly you need that extra level of protection.
The main places where I tend to spend money online are the iTunes Store and Amazon, both of which keep your card details permanently on record – as many other online retailers tend to do as well – so you don’t actually need to re-type your credit card number each time you make a new purchase anyway. And, of course, there are options such as PayPal that can also be used to protect credit card numbers online.
Tech-savvy readers of the Register may well feel that they simply don’t need a device like the SmartSwipe, especially at £70 a pop. Even so, the SmartSwipe might be worth purchasing as a gift for elderly relatives or others who don’t feel comfortable using their credit card online – if only because it provides peace of mind rather than water-tight security. Now, where did I put that credit card..? ®
From the Company's founder
First of all, I should introduce myself as the guy who actually invented the technology behind the product. It seems like a lot of people have misconceptions about the technology. And that criticism is fair - to date we haven't done a good enough job about making technical details of the product available (though they are publicly available if you look - we're not hiding anything). We are in the process of changing that, and will be introducing a section of our website explaining the technology. In the meantime, I recommend you download the whitepaper from www.dynamic-ssl.com to understand exactly what the technology is and how it works.
In the meantime, to alleviate any concerns or misconceptions, I'd like to clarify exactly what the product does, and how it is, in fact, secure.
We use a new process called "Dynamic SSL" to secure the information. What Dynamic SSL does is allow externally encrypted data (e.g. from a card reader) to merge seamlessly with the browser's SSL session, using a tokenization approach to ensure that your real credit card data is never present in the browser (or even at any of the layers below it). If you use a script or HTTP proxy to check the data in the browser or the HTTP request, you'll note that your card number isn't present.
Because your card number is never present, it renders your sensitive information immune to virtually all endpoint attacks, not just keyloggers. If you don't believe me, buy one and try and hack it. I bet you'll be surprised.
As mentioned above, the one thing the device does NOT protect against is sloppy merchant practices. Your first thought may be that this is where most of the risk is. While that was true even a few years ago, it's not as much today. Industry initiatives such as PCI compliance are dramatically lowering the risk on the merchant end, which is driving most of the cyber-criminals to focus on endpoint attacks such as malware, scareware, phishing, etc. Given that even the most effective endpoint protection is reactive (e.g. works after the fact) and only effectively stops less than 50% of emerging threats, something is needed to protect the end user. That's why this device was invented.
For the tech savvy who know how to protect themselves, it may not be so useful. However, there are a lot of people out there who don't have the knowledge or ability to effectively recognize threats and protect themselves. This product is for them.
If you have questions, let me know. I'm happy to respond to any feedback, both positive and negative.
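The claim above, that the card number is absent from the browser and from the HTTP request, is one a reviewer can check independently by capturing the request in an intercepting proxy and scanning the body for card-number patterns. The following is an added example written for this page, not the vendor's code and not a description of how Dynamic SSL works internally; the two form bodies are constructed, and the `tok_` token format is an assumption. It also reports which form fields are still sent in the clear, which is the loophole the review itself raises.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample request bodies (not captured from the real product).
# The first carries a raw PAN as an ordinary form field; the second carries an
# opaque token of the kind a tokenizing reader might substitute (assumed format).
PLAINTEXT_BODY = ("name=Jane+Doe&address=1+High+St&phone=01234567890"
                  "&card=4111111111111111&cvv=123")
TOKENIZED_BODY = ("name=Jane+Doe&address=1+High+St&phone=01234567890"
                  "&card=tok_8f3a1c77e2b94d0d&cvv=tok_5e21")

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(body: str) -> list[str]:
    """Return every Luhn-valid card-number candidate found in a request body.

    A phone number or order id of the wrong length or check digit is ignored,
    so a hit is a strong sign the PAN reached the browser in the clear.
    """
    hits = []
    for m in _PAN_CANDIDATE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def cleartext_fields(body: str) -> list[str]:
    """Names of form fields whose values are not tokens (assumed 'tok_' prefix).

    Even when the PAN is tokenized, these fields are what a keylogger or
    browser-resident malware can still read.
    """
    return [k for k, v in parse_qsl(body) if not v.startswith("tok_")]
```

Running `find_pans` over a proxy capture shows whether the card number is present; `cleartext_fields` shows that name, address and phone number still travel as typed.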
For what it's worth
I am from the company, so take what I say with a grain of salt, but I was hoping I could clear a couple of things up.
First off, thank you for posting these comments; it has shown me we have done a bad job of making important information available to the public. Because of this thread we are going to put up a section of our website dedicated to showing how SmartSwipe works in a more technical way.
I am not going to ramble (too much) about how great I think SmartSwipe is, but one common misconception is that we only protect from keyloggers. We also protect from different kinds of malware, spyware, man-in-the-middle attacks and man-in-the-browser attacks, and it even has some phishing protection. We do this by encrypting the information in the device before it reaches the user's computer, and it is not decrypted until it reaches the merchant. The merchant receives the information in the same way they always have because SmartSwipe uses regular SSL encryption. SmartSwipe simply extends that encryption beyond the user's computer: endpoint-to-endpoint encryption.
The reason we started with Internet Explorer (with Firefox coming very soon) is because it was the browser most in need of a security solution and it was the most used browser by far when we started development.
Anyway, thanks for letting me post here. If you would be interested in reading about SmartSwipe security in detail, visit dynamic-ssl.com (Dynamic SSL is what SmartSwipe uses for security).
More thorough review needed
I can see potential benefit in dedicated hardware for e-commerce authentication so long as it can't be trivially defeated. This requires more detailed review of such devices than in this article. If the manufacturer doesn't publish the design and protocol to maximise independent peer review, Kerckhoffs' Law and the experience of thousands of badly designed and insecure products prove vendors' "security by obscurity" claims to be worthless, and such reviews need to point this out. If these details are published, a quality review needs to consider the implementation details more expertly.
Good stuff thanks. That answers a lot of questions that the review didn't even ask and in my opinion should have done. It deals with all but two of my original misgivings, those that remain being:
1. Using the product requires placing implicit trust in your company, essentially an unknown third party. I guess this could be ameliorated by various verification schemes which you may already have in place. Something which embeds itself in the CSP obviously already has been verified by MS but many people wouldn't view that as enough reassurance.
2. The banner "You are now safe to shop online" is still presumptive - surely there are plenty of other dangers, not least at the merchant end. Even a product which offers good security should be wary of claiming it is offering more than it does.
Kudos for coming back and setting me and others straight.
"Will work for a while, then the next batch of loggers will target track 2 ABA encoded data on the USB port and grab the details there"
That's optimistic. I'm betting the next batch of loggers won't bother because the target market won't be worth the return on investment! Besides, as pointed out, I'm betting it's implemented via the HID interface, thus only protecting against physical keyloggers. Physical keyloggers aren't used to nick credit card details.
"Also, the people that would use these devices are also the same people that are most likely to be hit by the sort of stealth malware that installs loggers"
Actually I'm thinking it's an oxymoron - the type of people that are most likely to need something like this, will not even realise it and would never buy it.
Ignorance is bliss!