Tech by VICE

This Device Aims to Encrypt Online Shopping End-to-End

PocketKey would encrypt transaction data before it reaches a merchant, to prevent payment information being stolen in a breach.

by Joseph Cox
Aug 5 2015, 12:00pm


Online fraud is a booming trade, with underground marketplaces that sell credit cards becoming increasingly streamlined, and breaches of merchants such as CVS recently making the news. When a site or service is hit by hackers, it's possible for the thieves to make off with credit card information from thousands if not millions of customers.

One product wants to change that. Although in the early stages, PocketKey aims to provide end-to-end encryption for online transactions, meaning that even if a breach occurs, the data stolen would be useless to hackers.

David Marsyla, CEO of Pocket Systems, explained in a phone interview that the small box, about the size of a credit card, connects to your smartphone or PC and encrypts information about an online transaction with a one-time use key. "When you plug in the device, it will enter your encrypted payment automatically and securely auto-fill every required field for billing and shipping," a press release from the company explains.

The PocketKey comes preloaded with 500,000 unique 256-bit keys, Marsyla said, supposedly enough to allow a lifetime of online shopping. It also includes another smaller key for "signing" transactions. If a payment comes into the bank claiming to be from one person, but hasn't been "signed" by the customer's key, it should be easy to spot as fraudulent.


Once the transaction data has been encrypted, it is sent to the merchant. From here, it is sent to the customer's bank, where the corresponding keys are stored and the data decrypted.

This is where collaboration from banks and card issuers comes in: They would need to provide a back-end server to handle the decryption process. For that reason, PocketKey "is something we would sell to card issuers. This isn't something that consumers are going to go out and buy on their own," Marsyla said.

The idea is that the merchant never has access to the clear text version of the transaction data. Even if data from their site is stolen, all hackers will get is a bunch of encrypted information.
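A minimal model of the flow described above, added here as an illustration; it is not PocketKey's code, and the article gives no cipher or protocol details. Assumed for the sketch: the SHA-256 keystream cipher, HMAC standing in for the "signature," the message fields, and every class and function name.

```python
import hashlib, hmac, json, os

def provision(n_keys):
    """Issuer step: same key table and signing key go to device and bank."""
    return [os.urandom(32) for _ in range(n_keys)], os.urandom(16)

def xor_stream(key, data):
    # Stand-in cipher (assumption): SHA-256 in counter mode as a keystream.
    # Tolerable only because each 256-bit key encrypts exactly one message.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def sign(sign_key, idx, ct):
    # Stand-in "signature" (assumption): HMAC over key index + ciphertext.
    return hmac.new(sign_key, idx.to_bytes(4, "big") + ct, hashlib.sha256).hexdigest()

class Device:
    def __init__(self, keys, sign_key):
        self.keys, self.sign_key, self.next_idx = keys, sign_key, 0

    def pay(self, txn):
        idx, self.next_idx = self.next_idx, self.next_idx + 1  # key used once
        ct = xor_stream(self.keys[idx], json.dumps(txn).encode())
        return {"key_index": idx, "ciphertext": ct.hex(),
                "signature": sign(self.sign_key, idx, ct)}

class Bank:
    def __init__(self, keys, sign_key):
        self.keys, self.sign_key, self.used = keys, sign_key, set()

    def settle(self, msg):
        idx, ct = msg["key_index"], bytes.fromhex(msg["ciphertext"])
        if not hmac.compare_digest(sign(self.sign_key, idx, ct), msg["signature"]):
            raise ValueError("not signed by the customer's key")
        if idx in self.used:
            raise ValueError("one-time key already consumed (replay)")
        self.used.add(idx)
        return json.loads(xor_stream(self.keys[idx], ct))

if __name__ == "__main__":
    keys, sk = provision(4)                  # constructed sample, not 500,000
    device, bank = Device(keys, sk), Bank(keys, sk)
    blob = device.pay({"pan": "4111111111111111", "amount": "19.99"})
    print("merchant stores only:", blob)     # opaque to the merchant
    print("bank recovers:", bank.settle(blob))
```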

At the moment, Marsyla said the company is "in talks" with banks, and he hopes for a pilot of the product next year.

"It's definitely the right idea," Grady Summers, senior vice president and CTO of cybersecurity company FireEye, told Motherboard over the phone, although he couldn't comment on the technical side of the product without more information.

As for what effect end-to-end encryption might have on the credit card trade, Summers said that "No technology is going to make criminals go away." Instead, he suggested that criminals would move away from merchants and perhaps focus on the two end-points: the bank doing the decrypting, and the PocketKey itself. In an email, a PR representative for Pocket Systems claimed that the device was "unhackable," but as Summers pointed out, "Rule number one for any security product is never claim that you're unhackable, because creative people will set out to prove you wrong immediately."

The idea of end-to-end encrypted online transactions is a great one. Whether PocketKey will be able to deliver that remains to be seen.
