
Inventor Ric Richardson's one-click payment system could change internet transactions

Byron Bay inventor Ric Richardson is aiming to revolutionise security in online commerce and possibly other internet transactions with a new one-click payment system.

Richardson gained fame in the technology industry as one of the largest shareholders in Singapore-based Uniloc, which reportedly walked away with a giant settlement after suing Microsoft for infringing on its anti-piracy technology patents. The final settlement was never officially disclosed but it was believed to be around $300 million.

Inventor Ric Richardson. Photo: Louise Kennerley

Mr Richardson's new company, Haventec, has secured a new technology patent for a payment system that stores credit card information on a user's device in an encrypted form. The encrypted data is then authenticated against a one-time key stored on a merchant's servers to verify transactions.

"Initially the user sees a buy button with a setup tag on it. They are then invited to fill in their credit card details once and after that their credit card details are automatically used each time they purchase," said Richardson. "The big deal is that the details are not stored on a server somewhere but rather encrypted on the user's device, but the key to unlock the encryption is on the merchant's server with the user's account information."

If successful and widely adopted, the system could stem the seemingly constant, embarrassing and costly incidents in which hackers have been able to steal credit card details on a massive scale. The issue gained prominence among consumers around the world in 2014 when Target admitted that hackers stole 40 million credit and debit card numbers from its servers.

However, Target wasn't alone that year. Home improvement franchise Home Depot also reported a breach that compromised 56 million credit cards. Kmart also reported a data breach that year; however, the number of cards affected was not disclosed.


Ty Miller, founder of computer security consultancy Threat Intelligence, said Richardson's approach was "interesting" in that it required credit card information to be encrypted. However, he said that there was no single way to address the security problems on "every last system that touches the credit card information".

Richardson said the system was designed to make life incredibly difficult for hackers. In order to gather credit card details for a merchant's customers, he said, hackers would have to take "huge measures" such as releasing a virus or malware on a mass scale to gain access to the encrypted data on millions of individual devices.

However, Miller argued that there were still a large number of attacks of the kind Richardson described.

"These attacks are known as man-in-the-browser and man-in-the-mobile, respectively," Miller said.

"This security control is interesting in that it ensures that credit cards are submitted in an encrypted form. However, there are other attacks that are likely to still be possible," he added.

Worse still, the upstream merchant or bank could be compromised, creating another weak link in the security chain upon which the technology presumes to rely.

"If an attacker compromises the organisation's system that decrypts the credit card details using the private key, they then have the ability to access the unencrypted credit card details. This means that instead of stealing insecurely stored credit cards, the attacker captures them in real-time as they are submitted to the application," Miller explained.

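A minimal sketch of the split Richardson describes (ciphertext on the device, key on the merchant's server) and of the limit Miller points out, added here as an illustration and not Haventec's code. It assumes AES-256-GCM and a server that re-encrypts under a fresh key after every purchase; `MerchantServer`, `seal` and `open` are hypothetical names.

```javascript
// Added illustration only; not Haventec's code. All names are hypothetical.
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// AES-256-GCM: blob layout is iv (12 bytes) | auth tag (16 bytes) | ciphertext.
function seal(key, text) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function open(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was altered.
  const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return pt.toString('utf8');
}

class MerchantServer {
  constructor() { this.keys = new Map(); } // account -> current one-time key

  // One-time setup: encrypt the card, hand the blob to the device, keep only the key.
  setup(account, card) {
    const key = randomBytes(32);
    this.keys.set(account, key);
    return seal(key, card);
  }

  // Purchase: device submits its blob; server decrypts, charges, rotates the key.
  charge(account, blob) {
    const key = this.keys.get(account);
    if (!key) throw new Error('unknown account');
    const card = open(key, blob); // plaintext card exists in server memory here
    return { last4: card.slice(-4), nextBlob: this.setup(account, card) };
  }
}

// Constructed sample run with a well-known test card number.
const server = new MerchantServer();
const deviceBlob = server.setup('alice', '4111111111111111');
const receipt = server.charge('alice', deviceBlob);
console.log(receipt.last4, receipt.nextBlob.length);
```

A copy of the server's stored state yields only keys and a copy of the device yields only ciphertext, but the line marked in `charge` is where the card is briefly in the clear, which is the real-time capture point Miller describes.
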
Currently, Richardson is working on a beta version of the system that will demonstrate it to interested parties and test it in a simulated online environment.

He said that he was expecting to send it live some time in the next few weeks.

It's not the first time that Richardson has patented security technology that spares organisations the risk of storing authentication data on servers.

In 2014, Haventec patented a two-factor security system that used a combination of proven private-public key encryption technology and local authentication in a way that eliminated the need for servers to store passwords or biometric information.

It allowed users to log on to their device using a PIN or biometric that generated a private key. The key then generated a string of public keys that became the basis for communication with the server, with the server only accepting the next public key expected from the device for the next session.

It's understood that the system is currently in use in at least one large organisation but Haventec is yet to disclose its identity.
