In 2018 alone, reported fraud cases increased by 18.4 percent from the previous year and over 20 billion dollars were lost. Although not the only source of card fraud, one major concern is the security of Automated Teller Machines (ATMs). With the spread of ATMs throughout the world, personal banking security has become an increasingly prevalent issue. From hijacking ATM terminals using “skimmers,” devices that collect messages sent on the ATM’s data lines, to installing cameras to record individuals inputting their PINs, there are numerous ways for scammers to steal sensitive information from under your nose.
To prevent fraud, Claude Crépeau, a professor in McGill’s School of Computer Science, along with researchers from other institutions, is looking to find methods for beefing up modern bank security systems.
Once your bank PIN falls into the wrong hands, the process of resetting it can be a hassle. All the while, your account can be accessed and funds can be taken out. This is where Crépeau’s work comes into play. Using a type of cryptographic method known as zero-knowledge proofs, combined with Einstein’s theory of relativity—which stipulates that matter, and in turn, electronic information, cannot travel faster than the speed of light—the team has developed a new method of combating card fraud.
To understand zero-knowledge proofs, imagine that person A has two identical containers. One contains a coin and the other contains a die. Person B wants to prove to person A that they can identify which container has the coin and which one has the die, even after they are mixed up. In order to do so, person A will mix up the containers and person B will guess which one has each object. If person B does this correctly several times, person A will accept that person B knows which container has the coin. However, person A will still be unaware of how person B knows this.
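The container game above can be simulated to show why repeated rounds convince person A while revealing nothing about person B's method. This is an added example, not code from the article or from the research team; the function names and the model of a cheater as a random guesser are assumptions made for illustration.

```python
import math
import random

def verifier_accepts(prover, rounds, rng):
    """Person A: shuffle in secret each round, accept only if B is always right."""
    for _ in range(rounds):
        coin_position = rng.randrange(2)      # A's secret arrangement (0 or 1)
        if prover(coin_position, rng) != coin_position:
            return False                      # one wrong answer exposes B
    return True

def honest_prover(coin_position, rng):
    # B really can tell the containers apart; how B does it is never revealed,
    # A only ever sees the one-bit answer.
    return coin_position

def cheating_prover(coin_position, rng):
    # An impostor cannot sense the contents, so the true position is ignored
    # and the answer is a coin flip (assumed cheating strategy).
    return rng.randrange(2)

def acceptance_rate(prover, rounds, trials=20000, seed=1):
    """Fraction of independent runs in which A ends up convinced."""
    rng = random.Random(seed)
    return sum(verifier_accepts(prover, rounds, rng) for _ in range(trials)) / trials

def rounds_needed(max_cheat_probability):
    """Smallest number of rounds so a guesser passes with probability <= target.
    A guesser survives each round with probability 1/2, so n rounds give 2**-n."""
    return math.ceil(math.log2(1 / max_cheat_probability))

if __name__ == "__main__":
    for n in (1, 3, 10):
        print(n, "rounds: honest", acceptance_rate(honest_prover, n),
              "cheater", acceptance_rate(cheating_prover, n),
              "theory", 0.5 ** n)
    print("rounds for one-in-a-million:", rounds_needed(1e-6))
```

The honest prover is accepted every time, while the guesser's chance of passing halves with each extra round, which is why "several times" is enough to convince person A.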
Although not yet present in ATMs, bank machines could use zero-knowledge proofs in order to verify a cardholder’s identity; the cardholder proves their identity with their PIN, and the ATM verifies it without accessing the encrypted information. However, even this method of verification would not be foolproof. The difficulty of cracking a zero-knowledge proof often rests upon how difficult it is to solve the equations it is built on. Some zero-knowledge proofs have already been cracked, while others may only be solved once quantum computing becomes more advanced. This raises the issue of never knowing the level of security of the proof used by banks until it is too late.
Einstein’s theory of relativity is the second piece of the research puzzle. A fraudulent ATM could record the answers given and attempt to solve the equation used to encode them, thereby cracking the zero-knowledge proof. The team decided to use multiple devices mimicking ATMs, set up approximately 60 metres from one another. A cardholder inserted their bank card into each one, and then the machines performed zero-knowledge proofs in order to prove the cardholder’s identity. For this process to work, the devices were not allowed to communicate with each other. Otherwise, fraudulent devices could potentially share information to help each other crack the code. However, if they aren’t able to collaborate, then it is similar to an investigator interviewing two witnesses separately: if their testimonies do not match up, then their story is impossible to corroborate, and the devices will be proven fraudulent.
If the devices are prevented from communicating, any potential hijacker would be forced to solve not one, but two, highly complicated equations in order to work back to the zero-knowledge proof. Since that information cannot travel faster than light, the transfer of useful information between devices will be limited, preventing access to the encrypted information.
“What we have demonstrated makes it tremendously closer to being practical in the sense that it has never been demonstrated before,” Crépeau said. “We strongly believe that with […] more important investment [in] equipment of a higher quality […] we can bring [the distance between ATMs] down to a couple metres or maybe even a single metre.”
Combining zero-knowledge proofs with Einstein’s theory of relativity could allow for a more secure method of validating one’s own identity that won’t be threatened by the advancement of quantum computing.
Although still just a proof of concept, the team’s research has the potential to dramatically improve currently vulnerable banking security. The research into the dynamic between information, light, and zero-knowledge proofs could have important implications for the future of personal banking security.