There are several things that need to be secured:
1. Buyer must trust origin of content. Therefore, the system must provide for offline signing of content with 'trusted' keys (e.g., Verisign certificates). Furthermore, for semi-dynamic content like a newspaper, where a static article is wrapped with dynamic borders, it must be possible to sign part of the page. This lets the buyer verify after-the-fact that they weren't defrauded, which reduces fraud from a compromised web server to a single loss per customer.
For offline signing, I envision this process: put floppy disk of HTML into signing machine, push button, wait while signatures get written to disk, move disk to other machine, and ftp documents and signatures to production server. This would all be automated so it would take minimal effort or thought.
2. Buyer must trust seller's clearinghouse account number. Therefore, seller must sign (offline) account number with 'trusted' key. Even with a compromised web server, payments will never go to a rogue account. Seller reputation could still be tarnished, but there would be no direct financial incentive to compromise server (although there would be the indirect financial incentive of harming a competitor).
3. Seller's web server must only be able to check the clearinghouse account. This means that a compromised web server cannot defraud the seller. In fact, it should only be limited to a short list of recent transactions, to limit the intelligence available to an attacker. This feature would be dead simple for PayPal to add. (In fact, they will add it to support small businesses where low-level clerks can check transaction completion, but only high-level management can debit account.)
4. Buyer's account and client must have limits and warnings for unusual payments. This mitigates losses from compromised client software. Buyer's client must be very careful managing and timing-out passwords. I see the client side -- an endless sea of poorly maintained Windows 98 boxen -- as the weak point.
5. Long term, it would be nice if the buyer had a trusted client, a small PDA-like device that plugged into a USB port and acted as arbiter for transactions. Most of the time it would run in automatic mode, but if it detected excessive transactions it would lock out further transactions and start beeping for attention. It would need its own small display and keyboard. Smart cards are worthless for this application, as you need a trusted user interface. (This product isn't viable to sell now, but will be in a few years when the insecurity-market size curve reaches the massive consumer loss region. When you see the first major congressional committee on Internet fraud, it'll be time to start selling these.)
Incidentally, all this is a pretty good financial argument for open protocols, since the greatest long-term risk in micropayments is information seurity, and the greatest risk to information security is closed algorithms. Unless you are willing to spend a few hundred man years on security before going live, a proprietary protocol is a guaranteed long-term loser. A closed system means bleeding money while the committees cogitate; an open system means that security companies will fight tooth and nail to proactively reduce risk. Openness transforms security from an in-house cost center to an third-party profit center, which generally produces the best product.
(I've got to stop writing so much.)
I don't want the world, I just want your half.
[ Parent ]