Are your online credit card transactions really safe?

Image: RTÉ Brainstorm
Apr 30 2020 Posted: 13:29 IST

Author: Dr Michael McGettrick, School of Mathematics, Statistics and Applied Mathematics

Opinion: advances in quantum computing will mean secure transaction sites will have to up their game to stay clear of quantum hackers

You've just purchased your groceries online or transferred €700 from your current account to pay an outstanding bill. You probably did this by credit card, using a "secure" site. At least, the site seemed secure - well, it's run by a bank, or a reputable company, so it must be OK, right?

The unsettling fact - and one probably unknown by the general public - is that there are tens of thousands of people who know how to "hack" in to your secure transaction, and basically do whatever they want (benign or malicious) once they have that info. These people are not some shady cybercriminals, merely any mathematician worth their salt in any university in the world.

But - and here's the big but - knowing how to do something, and being able to do it quickly or efficiently are two different things. If one was to know how to do something (i.e. have an algorithm or step by step procedure for it), but could only do it very slowly, you might say at some point that the procedure is useless in practice because it takes so long.

From RTÉ Radio 1's The Business, Liam Geraghty reports on the history of the credit card

This is exactly the case in point with online payments through secure transaction sites. They rely on a simple mathematical idea that mathematicians all believe, but none have proven to be correct: Factoring large numbers is hard!

Suppose I ask you to break 24 into its multiplicative parts. Well, the answer is (2)(2)(2)(3). How long did that take you? Now I ask you to break 3016 into its parts. The answer it turns out is (2)(2)(2)(13)(29). If you were able to do it, how long did that take you? There are lots of (clever) algorithms for factoring large numbers (a credit card number with 16 digits is large, right?), known by lots of clever mathematicians, but none of them are efficient. In fact, the best are so inefficient that it would take years for the result to come out even on a supercomputer. There's not much point hacking someone's secure transaction if it takes years to get in.

Enter quantum computers. In a quantum computer, we work with both the two classical bits, 0 and 1, and the infinite number of numbers that are in between these. These correspond to the states of the smalled objects in the Universe, or fundamental particles. Manipulating a particle, which can be in a superposition of two different states, and sets of interacting particles, that can be in a state which is called entangled - more than the sum of the parts, is what gives quantum computers their power.

From RTÉ lyric fm's Classic Dive, Aisling Kelliher on the uncertain new horizons of quantum computing

But - and it’s a big but - we cannot necessarily use this power unless we are clever about the measurement of the output. In quantum mechanics, we can never measure the full state (or wave function) or even a particle, never mind a collection of particles. There are nonetheless measurements we can make on global properties of the (wave) function which harvest this power.

A celebrated result in quantum computer science is the Shor Factoring algorithm, named after the MIT mathematician Peter Shor. This factorizes any large integer exponentially faster than any known classical algorithm on a classical supercomputer. "Exponentially faster" here means that what used to take years can now be done in minutes.

So, does that mean the quantum hackers can break all these supposedly secure sites in minutes? Yes and no. In principle, they can, but in practice they can't (yet) because the physical quantum computers that are around are still very primitive and just have a few quantum bits. Right now, they could factorise efficiently say 21 to get (3)(7), and not much more. But every few months, the research teams of physicists and engineers  successfully control another quantum bit, each time making the quantum computer much more powerful.

For the moment, no one is worried. There’s only a handful of quantum computers in the world, and the banks and credit card companies know where they are (a couple of universities and a few companies). But once the quantum computers come of age, the "secure transaction" sites will have to fundamentally change the basis for their security to stay clear of the quantum hackers.

Marketing and Communications Office