Van Buren v United States

Date & Time:
Tuesday, June 29th, 2021
10:30 AM PT | 1:30 PM ET

Explained: A Legal Perspective on the Future of Cybersecurity Research

The Supreme Court’s Van Buren decision earlier this month aimed to clarify the ambiguous meaning of “exceeding authorized access” in the Computer Fraud and Abuse Act, the federal computer crime law.

In the context of protecting critical infrastructure from hackers, this particular ruling will define how we manage, report, and handle unauthorized access.

It also raises some foundational questions that, if weighed carefully, have the potential to foster a collaborative relationship between researchers and companies. How should good-faith researchers conduct themselves? Does this redefine the relationship between companies and hackers? Is every researcher considered to be in violation of CFAA if they’ve not sought permission to access a system?

Jared L. Hubbard and Christopher Hart have followed this ruling closely and worked on amicus briefs to aid the Court in this matter. They will discuss the case and answer questions.

Speakers:

Jared L. Hubbard, Partner, Fitch LP
Christopher Escobedo Hart, Partner, Co-Chair, Privacy & Data Security Practice – Boston, FoleyHoag LLP


Register on Eventbrite


Follow us on Twitter and LinkedIn to stay in the loop with updates!

Copyright © 2021 Voatz. All rights reserved.

Thinking Voting

Today we seek to ensure each citizen eligible to vote can vote. Issues like location, geography, education are all elements of the values we must embrace as we work to assure the citizens ability to vote.

The first question of voter and eligibility takes us into the realm of who or how elections are managed. Candidates, contests, question are all elements of what is presented to the voter as a ballot. According to practices and rules, contests involve selecting candidates. While questions focus on yes/no answers or a score.

Anonymity creates a need to construct a mechanism to assure one vote per voter while preserving the privacy of the voters identity. This one requirement solved reduces the risk landscape significanttly and complicates the angle of attack.

Adhering to a security first continous improvement principles and integrating prevention and detection into the design of the source code.

I believe Voatz has solved the most challenging task and embraced best of breed components and partners to build a secure immutable record of each unique anonymously signed ballot.

The rest, as long as vendor certification mechanisms and coherent standards exist, has been done over and over again in: financial services, government services, defense, health, and retail. With sound software design and release procedures, built on quality principles inherent in the companies ethos

All we need is the right to improve democracy.

What is a DAO and how do we govern tomorrow

Distributed autonomous organizations, a DAO.

When we think of governance and how we control society, we immediately must consider the realities of people in the tribes they belong to.

Recently the emergence of bitcoin, the understanding of the power of a distributed ledger, the use of a hash chain, the power of cryptographic processes, and the security of the devices we carry establishes a foundation for a brave new world.

What is governance? It is the method processes and mechanisms a society puts in place to establish order and ensure harmony?

The ancient Turks, Greeks, slave spoke of democracy, the idea that each member of the tribe, the town, the city, or the state could assemble and determine new laws, regulations, and best practices. We then evolved into Republican governments the concept of a group of people representing a larger number of citizens.

Influence and power define what shall evolve. In my lifetime, the idea of being able to plug the handset of your telephone into the back of a terminal and establish a connection to a computer somewhere out there was a novelty. For my father it is Time in Geneva when Aryanism stood out as a challenge, opportunity or threat. Telephones were just emerging and radios were available. TV was still not present. Paper books and libraries surrounded the environment we will call Geneva.

City on the Lake, what is this thing place in his history his is as relevant as your or mine.

One question why anonymity at the profound process of engagement. When you are something called anonymous I am not sure I want to play. If your anonymous is mandatory; I don’t want to play.

The innovative spiritual and the. Nurturing essence of life.. How this evolves involves countless engagements.

Each sublime note to the fabric of the virtual environment we present to the public is.

And, all of us form the fabric of the public.

He answered them, “And why do you break the commandment of God for the sake of your tradition? 4 For God said,* ‘Honor your father and your mother,’ and, ‘Whoever speaks evil of father or mother must surely die.’ 5 But you say that whoever tells father or mother, ‘Whatever support you might have had from me is given to God,’* then that person need not honor the father.* 6 So, for the sake of your tradition, you make void the word* of God. 7 You hypocrites! Isaiah prophesied rightly about you when he said:

8 ‘This people honors me with their lips,

but their hearts are far from me;

9 in vain do they worship me,

teaching human precepts as doctrines

“Listen and understand: 11 it is not what goes into the mouth that defiles a person, but it is what comes out of the mouth that defiles.”

What shall we do? Simple honor the one Jesus answered, “The first is, ‘Hear, O Israel: the Lord our God, the Lord is one; 30 you shall love the Lord your God with all your heart, and with all your soul, and with all your mind, and with all your strength.’ 31

You commit to what you believe in with a robust desire to adhere to the moral imperatives. The one God is the same God written about in so many different ancient lore.

The second is this, ‘You shall love your neighbor as yourself.’ There is no other commandment greater than these.” 32

32

Who is your neighbor?

Anyone you engage in an event. An event is is anything we all seek to record. By the way any unit of one can record as long as all parties are aware. It is our contracts and promises. Those such as payment, voting, identity and influence.

See you next time.

It is time to move to Multi-Factor Authentication built on a Restricted Operating Environment

Passwords should become a thing of the past. Here’s why

This morning one of my Google alerts found a blog coming from the World Economic Forum.  It reminds us of the inventor of the password Fernando Corbato.  In an interview with the Wall Street Journal, he said passwords have become “a nightmare”.

The open question is how do we solve for the nightmare of password management we have created that is both effortless and secure.

This article calls for private enterprise and our governments to find answers.  I hope in finding these answers capitalism and profit do not become the reason to act.  I hope social responsibility and community action drive all to find answers that are affordable, convenient, secure and more importantly consumer-friendly.

We Keep Talking About It, When Will We Solve For Identity in the Digital Space

This morning I read an article in the Financial Times The real story behind push payments fraud.  What is disturbing, the acceptance of fraud and the focus of bankers on adding fees (like Interchange) to help cover the cost of fraud.  This article speaks to Push Payments and how liability shifts from the merchant back to the Issuer and ultimately the consumer.  It makes reference to Pull Payments and the use of debit cards where the fraud liability, unless online, is the merchants’.

To address card payment fraud in the physical world the payment schemes developed EMV.  In the digital or eCommerce realm everyone accepted allowing the merchants to not attempt to authenticate the cardholder and simply ask the consumer to provide openly available data {cardholder name, PAN the account number, expiry date, and address details}; if they, the merchant, would accept liability for any fraud.

As the world moves to embrace “Faster Payments” and Real-Time Gross Settlement ‘RTGS’, instead of focusing on assuring the identity of the sender and the recipient; we assume fraud will occur.

Why not focus on solving the problem?  Solving for Digital Identity solves for Card Not Present fraud, RTGS fraud, Faster Payment fraud, and so much more.

 

 

Where are we

Today.

How many passwords are you trying to manage!  Does your LinkedIn contact list connecting you to more than  4,000 individuals?  Does Facebook, Instagram, and other social media websites inundating you with news and stories about your friends, colleagues and interesting people?

How many cookies have your computers accumulated?  How many databases have more information about you than they need?  If we search the dark web, how valuable is your data?

Cando seeks to help you manage your data, identity, assets, and relationships.

Philip lives on Sea Island with his 93-year-old father, the Doctor.  They pursue travel and Philip keeps his head into what is happening in financial services, blockchain, authentication, digital identity, and, whatever else people seeking to understand the transformation; particularly those in the identity and payments space.

What is happening means we can unlock our hotel rooms, cars, and homes from our phones. Our security system iwill be another app we have to find on our phone.

Instead, we need an intuitive assistant seeking to simplify our lives by taking on repetitive tasks like driving, working inside a data table or simply opening up the house for the season.

Normalizing data and performing the analysis capable of earning value is the name of the game.  Management is about stimulating a team to work in the mutual interest of the organization.  Executives define the strategy and articulate the vision in a manner conducive to success.

Cando seeks to help you manage your assets and relationships.  Assets those places and things you use doing your daily life and those interactions you have with people and entities seeking to serve, sell and partner with you.

Then there are friends who we expect to be part of our lives and therefore have privileges and access capabilities.

All of this with a target of selling integration services to the top million and simply assuring each person has an identity thus serving the bottom billion.  ultimately earning $1 per year per user to simply be there when it all breaks and you wish to restore your digital life.

At the core, your digital security will be based on the use of cryptography and sophisticated matching algorithms designed to assure anyone that you are that one individual in the populatations of the universe.

What You possess, What You Are, What You Claim … Your Certificates

NCCOE NIST Multi-Factor Authentication

What you Possess — The Thing

What you Are — You

Your Relationships

Responsibilities

Authority

Advice

— Secrets

My Certificates

 

 

 

 

 

 

 

 

Seven Words

World Wide Web Consortium

FIDO Alliance

Global Platform

The Trusted Computing Group

Future interests

  • Artificial Intelligence
  • Machine Learning
  • Nature Language Interface
  • Predictive Analytics

Another short description of Blockchain

WTF is The Blockchain? The ultimate 3500-word guide in plain English to understand Blockchain.

This technology called the Blockchain is built on the desire to create a new model to assure “trust”. 

To establish trust between ourselves, we depend on individual third-parties.

Could there be a system where we can still transfer money without needing the bank?

This statement begs the question, What is a Bank.  Is it simply an institution for recording the value we deposit with them and then allow us to move/transfer some portion of that value to another.  This then means the loans a bank makes, based on the sum of the deposits we trust them with, is not part of what a bank does.

If the only role of the intermediary is to maintain a ledger capable of recording and facilitating the transfer to electronic facsimiles of something, then, yes a distributed ledger removes the need for the middle man the trusted intermediary.  Instead of trusting a third party we agree to a methodology “The Distributed Ledger” to record these intangible assets or rights of ownership of a tangible asset in a manner where each of us has a copy of the ledger.  The beauty of this concept is for someone to attempt to change a record in the ledger, recording the disposition of a tangible or intangible asset; 51% of us would have to agree to that alteration.

In the above-linked article, all of what happens can be summaries with this quote

Earlier the third-party/middleman gave us the trust that whatever they have written in the register will never be altered. In a distributed and decentralized system like ours, this seal will provide the trust instead.

 

Review of the IMF The rise of Digital Money

While reading the recent document produced by the IMF I am compelled to wonder.

What is the difference between what they call Bank Deposits and e-money.  My first question, ignoring the words bank deposit.  Both are electronic accounts of value, recorded in someone’s ledger.  These two diagrams extracted from a BIS paper offer a perspective.  

They then speak to four attributed to the “means of payment”

  1. The Type, be it a claim or an object.
  2. The value, be it fixed or variable.
  3. If it is a claim who is liable?
  4. The technology, be it centralized or decentralized


They then speak to the five ‘Means of payment”.

Object-Based

  1. Central Bank Money (cash)
  2. Crypto-currency (non-Bank Issued)

As we think of the evolution of these object-based means of payment, we need to reflect on a new term “Central Bank Digital Currency” CBDC.

As a historian, I then wonder where things like Digi-cash and Mondex fit into the classification.  The value was originated and then distributed into a personal and secure storage device (Wallet).  Redemption or better said the guarantee, was provided by a party.  Maybe not a bank or the central bank, yet, easily embraced by such an institution.  Somehow history seems to lose sight of the origins of money and assumes the existence of a central bank.  Here in the USA, the formation of a Central bank was one of many areas of political discourse.

Claim-Based

  1. b-money (Bank issued)
  2. e-money (Privately issued)
  3. i-money (Investment funds)

The magic word behind all of these discussions is “Liquidity”.  The bottom line does the receiver of the money appreciate the value of the unit of measure and is the receiver confident they will be able to convert that money into another form, of their preference

 

 

2FA – Starts With The “What You Have” Factor

https://twofactorauth.org/

I ran into this site today and am happy to see how Josh has offered a listing of sites, across multiple verticals, who have and have not embraced Multi-Factor Authentication.


What the primary factor is, is the key to the strength of authentication.

“What You Know” could be extremely secure, except we depend on the human to make sure they protect it, make it unique and complex.

“What You Are” can only be as secure as the quality and accuracy of the sensors and the algorithms used to match what is sensed now to what was registered then.

For me a “Restricted Operating Environment” capable of securing secret and private KEYS and use them to securely performing cryptographic functions, be they Symmetric and / or Asymmetric is the primary factor.  The DEVICE(s) we use to access the service provided by the relying party simply needs to be registered, recognized and therefore the UNIQUE “What We Have” factor.

If we know the device is UNIQUE. Then the only outstanding question is, is the registered user using it, while not under duress.  If the relying party is not comfortable with the presence of the registered user, then the Relying Party needs an additional factor to assure presence.  Be it the “What You Know” and / or “What You Are” one adds to assure presence during the transaction or the authentication dialogue.

If the Relying party is comfortable the registered user is using their registered device, why add friction?

Prevention is what we need to focus on.  Lock the door with strong keys . Detection is after the fact and necessary.  Investigation helps to punish the evil doer and improve the quality of security.

We need to focus on making sure the methods used to allow someone onto the relying parties website or when they execute a transaction.  Like in the physical world, it is about making sure the user’s KEY is unique and the right individual is in possession of the the key.

In other words.  The user is present using a registered and recognized device.

 

Where are we going

Each morning I read trade articles on Blockchain, Faster Payments, Mobile Wallets, Authentication, Identity and other alerts & subjects of interest. Each day the writers leave me thinking about the future of society, howbwe will address cyber security, what we can do to funally eliminate fraud and which solutions will help us to mitigate risk. These then drives concern about where we will end up, as we drive to define effective means of identity and authentication, capable of supporting the individual desire for convenience and gratification.

Facial recognition deployed to speed up entry and exit to and from countries and through airports are here. The surveillance state is emerging at alarming speed. These same cabilities could potentially deliver a safer environment. Which will it be?

Physical and behavioral biometrics many feel should become the primary means of authentication. Yet, false acceptance and more importantly false rejection will result in inconvenience some expect the consumer to tolerate while other remember friction typically ends up with the consumer abandoning the journey.

The cost of payments, the escalating concern of the retail sector, remund us thatnpayments are sourcesnof revenue for some and friction for others.

Identity theft and the ability to create synthetic identifies are the fears of many. Consumers whose identity is stolen struggle to regain their standing.

In the end all we seek is:

  • Pay for something
  • Identify ourselves
  • Protect our hard earned money
  • Live a safe and productive life
  • Be assured you are you and not someone else

Various articles worth the read

Thomas L. Friedman and James Manyika: The world’s gone from flat, to fast, to deep

Federal Reserve of Atlanta Annual Report One Region. Many Economies.

This time it’s war Keynote address to KnowID, Las Vegas, 25h March 2019.

The Chaps Friday March 29th, 2019

 

Multi-Factor Authentication – Faster Payments and the Immutability of a Transaction

Karen Webster
CEO, Market Platform Dynamics
President, PYMNTS.com

Karen,

Last week in your publication I read the article Deep Dive: Security In The Time Of Faster Payments and I had to offer the following thoughts:

The concept of Multi-Factor Authentication is based on the idea of layering multiple authentication techniques on top of each other.

We typically speak of three factors “What You Have”, “What You Know” and “What You Are”.

When we think of “What You Have” we think of a “Thing”.  An object that cannot be replicated or cannot be counterfeited.

An object “a secure computer” that can be upgraded and made more secure as threats like Quantum emerge.
A unique object with a False Reject Rate FRR and a False Accept Rate FAR approaching zero.

In the physical world “the thing” is a card or passport.  You will remember our first discussion, we came to agree the “secure computer” embedded inside provides a future proof mechanism.  In the digital world, we depend on Cryptography.  This Thing, inside our computers, mobile phones and other technologies; many refer to as a ROE “Restricted Operating Environment”.  Technology people may call it a Secure Element, a SIM, an eSIM, a TPM, a TEE, an eUICC or even Security in Chip.  Companies like ARM specialize in creating the design of these things and silicon manufacturers embrace and license their designs.

Today these connected devices (be they: personal computers, identity & payment cards, FOBs, mobiles phones, bracelets, watches and hopefully every IoT device) need to be secured.  This array of cheap ~$1 security circuitry provides a place to create and/or store private keys & secrets keys, perform cryptographic functions and assure the integrity of the BIOS and software being loaded or currently running in these computers.

Think Bitcoin for a second.  The key to its architecture is the Private Key associated with your store of coins.  Lose it and they are lost.  Many people store these in hardware, based on the use of a ROE.

The second factor is all about proving that you are present.  Behavior, location, PIN, fingerprint or passwords are second or even third factors, be they something you know or something you are.

This is what FIDO and what WebAuthN is all about.  Especially since they introducing the security certification regime. This is what the Apple Secure Enclave is and Samsung and others embed into their devices.  This is what we put into payment cards, government identity cards and the Yubico keys we see various enterprises embracing.  This is what Bill Gates started talking about in 2002.  BILL GATES: TRUSTWORTHY COMPUTING

As we move to Faster Payments we must move to Secure payments.  Immutability and irrefutably become key requirements.  To achieve this goal I suggest we need to understand one fundamental security principle.

The First Factor
is Something(s) You Have
My Thing(s)

The Second and Third factors
Prove You Are Present

Storing Biometrics in the Cloud
Creates a Honey Pot
And, begs questions of Privacy

Let me identify myself to My Thing.

Then let My Thing
Authentication my presence to
The Relying Party (Bank or Credit Union)

Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience. The discussion considered the balance between friction and security. All of the panelist articulating the demand for convenience. The Audience questions which is it the desire, or is it the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing. The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification. In addition to that, it becomes important to have data trails and access history in place to determine and log all access to as well as use of information by employees of the organization or external parties. This can be considered a critical step in resolving any identity fraud or data theft issues that might occur within the company; partnering with trusted digital forensics teams can ensure that the right information is extracted and a proper case built against the attacker.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.

The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web. How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to watch carefully and be part of the move to restore the consumers’, OUR, right to the data that is us.

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together. EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience. then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments. The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”. In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database. In order to maintain a unique and secure cloud identity, they might probably make use of various opportunities that come their way (you can hover over at this website to learn more).

However, does that mean it includes what you know username, email address or phone number? Maybe! If it is simply the captured image or behavior, then it is a 1 to many match. If it is with an identifier, it is classic authentication with a one-to-one match.

In the pure authentication space where the relying party simply wants to know it is the person they registered. Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices. Additionally, the use of a visitor sign in sheet synced with the security database could expedite the sign-ins of visitors. It could also see its applications with employee log authentication and verification. Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem-part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

Why do we need Tokens and Tokenization

Recently I was directed to a link http://paymentsjournal.com/tokens-work-because/ and wanted to write the author Sarah Grotta.  As I wrote the message crystallized in my head and maybe as this prior post already discussed, this idea of tokenization made me cringe.

I contend that Tokens exist because we turned the PAN Personal  / Primary Account Number, like we turned the SSN Social Security Number, into an authenticator.  One can must ask the question.  How can a random value (an identifier) become an authenticator and remain secure?

EMV works because it renders the Card unique, hence addressing the question of counterfeit, by employing the first factor of the classic MFA Multi-Factor Authentication concept “What You Have”.  EMV defined a common set of secrets and digital credentials; securely stored in a Secure Element or Chip Card.

We here in the United States decided not to implement the second factor, the Personal Identification Number or PIN, for a variety of reasons. Hence, why Lost and Stolen remains an issue or weakness in the American Card Payment environment.

Biometrics are emerging and could solve for the assurance of cardholder presence.  The challenge is how to effectively (cost and convenience) locate the biometric sensor and facilitate the matching of the sensors output to the persons registered biometric.  Let alone, how does one make sure the right persons biometric was registered and associated with the device.

In the mail order / telephone order, now cyberspace, we did not replicate merchant authentication, the first factor – “What You Have. The card, once was secured with things like the magnetic stripe, using CVV1, the Hologram and the other physical features.  We simply shifted the liability to the merchant and called it a “card not present” transaction.

People can claim all sorts of goodness because of tokenization.  They can talk about how the EMVCo’s tokenization framework describes the use of tokens in device and domain specific scenarios.  All of this, an issuer, could have done; if they, like some did, simply issued another number, a PAN, to the wife, bracelet, watch, ring or whatever other permutation they deemed appropriate.  They can talk about dynamic data.  yet what they often forget to include when they use the words “Dynamic Data” they are really talking about a cryptographic value as described in EMVCo Book 2.

Yes, this does mean the question of how the PAN and its digital credentials get deployed; has to be addressed.  This said, GSMA with EPC did offer some thoughts, last decade, when they described the Trusted Service Manager

Instead handset oligopolies replaced the MNO with the their Mobile Pay wallets.  They working with the Payment Networks and focused on control and the creation of income.  They, as monopolist will, have created barriers, restricting others from offering comparable services.  The TSP now becomes this restrictive service that guarantees the power of companies like Apple and Google, supported by their friends, the payment network operators.

The original article also spoke of the PAR; another data element merchants, processors and the industry, will have to invest in supporting.

I ask the question.

If we had assured the authentication and verification of every payment transaction
Using Multi-Factor Authentication
Why did we need to turn the PAN into a dynamic value? 

My contention, simply use the appropriate level of  cryptography.

If the Issuer or their processor is in control and understands basic EMV and Cryptography, then securing the PAN is not an issue.

Consider household financial management.  If each member of a household has a unique PAN; budget, tax preparation and understanding who spent what where is a lot easier.  The husband,wife and children should have their own unique PAN, stored in the clear in their devices and on their card.

The real requirement, my personal devices, including my payment card, simply need to be linked to one PAN their Personal Account Number, associated with the individual.  The PAN Sequence number could easily allows each device to be uniquely identified, if necessary.  The card and devices becomes the carrier of your identifier.  A thing that can be authentication as something you have.

Here is where the second factor comes in.  Is the person presenting the PAN the rightful and authorized individual? All this required, is assurance to the shareholders that the presentment of the PAN is a unique and authorized event.  This is best achieve by using either something you know or something you are to bind the individual to the instrument carrying the Identifier.

Yes, a bit of friction to assure the  consumer they are securely paying for what they want to buy

Since the World Wide Web came of age and merchants saw its potential.  The question of how to secure the Card Not Present space, this question of cardholder presence, has not been properly addressed.  Visa and MasterCard (when they were not for profit associations) created the utility of the Card Verification Result CVV2, CID or CVC2 which would be printed on  on the card and not part of the magnetic stripe, the problem the bad guys could still steal the card or get hte card number and capture CVV2..  MasterCard and Visa then created SET, 3D-Secure and now, as for profit owners of EMVCo, are proposing, maybe even will mandate, the industry implement EMV 3D-Secure.

Each, an attempt to provide some means of Authentication and Verification.

Each introducing a level of friction as a means of security.

This is the problem.  The market did not start by emphasizing the need for security by educating the consumer.  The industry needed to help the consumer understand they should care and want to securely pay for what they intend to buy.

Instead:

  • The Zero Liability Policy was adopted.
  • The merchant was more than happy to sustain a degree of lose (fraud) in exchange for sales and profits.

The result, as all anticipated would happen, was blissfully ignored and eventually they cried out about.

Fraud migrated to the weakest point
Just like water finds its way to the lowest point. 

EMV, introduced in the Face to Face card present environment, pushing the bad guys: be they criminals, state actors and terrorists to find alternate another channels for their financial gain.

EMV and now the recently published WebAuthN and FIDO specifications create effective mechanisms for Consumer Authentication.

Let us please remember – the PAN, a user name, your social security number or your email address are excellent Identifiers.  They should not be authenticators and they are not a means of “Identification”.

Let us also remember, the term Identification means that one is assured of the irrefutability of identity.

The big question:

  • Why did we have to get rid of or replace the PAN?
  • Why did we and continue to need to invent and invest in all this addition overhead?
  • Why did we not simply address authentication?

Some will argue the challenge of using the PIN or a Password, as a means of Verification, is because it is to hard to remember. Especially, if each password people use to access website, services, building, has to be unique.  Some will argue imposing friction to add security is not convenient.  Others will remind us that security is and has been a necessity since the beginning of time.

Why didn’t we when we created this great new digital shopping mall?

Bottom line each of the devices used to present or acquire the PAN, must be capable of authenticating the identity of the authorized presenter, in both the physical and virtual world.

At least these are the views of someone who believe history provides a baseline for tomorrow and tomorrow must be designed as a function of where you want to be, knowing where things came from.