To connect or disconnect this is the quandry

Pymnts.com in conjunction with Visa published a study of the connectedness of the American population. While reading I wondered how they could identify 36% of our population as Super Connected Consumers. Thinking this profile might be people like myself. I began to wonder how could such a large percent of the population be so connected.

Reaching out to the publisher it became clear this report was well developed and the sample matched the citizen of this country. This led me to wonder about our connected world and how over 42 years I have gone from carrying a beeper to having thermostats, phones, watches, computers, Alexa, TVs, security systems and who knows what else connected somehow to that great network we once dreamed about.

Digital Identity and Multi-Factor Authentication, A Necessity in an Increasing Digital World

Last night November 8, 2018, Bryan Cave Leighton Paisner hosted the Atlanta Chapter of BayPay’s

Digital Identity and Multi-Factor Authentication,
A Necessity in an Increasing Digital World

The panel moderated by Philip Andreae, Principal at Philip Andreae & Associates included:

  • Clay Amerault, First Vice President, Digital Delivery Lead at SunTrust
  • Blair Cohen, Founder, Chief Evangelist & President at AuthenticID
  • Jennifer Singh, Innovation Specialist & Digital Identity Strategist at Thomson Reuters
  • John Dancu, CEO at IDology
  • Vivian van Zyl, Senior Product Architect at FIS

The panel focused on the need to address Digital Identity and Authentication with a clear focus on the user experience.  The discussion considered the balance between friction and security.  All of the panelist  articulating the demand for convenience.  The Audience questions which is it the desire, or is it the demand, of the American consumer.

All agreed, the key issue, as we move towards digital only relationships, is the challenge of Identity Proofing.  The panel also reminded the audience to layer various techniques in order to recognize the presence of the right user and the need to incorporate various fraud mitigation strategies to manage risk and assure identification.

Some of the participants asked if we should start educating the consumer and help them to understand the balance between a frictionless experience and one where a degree of friction is a symbol of how the enterprise (relying party) demonstrates its concern for the consumer’s data and responsibility to protect the consumers assets and identity attributes.

The question of centralize biometric databases versus distributed biometric databases, reminded people of the reality, our data, attributes and identity is already available on the Dark Web.  How we restore privacy and what will happen as the new GDPR regulations go into force in Europe, and as California moves to introduce its privacy legislation; requires each of us to  watch carefully and be part of the move to  restore the consumers’, OUR, right to the data that is us.

The Dual Interface Business Case

These cards and often times the terminals are more expensive than a classic “Dip” EMV card

How much, is dependent on volume, complexity and the pure skill of negotiation. This incremental expense is the first factor one must quantify when building the business case

  • for enabling, in the case of the terminal
  • adding in the case of the card, the contactless antenna
  • upgrading the software by adding the contactless terminal kernels or selecting the appropriate chip software and profile

This then must be compared to the incremental value
For the merchant, issuer and ultimately the cardholder

To explore the benefits lets think about

  • The user experience
  • Availability of merchant contactless acceptance
  • The intersect of the cardholder base with the contactless acceptance infrastructure

As we look around the world and consider what stimulates dual interface card issuance and merchant NFC enablement. Two scenarios emerge.

  • A country made a collective decision and drove NFC terminal enablement and dual card issua.
  • A merchant segment, typically transit, decided to introduce electronic fare-collection.

The first scenario is often driven:

  • By the payment schemes
  • The belief NFC “Near Field Communications” mobile payments will happen
  • A country simply wants to start dual interface and prepare for mobile payments

Which ever option they select, the merchant and financial institutions, within the country, typically migrate together.

In the case of the second scenario, merchant driven migration. We can look to the United Kingdom as a perfect example. “Transit For London” made the decision to migrate from paper tickets to an electronic fare-collection solution based on NFC. The initial deployment was a closed loop payment card, branded the Oyster Card, they quickly decided to upgrade the solution to support Open Loop e.g. Visa, MasterCard and American Express enable dual interface cards and NFC enabled mobile phones.

Given the importance of public transit to the urban demographic. Their decision to embrace open contactless fear collect, becomes a driving factor for issuers and therefore a ripple effect on merchant enablement.

America, as is true in many things, is different.

Contactless was tried last decade without much success.

Issuers did not see any significant lift in consumer spend nor did the merchant see any real increase in revenues. This experiment did not create a perception of a real benefit for either the merchant of the cardholder. Later in this same period, Starbucks launched their QR code mobile payment solution. From its original deployment to now it has been a resounding success.

Around the same time and based on the work of GSMA and the European Payment Council, major telecom operators began toying with NFC based mobile payments. Here in the United States two pilots emerged, the original Google Pay pilot and ISIS (SoftCard) offer. The results were intriguing, the commitment half hearted and frankly both solutions had issues. Google Pay tried to model its solution after de-coupled debit. Whereas the mobile network operators behind SoftCard, wanted to charge the issuers rent and load fees associated with the payment credentials they would store within the SIM.

Merchants Attempted to Create a new Payment Scheme

Major retailers in their continued quest to improve the customer experience and reduce the cost of payments; came together to create MCX the Merchant Commerce eXchange. The hope, merge their existing private label charge card programs together into a Mobile App capable of working across the family of MCX merchants.

Terms where written, in particular one agreeing these merchants would not accept another competing Mobile Wallet. Net result, the merchants agreed not to enable the NFC interface for any of the Visa, MasterCard, Discover or American Express contactless cards or NFC enabled mobile payment devices.
MCX slowly faded into oblivion, as the merchants struggles with the idea of sharing customer relationships and transaction data. Some merchants notably Walmart, Target, Macy’s and Kohl’s set out to build their won mobile wallets embracing QR codes and other none NFC based techniques.

The Introduction of HCE

While this was going on, north of the American border, the idea of HCE “Host Card Emulation” was created by the founders of Simply tapping 2011. It was ultimately by Android and released as part of KitKat in version 4.4 of the Android operating system. With HCE now inside the Android Operating System it unlocked the NFC interface from dependence on the SIM and MNOs. Now any application could take advantage of the NFC interface, once supported by the internarional payments schemes, enabling wider deployment of NFC enabled mobile payments. Google moved ahead to expand its payment ecosystem and Royal Bank of Canada embraced HCE. As Issuers enabled the ability to authorize the load of EMV secured Payment Credentials into the OEM Mobile Wallet or the Issuer’s own mobile app. Consumer now had the opportunity to experiment with mobile payments that communicate with the POS, just like a dual interface card.

Let’s not forget Apple Pay.

Given their brand value and total control of the Apple operating environment, Apple was able to turn to Issuers and suggest they enable the load of EMV secured Payment Credentials into the Apple Pay Wallet. They came at payments with all guns loaded. They knew the value of their brand and were able, unlike the MNOs to ask for a 0.15% of the issuers’ interchange revenue. Most importantly, they facilitated Visa and Mastercard domination of the role of the Trusted Service Manager TSM-SP or better said the Token Service Provider TSP.

Merchant Acceptance Is Key

As has been true with any solution designed to serve a two sided market, issuance and acceptance must grow together to assure the operator success and prosperity. Without a national imperative and with the experience of the original ZIP (Discover), Express Pay (Amex), PayPass (MasterCard) and PayWave (Visa), the merchant must determine if it is worth the effort to enable the NFC interface and train their staff to support Contactless payments.

Transit, like has been true around the world, absolutely sees the value of using contactless, for fare collection and are busy engaging with Visa and MasterCard to embrace and assure acceptance of bank branded dual interfaces cards. Urban areas such as Chicago (CTA), Salt Lake City (UTA), LA Metro, Portland OR (Trimet) and Philadelphia (SEPTA) are live with deployments. Others are in various stages of planned, including the MTA in New York City.

The Business Case

For issuers, where transit is seeking to exploit open loop contactless payments, at the turnstile, there is a revenue opportunity to deploy dual interface cards.

In rural areas or urban communities where public transportation does not exist. The business case is dependent on what local merchants do and if they intend to or will be forced to enable the NFC capabilities of their POS.

This is the big question. Does the merchant see value? Do they believe contactless will increase revenue, reduce time at checkout or do they believe Apple Pay, Android Pay and the other mobile NFC enabled devices are the future?

  • If the answer to these questions is yes then Issuers should seriously consider deploying dual interface cards.
  • If the jury is still out then the investment in dual interface cards may not yet be worth it!

What is the Future Payment Credential Carrier

One cannot discuss contactless payments without thinking about how Apple Pay, Android Pay, Samsung Pay, OEM Pay, Issuer Pay … Device Pay play into the future of cards. Some years ago there were three belief systems

  1. Cards are here to stay the mobile device is a fad
  2. The wallet is replaced by the mobile device
  3. The card is the token of last resort

I think we know mobile devices are not a fad. Until mobile devices never run out of power they will not replace the wallet or all of the cards.

To say much more, given the fogginess my crystal ball, would be to wild a bet.

The following articles produced by the Secure Technology Alliance offer a series of perspectives on the value of migrating to a dual interface card.

Alliance Activities : Publications : Contactless Smart Cards

Alliance Activities : Publications : Payments : Contactless Payments

Alliance Activities : Events : Webinar: Contactless EMV Payments: Issuer Opportunities

Alliance Activities : Events : Webinar: Contactless EMV Payments: Merchant Opportunities

of Identity and Authentication in a Connected World of things.

Various engagement and conversations pull me into thinking about the realities and the necessities, of this emerging world of connected people, objects and thoughts.

Looking back, this topic has been part of my life since 1982 when I was first introduced to the concept of a smart card. At that time we spoke of using the smart card to securely configure a trading deck on Wall Street and in the City of London. The goal securely and automatically configure the voice, video and digital support a particular market trader.

In 1993 to when I was tasked to drive the development of EMV, we could have talked about the fact we were creating a means of secure digital identity. A trusted Identity document based on the trust that existed between the cardholder and the financial institution.

Instead We talked about:

  • Card Authentication “the CAM” now Data Authentication to assure the card was unique and genuine.
  • Cardholder Verification “the CVM” to verify the right user was presenting the card.
  • Card risk management to allow the issuer to support authorization in a offline world.
  • Should we include an electronic purse to support low value transactions?

Today the Debit card could easily be enabled as a secure means of digital identification, with the Financial Institution being the trusted party. Simply knowing the public key of the international or domestic debit card payment scheme allows the party reading the card will know the person was issued this card by that financial institution.

While we in financial services focused on our requirements, the telecom industry was working on the SIM & GSM specifications under ETSI leadership. They created another form of Secure Digital Identity. They focused on securing the identity of the communications channel and were less worried about making sure the right consumer was present, although there is the ability to allow the user to lock the SIM and now even the mobile phone.

2013 I had the opportunity to join the FIDO Board. Within that body, the objective was to separate the concept of identity from the act of authentication. It works from the premise that as digital relationships expanded, the use of passwords and PINs are becomes an issue. The FIDO Alliance also recognized that the only way to secure our digital world, like we secured payments and mobile communications was with the introduction of multi-factor authentication rooted in the belief that the first factor had to be “what You Have” a secure element / enclave, TEE, TPM … capable of generating and or storing secret (symmetric) and private (Asymmetric) keys unique to the object and more importantly unique to the relationship.

Clearly identity and authentication are essential to secure relationships. And, in a digital world, communication is the mechanism that connects people and things together.

Helping consumers manage their relationships assuring privacy is an interesting angle. If I am understanding your platform, at least at the level of the subscription for telecommunications services this you are helping to manage.

Anyway. Back to the pitch. I would like to see about scheduling another conversation and figure out if there is anything I can do to earn an income and create revenue for you.

From Password and PIN to Biometrics

The Evolution of Authentication

When first we sought to create secure and convenient means of identification, we relied on user names paired with passwords and PINs.  These values are typically stored centrally within the relying party’s database.  Often times, these values are encrypted at point of entry, and once received by the relying party passed through a one-way function, before being stored in the database.  This use of cryptography to encrypt the PIN or Password in transit and perform the one-way function before storing the result is simply to prevented the PIN or Password from being captured in transit or reverse engineered.

Each time the user logs in, they enter their password or PIN, it is received by the relying party, run through the same one-way function and compared to the value stored at user registration

Over the last 30 or so year there has been mounting concern as to the long-term viability of depending on the user being able to remember, create a unique & complex value and accept responsibility to frequently change their passwords and PINs.  Especially given the myriad of sites and digital relationships we each continue to establish.

To assure the integrity of passwords and PINs, the challenge is making sure the length and randomness creates difficultly and minimizes the chance someone can guess what the Pin or password is.  By adding special characters and insisting on password and PIN policies, the rely party has attempted to reduce risk and the chance for rouge penetration.

Unfortunately, people forget their password, phish & vishing attacks work, key-loggers and other clever ways of obtaining the user name and password have increased.  The threat of rouge intrusions and the resulting reputational and financial lose is out of control.

As these loses escalated, the cost of the various techniques to support more secure authentication have been developed.  The market always understood if we could merge a unique object something you Have, with a secret you Know or a biometric something you Are; you would be able to establish a superb form of multi-factor authentication.  Many, such as the ICAO, EMV and PIV specifications, embraced the idea of cryptography operating within a secure element or smart card. They further embraced the idea of loading the registered biometric rending into the chip and incorporate the matching algorithm within the software.  By then using an external PIN pad or biometric sensor, multi-factor authentication could be enabled.  Unfortunately, at considerable cost.

In Europe, in order to secure access to websites they looked to physical objects capable of displaying a onetime password as the answer.  In some cases, the user had to first enter a PIN then a number displayed on the screen and then type the value displayed on the device into a field in browser window. Something you have with a secret, a one-time password, unique to each event.

Clearly PINs and passwords carry with them two flaws.  They need to be remembered and they need to be typed in.  Biometrics on the other hand offer convenience and do not require the user to remember a complex set of characters.  Fortunately, the size, cost and complexity of biometric sensors has decreased significantly and it is viability to integrate sensors into a user operated device.  The first company to offer a phone with a biometric fingerprint sensor was Motorola, quickly followed by Apple on their iPhone 5S.  Today it is rare to find a mobile phone which does not included a biometric sensor and related algorithms.

Now with an identifier (user name), a device with a unique digital signature and the ability to support biometrics, all the virtues of multi-factor authentication and the wonders of biometrics such as: fingerprints, veins, retina, iris, EKG, behavior or selfies are available to assure the registered user is present.

All because the sensor can capture the biometric and software will render the output of the sensor into images, patterns or templates.  The sensor and the related software have unique characteristics as to how the matching processes work.  It then simply requires us to accept that the output of the sensor becomes the input into the matching algorithm.

The last concern – how do we measure the reliability of the biometric sensors and algorithms.  To help people understand the reliability of these sensors and matching algorithms, there are an assortment of acronyms such as: FRR, FAR and PAD.  These three are the ones I am most familiar with.  They measure and quantify the risk of false acceptance or false rejection and provide a measure of the assurance of life.

We now can leverage the biometric sensors in user devices

Paired with the assurance the device is unique

And be confident the registered user is present.

Dual Interface Construction

When we think about the migration to contactless or Dual Interface cards it is important to have a general understanding of what goes into creating the card and the constraints one has to think about, as they work with their marketing teams to design these cards.

The design of a payment card involves assembling multiple of PVC into a sandwich that will be bonded and then punched out to form the card body.

  • On the face of the card: a clear laminate to protect the surface
  • On the back a clear laminate with the magnetic stripe affixed to it

In the middle two printed sheets

  • The front
  • The back

In the middle of the card body, your manufacturer will need to insert an antenna.   The antenna is typically provided to the card manufacturer as an inlay, as seen on the left.  The inlay is a sheet of plastic with the copper antenna, sometimes aluminum embedded within.  The card manufacture will add this inlay into the middle of sandwich.

On the right is an example of a six layer card construction including one element as an example, a metal foil.  This has been included given it has an impact on the effectiveness of the radio signal.  More about this a little later.  Using pressure and heat, the layers of the sandwich are bonded together in a process called lamination.  The bonded sandwich is then run through a series of additional processes designed to create an ID-1 card as specified in the ISO 7810 specifications supplemented by the additional payment network requires, such as the signature panel and the hologram.

After quality inspection the next step is to mill and embedded chip into the card body and simultaneously assure a connection between the contacts on the back of the chip and the antenna.  There are various means of connecting the chip to the antenna.  These different methodologies for connecting the chip to the antenna is a specific skill and is the responsibility of your card manufacturer.  Look to your manufacturers to propose, construct and certify your card to your requirements and employing their unique processes, techniques and technologies.

One thing you will need to be aware of is how the use of the antenna affects the certification process.  It is important to understand that the combination of ink, materials and methods of construct means; each construction will need to go through a unique certification.  This need for certification is a result of the use of radio frequency to communicate between the card and the terminal.  Think of your cell phone when your inside a big building or within an elevator and how the conversation maybe disrupted.  It is this possibility of the radio signal to be disruption based on the materials employed and the method of construction.

When metal elements like metallic foils and layers are used in card construction, the challenge increases.  Eddy currents are emitted by the metal and will interfere with the level of power and quality of communications emanated by the antenna and radio in the POS  received by the antenna and the computer in the card.

So far we have spoken only of the hardware.  The chip in the card is a computer and needs an operating environment, application and data in-order to function.  The introduction of the contactless interface alters the operating environment, the payment applications and the data which is loaded into the card.  All of this impacts the card manufacturing and card personalization process.

 

Will the US truly embrace dual interface cards or is our phone the future

When the US decided to migrate to EMV, it took the safe course

When it was time to migrate to EMV here in the USA, both issuers and acquirers focused on addressing the market and the required technology, one step at a time.  They recognized the confusion created by the Durbin Amendment, the reality of the competitive US debit market, the complexity of the merchant environment and the legacy infrastructure underneath the American card payment system.  Unfortunately unlike in other parts of the world the American merchants tended to migration to  EMV in the following order credit & debit, Common AID, contactless (MSD mode), Mobile Pays and finally contactless (EMV mode).  This journey is still a long way from complete with less than 25% of the terminal base contactless enabled, let alone in EMV contactless mode.

The larger and most invested merchants also worried about the impact of sharing data with the likes of Amazon, Google and Apple.  The “honor all card” rule is also the “honor all wallet” requirement.  Wal-Mart, Target and Home Depot were clear, they did not intend to expose the NFC antenna to the various NFC Mobile Wallets.  Instead they are implementing solutions, post MCX, based on their mobile apps using QR codes and often times enabled to support frictionless payment.

We are now looking at the second wave of card issuance and Issuers are wondering what merchants will finally do about enabling contactless.    As the Issuers prepare to issue their cardholders with their second EMV enabled card they must also think about the future of the card in the context of the future of mobile payments.

Are the payment credentials carried in the mobile wallet the companion of the card
o
r
Is the card the companion (fallback) for the payment credential carried in mobile wallet / device

Or
Are we on a journey to a new paradigm

Where facial recognition, loyalty, geolocation
Enabled by the always connected devices

We surround ourselves with
Help merchants to focus on
the shopping experience

And
Turn the Payment into

A frictionless “thank you”

 

What Happens When the Lights Go Out

Since 1984, when I was told I needed to carry this mobile phone with me, there has been that nagging issue of needing to make sure it had enough life to get me to the next charge point.  My first phone was luck if it could last a half a day so they gave me two, one was always being charged while the other hung on my shoulder.  In 1993 while working on the development of the EMV Specifications we focused on the ability to authorize a transaction when the Point of Sale POS device was unwilling or unable to reach the issuer.  In 2013 I listened to Visa representatives explain how 100% of all payment transactions could be executed online.  Then I ponder getting a Tesla Model 3 and learn it is only capable of traveling a maximum of 310 miles, it make me wonder; how do I finish the last 19 miles to my fathers home.

Today, I was reading an article emanating from the Money 2020 event when IDEMIA spoke of the idea of the mobile drivers license and that nagging feeling emerged.  What happens when the power goes off after the hurricane hit and someone asks me for my drivers license.  Its locked securely inside my dead mobile phone.  I then saw that their competitor Gemalto and even NIST are working on this concept of the mDL.

We live in a world where electricity is becoming as essential as water and food.  Yet, we hear of power outages that last weeks and even months.

It is like with Mobile Payments, if the phone is dead and in order to pay it must, then what?  The card remains the essential element of a successful payment transaction.

I dream of the day when I can merge my leather wallet and my mobile device into one.  Yet, I appreciate there are technical challenges like the need for electricity.  Until we lead with these technical challenges and not simply the dream.  Exciting concepts and ideas will go where so many have gone before.

The Future of EMVCo Next Gen

Back in 2011, when I was part of American Express, I was part of the team responsible for our involvement in the work of EMVCo.  At this stage in the work of EMV the discussion had turned to the confusion the multiple contactless kernels was creating in the market and more importantly the challenges we would face as the external threats increased demanding that the length of the RSA keys increase accordingly.  Ultimately we collectively determined the best course of action was to begin the work on what began know as “Next Gen”.  From the beginning it was well understood the migration from where we are today to the “Next Gen” technology solution, both in the card and on the terminal, would be complex and expensive.  In September of 2014 an initial specification was released and my understanding is that a draft has been issued to subscribers and Associates for review and feedback.

This post stems from a conversation with a good friend, he asked me if I thought there was still relevance to what is now being called 2nd Gen.  In that discussion we reviewed the genesis of the work, the baseline for EMV and the unfortunately reality of how contactless was implemented.  Our conversation then turned to the question of what makes the most sense live with what we have today or suffer the expense of the migration to a new solution.

Thinking back to the original reason for “Next Gen” was to consolidate the 7 contactless kernels into one common kernel and replacement  RSA with what was called XDA or Elliptic Curves.  When I think about these two requirements one can only wonder why in the most recent EMVCo Stated EMV® 2nd Generation there is no  reference to enhanced cryptography.  In fact the only thing the document describes is the creation of one unique kernel.

Referring back to the September 2014 Net Gen Specification there is clear reference to enhanced security with specific call out of “an elliptic curve Diffie-Hellman key establishment protocol with blinding applied by the card”.  I then remember hearing about issues with Elliptic Curves and wonder why there is no reference to enhanced cryptograph in this most recent EMVCo document.

Back to the question raised in our conversation.

Do I see value in the world investing in the migration to 2nd Generation?

The answer is I am not sure anymore. 

When EMV started we had four agreed requirements, summarized on this slide I initially created back in 1994.  Offline Authorization, in other words, the issuer’s ability to securely approve a transaction without requiring the terminal to request an expensive online authorization request was the reason Offline Authentication was part of the original design of EMV.

  • If the value of offline authentication, given the ubiquity of wired and wireless telecommunications networks, is deprecated.
  • If  the performance efficiencies, original seen in Elliptic Curves, is no longer as significant, given the increased threats and vulnerability.

Then why make the investment in changing the software in both the card and the terminal to support XDA?

Next

  • If most if not all terminal manufacturers have addressed the complexity of the multi-kernel configurations, compounded by the existence of various unique national contactless kernels.

Then why demand the investment in supporting a complex migration from multiple kernels to a single EMVCo Licensed kernel?

Finally

The threat of quantum cryptograph suggests that most if not all asymmetric cryptographic algorithms commercially available will be broken.

It does beg the question.

What is the business case for driving the world into a expensive, long and complicated migration?

What we created in 1994, and EMVCo has maintained, is a very effective Online Authentication mechanism, the ARQC.  A mechanism based on symmetric cryptography which, as far as I can tell, will remain under the control of the Issuer and is not, as of yet, threatened by quantum computing.

I look forward to your feedback.

 

 

 

 

 

 

A Letter to Karen Webster of PYMNTS.COM

Karen, you come to mind off and on, especially when I’m try to keep up with what is happening in the wild world of payments, block chain, cryptocurrency, identity, authentication, trust, identification and who knows what else.

One thing is clear.  Lot’s of companies are investing significant sums of money in these various “opportunities”.  Yet are we, as a society, on the right path?

We could look to Washington DC, and the other capitals around the world, and this same question would apply.  But, not to get distracted.

Let’s start with identity and authentication in the digital space

As you may remember, EMV was something I got deeply involved with, both here in the USA and back when we originally conceived of the specification.  We the three founding payment associations had one goal – solve for counterfeit.  And, when the issuer or country so desired address lost and stolen fraud.  Focused on the physical world of commerce, the Point of Sale.  Our original goal was simple.  Assure global interoperability by defining a global migration path away from the magnetic stripe.  We mutually agreed we had to select a technology capable of protecting the physical token, the card, well into the 21st century.

Simultaneously, as was so beautifully captured by the Pete Steiner’s famous 1993 New Yorker cartoon, we knew there would be an issue in the digital space, that thing we then call the World Wide Web.  MasterCard and Visa set out to define the Secure Electronic Transactions SET, then Visa patented a concept called 3D Secure and more recently  worked together with the other owners of EMVCo to create EMV 3D Secure.  Each of these, attempts to find a meaningful way of  authenticating the cardholder when they paid with a credit or debit card.

Today billions of identities have been compromised.  The techniques used during an enrollment process online, to verify who you, are no longer viable.  Identifiers like our social security number and Person Account Number (PAN), unfortunately, became authenticators, a role they were never designed to support.  As EMV was deployed criminal shifted their focus to the Internet and PCI had to be introduced to address the challenges of criminals acquiring payment card and PII data.

As the World Wide Web morphed and grew in value and importance, the potential of monetizing the vast amount of data companies where collected began to scare people;  as this recently found comic so aptly demonstrates.  People, governments and corporations started to struggle with their desire for privacy offset against the value of data corporations are collecting.

Way back then, an opportunity to address the issue was offered by Bill Gates.  As is always the case, Microsoft the then technical giant  wanted something to support what society would ultimately need.  The idea of the social good was lost to the value of corporate profit and control.

As the Internet grew to become this marketplace, library, museum, cinema, place to play and place to meet and connect; we imposed well understood enterprise security techniques (username and password) to the consumer space.  The password thus became our challenge.  How do we convince customers (let alone employees) of the importance of complex, hard to remember passwords – unique to every security conscious relationship we establish on the World Wide Web.

Are biometrics the answer, has the FIDO Alliance and W3C created a set of authentication standards we can all embrace?  Hopefully.  Unfortunately, most opportunists are seeking to monetize their often proprietary solution, creating what they think is a best of breed consumer experience.

My fear, we are moving from the familiar experience of typing our user name and password; to multiple unique experiences at the front door of each and every web site we seek to log-in to. 

As an example my Samsung Android phone has a fingerprint sensor and is FIDO certified.  There is a Samsung Pass Authenticator, Microsoft Authenticator, Google Authenticator and several demo versions of various other authenticators.  I also receive SMS messages with one time tokens I am asked to enter onto the screen.  My PC it also is enabled with a FIDO U2F set of dongles.

Unfortunately my tablet has none of these and assumes I will simply remember, thank you Norton Identity Safe, my various passwords.  What a mess we are created all with monetization and the desire to offer a unique consumer experience as the justification.

With all those already installed, I await the introduction of WebAuthN, within the various browsers installed in my PC, tablet and phone. 

Moving to Block Chain and Cryptocurrencies

The wild west.  The makings of a speculators dream.  The realm of the incomprehensible, built on complex mathematical concepts and the desire to remove the man in the middle and replace them with the miners and nodes distributed around the center.  Or, is the idea of the distributed ledger the solution to the challenges of trust in an every expanding universe of connected people and things.  One can only wonder?

People speak of removing central governments.  Yet, they remind us that there is a governing body, book of rules and set of code that is designed to assure immutability.  If I understand their, logic we should not trust Governments instead we  trust these new open societies and digital enterprises?  they speak of removing intermediaries and replace them with nodes and miners.  New players responsible for creating and signing the new blocks and distributing it all those who maintain a current copy of the chain.

Is there potential, Absolutely.  The challenge is to understand why one would wish to move data from a trusted central repository to a distributed trustless environment.  Cost and latency should be part of the discussion and most importantly the level of trust the parties have with each other, identified intermediaries and governing bodies involved in the ecosystem.

Finally Payments

Barter, gold sovereign, IOU, government or bank back notes and coins, checks, cards, account based solutions, digital coins and what next.  Payments have been this ever evolving space.  Some seek to monetize the methods businesses, consumers and governments use to pay for the good and services they seek to acquirer, use or explore.  Others argue that the cost of payment should not be a source of profit.  The interesting twist here is more about the stage an economy is at in their migration from one from of payment to another.  Questions of legacy and history limit a markets ability to embrace the new and retire the old.

We could shift the conversation and focus on the store of funds: be it the safe in the wall, the checking or savings account at an institutions or digital coins stored in digital memory.  We could talk about the entities that focus on the experience and employ the already existing mechanisms.  We could think about block chain, crypto currency, identity and authentication.

Does the consumer care? or would we be pleased to simply hear the merchant say thank you for your payment.   The frictionless experience of get out of an Uber car or when we click the buy button on Amazon we know the payment will be made and that we will see a receipt in our email.  Remove the friction and make sure that only what I owe is paid, that is the experience we seek.  We the consumer are not interested in the detail.  We just want to know we successfully paid, using the source of funds we set up as our default.

In Conclusion

Yesterday, with this blog incomplete, I listened to  The Economist article titled Rousseau, Marx and Nietzsche – The prophets of illiberal progress – Terrible things have been done in their name.  What grabbed my attention is that it spoke to the depth of my wider concerns.  The article concludes with the following:

The path from illiberal progress to terror is easy to plot. Debate about how to improve the world loses its purpose—because of Marx’s certitude about progress, Rousseau’s pessimism or Nietzsche’s subjectivity. Power accretes—explicitly to economic classes in the thought of Marx and the übermenschen in Nietzsche, and through the subversive manipulation of the general will in Rousseau. And accreted power tramples over the dignity of the individual—because that is what power does.

As I think of our capitalist environment, I am concerned and wonder if the publication of the Economist article is  timed to educate and alarm.  The reality is we are experiencing a concentration of power leading to an increase in the distance between those in the upper 1% and those we call the middle class.  Therefore, there is a need to about what is good for the whole, yes a tiny bit of socialism, to restore balance to make sure the wealth and benefits accrue to all and not just the few.

As identification, authentication and payment systems, discussed above, evolves we need to think about the structure of how these solutions will be offered to the market.  Are we seeking to address a social issue like crime or terrorism? Are we seeking to improve confidence?  Are we attempting to focus on the consumer, citizen and employee needs?  Or, is it all about shareholder value and the search for profit?

Like in the article discusses, my fear is Profit will create confusion and complexity.  Not more convenient and frictionless experiences.

Ten steps to making a project successful

Wednesday September 5th, 2018 I had the opportunity to speak to a Information Technology class about my ten successes and learning as a project and program manager.  Below is the presentation I used with this I hope interested room full of student of Kennesaw State University.

Project Management Kennesaw 180905

 

 

NYTimes: Transaction Costs and Tethers: Why I’m a Crypto Skeptic

Transaction Costs and Tethers: Why I’m a Crypto Skeptic https://nyti.ms/2NYYSdw

As a technologist with an understanding of cryptography and very aware that in order to remain secure and tamper proof we increasingly increase the complexity of the work to assure the integrity of what we are using cryptography to protect. I wonder why so many people got so excited about Bit coin and Blockchain. As I have written before the cost to assure the integrity of the ledgar. Be it the original work to calculate the nonce or the subsequent work to confirm that the nonce the miner calculated was the right one, there is a need to spend money buying work specific computers, renting or building a facility to houses these work units and the power to cool and run these computers.

Mr. Krugman properly outlines the challenges. He effectively focuses on two issues. The cost and the idea of tethering.

It is this need to identify the value of the coin. Governments help to stabilize their defined currency. The intrinsic value or use of Gold, establishes its value.

Understanding and being able to clearly articulate how cryptocurrencies are valued and how then can achieve the stability necessary to support commerce is essential. This is what tethering is about. How do we establish and more importantly share the nature of the valuation.

An Identifier is not an Authenticator

Not too long ago, the House Ways and Means committee learned about and understood the difference between Identifiers (such as the PAN SSN, Driver License number, Email, User name, or account number) and an Authenticator.

A recent document produced by the Identity Coalition speaks to the challenge of identity. Found on their website https://www.betteridentity.org/

One paragraph reads

As a general rule, to be useful across multiple systems a widely used identifier must be persistent, meaning that it stays constant over time. The complexities induced by shifting an identifier to one that is not  persistent – but revocable – are significant.

This is a pivotal thought and one we should embed in our thinking.

This report starts with a discussion about who can play a role and who has established coherent verification and proofing mechanisms that can be used as a root of trust.  The Social Security number, given its pervasive place among the data stored about us, became an area of focus:

There are five steps that the government should take to change – and improve – the way we treat the SSN.

  1. Frame every proposal about the future of the SSN on the basis of whether it looks to impact the use of the SSN as an authenticator, an identifier, or both.
  2. Stop using the SSN as an authenticator. Use of the SSN as an authenticator rests on the idea that the SSN is a “secret” – and that knowledge of an SSN can thus be used to prove that someone is who they claim to be.
  3. Preserve use of the SSN as an identifier – but look to reduce its use wherever feasible.
  4. Consider changing laws and regulations that require companies to collect and retain SSN.
  5. The government should not seek to replace the SSN.

As I read through these choices, I replace the acronym SSN with PAN or any other identifier and I end up with the same concern.  We have allowed identifiers to become authenticators and now struggle to replace them with something else (i.e., a token).  When what we should have done is recognized that authentication was the missing element of the identity puzzle.

The report then continues with a set of recommendations including two areas of personal interest.

Strong Authentication Equals Multi-Factor Authentication

Promote and prioritize the use of strong authentication. Inherent in any policy change that prohibits use of the SSN as an authenticator is a way to replace it with something better. Here, the problem is not just with SSNs, but also with passwords and other “shared secrets” that are easily compromised by adversaries.

Multi-stakeholder efforts like the Fast Identity Online (FIDO) Alliance, the World Wide Web Consortium (W3C), and the GSMA have developed standards for next-generation authentication that are now being embedded in most devices, operating systems and browsers, in a way that enhances security, privacy and user experience.

International Coordination and Harmonization.

This one has particular meaning to me.  My family lives in two countries, we are citizens of a third and we have lived in four.  I want to be assured that whatever the process is to authenticate our identities in one will meet the basic requirements of all.

An interesting read and one I strongly recommend we work to promote.

 

Could a US Cryptocurrency Prevent Systemic Harm to the Underbanked and Underserved?

I recently absorbed the following article  and offer the following reflections.

Frankly, it disturbed my social consciousness.

There are an estimated how many million smartphones in the hands of US consumers?

An article answering the question can now be found at this link.
http://paymentsjournal.com/could-a-us-cryptocurrency-prevent-systemic-harm-to-the-underbanked-and-underserved/

After reading the article, I thought about this graph derived from the US Census.  What income level equates to that of the un-banked?  I think of my expenses and about the expenses most people are dealing with.  Health issuance for two people in Georgia is $1,100 a month.  That’s a lot of people struggling to make sure they at least have health insurance!  If $53,700 is the median income and $13 thousand is spent on health Insurance, and then we consider all the other daily expenses we need to live: food, medicine, co-pay, gas, utilities …

Then I remember an economics report which claimed that the hourly wage required to afford a place to live in the least expensive part of the US was something just over $15/hour.  All of this causes me to ask the question – At what income do people find it of value to have a banking relationship, e.g. a card?

Those who argue that we should migrate from Cash to Card should remember the primary motivation for credit cards is directly related to the profits and revenue the banks, processors and other players who touch the flow of money earn from processing the payment transaction, and the revenues earned by lending money (i.e., a credit card) or by holding your money (a debit card).

Sure, we could propose giving the poor pre-paid cards, as some of the Government’s entitlement programs already do.  But then who will be responsible for the fees to manage the program and who will earn the interchange from each transaction?

The service fees, OK, maybe we the taxpayer will cover, given the perceived social value of supporting the poor.  On the other hand, entitlement is perceived by many to be a scheme to support the lazy, therefore many would say that the fees are part of what the entitlement should cover.

Let’s get back to the real subject at hand:  What is the most economic form of payment and are crypto-currencies the future?

In the world of cards, interchange is a cost to the merchant and revenue to the Banks.  Therefore, since merchants end up loading their processing costs into their price, the consumer pays.  Those who advocate migration away from cash recognize and argue cash has costs, for intance:

  • Cost of Employee pilferage
  • Cost to store and carry to the bank
  • Cost to handle and count

Many would agree that a card is cheaper.  Others would argue they are not.  This becomes a question of faith in your employees, the cost of a safe and a visit to the bank and the fun of sitting up at night counting your earnings.

Are crypto-currencies an answer?  At whose cost?  The nodes or miners who maintain the Blockchain need to be paid to ensure the immutability and consensus inherent in the Bitcoin model.  Someone must pay.

This begs the question: Which is more expensive to society?

  • Cards
  • Crypto-currencies
  • Checks
  • Cash
  • Coins
  • Certificates – in other words, tokens

 

 

Could a US Cryptocurrency Prevent Systemic Harm to the Underbanked and Underserved?

cryptocurrencies

A toll on the Massachusetts turnpike is $4.00, unless you can’t afford an EZPass then it will cost you $7.35*.  This article published in Convenience, the web site of National Association of Convenience Stores (NACS), points out that restaurants are also increasingly eliminating cash and that the impact this has on the poor has finally started to create some pushback in D.C.:

“As more restaurants go cashless, a backlash is building, especially in the nation’s capital, where an increasing number of fast-casual eateries are only accepting credit or debit cards and mobile payments, the Washington Post reports. Sweetgreen, a national chain, doesn’t accept cash at most locations, including its Washington, D.C., unit, while Menchie’s, Barcelona Wine Bar, The Bruery, Jetties and Surfside in the District also refuse cash payments.

‘By denying the ability to use cash as a payment, businesses are effectively telling lower income and younger patrons that they are not welcome,’ said D.C. Council member David Grosso, who has introduced a bill that would require retailers to let customers pay in cash. Chicago didn’t pass a similar bill last year, and Massachusetts has a 1978 law on the books that’s for cash payments but it hasn’t been enforced regularly, according to the state retailers association.” (Emphasis by Payments Journal)

I was unaware of the 1978 Massachusetts law described here, but clearly MassDOT and the Massachusetts legislature are more interested in how it will spend the money saved and the new revenue generated than it is in old laws. The fact that the policy to go all electronic will also increase late payment fines from the poor, perhaps even putting some in jail for non-payment, is just icing on the cake.

In our rush to save money we have ignored the systemic biases this action creates against the poor (if you doubt this statement reread the Justice Department’s report on Ferguson Missouri and how the town’s cost cutting measures created that very same bias). My dollar bill states that “THIS NOTE IS LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE” and yet nobody is considering how this is becoming less true every day and the impact that reality will have and it isn’t just the poor.

It is ludicrous to think that paper currency can survive even as everything around us shifts to electronic bits that are controlled by software. But we mustn’t ignore the ramifications of this shift. Consider what the future would be like if all payments are electronic utilizing our existing payments infrastructure. It is likely the cost burden would move from the Federal government (that prints money) to all the entities that need to send or accept money (because they pay the network and processing fees). In this scenario a) the government will see significant savings, b) the entities making a payment will see increased costs, and c) payment networks will receive increased revenue and profits.

If we would prefer to keep the status quo then the Federal government should support an electronic form of tender, establishing a cryptocurrency that replaces paper but is also recognized as “LEGAL TENDER FOR ALL DEBTS, PUBLIC AND PRIVATE”.

If not done relatively soon, say in the next 5-8 years, then every state and private payment network will be so entrenched that it would likely prove too difficult and costly to switch.

* The difference described above is for anyone driving 113 miles between Natick and West Stockbridge according to MassDOT’s toll calculator

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together.  EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience.  then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments.  The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”.  In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database.  Does it include a what you know username, email address or phone number; maybe!  If it is simply the captured image or behavior, then it is a 1 to many match.  If it is with an identifier, it is classic authentication with a one to one match.

In the pure authentication space where the relying party simply want to know it is the person they registered.  Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices.  Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem—part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protectionthreat protectionidentity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

 

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Digital Identity



Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credential in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my drivers license. She would only accept the physical document, I offered to send an image by email. Her goal to scan my identity document into the electronic patient file she was creating. The idea of an image of the drivers license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a savings, she would only have a saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion it is an all or nothing situation. Yes I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still it does not need to be recharged. My leather wallet still works after the phone’s battery has died.