Category: Business

The case for Identification and Authentication

As we continue to explore the case for Identification and Authentication I share the below article.

What is becoming clear is standards are being embraced.

In the Payment space

Will it be W3C WebAuthN, 3DC and Webpayments or EMVCo SRC & Tokenization?

My guess depends on if standards bodies can play well together. EMV (contact or contactless) will remain the many stay for physical world commerce, until the App takes over the Omni Channel shopping experience. then the merchant will properly authenticate their loyal customer and use card on file scenarios for payments. The question of interchange rates for CNP will see a new rate for “Cardholder Present&Authenticated/ Card Not Present.”. In time when a reader is present I can see an out of band “tap to pay” scenario emerging using WebPayments and WebAuthN.

In the identity space

I contend the government and enterprise market will go for a pure identification solution with the biometric matched, in the cloud, in a large central database. In order to maintain a unique and secure cloud identity, they might probably make use of various opportunities that come their way (you can hover over at this website to learn more).

However, does that mean it includes what you know username, email address or phone number? Maybe! If it is simply the captured image or behavior, then it is a 1 to many match. If it is with an identifier, it is classic authentication with a one-to-one match.

In the pure authentication space where the relying party simply wants to know it is the person they registered. Then, the classic FIDO solutions work perfectly and will be embedded into most of our devices. Additionally, the use of a visitor sign in sheet synced with the security database could expedite the sign-ins of visitors. It could also see its applications with employee log authentication and verification. Or, as we’ve seen with some enterprises, the relying party will embrace U2F with be a FIDO Key, like what Yubico and Google recommend.

The classic process needs to be thought about in respect to what can be monetized.

  • Enrollment = I would like to become a client or member
  • Proofing = Ok you are who and what you claim, we have checked with many to confirm your Identity – This is where federation comes in.
  • Registration – Verification = Ok, now we confirm it is you registering your device(s)
  • Authorization & Authentication = Transaction with multiple FIDO enabled relying parties using your duly registered authentication.

How Microsoft 365 Security integrates with the broader security ecosystem-part 1

by toddvanderark on July 17, 2018

Today’s post was coauthored by Debraj Ghosh, Senior Product Marketing Manager, and Diana Kelley, Cybersecurity Field CTO.

This week is the annual Microsoft Inspire conference, where Microsoft directly engages with industry partners. Last year at Inspire, we announced Microsoft 365, providing a solution that enables our partners to help customers drive digital transformation. One of the most important capabilities of Microsoft 365 is securing the modern workplace from the constantly evolving cyberthreat landscape. Microsoft 365 includes information protection, threat protection, identity and access management, and security managementproviding in-depth and holistic security.

Across our Azure, Office 365, and Windows platforms, Microsoft offers a rich set of security tools for the modern workplace. However, the growth and diversity of technological platforms means customers will leverage solutions extending beyond the Microsoft ecosystem of services. While Microsoft 365 Security offers complete coverage for all Microsoft solutions, our customers have asked:

  1. What is Microsofts strategy for integrating into the broader security community?
  2. What services does Microsoft offer to help protect assets extending beyond the Microsoft ecosystem?
  3. Are there real-world examples of Microsoft providing enterprise security for workloads outside of the Microsoft ecosystem and is the integration seamless?

In this series of blogs, well address these topics, beginning with Microsofts strategy for integrating into the broader security ecosystem. Our integration strategy begins with partnerships spanning globally with industry peers, industry alliances, law enforcement, and governments.

Industry peers

Cyberattacks on businesses and governments continue to escalate and our customers must respond more quickly and aggressively to help ensure safety of their data. For many organizations, this means deploying multiple security solutions, which are more effective through seamless information sharing and working jointly as a cohesive solution. To this end, we established the Microsoft Intelligent Security Association. Members of the association work with Microsoft to help ensure solutions have access to more security signals from more sourcesand enhanced from shared threat intelligencehelping customers detect and respond to threats faster.

Figure 1 shows current members of the Microsoft Intelligent Security Association whose solutions complement Microsoft 365 Securitystrengthening the services offered to customers:

Figure 1. Microsoft Intelligent Security Association member organizations.

Industry alliances

Industry alliances are critical for developing guidelines, best practices, and creating a standardization of security requirements. For example, the Fast Identity Online (FIDO) Alliance, helps ensure organizations can provide protection on-premises and in web properties for secure authentication and mobile user credentials. Microsoft is a FIDO board member. Securing identities is a critical part of todays security. FIDO intends to help ensure all who use day-to-day web or on-premises services are provided a standard and exceptional experience for securing their identity.

Microsoft exemplifies a great sign-in experience with Windows Hello, leveraging facial recognition, PIN codes, and fingerprint technologies to power secure authentication for every service and application. FIDO believes the experience is more important than the technology, and Windows Hello is a great experience for everyone as it maintains a secure user sign-in. FIDO is just one example of how Microsoft is taking a leadership position in the security community.

Figure 2 shows FIDOs board member organizations:

Figure 2. FIDO Alliance Board member organizations.

Law enforcement and governments

To help support law enforcement and governments, Microsoft has developed the Digital Crimes Unit (DCU), focused on:

  • Tech support fraud
  • Online Chile exploitation
  • Cloud crime and malware
  • Global strategic enforcement
  • Nation-state actors

The DCU is an international team of attorneys, investigators, data scientists, engineers, analysts, and business professionals working together to transform the fight against cybercrime. Part of the DCU is the Cyber Defense Operations Center, where Microsoft monitors the global threat landscape, staying vigilant to the latest threats.

Figure 3 shows the DCU operations Center:

Figure 3. Microsoft Cyber Defense Operations Center.

Digging deeper

In part 2 of our series, well showcase Microsoft services that enable customers to protect assets and workloads extending beyond the Microsoft ecosystem. Meanwhile, learn more about the depth and breadth of Microsoft 365 Security and start trials of our advanced solutions, which include:

Something to wonder about

What You Have

The Two Sided Market

When we think of investing in various macro business needs e.g. revenue. We see that establishing relationships with customers to stimulate sales is why we create the goods and services, hopefully, others want.

If the buyer has something the seller wants, in exchange for the good or service they desire, then a transaction occurs. The challenge is simple, each party defines the value of what they are providing or exchanging and presto the trade occurs.

When society grows and the complexity of what each of us produces and when our needs are not aligned to this process called barter, a means of monetization is established. Society creates a trusted form of exchange – pebbles, coins, money, a promissory note or now even cyptocurrencies.

In other words, society creates an answer to enable the exchange of goods and services between parties who do not have goods and services the other party seeks in exchange.

With cash, coins or other trangible representations of value, commerce is easy. When we complicate things and worry about carrying cash and seek to buy things with debt. A need for a Network emerges.

These payment networks, by necessity, add complexity. They create the need to establish two sides to the market, one focused on the relationship with the buyer and the other with the seller.

Issuance and Acceptance. Two words to descibe the two sides of a network. It’s only when the two sides of the market have sufficient participants. Only at the tipping point, enough critical mass exists, to create a self sustaining network. This is the network. At this moment the network blossoms. If either side of the market does not achieve critical mass, the network collapses.

Any two entities familiar and trusting in the Brand, or each other, can easily establish a temporary relationship. Adding anonymity to the requirements, increases the leave of trust and recognition the Brand must establish.

In a digital environment we have to define mechanisms to share and establish trust across trillions of electrons. The two sides will not pursue understanding of nor focus on security. Until the risk exceeds a threshold unique to each party on either side of the market.

To often in the past, the idea of the individuality of the individual or the need to design security in from the beginning. Has left us with a legacy of system all needing design of custom approaches to how to integrate security with requisites necessary to capture, calculate and manage risk.

The Artifact of Trust

When a mutually trusted set of parties gives the citizen, consumer, employee or courtier a card, a device or an object and provides every acceptor with a reader capable of recognizing the trusted thing; then the two parties are in a position to establish “trust”. The consumer has a thing which is recognized and trusted by the acceptor. This is often referred to as “What You Have”.

Once the thing is recognized by the acceptor, then, the process of identification and authorizations (the transaction) can take place. The object – the artifact – carries an identifier. It possesses characteristics that establish its unique character. The object also posesses a means of assuring the acceptor the presentation of that identifier repreents a unique entity.

The simplest artifact of establishing “trust” is a hand held thing, be it a key, fob, card, watch, pendant, phone, ear piece. It does not matter what it is, all that counts is that the merchant recognizes it and that the consumer is willing to carry and present it.

Trust, for the merchant, means they can, according to the rules, recognize and authenticate the thing. They are then in a possition to pursue a temporary and trusted relationship. What can be achieved during the time the relationship of trusted is bounded, is the constrained by an additional layer. In this layer the consumer, the acceptor and any third parties address which the rights and privileges are to be granted or pursued. This is when the exchange, sale, conversation, tranaction, event or access is granted.

Two sides meet several common mediums of exchange are available.

[contact-form][contact-field label=”Name” type=”name” required=”true” /][contact-field label=”Email” type=”email” required=”true” /][contact-field label=”Website” type=”url” /][contact-field label=”Message” type=”textarea” /][/contact-form]

Digital Identity

Question for all those who advocate migration from card to electronic

We all are aware and many of us dream of a time when all of our physical identity artifacts are digital. We dream of consolidating these credentials in our electronic wallet, otherwise known as our mobile phone.

Today while visiting an outpatient imaging center, I was asked for my driver’s license. She would only accept the physical document, I offered to send an image by email. Her goal to scan my identity document into the electronic patient file she was creating. The idea of an image of the driver’s license in an email, well.

Sure the system could easily be changed to record digital credentials delivered by NFC or BLE. The first question, given the expensive medical system we have here in America; at whose cost?

Time could not be argued as a saving, she would only have saved a second or three of time to pass the card back to me.

People discuss contactless cards and contrast them to the convenience of a Mobile Wallet. What we often forget is the reality. As long as we need to carry other physical identity artifacts, the convergence of our leather wallet into our electronic device is not happening.

In my humble opinion, it is an all or nothing situation. Yes, I will add digital credentials into the mobile wallet. But, unfortunately, the leather wallet is still part of my attire.

Better still, it does not need to be recharged. My leather wallet still works after the phone’s battery has died.

Authentication or Identification

Two words Authentication and Identification.

Reading what Wikipedia had to say about authentication leads to an interesting array of discussions across a wide set of sciences and other social segments. The exploration led to a search for a definition of Identification:

  • The act of identifying, or proving to be the same.
  • The state of being identified.
  • A particular instance of identifying something.
  • A document or documents serving as evidence of a person’s identity.

Next exploring what Wikipedia had to say about Authentication leads to a much richer discussion aligned around the idea of assuring the truth of a particular attribute, someone is claiming to be true. Seeking to assure a degree of parallelism to the discussion:

Authentication is

  • something which validates or confirms the authenticity of something
  • computing proof of the identity of a userlogging on to some network

These two words: authentication and identification, some think represent the same act, yet when we bring into the conversation – privacy the two words have very different meanings.

We then have to think about the how and the what we are attempting to do.

In the physical world there are a set of situations and considerations. We will leave those for another article.

When we think about the digital world, this place were our physical presence is not present. We must find solutions that prove we are who we are without necessary needing another to vouch for our identity each time.

As a consumer we want the freedom to visit multiple sites and believe that where we visit and who we interact with is not open to all to know.

As I write, I can hear some say, all our stuff is known so why try to hide. They are correct and then they miss the concern – who knows. Not to get distracted.

Verification, a third word must enter into the discussion. In order for anything associated with only serving or sharing with a clear and identified party one needs to be able to provide Identity.

Trust – the truth of our identity

Such a big word.

This Sunday our minister spoke of Mark 5:20-43 and how we must trust in Jesus.

Her evocative sermon provoked a wider or is it broader question,

“What is Trust”.

First we must ask the classic question what does the Dictionary and Wikipedia say. This then leads us to have to think of the use of the term. Are we using it to describe a legal structure, the nature of a business, a computational concept or the name of a film, song or other human creation?

Given this discussion started as a result of a sermon, the best approach is to consider the social and emotion context of trust. Understand the sociology, psychology, philosophy, economics and systems perspective, may offer clarity to the words “we trust … “. In the first paragraph the Wikipedia authors condensed a lot of thought into a short paragraph. {formatting of my doing}.

Definitions of trust typically refer to a situation characterized by the following aspects:

  • One party is willing to rely on the actions of another party (trustee); the situation is directed to the future.
  • In addition, the abandons control over the actions performed by the trustee.
  • As a consequence, the is uncertain about the outcome of the other’s actions; they can only develop and evaluate expectations.
  • The uncertainty involves the risk of failure or harm to the trustor if the trustee will not behave as desired.

In this flow of thought it is clear this word trust carries with it risk. It assumes we are thinking of tomorrow and there is an expectation the trustee will act in a manner that is consistent with our “the trustors” wishes, hopes and desires.

Vladimir Ilych Lenin expressed this idea with the sentence “Trust is good, control is better”.

In the field I have spent the better part of my life, computers have played a big part. Be it as a tool we programmed to perform a function or task. Or, the systems supporting the products and services we sought to promote. More recently, as we look to this global village we are a member of. We think about the need to establish mechanisms to assure trust between parties. Parties who probably will never meet, in person or even by chance speak to. We must therefore establish acceptable social and psychological mechanism with machines which we inherently are wary of.

Looking to the sociology of trust set of sentences stands out

“It does not exist outside of our vision of the other. This image can be real or imaginary, but it is this one which permits the creation of the Trust.” … “Because of it, trust acts as a reductor of social complexity, allowing for actions that are otherwise too complex to be considered (or even impossible to consider at all); specifically for cooperation.”

All of this leads one to wonder how in a anonymous world can trust be established.

Trust is specifically valuable if the trustee is much more powerful than the trustor, yet the trustor is under social obligation to support the trustee.

In a social context this thought offers a view as to the dominance a position the trustee must have in society. It also frames the responsibility and the obligation established by the trustor in the trustee.

This then leads one think about Multi-Factor Authentication. MFA is emerging as the standard method companies are used to assure one of degree of “trust”. Trust in a claim of the identity of another, be it a customer, employee, citizen or recognized guest.

Is this enough? How can a company be assured of the identity of an individual? How can we, a third party, accept the claims or attributes offers when they are presenting themselves to us. Especially when they present themselves across a global digital highway, prone to the nefarious acts of those who seek to take advantage and profit.

Proof of identity therefore becomes the primary means of establishing trust in an seemingly anonymous space – Cyber Space. This need for proof of identity is the role of the Trustee. These parties who we instinctively have faith in can give us the ability to trust in the claims of identity and the associated attributes representing the characteristics, assets and relationships a person has.

For now I will stop. The next step is to think of and look at words. enrollment, proof, identification,registration, identifier, authentication, rights, privileges, claims, certificates and authority.

Mobile Payment – Thoughts after listening

Thoughts resulting from The webinar Doug King of the Atlanta Federal Reserve gave on “Future Proofing Payments”

The long standing question of the future of Mobile Payments, again discussed and again similar conclusions.

  • Will the American market embrace the idea of mobile payments?
  • Is it a question of when or a question of why?
  • Why do emerging markets embrace new ways and mature markets resist?
  • Is it all about acceptance and the merchants investment in contactless reader capability?
  • Is it an all or nothing concern?
  • Could it be simply reality, as ling need our wallet with other cards e.g. our drivers license, why eliminate payment cards from the physical wallet?

Doug touched on all of these questions. He shared relevant statistics demonstrating the slow and possibly indistinguishable grow in usage of mobile wallets. He shared the success of several of the merchant proprietary mobile payment approaches.

Which leads me down the path of another question. What is the value proposition that will ignite the use of our phone and devices as carriers of our means of payment? The possibility to create value simply with a electronic wallet carrying only means of payment, does not create an exciting proposition.

Our mobile phones and connected devices provide us with such value

We have embraced dozens of apps. They help us to navigate, shop, explore, play and learn. Our phones are beginning to become security devices, taking advantage of sensors to integrate biometrics into how we access and authenticate ourselves as we browse and explore the ever increasing digital place we now call cyber space.

There is another phenomena emerging as a result of how we are transforming how we engage. Some called it the “Uberization” of payments, the ability to make payments frictionless. A change so profound we must stop and reflect and ponder what next.

I recognize there is a repetitive theme to my musing.

When physical world merchants fully embrace the concept of omni channel and build their virtual and physical experiences to complement and augment one another, then, with the ability to integrate payment seamlessly into the shopping experience a value proposition emerges.

What is EMVCo goal with the release of their SRC framework

October 2017 EMVCo published version 1.o of their Secure Remote Commerce Technical Framework.  Today I decided to read and appreciate what they are trying to accomplish and then consider how it ties into what I remember and think we need to do moving forward.

Clearly the challenge links back to the now infamous New Yorker Cartoon.  We have not successfully established a means of assuring the identity of an individual when presenting payment credentials (the PAN, Expiry date, name, billing address and CVV.  The first attempt, still not 100% implemented, was the introduction of CVV2, CVC2 or CID a 3 or 4 digit number printed on the back or the front of the payment card.

We then developed something called SET or Secure Electronic Transactions and unfortunately the payment networks were not willing to allow Bill Gates and Microsoft to earn 0.25% of every sale for every transaction secured by SET he proposed to build into Microsoft’s browser.  Without easy integration into the consumer browser, the challenges of integrating SET into the merchant web pages and the Issuer authorization systems caused this effort to fail the death of some many other noble but complicated attempts to create a means of digital authentication.

Next came 3D-Secure, a patented solution Visa developed.  It offered what was considered a reasonable solution to Cardholder authentication.  Unfortunately, given the state of HTML and the voracious use of pop-ups, the incremental friction, led to abandon shopping carts and consumer confusion.  Another aborted attempt at Internet fraud mitigation.

Yet 3D-Secure was not a total failure.  Many tried to enhance it, exploit it and avail themselves of the shift of liability back to the Issuer.  Encouraging consumer engagement and adoption was futile in some markets mandated and cumbersome in others.

Now let’s consider what EMVCo is attempting to do with their Secure Remote Commerce Technical Framework.  As I started to read, I ran into this:

“As remote commerce becomes increasingly targeted and susceptible to compromise, it is important to establish common specifications that protect and serve Consumers and merchants.”

Clearly the authors do not have institutional memory and cannot remember the various attempts alumni of these same organizations spent time on and encouraged many to invest in their implementing.  Clearly this lack of historic context will leave some pondering the purpose of this paper.

I then read this sentence and reflect back on a recent hearing on “Social Security Numbers Loss and Theft Prevention” in front of The House Ways and Means Subcommittee on Social Security

“Over time the Consumer has been trained to enter Payment Data and related checkout data anywhere, making it easy for bad actors to compromise data and then attempt fraud.”

Once again, I stand  troubled by how the Payment Data clearly printed on the face of the card and especially the PAN, 11-19 digits, designed to simply be an identifier, was converted into an authenticator.  Like the social security number, the drivers license number, the passport number and your library card number, the PAN and other “Payment Data” was never designed to be an authenticator.  It was meant to be data a merchant could freely record.

The secure features of the card now the EMV cryptographic techniques otherwise referred to as the Application Request Cryptogram “ARQC” were meant to offer the “What You Have”  factor in a multi-factor authentication scheme.

As I began to appreciate the scope of this document, the term “Consumer Device” becomes critical.  I began to wonder if a PC is a consumer device or if a consumer device is only something like a mobile phone, watch or other like appliance.  Fortunately, later in the document, the definition clears up any confusion created by the earlier use of this term..  This said, I then wonder about the difference between what they define as Cardholder Authentication and Consumer Verification?

After reading through all the definitions, I ponder why the authors had to change terminology?  Why could they not embrace known and recognized nomenclature.  Do we need a new vocabulary?

I wondered:

If this is another attempt to create a revenue stream for the payment networks?

Or, is this the effort of a “closed standards” body to reduce the potential value of the W3C WebPayments activity?

 In search of an answer to this last question, I found this discrete comment inside the SRC FAQ.

9. Are any other industry bodies working in this area?

EMV SRC is focused on providing consistency and security for card-based payments within remote payment environments.

EMVCo aims to work closely with industry participants such as W3C to capitalise on opportunities for alignment where appropriate.

Having read bits and pieces of this and the WebPayments efforts one does wonder what is EMVCo trying to do.  We shall see?

Why do we need Tokens and Tokenization

Recently I was directed to a link http://paymentsjournal.com/tokens-work-because/ and wanted to write the author Sarah Grotta.  As I wrote the message crystallized in my head and maybe as this prior post already discussed, this idea of tokenization made me cringe.

I contend that Tokens exist because we turned the PAN Personal  / Primary Account Number, like we turned the SSN Social Security Number, into an authenticator.  One can must ask the question.  How can a random value (an identifier) become an authenticator and remain secure?

EMV works because it renders the Card unique, hence addressing the question of counterfeit, by employing the first factor of the classic MFA Multi-Factor Authentication concept “What You Have”.  EMV defined a common set of secrets and digital credentials; securely stored in a Secure Element or Chip Card.

We here in the United States decided not to implement the second factor, the Personal Identification Number or PIN, for a variety of reasons. Hence, why Lost and Stolen remains an issue or weakness in the American Card Payment environment.

Biometrics are emerging and could solve for the assurance of cardholder presence.  The challenge is how to effectively (cost and convenience) locate the biometric sensor and facilitate the matching of the sensors output to the persons registered biometric.  Let alone, how does one make sure the right persons biometric was registered and associated with the device.

In the mail order / telephone order, now cyberspace, we did not replicate merchant authentication, the first factor – “What You Have. The card, once was secured with things like the magnetic stripe, using CVV1, the Hologram and the other physical features.  We simply shifted the liability to the merchant and called it a “card not present” transaction.

People can claim all sorts of goodness because of tokenization.  They can talk about how the EMVCo’s tokenization framework describes the use of tokens in device and domain specific scenarios.  All of this, an issuer, could have done; if they, like some did, simply issued another number, a PAN, to the wife, bracelet, watch, ring or whatever other permutation they deemed appropriate.  They can talk about dynamic data.  yet what they often forget to include when they use the words “Dynamic Data” they are really talking about a cryptographic value as described in EMVCo Book 2.

Yes, this does mean the question of how the PAN and its digital credentials get deployed; has to be addressed.  This said, GSMA with EPC did offer some thoughts, last decade, when they described the Trusted Service Manager

Instead handset oligopolies replaced the MNO with the their Mobile Pay wallets.  They working with the Payment Networks and focused on control and the creation of income.  They, as monopolist will, have created barriers, restricting others from offering comparable services.  The TSP now becomes this restrictive service that guarantees the power of companies like Apple and Google, supported by their friends, the payment network operators.

The original article also spoke of the PAR; another data element merchants, processors and the industry, will have to invest in supporting.

I ask the question.

If we had assured the authentication and verification of every payment transaction
Using Multi-Factor Authentication
Why did we need to turn the PAN into a dynamic value? 

My contention, simply use the appropriate level of  cryptography.

If the Issuer or their processor is in control and understands basic EMV and Cryptography, then securing the PAN is not an issue.

Consider household financial management.  If each member of a household has a unique PAN; budget, tax preparation and understanding who spent what where is a lot easier.  The husband,wife and children should have their own unique PAN, stored in the clear in their devices and on their card.

The real requirement, my personal devices, including my payment card, simply need to be linked to one PAN their Personal Account Number, associated with the individual.  The PAN Sequence number could easily allows each device to be uniquely identified, if necessary.  The card and devices becomes the carrier of your identifier.  A thing that can be authentication as something you have.

Here is where the second factor comes in.  Is the person presenting the PAN the rightful and authorized individual? All this required, is assurance to the shareholders that the presentment of the PAN is a unique and authorized event.  This is best achieve by using either something you know or something you are to bind the individual to the instrument carrying the Identifier.

Yes, a bit of friction to assure the  consumer they are securely paying for what they want to buy

Since the World Wide Web came of age and merchants saw its potential.  The question of how to secure the Card Not Present space, this question of cardholder presence, has not been properly addressed.  Visa and MasterCard (when they were not for profit associations) created the utility of the Card Verification Result CVV2, CID or CVC2 which would be printed on  on the card and not part of the magnetic stripe, the problem the bad guys could still steal the card or get hte card number and capture CVV2..  MasterCard and Visa then created SET, 3D-Secure and now, as for profit owners of EMVCo, are proposing, maybe even will mandate, the industry implement EMV 3D-Secure.

Each, an attempt to provide some means of Authentication and Verification.

Each introducing a level of friction as a means of security.

This is the problem.  The market did not start by emphasizing the need for security by educating the consumer.  The industry needed to help the consumer understand they should care and want to securely pay for what they intend to buy.

Instead:

  • The Zero Liability Policy was adopted.
  • The merchant was more than happy to sustain a degree of lose (fraud) in exchange for sales and profits.

The result, as all anticipated would happen, was blissfully ignored and eventually they cried out about.

Fraud migrated to the weakest point
Just like water finds its way to the lowest point. 

EMV, introduced in the Face to Face card present environment, pushing the bad guys: be they criminals, state actors and terrorists to find alternate another channels for their financial gain.

EMV and now the recently published WebAuthN and FIDO specifications create effective mechanisms for Consumer Authentication.

Let us please remember – the PAN, a user name, your social security number or your email address are excellent Identifiers.  They should not be authenticators and they are not a means of “Identification”.

Let us also remember, the term Identification means that one is assured of the irrefutability of identity.

The big question:

  • Why did we have to get rid of or replace the PAN?
  • Why did we and continue to need to invent and invest in all this addition overhead?
  • Why did we not simply address authentication?

Some will argue the challenge of using the PIN or a Password, as a means of Verification, is because it is to hard to remember. Especially, if each password people use to access website, services, building, has to be unique.  Some will argue imposing friction to add security is not convenient.  Others will remind us that security is and has been a necessity since the beginning of time.

Why didn’t we when we created this great new digital shopping mall?

Bottom line each of the devices used to present or acquire the PAN, must be capable of authenticating the identity of the authorized presenter, in both the physical and virtual world.

At least these are the views of someone who believe history provides a baseline for tomorrow and tomorrow must be designed as a function of where you want to be, knowing where things came from.

 

Of NFC, Mobile and History

Today I read Karen Augustine’s  Mobile Payments Use in the U.S. Lags

As I read and reflected on what Karen wrote, I reflected on my experiences as a sagged payment consultant and executive, with international experience.

What I see is an issue of legacy and muscle memory – setting a pattern for the future.  Said another way – our history defines the boundaries of our future.

Asia did not have electronic payments.  I am sure did not want to embrace the globally dominate American solution.  Therefore, they had the opportunity to start fresh.  It is very much like what Spain went through, went they moved from cash to electronic card-based payments.  They bypassed the check.

Her article brings back memories of life in Belgium in the 90’s.  Writing a check was a rare occurrence.  Direct debit mandates, a MisterCash card and a Eurocard was all we needed to buy and enjoy life.  Electronic payments was the norm, paper checks were a rare oddity and cash, well yes there was a very present grey economy.

Here in the USA we developed our payment systems off the back of regional or state banks with acceptance networks limited to a local domain.  Moving to a national system required early adoption of a common national currency.  We then went on to replace IOUs with paper checks and store cards with credit cards.  In time we enhances the ACH system and developed support for remote deposit and check capture.

Why do we need to move the card into the wallet?  Why change habits that are comfortable and work?  Most of us drive to shop and therefore must have our drivers license.  We must carry a physical document with us.  We simply carry two or more ID-1 sized cards.

You make the statement and was once again reminded of times past.

“… universal mobile wallets and more often driven from merchant based applications that often incorporate loyalty and rewards, which to date still remain nascent in universal mobile wallets.

When I produced this rendering, back in 1996, I was on stage talking about a world where leather and technology converged.  I imaged Bluetooth, NFC, secure elements, GPS and our various credentials converging into this personal device.  Those credentials grouped into: travel, identity, membership, loyalty and payments; easy to find and present.

When contactless payments were  introduced, in 2004, by Visa’s with PayWave and MasterCard’s PayPass; I argued why contactless cards – how can the issuer afford the extra dollar per card (cost of the antenna and inlay) and the merchant the extra 60 dollars to enable the NFC reader?  The way Issuer income works, “Interchange”, the consumer would need to spend more on that issuer’s card.  For the merchant to justify the necessary POS investment, meant the retailer believed the consumers would spend more, because it was “easier”.  Was Tap To Pay going to make me spend more.  Maybe for small ticket purchases, I may use cash less; but at the merchants expense!  We argued the cost of cash was more than the Merchant Discount.  Some agreed.  Many wondered what the blank are they trying to sell us!

Around the same time America was exploring this contactless experience, the European Payment Council and GSMA debated and ultimately offered an approach for mobile card based contactless payments https://www.europeanpaymentscouncil.eu/sites/default/files/KB/files/EPC220-08-EPC-GSMA-TSM-WP-V1.pdf .  Handset manufactures like Nokia had already added NFC Antenna’s to their mobile phones and mobile network operators, the MNO, saw the SIM as the secure element capable of holding payment credentials.

Some tried, the Trusted Service Manager as a service was developed and deployed.  The challenge, the economics of the model.  In this case the MNO saw revenue and wanted to charge fees to load the payment credential into the phone and better yet charge rent to store these payment cards in our phones.  Again I ask the question, by changing the way we pay, do I cause us to want to spend more? I think not!

Maybe some would argue, with  a credit card people am able to buy things today that they cannot afford.  Let them end up in debt.  This is true.  But then is debt  at 18% a good thing?  Europeans simply decided to establish a line of credit, as a feature of a Current Account, at reasonable interest rates.

We could go on and talk about how Apple saw the possibility of a 0.15% income stream from ApplePay based mobile payments and how the EMVCo tokenization framework evolved to support their desire to protect the Apple Brand.

What is clear, we could solve George’s problem and replace his Full Grain Vegetable Tanned Cow Leather leather wallet with a Mobile Wallet managed by Apple, Google, Samsung or …

Or, we could think about the consumer and what they really want?

As your article made clear, and so many others have shared, Asia leaped forward.  Be it AliPay or WeChat, the device, the mobile phone, became the consumers wallet, their method of engaging, shopping, learning and exploring.

We need to accept to simply replace what we are comfortable with, with something new; which does not enhance our experience, is simply not worth it!

Many of us, like Karen, would argue the experience of shopping is what the mobile phone can enhance and let the act of payment become the afterthought.  A simple click to say – yes, I agree to pay.

Amazon got it right with One Click.  Others, as the patent expires, are embracing the same technique to simplify payment to a friction-less act of satisfaction.  When my favorite stores offer me an mobile app designed to enhance my shopping experience, to thrill me with offers and entice me with things I want; then yes I will become more loyal, I will shop at their store more frequently and maybe even buy a few things I did not intend to buy.

Many years ago while attending conference of groceries  in Abu Dhabi – one of the speakers share an experience.  when that supermarket executive instructed each store to put the beer across from the diapers, the intended result occurred.  The husband, sent to get the diapers, ended up buying  a six pack too.

Maybe, like this experience reveals, if we focus on the consumer experience and on delighting them.  They will embrace change.

If there is no value why should we?

Years ago I prepared and published an idea.  I called it Cando.  I was still committed to the idea of the mobile wallet.  I was an early adopter of the smart phone and saw its potential.

 

Cando

Block Chain. Hype, the future, fiction or a scheme?

A month or so ago I was asked to speak to an assembly of bankers and processors at the Atlanta Federal Reserve on Cryptocurrencies and blockchain.

 Yesterday over a lunch I ended up synthesizing my thoughts into a neat little package that I would like to start sharing.

Those who extoll the virtues of Block Chain  speak of:

  • Immutability – Cryptographers and mathematicians will prove the immutability of the algorithms, at least for now
  • Distributed – as long as there a multiple diverse and competing stakeholders this is great
  • Trustless – I keep asking the same question Who defines the content of the Block or the ledger or the transaction?  Everyone ultimately agrees a body of people and I sit there and say that sounds like a governance model.  Be it a currency, a ledger, a contract two or more must agree to structure format, content and rules.
  • Consensus – Great as long as we never exceed the 51% participation by A party, the model is superb.

I then think about Work and the reward

Be it Proof of Work or Proof of Stake the entities that do the work are intermediaries and will want to be rewarded for their work.

Then one must think about shifting from a solution that rewards someone with a coin to a system that rewards someone with a fee earned.

I then reflect on Bit Coin and its use of Proof of Work

Coins are created by the party who figured out the Nonce, as a reward for solving the cryptographic puzzle.

  • Once they earned 25 Bitcoins
  • Today they earn 12.5 Bitcoins
  • At some point, in the future, the reward will be cut in half and then half again

The challenge

As the chain gets longer the work gets harder

As time moves forward and the number of coins in circulation grows

The reward decreases in notation value. 

Sounds like inflation is built in. 

Real estate, computers and electricity cost money. 

As the work expands the costs increases!

In conclusion

There is inherent Inflation built into the Bit Coin Model.

We simply replace intermediaries with Nodes and Miners.

We require a governance model so we simply change the governor to another.

People will want to be paid for the work they do to build the block or assure consensus of the chain

What is truly revolutionary? 

The math, ok maybe. 

Immutability, it is done today with cryptography, without a block chain.

Multiple copies of the ledger spread around the world.  Yes, as long as we address confidentiality.

We have governance, sure we can always elect a new government

What is so magical?

 

Federation and the Identity Provider

This year, one of many discussions I’ve been involved in revolved around these two foundational terms. In our digital environment and in support of an ever increasing array of people – individuals – engaging and interacting in the physical and virtual world, the questions – who are you and who can prove who you claim to be – becomes a critical element of establishing business and social relationships.

“Once Upon a Time” we lived in villages and knew our neighbors. When we travel afar, we would go with a letter of introduction from a Lord or other important, known and recognized person. A credential signed and sealed would assure safe passage and presented as. Proof of Identity upon arrival. Trusted identify established via a signed and sealed inside a Letter of Introduction.

Federation is a mechanism to convey a proof of identity in a digital world.

of Tokens and Things

Things, now there is a big word.

  • I am a thing
  • It is a thing
  • I know a thing
  • Things must therefore be anything

The dictionary rambles on about things.

Tokens, What is this thing?

Tokenization why is everyone so excited?

Tokenization and the Search for Identity

The belief in tokens emerges from the need to address security in a world where an identifier becomes an authenticator.

The PAN on the front of a ID-1 Card defined and governed by the International standard IS)/IEC 7812-1. When it was originally conceived there was no desire to turn the PAN into PII Data. They simply wanted the PAN to be an index, “a pointer” “an Identifier”, to an account, or relationship, a card issuer (financial institution) created between itself and the cardholder. In our quest to take advantage of the telephone, the mail and ultimately the internet as a set of sales channel. The Payment System actors agreed if the card acceptor “merchant” would accept liability. Then, they could simply use the PAN, the expiry data and cardholders name to effect a card payment. This acceptance of liability was an acknowledgement they could not inspect the card and verify that the physical security features where present, hence the token was not present to be authenticated.

Society in its infinite wisdom followed another path with the Social Security Number. A number originally designed to act simply as a unique value representing each person here in the United States. Unfortunately, as is often true, we took the short cut, assumed this number, stored on hundreds of databases and recorded on an equally large number of forms, could be used to authenticate that you the individual was present.

mysteriously and without thought society allowed these numbers to take on values they where never intended to assume. They became “secrets” number that if known to another could be used to take over our identity. They can make payments in our name. They can apply for loans and take over our financial assets without the true individual being the wiser.

Those that seek to profit and do not share societies morality find ways of taking advantages of our desire to cut cost and reduce friction. They create near perfect counterfeits of these tokens, they take advantage of our naivety and they seek to disrupt and profit.

We could do as we have often done in the past – replace the token with a token. We could claim by tokenizing these identifier with another vale we were adding layers of security. We argued that if this new tokenized value could only be used by that merchant or with that physical device; security would be restored. The question how long would that new think provide the security its champions claimed it would offer.

Payment Card Construct and Dual Interface Deployment

Payment Card Construction

The discussion focused on the construction of the sandwich. Four layers. Clear front laminate to protect the ink, front with the banks design and brand logo, back with the banks back design and a clear laminate with the magnetic stripe integrated into it.

To enhance design additional layers may be added, such a metal foil.

These four sheets are then bonded together, at 120 degrees, in sheets of 21, 36 or 48 or other various sheet sizes. Next step punch out cards, add hologram and signature panel.

For a standard EMV card the next phase is to mill and embed the module with the chip inside. Last, the manufacturer typically loads the O/S & EMV application into the integrated circuit card.

When we move to dual interface caed, this process is modified to add an inlay, with the antenna embedded within. This inlay is inserted in the middle of the sandwich and during the embedded process the contacts exposed on the base of the module are connected to the antenna in the inlay.

Next step, personalization, when the appropriate data is loaded into the chip, along with the encoding of the magnetic strip and printing and/or embossing of the cardholders, name, expiry date, cvv2 and other information onto the card.

Contactless or Not That is a Question

Contactless NFC acceptance and dual interface issuance is all about the chicken and the egg. Who will go first? The merchant or the issuer? Each need each other. Both are wondering about the incremental value.

  • Faster transactions – Yes
  • Less cash – maybe
  • More revenue – good question!
In other parts of the world, transit and their choice of contactless, as the right answer to a more efficient fare collection solution is driving conversion. In other, markets a group decision to adopt or a desire to find the next great thing drives the market. Here in the USA, we have a less than successful history of contactless. Let’s not forget PayPass and PayWave, it was tried the middle of the last decade, to little or no success.
We have Google and the FinTech world looking to mobile payments as the next great adventure. Merchants, like Wal-Mart, are resisting NFC acceptance given their own plans for QR based wallets and desire to limit the sharing of data with competitors.

Given these questions and observations, one can only wonder.

Financial Trade Groups Write to House Leaders in Support of Data Breach Notification Bill

https://bankingjournal.aba.com/2018/02/financial-trade-groups-write-to-house-leaders-in-support-of-data-breach-notification-bill/

February 28, 2018

 The American Bankers Association and six other financial trade organizations wrote to House leaders today underscoring the need for businesses across all industries to be held to the same data protection and breach notification standards currently adhered to by regulated financial institutions.

The associations expressed support for draft legislation released by Reps. Blaine Luetkemeyer (R-Mo.) and Carolyn Maloney (D-N.Y.) that would create a level playing field of nationally consistent data protection standards and post-breach notification requirements. This bill would not create duplicative standards for financial institutions which are already subject to robust standards, but rather extend similar expectations to other sectors that handle consumer data.

“The goal of the bill is simple — raise the bar so that all companies protect data similar to how banks and credit unions protect their data, and create a common-sense standard to ensure consumers receive timely notice when a breach does occur,” the groups wrote.

The draft bill contains a provision that recognizes the existing, effective regulatory framework for covered financial sector entities.  While the provision was intended to prevent banks and credit unions from being subject to duplicative notification requirements, it has been the target of recent negative campaigns circulated by the National Retail Federation and the Retail Industry Leaders Association, which incorrectly suggested that banks do not notify customers of breaches on their computer systems and   The ads from the retailer groups also mischaracterize and exaggerate the share of data breaches occurring at banks and credit unions while omitting their members’ (higher) share of data breaches.

The financial trades refuted the notification assertion, noting that “banks and credit unions have long been subject to rigorous data protection and breach notification practices for financial institutions to follow,” and that in the event of a data breach, banks and credit unions work continuously to communicate with customers, reissue cards and enact measures to mitigate the effects of fraud. They added, however, that “no solution will work unless everyone has an obligation to take these steps.” For more information, contact ABA’s Jess Sharp.

The management of our identity

A few weeks ago I learned of the Sovrin Foundation a foundation interested in establish a concept to support the idea of a self Sovereign means of identity.

As an advocate for stronger forms of identification and more important Authentication I am pleased to have received your response today.

Back in 1993 I was part of Europay and drove the creation of the EMV specifications as a form of Authentication and frankly reflecting back a strong form of Identification with the Trust Anchor being the Financial institution issuing the card and the foundation anchor being the payment network that the issuer used to assure acceptance globally.

In 2013 I joined the Board of the FIDO Alliance and eventually become the Secretary of that Board.

Today I am engaged with a company called IPSIDY, that is promoting and selling Identity as a solution.

Clear the conversations we are having include:

  • Device based versus centralized biometric authentication
  • Identification based on a central repository of Biometrics or a simply identifier linked to a means of authentication
  • Claims and assertions one points (URL) to or those that one has in their own possession
  • Repositories or Distributed databases of information
  • Privacy of attributes and rights to defining what can be shared

When I ask about the future of Sovrin, I hear people saying great concept how does it scale to be useful. 

This, as was my experience in the Payments world, is the challenge of a  two sided market

  • Consumer – Merchant
  • IndividualRely Party and those seeking attributes and proofs of identity

The challenge is developing a value proposition and more importantly critical mass that will excite both sides of the market to want to participate.

To further complicate developing the market is the challenge of the “Go To Market” strategy.  Who does one partner with given that the usefulness to the citizen/consumer is predicated on the number of parties or places this solution, token or Identity with a set of sharable attributes can be usefully used.

 

This is the question this is the challenge.

 

A Shift from Check-out to Check-in will reshape the way merchants engage with their consumers

Think Uber, think order ahead, think account on file. With these ideas in your mind think engagement and Omni channel. Then consider the need of merchants to assure revenue by delighting and engaging with their customers in meaningful ways. Their focus, increasing basket size, more frequent visits and loyalty; in other words increased sales.

Then remember, Check-out is about friction, payments and long lines. These characteristics merchants seek to eliminate, reduce the cost of and enhance the experience around.

If we think Check-in, using big-data, geo-location, BLE, facial recognition, consumer centric apps and other techniques, we can image a world where human and device based personal assistants engage with the merchants loyal customers in a friendly, informed and satisfying way.

For payment people this means we need to remember that merchants want lower cost payments and friction-less check-out.

Bottom line, for loyal customers solutions that retain the payment credentials securely in the cloud. For one time and infrequent customers, they will look to incent loyalty and registration or simply accept classic means of payments e.g. cards.

This drive to move from recording a loyal customers visit to engaging when the customer arrives or better yet when they are doing their research is what we the consumer seek.

We are all about saving time, enjoying life and satisfying our needs and wants. Merchants that focus on the customer and their shopping experience will succeed and prosper./ Those that do not focus on delighting their customer will learn.

DIY the Cyber Guy a conversation about Bitcoin and EMV 

https://www.voiceamerica.com/promo/episode/104814

A interesting discussion withDavid the the Cyber Guy.  We spoke of the inherent risk of Bitcoins and the essential issue of the secret and a BitCoin folders resoponsibility to make sure they never lose the secret.

We then wandering off to talk about EMV or Chip and Pin.

Always a pleasure to work with David.