Words all bound to who we claim to be – How do we identify ourselves on the Internet or in Cyberspace?

Identifier – Something you create or are provided to digitally identify yourselves. Identifiers are things like an alias, user name, email address are examples.

Identity – This is who we are or wish to represent ourselves to be. These are attributes and information about: where we live, who we work for, which banks we have relationships with, who our friends are, which clubs we belong to, our certified skills, what schools we graduated from, which country(s) we are citizens of, our LinkedIn profile, Our Twitter handle, our Facebook identifier, our phone number … . It is the sum of the attributes we can and will share with others, be they individuals, governments, entities or organizations; as we establish relationships and prove to them who and often what we are.

Authentication – The method we employ to assure that you, based on the identifier presented, are who we (the relying parties) thinks you are. You are the person the relying party accepted when you registered that Identifier as how you would digitally identify yourself. By itself the method of authentication should not allow another party to be able to determine anything about your identity. Privacy is the goal. FIDO Alliance and W3C have defined standards to support authentication.

Verification – The process of confirming that the secret or biometric match the secret or biometric that where originally registered to that Identifier.

Identification – A means of authentication that is bound to your identity. A EMV payment instrument “Chip and PIN”, a PIV card, an electronic passport, a membership card, a drivers license, a national ID are all forms of identification issued by a party that should be trusted to have performed a proof of the individuals Identity, based on a defined and often published criteria.

This particular word, for many, has an alternate meaning. In the biometric community they see Identification as the ability to use a biometric to determine ones Identity. This is achieved by performing a one (the person present) to many match (persons registered). The goal is the same, bind Identity to the mean of Authentication by using the Biometric as the Identifier.

Proof – The method a relying party or an individual uses to validate your claim of a specific Identity. In many cases this is achieved by relying on knowledge of another party. The relying party accepts the due diligence to proof your claimed identity was done to their satisfaction by another party. This other party is often referred to as a Trusted party. This effort to proof the identity of an individual is linked to words and acronyms like KYC “Know Your Customer”, ID&V “Identity and Verification” and Self Sovereign Identity. We classically assume that documents provided by a Government e.g. drivers License and Passports are a solid proof of the claims asserted on those same documents.

In a digital world this is the most important element of a how we as people, entities, governments and corporations can be assured that you are who we believe you to be.

I am once again am reminded of the 1994 New Yorker Cartoon

The challenge of voice recognition and the need for multiple modalities to the question of authentication

A Good Mimic Can Bypass Voice Recognition Authentication, Research Suggests

The idea of voice many see as one of the more interesting biometric solutions as seen from an ergonomic perspective and something that can readily enhance the call center consumer experience and related security. The user simply needs to say something into a microphone (telephone) and presto they can be identified or authenticated.

But is it a safe and secure approach or simply the starting point for the identification and therefore associated with additional authentication processes.

Personally I am not convinced a voice is a good solution to the challenge of authentication. Yes, as one element of a multi-factor multimodal approach it is an excellent modality. But not as the only biometric modality. My fear emerged from a conversation with a sound engineer. She told me they could, at the level of a single vowel, splice and change the intonation of a word in a movie sound track.

The above article clearly identifies real world examples of voice biometrics being fooled and concludes by remind us that a multimodal solution is essential.

Classic Multi-Factor Authentication wants to pair multiple unique and none replicable elements together.

Some thing you have
Some thing you know
Something you are

When I think about multi-factor authentication I wonder what would happen if the object “what you have” can be stolen. This therefore means the second factor must to assure that only the legitimate user is presenting the object. If a mime can replicate a voice, after stealing the object, then, this combination of factors can be compromised.

EMV, when implemented as Chip and PIN, matches a unique chip card (what you have) with a PIN (what you know). Apple Pay is EMV and stores the secrets and executes the cryptographic functions, inside hardware, the Secure Enclave (what you have) and combines this with a sensor to capture the Biometric (what you are). The electronic passport ICAO use similar chips and carries within it a facial image. The US PIV & CAC cards uses the same style Chip and are paired it with a fingerprint and sometimes also requires the user to enter their PIN.

Yet are they truly secure? We know Apple X’s, facial recognition, as currently implemented, can be fooled. We know that Touch ID was spoofed. Without liveness testing, most if not all biometrics, will accept a clone or replica of the biometric it employs.

The challenge is establishing the appropriate benchmarks for the various biometric implementations such that enterprises, governments, merchants and corporations can select and implement a consumer experience that satisfies the needs of security and convenience.

Acronyms like FRR, FAR and PAD become critical to selecting the appropriate implementation of a biometric solution.

The False Reject Rate or FRR is all about convenience and not refusing the legitimate user. Perfection is a ratio of 0 in ∞
The False Accept Rate or FAR is all about not approving a transaction or event by an imposter. Perfection is a ratio of 0 in 1
The Presentation Attack Detection or PAD is all about addressing the reality that anything can be duplicated; therefore it is essential to make sure the biometric presented in alive and genuine. Perfection is a ratio of 0 in 1.

The challenge is establishing a balance between the cost and the acceptable FRR, FAR and PAD.

Measuring and establishing the test results of a particular element of a multi-factor solution is not cheap. EMV, PIV, ICAO software and “Secure enclave” / “Chip Card” / “Secure Element” suppliers spend 100’s of thousands of dollars developing and certifying the functional and security characteristics of the “what you have” element of these solutions. We know that passwords and PIN can and have been compromised with Phishing attacks and hidden cameras.

When we think about biometrics there is complexity in the read and match processes. When the user established their identity and their biometric the reference template is create. This reference template is then used in the matching process to identify if template resulting from the biometric just presented, is the same. Unfortunately reality dictates that each presentation of the user’s biometric will generate a unique result. This unique result will never absolutely match the reference template. Hence the need to understand and test the sensor and establish its FRR, FAR and PAD. The more foolproof the match must be, dictates the complexity of the solution and the number of different individual needed during the test process to establish the sensors FRR, FAR and PAD.

Therefore selecting the most appropriate solutions means quantify the risk of the event or transaction and measuring it against the cost and certified characteristics of the authentication mechanisms.

A layered approach that combines two or more factors must also considered including multiple modalities for at least the “what you are modality” is what we must consider. Using cryptography and hardware to address what you are, Passwords and demographic information to match what you know and layering various elements like location, behavior and some set of biometrics to understand who you are, will offer the highest level of security with the lowest degree of inconvenience.

Bottom Line Multi-Modal & Multi Factor

Authentication of Identification is what we must implement

Always mindful a modality will lose its ability to assure uniqueness

Over time.

We must take care when we speak or sell the power of that which may not be

I always enjoy reading the words David writes.

This particular post creates a moment to reflect. As we consider the implications of the Fourth Industrial Revolution, we must remember the significance many have attributed to Artificial Intelligence. Those two letters AI are clearly key to the what, why and wherefore of the change ahead.

Clearly machines that work faster, search deeper and are capable of studying vast realms of data are changing the nature of so much. Simply consider the risks to our security cyber hackers and terrorists wrought on this world or the shenanigans many claim the Russians use to disrupt as they explore and exploit the power of social media.

Moreover as we look afield many industries are being disrupted: movies, books, music, news … to name few. Outsourcing and robotics is changing the nature of work and the skills necessary to compete and ultimately survive to enjoy the pleasures available in our increasingly digital world.

David makes the point that the intelligence Isaac Asimov and other science fiction envisioned has not yet emerged. I think he is right. The message I take aware -we who market these solutions should walk forward with care.

People are clearly feeling threatened by the change impacting their towns, families and livelihood.

We must be mindful that complexity breeds confusion. Confusion drives disillusion. This then causes people to react, often in nonsensical ways.

Take On Payments

Federal Reserve Bank of Atlanta

How Intelligent Is Artificial Intelligence?

Posted: Nov 27, 2017 10:51 am

At the recent Money20/20 conference, sessions on artificial intelligence (AI) joined those on friction in regulatory and technological innovation in dominating the agenda. A number of panels highlighted the competitive advantages AI tools offer companies. It didn’t matter if the topic was consumer marketing, fraud prevention, or product development—AI was the buzzword. One speaker noted the social good that could come from such technology, pointing to the work of a Stanford research team trying to identify individuals with a strong likelihood of developing diabetes by running an automated review of photographic images of their eyes. Another panel discussed the privacy and ethical issues around the use of artificial intelligence.

But do any of these applications marketed as AI pass Alan Turing’s 1950s now-famous Turing test defining true artificial intelligence? Turing was regarded as the father of computer science. It was his efforts during World War II that led a cryptographic team to break the Enigma code used by the Germans, as featured in the 2014 movie The Imitation Game. Turing once said, “A computer would deserve to be called intelligent if it could deceive a human into believing that it was human.” An annual competition held since 1991, aims to award a solid 18-karat gold medal and a monetary prize of $100,000 for the first computer whose responses are indistinguishable from a real human’s. To date, no one has received the gold medal, but every year, a bronze medal and smaller cash prize are given to the “most humanlike.”

Incidentally, many vendors seem to use artificial intelligence as a synonym for the terms deep learning and machine learning. Is this usage of AI mostly marketing hype for the neural network technology developed in the mid-1960s, now greatly improved thanks to the substantial increase in computing power? A 2016 Forbes article by Bernard Marr provides a good overview of the different terms and their applications.

My opinion is that none of the tools in the market today meet the threshold of true artificial intelligence based on Turing’s criteria. That isn’t to say the lack of this achievement should diminish the benefits that have already emerged and will continue to be generated in the future. Computing technology certainly has advanced to be able to handle complex mathematical and programmed instructions at a much faster rate than a human.

What are your thoughts?

By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

Europe Led the way with EMV yet Europe appears to prefer cash

Europeans still love paying cash even if they don’t know it

Interesting to reflect on how much we allow Europe to lead as we think about EMV and the technology we use to secure our payment cards. Maybe American’s need to embrace and take over the management of these key standards that drive an economy.

Identity and Payments

A presentation provided at the December United States Payment Forum to an audience of 50 plus individuals

USPF-Dec-2017- Identity_and_Payments

Digital Identity

Words to ponder as we think about the best way to secure our digital persona.

Identifier – A text string we use to uniquely identify ourselves to a relying party, person, government, employer, club or entity we wish to have or need to maintain a relationship with. This group of entities hereafter will referred to as a replying party.

Identity – We each are unique and have attributes

Verification – A process the entity we seek to establish a relationship with uses to determine the truth of the attributes we share. One could argue this is or should be a mutual process. Many call this identity verification or identity proofing.

Registration – When we take these three words identifier, verification and identification and think about the first time we present ourselves to a relying party in the global digital environment. We typically present ourselves through a user interface to the entity we are interested in establishing a relationship with. We register and the relying party creates a record of our existence. They seek to recognize and record our identity.

This process typically requires us to invent or the relying party to present us with a unique identifier and agree to identify ourselves with this unique string, often called a user name, email address, bank account number, social security number, employee id, passport number, drivers license number or payment (card) account number ‘PAN’. The ultimate goal of registration is for the relying party tonassure themselves we are unique and that the attributes we share are linked to our person. They verify our identity.

Today the challenge is to find an efficient, convenient and none intrusive method of Verification.

Authentication – We exist, we can be recognized and are able to present oneself over and over again to the relying party, using our identifier. The challenge is how do we prove or assure our identity to the relying party each time. We need to authenticate ourselves.

Identification – Many confuse the dialogue above with this word. The difference is how we present ourselves or better said how the relying party expects us to present ourselves.

With the wide use of biometrics and many of the identifier we spoke of earlier, our identifier many not simply be some random string. A biometric is personal and linked to our body or actions. This biometric can be converted into an identifier and therefore once accepted as genuine and integrates the act of authentication into recognition of our identity.

Certain identifiers create a level of assurance, because the relying party trusts the attributes it asserts based on who issued that identifier. They are willing to trust in our identity and associated attributes because of the verification done by the isuing party. It a passport, an employee id, bank card or a drivers license. The instrument has characteristic, privileges and attributes linked to the issuing party, not simply attributes associated with the individual.

As we move from a physical world to a digital world. As people seek to use our identity to present themselves as someone they are not. As we seek to separate the various relationships we establish. Requires that we find ways of assuring our privacy while securing our relationships. All this demands we find more secure methods of authentication that are convenient.

Will Wal-Mart Pay surpass Apple Pay, Samsung Pay and Android Pay

Walmart Pay to surpass from pymnts.com – from the Washington Post. – and another

To open the news and find more than a press release in fact true commentary describing the success of a merchant mobile payment solution. This is big news and speaks to the value of loyalty and the power of largest global merchants willingness to focus and innovate.

Thinking about cards

In 1991 I had to learn the difference between million dollar transactions and hundred dollar transactions. As I came to explain, when telling my life story, I had to shift my thinking from 100 transactions at a million to 1,000,000 for a hundred. This transition took me from capital markets to payment cards.

Today, I wonder about the future of the ID-1 based payment card? A piece of plastic 3 3/8 x 2 1/8 with rounded corners.

In another blog I spoke of how this ID-1 object became a token responsible to act as the first factor, something you have. Printed, encoded and embossed characteristics were the security features. Today, with EMV as the global standard for payment CARD security; cryptography and the “secure element” replace those physical security with digitally mastered circuitry embedded inside something capable of protecting those secrets cryptography requires. We digitized the payment card. What we now must do is shift our vocabulary to tokens and credentials.

We need to embrace a new way of speaking we need to think about our “Payment Credentials”.

Today, we now tap our phone to pay, we use our phone to browse the internet, we shop & book tickets with apps and we listen to music & watch movies all from this device we apparently use, thousands of times a day. For those of us who remember computers that filled floors, we now are capable of buying more powerful computers, similar in size to those same cards. Think about the Raspberry Pi, a computer almost as small as a card, not quite! Yet!

The embedded secure element integrated inside our payment cards are being integrated into phones, bracelets, rings and things. The question; will they replace the card we are now comfortable with? Yes – maybe? Will we embrace these objects as the new carriers of our payment credentials? Many hope so.

In oder to think about the probability of cards disappearing, one must begin by think about the number of cards now in circulation. In round numbers we can think about 1.2 billion debit and credit cards, 300 million prepaid cards and 300 million retail branded cards. In round numbers, 1.8 billion payment cards. We next must think about our population and how many people now carry cards – 115 million households and 242 million Americans over the age of 16, according to a recent census. We now has a numerator and a set of denominators.

The question then becomes, how many payment cards does an American want to carry and how many payment credentials will an American end up having.

I would argue a debit card and a credit card is all we need to carry in our leather wallet, purse or pockets. Those other payment credentials can easily be accessed from wallets in the cloud or in our digital objects.

Merchants can integrate payment capabilities and focus on factoring their consumer receivables, behind relationships designed to service, thrill and sell. In an App and API enables economy, cards become a burden as the experience becomes the essential component of our lives.

ICO Independent Coin Offer

Fantasy or a new reality. November 2nd 2017 I attended a conversation about the legal, accounting and tax implications of an ICO. Nelson Mullins was our host and brought their legal might to the discussion.

Language is the first concern in embracing and understanding. The first phrase requiring an appreciation is the “White Paper”. For me, this is something people or entities write to explain a concept; most often intended to educate and inform. In the world of ICOs the meaning is very different. This document is intended to explain what the entrepreneur is trying to do and what the investor is investing in. In other word the “White Paper” is the “Business Plan” or better said the Prospectus.

Next word is “Security”. Here I must admit I was out of my depth. First let’s be clear, the use of this word is not about securing something, it is about an instrument one invests in and ultimately expects to profit from. Having spent 9.

Years immersed in Capital Markets understanding what stocks, bonds and commodities are, this should have been easy. The challenge is we are trying to figure out how to not be classified as a security.

To fully appreciate the discussion one needed to be steeped in the regulations and opinions of the courts and regulators at a national and regional “State” level. What I understood, a key reason ICOs emerged is as a method to avoid the complexity of the regulations surrounding the sale and trading of securities.

Next term is “token”. Once again a term we are constantly confronted with as we move from a physical to a digital environment. I am not exactly sure what a “token” is in the context of the ICO discussion, save ti say it represents something. I appreciate it is another term one must properly framed when discussing ICOs.

With these familiar terms with new meanings it is clear, this digital ecosystem built on the complexity of Block Chain, as a technology, is either a long term transformational technology or a magical mystery tour that will end in confusion and discomfort.

The Fourth Industrial Revolution

A new term was added to my learning today The Fourth Industrial Revolution. Better said the age of Disruption.

Is the common man able to embrace the change ahead. Yes, those of us who have the education, the experience and the desire to embrace change; can fathom this new world. What of those that live in the middle – what happens to them in this new age

The Fourth Industrial Revolution – A video to help people understand the change ahead

Then in this weeks issue of the economic

http://www.economist.com/news/leaders/21730412-time-fresh-thinking-about-changing-economics-geography-right-way-help-decliniIfrsc=dg%7Ce

Money 2020 – 2017 – Las Vegas – Wednesday Digital Identity and Payments

With David Birch We asked the Question. Identity – Authentication – Identification – Authorization and ultimately verification, where are we.

Simple. We have the technology. We have the standards and more are coming. Authenticate, is done, use FIDO.

Identification with Biometrics is illuminatingly possible. Even the one I know how to spoof, Voice, with other factors layered in, does the job very well.

The challenge is Privacy and Confidentiality must be inherent while regulatory practices must be incorporated.

PA&A Money 2020 FINAL

Deciphering Digital – Your Phone is Your Wallet

Today Wednesday October 18, 2017. I had the opportunity to provide the closing keynote to the EPCOR Annual Payments conference. Today, I was reminded of the reality that payments is not only about cards it is the engine that fuels the revenue of a financial institution. ACH, Wires, Cards, checks, transfers and even cash are revenue earning services; our community banks call payments.

My speach was about the future and focused on the evolution of our phone in this new digital age we all must learn to embrace.

A look at the actors that support Internet Payments

The payment landscape is a complex space with an array of stakeholders specializing a focusing on various aspects of the processing of a payment. This diagram is oneof several used to form a backdrop to various educational sessions Philip offers to organizations and executives seeking to identify and position themselves in the payments landscape.

This particular one seeks to help people understand who the key actors to a card not present eCommerce transactions.

Citizen Bill of Cyber Bill of Rights

Created in December of 2011 as I reflected on the emergence of the Cyber Risk

My identity is mine electronic or otherwise

I will be prudent in its use

I understand if I enter into an agreement that you can prove it was me
Then I am responsible

I will carry with me an object that can be kept safe from intrusion and can easily be remotely destroyed

You, those entities human and other that I enter into a relationship with
Can offer me anything I am willing to opt-in to

Using a defined set of cryptographic relationships
I agree that a digital contract can be signed and agreed and has the full force of the law behind it

You will recognize that I am your human equal and will,
Save for acts of God and Nature,

Endeavor to provide quality and service

IoT Payments Wednesday Morning

Continuation of my running thoughts as I listen and participate at the Secure Technology Alliance.

Role of the TSP

Wearables a small part of the IoT market and to scale the vendors need to not have to worry about “Payments”.
Should device manufactures understand payments? Can they?
The TSP must appreciate its role and what it is not.
As we look at IoT we need to recognize the scale of the shift from a issuer centric to a consumer centric model. The payment credential carrier no long belongs to the Issuer.

What is the role of the Token Requestor? It provides a consolidated view for the consumer. It consolidates rhe view of all the edge devices.
Who is the ultimate revenue source? The consumer? How does one create the consolidated view with so many instances of tokens?
What is the life of a token? This then leads to the question of the relationship with the manager (issuer) of the Means of Payment.
With the pre-provisioned credential how does one manage long term life cycle.

Root of Trust

Is PKi the right approach to the necessary level of trust this emerging environment requires.
We must remember the complexity of a PKi infrastructure.
In the payment space the use of secure devices e.g. HSM was mainly on the acquiring side. Now as a result of EMV issuers became much more concerned with keys and key management.
As we move into a mobile and more broadly connected world the need to assure trust in the software, device whatever.
This discussion is very much about the value and need for HSMs.
The question is raised as to the future of PKi given the US Gov’t perspective.
And, what of the introduction of Quantum Computing and the associated risk to the available cryptographic algorithms and keys?

In-Vehicle Payments

A car can be used a place to shop, it could pay for service rendered, it can be linked to service providers. NFC/BLE/In-app and Card on File.
The car can host merchant apps.
The idea of a POS device in the car leaves me lost. Who is the seller?

Smart Cities and Multi-Modal

To address smart cities one has to think across the wider context.
What are the roles the FTA can support, becomes a question of what the cities want.
Mobility on Demand driven by the needs to reduce congestion and improve life.
Built on local partnership within the community
A recognition that a multimodal approach is necessary. A focus on user centric approaches to transport.

Multimodal Payment Integration

The challenge begins with the fragmentation of the transit environment. It is not transit it is all about Mobility.
They want a brand and system agnostic solution that is intelligent and can help better manage spend.
How large is transit, public only, 6,500 transit operators supporting 1 trillion rides per year.
The roadmap is in development, it is early days.

Wearables – lessons learned

What ìs a wearable? Do define them based of feature and function. Cloths, jewelry…
We use a wearable when we need them. Athletic, climate, entertainment or work.
These electronic wearable needs to consider the use cases that should be integrated into a limited number of devices we would wear.
Three words – simple – connected – enablements
How will we enable more specifically load the various certificates we need to access, employ and pay for.
Interoperability will become the challenge. Do we imagine a world restricted by brand / manufacturer? Or, open to a wide array of designs and capabilities then how do we get there.
Secure element
Data management & personalization
Mobile device software integration
Device life cycle management

Tokenization as a methodology ans ecosystem is essential to the growth of payment in the IoT space.

BLE of IoT Payments

The cloud may restrict what could be communicated.
BLE is “local” allowing secure application management and secure transactions.

Managing Trust and Security

Identity is the key to much.
The next question therefore it trust in the Identifier.
Authentication with what, in what where?
Life cycle management. How do you know your device been wiped clean of all your credentials.

All in a Name

IDEMIA

Here in France, we will stick to “ee-day-myah”…

An Englishmen wrote “Eye” “Dem” “e-ha

Others say “eye dim e-ha”

When the new name was launched the following explanation was offered.

As an expression of this innovative strategy, the group has been renamed IDEMIA in reference to powerful terms: Identity, Idea and the Latin word idem, reflecting its mission to guarantee everyone a safer world thanks to its expertise in trusted identities.

Thinking on the first two syllables and reference to Latin, a definition is found.

idem. is a Latin term meaning “the same”. It is commonly abbreviated as id., which is particularly used in legal citations to denote the previously cited source (compare ibid.). It is also used in academic citations to replace the name of a repeated author.

It is interesting to listen to clients, competitors and industry insiders speak of this new name.

It is the Brand that drives recognition. It is the shape and color which establishes the emotion attachment.

IoT 2017 Payments Tuesday Afternoon

Continuing the learning and commentary

IoT Payments 2017 – Austin TX October 10th and 11th

Context-based payments

Security has always been an after thought as devices were deployed and solutions were developed. Security needs to be built in as a fundamental layer in these emerging IoT objects.
Growth in fraud in online payments is typically a result of the deployment of EMV.
As we think about Dash buttons and the myriad of other interfaces that can access a card on file style shopping and payment experience we must think anew about security.
What is context? Our digital footprint as we go through our daily lives.
The growing number of IoT devices can help to establish context, which can then be used as a fourth factor in an authentication scheme.
It is all about acquiring data and building a profile, your context.
What is the unique identifier that links all the objects to the individual.

Bridging the Security Gap

Brightsight a lab focused on security looking at both physical a logical security at both the operating system and application layer.
The IoT landscape is a world of objects where to goal is sell fast. No security has been built in and the attack surface is broad and wise.
The fear of who is able to access the vast array of data available through these connected devices.
Security is about managing risk. Risk evolves over time. Therefore security must evolve to stay ahead of the current level of risk – continuous improvement.
In the world of IoT who will define the security requirements and who shall pay becomes the key question.
We should consider using Common Criteria as a baseline for the security of IoT devices.
Bottom line – the implementation of security is all about the developer and the use of already certifies components e.g. Integrated Circuit and the Operating System.

The key to top of wallet

Changing our top of wallet card is not something we are driven to do.
So many sites drive to Card on File
The objects will end up with an embedded payment within
There is a hierarchy of needs
BASIC WANTS & NEEDS
MASS & PERMITTED RECOMMENDATION
SOCIAL & RELEVANT 1REFERRALS
ON-BEHALF

As he speaks of On-behalf a document produced back in 1996 must be found
Will the IoT evolution increase consumption, Maybe?

Wearables 101

What is the connectivity
Where are the credentials stored
Is it a configurable device relative to which credentials
Types
Contactless cards and devices
The mobile ecosystem introduces the token requestor

A solid overview of the world of tokenization
The tap experience with a wearable is an interesting design experience.
A wearable is smaller and much more personal.
As seen from the payment networks

Like a card

Mobile device (secure element)

HCE

Wearable are in market today

Wearable are in market today

Risk Based Payment Security

Beth took a walk through the history of payment acceptance
The Internet of Things creates the tsunami effect on our world of risk. Both scary and empowering.
Risk is or was always about the balance between security and convenience.
Tokenization moves the authentication responsibility from the Issuer to the payment brand. In this case who has the responsibility in the event of. Has the threat of penetration moved to the payment brand.
The move to mobile devices as a result of the inherent transaction security to the registration and ID&V process.
Interoperability and security standards who controls? IoT is not a market. It is a collections of vertical and closed environments.
We need to agree on a common set of security values not necessarily on a common standard.
When we think about the wider question of the how and what of security. We need to think about the security of the device and the cloud. We need to remember it is also about the ability to spoof and acquirer the credentials of a user.
Security must be designed in from the beginning.

The day came to a close.

IoT 2017 Payments Tuesday Morning

October 10th

Random comments offered as the various speakers speak at the conference at the Hyatt Regency Austin.

MasterCard spoke of the opportunity IoT offers in this connected world and how technology can transform physical retailing.

Prof. Gideon Samid, PhD, PE.

Speaks of the use of randomness as the key to the security of the future.
The challenge of IoT is the processing capabilities of these devices.
Digital Money & Contract you cannot separate identity from the value. Cyber economics and the associated cyber security is all about setting up a scheme where for each action there is a payment for service rendered, hence an audit trail is established for each action.
What happens to anonymity in this new world where every action is identified and recorded.
Anonymity will be dictated by regulation and the political domain. BitMint embraces the controls inherent in the 4th amendment.

IoT payment landscape

A brief wander back through the way back machine as we watch time mover forward.
Samsung shared a vision of what this new world of IoT looks like.
Cars, washing machines and so much more connected and controlled.
Samsung is a Token Requestor post identity and development. The. Samsung Pay technologies now in the phone can easily be transferred into almost any device.
Gemalto was asked to address the multiplicity of devices emerging in the market place. There are just a plethora or new form factors.
The question is all about getting the key set into these devices. The aggregation model as a Token Service Manager is what Gemalto has developed.
There are two basic models the pre-personalized and the over the air personalization.
There is then the emergence of the new domestic Token Service Providers. G&D speaks of the breadth of security required for these IoT devices.
We now need to think about Life Cycle Management especially when considering payment credentials. Key to this conversation relates to upgrading and replacing the device carrying the credential.
How will the consumer figure out where all their payment credentials are.
How shall the standards evolve to support all of this new and competitive plethora of IoT objects?
We must a careful and embrace standardization to support interoperability.
Why can’t this market embraced the device and not cloud model to store the payment credentials.
We are layering security onto the existing legacy infrastructure. The payment brands are responsible to define what the rules and technology requirements.
Tokenization was created as a means of solving for device limitations by pushing the point of compromise into the cloud.
MST is a nice transitional technology, NFC is more than likely the future, at least in some peoples view.
The point of interaction bottom line the point of acceptance.

Lunch

Tuesday Afternoon

Tokenization and the search for Identification and Authentication

These two words began to fascinate me as I began to understand the value of cryptography while working through the goals we established when developing EMV and attempted to secure the payment credentials when used on the Internet.

With EMV we were trying to address the challenge of the fraud (an issuer cost) resulting from the ease of counterfeiting the token of the token which was a token of a token already.

This last broken token is the magnetic stripe on the payment card.

The payment card, in and of itself, is a token. An instrument imbued with physical security features e.g. the hologram and signature panel. Security features the merchant is supposed to check when attempting to allow a buyer, the consumer, to use the payment credential associated with the card to make payment for good and services.

The PAN is just a unique number, another token. This unique number is simply the index, The identifier within the payment credentials, which associates the payment with the underlining source of funds.

The source of funds, the PAN or Token pointing to, is then either a line of credit, prepaid balance or bank account.

The card, the hologram, the magnetic stripe and the printed security features and the PAN had reached the end of their useful life, as security features or tokens. The criminal knew how to compromise the card and associated static data.

As we entered the 90’s, the card as the carrier of the payment credential, with those physical security features, was longer a means of Authentication. These layers of authentication had been compromised. In other words the token was broken!

To address this concern, in 1993 the founders of EMV embraced the chip card and its Cryptographic capabilities. In particular, the use of symmetric and asymmetric algorithms to provide a new set of tokens the merchants (asymmetric) and Issuer (symmetric) could use to Authenticate the unique carrier of the payment credential – the token – the chip card.

On the Internet the challenge is different. The physical features of the card are not easily accessible, hence useless. In 1993, when WWW became the thing of conferences, everyone said lets think of the internet in the same way we allow merchants to sell stuff via mail and telephone. Everyone simply decided and agreed to exploit the acceptance rules agreed on for those other virtual environment, the phone and the mail.

Bottom line, in the world of mail order / telephone order and now a browser; merchant simply agrees to accept the cost of fraud, given the CARD is NOT PRESENT. Worse still how do they prove the right cardholder in present?. For the merchant, given the potential of the Internet, it is was a small price to pay.

Everyone simply accepted that be capturing the data embossed on the front (PAN, expiry date and cardholder name) and the CVV printed on the back of the card and, in some cases, using the power of AVS “Address Verification Service” a modicum of security could be factored in. At least for a time!

SET “Secure Electronic Transactions”, a cryptographic mechanism Visa and MasterCard cooked up, was developed circa 1995-1996 and deployment was attempted. The challenge, the limitations of the then deployed technologies and the inability to provide a reasonably convenient user interface. The problem begins with loading payment credentials into the browser and more importantly figuring out how to use them when shopping.

A set of great ideas foiled by convenience.

Next came 3D-Secure, an invention of Visa. This time the idea was to exploit the power of passwords and secret questions to authenticate the user.

Nice idea, well thought out; but, unfortunately not designed with the consumer in mind.

Another feeble failed attempt to develop a mechanism to authenticate the buyer. Or better put, solve the dilemma the New Yorker so aptly described

“On the Internet nobody knows your a dog”.

All this begs the question – how will we secure payments on the Internet?

3D-Secure 2.0, maybe? Or maybe W3C and the FIDO Alliance have the answer in what is called WebAuthN.

To address this question we must begin by defining the problem.

When we think about payments and we think about shopping on the internet it is all about someone or something {read issuer} agreeing that the consumer will make good on the promise to pay and therefore the issuer is willing to guarantee payment towards the merchant. The challenge, how do we confirm it is the legitimate person seeking to pay with their means of payment.

In other spheres of endeavour it’s about granting access to someplace or some website. In the physical world we have a key that we can insert into the lock or a security device {card} we can insert or tap on a reader programmed to recognize our credential and allow us access.

On the Internet, the use of a physical card with physical security features, numbers, letters, and a magnetic stripe was not feasible. Instead, we ended up employing user names, passwords, and payment encryption. Payment encryption, which secures sensitive financial information during online transactions, offers a crucial layer of protection. The user name – a unique identifier, and the password, a secret, support the identification of the person using the browser or connected device, from somewhere out there.

If we could each create and remember complex secrets, these cumbersome things call passwords. And, more importantly, never share them with nefarious individuals seeking to take advantage of our naiveté. All would be at peace in the world of security and convenience. The problem is expecting you and I to remember the myriad of complex passwords and not get tricked into sharing our secrets.

Is there an answer, I believe so and at Money 2020 October 25 we will be discussing this very topic. Wednesday Morning at 8:30 in the Titian room at The Venetian in Las Vegas on Level 2, join us as we discuss Identity is Fundamental: What You Need to Know About Identity & The Future of Money.

Philip Andreae & Associates is Open for Business

With decades of experience in public speaking, management, payments, information technology, cybersecurity, business development and marketing; Philip Andreae is available to help you and your team develop and implement your products and business strategies.