Archive for May, 2008

In response to the article published by Consult Hyperion

Conference paper: "e-ID as a public utility", Neil A. McEvoy


Universality

Interesting that as soon as you identify that I should be able to provide my identity to anyone anywhere, you state that a national government can offer such a scheme.  That is counterintuitive and fraught with the issue of achieving global standards of identification, given the bureaucracy of most national governments.

Yes, ICAO was able to agree on a template and specification for the e-passport.  Fortunately they had a template and various agreements and treaties to justify the work.  But when we start out with the basic premise that my identity is how I wish to project myself, we immediately move into a world of nuance with built-in mechanisms to embrace and resist change.  That being said, Homo sapiens have a penchant for employing tools that we morph as society and our world evolve.

Picking the right band of stakeholders to assure universality requires that at some point people abandon the idea that there is profit in defining how we will digitally represent a person's identity.  Instead, because the consumer/citizen wishes to project, or is required to provide, their identity, we leave it to those seeking to receive the information to find the profit in knowing something about me.

Having been raised in America I am drawn to the words in our declaration of independence that give us the right to life, liberty and the pursuit of happiness.  Behind these words I believe I also have the right to my privacy and do not want to learn that morphing my identity into a digital form puts my identity at risk.  The citizen/consumer must be able to decide when and what information someone is able to scan.

All of this tempers my thinking about who should be engaged in defining the global standard for digital identity.

The two-way street

I could not say it better myself.  Like my business card, a police officer's badge or a company ID card, we present these to each other to create trust between various parties and provide a degree of certainty that:

· I am who I say I am

· This is how you can locate and communicate with me

· Here is proof that I have the following rights and capabilities

Quick transaction

Very well said: the exchange of information about my identity must be as easy as handing you my business card.  Everything after that is about the context of the transaction and will parallel the discussion and negotiations between the parties.

The gadget

My only addition to the supposition that the phone is the right gadget is the reality that we are talking about something that the citizen must be able to carry most anywhere.  So it must be the one object we always carry.  Some would argue this is the mobile phone; I would suggest that we not forget the more primitive device, the purse or wallet.  Maybe as we think of identity we must also think of ergonomists and think about merging the phone into the wallet, not the wallet into the phone.  Leather is eco-friendly, warm and comfortable to the touch.  Metal or plastic tends to be brittle and cold.

The next thought in respect to the gadget is it becomes the device I trust and will protect at almost any cost.  Should I worry about how trustworthy your device is?  All I want from you is the information you wish to share and any certificates others provide you that allow me to authenticate your rights and capabilities.  My trusted gadget is what I use to share information and certificates and what helps me absorb and as appropriate verify information and certificates others offer to me.

Extensions

Yes my information is mine and what I offer to others is my choice.

Scheme considerations

I am not convinced of the need for a central register.  Yes, there is a need for third parties to attest to the citizen's identity in a way that others can trust, and therein lies the complexity of introducing a digital solution.  In fact what the citizen needs is a device they trust.  A device we trust carries the information and certificates from third parties whom the counterparty trusts, and is capable of exchanging the appropriate digital data electronically.  In order to achieve this goal we must develop and support a cascade of standards, regulations, contracts and relationships that enable global interoperability, thus assuring a meaningful means of exchanging our digital identity.

Before we go about defining the techniques that should be employed, I think we must first establish base principles.  Key must be the idea that there is no centralized register.  Instead those parties we as consumers are willing to trust and wish to position themselves as trusted third parties can build registries, recording those individuals they are willing to authenticate.  The citizen may wish to contract with an entity to provide support for the trusted gadget and the various relationships it supports. 

The author’s position on protecting privacy and meeting the needs of law enforcement is laudable yet scary.  I’d rather the protection offered by a distributed environment that still is capable of responding to directed queries from law enforcement and not blanket access to everything I or others have collected about me.

Make my gadget the gatekeeper; allow service providers and those parties wanting the security of digital identity the ability, through standards, to build affordable infrastructure to read, with my permission, data stored in my gadget.  Avoid the complexity of establishing a global register.  What we need to define is the architecture for a gadget that is capable of carrying and supporting a myriad of digital relationships with their linked need to assure proper identification.  We then need to agree on a common set of information that all sectors share.  Maybe the vCard is the base.

For more information I offer the following background and a concept for consideration.

The Promise of multi-application Smart Cards, refined to consider the device as the media

A bit of research to prove the consumer will understand

UK consumers reject mobile payments

Security is a major hindrance, says study.  Written by Angelica Mari, 23 May 2008

I must admit I am confused about the potential for the mobile phone becoming a mechanism we employ when making payments.  If I were simply to take the reaction in an article recently published on VNUNET.com, I would worry.  Yet in other articles, industry analysts speculate that by 2012 we will have evolved to employing the mobile phone as our means of payment.  As I suggested in a previous posting, there is still a lot of work to do in developing the business case.

Yes, ViVOtech reports phenomenal numbers of devices installed and Inside Contactless talks about the significant numbers of contactless cards deployed.  Standards are emerging and I am sure that EMVCo will develop the necessary security to protect mobile payments (assuming you don't lose your phone).  Then there is the interesting reality that there are more mobile phone users than there are people with bank accounts.  Micro-finance and the developing world are embracing work like what Vodafone is doing to drive P2P payments to the mobile device.  Yet when will all of these experiments and trials prove that the key issues of security and stakeholder profit are addressed?

Interchange is under threat

Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

Today I sat down and read through all of the testimony and must admit that, understanding the concepts of interchange, I am troubled by the testimony provided by both Visa and MasterCard.  Neither provided sound arguments to justify interchange.  Whereas those opposed clearly demonstrated that interchange benefited the large issuing banks at the expense of the merchant and consumer.  The only testimony that offered any sound support for interchange was that offered by John Blum.  Yet he simply argued that without a fixed interchange structure smaller players would not be able to play, which does suggest the interchange mechanism, as a competitive process, is flawed.

Regulation is not the answer.  Yet, something must be done to assure that there are sufficient free market forces surrounding the calculation of the default Interchange rates.  

Chairman's Opening Statement

Witness list and links to their statements:

· Thomas L. Robinson, Vice President of Regulations, National Association of Convenience Stores

· Joshua R. Floum, General Counsel and Corporate Secretary, Visa Inc.

· Steve Cannon, Chairman, Constantine Cannon, LLP

· Joshua Peirez, Chief Payment System Integrity Officer, MasterCard Worldwide

· John Blum, Vice President of Operations, Chartway FCU

· Edward Mierzwinski, Consumer Program Director, U.S. PIRG

Alternative Payment Methods

Ed Kountz of Jupiter, in his recent blog on alternative online payments, offers an opinion that credit and debit cards were not designed for the Internet.  It is interesting to reflect back in history and remember when it was not the magnetic stripe that was important to the execution of the transaction but the numbers printed on the front of the card, which a merchant could simply say into a phone or type on their telephone keypad to get an authorization.

Move to the Internet and, instead of asking the merchant to type in the account number and expiry date, we ask the consumer to fill in an Internet form.  How can one argue that ISO7810-3 cards were not built for the Internet?

Back in the day, circa 1993, when we began to think about how we would secure payments over the Internet and address words like dis-intermediation, it was clear that by any definition the ubiquitous credit card was already a vehicle for enabling eCommerce.  All the Internet did was to take the mail order and catalogue business and give it the power to become a global operation, no longer limited by the cost of a telephone call or postage.

Yes Mr Kountz is correct, there is a real issue with security and the Internet.  Yet the issue is no greater than what was faced when Card Not Present transactions started happening as telephone ordering became common place.  Did the payment associations attempt to keep up? MAYBE! 

First we saw the introduction of CVC2/CVV2 and address verification as tools to address the risk that someone who had captured the data on the face of the card could employ that card maliciously.  Not a bad solution, if the merchant was willing to make the changes to their web sites and call center procedures.

Next came SET.  Now here was the perfect solution, yet at a cost that simply did not offer anyone a reasonable return on investment, even if Card Not Present fraud was an issue.  Since then the payment associations have tried to develop a simpler yet equally secure solution called 3D-Secure, Verified by Visa or SecureCode.  The idea is sound.  The issue of adoption came down to the simple issue of figuring out how to get the consumer to go through the additional step of activating their 3D-Secure password and, better yet, remember it.  Instead, what became the reality was that they simply said this is too difficult, I don't need to buy that today, and abandoned the shopping cart.  Merchants saw 3D-Secure as a way to lose potential business, and at a rate alarmingly larger than the cost of fraudulent transactions.

So what is the answer?  Create new means of payment that are designed for the specific trading environment (mobile, Internet, Mail Order, telephone Order, face to face …) or figure out how to get everyone to work together to come up with a workable solution that exploits the power of the Visa, Discover, MasterCard and American Express Brands.

In my opinion it is about communications and working together as a team.  Not once has the merchant been asked to participate in developing more secure solutions to payments.  They are simply told through compliance and rule changes this is what they shall do. 

Maybe the new Visa and MasterCard will find that merchants are now shareholders and bringing them to the table is in the interest of everyone especially the consumer.  Or is it time for a new payment Brand that is built to serve the merchant and operated by the Banks?

Today on Payments News (from Glenbrook Partners) they posted an article referencing the hearing taking place:

Thursday 05/15/2008 – 11:00 AM
2141 Rayburn House Office Building
Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

House Judiciary Committee Holds Hearing on US Interchange Fees

As we mentioned here on Payments News on Monday, the House Judiciary Committee is holding a hearing on Thursday, May 15th beginning at 11 AM Eastern time on H.R. 5546, the “Credit Card Fair Fee Act of 2008”. As of tonight, the committee’s website doesn’t list the witnesses who will be testifying – but it promises that a live webcast of the hearing will be available.

As an editorial comment, many of us in the payments industry find the “solution” proposed in this legislation to be overly complex. Read the actual text of the draft legislation – and you may reach the same conclusion! We wonder whether the merchant community in fact would be well served by the remedies proposed. A very basic question comes to mind: “Is this the best you can do?”

The legislation that is under review can be found at http://judiciary.house.gov/hearings.aspx?ID=204

My sense is that, like Australia, Europe and other countries, the US Congress is ready to challenge the nature of how interchange is calculated and define methods of assuring merchants much reduced rates.  How the financial lobby will engage and how the associations will defend their position should make for an interesting debate.

Reported by Epaynews.com

May 08 2008 : In 2007, ATM fraud losses rose by 43 percent in Europe to €439.01 million (US$683.7 million) from €306.48 million in 2006, reports EAST (the European ATM Security Team). Most of the losses in 2006 and 2007 were due to card-skimming at ATMs, the non-profit organization says. The year-on-year increase in fraud losses was mainly due to a €173.6 million increase in cross-border losses in 2007.
“These (cross-border) losses are occurring globally in countries where all or part of the ATMs deployed are not yet EMV-compliant,” EAST says. “Domestic European fraud losses have fallen year on year, an indication that the roll out of EMV-compliant ATMs is driving down fraud.”
According to EAST, 78 percent of European ATMs are now EMV-compliant.
Card fraudsters are being forced to seek out non-EMV compliant ATMs to obtain cash, EAST says. “Incidents continue to be reported where data skimmed from EMV cards in European countries where ATMs are EMV-compliant, has been sent by criminals to European countries where ATMs are not fully EMV-compliant,” it says.
The skimmed data is used to make counterfeit cards that enable fraudsters to illegally withdraw cash from ATMs.

According to EAST, skimmed data is also increasingly being sent to countries in and outside Europe where EMV cards can be used as magnetic-stripe cards in ATMs. This takes advantage of a process known as “mag-stripe fallback”, which is designed to ensure that a card can be used even if its EMV chip is damaged or faulty.
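The mechanism EAST describes, a stripe skimmed from a chip card being replayed wherever a terminal still accepts mag-stripe fallback, turns on information the stripe itself carries: the three-digit service code in Track 2. The Python below is an added example, not part of the Epaynews/EAST report or of this blog. It parses an ISO/IEC 7813 Track 2 record, verifies the PAN's Luhn check digit, reads the service code (a first digit of 2 or 6 declares an IC chip on the card) and shows the accept/decline choice a chip-capable terminal faces when a chip-declared card arrives but no chip can be read. The track strings and PANs are constructed test values (4111... and 5500... are well-known test numbers), and the fallback policy is illustrative rather than any particular network's rules.

```python
"""Parse an ISO/IEC 7813 Track 2 record and apply a chip-first fallback policy.

Added example, not part of the original post. Track data and PANs used here
are constructed test values, not real cards.
"""
from dataclasses import dataclass

# Meaning of the first digit of the three-digit service code (ISO/IEC 7813):
# (usage, chip declared). A '2' or '6' tells a terminal that the card carries
# an IC chip and that the chip should be used wherever the terminal can read it.
SERVICE_CODE_DIGIT1 = {
    "1": ("international", False),
    "2": ("international", True),
    "5": ("national", False),
    "6": ("national", True),
    "7": ("private", False),
    "9": ("test", False),
}


@dataclass(frozen=True)
class Track2:
    """Fields of a Track 2 record: ;PAN=YYMM SSS discretionary ? [LRC]"""
    pan: str
    expiry_yymm: str
    service_code: str
    discretionary: str

    @property
    def chip_present(self) -> bool:
        """True when the service code declares an IC chip on the card."""
        return SERVICE_CODE_DIGIT1.get(self.service_code[0], ("unknown", False))[1]


def luhn_ok(pan: str) -> bool:
    """Verify the ISO/IEC 7812 (Luhn) check digit over the full PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(raw: str) -> Track2:
    """Parse ';PAN=YYMMSSSdiscretionary?' (a trailing LRC byte, if any, is ignored)."""
    if not raw.startswith(";"):
        raise ValueError("missing start sentinel ';'")
    end = raw.find("?")
    if end == -1:
        raise ValueError("missing end sentinel '?'")
    pan, sep, rest = raw[1:end].partition("=")
    if sep != "=":
        raise ValueError("missing field separator '='")
    if not (12 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 12-19 digits")
    if not luhn_ok(pan):
        raise ValueError("PAN fails Luhn check")
    if len(rest) < 7 or not rest[:7].isdigit():
        raise ValueError("need 4-digit expiry and 3-digit service code")
    return Track2(pan, rest[:4], rest[4:7], rest[7:])


def fallback_decision(track: Track2, chip_read_ok: bool) -> str:
    """Classify a swipe at a chip-capable terminal.

    'chip'      - chip read succeeded; the stripe must not be used for authorisation
    'magstripe' - card declares no chip, so the stripe is the only credential
    'fallback'  - card declares a chip but none could be read; this is exactly the
                  path a cloned stripe takes, and a hardened terminal or issuer declines it
    """
    if not track.chip_present:
        return "magstripe"
    return "chip" if chip_read_ok else "fallback"


def should_authorise_on_stripe(track: Track2, chip_read_ok: bool,
                               allow_fallback: bool = False) -> bool:
    """Whether stripe data may go forward to authorisation.

    allow_fallback=True models the weak ATM EAST describes (it accepts mag-stripe
    fallback for chip-declared cards); the default models a hardened one.
    """
    decision = fallback_decision(track, chip_read_ok)
    if decision == "magstripe":
        return True
    if decision == "fallback":
        return allow_fallback
    return False  # 'chip': authorise over the chip path, not the stripe


if __name__ == "__main__":
    # Constructed examples (test PANs). Service code 201 declares a chip; 101 does not.
    skimmed_emv_card = ";4111111111111111=1205201123456789?"
    stripe_only_card = ";5500000000000004=1003101000000000?"
    for raw in (skimmed_emv_card, stripe_only_card):
        t = parse_track2(raw)
        print(t.pan[-4:], t.service_code, fallback_decision(t, chip_read_ok=False),
              "weak ATM accepts:", should_authorise_on_stripe(t, False, allow_fallback=True),
              "hardened ATM accepts:", should_authorise_on_stripe(t, False))
```

Run stand-alone, the chip-declared card's stripe is accepted only by the model of the weak ATM, which is the gap the cross-border skimming gangs exploit; the stripe-only card is accepted by both, since the stripe is all it has.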

How Thieves Copy Credit and Debit Cards and Drain Accounts

By ELISABETH LEAMY – ABC News

May 2, 2008—

While your ATM card is tucked in your wallet, thieves half a world away could be cloning it and using it. The crime is called “white card fraud,” and ABC News investigated just how easy it is for thieves to make a copy of your card and use it to drain your account.

It’s difficult to get an exact figure, but it’s estimated that identity thieves net an estimated $345 million this way every year. Gary Burkey of Wilmington, Del., discovered somebody was withdrawing money from his account at ATM machines in a part of Pennsylvania he had never even visited.

Criminals get people’s numbers in a variety of ways. One way they capture card numbers is by installing skimmer devices over the slot where you insert your card when you use an ATM.

They also use hidden cameras to record your PIN. Miami Beach police have actual footage from a crook’s camera in Florida that shows a victim inputting his PIN. Clear as day: 1-4-2-6.


“What makes this really sneaky, really devious, is once the criminals get the account information, they wait on it for a little while,” said Cpl. Jeff Whitmarsh of the Delaware State Police. “They replicate the cards and when the consumer least expects, that’s when they go in and hit the account.”

ABC News found the machines used to copy cards for sale right on the Internet, even though there are very few legitimate uses for them. We had our choice of 30 machines and bought one for about $500. We were even able to request priority shipping and received the package the next day.

ABC took the device to Chris O’Ferrell, an ethical hacker for a computer company called Command Information, which helps the federal government secure its systems.

We handed over an ABC News credit card and O’Ferrell swiped it so the machine could capture the information on the magnetic strip. Right away, the data popped up on the computer screen: name and account information.

With another swipe, O’Ferrell transferred it to a blank white card that came with our kit. Any card with a magnetic strip can be made into a clone — gift cards, hotel key cards, etc.

In less than five seconds, we had a duplicate credit card.

“That’s it. That’s all there is to it,” O’Ferrell said.

We cloned an ATM card too. At one point we even accidentally deleted the data on one of our source cards, but since we had a clone, we were able to put the data back on.

Once we had clones of our cards, the question was, would they work? We tried the Visa card out at a gas pump. Without actually making a purchase (we didn’t want to violate any laws) we inserted the card to see if it would get authorized.

When the “lift the handle and begin fueling” message came up, we knew our clone was working. We tested the cloned ATM card by checking our balance at an ATM machine. When the screen read “Hello Elisabeth Leamy,” that was our first clue that that one was working.

It’s a bonanza for crooks. They used to have to risk going into stores to buy pricey merchandise, which they then sold for cash. Now they can just drain ATMs. Authorities say specialized crews do nothing but hit ATMs, cashing out on behalf of other identity thieves and taking a commission. One Bulgarian gang pulled $200,000 out of a single cash machine in Florida.

More than 65 other countries in Europe, Asia and South America now use smart chip technology that makes card cloning almost impossible. But the United States has stayed with magnetic strips to avoid the cost of converting ATMs. By one estimate, we have 400,000 cash machines in this country.

“It’s totally unacceptable,” O’Ferrell said. “It makes it extremely easy for the criminals to clone our cards and steal our identities.” Experts say since U.S. credit and debit cards are so much easier to tap, U.S. cardholders have become targets.

Copyright © 2008 ABC News Internet Ventures