Here's how I visualise these sums of money. If you stack up $100 bills, tightly pressed, to a metre in height, you will have around a million dollars.
Take that stack and lie it down, and keep layering $100 bills in a big long worm. Do this for a thousand kilometres (say from London to Glasgow and back again) and you will have yourself a trillion dollars.
23 Jul 2009 08:56
I'm very very concerned by any formulation of the identity management challenge that builds in biometrics like this. It is just not true that "the ability to verify the identity of an individual ... is only possible when using a biometric".
The biometrics industry is awash with hype and brand new R&D hot off the bench, but very light on actual performance specs. In security, brand new products are actually regarded with suspicion by the professionals, so it surprises me that biometrics advocates keep foisting new technologies on us. Robert's blog mentions several options; some are unproven, some aren't even commercially available! Handwritten signature verification was a flash in the pan in the 1990s. DNA gets mentioned with monotonous regularity but there is no affordable DNA based authentication system on the market (portable forensic DNA labs used to identify disaster victims are as big as shipping containers and take hours to generate results). And as for gait, I cannot imagine how it could be used in practical ID management.
Biometrics are soooo sexy - see how vendors use sci-fi movie clips as if there were case studies - but we need to get real about performance. There are no agreed ways to test False Accept and False Reject rates. Wild figures get bandied about like error rates of "one in a million" but they're never sustainable in real world settings. Proponents gloss over the fact that False Positives and False Negatives have to be traded off; to get false matches anywhere near 1 in 10,000, the false reject goes up to 10 percent and vice versa!
What error rate testing that does exist is subject to the "Zero Imposter Assumption". That is, biometric testing only picks up accidental matches and non-matches, and assumes that nobody is trying to fool the system. The FBI reported earlier this year that "When a dedicated effort is applied toward fooling biometrics systems, the resulting performance can be dramatically different". This is fatal. How can banking security systems be evaluated when nobody can tell us how they perform when a criminal is actually trying to break in?
Stephen Wilson, Lockstep.
08 Jul 2009 22:33
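The trade-off described in the comment above (pushing false matches down pushes false rejects up) and the "Zero Imposter Assumption" point, as an added worked example that is not from the original comment or its author: a threshold sweep over constructed matcher scores, with a second impostor set standing in for a dedicated effort to fool the system. The score values, the matcher and the threshold grid are all invented for illustration and measure no real product.

```go
package main

import "fmt"

// Constructed comparison scores in [0,1] for a hypothetical matcher: higher
// means "looks more like the enrolled user". Invented for illustration.
var (
	Genuine            = []float64{0.95, 0.92, 0.90, 0.88, 0.85, 0.82, 0.80, 0.75, 0.70, 0.60}
	CasualImpostors    = []float64{0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.55, 0.65} // accidental matches only
	DedicatedImpostors = []float64{0.50, 0.60, 0.70, 0.75, 0.78, 0.80, 0.83, 0.86, 0.89, 0.93} // someone actively trying
)

// Rates evaluates one fixed accept threshold: a sample is accepted when its
// score >= threshold. FAR is the fraction of impostors accepted (false accept
// rate), FRR the fraction of genuine users rejected (false reject rate).
func Rates(threshold float64, genuine, impostors []float64) (far, frr float64) {
	accepted, rejected := 0, 0
	for _, s := range impostors {
		if s >= threshold {
			accepted++
		}
	}
	for _, s := range genuine {
		if s < threshold {
			rejected++
		}
	}
	return float64(accepted) / float64(len(impostors)), float64(rejected) / float64(len(genuine))
}

// ThresholdForFAR is how a vendor would tune the system under the zero-impostor
// assumption: sweep thresholds 0.00..1.00 in steps of 0.01 and take the lowest
// one whose FAR against the given impostor set is at or below target. It also
// returns the FRR that threshold costs the genuine users.
func ThresholdForFAR(target float64, genuine, impostors []float64) (threshold, frr float64) {
	for i := 0; i <= 100; i++ {
		t := float64(i) / 100
		far, r := Rates(t, genuine, impostors)
		if far <= target {
			return t, r
		}
	}
	return 1.0, 1.0 // no threshold on the grid meets the target
}

func main() {
	fmt.Println("threshold  FAR(casual)  FRR   FAR(dedicated effort)")
	for _, t := range []float64{0.5, 0.6, 0.7, 0.8} {
		far, frr := Rates(t, Genuine, CasualImpostors)
		dfar, _ := Rates(t, Genuine, DedicatedImpostors)
		fmt.Printf("%.2f       %.2f         %.2f  %.2f\n", t, far, frr, dfar)
	}
	// Tune for zero casual FAR, then see what a dedicated attacker gets at that setting.
	th, frr := ThresholdForFAR(0, Genuine, CasualImpostors)
	dfar, _ := Rates(th, Genuine, DedicatedImpostors)
	fmt.Printf("tuned threshold %.2f: casual FAR 0, FRR %.2f, but FAR under dedicated effort %.2f\n", th, frr, dfar)
}
```

Raising the threshold drives the casual FAR to zero at the price of rejecting more genuine users, which is the trade-off; and the threshold tuned against accidental matches alone accepts most of the dedicated-effort set, which is the point about testing only under the zero-impostor assumption.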
"Is it terrible customer experience to require a non-replayable pincode for an Internet transaction?"
Well, yes, it is terrible! Static one time passcodes are totally broken in light of Man In The Middle attack. Dynamic OTPs (what's called "transaction signing" in the Remote Chip Authentication protocol) are very awkward, un-natural, and entail lots of extra data keying into the disconnected reader. Why should anyone want to deal with a second keypad, especially when different readers seem necessary for different banks?
The most universally habituated behaviour for users to authenticate themselves -- not just in banking but also in government service delivery, transport, employee security, building entry, public telephones, healthcare and so on -- is the plastic card. It's very deeply ingrained, almost instinctive: you insert the right card into a terminal, enter a PIN, and you get service. Simple. We do it every day in multiple settings, without a second thought.
We are so close to extending this habit to the Internet that I can almost smell it. There are well over a billion smartcards in circulation now, in EMV, healthcare, driver licenses, government ID and employee ID. Increasingly laptops come with built-in smartcard readers (see the Dell E6500 that has both contact and contactless readers!).
And I don't think anyone is "vilifying" magnetic stripes. That's a very emotive way to characterise the criticism. Rather, we are deprecating magnetic stripe technology. It is undeniably past its use-by date. Why waste time and money extending mag stripes further, perpetuating fundamental security vulnerabilities, when what we need across the board is a shift to better and uniform protection of digital identities?
Cheers,
Stephen Wilson, Lockstep.
28 Jun 2009 01:53
A single channel can be made secure by digitally signing (asymmetric cryptography) each transaction, using a private key in a tamper resistant store, invoked from a host machine hardened against Man In The Browser attack. The key store is easy -- use a smartcard and connected reader, or equivalent (e.g. WPKI enabled mobile device). Hardening against MITB is a bit harder but there are plenty of obfuscations that make life hard for the attacker, and the Trusted Platform may be gaining traction which ought to thwart all forms of malware.
So I suggest we should put our collective energies into elegant, robust, long term architectures, and not awkward multi-channel compromises.
27 Jun 2009 14:10
This is a good and very timely blog. The insider threat needs much more attention, because it's basically insurmountable.
In particular, security policy and security audits -- including the PCI regime -- are simply powerless in the face of the irresistible rewards to be had on the black market for stolen personal data. If organised crime approaches say a database administrator and offers a hundred grand bribe to burn 10 million account records onto a CD, what conceivable security policy could keep the insider honest? What surveillance system couldn't be subverted? Especially by the guys that put it in!
The only sensible course of action now is to prevent stolen identities from being misused, thus removing the profit motive for ID theft.
24 Jun 2009 06:14
I have to agree with the detail of Keith's arguments. However, the fact that we are increasingly drawn into these excruciatingly detailed examinations of audit processes points to a deep malaise. Empirically, PCI is looking increasingly impotent. I say bravo that the US Homeland Security Committee has asked the plain question, Has PCI compliance curtailed cyber crime?
It is unedifying to debate whether or not Heartland for instance was "really" PCI compliant. And it does the consumer no good at all when compromised institutions resort to suing their auditors. Security audit -- like any audit -- is a very limited tool for combatting crime. Audits find problems but the absence of audit findings does not mean an absence of problems. The PCI regime will help prevent accidental breaches and amateur attacks but it is surely powerless against organised crime and inside jobs.
Rather than piling on more and more compliance requirements, we need to render stolen cardholder data useless to criminals.
06 Jun 2009 03:34
I couldn't disagree more that "privacy is dead".
The chocolate bar study quoted by Robert was a crock. So people in the street revealed a password for a chocolate. The "researchers" had no idea if the password was important or even true; neither could they tell if the password was changed as soon as the person got back to their computer. The "researchers" were had!
Robert oversimplifies the human condition when he says people "think they want security, but they actually want 'easy' and free". Yes, convenience sometimes trumps security; yes, sometimes users trade off privacy for a retail reward. But so what? People are complex and unpredictable, their behaviour is not black-and-white.
He's right that security and privacy are often confused -- most often I am afraid to say by IT practitioners. Privacy is all about control of one's information. And those who cry that the Facebook phenomenon "proves" that privacy is dead are underestimating the control that is exercised by typical Facebook users. No Facebook user divulges everything about themselves; if they keep anything back, then they are exercising control over their privacy.
We should not make too much of the fact that some young people seem cavalier in social networking, sometimes revealing too much about themselves. Social networking is still very new, and the way it is used is fast evolving. The young make all sorts of mistakes, and come to regret some of their actions. They take risks -- which is why we don't let 20 year old males set road safety policy. None of this means privacy is dead. And it certainly doesn't give licence to commercial operators to take the private information of others into their own hands, as we’ve seen some try to do from time to time.
02 May 2009 11:10
Thanks for all that detail Marite, but it's a strawman.
You asked rhetorically at the start whether EMV can fix a particular fraud problem. You said no.
One of the weaknesses in your argument was that you conceive of "EMV" cards as still having magnetic stripes. So to be fair, EMV (chip) really would fix the problem.
Then you changed tack, and argued that EMV is hard to get going in the US. Fair enough, yet the answer to the question "Would EMV fix the fraud problem?" is still yes.
We need to separate the technical issues and the business issues in these debates. Most online identity fraud modalities are based on the same underlying vulnerability: personal data (the lifeblood of e-business) is replayable, and receivers find it difficult to tell the data's pedigree. To fix this problem properly we need new ID technologies. If the business case for switching to new technologies cannot yet be made, then so be it. In the interim, you can try to squeeze more life out of magnetic stripe cards, or try other stop-gap fixes. But if you're trying to position some alternative to chip, then you need to be clear about how it compares on business criteria and how it compares on technology criteria, and not get them all mixed up in a messy and exaggerated anti-EMV rant.
19 Mar 2009 23:01
OK, so the answer to the question "Is EMV the solution to this problem?" should be YES! Take away the mag stripe and the vulnerability is mitigated.
And when you say "cloning or tampering of the chip is not impossible" without being able to point to an actual attack, then all you're doing is spreading FUD. Any security technology can be said to be vulnerable. That's just a statement of the bleeding obvious. Yes, when EMV penetrates fully, criminals will concentrate on the chips. But we all know that, and smartcard manufacturers have a long history of knowing and responding to threats (like differential power analysis, and timing analysis attacks).
Smartcards are smart; they can tell what's going on around them, and can be programmed and upgraded to respond to threats. They provide a platform in which we can respond to criminals' attack modalities as the arms race evolves. Mag stripe technology on the other hand is a dead end. I'm surprised anyone would advocate extending it any further.
19 Mar 2009 00:12
Marite wrote:
Is EMV the solution to this problem? [As] long as there are POS or ATMs that accept mag-stripes, then the answer is no. This is also assuming that the chip cannot be cloned or cannot be tampered with. But just as the SDA has been subverted which prompted the French issuers to upgrade to DDA, cloning or tampering of the chip is not impossible.
Two things.
Firstly, to say that EMV doesn't fix the problem because ATMs still accept mag stripe is to misrepresent EMV. The whole point of chip is that mag stripe is insecure. Issuing cards with both EMV and mag stripe is a simple tradeoff of accessibility vs. security. The weaknesses in that hybrid system cannot be blamed on EMV; rather, they prove the need for chip, don't they?!
Secondly, there is no absolute assumption that EMV chips "cannot be cloned". The important thing is that they are much much harder to clone than mag stripe. Nothing is perfect; there is an arms race going on. Marite seems to think the upgrade from SDA to DDA is a sign of insecurity, but really it was a sign of continuous improvement.
Can you point to a known example of the better DDA chips being subverted?
18 Mar 2009 18:37
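The distinction between replayable static data and a per-transaction dynamic signature runs through three of the comments above: the single-channel proposal of signing each transaction with a key held in tamper-resistant store, the point that personal data is replayable and receivers cannot tell its pedigree, and the SDA-to-DDA upgrade. The following is an added illustration of that distinction, not code from the original comments or their author, and it does not reproduce the real EMV SDA/DDA data formats: an issuer-signed static record that a byte-for-byte copy can replay, beside a chip that signs a fresh terminal challenge plus the amount with a key that never leaves it. The card name, the digest layout, the 16-byte challenge, the P-256 keys and the amounts are all constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var (
	ErrStaleChallenge = errors.New("challenge is not the one outstanding at this terminal: replay")
	ErrBadResponse    = errors.New("card response does not verify: clone or tampered data")
)

// must keeps the example short: key generation and signing should not fail here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// digest is an assumed canonical encoding (label first, for domain separation).
func digest(parts ...any) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintln(parts...)))
	return h[:]
}

// StaticCard models SDA-style authentication: the issuer signs the card's static
// data once at personalisation and the card replays that signature on every use.
type StaticCard struct {
	PAN       string
	IssuerSig []byte
}

func PersonaliseStatic(issuer *ecdsa.PrivateKey, pan string) StaticCard {
	return StaticCard{pan, must(ecdsa.SignASN1(rand.Reader, issuer, digest("static", pan)))}
}

// TerminalCheckStatic can only confirm that the issuer signed these bytes; it
// has no way to tell the original card from a byte-for-byte copy.
func TerminalCheckStatic(issuerPub *ecdsa.PublicKey, c StaticCard) bool {
	return ecdsa.VerifyASN1(issuerPub, digest("static", c.PAN), c.IssuerSig)
}

// DynamicCard models DDA-style authentication: the chip keeps its own private
// key in tamper-resistant store and signs a fresh challenge for each transaction.
type DynamicCard struct {
	PAN  string
	priv *ecdsa.PrivateKey // copying the card's readable data does not yield this
}

func (c *DynamicCard) Public() *ecdsa.PublicKey { return &c.priv.PublicKey }

// Respond binds the signature to this terminal's challenge and this amount.
func (c *DynamicCard) Respond(challenge []byte, amountCents int64) []byte {
	return must(ecdsa.SignASN1(rand.Reader, c.priv, digest("dynamic", c.PAN, challenge, amountCents)))
}

// Terminal issues one random challenge per transaction, accepts a response only
// against the challenge currently outstanding, then retires it.
type Terminal struct{ outstanding []byte }

func (t *Terminal) NewChallenge() []byte {
	t.outstanding = make([]byte, 16)
	must(rand.Read(t.outstanding))
	return t.outstanding
}

func (t *Terminal) CheckDynamic(pub *ecdsa.PublicKey, pan string, challenge []byte, amountCents int64, resp []byte) error {
	if t.outstanding == nil || !bytes.Equal(challenge, t.outstanding) {
		return ErrStaleChallenge
	}
	if !ecdsa.VerifyASN1(pub, digest("dynamic", pan, challenge, amountCents), resp) {
		return ErrBadResponse
	}
	t.outstanding = nil
	return nil
}

// Demo runs four constructed scenarios: a clone presenting skimmed static data,
// then the dynamic check for a genuine chip, for a replayed (challenge, response)
// pair, and for an amount altered after the chip signed.
func Demo() (clonePasses bool, genuine, replay, tamper error) {
	const pan = "4111-0000-CONSTRUCTED" // constructed sample, not a real card number
	issuer := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	card := PersonaliseStatic(issuer, pan)
	clone := StaticCard{card.PAN, append([]byte(nil), card.IssuerSig...)} // copied bytes
	clonePasses = TerminalCheckStatic(&issuer.PublicKey, clone)

	chip := &DynamicCard{pan, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	term := &Terminal{}
	ch := term.NewChallenge()
	resp := chip.Respond(ch, 4999)
	genuine = term.CheckDynamic(chip.Public(), pan, ch, 4999, resp)

	term.NewChallenge() // the terminal has moved on; the captured pair is stale
	replay = term.CheckDynamic(chip.Public(), pan, ch, 4999, resp)

	ch2 := term.NewChallenge()
	tamper = term.CheckDynamic(chip.Public(), pan, ch2, 499900, chip.Respond(ch2, 4999))
	return
}

func main() {
	clonePasses, genuine, replay, tamper := Demo()
	fmt.Printf("static check accepts clone: %v\ngenuine: %v\nreplay: %v\ntampered amount: %v\n",
		clonePasses, genuine, replay, tamper)
}
```

The static check accepts the clone because everything it verifies is copyable; the dynamic check rejects both the replayed pair and the altered amount because the signature is over data the terminal chose for this one transaction, and only the chip's private key could have produced it.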