"What good is the CVV number? Who says this is any proof whatsoever that you have your card in your posission? Sure its on the back of your card, and not raised, so in the old 'roller' machines which took imprints of your card, it's not left on the counterfoil."
Exactly right. The CVV made sense at first because dumpster diving was the main way to steal personal IDs, and the CVV was hard to obtain. But now that it is commonly collected online and saved god-knows-where, it is no harder for crooks to obtain than the PAN. We might as well move to 19-digit credit card numbers!
Stephen Wilson.
18 Oct 2008 04:35
I firmly agree that PCI compliance in and of itself does little to mitigate replay attacks using account data stolen through tampered terminals or invading backend databases as in the TJX case.
But I don't see signs that the payments system is broken to the extent that it needs the sort of patching or reengineering some suggest. The four cornered payment model is fundamentally sound; the root cause of much fraud, especially CNP fraud, is that merchants are vulnerable to stolen ID data. If it were harder to steal and replay personal data, then we could live with the model for years to come. Remember that the total cost of modifying the underlying model is due to much more than just new technology; the biggest cost component comes from new legal arrangements. Every time we add a new player, like an SMS service or an authentication gateway, let alone a radical new mobile method, we inject new business risks, extra accountabilities, new complexities and overheads.
There are relatively simple ways that we can thwart the replay of stolen ID data against merchant servers, preserving the four cornered payment system model as is, cutting CNP fraud, simplifying backend information systems, and enhancing individual privacy all at the same time.
Cheers,
Stephen Wilson, Lockstep.
17 Oct 2008 22:06
It's curious that the terms "ordinary investor" and "ordinary shareholder" are used interchangeably. But until recently, I suggest that the "ordinary investor" was probably a deposit bank account holder, content with a few percent p.a. ROI.
Shareholders can actually be seen as extraordinary investors. They are, of course, part owners in their traded companies. As such, why should anyone be surprised that they are liable for the losses of their companies as well as their gains?
Stephen.
13 Oct 2008 22:06
Thanks Matt.
Indeed, the group secretariat proved very helpful. They confirmed that the report is not yet online but will be shortly.
10 Oct 2008 01:05
Hi Dean.
I'm afraid I couldn't follow much of your last post. What's NFC got to do with anything?
All we know about your proposal, the only things you've ever revealed about it publicly, is that it's phone based, and that it's some sort of new "neutral third party transaction processing system". My point is that new transaction processing models entail so much legal novelty that regardless of their technical goodness, they scare the daylights out of people.
To redress online ID theft, I advocate a minimal security model that preserves the underlying payments business model (i.e. four cornered CNP processing) and therefore minimises legal perturbations. We would get an immense breakthrough if we used chips to vouchsafe the pedigree of credit card numbers and other personal ID data, allowing merchant servers to trust presented numbers, 'on their face', and then proceed to process the transaction via orthodox CNP arrangements. That is, no change whatsoever to the backend interfaces between merchants, acquirers and issuers.
Let's concentrate on a minimal problem: restoring confidence in IDs (credit card numbers) online. For PC browsers, an elegant and increasingly practical solution involves smartcards in connected readers. For smartphone browsers, let's use the SIM or other on-board crypto processor. But let's not introduce any new third party processors.
18 Sep 2008 12:05
Dean Procter argues for a new model, and that's true of course, but I don't believe we need any new third party scheme. Existing schemes - CNP payments processing in particular - are not fundamentally broken in my view, but they are tremendously vulnerable to replay attack because they were not built in anticipation of the ID theft vectors that plague the Internet (as opposed to the mail order / telephone order channel that was the archetype for these systems).
So instead of abandoning CNP processing and replacing it with something new, unfamiliar and complicated by extra third parties, why not extend the longevity of CNP processing by fixing the vulnerability of credit card numbers to replay attack?
Lockstep's approach is to leverage current technologies, notably EMV chips (and also SIMs), so that the pedigree of numbers presented online can be assured and recognised by merchant server software. This means there is no change at all to CNP rules and card scheme arrangements. It also means that stolen numbers (as in the TJX case) would be worthless.
I've been in authentication and PKI for 13 years, and over and over I've seen that the kiss of death for a new scheme is not necessarily technical complexity, but rather it is legal complexity or even sheer legal novelty. It takes years to establish legal confidence in payments schemes; changing schemes, including introducing new 'independent' or 'neutral' players, is a really big deal simply because they are new. How long will it take lawyers to understand, analyse and sign off on the contracts involved in any fundamentally new payments scheme with new backend players (especially if those players are little known startups)?
As Marite observed, Lockstep's proposals involve connected smartcard readers and of course these have been problematic. But they are coming. The new Dell Latitude E series even has a contactless reader built in. I take a long view. Remember when CDs were first used for read-only storage? We had a single CD ROM burner at the place where I worked in 1990; it was controlled by the IT Department, you had to book time on it and fork out $50 for a blank disk. 10 years later, CD ROM burners had become completely standard in laptops. I see smartcard readers going the same way, driven by EMV, national health card and ID schemes, FIPS 201, and by Microsoft, who have built smartcard compatibility into multiple layers of their platform. There are close to a billion EMV smartcards and at least 200 million health cards on issue; 2 billion more will come in India and China. The plastic card form factor is natural and totally habitualised. It will not disappear overnight.
Unlike others in this community, I don't have strident views about whether mobiles are better or worse than cards. I am quite pragmatic: several billion EMV smartcards will be with us for a long time, and they happen to provide cryptographic capabilities that can be pressed into service to protect personal numbers on line. If we leverage these resources, then we can extend the longevity of CNP payments processing without any new business models or legal arrangements. We can simplify the online payments architectures to return to the four cornered model at the core of the payments business model. No extra authentication servers or extraneous profit making players.
13 Sep 2008 04:12
Dean Procter speculated: "Would a neutral third party transaction processing system which easily plugs into any bank's existing infrastructure solve the problem?"
But why introduce yet another third party scheme, with all the attendant novelty, business risk, fresh complexity in the chain of trust, and costs?
Our research has led to a far simpler proposition that cuts back on extraneous authentication servers and services, and instead makes use of the cryptographic capacity of chip cards to convey credit card numbers. The validity of a number can be checked by the merchant server internally, without having to revert to a third party scheme. In effect, the merchant server talks direct to the chip. We've proven such a system using a bog standard browser, merchant server and smartcard readers.
Stephen Wilson
Lockstep Technologies
11 Sep 2008 22:22
It was asked "How would EMV secure card numbers? ... The TJX breach was related to 41 million card NUMBERS".
Excellent point. One of the most acute problems is that numerical personal data -- the stuff of Card Not Present payments and so many other transactions -- has no innate pedigree. Credit card numbers can be stolen or simply made up, and e-merchants cannot tell genuine numbers from stolen ones or fakes. In a vain effort to detect fraud, merchants gather more and more personal data and forward it to clearing houses and third party processors ... only to have it stolen, traded and replayed. Fighting CNP fraud by checking more personal details is like putting out fire with gasoline.
It is true that the EMV scheme in and of itself wouldn't prevent the TJX breach, nor defuse all forms of ID theft, because the scheme is concerned with terminal transactions. But better use of the cryptographic capacity sitting within many EMV cards (or equally, SIM cards) can be co-opted to authenticate credit card numbers and other personal data when presented by a cardholder online. That is, when a number is presented online, the receiver can tell that the number is genuine and has been presented with its owner's consent.
See Lockstep Technologies' research & development into identifier safety.
It is often said that 'EMV has nothing to do with the CNP problem' and as far as the scheme is concerned that's true. But I urge smarter use of the chips that EMV has delivered to hundreds of millions of online shoppers, so that alongside EMV, the chips can be used to enhance "safety in numbers".
Lockstep Technologies.
10 Sep 2008 02:35
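The idea running through the two comments above (the chip vouches for the pedigree of the number, the merchant server checks it locally with no third-party call-out, and a number stolen from a database is worthless on its own) can be shown as a small challenge-response exchange. The Go program below is an added example written for this page; it is not Lockstep's design or code, and the credential format, the use of Ed25519, the nonce scheme, the hypothetical merchant name and the test PAN are all assumptions made here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential binds a PAN to a chip's public key under the issuer's signature.
// Format and key type are assumptions for this example, not a deployed scheme.
type Credential struct {
	PAN       string
	ChipPub   ed25519.PublicKey
	IssuerSig []byte // issuer signature over credentialBytes(PAN, ChipPub)
}

// Presentation is what the browser hands the merchant server at checkout.
type Presentation struct {
	Cred     Credential
	Nonce    []byte // the merchant's own challenge, echoed back
	Merchant string
	ChipSig  []byte // chip signature over challengeBytes(PAN, Nonce, Merchant)
}

func credentialBytes(pan string, pub ed25519.PublicKey) []byte {
	return append([]byte("CRED:"+pan+":"), pub...)
}

func challengeBytes(pan string, nonce []byte, merchant string) []byte {
	return append([]byte("PRESENT:"+pan+":"+merchant+":"), nonce...)
}

// IssueCredential runs once, at card personalisation, on the issuer side.
func IssueCredential(issuerPriv ed25519.PrivateKey, pan string, chipPub ed25519.PublicKey) Credential {
	return Credential{PAN: pan, ChipPub: chipPub,
		IssuerSig: ed25519.Sign(issuerPriv, credentialBytes(pan, chipPub))}
}

// NewNonce is the merchant's per-transaction challenge; the fresh nonce is
// what stops a captured presentation from being replayed later.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// ChipPresent is the card side: the private key never leaves the chip, only a
// signature over this merchant's challenge does.
func ChipPresent(chipPriv ed25519.PrivateKey, cred Credential, nonce []byte, merchant string) Presentation {
	return Presentation{Cred: cred, Nonce: nonce, Merchant: merchant,
		ChipSig: ed25519.Sign(chipPriv, challengeBytes(cred.PAN, nonce, merchant))}
}

// MerchantVerify needs only the issuer public key the merchant already trusts
// and the nonce it issued itself: no authentication server in the loop.
func MerchantVerify(issuerPub ed25519.PublicKey, expectedNonce []byte, merchant string, p Presentation) error {
	if !bytes.Equal(p.Nonce, expectedNonce) || p.Merchant != merchant {
		return errors.New("challenge mismatch: stale or foreign presentation (replay?)")
	}
	if !ed25519.Verify(issuerPub, credentialBytes(p.Cred.PAN, p.Cred.ChipPub), p.Cred.IssuerSig) {
		return errors.New("credential not signed by a trusted issuer")
	}
	if !ed25519.Verify(p.Cred.ChipPub, challengeBytes(p.Cred.PAN, p.Nonce, p.Merchant), p.ChipSig) {
		return errors.New("chip signature invalid: presenter does not hold the card's key")
	}
	return nil
}

// Demo runs a genuine checkout, a replay of the captured message, and a
// presentation by someone who holds the PAN and credential but not the chip.
func Demo() (genuineErr, replayErr, stolenErr error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	chipPub, chipPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := IssueCredential(issuerPriv, "4111111111111111", chipPub) // test PAN, not a real card
	const shop = "shop.example" // hypothetical merchant

	n1 := NewNonce()
	p1 := ChipPresent(chipPriv, cred, n1, shop)
	genuineErr = MerchantVerify(issuerPub, n1, shop, p1)

	// Attacker captured everything that crossed the wire and resends it.
	replayErr = MerchantVerify(issuerPub, NewNonce(), shop, p1)

	// Attacker has the PAN and the public credential but signs with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	n3 := NewNonce()
	stolenErr = MerchantVerify(issuerPub, n3, shop, ChipPresent(attackerPriv, cred, n3, shop))
	return
}

func main() {
	g, r, s := Demo()
	fmt.Println("genuine:", g, "| replay:", r, "| stolen PAN:", s)
}
```

The replay case is the breach scenario: the attacker holds a complete, previously valid message and still fails because the merchant's nonce differs. Issuer key distribution, credential revocation and the browser-to-reader interface are deliberately out of scope of this sketch.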
In response to Colin Henderson's points ...
These are important points to consider in choice of a solution, but hardly reasons to write off biometrics, so I am not sure what point is being made in this original post, nor in the responses to reasoned comments.
I have been trying to make a few points:
Point 2 is irrelevant because there are enough biometric solutions which fail on decapitation.
Well actually we don't have proven and standardised liveness detection! Fingerprint liveness detection was debunked by Mythbusters.
And in my opinion we don't have adequate contingency plans for recovery from biometric identity theft. Various ideas get tossed around casually, like switching to different fingers, or injecting fuzziness into the templates, but these are just ideas. None have been standardised much less actually deployed. I contend that this is a bizarre and unprecedented way to treat security technology!
To dig deeper ...
Meanwhile we still have people suffering the misapprehension that biometrics just cannot be spoofed. The claim 'you cannot steal my biometric' keeps being made, and it's so not true.
09 Jul 2008 00:09
OK, so Chris Skinner has withdrawn. It's a pity, because he does not appear to have yet engaged with the issues I've been trying to raise in good faith. For the benefit of others who are still listening, and who care to avoid any false sense of security, his answers do merit follow up ...
Stephen Wilson (SW) - what to do about identity theft?
Chris Skinner (CS) - That's the point of adding biometric, or other identification techniques, to chip & PIN or passwords.
I think he has missed the point. The question was, what if someone steals my biometric? If my password or smartcard is compromised, I get a new one, but with biometrics that isn't possible. Once someone has created a faithful copy of my fingerprint, how can I be given a new one? There are said to be interesting novel refreshable biometrics being researched, but nobody should buy security technologies that are fresh out of the lab.
[Sadly, the usual response to this question is "liveness detection" but that's a flawed answer for two reasons. Firstly and most obviously, liveness detection is easy to spoof (see Mythbusters). Less obvious but actually more important is the point that no security system should ever be designed on the basis of some core technology being assumed to be perfect. A sound end-to-end biometric security system should be designed to cope with the in-principle compromise of the measurement. Advocates cannot duck this responsibility with a claim that liveness detection makes identity theft impossible. The "What If" question always remains, and the onus of proof lies with the security provider.]
SW - what are acceptable false accept, false reject and fail to enrol specs?
CS - The minimum possible, as proven by the successful roll-outs, such as the 80% of banks in Japan that use palm and vein biometrics
But how do we know if "minimum possible" is good enough? Does anyone even know what the error rates and Failure to Enrol rates actually are for the Japanese ATMs? I don't. But I do know that these stats are remarkably hard to come by in any biometric installation, and in many government systems are kept secret. This is security 1970s style, not good practice.
In any case, the Japanese ATM experience is not altogether relevant to the UK National ID card that was the subject of this thread. What actual quantitative False Match and False Reject rates will the government specify? What actual measured performance limits will bank branch fingerprint detectors be required to operate under? If the government ID card has a published specification of say 5% False Match Rate, and the bank branch equipment has the same spec, and if there is still a mistake (as there will inevitably be) then who is going to be liable for any bad consequences?
SW - what degradation in accuracy is permissible when trying to interoperate between vendors?
CS - Why don't you read this and open your eyes.
I have read this press story but it doesn't mention accuracy, so I'm not sure how it's supposed to open my eyes.
But moreover I've actually studied the standard referred to in the story -- ISO 19092 -- and it doesn't address my concerns. In fact, it acknowledges them, and raises many more. For instance, ISO 19092 says:
Assessing error rates for biometric devices is clearly part of the technical testing process. Beyond that, however, there is little agreement. A review of the technical literature on biometric device testing reveals a wide variety of conflicting nomenclature and protocols.
And
[Performance] testing is always performed with voluntary, supervised, and therefore cooperative, users. Volunteers might even be provided an incentive to correctly use the system, thereby lowering false non-match rates. False match rates are determined by the coincidental matching of two individuals' measures. These are called “zero-effort” impostors. The vulnerability of the false match rate to determined impostors and the effect on false non-match rate of uncooperative users is never measured.
That is, the latest ISO standard for biometrics highlights that testing systemically over-estimates the security of these systems.
It's also telling that in the whole of ISO 19092, as far as I can tell, there is only one instance of a recommended limit for the acceptable performance of biometrics in practice. It states:
For verification systems, the corresponding false non-match rate of the biometrics shall be consistent with requirements for convenient operations, and shall not exceed [10^-2].
I'll come back to that a little later ...
CS - Customer convenience is improved through speed and ease, and customers prefer this way and beyond over PINs and passwords ( I have too many studies to cite in this area). And security ... [sic] that's why Japan, Switzerland and others are using biometrics.
I don't think that answer engaged with the real issue.
Any biometric detector exhibits both false accepts (or matches) and false rejects (or non matches). False rejects are inconvenient to customers; false accepts (where the system mistakenly recognises a user) cause security breaches. Inescapably, the lower the false reject rate, the higher the false accept rate, and vice versa (this niggling little detail often goes unnoticed by lay people who have been led to believe that biometrics just work, like on "Minority Report"). In any biometric system the trick is to strike the right balance -- you cannot arbitrarily increase "speed and ease" and "security" at the same time.
As mentioned, ISO 19092 recommends a false non match rate in "verification systems" (that would include ATMs) of no worse than 1 in 100. Now, if you can find Detection Error Tradeoff curves (they are surprisingly hard to come by, assuming nobody has anything to hide) then you can look up the False Match Rate that corresponds to the 1% False Non Match benchmark. Testing by the UK Government CESG has showed the following:
For the three different fingerprint methods examined, none of them could achieve a False Reject Rate as low as 1% and therefore there are no corresponding False Detect statistics. And as stressed by standard ISO 19092 itself, these test results reflect accidental "zero effort" False Matches; they do not reflect the security performance under concerted attack.
Going back to the questions at the start of this thread, my specific concern in the cross-over of national ID and banking relates to policy. In a closed system, a bank can make its own decisions about security versus convenience. But in an open system, where the government issues ID cards for national security, and expects banks to use them, getting the balance right is going to be harder. It will also necessitate total transparency of false reject and false accept statistics, accepted public domain test methods, and I suggest, still better tests that indicate resistance to concerted attack, and not just accidental detection errors.
It was said that I'm sounding a bit monotonal on this topic. I'm sorry if anyone's bored by all this, but then again, you'd hope for a reasonable attention span (and attention to detail) for a topic of such importance and controversy. I simply want to know if these debates are occurring. As things stand, I am not even sure that the right questions are being asked let alone worked through.
07 Jul 2008 02:46
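The tradeoff the comment above describes (lower the threshold to cut false rejects and false accepts rise; pick the 1% false non-match point on a DET curve and read off the false match rate you have to live with) is easy to make concrete. The Go program below is an added example for this page, not material from the post or from ISO 19092; the genuine and impostor match scores are constructed toy data, not results from any real biometric test, and the 1% budget is simply the figure quoted from the standard above.

```go
package main

import (
	"fmt"
	"sort"
)

// Point is one operating point on a detection error tradeoff (DET) curve
// for the rule "accept if score >= Threshold".
type Point struct {
	Threshold float64
	FMR       float64 // impostors accepted / impostors presented (false accept)
	FNMR      float64 // genuine users rejected / genuine presented (false reject)
}

func fraction(scores []float64, pred func(float64) bool) float64 {
	n := 0
	for _, s := range scores {
		if pred(s) {
			n++
		}
	}
	return float64(n) / float64(len(scores))
}

// RatesAt evaluates both error rates at a single threshold.
func RatesAt(genuine, impostor []float64, t float64) Point {
	return Point{
		Threshold: t,
		FMR:       fraction(impostor, func(s float64) bool { return s >= t }),
		FNMR:      fraction(genuine, func(s float64) bool { return s < t }),
	}
}

// DETCurve sweeps every distinct observed score as a threshold, ascending.
// Along the sweep FNMR can only rise and FMR can only fall: that is the tradeoff.
func DETCurve(genuine, impostor []float64) []Point {
	seen := map[float64]bool{}
	var ts []float64
	for _, s := range append(append([]float64{}, genuine...), impostor...) {
		if !seen[s] {
			seen[s] = true
			ts = append(ts, s)
		}
	}
	sort.Float64s(ts)
	pts := make([]Point, 0, len(ts))
	for _, t := range ts {
		pts = append(pts, RatesAt(genuine, impostor, t))
	}
	return pts
}

// OperatingPoint picks the strictest threshold whose FNMR still fits the
// convenience budget (e.g. the 1% figure) and reports the FMR that comes with it.
func OperatingPoint(genuine, impostor []float64, maxFNMR float64) Point {
	var best Point
	for _, p := range DETCurve(genuine, impostor) {
		if p.FNMR <= maxFNMR {
			best = p // curve is sorted by rising threshold, so the last hit is strictest
		}
	}
	return best
}

// ToyScores builds constructed samples (not real test data): 100 genuine
// scores 41..140 and 100 impostor scores 1..100, overlapping on 41..100.
func ToyScores() (genuine, impostor []float64) {
	for i := 1; i <= 100; i++ {
		genuine = append(genuine, float64(40+i))
		impostor = append(impostor, float64(i))
	}
	return
}

func main() {
	g, im := ToyScores()
	for _, budget := range []float64{0.01, 0.05, 0.10} {
		p := OperatingPoint(g, im, budget)
		fmt.Printf("FNMR budget %.0f%%: threshold %.0f gives FNMR %.2f, FMR %.2f\n",
			budget*100, p.Threshold, p.FNMR, p.FMR)
	}
}
```

On the toy data the 1% false non-match budget forces the threshold down to 42, where 59% of impostor attempts are accepted; relaxing convenience to 10% only brings the false match rate to 50%. The numbers themselves mean nothing, but the shape is the point the comment makes: the convenience figure a vendor quotes is meaningless without the false match rate at the same threshold, and these "zero-effort" impostor scores say nothing about a determined attacker.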