Identifying with your Bank
Sid Sidner, Ping Identity
IIW 13 - October, 2011
EMV Smart Chip Banking Cards Are Coming to the U.S.
● Visa has created financial incentives that should drive issuers to issue EMV bank cards, and merchants to accept them, by 2015
● The U.S. has been the last holdout in worldwide EMV bank card deployment
● These cards will support NFC
● This event offers new possibilities in identity
● The banks could offer a global, strong identity system, with fees proportionate to the risk
● I want to know what you think!
  ○ Feasibility?
  ○ Risks?
  ○ Desirability?
Why are chips so important?
● Software is only good for low-value transactions due to malware
● You need hardware crypto with a dedicated display and user input that can't be corrupted by software
Why do EMV bank cards change the world of identity?
Several factors make EMV bank cards so important:
● Eventually every Internet user in the world will have one or more.
● They are very secure.
● They work well with personal computers, mobile devices, and even physical lock systems.
● The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.
How would EMV bank cards work for identity?
● The global bank card network adds a new identity transaction to the payment network (ISO 8583, ISO 20022)
● The fee for the transaction is scaled, based on the risk associated with using the authentication (e.g. ordinary login, $0.001; $50,000 purchase, $5.00)
● Relying parties use their existing interface to the payment network
● Readers are added to PCs and mobile devices (and door locks)
What's so special about EMV?
Ubiquity!
● 20 years: security & deployment
● Hundreds of millions of EMV bank cards have been issued.
● Largest public key infrastructure that has ever been deployed
● EMV transactions are routed over the standard global payment card network, so EMV bank cards can be issued and used anywhere.
● A business model for exchanging cash for value
Alternatives?
● Specialized smart cards: DoD CAC card, Hong Kong national ID card
● SIMs used in GSM mobile phones (AT&T, T-Mobile, European telcos)
● SD cards: memory + crypto
● TPM (Trusted Platform Module): widely deployed in Dells and others
None of them have all the key attributes:
● Global
● Secure key distribution framework
● Monetization of risk to incent secure behavior among stakeholders
What about fraud?
● There is risk of fraud in any transaction - goal: drive it small enough to include in transaction fees
● EMV has been hacked to bits. See the most recent Cambridge one in the Links page - amazing. But it gets addressed, which is what makes EMV so strong
What needs to happen?
1. The rest of the PCI needs to follow Visa
2. The PCI networks need to add an authentication transaction into the transaction set
3. Standard reader implementation, UX, and protocol need to be defined
4. Issuers need to offer these authN services; relying parties need to use them
5. "EMV in a phone" needs to be defined, to replace bank cards