
Iiw13 identifying with_your_bank


With the adoption of EMV bank cards by the US, a strong authN, global identity system is possible, using the payment card network to handle the identity transactions

Published in: Economy & Finance, Business


  1. 1. Identifying with your Bank
       Sid Sidner, Ping Identity
       IIW 13 - October, 2011
  2. 2. EMV Smart Chip Banking Cards Are Coming to the U.S.
       ● Visa has created financial incentives that should drive issuers to issue EMV bank cards and merchants to accept them, by 2015
       ● The U.S. has been the last holdout in worldwide EMV bank card deployment
       ● These cards will support NFC
       ● This event offers new possibilities in identity
       ● The banks could offer a global, strong identity system, with fees proportionate to the risk
       ● I want to know what you think!
           ○ Feasibility?
           ○ Risks?
           ○ Desirability?
  3. 3. Why are chips so important?
       ● S/w is only good for low value transactions due to malware
       ● You need hardware crypto w/ dedicated display and user input that can't be corrupted by software
  4. 4. Tamper Resistant Security Module Architecture
  5. 5. IBM ZTIC
  6. 6. VASCO 865
       Commercial ZTIC implementation
  7. 7. Why do EMV bank cards change the world of identity?
       Several factors make EMV bank cards so important:
       ● Eventually every Internet user in the world will have one or more.
       ● They are very secure.
       ● They work well with personal computers, mobile devices, and even physical lock systems.
       ● The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.
  8. 8. Bank Card Network Links
  9. 9. How would EMV bank cards work for identity?
       ● The global bank card network adds a new identity transaction to the payment network (ISO 8583, ISO 20022)
       ● The fee for the transaction is scaled, based on the risk associated with using the authentication (e.g. ordinary login, $0.001; $50,000 purchase, $5.00)
       ● Relying parties use their existing interface to the payment network
       ● Readers added to PCs and mobile devices (and door locks)
  10. 10. What's so special about EMV?
       Ubiquity!
       ● 20 years: security & deployment
       ● Hundreds of millions of EMV bank cards have been issued.
       ● Largest public key infrastructure that has ever been deployed
       ● EMV transactions are routed over the standard global payment card network so EMV bank cards can be issued and used anywhere.
       ● A business model for exchanging cash for value
  11. 11. Alternatives?
       ● Specialized smart cards: DoD CAC card, Hong Kong national ID card
       ● SIMs used in GSM mobile phones (AT&T, T-Mobile, European telcos)
       ● SD cards: memory + crypto
       ● TPM (Trusted Platform Module): widely deployed in Dells and others
       None of them have all the key attributes
       ● Global
       ● Secure key distribution framework
       ● Monetization of risk to incent secure behavior among stakeholders
  12. 12. What about fraud?
       ● There is risk of fraud in any transaction - goal: drive it small enough to include in transaction fees
       ● EMV has been hacked to bits. See the most recent Cambridge one in the Links page - amazing. But it gets addressed, which is what makes EMV so strong
  13. 13. What needs to happen?
       1. The rest of the PCI needs to follow Visa
       2. The PCI networks need to add an authentication transaction into the transaction set
       3. Standard reader implementation, UX, and protocol need to be defined
       4. Issuers need to offer these authN services; relying parties need to use them
       5. "EMV in a phone" needs to be defined, to replace bank cards
  14. 14. Links
       PingTalk blog entries
       ● https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/9/27/Identifying-with-your-bank--part-1-of-2
       ● https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/9/28/Identifying-with-your-bank--part-2-of-2
       Visa announcement: http://corporate.visa.com/media-center/press-releases/press1142.jsp
       EMV: http://www.emvco.com/
       NFC: http://arstechnica.com/gadgets/guides/2011/02/near-field-communications-a-technology-primer.ars/
       Sid's InfoCard/3DSecure idea: http://tootallsid.blogspot.com/2006/12/infocard-and-e-commerce.html
  15. 15. More Links
       Zeus: http://en.wikipedia.org/wiki/Zeus_(trojan_horse)
       ZitMo: http://www.hackprotector.com/tag/zitmo-malware/
       ZTIC: http://www.zurich.ibm.com/ztic/
       VASCO: http://www.vasco.com/products/digipass/digipass_readers/connectable/digipass_865.aspx
       DoD CAC: http://www.cac.mil/
       SIM: http://en.wikipedia.org/wiki/Subscriber_Identity_Module
       TPM: http://en.wikipedia.org/wiki/Trusted_platform_module
       Cambridge EMV hack: (watch video!) http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/
       ISO 8583: http://en.wikipedia.org/wiki/ISO_8583
       ISO 20022: http://www.iso20022.org/
