SCENARIOS FOR THE FUTURE OF THE
CANADIAN PAYMENTS SYSTEM
AUTHENTICATION AND IDENTITY WORKSHOP
NOVEMBER 3, 2010
Greg Wolfond
Are they the same?
2
Identity and Authentication
Authentication (from Greek: αυθεντικός; real or
genuine, from authentes; author) is the act of
establishing or confirming something (or someone) as
authentic, that is, that claims made by or about the
subject are true ("authentification" is a French language
variant of this word).
● Thanks to Wikipedia
3
Identity and Authentication
3 ways to authenticate.
What I Know
4
Authentication
Knowledge based questions
3 ways to authenticate.
What I Know
What I Have
5
Authentication
3 ways to authenticate.
What I Know
What I Have
What I am
6
Authentication
3 ways to authenticate.
What I Know
What I Have
What I am
Combination is strongest! E.g. Chip and PIN
7
Authentication
This graph shows the increase in the number of unique malicious programs used to steal money from Internet users. Source: Kaspersky Lab
As banks roll out new security technologies and techniques, the criminal underground quickly develops means to defeat these
technologies. The exploits are rapidly (often within 30 days) made widely available in numerous crimeware variants that criminals
can purchase over the Internet. Attacks are often hosted on computers in different countries than where the banks and their
customers are located, making it very difficult to get websites that host malware or command & control servers taken down.
Mashevsky concludes that making meaningful progress in the battle against an exponentially growing threat will require
much tighter cooperation between financial institutions, their customers, the security industry, and government agencies.
8
Challenge with Online Authentication
On Top Of The Direct Revenue
Losses, Cost of Stolen
Goods/Services And The Associated
Delivery/Fulfillment Costs…
…There Are Additional Profit Leaks
From Rejection Of Valid Orders,
Manual Review Costs &
Administration Of Fraud Claims
Source: Annual Fraud Report (2009), CyberSource Corporation
9
$4B Per Year In Online Fraud Losses
For Merchants In The U.S. & Canada
Source: “Fraud, the Facts” 2009
10
Today, Growing CNP Fraud is mostly the merchant's
problem online
Complete Checkout Form, Authenticate, Pay
Integrated Checkout Solutions Disintermediate FIs From Clients And Take Transactions
Away From Card Issuers And Networks
11
In the Online Space, Non-FIs Are Stepping In To Meet
The Needs Of Shoppers & Merchants
Authentication is often... (esp. in online world)
Authorization is the function of specifying access rights
to resources, which is related to information security
and computer security in general and to access control
in particular.
Separate from
Identification: or Identity Verification
a: an act of identifying : the state of being identified
b: evidence of identity
● Thanks to Wikipedia
12
Identity and Authentication
Most of the time picture ID.
No relationship between the provider of the ID and the
relying party
Often mag stripe. Easy to copy. Not easy to verify.
What’s the dollar cost to the industry? What’s the value in
making the credentials stronger?
How to make it work in the physical and online worlds?
13
Identity Documents
Privacy is a big factor in any system
No relationship between the provider of the ID and the
relying party is a key tenet
Is privacy good enough today in the physical world? NO
Physical world system wouldn’t work online. (Tap your
card and give everyone your name and address)
How could it be better?
14
Privacy
Authentication - EMV (contact or contactless) at POS
What authentication is needed online?
Identification - Physical and Online - what needs to be
done?
Government involvement needed?
Should playing field be level? All players
do the same KYC, AML or new entrants
ride free?
Privacy - An obstacle or an opportunity?
15
Things to think about for the scenario planning
