Layered approach
[Dave Birch] We're all getting a little jaded about the continuous stream of reports about password breaches (I don't know if breach is even the right word, seeing as the most common password used by everyone is "password"). But this one caught my eye, because in this case it wasn't the password that was stolen but the knowledge needed to obtain it.
It seems that the cyberthieves gained access by taking over a Global Payments administrative account “by answering the application’s knowledge-based authentication (KBA) questions correctly.”
[From StorefrontBacktalk » Blog Archive » Could Global Payments Breach Finally Kill KBA Questions?]
This madness has got to stop. Any organisation that wants to be taken even slightly seriously has to move to better authentication at the earliest opportunity. But what might this authentication look like in the mass market? Last month MasterCard hosted a great day at their new innovation centre in Dublin to show off their technology platforms and explore some practical ideas about the future of payments.
MasterCard has made Dublin the location of its latest MasterCard Labs office. The 'innovation hub' will lead the development of technology for the company's worldwide operations and will foster projects in the areas of coupon purchases, biometric authentication, near field communication and gesture control.
[From MasterCard unveils Labs office in Dublin | TechCentral.ie]
There were some great demonstrations of the PayPass contactless wallet and PC payments as well as the integration of secure (i.e., chip-based) payments into the new digital media age. One of our senior consultants, Tony Pickup, was there and so I asked him for his professional opinion of what was on show. Rather interestingly, he told me:
The demo that caught my eye may be not as "sexy" as the contactless and mobile stuff, but it demonstrates a potentially important change in the way we may access funds in the future. This was a demo of the South African entitlement card distribution process and funds distribution to a market expected to be 10 million by the end of 2012. This service may show how remote card account management may develop in the next few years.
The South African Social Card service uses a layered approach to biometrics and their use. The idea is that on registration a voice biometric is captured to support account management, a fingerprint biometric is captured and loaded onto an EMV card only. Also once the biometrics are taken the user is asked to set up a PIN to enable chip and PIN authentication for purchases at physical POS. The fingerprint biometric is used for authentication purposes when a person presents themselves for an entitlement. This is clever as the biometric is checked by the EMV card using the data collected to prove the customer is ‘alive’; there is no need to collect or match fingerprints in a central database. The voice biometric is used to ensure that if a customer needs to re-issue a card it can be done efficiently. However, this multi-modal approach also offers the ability to use the voice biometric if the person is unable to present themselves or their finger to prove their entitlement and access the funds granted to them.
This may show the future for remote authentication and layering biometrics to authorise different types of transactions, but it certainly indicates to me that it is identity, not money, that will be the crucial field of competition in the near future. I'm sure that Visa, MasterCard, Amex and others are all on the case, for the simple reason of economics: if you know who the counterparties to a transaction are, then the payment and settlement part becomes easy.
Kris Ranganath, director of technology and solutions of NEC, pointed out that the latest developments in biometrics focus on multimodal fusion matching, or "person-centric identification". This means that any available biometric data generated by a person can be used for verification. This, he noted, is unlike the past when tools depend solely on a single mode of a person's biometrics such as fingerprints.
[From Biometrics more accurate, but uptake 'disappointing' - ZDNet Asia News]
So what is the path into the mass market? There is no silver bullet for authentication, not even biometrics, but some intelligent multi-modal application can quickly shift authentication into a sweet spot for most transactions, most of the time. Buy a pack of gum, tap. Buy a pair of shoes, chip and PIN. Buy a car, chip and PIN and fingerprint. Buy a house, chip, PIN, fingerprint and voiceprint. Launch nuclear missile, chip, PIN, fingerprint, voiceprint and DNA. That kind of thing, although we don't need to wait for all of these technologies to reach mass market security. There really is no excuse for not implementing better authentication now and I've often wondered why we don't use bank-issued chip and PIN cards to do it: if they can do it in South Africa, we can do it here.
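The layered policy described in this post, sketched as an added example (it is not code from MasterCard or the South African scheme): each operation lists the factor combinations that satisfy it, and the evaluator reports the smallest step-up still needed. The operation names are hypothetical; the factor combinations follow the text above.

```python
from enum import Enum


class Factor(Enum):
    CHIP = "chip"                # EMV card presented (tap or insert)
    PIN = "pin"                  # PIN set up at registration
    FINGERPRINT = "fingerprint"  # matched on the card, no central database
    VOICE = "voice"              # voice biometric captured at registration


C, P, FP, V = Factor.CHIP, Factor.PIN, Factor.FINGERPRINT, Factor.VOICE

# Operation -> alternative factor sets; satisfying any one set is enough.
# Operation names are hypothetical; the factor sets follow the post.
POLICY = {
    "pos_purchase": [{C, P}],
    "claim_entitlement": [{C, FP}, {V}],  # voice is the fallback
    "reissue_card": [{V}],
    "buy_gum": [{C}],
    "buy_shoes": [{C, P}],
    "buy_car": [{C, P, FP}],
    "buy_house": [{C, P, FP, V}],
}


def evaluate(operation, verified):
    """Return (granted, missing) for the factors verified so far.

    missing is the smallest set of extra factors that would satisfy one
    alternative, i.e. what to prompt for as a step-up.
    """
    if operation not in POLICY:
        raise ValueError(f"no policy for {operation!r}")  # fail closed
    verified = set(verified)
    missing = min((alt - verified for alt in POLICY[operation]), key=len)
    return (not missing, missing)


if __name__ == "__main__":
    print(evaluate("buy_car", {C, P}))          # step-up: fingerprint
    print(evaluate("claim_entitlement", {V}))   # granted via voice fallback
```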
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
License

The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License.
If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.



