Filed Under: Finance and Banking, Identity

Trusted tryst tokens


Well. I can’t not write something about the Ashley Madison hack. Massive data breaches that spew people’s credit card information all over the Internet are one thing and I’d sort of given up paying any attention to them. After all, if someone gets hold of my credit card information and uses it to make unauthorised charges against my account, then it’s the bank’s problem and not mine so I don’t really care. That’s the whole point of using credit cards, that it’s not your problem.

But this is different. We’ve all had fun with the story on Twitter, but it’s really no laughing matter. Some people’s lives are going to be made a misery because of this. It’s all very well to take the moral high ground and say that people shouldn’t have registered for the site in the first place but that misses the point. The 28 million men and five million women who registered their sensitive personal details at the site were acting legally and I imagine that they thought they had a reasonable expectation of privacy. It doesn’t seem to be hyperbole to say that someone might well die because of this personal data Chernobyl.

So what should be done? There are really two quite distinct problems here. There is the problem of online payment and then there is the problem of online identity. I haven’t actually registered for Ashley Madison (although somebody else did, using my email address, which is why I periodically get emails asking me if I’m interested in women in Birmingham – see below) but I imagine that they use the credit card information for two purposes: one of which is to establish who you are and that you are over 18, and the other of which is to collect money from you. Note the pernicious interrelationship between the two use cases: using the credit card information to prove who you are means that you are giving Ashley Madison your name and address, which is really none of their business, and that if anything happens to breach their undoubtedly impressive security procedures, your real name and address could be disclosed.

[Image: ashleymadison]

Is there some insurmountable technological barrier to delivering security and privacy to people? I don’t think so. Emma Lindley, who knows what she is talking about (you can hear my podcast with her here) says that we know what the solution to this problem is, and she is right.

We’re finding that cryptography enabled personal digital identities will increasingly become the answer to this endemic data breach problem

[From Hacked Off? | Emma Lindley | LinkedIn]

You can do things with digital identities that you can’t do with physical identities. One such thing is to partially disclose: you can prove that you are over 18, for example, without disclosing your age. There are well-known and well-understood techniques that mean that I can prove to Ashley Madison that I am male, resident in the UK, over 18, solvent and known to the authorities without having to give Ashley Madison my name and address. So why don’t we use them? This is a really interesting case of a problem that we know how to fix but don’t because the co-ordination problems are too great. Other than the Apple sheepdog coming along to corral the stakeholders, I’m out of ideas.

I did see a tweet from Marc Andreessen, who you have to take pretty seriously on this stuff, saying that the Ashley Madison hack would stimulate the use of Bitcoin in order to reduce the privacy consequences of such a hack, but I disagree. You could pay Ashley Madison using Bitcoin but you would still have to give them your credit card details in order to prove that you are a real person and over 18. Or give them a photo of your driver’s licence or whatever. Solving the payment problem doesn’t solve the identity problem.

Wait. Maybe the Apple sheepdog is going to fix it.

Now, think what will happen at Ashley Madison in an Apple Pay world. You pay online at Ashley Madison using Apple Pay on the web. So you enter your pseudonymous Apple e-mail address and your Apple Wallet pops up on the phone and you put your thumb on the scanner and… done. Instead of getting your real credit card number, Ashley Madison get a token. The bank has implicitly tokenised certain of your personal details in the same way that they tokenised your credit card details. So, Barclaycard can give me a token that says I have a Barclaycard in the UK, and therefore must be over 18, and therefore Barclaycard know who I am, and therefore Ashley Madison don’t need to know who I am, and therefore provided that I can strongly authenticate to prove ownership of the token, there is no need for any of my personal details to be stored at Ashley Madison. All they need is a pseudonymous email address and that’s that.


Well, sort of. I happened to be leafing through the new MasterCard “Card on File Tokenisation Specification Enhancement” details and I was reminded that the EMV tokenisation standard is being amended to include a unique ID that will be the same for all of the tokens relating to a particular account. So I may not know who you are from your token details saved at Ashley Madison, but if I can see that the same Payment Account Reference (PAR) is used at another retailer where it is matched against your name (or something that could lead to your name) then you could still be compromised.


A clever solution (and value-added service) for banks to offer would be a Stealth Token as an Apple Pay option so that I can load a token that only the bank can connect to my actual credit card. A Stealth Token could be issued for debit cards too, but only for over-18s. The Stealth Token would zero out the last four digits of the actual PAN and also zero out the PAR. With a Stealth Token, consumers could use Apple Pay or Samsung Pay or Google Pay to purchase adult services (or any other services that they would not want to be linked with – a subscription to the Daily Mail, for example, or online Bingo) safely and securely, in the knowledge that even the merchant would have no idea of their “real” identity (i.e., the account behind the Stealth Token).
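To make the two points above concrete (the PAR letting an attacker join two breached card-on-file tables, and the Stealth Token blanking the PAR and last four digits so that the join fails), here is a toy Python model. It is an added example, not code from this post, from MasterCard or from EMVCo: the field names, the 29-character PAR, the merchant tables and the use of an issuer-side HMAC in place of a real cryptographic token assurance are all illustrative assumptions. It also shows the earlier partial-disclosure point, since the token carries only “UK” and “over 18” assertions and no name or address.

```python
"""Toy model of tokenised card-on-file records (added example, not from the post).

One issuer vaults real PANs and hands merchants surrogate tokens. Each token
carries a small issuer-asserted attribute bundle (country, over_18) instead of
the cardholder's name and address, plus, for ordinary tokens, a Payment Account
Reference (PAR) that is identical for every token cut from the same account.
The "stealth" variant blanks the PAR and the last four digits so two breached
merchant dumps cannot be joined. Field layout and the HMAC are assumptions.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Token:
    token_pan: str      # merchant-visible surrogate for the real PAN
    last4: str          # last four digits of the real PAN ("0000" if stealth)
    par: str            # Payment Account Reference ("" if stealth)
    attributes: dict    # issuer-asserted facts only; no name, no address
    mac: str            # issuer's keyed MAC over the fields above


class Issuer:
    """Bank/token-service side: the only party able to map token -> account."""

    def __init__(self, name: str):
        self.name = name
        self._key = secrets.token_bytes(32)     # never leaves the issuer
        self._vault: dict[str, str] = {}        # token_pan -> real PAN

    def _mac(self, token_pan: str, last4: str, par: str, attributes: dict) -> str:
        msg = json.dumps([token_pan, last4, par, attributes], sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _par(self, pan: str) -> str:
        # Stable per account, not derivable by anyone without the issuer key.
        return hmac.new(self._key, b"PAR|" + pan.encode(), hashlib.sha256).hexdigest()[:29]

    def issue(self, pan: str, country: str, over_18: bool, stealth: bool = False) -> Token:
        """Cut a fresh token for one merchant. The issuer already knows the
        cardholder (KYC), so it can assert country/over_18 without naming them."""
        token_pan = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        self._vault[token_pan] = pan
        attributes = {"issuer": self.name, "country": country, "over_18": over_18}
        last4 = "0000" if stealth else pan[-4:]
        par = "" if stealth else self._par(pan)
        return Token(token_pan, last4, par, attributes,
                     self._mac(token_pan, last4, par, attributes))

    def authorise(self, t: Token) -> bool:
        """Merchant presents the stored token; issuer checks it is genuine and
        that the attribute bundle has not been edited by the merchant."""
        expected = self._mac(t.token_pan, t.last4, t.par, t.attributes)
        return t.token_pan in self._vault and hmac.compare_digest(expected, t.mac)

    def detokenise(self, token_pan: str) -> str:
        """Only the issuer (e.g. under warrant) can recover the real PAN."""
        return self._vault[token_pan]


def link_dumps(dump_a: list[dict], dump_b: list[dict]) -> list[tuple[dict, dict]]:
    """What an attacker holding two breached card-on-file tables does: join on PAR."""
    by_par = {r["par"]: r for r in dump_a if r["par"]}
    return [(by_par[r["par"]], r) for r in dump_b if r["par"] in by_par]


def demo(stealth: bool) -> list[tuple[dict, dict]]:
    """Constructed scenario: one account tokenised at a grocer (which holds the
    customer's real name) and at an adult site (which holds only a pseudonym)."""
    bank = Issuer("ExampleBank")
    pan = "5454545454545454"                         # constructed test PAN
    grocer_token = bank.issue(pan, "GB", True)
    adult_site_token = bank.issue(pan, "GB", True, stealth=stealth)
    grocer_dump = [{"name": "A. Customer", "address": "1 High St", **asdict(grocer_token)}]
    adult_site_dump = [{"email": "anon42@example.com", **asdict(adult_site_token)}]
    return link_dumps(grocer_dump, adult_site_dump)


if __name__ == "__main__":
    print("ordinary tokens linked:", len(demo(stealth=False)))   # 1
    print("stealth token linked:  ", len(demo(stealth=True)))    # 0
```

The HMAC stands in for whatever cryptographic assurance the real token service provider gives; the point is only that the merchant can neither forge the over-18 assertion nor learn anything about the account beyond the token, and that without the PAR and last four digits two breached merchant tables have no common key to join on.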


Most importantly, the legal liability for non-disclosure of the account behind the Stealth Token (except under presentation of a valid warrant) would rest fairly and squarely with the regulated entity actually able to protect the data: the bank. Would I pay a little extra for a Stealth Token? I certainly would, and I bet a lot of other people would too.
The Ashley Madison example shows how interrelated innovation in money and identity could be (but currently isn’t) used to deliver both more security and more privacy online.
