Filed Under: Identification and Authentication, People

Cloudy with a chance of PKI


[Dave Birch] I had a lovely time chairing the panel on mobile payments at the April meeting of Mobile Money at the GSMA. I was lucky to have a great set of panelists, including Neil Daly who is the Mobile Money Director at the GSMA. Neil made a terrific presentation, but I can’t tell you about it because all of his slides were marked “confidential” and I don’t want to get into trouble. So, anyway, what does all of this have to do with identity? Well, during the excellent panel discussion, John Lunn from Paypal, whose opinions I always take seriously, made (I think) a profound point. He said that as payments are disappearing into the cloud, they are going to merge, so that mobile payments and internet payments and all other payments (including retail payments) become the same thing, essentially. He’s not the only person who thinks this.

Most consumers still pay offline, like in restaurants or stores. But I have no doubt that in future all these businesses will be connected to the Internet and then, virtually all payments will be made online.

[From Globes [online] – Israel business news – For PayPal, it is only the beginning]

A few days later, at the Future of Money This makes for some interesting thinking, because the use of new devices and new networks to access the cloud data means that all sorts of new services can be provided. But it also means that the evolution of digital money and digital identity will be wholly interconnected because the problem of all payments will resolve down to identifying the payment “account” associated with the individuals (or the individual and the merchant) and then authenticating that they are who they claim to be. Once these steps have been taken, then moving a few bytes around to execute the payment is not much of an effort. (Almost) anyone can do it and absolutely everyone can use it.

A software platform—perhaps in the cloud– can lower those costs by investing in linking to the multitude of software programs that handle various elements of payments. By exposing APIs, this software platform then makes it possible for entrepreneurs to quickly integrate into most relevant aspects of the payments business… A great deal of innovation can be unleashed once these APIs are exposed.

[From Why the Payments Industry Needs a Catalyst to Drive Payments Innovation – pymnts.com]

Following along this line of thinking, where are the high added-value nodes in the new value network? If anyone can provide the engine, anyone can access the APIs, anyone can come up with ideas for using the new payments platform, what is there that not anyone can do? One fruitful area for exploration might be security.

There’s a real problem with payment security. Actually, there are a number of real problems with the technology needed to provide security for retail payment transactions, as neatly outlined by Patrick Gauthier.

1. The variety of devices is exploding:
From PCs to mobiles, to kiosks, to off premises ATMs, to SD cards… the ever increasing number and variety of commerce enabling devices makes it difficult to manage their compliance with security standards developed by the payment industry.

2. Transaction types are multiplying:
Beyond MOTO and e-commerce transactions, witness the growth of unattended terminals from gas pumps to supermarkets; of micropayments aggregated to payment cards or third party bills themselves settled through a secondary payment transaction; of person to person payments; or of cross border transactions in professional online marketplaces… Each presents a different risk management profile, which has led to a patchwork of payments services.

3. Authentication methods are bifurcating:
The growing number of card payment use cases has led to a fragmentation of the authentication landscape. As I prepared this post, I used my Amazon password here; my iTunes password there; my Verified by Visa PassCode from time to time; my CVV2/identity code more often; my zip code at the pump (fortunately I don’t live in Canada and fill up in the US!) and my address at a catalog merchant; my PIN at the ATM and merchants where I forgot that a CheckCard is a credit card; my email address for ACH transfers; and even parts of my card swipe at airport check-in counters. Throughout, I left a contrail of identity and account telltales providing the criminal mind with as many potential attack vectors on the system.

4. Payment data is used in a growing number of applications:
Repeated industry studies since the CSSI breach have shown how the shadow of payment data extends far beyond payment applications.

5. More delivery intermediaries are participating:
Once upon a time a card would get swiped at a standalone POS, which dialed up an acquirer system for entry into the secure world of the payment networks. Alas, these times are gone. Witness the TJX case and the vulnerability of the in-store/in-chain network; or map the many hops that card data will make in a Tier 4 e-commerce merchant, through a checkout provider, possibly to an ISO and acquirer, but also a fulfillment agent, a third party customer service provider and, why not, a combined loyalty program.

[From The Security Conundrum – Part 1: The Puzzle – pymnts.com]

Looking at all of these very real issues, it seems to me that a key step forward that we have to make (and a significant break from the past) is to separate the payment system from the identification and authentication systems, and to separate the identification and authentication network from the “content” network. If we’re talking about the Internet, then we need to push identification and authentication off the edge of the Internet, so that the Internet (and the store networks, POS terminals, vending machines and everything else) can be completely insecure without compromising the payment: the only secret that matters is the authentication key, and that never travels over those networks. With the payment vanishing into the cloud, commercial providers are already looking for ways to hook up the services that are needed to do this (bringing together OAuth, OpenID and so on).

VeriSign, Inc, the trusted provider of Internet infrastructure services for the networked world, today announced an industry collaboration aimed at building trusted online identity solutions — a lynchpin requirement for the widespread adoption of cloud computing and software as a service (SaaS) solutions. The industry effort combines technologies and best practices from Conformity, Ping Identity, TriCipher, Qualys, and VeriSign.

[From VeriSign Collaborates With Industry Leaders to Bring Trust to the Cloud – MarketWatch]

There are different ways of doing this, of course, but our good friends at Innopay have just outlined one very good way to do it in a report on “A Network Approach to e-Identification” that they prepared for the Dutch Ministry of Economic Affairs and published earlier this year. They suggest, in essence, using the two-sided network approach of Identity Providers and Authentication Providers (rather like Identrust, for example) but with 2FA to couple the “identity” to devices. So you register your clever USB key to authenticate your identity with, say, your bank and then you can use your USB key to log in at any other service that will accept your bank’s identification.

My guess is that, were such a system to become operational, then the device of choice for most people would be their mobile phone. This means that the mobile device becomes important as an authentication device, rather than as a payment device, if you see what I mean. This is hardly a new idea and a number of services already exist to do this kind of thing.

To help organizations fight the persistent advance of fraud techniques, the platform’s out-of-band authentication capabilities have been enhanced with the inclusion of one-time-passcode (OTP) SMS soft tokens. This new feature enables organizations to send a configurable number of OTPs to a mobile device for use during authentication. Automatically replenished as needed, this dynamic soft-token approach delivers the strength of out-of-band authentication without the concern for constant network availability, delivery timing or software deployment to a mobile device.

[From Latest Entrust Versatile Authentication Platform Release Includes SMS Soft Tokens, Digital Certificates – Apr 22, 2009]

I don’t like SMS-based solutions because, should they become widespread then they will become spoofed, so I would much prefer an industry-wide approach to a genuinely secure solution with key pairs generated inside the SIM and SIM-based applications for encryption and signing (thereby not depending on security in the network or handset) using the kind of technologies that we’ve discussed here before (eg, with Turkcell).
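To make the two ideas above concrete (the Innopay-style split between an identity provider that enrols a device and any number of relying parties that accept its say-so, and a device-held key pair that signs rather than a code sent over SMS), here is an added example in Go. It is not code from this post, nor from Innopay, Turkcell, Swedbank or the Mobile BankID service; it is a sketch I have written for illustration. It assumes Ed25519 signatures from the Go standard library, a bank acting as identity provider, a hypothetical relying party called "tax-office", and a user "alice"; the `Device` struct plays the part of the SIM, and the private key never leaves it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the SIM: the key pair is generated here and the private
// key never leaves this struct. A real SIM applet would sign inside the card.
type Device struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewDevice() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv, Pub: pub}
}

// Sign answers a challenge. The device only ever signs challenge bytes handed
// to it, so nothing secret crosses the handset OS or the network.
func (d *Device) Sign(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// Assertion is what the identity provider (the bank) hands to a relying party
// once the device has proved possession of its key.
type Assertion struct {
	Subject  string
	Audience string
	Expires  time.Time
	Sig      []byte // bank's signature over Subject|Audience|Expires
}

func (a Assertion) payload() []byte {
	return []byte(a.Subject + "|" + a.Audience + "|" + a.Expires.UTC().Format(time.RFC3339))
}

// Bank is the identity provider: it enrols device public keys, issues one-time
// challenges, and signs assertions with its own key.
type Bank struct {
	priv     ed25519.PrivateKey
	Pub      ed25519.PublicKey
	enrolled map[string]ed25519.PublicKey // subject -> device public key
	pending  map[string]string            // hex(challenge) -> subject
}

func NewBank() *Bank {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Bank{priv: priv, Pub: pub, enrolled: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

// Enrol is the "register your key with your bank" step.
func (b *Bank) Enrol(subject string, devPub ed25519.PublicKey) { b.enrolled[subject] = devPub }

// Challenge issues a fresh random nonce bound to the subject. It is consumed on
// first use, which is what stops a captured signature from being replayed.
func (b *Bank) Challenge(subject string) ([]byte, error) {
	if _, ok := b.enrolled[subject]; !ok {
		return nil, errors.New("unknown subject")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	b.pending[hex.EncodeToString(nonce)] = subject
	return nonce, nil
}

// Authenticate verifies the device's signature over the challenge and, on
// success, issues an assertion addressed to one relying party.
func (b *Bank) Authenticate(subject string, challenge, sig []byte, audience string, ttl time.Duration) (Assertion, error) {
	key := hex.EncodeToString(challenge)
	if b.pending[key] != subject {
		return Assertion{}, errors.New("unknown or already used challenge")
	}
	delete(b.pending, key) // single use
	if !ed25519.Verify(b.enrolled[subject], challenge, sig) {
		return Assertion{}, errors.New("bad device signature")
	}
	a := Assertion{Subject: subject, Audience: audience, Expires: time.Now().Add(ttl)}
	a.Sig = ed25519.Sign(b.priv, a.payload())
	return a, nil
}

// VerifyAssertion is the relying party's check. It needs only the bank's public
// key, never the device's; audience and expiry are checked so an assertion for
// one service cannot be presented to another or kept indefinitely.
func VerifyAssertion(bankPub ed25519.PublicKey, a Assertion, audience string, now time.Time) error {
	if a.Audience != audience {
		return errors.New("wrong audience")
	}
	if now.After(a.Expires) {
		return errors.New("assertion expired")
	}
	if !ed25519.Verify(bankPub, a.payload(), a.Sig) {
		return errors.New("bad issuer signature")
	}
	return nil
}

func main() {
	dev, bank := NewDevice(), NewBank()
	bank.Enrol("alice", dev.Pub) // hypothetical user
	ch, _ := bank.Challenge("alice")
	a, err := bank.Authenticate("alice", ch, dev.Sign(ch), "tax-office", time.Minute)
	fmt.Println("login:", err, "| relying party:", VerifyAssertion(bank.Pub, a, "tax-office", time.Now()))
	// Replaying the same challenge and signature is refused.
	_, err = bank.Authenticate("alice", ch, dev.Sign(ch), "tax-office", time.Minute)
	fmt.Println("replay:", err)
}
```

The point of the split is visible in the types: the relying party holds one key (the bank's) and never learns anything about the device; the bank holds device public keys but never the private ones; and the only thing that ever leaves the device is a signature over a nonce it did not choose. An intercepted SMS code can be typed in by whoever intercepts it, whereas an intercepted signature here is useless once the challenge has been consumed.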

So far, so not controversial. The mobile phone provides a better platform for identity and authentication than a card does. But what identities would people want to bind to their phone? Would they be government identities, effectively substituting the national identity card for a national identity app?

European security agency Enisa is calling on banks and governments to work together to extend the application of national electronic identity cards as tokens for online banking authentication and remote account opening.

[From Finextra: Enisa calls for national ID cards to be extended to e-banking]

Now this makes obvious sense, provided that the national authorities responsible for the online authentication of the ID cards accept responsibility for the identification (which, I have to say, in the case of the UK they have proven extremely reluctant to do). But actually in many countries the reverse is becoming the standard: the banks implement 2FA-based strong authentication and then the government uses the bank authentication, not the other way round. They used to do this with passwords, then TANs (remember the paper lists of numbers?), then SMS. But now some are doing it with SIM-based PKI.

Mobile BankID, a new digital identity service for mobile phones, has been launched by financial services provider Swedbank along with telecom operators TeliaSonera and Telenor. The service can be used for electronic identification and for approving documents on the internet using mobile phones.

[From TeliaSonera, Telenor & Swedbank launch Mobile BankID (Sweden)]

This is a real basis for moving forward and building new businesses. If the operators provide SIM-based PKI and then rent it out on reasonable terms, banks will be only the first mass market to shift identity and authentication out of the cloud and on to the handsets. Identity really is the new money (and the mobile phone is the new metal strip down the middle of a £10 note so that you know it is real).

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public
