Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Bitcoin's fragile power: It's meaningless

What do land titles, marriage certificates, diamonds, ballots, aircraft parts and medical records have in common? They are all apparently able to be managed "on the blockchain". But enough with the metaphors. What does it mean to be "on the blockchain"?

To put a physical asset "on" the blockchain requires two mappings. Firstly, the asset needs to be mapped onto a token. For example, the serial number or barcode of a part or a diamond is inserted as metadata into a blockchain transaction, to codify the transfer of ownership of the asset. Secondly, asset owners need to be mapped onto their respective blockchain wallet public keys (through the sort of agent or third party which Nakamoto, let's remember, expressly tried to get rid of with the P2P consensus algorithm). The mapping can be pseudonymous, but buyers and sellers of land for instance, need to be confident that the counterparties control the keys they claim to.

How does the "naked" blockchain get away without these mappings? It's because Bitcoins don't exist off-chain. In fact they don't exist "on" the chain either; the blockchain itself only records subtractions and additions of balances.

Furthermore, possession of the private key is the only thing that matters with Bitcoin. Control a wallet's private key and you control the wallet balance. The protocol doesn't care who is in control; it will simply ensure that a quantity of Bitcoin will be transferred from one wallet to another, regardless of who "owns" them.

So unlike any other cryptographic security system, Bitcoin key pairs need not be imbued with any extrinsic significance, or associated with (bound to) any real world attributes. Bitcoins have no symbolic meaning. And in fact that is blockchain's magic trick!

But to make tokens stand for anything else - anything real - breaks the spell. Symbols are defined by authorities, and keys and attributes can only be assigned by third parties. If you have administrators, you just don't need the additional overhead of the blockchain, which exists purely to get around Nakamoto's express assumption that nobody in his system of electronic cash was to be trusted.

Bitcoin is often said to be anonymous, but its special property is actually that it has no meaning. It's truly amazing that such a thing can have value and be relied upon, which is a testament to its architecture. Blockchain was deliberately designed for a non fiat crypto currency. It's brilliant yet very specific to its intended trust-less environment. To re-introduce trusted processes simply undoes the benefits of blockchain.

Posted in Trust, Security, Payments, Blockchain

Card Not Present Fraud up another 25% YOY

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. For a decade now, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is doing - and not doing - about Card Not Present fraud. Here is our summary for the financial year 2015 stats.

CNP trends pic to FY 2015

Card Not Present (CNP) fraud has grown over 25 percent year-on-year from FY2014, and now represents 84 percent of all fraud on Australian cards.

APCA evidently has an uneasy relationship with any of the industry's technological responses to CNP fraud, like the controversial 3D Secure, and tokenization. Neither get a mention in the latest payment fraud media release. Instead APCA puts the stress on shopper behaviour, describing the continuing worsening in fraud as "a timely reminder to Australians to remain vigilant when shopping online". Sadly, this ignores that fact that card data used for organised criminal CNP fraud comes from mass breaches of databases, not from websites. There is nothing that shoppers can do when using their cards online to stop them being stolen, because they're much more likely to get stolen from backend systems over which the shoppers have no control.

You can be as careful as you like online - you can even avoid Internet shopping entirely - and still have your card data stolen from a regular store and used in CNP attacks online.

APCA says:

    • "Financial institutions and law enforcement have been working together to target skimming at ATMs and in taxis and this, together with the industry’s progressive roll-out of chip-reading at ATMs, is starting to reflect in the fraud data".

That's true. Fraud by skimming and carding was halved by the smartcard rollout, and has remained low and steady in absolute terms for three years. But APCA errs when it goes on:

    • "Cardholders can help these efforts by always protecting their PINs and treating their cards like cash".

Safeguarding your physical card and PIN does nothing to prevent the mass breaches of card data held in backend databases.

A proper fix to replay attack is easily within reach, which would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for card holders. Apple for one has grasped the nettle, and is using its Secure Element-based Apple Pay method (established now for card present NFC payments) for Card Not Present transactions, in the app.

See also my 2012 paper Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).

Abstract

The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it’s astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.

With all the innovation in payments leveraging cryptographic Secure Elements in mobile phones, perhaps at last we will see CNP payments modernise for web and mobile shopping.

Posted in Smartcards, Security, Payments, Innovation, Fraud

Weak links in the Blockchain

One of the silliest things I've read yet about blockchain came out in Business Insider Australia last week. They said that the blockchain “in effect” lets the crowd police the monetary system.

In the rush to make bigger and grander claims for the disruptive potential of blockchain, too many commentators are neglecting the foundations. If they think blockchain is important, then it’s all the more important they understand what it does well, and what it just doesn’t do at all.

Blockchain has one very clever, very innovative trick: it polices the order of special events (namely Bitcoin spends) without needing a central authority. The main “security” that blockchain provides is nottamper resistance or inviolability per se -- you can get that any number of ways using standard cryptography -- but rather it’s the process for a big network of nodes to reach agreement on the state of a distributed ledger, especially the order of updates to the ledger.

To say blockchain is “more secure” is a non sequitur. Security claims need context.

  • If what matters is agreeing ‘democratically’ on the order of events in a decentralised public ledger, without any central authority, then blockchain makes sense.
  • But if you don't care about the order of events, then blockchain is probably irrelevant or, at best, heavily over-engineered.
  • And if you do care about the order of events (like stock transactions) but you have some central authority in your system (like a stock exchange), then blockchain is not only over-engineered, but its much-admired maths is compromised by efforts to scale it down, into private chains and the like, for the power of the original blockchain consensus algorithm lies in its vast network, and the Bitcoin rewards for the miners that power it.

A great thing about blockchain is the innovation it has inspired. But let’s remember that the blockchain (the one underpinning Bitcoin) has been around for just seven years, and its spinoffs are barely out of the lab. Analysts and journalists are bound to be burnt if they over-reach at this early stage.

The initiatives to build smaller, private or special purpose distributed ledgers, to get away from Bitcoin and payments, detract from the original innovation, in two important ways. Firstly, even if they replace the Bitcoin incentive for running the network (i.e. mining or “proof of work”) with some other economic model (like “proof of stake”), they compromise the tamper resistance of blockchain by shrinking the pool. And secondly, as soon as you fold some command and control back into the original utopia, blockchain’s raison d'etre is no longer clear, and its construction looks over-engineered.

Business journalists are supposed to be sceptical about technology, but many have apparently taken leave of their critical faculties, even talking up blockchain as a "trust machine". You don’t need to be a cryptographer to understand the essence of blockchain, you just have to be cautious with magic words like “open” and “decentralised”, and the old saw "trust". What do they really mean? Blockchain does things that not all applications really need, and it doesn't do what many apps do need, like access control and confidentiality.

Didn't we learn from PKI that technology doesn't confer trust? It's been claimed that putting land titles on the blockchain will prevent government corruption. To which I say, please heed Bruce Schneier, who said only amateurs hack computers; professional criminals hack people.

Posted in Security, Payments, Innovation, Blockchain, Trust

Who buys Bitcoin for Identity?

You’ll have to forgive the deliberate inaccuracy in the title, but I just couldn’t resist the wordplay. The topic of this blog is the use of the blockchain for identity, which is not exactly Bitcoin. By my facetiousness, and by my analysis, you’ll see I don’t yet take the identity use case seriously.

In 2009, Bitcoin was launched. A paper was self-published by a person or persons going by the nom de plume Satoshi Nakamoto, called “Bitcoin: A Peer-to-Peer Electronic Cash System” and soon after an open source software base appeared at http://www.bitcoin.org. Bitcoin offered a novel solution to the core problem in electronic cash: how to prevent double spending without reverting to a central authority. Nakamoto’s conception is strongly anti-authoritarian, almost anarchic, with an absolute rejection of fiat currency, reserve banks and other central institutions. Bicoin and its kin aim to change the world, and by loosening the monopolies in traditional finance, they may well do that.

Separate to that, the core cryptographic technology in Bitcoin is novel, and so surprising, it's almost magical. Add to that spell the promise of security and anonymity, and we have a powerful mix that some people see excitedly as stretching far beyond mere money, and into identity. So is that a reasonable step?

Bitcoin’s secret sauce

A decentralised digital currency scheme requires some sort of community-wide agreement on when someone spends a virtual coin, so she cannot spend it again. Bitcoin’s trick is to register every single transaction on one public tamper-proof ledger called the blockchain, which is refreshed in such a way that the whole community in effect votes on the order in which transactions are added or, equivalently, the time when each coin is spent.

The blockchain ledger is periodically hashed to keep it to a manageable length, but all transactions are visible, archived in effect for all time. No proof of identity or KYC check is needed to register a Bitcoin account, and currency – denominated "BTC" – may be transferred freely to any other account. Hence Bitcoin may be called anonymous (but the unique account identifiers are set in stone, providing a rock solid money trail that has been the undoing of many criminal Bitcoin users).

The continuous arbitration of blockchain entries is effected by a peer-to-peer network of servers that race each other to double-check a special hash value for the refreshed chain. The particular server that wins each race is rewarded for its effort with a tiny fraction of a Bitcoin. The ongoing background computation that keeps a network like this honest is referred to technically as "Proof of Work"; with Bitcoin, since there is a monetary reward, it’s called mining.

Whether or not Bitcoin lasts as a form of electronic cash, there is a groundswell of enthusiasm for the blockchain as a new type of public ledger for a much broader range of transactions, including “identity”. The scare quotes are deliberate on my part, reflecting that the blockchain-for-identity speculations have not been clear about what part of the identity puzzle they might solve.

For identity applications, the reality of Bitcoin mining creates some particular challenges which I will return to. But first let’s look at the positive influence of Bitcoin and then review some of its cryptographic building blocks.

Bitcoin inspirations

People will argue about its true originality, but we can regard Bitcoin and the blockchain as providing an innovative and practical solution to the unsolved double-spend problem. I like Bitcoin as the latest example of a wondrous pattern in applied mathematics. Conundrums widely accepted as impossible are, in fact, solved quite often, after which frenetic periods of innovation can follow. The first surprise or prototype solution is typically inefficient but it can inspire fresh thinking and lead to more polished methods.

One of the greatest examples is Merkle’s Puzzles, a theoretical method invented by Ralph Merkle in 1974 for establishing a shared secret number between two parties who need only exchange public pieces of data. This was the holy grail for cryptography, for it meant that a secret key could be set up without having to carry the secret from one correspondent to the other (after all, if you can securely transfer a key across a long distance, you can do the same with your secret message and thus avoid the hassle of encryption altogether). Without going into detail, Merkle’s solution could not be used in the real world, but it solved what was thought to be an unsolvable problem. In quick succession, practical algorithms followed from Diffie & Hellman, and Rivest, Shamir & Adleman (the names behind “RSA”) and thus was born public key cryptography.

Bitcoin likewise has spurred dozens of new digital currencies, with different approaches to ledgers and arbitration, and different ambitions too (including Ripple, Ethereum, Litecoin, Dogecoin, and Colored Coins). They all promise to break the monopoly that banks have on payments, radically cut costs and settlement delays, and make electronic money more accessible to the unbanked of the world. These are what we might call liquidity advantages of digital currencies. These objectives (plus the more political promises of ending fiat currency and rendering electronic cash transactions anonymous or untraceable) are certainly all important but they are not my concern in this blog.

Bitcoin’s public sauce

Before looking at identity, let’s review some of the security features of the blockchain. We will see that safekeeping of each account holder’s private keys is paramount – as it is with all Internet payments systems and PKIs.

While the blockchain is novel, many elements of Bitcoin come from standard public key cryptography and will be familiar to anyone in security. What’s called a Bitcoin “address” (the identifier of someone you will send currency to) is actually a public key. To send any Bitcoin money from your own address, you use the matching private key to sign a data object, which is sent into the network to be processed and ultimately added to the blockchain.

The only authoritative record of anyone’s Bitcoin balance is held on the blockchain. Account holders typically operate a wallet application which shows their balance and lets them spend it, but, counter-intuitively, the wallet holds no money. All it does is control a private key (and provide a user experience of the definitive blockchain). The only way you have to spend your balance (that is, transfer part of it to another account address) is to use your private key. What follows from this is an unforgiving reality of Bitcoin: your private key is everything. If a private key is lost or destroyed, then the balance associated with that key is frozen forever and cannot be spent. And thus there has been a string of notorious mishaps where computers or disk drives holding Bitcoin wallets have been lost, together with millions of dollars of value they controlled. Furthermore, numerous pieces of malware have – predictably – been developed to steal Bitcoin private keys from regular storage devices (and law enforcement agencies have intercepted suspects’ private keys in the battle against criminal use of Bitcoin).

You would expect the importance of Bitcoin private key storage to have been obvious from the start, to ward off malware and destruction, and to allow for reliable backup. But it was surprisingly late in the piece that “hardware wallets” emerged, the best known of which is probably now the Trezor, which first appeared in 2013. The use of hardware security modules for private key management in soft wallets or hybrid wallets has been notably ad hoc. It appears crypto currency proponents pay more attention to the algorithms and the theory than to practical cryptographic engineering.

Identifying with the blockchain

The enthusiasm for crypto currency innovation has proven infectious, and many commentators have promoted the blockchain in particular as something special for identity management. A number of start-ups are “providing” identity on the blockchain – including OneName, and ShoCard – although on closer inspection what this usually means is nothing more than reserving a unique blockchain identifier with a self-claimed pseudonym.

Prominent financial services blogger Chris Skinner says "the blockchain will radically alter our futures" and envisages an Internet of Things where your appliances are “recorded [on the blockchain] as being yours using your digital identity token (probably a biometric or something similar)”. And the government of Honduras has hired American Bitcoin technology firm Factom to build a blockchain-based land title registry, which they claim will be “immutable”, resistant to insider fraud, and extensible to “more secure mortgages, contracts, and mineral rights”.

While blockchain afficionados have been quick to make a leap to identity, the opposite is not the case. The identerati haven’t had much to say about blockchain at all. Ping Identity CTO Patrick Harding mentioned it in his keynote address at the 2015 Cloud Identity Summit, and got a meek response from the audience when he asked who knew what blockchain is (I was there). Harding’s suggestions were modest, exploratory and cautious. And only now has blockchain figured prominently in the twice-yearly freeform Internet Identity Workshop unconference in Silicon Valley. I'm afraid it's telling that all the initial enthusiasm for blockchain "solving" identity has come from non identity professionals.

What identity management problem would be solved by using the blockchain? The most prominent challenges in digital identity include the following:

  • account creation including validation of identity or other attributes
  • the cost and inconvenience of multiple account registrations
  • the inconvenience and insecurity of multiple usernames and passwords
  • identity theft and account takeover
  • interoperability of identity data or attributes between services and applications
  • provenance of attributes.

    What does the blockchain have to offer?

    Certainly, pseudonymity is important in some settings, but is rare in economically important personal business, and in any case is not unique to the blockchain. The secure recording of transactions is very important, but that’s well-solved by regular digital signatures (which remain cryptographically verifiable essentially for all time, given the digital certificate chain). Most important identity transactions are pretty private, so recording them all in a single public register instead of separate business-specific databases is not an obvious thing to do.

    The special thing about the blockchain and the proof-of-work is that they prevent double-spending. I’ve yet to see a blockchain-for-identity proposal that explains what the equivalent “double identify” problem really is and how it needs solving. And if there is such a thing, the price to fix it is to record all identity transactions in public forever.

    The central user action in all blockchain applications is to “send” something to another address on the blockchain. This action is precisely a digital (asymmetric cryptographic) signature, essentially the same as any conventional digital signature, created by hashing a data object and encrypting it with one’s private key. The integrity and permanence of the action comes from the signature itself; it is immaterial where the signature is stored.

    What the blockchain does is prevent a user from performing the same action more than once, by using the network to arbitrate the order in which digital signatures are created. In regular identity matters, this objective simply doesn’t arise. The primitive actions in authentication are to leave one’s unique identifying mark (or signature) on a persistent transaction, or to present one’s identity in real time to a service. Apart from peer-to-peer arbitration of order, the blockchain is just a public ledger - and a rather slow one at that. Many accounts of blockchain uses beyond payments simply speak of its inviolability or perpetuity. In truth, any old system of digitally signed database entries is reasonably inviolable. Tamper resistance and integrity come from the digital signatures, not the blockchain. And as mentioned, the blockchain itself doesn't provide any assurance of who really did what - for that we need separate safeguards on users' private keys, plus reliable registration of users and their relevant attributes (which incidentally cannot be done without some authority, unless self-attestation is good enough).

    In addition to not offering much advantage in identity management, there are at least two practical downsides to recording non Bitcoin activity on the blockchain, both related to the proof-of-work. The peer-to-peer resolution of the order of transactions takes time. With Bitcoin, the delay is 10 minutes; that’s the time taken for an agreed new version of the blockchain to be distilled after each transaction. Clearly, in real time access control use cases, when you need to know who someone is right away, such delay is unacceptable. The other issue is cost. Proof-of-work, as the name is meant to imply, consumes real resources, and elicits a real reward.

    So for arbitrary identity transactions, what is the economics for using the blockchain? Who would pay, who would be paid, and what market forces would price identity, in this utopia where all accounts are equal?

    Posted in Innovation, Identity, Federated Identity, Blockchain, Payments

  • Card Not Present fraud trends (sadly) back to normal

    The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. For years, Lockstep has been monitoring these figures, plotting the trend data and analysing what the industry is and is not doing about it. A few weeks ago, statistics for calendar year 2014 came out.

    CNP trends pic to CY 2014

    As we reported last time, despite APCA's optimistic boosting of 3D Secure and education measures for many years, Card Not Present (CNP) online fraud was not falling as hoped. And what we see now in the latest numbers is the second biggest jump in CNP fraud ever! CY 2014 online card fraud losses were very nearly AU$300M, up 42% in 12 months.

    Again, APCA steadfastly rationalises in its press release (PDF) that high losses simply reflect the popularity of online shopping. That's cold comfort to the card holders and merchants who are affected.

    APCA has a love-ignore relationship with 3D Secure. This is one of the years when 3D Secure goes unmentioned. Instead the APCA presser talks up tokenization, I think for the first time. Yet the payments industry has had tokenization for about a decade. It's just another band-aid over the one fundamental crack in the payment card system: nothing stops stolen card numbers being replayed.

    A proper fix to replay attack is easily within reach, which would re-use the same cryptography that solves skimming and carding, and would restore a seamless payment experience for card holders. See my 2012 paper Calling for a Uniform Approach to Card Fraud Offline and On" (PDF).

    Abstract

    The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it’s astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

    This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.

    With all the innovation in payments leveraging cryptographic Secure Elements in mobile phones - the exemplar being Apple Pay for Card Present business - it beggars belief that we have yet to modernise CNP payments for web and mobile shopping.

    Posted in Security, Payments, Fraud

    Card Not Present fraud shows no sign of turning

    The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. Lockstep monitors these figures and plots the trend data. We got a bit too busy in 2014 and missed the last couple of APCA releases, so this blog is a catch up, summarising and analysing stats from calendar year 2013 and AU financial year 2014 (July 2013 to June 2014).

    CNP trends pic to CY 2013
    CNP trends pic to FY 2014



    In the 12 months to June 2014,

    • Total card fraud rose by 22% to A$321 million
    • Card Not Present (CNP) fraud rose 27% to A$256 million
    • CNP fraud now represents 80% of all card fraud.

    APCA is one of the major payments systems regulators in Australia. It has only ever had two consistent things to say about Card Not Present fraud. First, it reassures the public that CNP fraud is only rising because online shopping is rising, implying that it's really not a big deal. Second, APCA produces advice for shoppers and merchants to help them stay safe online.

    I suppose that in the 1950s and 60s, when the road toll started rising dranatically and car makers we called on to improve safety, the auto industry might have played down that situation like APCA does with CNP fraud. "Of course the road toll is high" they might have said; "it's because so many people love driving!". Fraud is not a necessary part of online shopping; at some point payments regulators will have to tell us, as a matter of policy, what level of fraud they think is actually reasonable, and start to press the industry to take action. In absolute terms, CNP fraud has ballooned by a factor of 10 in the past eight years. The way it's going, annual online fraud might overtake the cost of car theft (currently $680 million) before 2020.

    As for APCA's advice for shoppers to stay safe online, most of it is nearly useless. In their Christmas 2014 media release (PDF), APCA suggested:

    Consumers can take simple steps to help stay safe when shopping online including:

    • Only providing their card details on secure websites – looking for the locked padlock.
    • Always keeping their PC security software up-to-date and doing a full scan often.

    The truth is very few payment card details are stolen from websites or people's computers. Organised crime targets the databases of payment processors and big merchants, where they steal the details of tens of millions of cardholders at once. Four of the biggest ever known credit card breaches occurred in the last 18 months (Ref: DataLossDB):

      • 109,000,000 credit cards - Home Depot, September 2014
      • 110,000,000 credit cards - Target, December 2013
      • 145,000,000 credit cards - eBay, May 2014
      • 152,000,000 credit cards - Adobe, Oct 2013.

    In its latest Data Breach Investigations Report, Verizon states that "2013 may be remembered as ... a year of transition to large-scale attacks on payment card systems".

    Verizon DBIR 2014 Fig 11 Number of breaches per category over time

    Verizon has plotted the trends in data breaches at different sources; it's very clear that servers (where the datsa is held) have always been the main target of cybercriminals, and are getting proportionally more attention year on year. Diagrag at right from Verizon Data Breach Investigations Report 2014.

    So APCA's advice to look for website padlocks and keep anti-virus up-to-date - as important as that may be - won't do much at all to curb payment card theft or fraud. You might never have shopped online in your life, and still have your card details stolen, behind your back, at a department store breach.


    Over the course of a dozen or more card fraud reports, APCA has had an on-again-off-again opinion of the credit card scheme's flagship CNP security measure, 3D Secure. In FY2011 (after CNP fraud went up 46%), APCA said "retailers should be looking at a 3D Secure solution for their online checkout". Then in their FY2012 media release, as losses kept increasing, they made no mention of 3D Secure at all.

    Calendar year 2012 saw Australian CNP fraud fall for the first time ever, and APCA was back on the 3D Secure bandwagon, reporting that "The drop in CNP fraud can largely be attributed to an increase in the use of authentication tools such as MasterCard SecureCode and Verified by Visa, as well as dedicated fraud prevention tools."

    Sadly, it seems 2012 was a blip. Online fraud for FY2014 (PDF) has returned to the long term trend. It's impossible to say what impact 3D Secure has really had in Australia, but penetration and consumer awareness of this technology remains low. It was surprising that APCA previously rushed to attribute a short-term drop in fraud to 3D Secure; that now seems overly optimistic, with CNP frauds continuing to mount after all.

    In my view, it beggars belief the payments industry has yet to treat CNP fraud as seriously as it did skimming and carding. Technologically, CNP fraud is not a hard problem. It's just the digital equivalent of analogue skimming and carding, and it could be stopped just as effectively by using chips to protect cardholder data, just as they do in Card Present payments, whether by EMV card or NFC mobile devices.

    In 2012, I published a short paper on this: Calling for a Uniform Approach to Card Fraud Offline and On (PDF).


    Abstract

    The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. The universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere underpin seamless convenience. So with this determination to facilitate trustworthy and supremely convenient spending in every corner of the earth, it’s astonishing that the industry is still yet to standardise Internet payments. We settled on the EMV standard for in-store transactions, but online we use a wide range of confusing and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked.

    This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same EMV chip and cryptography as do card present payments.

    Posted in Security, Payments

    Making cyber safe like cars

    This is an updated version of arguments made in Lockstep's submission to the 2009 Cyber Crime Inquiry by the Australian federal government.

    In stark contrast to other fields, cyber safety policy is almost exclusively preoccupied with user education. It's really an obsession. Governments and industry groups churn out volumes of well-meaning and technically reasonable security advice, but for the average user, this material is overwhelming. There is a subtle implication that security is for experts, and that the Internet isn't safe unless you go to extremes. Moreover, even if consumers do their very best online, their personal details can still be taken over in massive criminal raids on databases that hardly anyone even know exist.

    Too much onus is put on regular users protecting themselves online, and this blinds us to potential answers to cybercrime. In other walks of life, we accept a balanced approach to safety, and governments are less reluctant to impose standards than they are on the Internet. Road safety for instance rests evenly on enforceable road rules, car technology innovation, certified automotive products, mandatory quality standards, traffic management systems, and driver training and licensing. Education alone would be nearly worthless.

    Around cybercrime we have a bizarre allergy to technology. We often hear that 'Preventing data breaches not a technology issue' which may be politically correct but it's faintly ridiculous. Nobody would ever say that preventing car crashes is 'not a technology issue'.

    Credit card fraud and ID theft in general are in dire need of concerted technological responses. Consider that our Card Not Present (CNP) payments processing arrangements were developed many years ago for mail orders and telephone orders. It was perfectly natural to co-opt the same processes when the Internet arose, since it seemed simply to be just another communications medium. But the Internet turned out to be more than an extra channel: it connects everyone to everything, around the clock.

    The Internet has given criminals x-ray vision into peoples' banking details, and perfect digital disguises with which to defraud online merchants. There are opportunities for crime now that are both quantitatively and qualitatively radically different from what went before. In particular, because identity data is available by the terabyte and digital systems cannot tell copies from originals, identity takeover is child's play.

    You don't even need to have ever shopped online to run foul of CNP fraud. Most stolen credit card numbers are obtained en masse by criminals breaking into obscure backend databases. These attacks go on behind the scenes, out of sight of even the most careful online customers.

    So the standard cyber security advice misses the point. Consumers are told earnestly to look out for the "HTTPS" padlock that purportedly marks a site as secure, to have a firewall, to keep their PCs "patched" and their anti-virus up to date, to only shop online at reputable merchants, and to avoid suspicious looking sites (as if cyber criminals aren't sufficiently organised to replicate legitimate sites in their entirety). But none of this advice touches on the problem of coordinated massive heists of identity data.

    Merchants are on the hook for unwieldy and increasingly futile security overheads. When a business wishes to accept credit card payments, it's straightforward in the real world to install a piece of bank-approved terminal equipment. But to process credit cards online, shopkeepers have to sign up to onerous PCI-DSS requirements that in effect require even small business owners to become IT security specialists. But to what end? No audit regime will ever stop organised crime. To stem identity theft, we need to make stolen IDs less valuable.

    All this points to urgent public policy matters for governments and banks. It is not enough to put the onus on individuals to guard against ad hoc attacks on their credit cards. Systemic changes and technological innovation are needed to render stolen personal data useless to thieves. It's not that the whole payments processing system is broken; rather, it is vulnerable at just one point where stolen digital identities can be abused.

    Digital identities are the keys to our personal kingdoms. As such they really need to be treated as seriously as car keys, which have become very high tech indeed. Modern car keys cannot be duplicated at a suburban locksmith. It's possible you've come across office and filing cabinet keys that carry government security certifications. And we never use the same keys for our homes and offices; we wouldn't even consider it (which points to the basic weirdness in Single Sign On and identity federation).

    In stark contrast to car keys, almost no attention is paid to the pedigree of digital identities. Technology neutrality has bred a bewildering array of ad hoc authentication methods, including SMS messages, one time password generators, password calculators, grid cards and picture passwords; at the same time we've done nothing at all to inhibit the re-use of stolen IDs.

    It's high time government and industry got working together on a uniform and universal set of smart identity tools to properly protect consumers online.

    Stay tuned for more of my thoughts on identity safety, inspired by recent news that health identifiers may be back on the table in the gigantic U.S. e-health system. The security and privacy issues are large but the cyber safety technology is at hand!

    Posted in Fraud, Identity, Internet, Payments, Privacy, Security

    Safeguarding the pedigree of personal attributes

    The problem of identity takeover

    The root cause of much identity theft and fraud today is the sad fact that customer reference numbers, personal identifiers and attributes generally are so easy to copy and replay without permission and without detection. Simple numerical attributes like bank account numbers and health IDs can be stolen from many different sources, and replayed with impunity in bogus transactions.

    Our personal data nowadays is leaking more or less constantly, through breached databases, websites, online forms, call centres and so on, to such an extent that customer reference numbers on their own are no longer reliable. Privacy consequentially suffers because customers are required to assert their identity through circumstantial evidence, like name and address, birth date, mother’s maiden name and other pseudo secrets. All this data in turn is liable to be stolen and used against us, leading to spiraling identity fraud.

    To restore the reliability of personal attribute data, we need to know their pedigree. We need to know that a presented data item is genuine, that it originated from a trusted authority, it’s been stored safely by its owner, and it’s been presented with the owner’s consent. If confidence in single attributes can be restored then we can step back from all the auxiliary proof-of-identity needed for routine transactions, and thus curb identity theft.

    A practical response to ID theft

    Several recent breaches of government registers leave citizens vulnerable to ID theft. In Korea, the national identity card system was attacked and it seems that all Korean's citizen IDs will have to be re-issued. In the US, Social Security Numbers are often stolen and used tin fraudulent identifications; recently, SSNs of 800,000 Post Office employees appear to have been stolen along with other personal records.

    Update 14 June 2015: Now last week we got news of a hugely worse breach of US SSNs (not to mention deep personal records) of four million federal US government employees, when the Office of Personnel Management was hacked.

    We could protect people against having their stolen identifiers used behind their backs. It shouldn't actually be necessary to re-issue every Korean's ID. Nor should it matter that US SSNs aren't usually replaceable. And great improvements may be made to the reliability of identification data presented online without dramatically changing Relying Parties' back-end processes. If for instance a service provider has always used SSN as part of its identification regime, they could continue to do so, if only the actual Social Security Numbers being received were known to be reliable.

    The trick is to be able to tell "original" ID numbers from "copies". But what does "original" mean in the digital world? A more precise term for what we really want is pedigree. What we need is to be able to present attribute data in such a way that the receiver may be sure of their pedigree; that is, know that the attributes were originally issued by an authoritative body to the person presenting or claiming them, and that each presentation of an attribute has occurred under the owner's control.

    These objectives can be met with the help of smart cryptographic technologies which today are built into most smart phones and smartcards, and which are finally being properly exploited by initiatives like the FIDO Alliance.


    "Notarising" attributes in chip devices

    There are ways of issuing attributes to a smart chip device that prevent them from being stolen, copied and claimed by anyone else. One way to do so is to encapsulate and notarise attributes in a unique digital certificate issued to a chip. Today, a great many personal devices routinely embody cryptographically suitable chips for this purpose, including smart phones, SIM cards, "Secure Elements", smartcards and many wearable computers.

    Consider an individual named Smith to whom Organisation A has issued a unique attribute N (which could be as simple as a customer reference number). If N is saved in ordinary computer memory or something like a magnetic stripe card, then it has no pedigree. Once the number N is presented by the cardholder in a transaction, it has the same properties as any other number. To better safeguard N in a chip device, it can be sealed into a digital certificate, as follows:

    1. generate a fresh private-public key pair inside Smith’s chip
    2. export the public key
    3. create a digital certificate around the public key, with an attribute corresponding to N
    4. have the certificate signed by (or on behalf of) organisation A.

    Pedigree Diagram 140901

    The result of coordinating these processes and technologies is a logical triangle that inextricably binds cardholder Smith to her attribute N and to a specific personally controlled device. The certificate signed by organisation A attests to both Smith’s attribute value N and Smith's control of a particular device. Keys generated inside the chip are retained internally, never divulged to outsiders. It is not possible to copy the private key to another device, so the logical triangle cannot be reproduced or counterfeited.

    Note that this technique is at the heart of the EMV "Chip-and-PIN" system where the smart payment card digitally signs cardholder and transaction data, rendering it immune to replay, before sending it to the merchant terminal. See also my 2012 paper Calling for a uniform approach to card fraud, offline and on. Now we should generalise notarised personal data and digitally signed transactions beyond Card-Present payments into as much online business as possible.

    Restoring privacy and consumer control

    When Smith wants to present her attribute N in an electronic transaction, instead of simply copying N out of memory (at which point it would lose its pedigree), Smith’s app digitally signs the transaction using the certificate containing N. With standard security software, anyone else can then verify that the transaction originated from a genuine device under Smith's control, with an attribute certified by A. And above all, this assurance is reliably made without needing to name Smith or reveal anything about her other than the attribute of interest.

    Note that N doesn't have to be a customer number or numeric identifier; it could be any personal data, such as a biometric template, or a package of medical information like an allergy alert, or an isolated (and anonymous) property of the user, such as her age.

    The capability to manage multiple key pairs and certificates, and to sign transactions with a nominated private key, is increasingly built into smart devices today. By narrowing down what you need to know about someone to a precise attribute or personal data item, we will reduce identity theft and fraud while radically improving privacy. This sort of privacy enhancing technology is the key to a safe Internet of Things, and it is now widely available.

    Addressing ID theft

    Perhaps the best thing governments could do immediately is to adopt smartcards and equivalent smart phone apps for holding and presenting such attributes as official ID numbers. The US government has actually come close to such a plan many times; Chip-based Social Security Cards and Medicare Cards have been proposed before, without realising their full potential. These devices would best be used as above to hold a citizen's identifiers and present them cryptographically, without vulnerability to ID theft and takeover. We wouldn't have to re-issue compromised SSNs; we would instead switch from manual presentation of these numbers to automatic online presentation, with a chip card or smart phone app conveying the data through digitally signatures.

    Posted in Smartcards, Security, PKI, Payments, Identity, Fraud, Biometrics

    Calling for a uniform approach to card fraud, offline and on

    This blog is an edited extract from an article of the same name, first published in the Journal of Internet Banking and Commerce, December 2012, vol. 17, no.3.

    The cryptographic techniques discussed here can be implemented in chip-and-PIN smartcards or mobile phones with secure elements. Both phones and smartcards can now be easily interfaced over NFC to laptops of tablet computers, for a pay-wave type of user experience. Or the secure element in a phone could be used in app to safeguard card-not-present payments from the device.

    The original article in 2012 was written for smartcards, but the equivalence of smartcards and smart phones is noted in square rackets throughout this updated blog..

    Abstract

    The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the world. Seamless convenience is underpinned by the universal Four Party settlement model, and a long-standing card standard that works the same with ATMs and merchant terminals everywhere.

    So with this determination to facilitate trustworthy and supremely convenient spending everywhere, it’s astonishing that the payment card industry has yet to standardise Internet payments. Most of the world has settled on the EMV standard for in-store transactions, but online we use a wide range of confusing, clumsy and largely ineffective security measures. As a result, Card Not Present (CNP) fraud is growing unchecked. This article argues that all card payments should be properly secured using standardised hardware. In particular, CNP transactions should use the very same types of chip and cryptography as do card present payments, with tamper-resistant transactions being digitally signed and sent direct from a client to a server, just as they are sent from a smart card to a merchant terminal.

    Skimming and Carding

    With “carding”, criminals replicate stolen customer data on blank cards and use those card copies in regular merchant terminals. “Skimming” is one way of stealing card data, by running a card through a copying device when the customer isn’t looking (but it’s actually more common for card data to be stolen in bulk from compromised merchant and processor databases).

    A magnetic stripe card stores the customer’s details as a string of ones and zeroes, and presents them to a POS terminal or ATM in the clear. It’s child’s play for criminals to scan the bits and copy them to a blank card.

    The industry responded to skimming and carding with EMV (aka Chip-and-PIN). EMV replaces the magnetic storage with an integrated circuit, but more importantly, it actively secures the data transmitted from card to terminal. EMV works by digitally signing those ones and zeros in the chip, and then verifying the signature at the terminal. The signing uses a Private Key unique to the cardholder and held safely inside the chip where it cannot be tampered with by fraudsters. It is not feasible to replicate the digital signature on a transaction without having access to the inner workings of the chip, and thus EMV cards resist carding.

    Online Card Fraud

    Conventional Card Not Present (CNP) transactions are vulnerable because, just like the old mag stripe cards, they use clear text cardholder data. On its own, a merchant server cannot tell the difference between the original card data and a copy, just as a mag strip terminal cannot tell an original card from a criminal's copy.

    So CNP fraud is just online carding.

    Despite the simplicity of the root problem, the past decade has seen a bewildering patchwork of flimsy and expensive online payments fixes. Various One Time Passwords have come and gone, from scratchy cards to electronic key fobs. Temporary SMS codes have been popular but were recently declared unsafe by the Communications Alliance in Australia, a policy body representing the major mobile carriers.

    “3D Insecure”

    Meanwhile, extraordinary resources have been squandered on the novel “3D Secure” scheme (MasterCard “SecureCode” and “Verified by Visa”). 3D Secure take-up is piecemeal; it’s widely derided by merchants and customers alike. It is often blocked by browsers; and it throws up odd looking messages that can appear like a phishing attack or other malfunction. Moreover, it upsets the underlying Four Party settlements architecture, slowing transactions to a crawl and introducing untold legal complexities. Payments regulators too appear to have lost interest in 3D Secure.

    So why doesn’t the payment card industry go back to its roots, preserve its global Four Party settlement architecture and standards, and tackle the real issue?

    Kill two birds with one chip

    We could stop most online fraud by using the same chip technologies we deployed to kill off skimming and carding.

    It is technically simple to reproduce the familiar card-present user experience in a standard computer. It would just take the will of the financial services industry to make payments by [smart phone or smartcard] standard. Computers with built-in smartcard readers have come and gone; they're commonplace in some Eastern European and Asian markets where smartcards are normal for e-health and online voting.

    But with dual interface and contactless smartcards, the interface options open right up. Most mobile devices now feature NFC ("Near Field Communications"), a special purpose device-to-device networking capability, which until now has mostly been used to emulate a payment card. But NFC enabled tablets and smartphones can switch into reader emulation mode, so as to act as a smartcard terminal. Other researchers have recently demonstrated how to read a smartcard via NFC to authenticate the cardholder to a mobile device.

    As an alternative, the SIM or other "Secure Element" of most mobile devices could be used to digitally sign card transactions directly, in place of the card. That’s essentially how NFC payment apps works for Card Present transactions – but nobody has yet made the leap to use smart phone hardware security for Card Not Present.

    Using a [smart payment card or smart phone] with a computer could and should be as easy as using Paywave or Paypass.

    Conclusion: Hardware security

    All serious payments systems use hardware security. The classic examples include SIM cards, EMV, the Hardware Security Modules mandated by regulators in all ATMs, and the Secure Elements of NFC devices. With well-designed hardware security, we gain a lasting upper hand in the criminal arms race.

    The Internet and mobile channels will one day overtake the traditional physical payments medium. Indeed, commentators already like to say that the “digital economy” is simply the economy. Therefore, let us stop struggling with stop-gap Internet security measures, and let us stop pretending that PCI-DSS audits will stop organised crime stealing card numbers by the million. Instead, we should kill two birds with one stone, and use chip technology in smart phones and smartcards to secure both card present and CNP transactions, and thus deliver the same high standards of usability and security in all channels.

    Posted in Smartcards, Security, Payments, Fraud

    The ROI for breaching Target

    An unhappy holiday for Target customers

    A week before Christmas, Target in the US revealed it had suffered a massive payment card data breach, with some 40 million customers affected. Details of the breach are still emerging. No well-informed criticism has yet to emerge of Target's security; instead most observers say that Target has very serious security, and therefore this latest attack must have been very sophisticated, or else an inside job. It appears Target was deemed PCI-DSS compliant -- which only goes to prove yet again the futility of the PCI audit regime for deterring organized criminals.

    Security analyst Brian Krebs has already seen evidence of a "fire sale" on carding sites. Cardholder records are worth several dollars each, up to $44 according to Krebs for "fresh" accounts. So the Return on Investment for really big attacks like this one on Target (and before that, on Adobe, Heartland Payments Systems, TJMaxx and Sony) can approach one billion dollars.

    We have to face the fact that no amount of conventional IT security can protect a digital asset worth a billion dollars. Conventional security can repel amateur attacks and prevent accidental losses, but security policies, audits and firewalls are not up to the job when a determined thief knows what they're looking for.

    It's high time that we rendered payment card data immune to criminal reuse. This is not a difficult technological problem; it's been solved before in Card Present transactions around the world, and with a little will power, the payments industry could do it again for Internet payments, nullifying the black market in stolen card data.

    A history of strong standardisation

    The credit card payments system is a paragon of standardisation. No other industry has such a strong history of driving and adopting uniform technologies, infrastructure and business processes. No matter where you keep a bank account, you can use a globally branded credit card to go shopping in almost every corner of the planet. This seamless interoperability is created by the universal Four Party settlement model, and a long-standing plastic card standard that works the same with ATMs and merchant terminals absolutely everywhere.

    So with this determination to facilitate trustworthy and supremely convenient spending in worldwide, it's astonishing that the industry is still yet to standardise Internet payments! We have for the most part settled on the EMV chip card standard for in-store transactions, but online we use a wide range of confusing, piecemeal and largely ineffective security measures. As a result, Card Not Present (CNP) fraud has boomed. I argue that all card payments -- offline and online -- should be properly secured using standardised hardware. In particular, CNP transactions should either use the very same EMV chip and cryptography as do Card Present payments, or it should exploit the capability of mobile handsets and especially Secure Elements.

    CNP Fraud trends

    The Australian Payments Clearing Association (APCA) releases twice-yearly card fraud statistics, broken down by fraud type: skimming & carding, Card Not Present, stolen cards and so on. Lockstep Consulting monitors the APCA releases and compiles a longitudinal series. The latest Australian card fraud figures are shown below.

    CNP trends pic to FY 2013


    APCA like other regulators tend to varnish the rise in CNP fraud, saying it's smaller than the overall rise in e-commerce. There are several ways to interpret this contextualization. The population-wide systemic advantages of e-commerce can indeed be said to outweigh the fraud costs, yet this leaves the underlying vulnerability to payments fraud unaddressed, and ignores the qualitative problems suffered by the individual victims of fraud (as they say, history is written by the winners). It's pretty complacent to play down fraud as being small compared with the systemic benefit of shopping online; it would be like meekly attributing a high road toll to the popularity of motor cars. At some point, we have to do something about safety!

    [And note very carefully that online fraud and online shopping are not in fact two sides of the same coin. Criminals obtain most of their stolen card data from offline retail and processing environments. It's a bit rude to argue CNP fraud is small as a proportion of e-commerce when some people who suffer from stolen card data might have never shopped online in their lives!]

    Frankly it's a mystery why the payments industry seems so bamboozled by CNP fraud, because technically it's a very simple problem. And it's one we've already solved elsewhere. For Card Not Present fraud is simply online carding.

    Skimming and Carding

    In carding, criminals replicate stolen customer data on blank cards; with CNP fraud they replay stolen data on merchant servers.

    A magstripe card stores the customer's details as a string of ones and zeroes, and presents them to a POS terminal or ATM in the clear. It's child's play for criminals to scan the bits and copy them to a blank card.

    The payments industry responded to skimming and carding with EMV (aka Chip-and-PIN). EMV replaces the magnetic storage with an integrated circuit, but more importantly, it secures the data transmitted from card to terminal. EMV works by first digitally signing those ones and zeros in the chip, and then verifying the signature at the terminal. The signing uses a Private Key unique to the cardholder and held safely inside the chip where it cannot be tampered with by fraudsters. It is not feasible to replicate the digital signature without having access to the inner workings of the chip, and thus EMV cards resist carding.

    Online card fraud

    Conventional Card Not Present (CNP) transactions are vulnerable because, like the old magstripe cards themselves, they rest on cleartext cardholder data. On its own, a merchant server cannot tell the difference between the original card data and a copy, just as a terminal cannot tell an original magstripe card from a criminal's copy.

    Despite the simplicity of the root problem, the past decade has seen a bewildering patchwork of flimsy and expensive online payments fixes. Various One Time Passwords have come and gone, from scratchy cards to electronic key fobs. Temporary SMS codes have been popular for two-step verification of transactions but were recently declared unfit for purpose by the Communications Alliance in Australia, a policy body representing the major mobile carriers.

    Meanwhile, extraordinary resources have been squandered on the novel "3D Secure" scheme (MasterCard SecureCode and Verified by Visa). 3D Secure take-up is piecemeal; it's widely derided by merchants and customers alike. It upsets the underlying Four Party settlements architecture, slowing transactions to a crawl and introducing untold legal complexities.

    A solution is at hand -- we've done it before

    Why doesn't the card payments industry go back to its roots, preserve its global architecture and standards, and tackle the real issue? We could stop most online fraud by using the same chip technologies we deployed to kill off skimming.

    It is technically simple to reproduce the familiar card-present user experience in a standard computer or in digital form on a smart phone. It would just take the will of the financial services industry to standardise digital signatures on payment messages sent from a card holder's device or browser to a merchant server.

    And there is ample room for innovative payments modalities in online and mobile commerce settings:

  • A smart phone can hold a digital wallet of keys corresponding to the owner's cards; the keys can be invoked by a payments app, ideally inside a Secure Element in the handset, to digitally sign each payment, preventing tampering, theft and replay.

  • A tablet computer or smart phone can interface a conventional contactless payment card over the NFC (Near Field Communications) channel and use that card to sign transactions (see also the NFC interface demo by IBM Research).

  • Many laptop computers feature smartcard readers (some like the Dell e-series Latitudes even have contactless readers) which could accept conventional credit or debit cards.

  • Conclusion

    All serious payments systems use hardware security. The classic examples include SIM cards, EMV, the Hardware Security Modules mandated by regulators in all ATMs, and the Secure Elements of NFC mobile devices. With well-designed hardware security, we gain a lasting upper hand in the cybercrime arms race.

    The Internet and mobile channels will one day overtake the traditional physical payments medium. Indeed, commentators already like to say that the "digital economy" is simply the economy. Therefore, let us stop struggling with stopgap Internet security measures, and let us stop pretending that PCI-DSS audits will stop organised crime stealing card numbers by the million. Instead, we should kill two birds with one stone, and use chip technology to secure both Card Present and CNP transactions, to deliver the same high standards of usability and security in all channels.

    Until we render stolen card data useless to criminals, the Return on Investment will remain high for even very sophisticated attacks (or simply bribing insiders), and spectacular data breaches like Target's will continue.

    Posted in Smartcards, Security, Payments, Fraud