Archive for the ‘Payments’ Category

e-ID - a public utility or a space of trusted third parties

Sunday, May 25th, 2008

In response to the article published by Consult Hyperion

Conference paper e-ID as a public utility Neil A. McEvoy

 

 

Universality

Interesting that as soon as you identify that I should be able to provide my identity to anyone, anywhere, you state that a national government can offer such a scheme. That is counterintuitive and fraught with the issue of achieving global standards of identification, given the bureaucracy of most national governments.

Yes, ICAO was able to agree on a template and specification for the e-passport. Fortunately they had a template and various agreements and treaties to justify the work. But when we start out with the basic premise that my identity is how I wish to project myself, we immediately move into a world of nuance with built-in mechanisms to embrace and resist change. That being said, Homo sapiens have a penchant for employing tools; we morph as society and our world evolve.

Picking the right band of stakeholders to assure universality requires that at some point people abandon the idea that there is profit in defining how we will digitally represent a person’s identity. Instead, because the consumer/citizen wishes to project, or is required to provide, their identity, we leave it to those seeking to receive the information to find the profit in knowing something about me.

Having been raised in America I am drawn to the words in our Declaration of Independence that give us the right to life, liberty and the pursuit of happiness. Behind these words I believe I also have the right to my privacy and do not want to learn that morphing my identity into a digital form puts my identity at risk. The citizen/consumer must be able to decide when and what information someone is able to scan.

All of this tempers my thinking about who should be engaged in defining the global standard for digital identity.

The two-way street

I could not say it better myself. Like my business card, a police person’s badge or a company ID card, we present these to each other to create trust between various parties and provide a degree of certainty that:

· I am who I say I am

· This is how you can locate and communicate with me

· Here is proof that I have the following rights and capabilities

Quick transaction

Very well said: the exchange of information about my identity must be as easy as handing you my business card. Everything after that is about the context of the transaction and will parallel the discussion and negotiations between the parties.

The gadget

My only addition to the supposition that the phone is the right gadget is the reality that we are talking about something that the citizen must be able to carry most anywhere. So it must be the one object we always carry. Some would argue this is the mobile phone; I would suggest that we not forget the more primitive device, the purse or wallet. Maybe as we think of identity we must also think of ergonomists and think about merging the phone into the wallet, not the wallet into the phone. Leather is eco-friendly, warm and comfortable to the touch. Metal or plastic tends to be brittle and cold.

The next thought in respect to the gadget is it becomes the device I trust and will protect at almost any cost.  Should I worry about how trustworthy your device is?  All I want from you is the information you wish to share and any certificates others provide you that allow me to authenticate your rights and capabilities.  My trusted gadget is what I use to share information and certificates and what helps me absorb and as appropriate verify information and certificates others offer to me.

Extensions

Yes, my information is mine and what I offer to others is my choice.

Scheme considerations

I am not convinced of the need for a central register. Yes, there is a need for third parties to attest to the citizen’s identity that others can trust, and therein lies the complexity of introducing a digital solution. In fact what the citizen needs is a device they trust. A device we trust carries the information and certificates of third parties, whom the counterparty trusts, and is capable of exchanging the appropriate digital data electronically. In order to achieve this goal we must develop and support a cascade of standards, regulations, contracts and relationships that enable global interoperability, thus assuring a meaningful means of exchanging our digital identity.

Before we go about defining the techniques that should be employed, I think we must first establish base principles.  Key must be the idea that there is no centralized register.  Instead those parties we as consumers are willing to trust and wish to position themselves as trusted third parties can build registries, recording those individuals they are willing to authenticate.  The citizen may wish to contract with an entity to provide support for the trusted gadget and the various relationships it supports. 

The author’s position on protecting privacy and meeting the needs of law enforcement is laudable yet scary. I’d rather have the protection offered by a distributed environment that still is capable of responding to directed queries from law enforcement, and not blanket access to everything I or others have collected about me.

Make my gadget the gatekeeper; allow service providers and those parties wanting the security of digital identity the ability, through standards, to build affordable infrastructure to read, with my permission, data stored in my gadget. Avoid the complexity of establishing a global register. What we need to define is the architecture for a gadget that is capable of carrying and supporting a myriad of digital relationships with their linked need to assure proper identification. We then need to agree on a common set of information that all sectors share. Maybe the v-card is the base.

For more information I offer the following background and a concept for consideration.

The Promise of multi-application Smart Cards, refined to consider the device as the media

A bit of research to prove the consumer will understand

Mobile Payments and Banking - Consumer reaction is negative

Sunday, May 25th, 2008

UK consumers reject mobile payments

Security is a major hindrance, says study Written by Angelica Mari, 23 May 2008

I must admit I am confused about the potential for the mobile phone becoming a mechanism we employ when making payments. If I was simply to take the reaction in an article recently published on VNUNET.com, I would worry. Yet other articles and industry analysts speculate that by 2012 we will evolve to employing the mobile phone as our means of payment. As I suggested in a previous posting, there is still a lot of work to do in developing the business case.

Yes, Vivotech reports phenomenal numbers of devices installed and Inside Contactless talks about the significant numbers of contactless cards deployed. Standards are emerging and I am sure that EMVCO will develop the necessary security to protect Mobile Payments (assuming you don’t lose your phone). Then there is the interesting reality that there are more mobile phone users than there are people with bank accounts. Micro-finance and developing worlds are embracing work like what Vodafone is doing to drive payments in the P2P space to the mobile device. Yet when will all of these experiments and trials prove that the key issues of security and stakeholder profit are there?

Interchange is under threat

Friday, May 16th, 2008

Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

Today I sat down and read through all of the testimony and must admit, understanding the concepts of interchange, I am troubled by the testimony provided by both Visa and MasterCard. Neither provided sound arguments to justify interchange, whereas those opposed clearly demonstrated that interchange benefited the large issuing banks at the expense of the merchant and consumer. The only testimony that offered any sound support for interchange was that offered by John Blum. Yet his arguments simply argued that without a fixed interchange structure smaller players would not be able to play, which does suggest the interchange mechanism, as a competitive process, is flawed.

Regulation is not the answer.  Yet, something must be done to assure that there are sufficient free market forces surrounding the calculation of the default Interchange rates.  

 Chairman’s Opening Statement

Witness list and links to their statements

Thomas L. Robinson, Vice President of Regulations, National Association of Convenience Stores
Joshua R. Floum, General Counsel and Corporate Sec., Visa Inc.
Steve Cannon, Chairman, Constantine Cannon, LLP
Joshua Peirez, Chief Payment System Integrity Officer, MasterCard Worldwide
John Blum, Vice President of Operations, Chartway FCU
Edward Mierzwinski, Consumer Program Director, U.S. PIRG

Electronics Payments Coalition’s response
And their home page is dedicated to their response

Interchange under judicial and legislative review

Thursday, May 15th, 2008

Today on “Payments News - from Glenbrook Partners” they posted an article referencing the hearing taking place

Thursday 05/15/2008 - 11:00 AM
2141 Rayburn House Office Building
Judiciary Committee Antitrust Task Force
Hearing on H.R. 5546, the “Credit Card Fair Fee Act of 2008”

House Judiciary Committee Holds Hearing on US Interchange Fees

As we mentioned here on Payments News on Monday, the House Judiciary Committee is holding a hearing on Thursday, May 15th beginning at 11 AM Eastern time on H.R. 5546, the “Credit Card Fair Fee Act of 2008”. As of tonight, the committee’s website doesn’t list the witnesses who will be testifying - but it promises that a live webcast of the hearing will be available.

As an editorial comment, many of us in the payments industry find the “solution” proposed in this legislation to be overly complex. Read the actual text of the draft legislation - and you may reach the same conclusion! We wonder whether the merchant community in fact would be well served by the remedies proposed. A very basic question comes to mind: “Is this the best you can do?”

The legislation that is under review can be found at http://judiciary.house.gov/hearings.aspx?ID=204

My sense is that, like Australia, Europe and other countries, the USA Congress is ready to challenge the nature of how interchange is calculated and define methods of assuring merchants much reduced rates. How the financial lobby will engage and how the associations will defend their position should make for an interesting debate.

European ATM Skimming Fraud Jumps 43%

Thursday, May 8th, 2008

Reported by Epaynews.com

May 08 2008 : In 2007, ATM fraud losses rose by 43 percent in Europe to €439.01 million (US$683.7 million) from €306.48 million in 2006, reports EAST (the European ATM Security Team). Most of the losses in 2006 and 2007 were due to card-skimming at ATMs, the non-profit organization says. The year-on-year increase in fraud losses was mainly due to a €173.6 million increase in cross-border losses in 2007.
“These (cross-border) losses are occurring globally in countries where all or part of the ATMs deployed are not yet EMV-compliant,” EAST says. “Domestic European fraud losses have fallen year on year, an indication that the roll out of EMV-compliant ATMs is driving down fraud.”
 According to EAST, 78 percent of European ATMs are now EMV-compliant.
Card fraudsters are being forced to seek out non-EMV compliant ATMs to obtain cash, EAST says. “Incidents continue to be reported where data skimmed from EMV cards in European countries where ATMs are EMV-compliant, has been sent by criminals to European countries where ATMs are not fully EMV-compliant,” it says.
The skimmed data is used to make counterfeit cards that enable fraudsters to illegally withdraw cash from ATMs.

According to EAST, skimmed data is also increasingly being sent to countries in and outside Europe where EMV cards can be used as magnetic-stripe cards in ATMs. This takes advantage of a process known as “mag-stripe fallback”, which is designed to ensure that a card can be used even if its EMV chip is damaged or faulty.

Crooks Have Your Card and You Don’t Even Know It

Friday, May 2nd, 2008

How Thieves Copy Credit and Debit Cards and Drain Accounts

By ELISABETH LEAMY - ABC News

May 2, 2008—

 While your ATM card is tucked in your wallet, thieves half a world away could be cloning it and using it. The crime is called “white card fraud,” and ABC News investigated just how easy it is for thieves to make a copy of your card and use it to drain your account.

It’s difficult to get an exact figure, but it’s estimated that identity thieves net an estimated $345 million this way every year. Gary Burkey of Wilmington, Del., discovered somebody was withdrawing money from his account at ATM machines in a part of Pennsylvania he had never even visited.

Criminals get people’s numbers in a variety of ways. One way they capture card numbers is by installing skimmer devices over the slot where you insert your card when you use an ATM.

They also use hidden cameras to record your PIN. Miami Beach police have actual footage from a crook’s camera in Florida that shows a victim inputting his PIN. Clear as day: 1-4-2-6.


“What makes this really sneaky, really devious, is once the criminals get the account information, they wait on it for a little while,” said Cpl. Jeff Whitmarsh of the Delaware State Police. “They replicate the cards and when the consumer least expects, that’s when they go in and hit the account.”

ABC News found the machines used to copy cards for sale right on the Internet, even though there are very few legitimate uses for them. We had our choice of 30 machines and bought one for about $500. We were even able to request priority shipping and received the package the next day.

ABC took the device to Chris O’Ferrell, an ethical hacker for a computer company called Command Information, which helps the federal government secure its systems.

We handed over an ABC News credit card and O’Ferrell swiped it so the machine could capture the information on the magnetic strip. Right away, the data popped up on the computer screen: name and account information.

With another swipe, O’Ferrell transferred it to a blank white card that came with our kit. Any card with a magnetic strip can be made into a clone — gift cards, hotel key cards, etc.

In less than five seconds, we had a duplicate credit card.

“That’s it. That’s all there is to it,” O’Ferrell said.

We cloned an ATM card too. At one point we even accidentally deleted the data on one of our source cards, but since we had a clone, we were able to put the data back on.

Once we had clones of our cards, the question was, would they work? We tried the Visa card out at a gas pump. Without actually making a purchase (we didn’t want to violate any laws) we inserted the card to see if it would get authorized.

When the “lift the handle and begin fueling” message came up, we knew our clone was working. We tested the cloned ATM card by checking our balance at an ATM machine. When the screen read “Hello Elisabeth Leamy,” that was our first clue that that one was working.

It’s a bonanza for crooks. They used to have to risk going into stores to buy pricey merchandise, which they then sold for cash. Now they can just drain ATMs. Authorities say specialized crews do nothing but hit ATMs, cashing out on behalf of other identity thieves and taking a commission. One Bulgarian gang pulled $200,000 out of a single cash machine in Florida.

More than 65 other countries in Europe, Asia and South America now use smart chip technology that makes card cloning almost impossible. But the United States has stayed with magnetic strips to avoid the cost of converting ATMs. By one estimate, we have 400,000 cash machines in this country.

“It’s totally unacceptable,” O’Ferrell said. “It makes it extremely easy for the criminals to clone our cards and steal our identities.” Experts say since U.S. credit and debit cards are so much easier to tap, U.S. cardholders have become targets.

Copyright © 2008 ABC News Internet Ventures

Payment - Mobile Payments - Contactless payments and an opening to further discussion

Friday, February 22nd, 2008

Each day I receive a variety of articles on the subject of mobile payments and find countless opinions about the evolution, risks and capabilities of mobile payments.

As is always good form, a definition is in order. I could begin by suggesting a mobile payment is any time that, while moving about, I can purchase something from someone using some recognised means of payment or currency. So at the most basic level of understanding, carrying cash in our pockets was and still remains a form of mobile payments. Yet this is not what we mean when we discuss mobile payments. What we have done is combined two words from two worlds into a new thought: mobile emerging from the arena of telephony and the use of the concept of a phone that does not need to be connected with a piece of wire. Wireless, cellular and mobile all are terms that we associate with the use of radio waves to connect a telephone to a network, allowing us to make phone calls from someplace that is in proximity to a receiver or cell tower or satellite. Now I’m sure all of my readers know these things and are wondering what the point is.

The point is that we also talk about contact-less payments, that concept of waving a card in front of an antenna, thus allowing the card to receive power through induction and then communicate with the device controlling the antenna. Some people call it that “Tap and Go” feeling; others refer to it as PayPass, Visa Wave, Express Pay card, and if we travel the world we will find an assortment of other brand names such as Dexit. In many cities transit agents discovered that by employing contact-less cards interfacing with - terminals they could create efficiencies, improve information about ridership and maybe even reduce fraud.

So now we have to discuss the application of the technology. This brings us to the idea of closed loop and open loop systems. Neither is a new thought: charge cards issued by department stores are closed loop; they only work at that company’s stores. Open loop refers to systems that are widely accepted because someone has gone out and branded a concept, convinced merchants it is convenient and then offered a “Card” to you and me so that we can be identified and employ this “Means of Payment”. Classic brands that we think of as open loop systems include money, MasterCard, Visa, Interac, PIN, eurocheque and an assortment of national brands.

Yet all of these systems have inherent inefficiencies, inefficiencies that some see as benefits and others see as highway robbery. Then there is that class of people who enjoy getting something for “nothing”: they like the idea of counterfeiting money, replicating credit and debit cards, capturing our PIN and ultimately stealing our identity and, more importantly, our hard-earned money. I could also mention merchant discounts, late fees, interest charges and interchange, but those are all for another day.

The operators of these systems understand or learn about these various methods of “stealing” identity and money and have built systems to mitigate the risk: eliminate, no; minimize, yes. In Europe and throughout the world (except the USA) the members of MasterCard, Visa and the various domestic systems are working to reduce these threats by introducing Smart Cards or Chip Cards, all cards employing the EMV specification that have a computer embedded within. The benefit is that PIN can easily be introduced on credit cards, and the cost of telecommunications can be reduced by allowing the computer in the card to make intelligent decisions whenever that card is used to effect a payment.

This movement to secure payment cards with the technology and specifications defined within the EMV specifications began first in France, where they went out on their own, developed their own specifications and proved to the world that smart cards or chip cards can and will reduce the level of card-present fraud and can, if employed properly, also reduce the cost of telecommunications. Their success can easily be seen in this chart that tracked their progress and success.

Chart: French Banks demonstrate the Smart Cards work (French Success Story)

Remarkable success, yet they were now faced with an issue. First, the criminals understood that if they disabled the chip (computer) the merchant could still swipe the card and read the magnetic stripe. This one easily could be solved by eventually not allowing cards that should have a chip to be swiped through the magnetic stripe reader. But what about when these cards were used in Holland, England or anywhere that had not, and at the time no one had, adopted the same means of defense? The net result: fraud migrated from being a domestic issue to the cards being used in neighboring countries. Obviously the French became proponents of a global migration to smart cards and convinced Visa, MasterCard and Europay to develop the EMV specifications, recognising that they would have to eventually convert.
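The swipe-instead-of-chip weakness described above can be checked at authorization time. The sketch below is an added example, not part of the original post; it assumes the ISO/IEC 7813 track 2 service code and commonly used ISO 8583 field 22 entry-mode values (which vary by network), and the function names, decision labels and card data are constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): PAN, '=' separator, YYMM expiry,
# 3-digit service code, discretionary data; ';' and '?' are sentinels.
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")

# First service-code digit 2 or 6 means the card also carries a chip.
CHIP_SERVICE_DIGITS = {"2", "6"}

# First two digits of the POS entry mode (ISO 8583 field 22).
# Assumed values, following common card-network usage.
ENTRY_CHIP = {"05", "07"}      # contact / contactless chip read
ENTRY_STRIPE = {"02", "90"}    # magnetic stripe read
ENTRY_FALLBACK = {"80"}        # chip read failed, terminal fell back to stripe


def card_has_chip(track2):
    """True if the stripe's own service code says the card has a chip."""
    m = TRACK2.match(track2.strip())
    if m is None:
        raise ValueError("malformed track 2")
    return m.group(3)[0] in CHIP_SERVICE_DIGITS


def assess(track2, entry_mode, terminal_chip_capable):
    """Return a decision label (hypothetical names) for one card-present read."""
    try:
        chip_card = card_has_chip(track2)
    except ValueError:
        return "DECLINE_MALFORMED"
    mode = entry_mode[:2]
    if mode in ENTRY_CHIP:
        return "OK_CHIP"
    if mode not in ENTRY_STRIPE | ENTRY_FALLBACK:
        return "REVIEW_UNKNOWN_ENTRY_MODE"
    if not chip_card:
        return "OK_STRIPE_ONLY_CARD"
    if terminal_chip_capable:
        # Chip card at a chip terminal, yet the stripe was used: either a
        # declared fallback (damaged or disabled chip) or a plain swipe.
        if mode in ENTRY_FALLBACK:
            return "REVIEW_FALLBACK"
        return "DECLINE_CHIP_CARD_SWIPED"
    # Chip card used where the terminal cannot read chips: the
    # cross-border migration case, which only the issuer can score.
    return "REVIEW_CHIP_CARD_AT_STRIPE_TERMINAL"


# Constructed sample data: a test PAN with service codes 201 (chip) and 101.
CHIP_CARD = ";4111111111111111=1012201000000000?"
STRIPE_CARD = ";4111111111111111=1012101000000000?"


def demo():
    cases = [
        (CHIP_CARD, "051", True),
        (CHIP_CARD, "901", True),
        (CHIP_CARD, "801", True),
        (CHIP_CARD, "901", False),
        (STRIPE_CARD, "901", True),
    ]
    return [assess(*c) for c in cases]


if __name__ == "__main__":
    for label in demo():
        print(label)
```
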

I could continue to digress from my main theme and talk about how each country went through its decision making process.  I could then go on and talk about how far along they are in their implementations. Suffice it to say some are finished, others are diligently working towards completion and others are moving at a pace that does not cause undue expense and allowing natural replacement cycles to drive the timescale for implementation.

Here in the country where I live they also have a Chip Migration strategy. Canada is in pilot or a trial, depending on how the lawyers interpret the efforts of banks potentially colluding together. By the summer cardholders in the Kitchener Waterloo area will be using these chip cards and the media, banks, merchants, processors and associations will be monitoring and learning how the Canadians feel about, and their willingness to embrace, the change.

The following chart outlines Interac’s schedule for deployment. MasterCard is playing along without committing, whereas Visa has stated that they will push the liability for fraudulent transactions not protected by EMV to the Acquirer if their merchants are not compliant by October of 2010.

Chart: Canadian Chip Migration - Interac's EMV Timeline

So how does all of this affect the introduction of Mobile Payments or Contact-less Cards? A mobile payment is simply, today, a contact-less payment performed using a mobile phone with the contact-less interface inside, as opposed to using the card as the form factor. Well, some will say not at all: the drivers are different, the business case is not the same. Yet the core technology is a computer in the card. So why worry, eventually all of this could come together. Or will the USA decide to take another path altogether?

So to end this particular blog I ask a simple question, based on the premise that the mobile and contact-less payments that we see emerging are all about speeding up low value <$25 dollar transactions: what happens when I want to use my contact-less mobile phone for a payment for, say, a $1,500 hotel bill? Will I tap my contact-less device, the “mobile phone”, and have to find a place to put it while I either enter my PIN or sign the receipt? Today the clerk typically holds the card for me while I sign the receipt; tomorrow, what? Or will they decide to merge contactless and EMV, creating a more interesting problem? I’ll need to keep that phone near the antenna while my PIN is verified and the transaction is authorized.

Or should we go on and talk about the security concerns that everyone has described in countless articles and numerous logs? The idea that the criminal will walk down the street reading the content of your purse or wallet with their hidden antenna.

Or should we talk about who is going to pay the price of adding the contact-less antenna to the merchants’ point of sale equipment?

 Let me hold those for another day and another flow of thought.
