Secure Your Internet Use - Jerome Svigals

SECURE YOUR INTERNET USE

Jerome Svigals

Copyright © 2016 by Jerome Svigals.

ISBN: Softcover 978-1-5144-4967-7

eBook 978-1-5144-4966-0

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.

Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.

Certain stock imagery © Thinkstock.

Rev. date: 01/19/2016

Xlibris

1-888-795-4274

www.Xlibris.com

733197

CONTENTS

Dedication

Preface

Executive Summary

Chapter 1 Fifty Years of Transaction Security Solutions

Chapter 2 The SPARC Security Solution (SSS) and Process Description

Chapter 3 SPARC Security Solution – As Seen By the SD User

Chapter 4 SPARC SS Revenue Potential (SPARCrev)

Chapter 5 Dealing with Hybrid Environments

Chapter 6 Why You Need this Book

Chapter 7 This is a Smart Device

Chapter 8 The Internet Role In Transactions

Chapter 9 Keyless Retail Transactions

Chapter 10 SPARCpay

Chapter 11 Securing an “Internet of Things” (IOT)

Chapter 12 SPARCHealth

Chapter 13 Implications of Introducing Internet security

Chapter 14 Good reasons To De-Identify

Chapter 15 SPARC Bit Stream Processing

Chapter 16 SPARCloud Security Solution

Chapter 17 Securing Unsolicited Messages

Chapter 18 Introducing SPARCoogle – a Free Security Service

Chapter 19 SPARC Security Solutions Questions and Answers

Chapter 20 Use of Prior Security Solutions, Standards, Programs

Chapter 21 Summary of SPARC Security Solution Patents

Chapter 22 SPARC Security Solution Smart Device Simulation

Chapter 23 SPARC Security Solutions versus Foreign Hackers

Chapter 24 SPARC Security Process Key Numbers (SIN and TN)

Chapter 25 Securing against RansomWare and other Malware

Chapter 26 Underwriter’s Laboratory Secure Transaction Listing

Chapter 27 Using Partial SYIU Solutions

Chapter 28 Complying with Payment Card Industry Data Security Standard

Chapter 29 The Price of NOT Using The SPARC Security Solution

Chapter 30 All Again In Summary

A SPARC Security Solutions Glossary

Dedication

Purpose: Identify individuals Assisting Us.

Action: Show appreciation.

A Dedication

As a 22 year old engineer in an 88 year old body, let me first thank the group of professionals that keep me alive and well. They include Drs Gary Aron, Bruce Benedick, Pardis Kelly, Philip Ng and (Mrs) Blanca Vargas of the Powerhouse Gym in Redwood City, CA. Also, many thanks to patent attorney Ed Radlo of Radloip, Los Gatos, CA.

Preface

Purpose: Provide an Introduction to this Book.

Action: Provide background necessary to use this book.

Purpose of this book: The transaction world is quickly evolving from an era of electronic transactions, based on plastic cards and readable checks, to a new era of smart device transactions, based on hand-held, communications based, stored program operated, transaction devices (Smart Devices) communicating via networks, primarily the world wide Internet.

This book is intended to help you understand the use of Smart Devices on the Internet in preparing for the Internet security challenges. It is intended to introduce you to the Internet and its role in the Smart Devices era.

Smart Devices Concepts

The handheld communicating smart (programmed) device has introduced a new way of life. It offers walking and traveling conversation. Stand on any street corner, in any city at any time of the day and you will observe all classes of society going by with a handheld communications device being held next to their ear. Usage statistics claim more than 80% of the world’s population have access to and use a communicating phone like device. Their use ranges from socializing and safety to commercial and financial activities. The users range from 8 or 10 years old to immobile senior citizens seeking social interaction and a substitute for physical motion.

Smartphone Based Financial Transactions:

The Smartphone is a hand-held, internet based, stored program computer which includes cell phone functions.

The Internet is a world wide network of computer based communication systems, using a common information protocol. Market migration to an all electronic, Smartphone based, financial transactions concept will have significant impact on conventional banking facilities. It will impact the physical attributes of the bank branch.

Branch bank tellers for face-to-face transaction processing will disappear as they are replaced by remote smart devices, communications based, self service, transactions. It will significantly change the role of branch banking personnel. It will reduce physical efforts such as mail delivery and processing. It will replace physical money and check needs with network/electronic based secure functions and strategies. Visits to the “branch” for transactions will be accomplished electronically. The business of Smartphone based banking will be 24/7. Successful bankers will need to move rapidly to keep up with the rapidly changing, remote, electronic functional environmental marketplace.

Forces for Change

The forces for migration of the bank to a Smartphone based role change will include: (1) the rapid growth of cell phones and Smartphones as the prime vehicle of individual communications, and their replacing transaction cards; (2) the role of the Internet as the dominant world wide communications network in almost all industries including bank, health, retail, education and government; (3) the disappearance of paper in the bank industry, including the growth of electronic money, check images, and remote/interactive self service; and (4) the migration of bank based Smartphone systems from stand alone facilities to Cloud systems with the removal of all geographic and physical boundaries. A Cloud system is the user’s portion of a larger, internet based, remote computer system.

Mobile Banking with Smartphones

Mobile banking is the use of a portable communications device to access and use financial services. This concept is well established with the use of wireless phones to find bank account balances and their status. As portable communications devices evolved into Smartphones, portable computers that allow phone calls, their banking functions are further increasing in sophistication. For example, Smartphones are now being used to capture and transmit check images for electronic deposits. The portable device also runs banking applications. For example, they can be used to calculate currency conversions and mortgage loan tables. Self service is the direct benefit of forty years of magnetic striped card based self service banking.

The Internet

The Internet, a world-wide communications network, allows access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. The three most challenging are (1) preventing the misuse of lost or stolen smart devices; (2) preventing the effective use of overheard transmissions; and (3) preventing the downloading of fraudulent applications, malware or viruses. Since there is no central authority dealing with these security exposures, the users must ensure that they are protecting Internet plans and banking activity programs. Their actions must protect your Internet plans and programs. Please take this note of caution very seriously. There are security tools to protect your Internet actions. Your goal must be to use them effectively. They are the SPARC Security Solutions.

Executive Summary

Purpose: Provide a summary of this Book.

This report is intended to help you understand the use of Smart Devices, e.g. Smartphones, on the Internet in preparing for “Securing Your Internet Use”. It is intended to introduce you to the Internet and its role in the Internet based transactions and “Internet of Things” era.

The Internet

The Internet allows access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. Since there is no central authority dealing with these security exposures, the users must ensure that they are protecting Internet plans and banking activity programs. Their actions must protect your Internet plans and programs. There are security tools to protect your Internet actions. Your goal must be to use them effectively.

Card and Check Migration

Physical check entry to the bank disappeared with the advent of check image capture in ATM’s, cell phones and Smartphones. However, the real test is the process by which the individual originates a “check-like” based payment. The payment needs to identify the payer and the payee. Where bills are being paid, the payee is identified by the demand for payment. The optical image feature of the Smartphone can be used to capture that data just as it is used to capture check images for processing.

The Plastic Card Equivalent Transaction

Use of the mobile banking device as a magnetic striped card equivalent signal source requires a wireless transmission from the mobile banking device to the signal accepting unit. A NFC (Near Field Communications) signal is emitted by the mobile banking device. The mobile banking device displays multiple striped card equivalent type designations. A record is captured in the mobile banking unit for later reference, if needed. The acceptance device processes the “card-like” transaction into the banking system. The variable amount of the transaction is added to the signal transmitted in the NFC signal to the accepting device. The complete transaction data is then processed by the banking system.

Smartphone and Cloud Computing

Smartphone based Cloud computing is the delivery of common Smartphone based bank transaction business computer applications from a remote facility, online, through the Internet. These Smartphone based applications are accessed with a Web Browser. It uses software and data stored on servers (computer subsystems). The bank Cloud user rents a portion of the Cloud infrastructure from a third party. These Smartphone based Cloud processes reduce cost to the bank by sharing the Cloud computer power and resources. The bank does not have to provide added capacities for peak loads. The user must be concerned about the security of Cloud stored information and its protection.

Bank Organization of 2020

The primary, government-licensed, bank functional units (teller, loan and payments) will be the same in 2020. The primary changes of 2020 will be in the implementation of each transaction. The former implementation with paper based, manual processing and local handling will be replaced. They will be replaced by Smartphone based “electronic paper”, transaction processing and remote Internet based processing. This will be achieved by the use of mobile transaction devices, use of the world wide Internet, and electronic logic implementation smart devices.

Internet Bank Accounts and Transactions

The all electronic bank of year 2020 will use the Internet to provide bank account records, access and all “branch” type functions and transactions for customers using the Internet. Smartphone based access to the 2020 bank, with all electronic accounts, will start with the URL (Internet address) of the Web page assigned to each customer’s account. An explicit URL will be a unique Web page address for each customer’s bank account. The customer’s Web page, in turn, will provide direct access to all bank relations for that customer.

What is a Smartphone?

The simple, handheld, portable telephone has evolved into a handheld computer, Internet based, and providing phone functions. It is the result of decades of electronic component functional growth and physical size reduction. The simple, hand-held, portable telephone has evolved to a compact, fist-sized, computer capable of 95% of the function of your desk top computer. Its portability reaches any place you can contact cellular phone electromagnetic signals. Its computational ability exercises any programmable computer application within the capability of its operational program system. In other words, the room full of computers in past decades now operates efficiently in your palm as a Smartphone. Furthermore, it has a full display, a keyboard, an operating system and communications interface.

Credit Card on a Phone

The Smartphone uses NFC (Near Field Communications) capability to communicate with a transaction acceptor. The Smartphone is brought within 4 inches (or 10 centimeters) of the acceptor. Select card equivalent information. Initiate the emission of a selected transaction card. This is equivalent to swiping a magnetic striped transaction card through a card slot reader. To enable this transaction, the Smartphone contained application is opened with keying in a PIN, a personal identification number. The application allows loading the equivalent of multiple account information (card equivalents), within one Smartphone. This multiple account facility is used now in Southeast Asia countries and is spreading around the world. The NFC function allows two way communications. However, payment transactions are one way with account number going to the acceptor.

Visa has tested this function in the United States and Southeast Asia.

Smartphone Applications

An application is a software program designed to produce a specific result or solution to an identified need. It may also be a computer configuration (input, computation and/or result use) designed to achieve a specific result. An application solution may also be the use of Smartphone functions and features designed to achieve a specific result.

Select and Execute an Application Program

Access the Smartphone’s application directory for descriptions, prices, capacity requirements for storage and execution, display logo, network attachment, and performance needs. The selected applications are downloaded to the Smartphone. An identifying logo is displayed for later selection and execution. There are more than 400,000 Smartphone applications depending on the Smartphone and operating system you are using. To illustrate the range of applications, there is a list of the “must-own” Smartphone applications.

Familiarization (Based on the BlackBerry Smartphone).

Find the “On” button. It is generally in the lower right corner with a sun-like icon. It may also be a button in the upper left corner. When the button is depressed the screen becomes illuminated. The keyboard also becomes illuminated. Identify the speaker, microphone and earphone connection socket. On the reverse side find the removable cover for the battery and SIM card. The SIM card contains the information giving you access to a carrier and to a specific phone number. Moving the SIM card to another Smartphone gives it access to the identified phone number and carrier. Welcome to the world of thumb typing. Your thumbs enter information while the other fingers support the Smartphone.

Smartphone Politics.

The fast and successful pace of Smartphone usage growth attracts a number of interested parties, especially those associated with previous technologies and market entries.

All of the instruments associated with earlier solutions of the payment and marketing solutions will be impacted. Financial transaction cards, Smart Cards, ATMs, conventional retail marketing solutions, telephones, paper money, face to face Financial branch transactions and the conventional cash Register will all be impacted by the mobile Smartphone.

Aggressive, former industry groups will carve out a role for themselves in this transition. For example, if their prior solution used integrated circuit chips, they will use that as evidence that they should automatically have a key role in the subsequent developments. That may not be entirely wrong. The Smartphone era will need standards.

The Unbanked and the Underbanked

Unbanked refers to any household or individual that does not make use of a financial institution for any type of financial or banking service or transaction. Underbanked are small businesses with access to financial services but do not use them. The Unbanked are reported as 10% of USA population. Underbanked are reported at an additional 15% of the USA population. These are currently reported as 28 million plus 45 million people. Both groups, the Unbanked and Underbanked, spend $130 million per year on alternative but relatively expensive financial services. These include check cashing services, pay day loans and money transfer services. Both have been seen as future business opportunities by most bankers.

New Smartphone Banking Role and Revenues

A remarkable characteristic of the Internet is the amount of free material available to anyone. Some providers, like Google, have evolved a plan to get advertisers to pay for the free results provided to its users. That is very much like the payment by advertisers for free radio broadcast programs which clearly identify the sponsor. However, it is expected that some web providers in the future will expect payment for their content. Bank services are paid for by the bank’s customers in the form of loan and mortgage payments and the use of deposits.

Micropayments

Future bank services may need transaction payment amounts which are smaller in value. Similarly, Internet providers will need to avail themselves of techniques for collecting a larger volume of smaller amounts in payments.

Smartphone Economics 2020

The bank of 2020 will be considerably different in staff use and facilities. That will not necessarily reduce the cost of providing the bank. There will be major changes in the mechanization and supporting personnel. The physical branch size will decrease significantly. However, there will be expenses associated with smaller service facilities and remote Cloud facilities. There will be more expenses associated with maintaining the software and databases needed to support the new branch equivalent virtualization structure. Moving to the all electronic bank will also move the bank to a 24 hour, seven days per week response organization. The bank structure will be much more unattended. However, that requires operating facilities, power on, with fully operable communications and network services. Money will go into facilities to support this type of operation, their operating and maintenance staffs.

Security Architecture

As an Internet user, you must understand your own requirements. As a user, you must provide key information such as credit card numbers. The merchant provides important information in the form of receipts and payment information. Vital data flows in both directions. Hence, your security objectives must describe your possible exposures and your planned responses. A security approach must be selected, implemented and the response evaluated for adequacy. Any solution will involve tradeoffs. The user must decide where to draw the line between expense and security adequacy.

PCI Security Standards Council

The Payment Card Industry Security Standards Council was founded by five global payment organizations. They are American Express, Discover Financial Services, JCB (Japan Card) International, MasterCard Worldwide, and Visa Inc.

The PCI DSS has six major objectives. A formal information security policy must be defined, maintained, and followed at all times and by all participants.

Who is Who in Smartphone Based Mobile Banking

This is a list of software suppliers at the time this report was prepared. It is important to repeat a search of the Internet for the most recent list when you are preparing to use this information. This is a fast moving industry. Only the most current of search results will provide you with a current list of software suppliers.

Keyless Internet Processes

Forty years experience with magnetic striped cards, used with self service units ranging from mass transit to Automatic Tellers, demonstrates why 80% of the world’s population is implementing self-service transactions in all industries. By contrast, 72% of our population are shopping on the Internet, but only 15% shop with multiple vendors. The need is for a “Keyless Internet Transaction” structure which can be understood and repeated with ONE use. That was the prime success factor for magnetic striped card use. The “keyless” process is demonstrated.

Traveling with a Smartphone

Historically, traveling meant leaving your entertainment devices at home – your music, your books, your reference materials, your movies and your TV. Today, they all travel with you, thanks to the Smartphone and networks. In addition, your Smartphone provides important assistance on your travels.

Smartphone User interface

The Smartphone display is the principal interface to the user. Its goal is to quickly communicate to the user the nature of the application and to enable quick user response for option selection, information entry and action initiation. As stated previously, the goal of effective user interaction is to achieve a “Learning Curve of One”. The Smartphone display is probably the single most important element needed to achieve the “Learning Curve of One”. This guide will try to provide suggestions to make more effective use of the display. They will highlight those display characteristics needed to aid in achieving that goal.

PCI-DSS Payment Card Industry – Data Security Standards

The Payment Card Industry (VISA, MasterCard, American Express, Discover and JCB (Japan Card Banks)) lists 12 requisites to maintain the security of payment card based transactions. The 12 requirements are in 6 areas, all of which are provided by the SPARC Security Solutions.

The Price of Not Using the SPARC Security Solutions

The price is two-fold. One is the requirement to investigate and understand the various attacks on the starting information content. There is the need to maintain the starting information content in a useable form. The second need is to continually educate card holding customers to their potential attacks. The card holders need to maintain continued vigilance against attacks and that takes education and technical support. Securing the Internet Use removes an important subset of attacks. Hence, it reduces demands for card holder education and continued protection.

Changes and Banks

The bank’s five year plan will continue to be a critical element of a successful bank strategy. However, experience dictates that any plan is valid only until its next annual review. Changes are introduced by the innovative bank leaders. New concepts emerge. Technology, information systems, delivery alternatives and applications move on to their next phase. Transaction scenarios adjust to market demands.

The secret of preparing for the future is to take today’s best estimate and adjust annually to any reasonable and desirable change. The same applies to your plan. Results should be compared with the projected plan, and marketplace movement compared with your planning assumptions. In both the plan and its building blocks, the important need is to adjust activities to market realities.

The customer interface will continue to be the crucial link in transaction success. That interface in 2020 will be as different as it was in prior decades. Think back and compare the differences. The changes are accelerating and the role of the banker is to stay ahead of the change process. To be forewarned is to be forearmed. The task is to recognize change for what it is - the demand for defining “customer convenience” and “business goals” content in a new time frame with improving technology.

Chapter 1

Fifty Years of Transaction Security Solutions

Purpose: Review Transaction Security Solutions Evolution

Action: Use the history to shape future efforts.

The Start:

The media based transaction device started in the late 19th century with the use of paper business cards for identification and transaction billing. Authorization of transactions in this formative period was via personal phone calls to a clerk in the card carrier’s organization. The era of large volume machine readable transaction cards started later with the magnetic striped card development in 1966 and their first large scale market use in 1970. The first 250,000 magnetic striped cards were used in an airline ticketing test at O’Hare airport, Chicago, Il., in the first quarter of 1970. The cards were used in a pioneering self-service reservation and ticketing machine, from the IBM Advanced System Development Division, Los Gatos, CA at American Airlines with American Express magnetic striped plastic credit cards. Unfortunately, those striped cards cost more than $2.25 each to produce.

The Technology Selection:

The card developers quickly recognized a development dilemma. The card developers had to produce a single card solution that would work with both alphabetically accessed airline records and numerically based bank record access. Magnetic stripes were the only technology that had a multiple track capacity and a recording density capable of accommodating those multiple industry requirements. At the same time, the magnetic stripe was easily read and re-recordable. Security solutions such as encryption were quickly rejected due to their complexity and large execution time, the added Smart device expense and time required for a key based encryption process. The magnetic striped card plus a signature provided a two factor, dual control, security solution. Tokenization and de-identification techniques came later. Tokenization required a second device for transaction origination. De-identification used a process to hide the true identification of a message in transmission.

Data Based Control:

Use of a centrally maintained database with consolidated activity recording became the preferred security solution for magnetic striped cards. More than thirty years of positive database control experience has confirmed that original projection. During that period a new machine readable media technology was introduced every decade. The plastic card without stripes was used in the 1970s. The stripe was still too expensive. By the 1980s the striped card cost had fallen to an acceptable level, e.g. $0.25 each, with high volume production that allowed its mass distribution and use. The early 1980s also witnessed the introduction of large authorization networks by Visa, MasterCard and other card issuers. Their networks were designed to allow on-line point-of-sale units to connect directly to the databases maintained by the card issuer. The databases collected all transaction values and locations. Simultaneously, in the early 1980’s the Smart Card, with an embedded microcircuit chip, was being developed in Japan and Germany.

Enter the Smart Card:

By the mid 1980s the North American based card association networks faced a decision. Stay with their magnetic striped cards and their recently installed on-line networks, or migrate to the Smart Cards. Studies showed that a switch to Smart Cards, with their built-in PIN validation process, would reduce installed network use by at least 75% since the Smart Card provided local PIN validation. In North America the card networks opted to stay with magnetic stripes and their on-line networks. Outside North America the card issuers concluded that their less than perfect network performance dictated switching to Smart Cards with their local Smart Card based, PIN based, authorization for most transactions.

The Cell Phones Arrived:

The next decade, (the 1990’s), saw the introduction of the cell phone with its voice based authorization and the start of the Internet. The first decade of the smart phone followed with the development of Internet based shopping. The 2000’s witnessed important changes in industry direction. With Smart phones, the consumer provided the infrastructure, the application programs and the Near Field Communications or Wi-Fi communications technology between the customer’s device and the merchant’s POS unit, which could be another smart phone.

The North American Magnetic Striped Cards Continued:

Much to the amazement of the original magnetic striped card developer, striped card use continued in the United States into the 2010’s decade. It lasted that long for two reasons. It provided a high volume use for the elaborate and expensive authorization networks. The other reason was that the database controlled authorization system continued to provide adequate overall transaction security. Yes, there were successful attacks and losses, but a loss of a few percent of total dollar sales volume was considered small and an acceptable cost of doing business. See an annual VISA report for specifics.

The New Challenges:

Along with the smart phone and the Internet came a new set of challenges. These included lost or stolen Smart Device units, over-heard transmissions and downloading on the Internet of fraudulent applications, malware and viruses. Unfortunately, the protections to date have been piecemeal solutions, e.g. encryption, after the fact device location or content erasure, and antivirus software. A recently patented security solution, the SPARC Security Solution ©, has introduced a new comprehensive transaction methodology security solution that does not use conventional PINs, passwords or encryption. However, it protects against all three Internet based security challenges.

The SPARC Security Solution:

The patented SPARC Security Solution combines three security techniques used successfully for more than 20 years. These are Dual Control, De-identification and Data Based Control. The three solution combination solves all three security challenges – Lost or Stolen smart device units, Over-heard transmissions and Downloading of fraudulent applications, malware and viruses – all without the use of conventional PINs, passwords or encryption. More information about the SPARC Security solution follows in this book.

Fifty years of progress has produced great progress in transaction security, speed and economics. However, sufficient challenges remain to seek further evolution of the responses to market needs for the next 50 years of transaction methodology evolution.

Chapter 2

The SPARC Security Solution (SSS) and Process Description

Purpose: Provide a complete SSS process description

Action: Use to examine all SPARC SS options:

The SPARC Security Solution combines three proven security solutions (using a financial transaction sample):

Note: Steps added by the SPARC Security Solution are preceded by a #. Steps in the application program are denoted by a %.

1. Dual control:

Open the financial transfer transaction.

Enter the required fields:

Transfer to account number.

Enter amount.

# Enter the SPARC PIN of six characters.

%# The application generates the SPARC Security Number (the SIN):

%# The application unique identification number.

%# The Transaction number, as stored in the app.

%# The SPARC PIN is added to the true account no. (TAN).

2. De-Identification:

%# The SIN replaces the TAN in the transaction message.

The transaction is transmitted via the Internet.

The transaction arrives at the Application Control Institute (ACI).

3. Data Base Control:

%# The SIN is extracted and accesses the TAN database.

%# The TN of the SIN (the transaction number) is validated.

%# The SPARC PIN number is extracted and validated.

The TAN is used to access the account database.

The transaction is processed.

The updated database record is stored.

The return confirmation transaction message is prepared.

%# The return transaction number (TN) is prepared.

%# The return SIN is prepared and inserted in the message.

4. De-Identification

The return Transaction message is transmitted.

The transaction arrives at the originating smart device.

5. Data Based Control.

%# The SIN is extracted.

%# The Application validates the return SIN.

%# The transaction number TN is extracted and validated.

The transaction is completed.

Potential attacks:

Lost or stolen unit lacks SPARC PIN.

Overheard transmissions have incorrect SIN TN.

Downloading fraudulent apps, malware or viruses lack proper SIN.
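As an added illustration, not code from the book or from the patented product, the following Python model walks through the five steps above and then replays the three listed attacks against the ACI check. It assumes that "added to" means integer addition, that the three parts of the SIN are joined with ":" so the receiver can split them, and that the return TN is the sent TN plus one; the application id, TAN, PIN and TN values are constructed sample data.

```python
"""Toy walk-through of the five-step SPARC Security Solution flow of Chapter 2
(dual control -> de-identification -> data base control -> return leg).
Constructed example, not the book's or the patent holder's code."""
from dataclasses import dataclass


@dataclass
class AppRecord:
    """One row of the ACI's TAN database, keyed by application id."""
    tan: int       # true account number (TAN), never sent on the wire
    pin: int       # six-digit SPARC PIN known to the user and the ACI
    next_tn: int   # transaction number (TN) the ACI expects next


def fresh_db():
    """Constructed TAN database with one enrolled application (sample values)."""
    return {"APP-7781": AppRecord(tan=123456789012, pin=482913, next_tn=41)}


def make_sin(app_id, tn, tan, pin):
    """SIN = application id + TN + (SPARC PIN 'added to' the TAN).
    Assumption: 'added' is modelled as integer addition, and the three parts
    are joined with ':' so the receiving side can split them again."""
    return f"{app_id}:{tn}:{tan + pin}"


def parse_sin(sin):
    app_id, tn, masked = sin.split(":")
    return app_id, int(tn), int(masked)


# --- smart device side: steps 1 (dual control) and 2 (de-identification) ---
def build_request(app_id, tn, tan, pin, to_account, amount):
    """The SIN replaces the TAN in the message; the TAN itself is not sent."""
    return {"to": to_account, "amount": amount,
            "sin": make_sin(app_id, tn, tan, pin)}


# --- ACI side: step 3 (data base control) plus return SIN preparation ---
def aci_process(msg, db):
    try:
        app_id, tn, masked = parse_sin(msg["sin"])
    except (KeyError, ValueError, AttributeError):
        return {"status": "rejected", "reason": "malformed SIN"}
    rec = db.get(app_id)
    if rec is None:                      # fraudulent app: no enrolled app id
        return {"status": "rejected", "reason": "unknown application id"}
    if tn != rec.next_tn:                # replayed/overheard message: stale TN
        return {"status": "rejected", "reason": "transaction number mismatch"}
    if masked - rec.tan != rec.pin:      # lost/stolen device: wrong SPARC PIN
        return {"status": "rejected", "reason": "SPARC PIN mismatch"}
    # The TAN is recovered from the record; account processing is not modelled.
    return_tn = tn + 1                   # assumption: return TN is TN + 1
    rec.next_tn = tn + 2                 # next request from this app uses TN + 2
    return {"status": "ok", "to": msg["to"], "amount": msg["amount"],
            "sin": make_sin(app_id, return_tn, rec.tan, rec.pin)}


# --- smart device side: steps 4 and 5 (validate the return SIN) ---
def client_accepts_reply(reply, app_id, sent_tn, tan, pin):
    if reply.get("status") != "ok":
        return False
    try:
        r_app, r_tn, r_masked = parse_sin(reply["sin"])
    except (KeyError, ValueError):
        return False
    return r_app == app_id and r_tn == sent_tn + 1 and r_masked == tan + pin


def run_scenarios():
    """Legitimate transfer followed by the three attacks listed in the chapter."""
    db = fresh_db()
    app, tan, pin = "APP-7781", 123456789012, 482913
    good = build_request(app, 41, tan, pin, to_account="9988-2201", amount=25.00)
    results = {}
    reply = aci_process(good, db)
    results["legitimate"] = client_accepts_reply(reply, app, 41, tan, pin)
    # overheard transmission replayed verbatim: TN 41 is no longer expected
    results["replay"] = aci_process(good, db)["reason"]
    # lost or stolen device: the holder lacks the SPARC PIN, TN is current
    bad_pin = build_request(app, 43, tan, 111111, "9988-2201", 25.00)
    results["lost_device"] = aci_process(bad_pin, db)["reason"]
    # fraudulent app: not enrolled, so the ACI has no TAN record for it
    rogue = build_request("APP-0000", 43, tan, pin, "9988-2201", 25.00)
    results["rogue_app"] = aci_process(rogue, db)["reason"]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:12s} -> {outcome}")
```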

SPARC Security Solutions attributes:

100% compatible with existing standards and databases.

Allows use of previous programs, databases and devices.

Useable with any smart device and its operating system.

Does not use passwords, conventional PINs or encryption.

Lack of encryption allows use of lower cost smart devices.

# Minor application changes to provide and validate SINs.

Easy to understand with compatible standards format.

Doesn’t require purchase of piecemeal security packages.

Allows use of lower cost Internet network.

Significantly reduces education needs for security functions.

Allows advertising security by SPARC Security Solutions.

Note: There are a number of database systems available on the Internet for initial system installation.

Chapter 3

SPARC Security Solution – As Seen By the SD User

Purpose: Demonstrate the SPARC SS simplicity

Action: Follow the SPARC Security Solution Transaction Process

Introduction:

Use a conventional Smart Device with an Android Operating system. Select a transaction application for a designated industry. For example, a financial transaction to transfer funds from your account to another account with the same bank.

Input to the Selected Transaction:

The application requests three entries. These are (1) The pay to account number, (2) The Dollar amount to be transferred, (3) Your six character SPARC PIN Code.

You transmit the transaction.

Almost immediately you receive the confirmation message from the bank. This includes a copy of the line entry. The same line entry appears in your monthly transaction report.

Chapter 4

SPARC SS Revenue Potential (SPARCrev)

Purpose: To Identify the SPARC Security Revenue Potential

Action: Establish and Realize the SPARCrev

The Opportunity:

There are a wide variety of revenue sources from SSS application. Here are examples:

Offer New Services:

Secure vital data in files, DBs and transmissions.

Offer secure Internet use services.

Prevent Internet fraudulent downloading.

Secure “Internet of Things” installations.

Protect against misuse of lost or stolen smart devices.

Establish secure internet electronic post office.

SPARCoogle for security info, advertising income.

Eliminate Costly Piecemeal Solutions:

Eliminate encryption, anti malware, firewalls.

Eliminate kill switches and recovery packages.

Improved Smart Devices Design:

Cheaper units, smaller memories, slower speeds.

Add internet interface isolation buffers.

The SPARCrev attack prevention opportunity (an example):

This service protects an individual’s Internet service from (1) effective use of a lost or stolen smart device; (2) use of overheard transmissions; and (3) downloading of fraudulent applications, malware and viruses.

The attack prevention service suggested costs $1 per month per email address and $0.02 per Internet transaction. The economics of this new and important service follows:

Wikipedia; Internet Available Statistics (from authoritative industry sources footnoted in Wikipedia):

Theworld’spopulation: 7.22Billion

InternetUsers: 3.04Billion

USAInternetUsers: 0.28Billion

Internettransactionsperuser: 12,500/year(1,042/month)

Assume10%USApenetration: 28Millionusers

Revenueat$12/user/yr: $336millionannualcharge

($1/month/user)

Revenueat$0.02/transaction: $7.0Billion

TotalUSARevenue: $7.3Billionperyear

OutsidetheUSworldwideInternetusers:

Assume1%penetration: 28MillionUsers

TotalNonUSARevenue: $7.0Billionperyear

Thatis$14.3Billionperyearwithonly10%penetrationofUSAInternetusersand1%outsidetheUSAwillingtopayasmallamounttoobtainsecureattackpreventionInternetusage.Thatis(1)noeffectiveuseoflostorstolenSmartDevices.(2)noeffectiveuseofover-heard transmissions; and (3) prevents down loading of fraudulent applications,malwareandviruses.

SPARCrevRevenueAttributesandImplementation.

More important, this revenue is produced without branch offices, without a sizablemarketingorganizationandwithouttheneedforasizableimplementingorganization.

This arrangement is easily set up. Use the client’s usual email address for the service.

When received, the emailmessage is scannedwith an anti-malware detecting program.Thevolumeof transactionactivity is recorded for automaticbilling/payment.Thecleanemail is thenforwardedwithaSPARCIdentificationNumber toasecondemailaddresssetuptoreceivecleanemailfromthisservice.Thatarrangementcanbeestablishedonatotallyautomaticandremotebasis.

TheotherSPARCrevattributesinclude:

No conventional PINs, passwords or encryption are required. That allows use of lessexpensive smart device units, compatible with current transaction standards. Droppingencryptionallowsuseofaslowerandreducememorysmartdevice.Thiscreatesa“SecureInternetOperation”whileusingexistingsystemcommunications&DataBaseproducts.

SPARCrevappearstobetheonlycomprehensivesecuritysolutionavailable.

Nosmartdeviceoroperatingsystemmodificationisneeded.

TheSPARCSecuritySolutioniseasilyaddedtoexistingsystems.TheSSSworkswithallsmart devices& their operating systems.TheSSS is based on security techniqueswithgreater than 20 years installed experience. This solution (and patents) work with allindustrytransactionsystems,“SPARCInternetofthings”andunsolicitedtransactions.

SSSprovidesBEFOREthefactLostorStolendeviceprotection.Mostindustrysolutionswork “AFTER the fact”. It is easily understood and implemented. Patented withalternativeimplementations.SecuresInternetuse,Also“InternetofThings”,Thisavoidstheneedforpiecemealsolutions,e.g.encryption.However,SSSalsoavoidsencryptionkeymanagementissues.

The Information by-product: The anti-malware scanning process provides a wealth ofusefulinformation.Types,sources,andtraits.

Chapter 5

Dealing with Hybrid Environments

Purpose: Describe the approach to Securing Hybrid Environments

Action: Apply for a Patent to secure Hybrid environments with SSS

What is the Hybrid Environment?

We live in a very complex society. Amazon Books lists 250,000 books on the Internet. 25,000 of those books pertain to Internet Security. There are many proposed solutions. Some are very narrow with single problem solutions such as Encryption. Others discuss "Before the Fact" solutions. Those prevent a problem before it occurs. Others discuss "After the Fact" solutions such as "Kill Switches" or stolen device tracking. Some solutions are installed. Others are to be installed. Some security solutions are focused on one industry's needs, such as banking or retail. Others focus on functional system security needs such as "transaction" or "Internet of Things" systems. There are other alternatives based on providers or historic achievements. One further factor forces a Hybrid environment. It takes time for a complete security solution to be installed in a geographically dispersed or multiple location organization.

Dealing with Hybrid environments

This environment is dealt with in one of two ways. One is to keep an inventory of known security solution participants. Those are the "easy" participants with whom to deal. The second approach, for the rest of the potential population, is to use an inquiry based communication.

The SPARC Security Solution interfaces to a variety of usage situations. These include:

Transaction systems dealing with an application control institute (ACI), e.g. a bank with a database control system. This solution generates and uses a SPARC Identification Number (a SIN). The SIN consists of the security application's or device's unique number

"Internet of Things" Systems. Dealing with an Internet connected source or recipient, with each source or recipient interfaced to the Internet through a SPARC SS chip or a logic device. That chip/logic device relies on an inventory of known recipients and a synchronized time test of the transaction receipt.

Smart device to smart device transfers. These are secured with the same concept as used with "Internet of Things". Namely, each uses an inventory of known recipients and a time synchronized reception test. In this process, unsecured smart devices fail the security test and their messages are isolated until they join the security process. They may be communicated with in an unsecured process, but by then their exposure is known, "before the fact".

In addition to the various types of security environments, here are several added security issues. Namely, solution details and algorithms are used to generate SIN and TN. Allowing a thief to order these applications should NOT provide access to the SPARC Security Solution implementing know-how. Also, there is the need to protect vital data in the messages. That includes government and other key numbers or data. These protections are achieved by these steps:

1. The TN generation occurs only in the protected area of the ACI database system. When generated on demand, it includes a "time of issue", as with the IOT security process. That result goes to the unsecured recipient and is then returned to the ACI, where it is time-interval checked.

2. Vital data is protected by adding the true account number (TAN) of 40 digits to the Vital Data using absolute arithmetic (no arithmetic carries). The TAN is not carried in the message. Hence, an overheard transmission is fully protected.

Patent action required:

The necessary patent action was taken with the "Internet of Things" patent action. At most, the patent action needs one more sentence. Namely, add a sentence that states the "Internet of Things" patent application also applies to dealing with unsecured smart devices in a smart device to smart device interaction SPARC Security Solution.

Chapter 6

Why You Need this Book

Purpose: Prepare readers to understand why they need SSS

Action: Have a good understanding of your required actions.

The Old Solutions Providers:

A large number of firms are still selling the old piecemeal solutions. That includes the Encryptors, the Firewalls, the malware detectors, kill switches and the like. They want to continue selling their inadequate offerings. The smart device providers want to sell you the larger memories and faster calculators needed for the old solutions. Another group wants you to continue using dedicated networks. They want the Internet's security challenges to keep it unattractive for your use, despite its lower costs and worldwide access.

The Hybrid Environment Challenges

Most companies offer a set of mobile applications. Let me suggest a simple test for those company executives who might be interested in why they should act. What are the current activity statistics with these company provided applications?

1) How many of their customers' smart devices were reported lost or stolen in the past year? What have been the resulting losses – by the customers – or by the company?

2) How many attempts have been made to reuse overheard transmissions from smart devices? With what resulting losses?

3) How many of their customers reported usage problems from downloaded fraudulent applications, malware or viruses? With what reported losses?

4) Who pays how much for the smart devices to install piecemeal security packages such as encryption, firewalls, virus detection and repair, post-loss remote finding or remote usage killing?

5) Who pays how much to upgrade customers' smart devices to implement encryption? (More memory and faster internal speed.)

These questions will tell the company executives how serious their need is to understand this security subject. These are all good reasons to use the SPARC Security Solutions.

Note: Smart Devices include all sorts of smart phones, tablets, phablets, and any other stored program operated devices.

Chapter 7

This is a Smart Device

Purpose: To describe the Smart Device and examine its use.

Action: To provide a Smart Device selection basis.

Smart Device Evolution

The simple, handheld, portable telephone has evolved into a handheld computer, Internet based, and providing phone functions. It is the result of decades of electronic component functional growth and physical size reduction. The simple, hand-held, portable telephone has evolved to a compact, fist-sized computer capable of 95% of the function of your desktop computer. Its portability reaches any place you can contact a network offering mobile phone electromagnetic signals. Its computational ability exercises any programmable computer application within the capability of its operational program system. In other words, the room full of computers in past decades now operates efficiently in your palm as a Smart Device. Furthermore, it has a full display, a keyboard, and a communications interface.

Smart Device Acceptance

Recent executive surveys indicate that more than 80% of Smart Device using executives would reach for their Smart Device before their morning cup of coffee. Most executives (over 80%) would conduct business on their Mobile Phone before their desk phone. Family-wise, their 8 year old children have already asked for their own Mobile Phone. You are likely to provide it to your 8 year old child for safety purposes, to allow their frequent family socializing and to provide instant access to them while roaming. Some Smart Devices incorporate geographic positional sensing (GPS) to enable parents to quickly locate, physically, their children, to further enhance their Mobile Phone based safety. The built-in geographic position sensing has been used very successfully to track and locate lost or stolen Smart Devices.

Major Smart Device Component Parts

The Smart Device is a complete communications based computer system with a variety of input and output components. It is used to execute a variety of application programs intended to provide the user with a specific set of transaction related plans and results. Some of the applications are used for general financial results such as currency conversion, measurement conversions, and travel options. Other applications may be used for personal subjects of interest to the Smart Device owner. The major Smart Device components include:

A compact physical container/structure.

Protects components from weather and moisture.

Power supply – converts battery output to component power needs.

Power storage, e.g. a battery.

Display: Electronic and color with touch sensitive screen. A variety of on-screen symbols for applications and function identification and selection.

Communications interface and antenna

Digital, programmable computer

Wireless/contactless interface

Keyboards, function buttons and switches.

Microphone and speaker; Headset jack.

SIM card tray (defines communication/carrier protocol).

Manufacturer's labels

Other possible components:

Solar modules for power

Physical access key

Cover to protect antenna operation

Cord loop for carrying

Plastic card reading slot (stripe or contacts)

Finger grips

Battery access and cover.

Display light level control

Speaker/Headset volume control

Headset jack

Display scroll control

It is important to read the instructions provided by the manufacturer to identify all components and controls. Using the Smart Device, identify all components and controls. You should be able to identify and use them without looking at the unit. That degree of familiarity will assure your complete understanding of the unit you acquire and plan to use.

What is a Mobile Phone?

There are three types of handheld communications devices.

The Personal Digital Assistant (PDA) has wireless capabilities. It uses Wi-Fi or Bluetooth. Wi-Fi is the trademark of the Wi-Fi Alliance of manufacturers providing wireless local area networks based on an IEEE 802.11 standard. Bluetooth is an open wireless technology for short distances created by Ericsson and managed by the Bluetooth Special Interest Group. The second type of handheld communications device is the Mobile Phone (CP) which has PDA (Personal Digital Assistant) capabilities but communicates with mobile communications facilities. The third type is the Smart Device (SP) which is an Internet based, programmable computer that has all the Mobile Phone (CP) communications capabilities.

There are two types of mobile networks. GSM (Global System for Mobile communications) is used by 80% of the global mobile market. It is used by more than 4.3 billion people across more than 212 countries. This digital technique is considered second generation (2G). CDMA (Code Division Multiple Access) uses a spread spectrum technique that allows multiple messages on the same channel. Phones intended to work on one network type do not generally work on the other.

Some network providers require you to purchase a matching phone from them. Ask before purchasing. It is possible to "Unlock" a phone. That allows the phone to work with any network. It is possible to buy an unlocking service to enable your phone to work with other networks. Most mobile providers subsidize the phone purchase price as a means to lock you into a multi-year contract. Hence, buying a phone from another source, a manufacturer or private party, may be more expensive. However, it allows you a more flexible arrangement in choosing or changing carriers. In fact, it allows you to buy prepaid amounts of communications, which is generally the least expensive arrangement.

Styles of Smart Devices.

Mobile phones are available in a variety of physical shapes and layouts. They generally differ in display and keyboard/data entry features. For each style, you can find GSM and CDMA network using units. The trick is to identify your desired carrier first, and then find a mobile phone to match your interface needs and operating requirements.

These Smart Devices May Use A Stylus (Touchscreen)

Traditional Style:

This type of phone style generally has a large screen which provides text entry using an on-screen, software based keypad. This operation is generally supported by the use of Windows Mobile software. Its disadvantage is that it may be a bit awkward to use as a mobile phone. You may wish to use a headset for better phone communication. Try it!

Thumb-pad Style

This style offers a square screen on top of an almost equal size thumb-pad type keyboard. It does not offer an on-screen keyboard even though it has a touch screen for interaction. It works well as a mobile phone and generally does not require headset use. Its smaller screen shows less information. Its thumb-pad keyboard may be difficult to use or to dial numbers for operators with large hands. Try it!

Slider Style:

The screen strongly resembles the "Traditional" PDA. The screens are generally smaller, which makes them better for use as a phone. The keyboard is retracted and hidden when used as a phone. The full QWERTY keyboard is revealed by sliding it out. When slid out, the image on the screen changes automatically from "portrait" to "landscape". Most mobile providers have a version of this phone. It is similar to the "Traditional" PDA. Its software is usually compatible. The keyboard is larger than the "Thumb-pad". The "Slide" works well as a phone. There is a large selection of useful Windows Mobile software. The slider can be boxy. Not all application programs support both portrait and landscape display modes.

iPad Style

This is a large surface touch screen. The screen is occupied with the logo for each application program acquired. The screen also may be scrolled with finger movement to get to applications beyond the initial screen capacity. The unit is a handy mobile phone size. Care must be taken not to damage the screen. The screen also needs to be cleaned of the many finger marks accumulated in its use. The user needs to memorize the meaning of the content for each logo. Since there are more than 400,000 application candidates, that memorization can be challenging.

The Following Smart Devices Do Not Use A Stylus

Thumb Pad Style

Microsoft calls these units Smart Devices. All software actions are done by hardware buttons. This phone has been popular because these units are very compact and slim. Operation is geared to one handed usage. The display is not a touch screen. Software must be written for a non-touch device and those programs are more limited. The thumb-pad works well as a phone. However, the lack of a touch screen may be considered awkward by some users. People with large fingers may have trouble dialing numbers and the software may be limited. Try it!

Flip Phone Style:

This is a "Clamshell" type phone. Text entry is time consuming as it uses "T9" text entry. This method of text entry requires multiple keystrokes for each character. This unit does not have a touch screen. Hence, software is more limited. Touch screen software will not work on this style mobile phone. The unit has an excellent shape for use as a phone. However, the text entry without a touch screen can be very time consuming. A small screen and limited software may make this unit difficult to use.

Candy Bar Style

This is a less common mobile phone style. It uses the time consuming "T9" multiple key entry per character. It lacks a touch screen and software is generally limited. However, it has an excellent shape for phone use. Lack of a touch screen and limited software make this unit difficult to use.

Picking a Mobile Phone

Consider these three factors, in this order:

1) The Carrier: do they provide the geographic coverage, communications features and the economic alternatives you require?

2) The Mobile Phone or Smart Device features and functions: Does the unit have the display, interactive functions and the features you need?

3) The Software: Do the functions and features match your phone characteristics (e.g. touch screen vs key entry)? Does the software also offer the growth of functions and applications you may need later, such as navigating, messaging, multi-media, and service support?

Global Smartphone shipments are projected to be 2 billion units in 2018. In 2013, 76% of Smartphone shipments used the Android Operating System.

Smartphone Nomenclature

There is a set of terms and abbreviations used to describe Smartphones, as follows:

Apple "G": The product generation.

Others "G": The product's network speed.

App: Abbreviation for application, a preprogrammed solution to provide a specific end result.

CDMA: Wireless standard for Verizon and Sprint.

GSM: Wireless standard for AT&T and T-Mobile.

Wi-Fi: Local connection signal

OS: Operating System. Android for Google. iOS for Apple.

BBM: Blackberry Messenger for pictures, videos and voice notes.

iPad Mini: Apple's small tablet with 7.9" display.

Buying a mobile phone.

Smart Devices are becoming more complex and more like minicomputers. What counts is what goes on inside of them. Consider the basic features:

1) The Processor: Phone performance is dependent on processor speed. The faster, the better. High end Smart Devices generally come equipped with a 1 GHz processor.

2) The RAM: The more Random Access Memory capacity, the better able the Smart Device is to do multi-tasking. High-end phones have at least 512 MB of RAM.

3) The Display Screen: There are two important types of touch screens – Resistive and Capacitive. The Capacitive is considered faster and responds to human touch. The Resistive screen can be used with devices like a stylus.

The OLED and AMOLED screens give strong color with amazing brightness when used indoors but fade when used outdoors. Super AMOLED has fixed that problem. AMOLED is also good for watching TV. TFT LCD screens have an inadequate viewing angle, present faded blacks, and low brightness levels. A screen size of 3.2 to 3.5 inches is the best viewing size and is easily carried in pockets and purses.

4) Check the keyboard: These are a personal preference, whether real or virtual. Do you touch type or hunt and peck? Do you need tactile feedback from a key depression?

5) The platform and application software: Which applications best suit your needs? Check the software options and usage before making a final decision.

The Smart Device Usage Challenges

There are two sets of challenges with Smart Devices. One set relates to your selection and use of a pocket computer interfacing a variety of communication alternatives. Included are:

Smart Device selection and usage training

Smart Device economics.

Smart Device rules and policies – employer and employee.

Care and feeding of a sophisticated electronic device, e.g. SIM card and battery change

Control and maintenance of the Smart Device.

Transition to later models.

The other set of challenges relates to managing a number of Smart Devices interconnected to a business organization, including:

Application development and evolution

"Unlocking" units to accept other networks' applications

"Jail Breaking" to switch communications networks.

Communications support and evolution

Maintenance and service

Cost of operation and usage

Employee units and customer units

Device and network management

Employee training and monitoring

Managing upgrading and evolution

Privacy and security requirements

Smart Device Operation

Your interface to the Smart Device is your eyes and fingers. Your eyes identify icons on the screen, locate action buttons or screen touch points. Your eyes read messages, symbols and labels. With the large number of Smart Devices available, there are several alternative actions possible to achieve a given operation on a Smart Device. For example, in one case a rotating knob will be a volume control. In another Smart Device, a touch sensitive moving marker on the screen may produce the same volume control result. These two devices give equivalent operation. You must discover the mechanism used in the Smart Device you are handling.

Chapter 8

The Internet Role In Transactions

Purpose: An introduction to the Internet.

Action: Establish your transaction's focus on the Internet.

An Internet Note of Caution:

Internet components – applications, services, devices, technologies, vendors, users, protocols and standards – grow and change each year. This description focuses on the elements critical for your successful secure use of the Internet. However, this material needs to be updated when used. Key Web page addresses (Domain names or Uniform Resource Locators, URLs) are included to help you quickly assess the latest transaction status. A key industry information source is the Internet Retailer Guide to E-Commerce Technology (internetretailer.com). There are similar guides in other transaction based industries.

What is the Internet?

The Internet allows transaction access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. Since there is no central authority dealing with these security exposures, you, the user, must ensure that you are protecting your Internet plans and programs. This chapter will describe your Internet facilities. The chapter on security will describe the options for your action to protect your Internet plans and programs.

Please take this note of caution very seriously. There are many so-called security tools to protect your Internet actions. Your goal must be to select the effective tools and then to use them effectively.

The Internet Initially:

The Internet was an electronically connected set of computers with a common information structure, format and information encoding. It was intended to share available computer time between government supported computer installations. The objective was to use their surplus available computer time to solve large computational problems associated with atomic energy development. It was also intended to provide an ability to share facilities in case part of the facilities were destroyed. The communications structure was enlarged to include access to the libraries and development records maintained in each of the participating organizations.

Eventually – Today

The Internet is interconnected public networks that are self supporting and run on a cooperative basis. All share a common data format and content code. That is a protocol called TCP/IP (transmission control protocol/Internet protocol). The international association of companies that manage the Internet is called the World Wide Web (www).

Web Pages and Other Nomenclature:

The Internet provides Web pages. A Web page is a collection of text, graphics, sound and, sometimes, video. Together, they create a single window of scrollable materials. Hypertext is the text used on a Web page that leads the user to other related information, or Web pages. The Web page is found by a Browser. That is the software used to find and access a Web page.

URL or Domain Name: The Web page address on the Internet is called a URL, a Uniform Resource Locator. The URL is the designation used by the Browser to access a Web page. Where does the URL come from? It may be found in the output of a Search function. It might be provided by the Web page provider to guide others directly to a Web page of direct interest such as a bank, retailer or health services provider. It may be found in publications, press reports, or directories. As with any "address" it will be found with most communications vehicles.

Domain is another designation for the address of a Web site. It may be more than an address. If well selected, it may also be descriptive of the organization it addresses. The Domain name consists of several parts. The letters www. at the beginning of the domain name indicate the following information is an address on the World Wide Web. The last two or three letters of the Domain name indicate the category of the organization named. It may be .com, commercial, or .gov, government, or .org, organization, or one of several others. The latter designation may be followed by a designation of the country location of the originator, such as .us for United States, .au for Australia and .jp for Japan.

Email:

The most widely used Internet application is email. That is a message with a stated Internet destination and from an Internet source. It is also a vital marketing tool.

It drives business results in the form of increased traffic, customer awareness and customer involvement. A recent Internet Retailer study showed more than 40% of business leaders were planning to increase their email marketing budgets. It will expand with a double digit expansion rate for the next five years. Why? Email is inexpensive. Email is effective because customers rely on it and marketing gets better results from its use. It is a frequent carrier of related URLs. The Internet lacks any security for the user's device, the URL, or the email transaction message content.

Favorite Function

An important function of the Browser is the "Favorite Function" (FF). It is a record of specific Web pages for recall later, to provide quick Browser reentry to a Web page previously designated with the Favorite Function. It is a quick recall of a specific Web page, without going through a Web page search and discovery process. That discovery process would require a search operation and a search sequence output stream examination. Use of the Favorite Function enables applications in all industries to go directly to a Web page of interest.

Use of the Favorite Function for a Transaction Application:

An Internet based industry provides each customer with a URL which uniquely identifies the location of the customer's industry data on the Internet. Using the URL in a Browser takes the user to an entry point for that industry's transaction activities. The entry Web page will immediately impose further security control on access to the designated Web page. The software may ask for a Personal Identification Number (PIN), a password established earlier, or a more exotic biometric device output such as a fingerprint reader.

Having successfully provided the entry control information, the user is now allowed a spectrum of the industry's functions. These range from simple inquiries to sophisticated requests and control reviews. There may be subsequent control features that respond to larger transaction values, value transfer request actions and sound industry transaction criteria.

Specialized Networks

There are hundreds of specialized uses of the Internet. These are a subset of Internet use designed to interact with selected groups of individuals, corporations, religions, country residents, government agencies and the like. Their function is to allow the specialized participants to meet, exchange information and socially interact. Popular "Social Networks" include Twitter, Facebook, MySpace and LinkedIn. These networks offer low cost communications (plus the cost of the needed access equipment and software). In some instances, these networks reach up to two-thirds of a group's participants. Care must be taken to avoid or protect sensitive information. Participants need to establish and maintain lists of participants they want to reach in each type of network. From a marketing point of view these are excellent vehicles for marketing to new clients.

The Internet is Essential for Transaction Solutions:

The Internet is the vital element that ties all of the Smartphone transaction units together into a working system. It allows the Smartphone unit to reach all of the data elements and software elements that combine to provide the transaction services to the Smartphone user. Smartphone transactions provide significant productivity improvements to the transaction based industry. Your knowledge of the Internet and its role in Smartphone transaction based systems is essential for you to successfully build these working systems, and to realize their important results.

Chapter 9

Keyless Retail Transactions

Purpose: To describe work reducing functions available.

Action: Use work reducing steps in Internet transactions.

The Retail transaction:

Forty years' experience with magnetic striped cards, used with self service units ranging from mass transit to Automatic Tellers, demonstrates why 80% of the world's population is implementing self-service transactions in all industries. By contrast, 72% of our population are shopping on the Internet, but only 15% shop with multiple vendors. The need is for a "Keyless Internet Transaction" structure which can be understood and repeated with ONE use. That was the prime success factor for magnetic striped card use.

Transactions on the Internet remain complex. A retail purchase requires up to 25 steps. Half of the steps require data entry keying and three steps require users to examine the results of long search responses. The use of improved solutions such as Amazon's "1 click" reduces these efforts by one half, which is still 12 steps and 2 searches.

Conventional Internet Transaction

Placing a conventional retail transaction through the Internet is a 15 to 20 keyed step process. The process would include these steps:

Search for a search engine.

Select a search engine.

Search for a vendor.

Select a vendor.

Search for a desired item to be purchased.

Select the item to be purchased.

Select the item's style.

Select the item's size.

Select the item's color.

Select the quantity.

Select the delivery method.

Select delivery option.

Enter delivery address and postal zone.

Confirm acceptance of the total charge.

Select payment alternative.

Select credit card to be used.

Enter payment amount information.

Approve payment process and amount.

Print invoice and shipment information.

The Smartphone Introduces New Function

The Smartphone based, keyless process starts with information stored in the Smartphone. Included are: (1) The user's preferred payment information; (2) The user's preferred shipping requirements; and (3) the user's preferred email address for communications.

"Frequent Favorite" is a form of browser based function which provides direct Internet access, generally listed in a sequence of URLs. When one is selected, it provides an appropriate Internet web page address (URL). The URL automatically directs the user's Internet browser unit to the web page describing the article, service or subject being considered for acquisition. Use of this feature bypasses the need for using search engines and scanning long streams of search results. Without any keying, the browser presents the web page showing the URL-identified item. Beyond that, the order options, e.g. color, size and so forth, are selected by using a mouse. The order completion information for payment and shipping is provided by Smartphone stored content.

Keyless Shopping Speeds Purchasing Internet Acquisitions

This Smartphone supported function is a time saver. Bypassing the need for searches and examining search outputs is a browser function provided by most browsers.

Your use of this Smartphone supported function will substantially speed your Internet access and get results on a more timely basis.

Chapter 10

SPARCpay

Purpose: Smart Devices with NFC offer many payment options

Action: Use your Smart Device for payments.

Your Smart Device (SD) with Near Field Communications (NFC) offers a number of payment options in conjunction with your financial service institute, also known as your Application Control Institute (ACI). The simplest example is a funds transfer to another account. That application requests the payee account number and the amount of funds to be transferred. The sequence of steps that follow that application entry was described in detail in chapter 2, "The SPARC Security Solutions".

There are a number of similar applications for:

Payment at a point of sale.

Payment at a retail checkout.

Payment at a supermarket checkout.

Payment or withdrawal at an ATM.

Payment at a transit gate.

Payment in a taxicab.

Payment by bumping with another Smart Device.

Receipt of funds by bumping from another Smart Device.

The Internet Payment Challenges:

The SPARCpay process is protected by the SPARC Security Solutions. Those protections require you to use a dual control to open the SPARCpay application. Depending on your choice, that requires entry of a SPARC PIN, or the use of a second security application, or the use of a security device. Any of those prevent the effective use of your Smart Device if it is lost or stolen. SPARCpay also prevents the effective use of an overheard transmission. It also prevents the downloading into your Smart Device of a fraudulent application, malware or viruses.

Other SPARCpay options

Your ACI will provide you with a number of other pay options including check deposits, loan and mortgage payments and automatic bill payments. All are protected by the SPARC Security Solutions.

Chapter 11

Securing an “Internet of Things” (IOT)

Purpose: Explain IOT operation, security challenges and the SPARC Security Solutions responses.

Action: Communicate the steps necessary to secure an IOT.

What is an Internet of Things?

Gartner forecasts the IOT will be 26 billion units talking to each other via the Internet by 2020. These are a wide range of devices exchanging information via the Internet. The Internet provides lower cost communications. Unfortunately, it also provides a series of security challenges. These include:

Downloading of fraudulent applications. Malware and viruses.

The fraudulent applications may be designed to:

Usurp control.

Steal industrial know-how.

Sabotage or misdirect device operation.

Provide misleading responses.

What is the SPARC Security Solution for an Internet-based IOT?

The SSS inserts a logic device between each unit and the Internet. The logic device may be a custom chip, a dedicated logic unit or a smart device application. In an IOT situation there will be a “Sender” and a “Receiver”. Both units are bidirectional.

What are the SSS messages?

The SSS IOT sender message consists of:

The 40-digit SPARC Identification Number (the SIN).

The Sender’s unique identification.

The message send time on a 24-hour basis.

The message send date.

The message transaction number (non-sequential).

The security challenges are to prevent a counterfeit message, or a replay of an overheard message transmission, from fooling the receiving unit.

The IOT receiving unit applies these tests before accepting the incoming message:

From an acceptable source? This requires the receiver to maintain a list of acceptable sources.

Within an acceptable time period from the sending time? This requires the receiver to have an internal clock and a time synchronizing mechanism. It also requires an acceptable maximum interval for each physical location. An acceptable interval will be set for moving receivers.

With the correct transaction number? This requires storage of the last sequence number, a sequencing algorithm and a next-sequence-number calculator.

Note that the acceptable time interval may be a fraction of a second from transmission to receipt. That requires that the acceptable interval be set for each IOT based on its physical dimensions. The acceptable time interval is never transmitted. However, the participating units may require a periodic resynchronization of all clocks in a given IOT, such as daily.
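As an added example (not code from the book or from any SPARC implementation), the three receiver tests above expressed in Python: the acceptable-source list, the per-location time window and the next-transaction-number check, exercised against a good message, its replay, a late copy and an unknown sender. The sequencing algorithm, field layout, tolerances and sample traffic are stand-ins chosen for this illustration; the book does not publish them.

```python
"""Receiver-side acceptance tests for an SSS-style IOT message.

Added illustration, not code from the book or from any SPARC product.
The sequencing algorithm, message fields, time tolerance and sample
traffic are stand-ins chosen for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

TN_MODULUS = 10_000  # the book's transaction number is 4 digits


def next_tn(previous: int) -> int:
    """Stand-in non-sequential successor for the 4-digit TN.

    A linear congruential step: a=21, c=1, m=10_000 satisfy the Hull-Dobell
    conditions, so every TN is visited once before the sequence repeats.
    The real algorithm is held only by the participating units.
    """
    return (21 * previous + 1) % TN_MODULUS


def tn_period(start: int = 0) -> int:
    """Length of the cycle next_tn produces from start (10_000 = full period)."""
    seen, x = set(), start
    while x not in seen:
        seen.add(x)
        x = next_tn(x)
    return len(seen)


@dataclass(frozen=True)
class IotMessage:
    sin: str            # 40-digit SPARC Identification Number
    sender_id: str      # the sender's unique identification
    sent_at: datetime   # send date and 24-hour send time, combined
    tn: int             # transaction number, non-sequential


@dataclass
class SenderRecord:
    """What the receiver keeps for each acceptable source."""
    sin: str
    last_tn: int
    max_delay: timedelta  # set per physical location, never transmitted


class IotReceiver:
    def __init__(self, sources: dict[str, SenderRecord]) -> None:
        self.sources = sources

    def check(self, msg: IotMessage, received_at: datetime) -> str:
        """Return 'accept' or the first failed test; TN advances only on accept."""
        rec = self.sources.get(msg.sender_id)
        if rec is None or rec.sin != msg.sin:
            return "reject: unknown source"
        # symmetric window tolerates small clock skew in either direction
        if abs(received_at - msg.sent_at) > rec.max_delay:
            return "reject: outside time window"
        if msg.tn != next_tn(rec.last_tn):
            return "reject: wrong transaction number"
        rec.last_tn = msg.tn
        return "accept"


def demo() -> list[str]:
    """Constructed traffic: a good message, its replay, a late copy, a stranger."""
    sin = "1234567890" * 4  # constructed 40-digit SIN
    t0 = datetime(2015, 9, 3, 14, 30, 0, tzinfo=timezone.utc)
    receiver = IotReceiver({
        "thermostat-07": SenderRecord(sin, last_tn=4821,
                                      max_delay=timedelta(milliseconds=500)),
    })
    first = IotMessage(sin, "thermostat-07", t0, next_tn(4821))
    results = [receiver.check(first, t0 + timedelta(milliseconds=120))]
    # an overheard copy replayed moments later: its TN is already consumed
    results.append(receiver.check(first, t0 + timedelta(milliseconds=300)))
    # correct next TN, but delivered far too late for this location
    late = IotMessage(sin, "thermostat-07", t0, next_tn(first.tn))
    results.append(receiver.check(late, t0 + timedelta(seconds=5)))
    # an unknown unit presenting a valid-looking SIN
    stranger = IotMessage(sin, "unknown-unit", t0, next_tn(first.tn))
    results.append(receiver.check(stranger, t0 + timedelta(milliseconds=50)))
    return results


if __name__ == "__main__":
    print(demo())
```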

How is vital data protected?

Vital data is protected by a protection value kept with the expected-sources list. The vital data is added to the protection value at the sender. The protection value is NOT transmitted. Upon receipt at the receiver, the protection value is subtracted from the protected value to recover the vital data.

Complete Logic Diagram:

Detailed Design, Sender and Receiver logic units, from US Patent Application number US 2015/0249663 A1, dated September 3, 2015, Figure 14.

Summary of SPARC Security Solution IOT Attributes:

This process does not require the use of PINs, passwords or encryption. The Sender Identification Number is the controlling mechanism. This allows use of lower cost and simplified logic devices.

This process is 100% compatible with transaction processing and database standards.

Copied or counterfeit messages will be rejected by the logic tests.

Downloaded fraudulent applications, malware and viruses are rejected for lack of an acceptable SPARC Identification Number.

Useable with all “Things”, communications technologies, and logic technologies. Improves the market for IOT devices.

Increases the usability and output revenues of the Internet, which decreases IOT costs and operating expenses.

Chapter 12

SPARCHealth

Purpose: Personal health record (PHR).

Purpose: Identify the PHR Content

The Content

The content of a personal health record is described in two national standards. They are the Standard Guide for Content and Structure of the Electronic Health Record, ASTM E1384, and Coded Values for the Electronic Health Record, ASTM 1633.

The Internet record at NCBI.NLM.NIH.GOV/PMC/Articles/PHC2047330/ provides a detailed record of the prescribed content.

What is the content of the PHR?

This is a collection of information about your health. It is not the same as the electronic medical records, which are owned by doctors’ offices, hospitals and health insurance plans. Your PHR includes anything to help you manage your health. It generally includes:

Your medical identifications.

Your primary care doctors’ names and phone numbers.

Allergies, including drug allergies.

Your medications, including dosages.

Chronic health problems (your problem list).

Major surgeries, with dates.

Living will or advance directives.

Family history.

Immunization history.

Consultations.

Physician’s orders.

Hospital stays: operative and pathology reports, discharge summaries.

Imaging and X-ray reports.

Lab reports.

Consent and authorization reports.

Also added may be information about disease prevention. This may include:

Results of screening tests.

Cholesterol and blood pressure.

Exercise and dietary habits.

Health goals, such as stopping smoking or losing weight.

The personal health record allows you to share information. It also helps you to manage your health between doctor visits. It enables you to:

Track and assess your health.

Make the most of your doctor visits.

Manage your health between visits.

Get and stay organized for your health activities.

The SPARC Security Solutions role:

This is a transaction/database system (see Chapter 11). Items of data are protected from source to database. They are added to the database with a confirmation message to the source. They are accessible by inquiries from known sources.

Chapter 13

Implications of Introducing Internet Security

Purpose: To Anticipate Market Reaction to Improved Security

Action: Use changes to guide future investments/actions.

The Historic Evolution of Dedicated Networks:

Historically, the lack of Internet security has been solved in two ways. One way is to switch to the use of dedicated networks. Two examples are the credit card networks for VISA and MasterCard. In both cases the dedicated networks were used to capture transactions and to authorize transactions. Furthermore, “Securing Your Internet Use” also has implications for the future design of Smart Devices.

Dedicated networks incorporate network electronics to assure and maintain network security. However, this requires continued monitoring to assure no change in the security status. It also requires continued alertness to equipment erosion or failure. These are worldwide networks. That means there is continued surveillance in a wide range of geographic conditions. These are not inexpensive endeavors.

The Historic Development of Piecemeal Solutions:

A large number of programs were developed to solve specific Internet network security challenges. Included are commercially available programs to encrypt and decrypt message content, anti-malware detection and suppression programs, virus detection programs, firewalls and virus suppression programs.

In addition to their cost, these specialized programs require annual renewal and, more importantly, they require periodic updating to reflect the continued change of attacks and their required correction techniques.

After a Secure Internet Introduction

Detection and correction of an Internet-based security attack is not the end of the problem. Transaction messages carry vital data such as social security numbers, tax identification numbers and even re-ordering information. All of these vital numbers will need to be protected even in a “secure” Internet environment. Yes, even a secure Internet environment still requires the use of assorted techniques for protecting vital information. There will also be the development of new attack techniques. Further improvements in De-Identification, in achieving dual control and in database-controlled applications will be needed to improve their speed and application.

Impact on Future Smart Device Design:

An important lesson from the subject patents and this text is the need to isolate incoming transactions and transaction results until their security is validated. Those incoming transactions need to be isolated until the questioned transactions satisfy the SPARC Identification Number (the SIN) tests. The isolation buffers in future Smart Devices will hold and isolate the questionable materials. That will play a valuable role in SPARC Security Solution implementation. This will also provide an opportunity to notify the transaction source of the disposition of the transaction they sent.

Life is a Good Example

Through the ages, professions such as medicine have continued to evolve. Identification of new challenges and development of new responses will be required, and education of new professionals will be a continued need. Welcome to the real world! The battle may shift, but even the change to a more secure environment will have its new challenges.

Chapter 14

Good Reasons To De-Identify

Purpose: Explain the reasons to use De-Identification

Action: Use for all SPARC Security Solution applications.

The Source:

The following reasons for using De-Identification as part of the SPARC Security Solution are from an IBM report, “6 Good Reasons to De-Identify Data”.

What is De-Identification?

This is the data left after the directly identifying data has been removed. The remaining data can no longer be associated with a specific account number (TAN). That also means none of the remaining data can be used to research the missing identification. That requires that secondary identification data, such as a social security number, also must be removed or disguised. The disguise may be easily accomplished by adding the true account number (the TAN) to the secondary identification data using “absolute” arithmetic. The TAN is not transmitted. It is available in the Application Control Institute’s database when needed for re-identification.

Why Use De-Identification?

The six good reasons to use De-Identification are:

1. Allows the remaining data to be used in many ways.

2. Allows the remaining data to be used for marketing research.

3. Allows the remaining materials to be used for medical research without violating privacy.

4. Protects privacy of the material sources even if the material’s disposition is not authorized.

5. Significantly reduces the risk of legal compliance infractions.

6. Demonstrates due diligence even if a privacy breach is alleged.

Why our Interest?

As with seat belts in cars, other safeguards should be used, including safe driving and proper maintenance of the vehicle.

That means rational care of the smart device. Also, taking reasonable steps to prevent its loss or it being stolen.

This material is taken from an “IBM for Midsize Business” program intended to provide midsize businesses with the tools, expertise and solutions they need.

Chapter 15

SPARC Bit Stream Processing

Purpose: Understanding the distribution of entertainment content.

Action: Provide SPARC SS benefits for Bit Streaming.

What is Bit Streaming?

Bit Streaming is the distribution of a continuous flow of information such as motion picture content, performance events and live sports events. Bit streaming distribution is an important source of revenue-producing entertainment content. Bit streaming is usually distributed through the Internet. With that transmission come all the usual Internet challenges. Those include malware, viruses, overheard transmissions and unapproved bit streaming access and copying.

How do the SPARC Security Solutions secure Bit Streaming?

The SPARC Security Solution protects the bit streaming with two numbers. One is the SPARC Identification Number (the SIN). This is a standards-compatible value of 40 digits. Included in the SIN is the unique identification number of the SPARC Security service provider. The second number is the transaction number portion of the SIN. This is a unique number which is changed for each application of the Bit Streaming protection process.

How is the SPARC Security Solution applied?

The account number is NOT transmitted in the clear. Rather, the bit stream is identified by the applicable SIN. In addition, the bit stream is disguised by adding the true account number, which is not transmitted, in 40-digit increments to the bit stream. At the receiving location the true account number is subtracted from the secured bit stream in 40-digit increments. In other words, the bit stream is protected by a simple De-Identification process.

There is a more direct solution. It requires using a logic device between the Internet and the display device that implements the SPARC Security Solution process. That is the same logic device design that is used to protect individual devices linked to the “Internet of Things”.

Chapter 16

SPARCloud Security Solution

Purpose: To describe the application of SSS to secure clouds

Action: Apply SPARCloud SS to large cloud installations

What is Cloud Computing?

Cloud computing is the provision of computing power as a service, rather than as a specific computer product. A simple analogy is electric power. Electric power comes from a plug in the wall rather than from building, maintaining and delivering power from our own power plant.

How is it Accessed?

Cloud computing requires the delivery of vast amounts of data through the Internet or through dedicated networks. In either case the delivery process is subject to the usual assortment of security attacks. These may involve stealing vital data, or attacks with fraudulent applications, malware or viruses. They may also involve overhearing wireless transmissions and attempting to fraudulently reuse the captured vital data.

Applying the SPARC Security Solution:

Cloud-based data is moved in fixed-size blocks. Each block has a SPARC Identity Number (a SIN). The SIN is 100% compatible with the transaction standards. There is a cloud-maintained database of known and acceptable SINs. Each incoming cloud data block adds its assigned SIN to the database. Part of the SIN includes a redundancy check for the entire data block. The SIN is validated each time the data block is accessed or moved. Blocks leaving the cloud are also SIN checked.

Failure to validate the SPARC SS SIN results in destruction of the defective block or retransmission of the data block. Any redundancy check failure indicates an addition to, or removal of data from, the original data block. If needed, redundant cloud block retransmission may be used, or a more complete content validation or content recovery.

Summary:

SPARCloud is built on the same SPARC Security Solution principles. Dual Controls are based on controlling databases and specific SIN-based block numbers. The SIN-based block numbers complete the De-Identification process. Thus, the SPARC Security Process completes its secure handling of the SPARCloud computing data flow security process.

Chapter 17

Securing Unsolicited Messages

Purpose: To anticipate an Internet fact-of-life

Action: Prepare an unsolicited messages plan of action.

The Internet Challenge:

Dealing with the Internet occasionally results in a flow of unsolicited messages. They may be quickly identified by the absence of an acceptable SPARC Identification Number (SIN). The presence of an acceptable SIN indicates prior handling of the message with SPARC Security Solution rules, de-identification and database controls.

Unsolicited messages may be fraudulent transactions, malware or viruses. As such, they represent a significant danger to the receiving applications or systems.

Unsolicited Messages Plan Of Action:

Processing of unsolicited messages is 100% compatible with the processing of all messages. Unsolicited messages should be segregated and stored separately. They should immediately be scanned by a free program such as the “Malwarebytes” anti-malware program. A contaminated message should be destroyed immediately, with a record of the message disposition sent to the sender. An uncontaminated message can be provided with a correct SIN and processed in the normal SSS manner.

Chapter 18

Introducing SPARCoogle – a Free Security Service

Purpose: Use SPARC Security Solutions to attract advertising $

Action: Establish the SPARCoogle organization

What is SPARCoogle?

SPARCoogle is the availability of SPARC Security Solution know-how at no charge to the requestors. This will be a direct result of the growth of SPARC SS experience and the vast communication of SPARC SS usage benefits. What type of information will be available uniquely through SPARCoogle?

Educational materials provided by SPARC SS insurance companies.

SPARC SS registration options and Internet addresses.

Sources of SPARC SS additional materials such as multi-language instruction manuals, planning materials and reporting materials.

Is There A SPARCoogle Advertising Organization?

One of the great contributions of the Google organization was the demonstration that advertisers will support this type of service with a large amount of paid advertising.

The SPARCoogle organization includes:

Advertising receipt and processing.

SPARCoogle Internet network design.

A SPARCoogle Internet browser.

Setup and maintenance of the SPARCoogle database.

Setup and maintenance of a multi-language database.

Setup and maintenance of a world-wide operation.

Negotiate a cross license and access with GOOGLE.

Set up, maintain $ for future SPARC contributions.

Set up, maintain press interface for SPARCoogle.

SPARCoogle education materials, process.

Set up an annual contribution recognition event, awards.

Chapter 19

SPARC Security Solutions Questions and Answers

Purpose: Provide frequently asked questions with answers.

Action: Use to prepare responses to frequent questions.

Introduction:

Payment processes and technologies change rapidly. Historically, they have changed every decade for the past 50 years. I was fortunate to have led the effort to create the magnetic striped cards almost 50 years ago (1966 to 1973). The stripe content and the supporting database authorization architecture we architected then have now evolved with several generations of card technologies. All indications are they will continue to provide the usage decision base for this vital industry. The following material demonstrates their ability to support the coming era of smart devices. Magnetic striped cards are 50 years old. Smart cards with PINs and chips are now approaching 35 years of age. Now is the time to recognize the rapid shift to smart devices. The following material is offered to demonstrate that the rapid change should be encouraged and welcomed. With it comes the ability to secure the use of the Internet, a very welcome event. I wish all the users of these proposals the same sense of contribution to society that I feel. Jerome Svigals.

SPARC Security Solutions (SSS)®, a Questions and Answers Compendium © 2015.

Q. What is the SPARC Security Solution (SSS)?

A. SSS provides an enhanced method to assure secure wireless and Internet-based transactions. SSS uses a combination of three security processes which have been used by industry for more than 20 years, with an SSS-provided innovative and patented improvement. The entire transaction world is moving rapidly to the use of smart (programmable) devices, such as smartphones or tablets. The SPARC Security Solution allows use of a lower cost smart device. SPARC does NOT require the use of PINs, passwords or encryption. SPARC protects against the three most serious smart device security challenges: (1) Lost or stolen units (50% in the USA last year); (2) Misuse of overheard transmissions; and (3) Downloading of fraudulent applications, malware and viruses. SSS does NOT require smart device or operating system modification. It is 100% compatible with existing industry transaction standards and databases.

Q. Why would using the SSS be valuable in my business?

A. Use of smart devices is becoming a fact of life for anyone over eight years old. Even those not served by a bank and the underbanked are smart device users for transactions with employment and family. Smart Devices are an infrastructure provided by the users, rather than by the application provider, e.g. a bank. Hence, all industries will benefit from an improved security solution for smart devices. Thus, SSS offers improved economics, a single solution for the three major smart device security challenges, and is useable with the existing major investments in networks, databases and products (hardware and software). More important, SSS departs from previous security solutions, which were piecemeal, expensive, usually after-the-fact and destructive solutions.

Q. What is unique about SSS?

A. Its patented features. This is primarily the “SPARC Security ID” concept and use. The three security solutions used by SPARC have been used successfully for more than 20 years, world-wide. They are (1) Dual control; (2) De-Identification (initially a US Government medical specimens patent); and (3) Database control. The SSS advances are its simplicity, economics, and 100% compatibility with existing processes and databases. SSS uses proven techniques with its unique ability to avoid use of old, piecemeal and expensive security solutions. SSS allows use of the low cost, universal Internet rather than expensive dedicated networks. This makes SSS unique. You will not need to use Virus Detection programs or Encryption programs. This SSS attribute is true for all smart devices, their operating systems and applications in ALL industries.

Q. Do we employ encryption?

A. No. We employ De-Identification. This is a secure process used by the federal government for more than 20 years in the healthcare industry to prevent source identification of medical samples. Encryption requires substantially more storage, higher performance and increased cost in a smart device. De-identification also includes techniques for protecting vital data.

Q. Do we employ tokenization?

A. No. Tokenization is replacing an identification or account number with a random number. SSS uses a uniquely and patented constructed version of the historic transaction processing standard account number to replace the true account number (TAN).

Q. Do we use multifactor authentication?

A. We use the long-used basic dual control, the fundamental security technique of the financial industry, e.g. card and PIN.

Q. Who uses the SSS solution today?

A. Everyone. We use the basic security techniques now in use. SSS simply redefines the account number content, which is the SSS patented highlight. SSS uses a 40-year-old, cross-industry account number and database-contained standardized identification number.

Q. What proof do we have that it works?

A. The account number based database systems have been successfully used for forty years, world-wide. For example, it is used by every card issuing institution to authorize transactions. The latest Nilson Report puts current credit card losses at $0.06 per $100 of gross sales. That is a remarkably small loss ratio, considering decades of fraud development techniques.

Q. When will SSS have proof?

A. SSS has proof now by use in existing systems. Proof will be further confirmed when we obtain Underwriter’s Laboratories Transaction Security certification early next spring.

Q. How to validate the strength of the solution?

A. SSS is confirmed by current industry usage. The SSS enhanced security functions will be further confirmed by UL Transaction Security certification.

Q. How to subscribe to or build SSS myself?

A. You will build SSS yourself, as all industries now do. You will need to make a minor addition to your database and a minor modification to smart device applications. This inserts the SSS process into smart device use. No modifications are required to the operating system.

Q. How is SSS configured in all industries?

A. SSS uses existing processes.

Q. What is the SSS timeline?

A. SSS is in use now. SSS requires minor application modification to incorporate the patented definition of the SPARC Secure ID Number (SIN) and process.

Q. Will your use of SSS be unique in your industry?

A. No. You will be the first to take advantage of SSS secure functional improvements and economics. Eventually, others will follow your leadership.

Q. How often will SSS have new releases?

A. It is difficult to have new releases with security techniques which are 20 or more years in use. What will be new will be the added industry application uses and devices that you will now incorporate in these well-established SPARC security solutions.

Q. What influences new SSS releases?

A. You will control how you apply the SSS.

Q. How to handle SSS maintenance and enhancements?

A. SSS is based on existing industry standards with established processes for handling maintenance and enhancements.

Q. Is SSS adequately capitalized?

A. Since the SSS is based on existing standards, all industries will bear the burden with a minimum of guidance. SSS will lead by application development, not by expensive product development. This allows low cost use of the SSS functionality. This greatly reduces the SSS capitalization requirements.

Q. How are you protected if SSS sells to your competitors?

A. That is like asking the electric company to not provide power to your competition. The fact of life is that this simple, low cost, universally applicable and effective SSS will eventually be used by all. Your challenge will be to keep ahead of industry progress and lead your competition into the new Secure Smart Devices applications within the SSS era.

Jerome Svigals

(Leader of the 1966-73 IBM magnetic striped card development team, stripe multi-track data content architecture and database security architecture used worldwide for more than 30 years. Member of ABA and ANSI standards groups for magnetic striped card specs and content.) Re US Patents 8,453,223, dated 5/28/13; 8,806,603, dated 8/12/14; 8,997,188, dated 3/31/15; and 9,009,807, dated 4/14/15.

Chapter 20

Use of Prior Security Solutions, Standards, Programs

Purpose: Reconfirm that SSS is 100% compatible with past solutions

Action: None is required after reconfirmation of compatibility.

Introduction:

This will be the shortest chapter. Full compatibility gives you the option of using all previously available products. For example, SPARC Security Solutions De-Identification provides adequate content security. However, if you wish to also use encryption, do it. It is a redundant effort, but do it if you feel more comfortable. After a while, you will recognize your redundant efforts. This includes Malware detection, Encryption, Firewalls, Virus Detection and elimination, Fraudulent application detection and elimination, and so forth.

Chapter 21

Summary of SPARC Security Solution Patents

Purpose: Identify Basic SSS Patents & Their Application

Action: Use Application Definitions to Identify Market Use.

Summary of SPARC Patent Claims:

8,453,223, dated 05/28/13: System to verify transaction content with a one-time identifier. Provides Dual Control on transaction origination. Independent of Smart Device and Operating System. Generates SPARC Identification Number used for De-Identification. Uses Database Control to recover True Account Number from SPARC Identification Number.

8,806,603, dated 08/12/14: System to verify a transaction which is biometrically actuated. Wireless. One-time identifier, separate to and from the application control institution. Using NFC. For a plurality of devices (this is IOT). Works with magnetic striped media.

8,997,188, dated 03/31/15: Protects unsolicited transactions. Protects without use of PINs, passwords or encryption. Destroys invalid transactions. Transaction count NOT incremented by one (prevents use of over-heard transmission). Accepts transactions based on time (an IOT security feature).

9,009,807, dated 04/14/15: Works with external devices. Determines if source of transaction is acceptable (this is also IOT). Modifies the smart device to include a buffer to temporarily store a message until validated. Includes an alarm when smart device and dual control security device are too far apart physically.

These are the major claims. There are a number of claims of less significance.

Patent Pending:

2015/0249663, published 09/03/15: Patent Application for “Security for the Internet of Things”. Listing 23 claims. “An application control device controls another device.”

Chapter 22

SPARC Security Solution Smart Device Simulation

Purpose: Demonstrate the SPARC Security Solution

Action: Use the simulation to demonstrate SPARC SS.

SPARC Security Solution Simulation:

(Note: this is a patented process)

Requires two Android Smart Phones, Smart Device 1 (SD1) and Smart Device 2 (SD2):

One is the transaction device, SD1, with two applications. The second, SD2, is the Application Control Institute, e.g. the bank, with two applications.

App1: Application is a financial transaction.

App2: Application is the SPARC Security App.

The Process:

SD1, App1: Creates the transaction with the TAN.

SD1, App2: Completes the transaction by generating the SIN.

SD1, App1: Assembles and transmits the transaction with the SIN.

Internet: Carries the transaction to SD2.

SD2, App3: Receives the transaction.

SD2, App2: Validates the transaction with the SIN.

SD2, App3: Processes the transaction with the TAN.

SD2, App3: Creates the return transaction with SIN2.

SD2, App2: Completes the transaction.

SD2, App3: Assembles and transmits the transaction.

Internet: Carries the transaction to SD1.

SD1, App1: Receives the transaction, replaces SIN2 with the TAN.

SD1, App2: Validates the transaction.

SD1, App2: Completes the transaction.

The App Details:

The original lays out the steps in three columns: Smart Device (SD1), SPARC SS app (SD1/2) and Application Control Institute (SD2). The steps, grouped by column in order:

Smart Device (SD1), App1:
  Open financial transaction App1.
  Enter application information (pay to, amount, SPARC PIN).
  Send request to App2 (SSS).

SPARC SS app (SD1/2), App2:
  Open SSS App2.
  Enter SPARC PIN, 6 characters.
  Generate SIN (SPARC Identification Number).
  Generate TN+1 and store (transaction number).
  Send SIN to SD1.

Smart Device (SD1), App1:
  Replace TAN (true account number) with SIN.
  Send transaction to ACI (Application Control Institute, e.g. bank).

Application Control Institute (SD2):
  Open transaction.
  Extract SIN.
  Seek SIN record.
  Extract true account number.
  Extract TN.
  Validate transaction TN.
  Access TN.
  Process TN transaction.
  Generate return message.
  Send return message.

Smart Device (SD1), App1:
  Receive message.
  Extract SIN.
  Send SIN to SSS app.

SPARC SS app (SD1/2), App2:
  Receive SIN.
  Extract TN.
  Validate TN.
  Calculate T+1.
  Send message to SD.

Smart Device (SD1), App1:
  Receive message, complete transaction.
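The SD1/SD2 exchange listed above, as an added simulation in Python (not the book's simulation or any SPARC product code): the SSS app releases a SIN only after the SPARC PIN check, App1 sends the SIN in place of the TAN, the ACI recovers the TAN from its SIN record and validates the TN, and the SSS app checks the returned SIN2. The SIN layout (36 identifying digits followed by the 4-digit TN), the TN+1 step, the message shape and all sample values are assumptions made for this example.

```python
"""Two-party simulation of the Chapter 22 transaction flow.

Added illustration, not the book's simulation.  SIN layout, the TN+1 step,
the message shape and the sample PIN, SIN base and TAN are constructed.
The 'Internet' legs are plain function calls.
"""
from __future__ import annotations

from dataclasses import dataclass

TN_DIGITS = 4
TN_MOD = 10 ** TN_DIGITS
BASE_DIGITS = 40 - TN_DIGITS


def split_sin(sin: str) -> tuple[str, int]:
    """Assumed SIN layout: 36 identifying digits followed by the 4-digit TN."""
    if len(sin) != 40 or not sin.isdigit():
        raise ValueError("SIN must be 40 decimal digits")
    return sin[:BASE_DIGITS], int(sin[BASE_DIGITS:])


def make_sin(base: str, tn: int) -> str:
    return base + f"{tn % TN_MOD:0{TN_DIGITS}d}"


@dataclass
class Message:
    """What crosses the Internet: a SIN in place of the TAN, plus the payload."""
    sin: str
    payload: dict


class SparcSecurityApp:
    """SD1 App2: holds the SPARC PIN, the SIN base and the current TN."""

    def __init__(self, sparc_pin: str, sin_base: str, tn: int) -> None:
        self._pin, self._base, self.tn = sparc_pin, sin_base, tn

    def generate_sin(self, pin_entered: str) -> str | None:
        if pin_entered != self._pin:        # dual control: wrong PIN, no SIN
            return None
        self.tn = (self.tn + 1) % TN_MOD    # "Gen TN+1, store"
        return make_sin(self._base, self.tn)

    def validate_return(self, sin2: str) -> bool:
        base, tn = split_sin(sin2)
        if base != self._base or tn != (self.tn + 1) % TN_MOD:
            return False
        self.tn = tn                        # "Calculate T+1" and store
        return True


class ApplicationControlInstitute:
    """SD2, the bank: its database maps SIN base -> [TAN, last TN]."""

    def __init__(self, records: dict[str, tuple[str, int]]) -> None:
        self.db = {base: list(rec) for base, rec in records.items()}
        self.ledger: list[tuple[str, dict]] = []

    def receive(self, msg: Message) -> Message | None:
        base, tn = split_sin(msg.sin)
        rec = self.db.get(base)             # "Seek SIN record"
        if rec is None:
            return None
        tan, last_tn = rec                  # TAN never left this database
        if tn != (last_tn + 1) % TN_MOD:    # "Validate Trans TN": replay/counterfeit
            return None
        self.ledger.append((tan, msg.payload))   # "Process TN transaction"
        rec[1] = (tn + 1) % TN_MOD          # advance for the return leg
        return Message(make_sin(base, rec[1]), {"status": "approved"})


class FinancialApp:
    """SD1 App1: builds the transaction, then swaps the SIN in for the TAN."""

    def __init__(self, tan: str, sss: SparcSecurityApp) -> None:
        self.tan, self.sss = tan, sss
        self.sent: list[Message] = []

    def pay(self, aci: ApplicationControlInstitute, pay_to: str,
            amount: str, pin_entered: str) -> str:
        sin = self.sss.generate_sin(pin_entered)
        if sin is None:
            return "refused: dual control failed"
        msg = Message(sin, {"pay_to": pay_to, "amount": amount})
        self.sent.append(msg)
        reply = aci.receive(msg)            # Internet leg to SD2 and back
        if reply is None:
            return "declined by ACI"
        if not self.sss.validate_return(reply.sin):
            return "return message failed SIN check"
        return "completed"


def wire_exposes_tan(app: FinancialApp) -> bool:
    """True if the TAN ever appeared in anything SD1 sent."""
    return any(app.tan in m.sin or app.tan in str(m.payload) for m in app.sent)


def demo() -> dict:
    base = "1" * BASE_DIGITS              # constructed SIN identifying part
    tan = "4000123412341234"              # constructed True Account Number
    aci = ApplicationControlInstitute({base: (tan, 100)})
    sss = SparcSecurityApp("135790", base, 100)   # constructed 6-char SPARC PIN
    sd1 = FinancialApp(tan, sss)
    results = [sd1.pay(aci, "payee-42", "25.00", "135790")]   # legitimate user
    results.append(sd1.pay(aci, "payee-42", "25.00", "000000"))  # lost device
    replayed = aci.receive(sd1.sent[0])   # overheard first message, resent
    results.append("replay declined" if replayed is None else "replay accepted")
    return {"results": results, "tan_on_wire": wire_exposes_tan(sd1)}


if __name__ == "__main__":
    print(demo())
```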

Chapter 23

SPARC Security Solutions versus Foreign Hackers

Purpose: Describe past Internet attacks and the SPARC SS response

Action: Use SPARC SS knowledge to prevent a recurrence.

The Report

The New York Times reported (8/12/14) that foreign hackers had successfully amassed 1.2 billion Web credentials (user names and passwords) from an Internet-based attack. The attack amassed 4.5 billion records.

Let’s Assume

That they caught an equivalent amount of SPARC Security Solution based transactions. What would they have?

They would have messages without true account numbers.

No PINs, passwords or encryption processes or results.

The transaction numbers are out of sequence.

There are no readable user names or vital data.

Database responses or overheard transmissions are not usable.

No Smart Device access information.

In summary, they would have captured nothing of value.

Chapter 24

SPARC Security Process Key Numbers (SIN and TN)

Purpose: Describe key components of SPARC Security Solutions

Action: Test SSS by full disclosure.

Where did it all start?

The basic security concept originated fifty years ago with the development of the magnetic stripe. The challenge with striped cards was to interface to a minimum of two different control systems. One was the numeric-based banking systems with account numbers. The second was the name-based travel industry systems with alphabetic name access. These became the basis for many future standards. The first was ISO 2984 in 1983. It had three tracks, but the numeric Track Two became the finance industry basic. It consisted of 40 numeric digits of 5 bits each. The primary account number is 19 digits. There are an added 12 digits for miscellaneous number fields. The remainder of the track digits are used for control sentinels.

Through The Intervening Years

As the transaction medium changed from cards to smart cards to smart devices, the subsequent standards’ content remained the same to protect the resulting authorizing databases. The design of the SPARC Security Solution chose to use the same format for its SPARC Identification Number, the SIN. Use of the SIN allowed full use of existing databases, devices, software and systems. However, there was a remaining challenge. Fraudulent access to the SIN by over-hearing, or use of a lost or stolen smart device, required a further solution.

The Need for a Further Identification Variable:

The added challenges of over-hearing misuse of data and use of lost or stolen Smart Devices were solved with the use of a transaction number of 4 digits in the SIN. For example, use of a SIN value twice presents an acceptable account number, except for the duplication of the TN. Hence, the four-digit TN is an added precaution for several attack scenarios.

The added TN value requires an algorithm to advance the sequence. The algorithm must not become known to a thief with his own Smart Device. That is avoided by advancing the TN value by algorithm only at the Application Control Institution (ACI) database.

Protecting Vital Data:

The De-Identification process does not protect vital data in the “protected” record or transaction record. This may include telephone numbers, government services numbers such as social security, and a variety of passwords, financial identification numbers such as credit cards, and PINs and other security access codes. These may be protected by a very simple but secure process. The De-Identified message LACKS the true account number for the transaction record being protected. Hence, the data to be protected is added to the true account number in segments of 40 digits or 20 alphabetic characters. The process is called “absolute” arithmetic, which does NOT do a decimal carry between digits. The process is easily reversed when it is necessary to recover the vital data at the ACI.
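An added worked example (not the book's code) of the “absolute” arithmetic described above, which is also the 40-digit segment addition applied to bit streams in Chapter 15 and to secondary identifiers in Chapter 14: digit-wise addition and subtraction modulo 10 with no carry, the TAN restarting every 40 digits. The TAN, the sample data, and the reading that a 20-letter segment consumes two TAN digits per letter are assumptions made for this example.

```python
"""Digit-wise 'absolute' arithmetic for disguising vital data with the TAN.

Added illustration, not the book's or any SPARC product's code.  The book
describes adding the True Account Number (TAN) to the data in 40-digit
segments with no decimal carry; this implements that reading.  The letter
variant (two TAN digits per letter, 20 letters per segment) is an assumed
encoding.  Caveat for practitioners: the same 40-digit mask is reused on
every segment, so this is a repeating-key additive cipher whose protection
rests entirely on the TAN never being exposed.
"""
SEGMENT = 40                    # digits of TAN applied before the mask restarts
ALPHA_SEGMENT = SEGMENT // 2    # letters per segment (two TAN digits each)
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

TAN = "0123456789" * 4          # constructed 40-digit True Account Number


def _mask_digits(tan: str) -> list[int]:
    if len(tan) != SEGMENT or not tan.isdigit():
        raise ValueError("TAN must be exactly 40 decimal digits")
    return [int(c) for c in tan]


def disguise(data: str, tan: str) -> str:
    """Add the TAN to the data digit by digit, modulo 10, no carry."""
    if not data.isdigit():
        raise ValueError("data must be decimal digits")
    mask = _mask_digits(tan)
    return "".join(str((int(d) + mask[i % SEGMENT]) % 10)
                   for i, d in enumerate(data))


def recover(protected: str, tan: str) -> str:
    """Inverse of disguise: subtract the TAN digit by digit, modulo 10."""
    mask = _mask_digits(tan)
    return "".join(str((int(d) - mask[i % SEGMENT]) % 10)
                   for i, d in enumerate(protected))


def _letter_mask(tan: str) -> list[int]:
    """Assumed letter mask: TAN digit pairs 01, 23, ... as two-digit numbers."""
    mask = _mask_digits(tan)
    return [mask[2 * i] * 10 + mask[2 * i + 1] for i in range(ALPHA_SEGMENT)]


def disguise_alpha(text: str, tan: str) -> str:
    """Shift each upper-case letter by its TAN pair, modulo 26."""
    if not (text.isalpha() and text.isupper() and text.isascii()):
        raise ValueError("text must be upper-case ASCII letters")
    pairs = _letter_mask(tan)
    return "".join(ALPHABET[(ALPHABET.index(ch) + pairs[i % ALPHA_SEGMENT]) % 26]
                   for i, ch in enumerate(text))


def recover_alpha(protected: str, tan: str) -> str:
    pairs = _letter_mask(tan)
    return "".join(ALPHABET[(ALPHABET.index(ch) - pairs[i % ALPHA_SEGMENT]) % 26]
                   for i, ch in enumerate(protected))


def demo() -> dict:
    """Constructed inputs: a short field, a 100-digit field that wraps the mask
    twice, and a five-letter field."""
    vital = "000123456789"
    protected = disguise(vital, TAN)
    long_field = "31415926535897932384" * 5
    alpha_protected = disguise_alpha("HELLO", TAN)
    return {
        "protected": protected,                          # "012468024680"
        "recovered": recover(protected, TAN),
        "long_roundtrip_ok": recover(disguise(long_field, TAN), TAN) == long_field,
        "alpha_protected": alpha_protected,              # "IBEAZ"
        "alpha_recovered": recover_alpha(alpha_protected, TAN),
    }


if __name__ == "__main__":
    print(demo())
```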

Future Key Numbers

The future will see further attacks on the key numbers. Corrective steps to future attacks will occur when needed.

Chapter25

SecuringagainstRansomWareandotherMalwarePurpose:Preparetorecognizeandrejectmalware.

Action:Eliminaterecognizedmalware.

WhatisRansomWareandMalware?

Malwareisacomputerprogramthatisdesignedtodounwantedordestructiveactionsnotrequested by the computer user or owner. The malware programs come through theInternet as a routine download. They have a number of other troublesome capabilities.Theyreproducethemselves.TheymakeunauthorizedcopiesandredistributethemontheInternet.Inshort,theyhavetheabilitytoperformmanyundesirableactivitiesasaroutinepartofInternetdownloads.

ThedangersandpossibilityofrecoveringfromRansomWare

RansomWare is malware with the added ability to encrypt or hide vital data and then offer to recover it in return for a demanded ransom. Unfortunately, paying the ransom may not result in recovery of the hidden data. RansomWare comes in many forms but all have the same negative characteristics. These are just more types of viruses found on the Internet.

Malware Defenses:

The most effective response to malware is backing up your data frequently. That requires diligent backup schedules. An even more effective defense is to perform the backup on an external drive that can be disconnected from the Internet when not doing backup. Keeping your operating system up to date will also provide a recovery capability. A good operating system will also include a system restore function to assist in system recovery when attacked.

An important function is to exercise backup even if an attack is not detected. In that way you will build your confidence in your defensive tools.

Chapter 26

Underwriter's Laboratory Secure Transaction Listing

Purpose: Explain UL Role

Action: Obtain UL Transaction Security listing

Who is UL?

UL is an international organization. It sets operating and performance standards for articles used in homes, offices and factories. It offers testing of articles against the standards definition. The testing results are made widely available. Perhaps their most important use is in the Insurance industry, where the results are used to set insurance rates. (See Wikipedia for a more comprehensive discussion of the UL role.)

Transaction Security:

A recent addition to the UL standards is one for Transaction Security. This testing function for chip related products and systems includes:

POS testing

ATM testing

Brand testing

Card personalization testing

Handset testing for network attachment

Mobile secure element testing, and

ISO functional testing.

These tests assure interoperability, a major step preceding productive operation. These steps assure the test candidates that they will meet the requirements of a very competitive marketplace.

More details are available from services.ul.com on the Internet.

Chapter 27

Using Partial SYIU Solutions

Purpose: Describe use of a partial usage solution.

Action: Take advantage of SSS in more situations.

The Usual Situation:

The SPARC Security Solution is designed for use in a complete transaction. That includes initiation, transmission, processing, return transmission and completion. What is an incomplete transaction? For example: initiating a transaction that does not require a completion.

The incomplete transaction, such as a posting of information, is still subject to the Internet challenges. It must still secure a transaction from a Lost or Stolen device. It must still prevent the effective use of an over-heard transmission. It must still prevent the "uploading" of fraudulent applications, malware or viruses to the Application Control Institute.

The other processes that may be partial include IOT, multiple ACI's and payments. Each is handled as the partial transmission process. Since the protection is in the application program, the protection continues until the application is ended, completely or partially.

The objective is to make the application as complete as possible with the SPARC SS protection functions. That assures the maximum survival of the SSS protection functions.

Chapter 28

Complying with Payment Card Industry Data Security Standard

Purpose: Comply with PCI Data SS

Action: Demonstrate conformance.

The PCI DSS Requirement:

Control Objective: Build and maintain a secure network.
PCI DSS Requirements:
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor supplied defaults for system passwords and other security parameters.

Control Objective: Protect cardholder data.
PCI DSS Requirements:
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open public networks.

Control Objective: Maintain a vulnerability management programs.
PCI DSS Requirements:
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.

Control Objective: Implement strong access control measures.
PCI DSS Requirements:
7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Control Objective: Regularly monitor and test networks.
PCI DSS Requirements:
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Control Objective: Maintain an information security policy.
PCI DSS Requirements:
12. Maintain a policy that addresses information security.

Who are the PCI?

They are the major branded credit card schemes of VISA, MasterCard, American Express, Discover and JCB (Japan Card Business).

How does SPARC Security Solutions conform to PCI DSS?

Let's start with a review of the SSS process:

The SSS transaction process starts with DUAL CONTROL. The Smart Phone transaction process starts with (1) two Smart Phone applications; or (2) two smart phones; or (3) a Smart Phone and a Security Device. Those actions create a SPARC Identification Number (the SIN) which replaces the True Account Number for DE-IDENTIFICATION.

The De-Identified message is transmitted via the Internet to the Application Control Institute (ACI), e.g. the bank. The ACI uses DATA BASED CONTROL to recover the true account number. The ACI processes the transaction and reverses the process. A return SIN is computed. The return message is de-identified. The return message has its SIN validated by Dual Control and the transaction is completed.

How has the 12 Step PCI DSS Process been completed?

1. SIN validation before acting creates a firewall.
2. There is no use of a password.
3. ACI stored cardholder data access requires a SIN validation.
4. Encryption is replaced by a De-Identified message.
5. Acceptance is limited to SIN validated messages, hence resisting fraudulent applications, malware or viruses.
6. SPARC Security Solutions offers a secure system for application access.
7. Access to cardholder data requires SIN validation.
8. Each access device and user has a unique SIN.
9. Physical access to cardholder data requires a validated SIN.
10. All access requires SIN validation and identification.
11. User processes allow regular system testing.
12. Installing and using SPARC SS is a clear security process.

Other PCI DSS based Payment Security Offerings

Accertify

ACI Universal

Authorize.net

Braintree

Cybersource

EBAY Enterprise

Paypal

Shopify

Symantec

Thawte

Trust Guard

Vantiv

Summary: The SPARC SS offering is unique. It is 100% compatible with existing transaction security standards and data based controls. It works with all Smart Devices and their operating systems without modification. It uses security processes with over 20 years demonstrated success.

Chapter 29

The Price of NOT Using The SPARC Security Solution

Purpose: Demonstrate Complexity NOT Required by SPARC

Action: Issues Avoided as a Specific Result of Adopting SPARC

Major Bank's Message to Smart Phone accepting merchants:

Beware of Data Compromise as a merchant.

What is Data Compromise?

Steps to take when suspicious of data compromise.

Contain and limit the exposure.

Provide notification to Bank's executive.

Follow legal requirements to government authorities.

What happens during a data compromise investigation.

Forensic investigation.

Report findings.

Identify accounts at risk.

Merchants determine fines and liabilities.

Comply with the PCI DSS – validate PCI compliance.

Is it a Common Point of Purchase (CPP)?

A source of multiple fraudulent transactions.

Where did the fraud take place?

Who reported the fraudulent activity?

What does a CPP do?

What does the bank do for a reported CPP?

Understand your PCI compliance requirements.

Major Bank's message to smart phone using customers:

Don't be fooled by an imposter

Stay away from a hard sell

Don't adopt a pet password

Put up a shield

Use common sense

Open with care

Be on the lookout

Use internal controls

Guard your bank's ID and password.

Protect yourself online

Log on frequently

Understand bank's security provisions.

Understand mobile products and services.

Chapter 30

All Again In Summary

Purpose: Describe a new Smart Device security solution.

Action: Add this application to your smart device.

The Internet Challenges:

Use of the Internet is very attractive. It offers a world-wide, low cost access to the world. However, with the use of Smart Devices it has three serious challenges. (1) The using Smart Devices are Lost or Stolen. That was 50% last year in the United States and higher elsewhere. (2) The wireless transmission from the Smart Device to the Internet interface unit, although only 10 centimeters distance with NFC, along with legitimate downloads, is over-heard and the transmissions are stolen for fraudulent reuse. (3) The Internet use is not secured and often provides downloads of fraudulent applications, malware and viruses, among the legitimate downloads.

Securing a Transaction System:

How do we secure credit card transactions? The secret is two-fold. Each credit card has a forty digit true account number (TAN). That is used to access a data base which contains all the reported transactions for the card. That combines two security techniques. One is a card plus a signature or SPARC SS 6 character PIN code. That is dual control. Second is the compilation of card activity in a data base. This security solution has been used by most card issuers for more than 30 years with losses contained to less than 1% of total sales. (See the latest VISA annual report.)

The Magic 40 Digits:

The 40 digits contain, in card usage, an issuer identification, a unique card number identification and some discretionary data such as the card expiration date. The SPARC Security Solution in a smart device uses a separate security application with a unique security number for each user. This SPARC Security Number (the SIN) is used in the message to the data base in place of the TAN. This process is called De-Identification, based on a US Government patent of twenty years ago. The Dual Control is achieved by requiring a 6 character SPARC PIN entry to the security application. It then provides the SIN to replace the TAN in the transaction message to the data base controller. The SIN carries the SPARC PIN entry for evaluation at the data base and a Transaction Number (TN).

When received at the data base controller, the SIN is used to recover the TAN, validate the SPARC PIN and TN, and the transaction is processed. The return process to the Smart Device reverses the process. In summary, the use of two applications and a SPARC PIN to initiate the transaction prevents the effective use of the smart device if it is lost or stolen. The use of the SIN in place of the TAN prevents an over-heard transmission from being effectively used. Use of the SIN at the data base or in the return message allows the system to separate a genuine transaction, with a valid SIN, from downloading of fraudulent applications, malware or viruses, all of which lack a valid SIN.

This is a patented process. However, individual users are granted a free usage license. Anyone else should contact smartcard@sprynet.com for a low cost license. For a complete description of the process, including protection of important data such as social security numbers, contact us.

A SPARC Security Solutions Glossary

Purpose: Provide the definition of new terms

Action: Provide the terms used in a new application area.

SPARC Security Solutions Report Used Terms:

Apple Pay: An Apple Corporation provided smart device using NFC communications to initiate secure payments.

Attributes: A quality or feature regarded as a characteristic of something.

Bit Stream: A sequence of binary digits sent over a communications path, such as a television show.

BYOD Secure: Securing your own provided device.

Cardware: A style of software distribution.

Cloud: A data center connected to the Internet.

Cyber attacks: An unauthorized security attack on a computer or communications network.

Data based control: Using cumulative account activity to assess account security status or transaction validity.

De-Identification: Removal of elements connecting data with its source. Patented by the US Government.

Dual Control: A security process requiring two processes or actions to gain authorization or to enable a process.

Easypay: A digital payments device or program.

Fraudulent application: A smart device program designed to perpetrate an illegal purpose.

Hacker: One who uses software to gain access to or to cause damage to a computer system or via the Internet.

Identification Insurance: Financial protection against identification theft.

iDoctor: A set of digital tools for use by a physician. (Accessible using YouTube.)

Ipal6: An Apple Corporation provided Smart Device.

Malware: A smart device program designed to be harmful, usually delivered via the Internet.

Marketing manager: A customer definition or sales based action plan director.

Pay: To give value.

PIN: A personal identification number of 4 digits.

PowerPoint: A software program to provide a multiple screen presentation.

Product manager: A device definition or family of devices plan director.

Security: Protection from distortion, abuse or any type of attack.

SIN: SPARC Identification Number. Conforms to the International standard for transaction account number (TAN).

SPARC PIN: A six alphabetical character code for secure application access.

Things: Smart devices that interface to the Internet. Usually with two devices interacting.

Viruses: A smart device program capable of copying itself and corrupting a computer system or destroying data.

SPARC Report terms NOT used:

Authentication: A security process using two means of identification.

Encryption: A key driven data encoding process.

Multiple factor authentication: A security process using more than one means of identification.

Tokenization: Using a random number to replace a True Account Number.