Copyright © 2016 by Jerome Svigals.
ISBN: Softcover 978-1-5144-4967-7
eBook 978-1-5144-4966-0
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the copyright owner.
Any people depicted in stock imagery provided by Thinkstock are models, and such images are being used for illustrative purposes only.
Certain stock imagery © Thinkstock.
Rev. date: 01/19/2016
Xlibris
1-888-795-4274
www.Xlibris.com
733197
CONTENTS
Dedication
Preface
Executive Summary
Chapter 1 Fifty Years of Transaction Security Solutions
Chapter 2 The SPARC Security Solution (SSS) and Process Description
Chapter 3 SPARC Security Solution – As Seen By the SD User
Chapter 4 SPARC SS Revenue Potential (SPARCrev)
Chapter 5 Dealing with Hybrid Environments
Chapter 6 Why You Need this Book
Chapter 7 This is a Smart Device
Chapter 8 The Internet Role In Transactions
Chapter 9 Keyless Retail Transactions
Chapter 10 SPARCpay
Chapter 11 Securing an “Internet of Things” (IOT)
Chapter 12 SPARC Health
Chapter 13 Implications of Introducing Internet security
Chapter 14 Good reasons To De-Identify
Chapter 15 SPARC Bit Stream Processing
Chapter 16 SPARCloud Security Solution
Chapter 17 Securing Unsolicited Messages
Chapter 18 Introducing SPARCoogle – a Free Security Service
Chapter 19 SPARC Security Solutions Questions and Answers
Chapter 20 Use of Prior Security Solutions, Standards, Programs
Chapter 21 Summary of SPARC Security Solution Patents
Chapter 22 SPARC Security Solution Smart Device Simulation
Chapter 23 SPARC Security Solutions versus Foreign Hackers
Chapter 24 SPARC Security Process Key Numbers (SIN and TN)
Chapter 25 Securing against RansomWare and other Malware
Chapter 26 Underwriter’s Laboratory Secure Transaction Listing
Chapter 27 Using Partial SYIU Solutions
Chapter 28 Complying with Payment Card Industry Data Security Standard
Chapter 29 The Price of NOT Using The SPARC Security Solution
Chapter 30 All Again In Summary
A SPARC Security Solutions Glossary
Dedication
Purpose: Identify individuals Assisting Us.
Action: Show appreciation.
A Dedication
As a 22 year old engineer in an 88 year old body, let me first thank the group of professionals that keep me alive and well. They include Drs Gary Aron, Bruce Benedick, Pardis Kelly, Philip Ng and (Mrs) Blanca Vargas of the Powerhouse Gym in Redwood City, CA. Also, many thanks to patent attorney Ed Radlo of Radloip, Los Gatos, CA.
Preface
Purpose: Provide an Introduction to this Book.
Action: Provide background necessary to use this book.
Purpose of this book: The transaction world is quickly evolving from an era of electronic transactions, based on plastic cards and readable checks, to a new era of smart device transactions, based on hand-held, communications based, stored program operated, transaction devices (Smart Devices) communicating via networks, primarily the worldwide Internet.
This book is intended to help you understand the use of Smart Devices on the Internet in preparing for the Internet security challenges. It is intended to introduce you to the Internet and its role in the Smart Devices era.
Smart Devices Concepts
The handheld communicating smart (programmed) device has introduced a new way of life. It offers walking and traveling conversation. Stand on any street corner, in any city at any time of the day and you will observe all classes of society going by with a handheld communications device being held next to their ear. Usage statistics claim more than 80% of the world’s population have access to and use a communicating phone-like device. Their use ranges from socializing and safety to commercial and financial activities. The users range from 8 or 10 years old to immobile senior citizens seeking social interaction and a substitute for physical motion.
Smartphone Based Financial Transactions:
The Smartphone is a hand-held, internet based, stored program computer which includes cell phone functions.
The Internet is a worldwide network of computer based communication systems, using a common information protocol. Market migration to an all electronic, Smartphone based, financial transactions concept will have significant impact on conventional banking facilities. It will impact the physical attributes of the bank branch.
Branch bank tellers for face-to-face transaction processing will disappear as they are replaced by remote smart device, communications based, self service transactions. It will significantly change the role of branch banking personnel. It will reduce physical efforts such as mail delivery and processing. It will replace physical money and check needs with network/electronic based secure functions and strategies. Visits to the “branch” for transactions will be accomplished electronically. The business of Smartphone based banking will be 24/7. Successful bankers will need to move rapidly to keep up with the rapidly changing, remote, electronic functional environmental marketplace.
Forces for Change
The forces for migration of the bank to a Smartphone based role change will include: (1) the rapid growth of cell phones and Smartphones as the prime vehicle of individual communications, and their replacing transaction cards; (2) the role of the Internet as the dominant world wide communications network in almost all industries including bank, health, retail, education and government; (3) the disappearance of paper in the bank industry, including the growth of electronic money, check images, and remote/interactive self service; and (4) the migration of bank based Smartphone systems from stand alone facilities to Cloud systems with the removal of all geographic and physical boundaries. A Cloud system is the user’s portion of a larger, internet based, remote computer system.
Mobile Banking with Smartphones
Mobile banking is the use of a portable communications device to access and use financial services. This concept is well established with the use of wireless phones to find bank account balances and their status. As portable communications devices evolved into Smartphones, portable computers that allow phone calls, their banking functions are further increasing in sophistication. For example, Smartphones are now being used to capture and transmit check images for electronic deposits. The portable device also runs banking applications. For example, they can be used to calculate currency conversions and mortgage loan tables. Self service is the direct benefit of forty years of magnetic striped card based self service banking.
The Internet
The Internet, a world-wide communications network, allows access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. The three most challenging are (1) preventing the misuse of lost or stolen smart devices; (2) preventing the effective use of overheard transmissions; and (3) preventing the downloading of fraudulent applications, Malware or viruses. Since there is no central authority dealing with these security exposures, the users must ensure that they are protecting Internet plans and banking activity programs. Their actions must protect your Internet plans and programs. Please take this note of caution very seriously. There are security tools to protect your Internet actions. Your goal must be to use them effectively. They are the SPARC Security Solutions.
Executive Summary
Purpose: Provide a summary of this Book.
This report is intended to help you understand the use of Smart Devices, e.g. Smartphones, on the Internet in preparing for “Securing Your Internet Use”. It is intended to introduce you to the Internet and its role in the Internet based transactions and “Internet of Things” era.
The Internet
The Internet allows access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. Since there is no central authority dealing with these security exposures, the users must ensure that they are protecting Internet plans and banking activity programs. Their actions must protect your Internet plans and programs. There are security tools to protect your Internet actions. Your goal must be to use them effectively.
Card and Check Migration
Physical check entry to the bank disappeared with the advent of check image capture in ATM’s, cell phones and Smartphones. However, the real test is the process by which the individual originates a “check-like” based payment. The payment needs to identify the payer and the payee. Where bills are being paid, the payee is identified by the demand for payment. The optical image feature of the Smartphone can be used to capture that data just as it is used to capture check images for processing.
The Plastic Card Equivalent Transaction
Use of the mobile banking device as a magnetic striped card equivalent signal source requires a wireless transmission from the mobile banking device to the signal accepting unit. A NFC (Near Field Communications) signal is emitted by the mobile banking device. The mobile banking device displays multiple striped card equivalent type designations. A record is captured in the mobile banking unit for later reference, if needed. The acceptance device processes the “card-like” transaction into the banking system. The variable amount of the transaction is added to the signal transmitted in the NFC signal to the accepting device. The complete transaction data is then processed by the banking system.
Smartphone and Cloud Computing
Smartphone based Cloud computing is the delivery of common Smartphone based bank transaction business computer applications from a remote facility, online, through the Internet. These Smartphone based applications are accessed with a Web Browser. It uses software and data stored on servers (computer subsystems). The bank Cloud user rents a portion of the Cloud infrastructure from a third party. These Smartphone based Cloud processes reduce cost to the bank by sharing the Cloud computer power and resources. The bank does not have to provide added capacities for peak loads. The user must be concerned about the security of Cloud stored information and its protection.
Bank Organization of 2020
The primary, government-licensed, bank functional units (teller, loan and payments) will be the same in 2020. The primary changes of 2020 will be in the implementation of each transaction. The former implementation with paper based, manual processing and local handling will be replaced. They will be replaced by Smartphone based “electronic paper”, transaction processing and remote Internet based processing. This will be achieved by the use of mobile transaction devices, use of the world wide Internet, and electronic logic implementation smart devices.
Internet Bank Accounts and Transactions
The all electronic bank of year 2020 will use the Internet to provide bank account records, access and all “branch” type functions and transactions for customers using the Internet. Smartphone based access to the 2020 bank, with all electronic accounts, will start with the URL (Internet address) of the Web page assigned to each customer’s account. An explicit URL will be a unique Web page address for each customer’s bank account. The customer’s Web page, in turn, will provide direct access to all bank relations for that customer.
What is a Smartphone?
The simple, handheld, portable telephone has evolved into a handheld computer, Internet based, and providing phone functions. It is the result of decades of electronic component functional growth and physical size reduction. The simple, hand-held, portable telephone has evolved to a compact, fist-sized, computer capable of 95% of the function of your desk top computer. Its portability reaches any place you can contact cellular phone electromagnetic signals. Its computational ability exercises any programmable computer application within the capability of its operational program system. In other words, the room full of computers in past decades now operates efficiently in your palm as a Smartphone. Furthermore, it has a full display, a keyboard, an operating system and communications interface.
Credit Card on a Phone
The Smartphone uses NFC (Near Field Communications) capability to communicate with a transaction acceptor. The Smartphone is brought within 4 inches (or 10 centimeters) of the acceptor. Select card equivalent information. Initiate the emission of a selected transaction card. This is equivalent to swiping a magnetic striped transaction card through a card slot reader. To enable this transaction, the Smartphone contained application is opened with keying in a PIN, a personal identification number. The application allows loading the equivalent of multiple account information (card equivalents), within one Smartphone. This multiple account facility is used now in Southeast Asia countries and is spreading around the world. The NFC function allows two way communications. However, payment transactions are one way with account number going to the acceptor.
Visa has tested this function in the United States and Southeast Asia.
Smartphone Applications
An application is a software program designed to produce a specific result or solution to an identified need. It may also be a computer configuration (input, computation and/or result use) designed to achieve a specific result. An application solution may also be the use of Smartphone functions and features designed to achieve a specific result.
Select and Execute an Application Program
Access the Smartphone’s application directory for descriptions, prices, capacity requirements for storage and execution, display logo, network attachment, and performance needs. The selected applications are downloaded to the Smartphone. An identifying logo is displayed for later selection and execution. There are more than 400,000 Smartphone applications depending on the Smartphone and operating system you are using. To illustrate the range of applications, there is a list of the “must-own” Smartphone applications.
Familiarization (Based on the BlackBerry Smartphone).
Find the “On” button. It is generally in the lower right corner with a sun-like icon. It may also be a button in the upper left corner. When the button is depressed the screen becomes illuminated. The keyboard also becomes illuminated. Identify the speaker, microphone and earphone connection socket. On the reverse side find the removable cover for the battery and SIM card. The SIM card contains the information giving you access to a carrier and to a specific phone number. Moving the SIM card to another Smartphone gives it access to the identified phone number and carrier. Welcome to the world of thumb typing. Your thumbs enter information while the other fingers support the Smartphone.
Smartphone Politics.
The fast and successful pace of Smartphone usage growth attracts a number of interested parties, especially those associated with previous technologies and market entries.
All of the instruments associated with earlier solutions of the payment and marketing solutions will be impacted. Financial transaction cards, Smart Cards, ATMs, conventional retail marketing solutions, telephones, paper money, face to face Financial branch transactions and the conventional cash Register will all be impacted by the mobile Smartphone.
Aggressive, former industry groups will carve out a role for themselves in this transition. For example, if their prior solution used integrated circuit chips, they will use that as evidence that they should automatically have a key role in the subsequent developments. That may not be entirely wrong. The Smartphone era will need standards.
The Unbanked and the Underbanked
Unbanked refers to any household or individual that does not make use of a financial institution for any type of financial or banking service or transaction. Underbanked are small businesses with access to financial services but do not use them. The Unbanked are reported as 10% of USA population. Underbanked are reported at an additional 15% of the USA population. These are currently reported as 28 million plus 45 million people. Both groups, the Unbanked and Underbanked, spend $130 million per year on alternative but relatively expensive financial services. These include check cashing services, pay day loans and money transfer services. Both have been seen as future business opportunities by most bankers.
New Smartphone Banking Role and Revenues
A remarkable characteristic of the Internet is the amount of free material available to anyone. Some providers, like Google, have evolved a plan to get advertisers to pay for the free results provided to its users. That is very much like the payment by advertisers for free radio broadcast programs which clearly identify the sponsor. However, it is expected that some web providers in the future will expect payment for their content. Bank services are paid for by the bank’s customers in the form of loan and mortgage payments and the use of deposits.
Micropayments
Future bank services may need transaction payment amounts which are smaller in value. Similarly, Internet providers will need to avail themselves of techniques for collecting a larger volume of smaller amounts in payments.
Smartphone Economics 2020
The bank of 2020 will be considerably different with staff use and facilities. That will not necessarily reduce the cost of providing the bank. There will be major changes in the mechanization and supporting personnel. The physical branches’ size will decrease significantly. However, there will be expenses associated with smaller service facilities and remote Cloud facilities. There will be more expenses associated with maintaining the software and databases needed to support the new branch equivalent virtualization structure. Moving to the all electronic bank will also move the bank to a 24 hour, seven days per week response organization. The bank structure will be much more unattended. However, that requires operating facilities, power on, with fully operable communications and network services. Money will go into facilities to support this type of operation, their operating and maintenance staffs.
Security Architecture
As an Internet user, you must understand your own requirements. As a user, you must provide key information such as credit card numbers. The merchant provides important information in the form of receipts and payment information. Vital data flows in both directions. Hence, your security objectives must describe your possible exposures and your planned responses. A security approach must be selected, implemented and the response evaluated for adequacy. Any solution will involve tradeoffs. The user must decide where to draw the line between expense and security adequacy.
PCI Security Standards Council
The Payment Card Industry Security Standards Council was founded by five global payment organizations. They are American Express, Discover Financial Services, JCB (Japan Card) International, MasterCard Worldwide, and Visa Inc.
The PCI DSS has six major objectives. A formal information security policy must be defined, maintained, and followed at all times and by all participants.
Who is Who in Smartphone Based Mobile Banking
This is a list of software suppliers at the time this report was prepared. It is important to repeat a search of the Internet for the most recent list when you are preparing to use this information. This is a fast moving industry. Only the most current of search results will provide you with a current list of software suppliers.
Keyless Internet Processes
Forty years experience with magnetic striped cards, used with self service units ranging from mass transit to Automatic Tellers, demonstrates why 80% of the world’s population is implementing self-service transactions in all industries. By contrast, 72% of our population are shopping on the Internet, but only 15% shop with multiple vendors. The need is for a “Keyless Internet Transaction” structure which can be understood and repeated with ONE use. That was the prime success factor for magnetic striped card use. The “keyless” process is demonstrated.
Traveling with a Smartphone
Historically, traveling meant leaving your entertainment devices at home – your music, your books, your reference materials, your movies and your TV. Today, they all travel with you, thanks to the Smartphone and networks. In addition, your Smartphone provides important assistance on your travels.
Smartphone User interface
The Smartphone display is the principal interface to the user. Its goal is to quickly communicate to the user the nature of the application and to enable quick user response for option selection, information entry and action initiation. As stated previously, the goal of effective user interaction is to achieve a “Learning Curve of One”. The Smartphone display is probably the single most important element needed to achieve the “Learning Curve of One”. This guide will try to provide suggestions to make more effective use of the display. They will highlight those display characteristics needed to aid in achieving that goal.
PCI-DSS Payment Card Industry – Data Security Standards
The Payment Card Industry (VISA, MasterCard, American Express, Discover and JCB (Japan Card Banks)) lists 12 requisites to maintain the security of payment card based transactions. The 12 requirements are in 6 areas, all of which are provided by the SPARC Security Solutions.
The Price of Not Using the SPARC Security Solutions
The price is two-fold. One is the requirement to investigate and understand the various attacks on the starting information content. There is the need to maintain the starting information content in a useable form. The second need is to continually educate card holding customers to their potential attacks. The card holders need to maintain continued vigilance against attacks and that takes education and technical support. Securing the Internet Use removes an important subset of attacks, hence reducing demands for card holder education and continued protection.
Changes and Banks
The bank’s five year plan will continue to be a critical element of a successful bank strategy. However, experience dictates that any plan is valid only until its next annual review. Changes are introduced by the innovative bank leaders. New concepts emerge. Technology, information systems, delivery alternatives and applications move on to their next phase. Transaction scenarios adjust to market demands.
The secret of preparing for the future is to take today’s best estimate and adjust annually to any reasonable and desirable change. The same applies to your plan. Results should be compared with the projected plan, and marketplace movement compared with your planning assumptions. In both the plan and its building blocks, the important need is to adjust activities to market realities.
The customer interface will continue to be the crucial link in transaction success. That interface in 2020 will be as different as it was in prior decades. Think back and compare the differences. The changes are accelerating and the role of the banker is to stay ahead of the change process. To be forewarned is to be forearmed. The task is to recognize change for what it is - the demand for defining “customer convenience” and “business goals” content in a new time frame with improving technology.
Chapter 1
Fifty Years of Transaction Security Solutions
Purpose: Review Transaction Security Solutions Evolution
Action: Use the history to shape future efforts.
The Start:
The media based transaction device started in the late 19th century with the use of paper business cards for identification and transaction billing. Authorization of transactions in this formative period was via personal phone calls to a clerk in the card carrier’s organization. The era of large volume machine readable transaction cards started later with the magnetic striped card development in 1966 and their first large scale market use in 1970. The first 250,000 magnetic striped cards were used in an airline ticketing test at O’Hare airport, Chicago, Il., in the first quarter of 1970. The cards were used in a pioneering self-service reservation and ticketing machine, from the IBM Advanced System Development Division, Los Gatos, CA at American Airlines with American Express magnetic striped plastic credit cards. Unfortunately, those striped cards cost more than $2.25 each to produce.
The Technology Selection:
The card developers quickly recognized a development dilemma. The card developers had to produce a single card solution that would work with both alphabetically accessed airline records and numerically based bank record access. Magnetic stripes were the only technology that had a multiple track capacity and a recording density capable of accommodating those multiple industry requirements. At the same time, the magnetic stripe was easily read and re-recordable. Security solutions such as encryption were quickly rejected due to their complexity and large execution time, the added Smart device expense and time required for a key based encryption process. The magnetic striped card plus a signature provided a two factor, dual control, security solution. Tokenization and de-identification techniques came later. Tokenization required a second device for transaction origination. De-identification used a process to hide the true identification of a message in transmission.
Data Based Control:
Use of a centrally maintained database with consolidated activity recording became the preferred security solution for magnetic striped cards. More than thirty years of positive database control experience has confirmed that original projection. During that period a new machine readable media technology was introduced every decade. The plastic card without stripes was used in the 1970s. The stripe was still too expensive. By the 1980s the striped card cost had fallen to an acceptable level, e.g. $0.25 each, with high volume production that allowed its mass distribution and use. The early 1980s also witnessed the introduction of large authorization networks by Visa, MasterCard and other card issuers. Their networks were designed to allow on-line point-of-sale units to connect directly to the databases maintained by card issuers. The databases collected all transaction values and locations. Simultaneously, in the early 1980’s the Smart Card, with an embedded microcircuit chip, was being developed in Japan and Germany.
Enter the Smart Card:
By the mid 1980s the North American based card associations’ networks faced a decision. Stay with their magnetic striped cards and their recently installed on-line networks, or migrate to the Smart Cards. Studies showed that a switch to Smart Cards, with their built-in PIN validation process, would reduce installed network use by at least 75% since the Smart Card provided local PIN validation. In North America the card networks opted to stay with magnetic stripes and their on-line networks. Outside North America the card issuers concluded that their less than perfect network performance dictated switching to Smart Cards with their local Smart Card based, PIN based, authorization for most transactions.
The Cell Phones Arrived:
The next decade (the 1990’s) saw the introduction of the cell phone with its voice based authorization and the start of the Internet. The first decade of the smartphone followed with the development of Internet based shopping. The 2000’s witnessed important changes in industry direction. With Smart phones, the consumer provided the infrastructure, the application programs and the Near Field Communications or Wi-Fi communications technology between the customer’s device and the merchant’s POS unit, which could be another smartphone.
The North American Magnetic Striped Cards Continued:
Much to the amazement of the original magnetic striped card developer, striped card use continued in the United States into the 2010’s decade. It lasted that long for two reasons. It provided a high volume use for the elaborate and expensive authorization networks. The other reason was that the database controlled authorization system continued to provide adequate overall transaction security. Yes, there were successful attacks and losses, but a few percentage loss of total dollar sales volume was considered small and an acceptable cost of doing business. See an annual VISA report for specifics.
The New Challenges:
Along with the smartphone and the Internet came a new set of challenges. These included lost or stolen Smart Device units, over-heard transmissions and downloading on the Internet of fraudulent applications, malware and viruses. Unfortunately, the protections to date have been piecemeal solutions, e.g. encryption, after the fact device location or content erasure, and antivirus software. A recently patented security solution, the SPARC Security Solution ©, has introduced a new comprehensive transaction methodology security solution that does not use conventional PINs, passwords or encryption. However, it protects against all three Internet based security challenges.
The SPARC Security Solution:
The patented SPARC Security Solution combines three security techniques used successfully for more than 20 years. These are Dual Control, De-identification and Data Based Control. The three solution combination solves all three security challenges – Lost or Stolen smart device units, Over-heard transmissions and Downloading of fraudulent applications, malware and viruses – all without the use of conventional PINs, passwords or encryption. More information about the SPARC Security solution follows in this book.
Fifty years of progress has produced great progress in transaction security, speed and economics. However, sufficient challenges remain to seek further evolution of the responses to market needs for the next 50 years of transaction methodology evolution.
Chapter 2
The SPARC Security Solution (SSS) and Process Description
Purpose: Provide a complete SSS process description
Action: Use to examine all SPARC SS options:
The SPARC Security Solution combines three proven security solutions (using a financial transaction sample):
Note: Steps added by the SPARC Security Solution are preceded by an #. Steps in the application program are denoted by a %.
1. Dual control:
Open the financial transfer transaction.
Enter the required fields:
Transfer to account number.
Enter amount.
# Enter the SPARC PIN of six characters.
%# The application generates the SPARC Security Number (the SIN):
%# The application unique identification number.
%# The Transaction number, as stored in the app.
%# The SPARC PIN is added to the true account no. (TAN)
2. De-Identification:
%# The SIN replaces the TAN in the transaction message.
The transaction is transmitted via the Internet.
The transaction arrives at Application Control Institute (ACI).
3. Data Base Control:
%# The SIN is extracted and accesses the TAN database.
%# The TN of the SIN transaction number is validated.
%# The SPARC PIN number is extracted and validated.
The TAN is used to access the account database.
The transaction is processed.
The updated database record is stored.
The return confirmation transaction message is prepared.
%# The return transaction number (TN) is prepared.
%# The return SIN is prepared and inserted in the message.
4. De-Identification
The return Transaction message is transmitted.
The transaction arrives at the originating smart device.
5. Data Based Control.
%# The SIN is extracted.
%# The Application validates the return SIN.
%# The transaction number TN is extracted and validated.
The transaction is completed.
Potential attacks:
Lost or stolen unit lacks SPARC PIN.
Overheard transmissions have incorrect SIN TN.
Downloading fraudulent apps, malware or viruses lack proper SIN.
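The five-step exchange above and the three "Potential attacks" it is meant to stop, run as a small Python simulation. This is an added example written for this page; it is not the book's, the patent's, or any vendor's code. The chapter does not specify field widths, how the SPARC PIN is "added" to the TAN, or how the transaction number (TN) is managed, so the example assumes fixed-width decimal SIN fields, addition modulo 10**10 for the PIN/TAN combination, and a per-application TN counter that the ACI accepts once and in order. The application id, account numbers, PIN and balance are constructed sample values. demo() runs one legitimate transfer and then each of the three attacks, returning which check rejected it.

```python
"""Simulation of the Chapter 2 SIN exchange (added example, not the book's code).

Assumptions the chapter does not spell out: fixed-width decimal SIN fields,
PIN 'added' to the TAN as addition modulo 10**10, and a per-application
transaction number (TN) that the ACI accepts once, in order.
All account numbers, PINs and balances are constructed sample values.
"""
from dataclasses import dataclass, field

APP_ID_DIGITS = 6          # assumed field widths
TN_DIGITS = 6
TAN_DIGITS = 10
MOD = 10 ** TAN_DIGITS     # the chapter's SPARC PIN is six characters; here six digits


def make_sin(app_id: int, tn: int, tan: int, pin: int) -> str:
    """%# steps: SIN = application id | TN | (TAN + PIN) mod 10**10."""
    masked = (tan + pin) % MOD
    return f"{app_id:0{APP_ID_DIGITS}d}{tn:0{TN_DIGITS}d}{masked:0{TAN_DIGITS}d}"


def split_sin(sin: str) -> tuple[int, int, int]:
    """Cut a SIN back into (app_id, tn, masked); ValueError if malformed."""
    if len(sin) != APP_ID_DIGITS + TN_DIGITS + TAN_DIGITS or not sin.isdigit():
        raise ValueError("malformed SIN")
    a = int(sin[:APP_ID_DIGITS])
    t = int(sin[APP_ID_DIGITS:APP_ID_DIGITS + TN_DIGITS])
    return a, t, int(sin[APP_ID_DIGITS + TN_DIGITS:])


@dataclass
class AccountRecord:
    tan: int            # true account number, kept in the ACI's TAN database
    pin: int            # SPARC PIN registered for this application instance
    balance: int
    next_tn: int = 1    # the only TN the ACI will accept next


@dataclass
class ACI:
    """Application Control Institute: the data base control steps."""
    records: dict[int, AccountRecord] = field(default_factory=dict)

    def process(self, message: dict) -> dict:
        try:
            app_id, tn, masked = split_sin(message["sin"])
        except ValueError:
            return {"status": "rejected", "reason": "malformed SIN"}
        rec = self.records.get(app_id)      # the SIN accesses the TAN database
        if rec is None:                     # fraudulent app: no SIN on file
            return {"status": "rejected", "reason": "unknown application id"}
        if tn != rec.next_tn:               # replayed (overheard) message: stale TN
            return {"status": "rejected", "reason": "transaction number not valid"}
        if (masked - rec.tan) % MOD != rec.pin:   # lost/stolen unit: wrong SPARC PIN
            return {"status": "rejected", "reason": "SPARC PIN not valid"}
        if message["amount"] > rec.balance:
            return {"status": "rejected", "reason": "insufficient funds"}
        rec.balance -= message["amount"]
        rec.next_tn += 1                    # this TN is spent; a copy now fails
        return {"status": "confirmed", "amount": message["amount"],
                "sin": make_sin(app_id, rec.next_tn, rec.tan, rec.pin)}


@dataclass
class SmartDevice:
    app_id: int
    tan: int            # the customer's own account number; never placed in the message
    next_tn: int = 1

    def build_transfer(self, to_account: int, amount: int, pin_entered: int) -> dict:
        """Dual control (PIN entry) and de-identification (SIN replaces TAN)."""
        sin = make_sin(self.app_id, self.next_tn, self.tan, pin_entered)
        return {"sin": sin, "to_account": to_account, "amount": amount}

    def accept_reply(self, reply: dict, pin_entered: int) -> bool:
        """Device-side data base control: validate the return SIN and TN."""
        if reply.get("status") != "confirmed":
            return False
        app_id, tn, masked = split_sin(reply["sin"])
        ok = (app_id == self.app_id and tn == self.next_tn + 1
              and masked == (self.tan + pin_entered) % MOD)
        if ok:
            self.next_tn += 1
        return ok


def demo() -> dict:
    """One legitimate transfer, then the three attacks the chapter lists."""
    aci = ACI({123456: AccountRecord(tan=4000123456, pin=271828, balance=500)})
    device = SmartDevice(app_id=123456, tan=4000123456)
    out = {}
    msg = device.build_transfer(to_account=4000987654, amount=120, pin_entered=271828)
    out["legitimate"] = device.accept_reply(aci.process(msg), 271828)
    # (1) lost or stolen unit: the holder does not know the SPARC PIN
    stolen = SmartDevice(app_id=123456, tan=4000123456, next_tn=device.next_tn)
    out["wrong_pin"] = aci.process(stolen.build_transfer(4000987654, 50, 111111))["reason"]
    # (2) overheard transmission: a copy of the earlier message reuses a spent TN
    out["replay"] = aci.process(msg)["reason"]
    # (3) fraudulent application: no record on file for its application id
    rogue = SmartDevice(app_id=999999, tan=4000123456)
    out["rogue_app"] = aci.process(rogue.build_transfer(4000987654, 50, 271828))["reason"]
    out["balance"] = aci.records[123456].balance
    return out


if __name__ == "__main__":
    print(demo())
```

Run it with python3 to print the result of demo(). The ACI advances the expected TN only after a confirmed transfer and the device does the same only after validating the return SIN, so the two sides stay in step; a copy of an earlier message is refused on the TN check before the PIN is even examined, which is the "incorrect SIN TN" case in the list above.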
SPARC Security Solutions attributes:
100% compatible with existing standards and databases.
Allows use of previous programs, databases and devices.
Useable with any smart device and its operating system.
Does not use passwords, conventional PINs or encryption.
Lack of encryption allows use of lower cost smart devices.
# Minor application changes to provide and validate SINs.
Easy to understand with compatible standards format.
Doesn’t require purchase of piecemeal security packages.
Allows use of lower cost Internet network.
Significantly reduces education needs for security functions.
Allows advertising security by SPARC Security Solutions.
Note: There are a number of database systems available on the Internet for initial system installation.
Chapter 3
SPARC Security Solution – As Seen By the SD User
Purpose: Demonstrate the SPARC SS simplicity
Action: Follow the SPARC Security Solution Transaction Process
Introduction:
Use a conventional Smart Device with an Android Operating system. Select a transaction application for a designated industry. For example, a financial transaction to transfer funds from your account to another account with the same bank.
Input to the Selected Transaction:
The application requests three entries. These are (1) The pay to account number, (2) The Dollar amount to be transferred, (3) Your six character SPARC PIN Code.
You transmit the transaction.
Almost immediately you receive the confirmation message from the bank. This includes a copy of the line entry. The same line entry appears in your monthly transaction report.
Chapter 4
SPARC SS Revenue Potential (SPARCrev)
Purpose: To Identify the SPARC Security Revenue Potential
Action: Establish and Realize the SPARCrev
The Opportunity:
There are a wide variety of revenue sources from SSS application. Here are examples:
Offer New Services:
Secure vital data in files, DBs and transmissions.
Offer secure Internet use services.
Prevent Internet fraudulent downloading.
Secure “Internet of Things” installations.
Protect against misuse of lost or stolen smart devices.
Establish secure internet electronic post office.
SPARCoogle for security info, advertising income.
Eliminate Costly Piecemeal Solutions:
Eliminate encryption, anti malware, firewalls.
Eliminate kill switches and recovery packages.
Improved Smart Devices Design:
Cheaper units, smaller memories, slower speeds.
Add internet interface isolation buffers.
The SPARCrev attack prevention opportunity (an example):
This service protects an individual’s Internet service from (1) effective use of a lost or stolen smart device; (2) use of overheard transmissions; and (3) downloading of fraudulent applications, malware and viruses.
The attack prevention service suggested costs $1 per month per email address and $0.02 per Internet transaction. The economics of this new and important service follows:
Wikipedia; Internet Available Statistics (from authoritative industry sources footnoted in Wikipedia):
The world’s population: 7.22 Billion
Internet Users: 3.04 Billion
USA Internet Users: 0.28 Billion
Internet transactions per user: 12,500/year (1,042/month)
Assume 10% USA penetration: 28 Million users
Revenue at $12/user/yr ($1/month/user): $336 million annual charge
Revenue at $0.02/transaction: $7.0 Billion
Total USA Revenue: $7.3 Billion per year
Outside the US worldwide Internet users:
Assume 1% penetration: 28 Million Users
Total Non USA Revenue: $7.0 Billion per year
That is $14.3 Billion per year with only 10% penetration of USA Internet users and 1% outside the USA willing to pay a small amount to obtain secure attack prevention Internet usage. That is (1) no effective use of lost or stolen Smart Devices; (2) no effective use of over-heard transmissions; and (3) prevents downloading of fraudulent applications, malware and viruses.
SPARCrev Revenue Attributes and Implementation
More important, this revenue is produced without branch offices, without a sizable marketing organization and without the need for a sizable implementing organization.
This arrangement is easily set up. Use the client's usual email address for the service. When received, the email message is scanned with an anti-malware detection program. The volume of transaction activity is recorded for automatic billing/payment. The clean email is then forwarded with a SPARC Identification Number to a second email address set up to receive clean email from this service. That arrangement can be established on a totally automatic and remote basis.
The other SPARCrev attributes include:
No conventional PINs, passwords or encryption are required. That allows the use of less expensive smart device units, compatible with current transaction standards. Dropping encryption allows the use of a slower, reduced-memory smart device. This creates a "Secure Internet Operation" while using existing system communications and database products.
SPARCrev appears to be the only comprehensive security solution available.
No smart device or operating system modification is needed.
The SPARC Security Solution is easily added to existing systems. The SSS works with all smart devices and their operating systems. The SSS is based on security techniques with more than 20 years of installed experience. This solution (and patents) work with all industry transaction systems, the "SPARC Internet of Things" and unsolicited transactions.
SSS provides BEFORE-the-fact lost or stolen device protection. Most industry solutions work "AFTER the fact". It is easily understood and implemented. It is patented, with alternative implementations. It secures Internet use and also the "Internet of Things". This avoids the need for piecemeal solutions, e.g. encryption; SSS thereby also avoids encryption key management issues.
The information by-product: the anti-malware scanning process provides a wealth of useful information: types, sources and traits.
Chapter 5
Dealing with Hybrid Environments
Purpose: Describe the approach to securing hybrid environments.
Action: Apply for a patent to secure hybrid environments with SSS.
What is the Hybrid Environment?
We live in a very complex society. Amazon Books lists 250,000 books on the Internet; 25,000 of those books pertain to Internet security. There are many proposed solutions. Some are very narrow, single-problem solutions such as encryption. Others discuss "Before the Fact" solutions, which prevent a problem before it occurs. Others discuss "After the Fact" solutions such as "kill switches" or stolen device tracking. Some solutions are installed; others are yet to be installed. Some security solutions are focused on one industry's needs, such as banking or retail. Others focus on functional system security needs such as "transaction" or "Internet of Things" systems. There are other alternatives based on providers or historic achievements. One further factor forces a hybrid environment: it takes time for a complete security solution to be installed in a geographically dispersed or multiple-location organization.
Dealing with Hybrid Environments
This environment is dealt with in one of two ways. One is to keep an inventory of known security solution participants. Those are the "easy" participants with whom to deal. The second approach, for the rest of the potential population, is to use an inquiry-based communication.
The SPARC Security Solution interfaces to a variety of usage situations. These include:
Transaction systems dealing with an application control institute (ACI), e.g. a bank with a database-based control system. This solution generates and uses a SPARC Identification Number (a SIN). The SIN consists of the security application's or device's unique number.
"Internet of Things" systems, dealing with an Internet-connected source or recipient, with each source or recipient interfaced to the Internet through a SPARC SS chip or a logic device. That chip/logic device relies on an inventory of known recipients and a synchronized time test of the transaction receipt.
Smart device to smart device transfers. These are secured with the same concept as used with the "Internet of Things", namely an inventory of known recipients and a time-synchronized reception test. In this process, unsecured smart devices fail the security test and their messages are isolated until they join the security process. They may be communicated with in an unsecured process, but by then their exposure is known, "before the fact".
In addition to the various types of security environments, there are several added security issues. Namely, solution details and algorithms are used to generate the SIN and TN. Allowing a thief to order these applications should NOT provide access to the SPARC Security Solution implementing know-how. There is also the need to protect vital data in the messages, including government and other key numbers or data. These protections are achieved by these steps:
1. The TN generation occurs only in the protected area of the ACI database system. When generated on demand, it includes a "time of issue", as with the IOT security process. That result goes to the unsecured recipient and is then returned to the ACI, where it is time-interval checked.
2. Vital data is protected by adding the 40-digit true account number (TAN) to the vital data using absolute arithmetic (digit-by-digit addition with no arithmetic carries). The TAN is not carried in the message. Hence, an overheard transmission does not expose the vital data directly.
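The digit-wise, no-carry addition of step 2, as an added example that is not the book's or the SPARC patents' own code. It assumes that "absolute arithmetic (no carries)" means each decimal digit is added modulo 10 independently of its neighbours, that the vital data is a decimal string no longer than the TAN, and it uses a constructed sample TAN. It also shows the check a practitioner would run before relying on the scheme: because the arithmetic is linear, two messages masked with the same TAN let an eavesdropper compute the digit-wise difference of their vital data without knowing the TAN, so a fixed TAN must not be reused as the mask across messages.

```python
"""Digit-wise, no-carry masking of vital data with a 40-digit TAN.

Added example, not code from the book or the SPARC patents. Assumptions:
 * "absolute arithmetic (no carries)" means each decimal digit is added
   modulo 10, independently of its neighbours;
 * the vital data is a decimal digit string no longer than the TAN;
 * SAMPLE_TAN is a constructed value; a real TAN lives only at the ACI.
"""

SAMPLE_TAN = "3141592653589793238462643383279502884197"  # constructed, 40 digits


def _check_digits(s: str, name: str) -> None:
    """Reject anything that is not plain ASCII decimal digits."""
    if not (s.isascii() and s.isdigit()):
        raise ValueError(f"{name} must contain decimal digits only")


def mask(vital: str, tan: str = SAMPLE_TAN) -> str:
    """Add the TAN to the vital data digit by digit, discarding carries.

    The vital data is right-aligned against the TAN, so the masked field is
    always exactly len(tan) digits and reveals nothing about the data length
    beyond the fixed field width.
    """
    _check_digits(vital, "vital data")
    _check_digits(tan, "TAN")
    if len(vital) > len(tan):
        raise ValueError("vital data longer than the TAN")
    padded = vital.zfill(len(tan))
    return "".join(str((int(v) + int(t)) % 10) for v, t in zip(padded, tan))


def unmask(masked: str, tan: str = SAMPLE_TAN) -> str:
    """Inverse of mask(): subtract the TAN digit by digit, no borrows."""
    _check_digits(masked, "masked data")
    if len(masked) != len(tan):
        raise ValueError("masked field must be exactly the TAN width")
    return "".join(str((int(m) - int(t)) % 10) for m, t in zip(masked, tan))


def digit_difference(masked_a: str, masked_b: str) -> str:
    """What an eavesdropper can compute from two fields masked with the same
    TAN: (a + tan) - (b + tan) = a - b digit-wise; the TAN cancels out.
    """
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(masked_a, masked_b))


if __name__ == "__main__":
    account = "4012888888881881"  # constructed sample, not a real account
    field = mask(account)
    print("masked field:", field)
    print("recovered   :", unmask(field).lstrip("0"))
    # Reuse caveat: the same TAN over a second message exposes a - b.
    other = "4012888888881882"
    print("digit diff  :", digit_difference(field, mask(other)).lstrip("0"))
```

The masked field hides the account number from anyone who lacks the TAN, but digit_difference() shows that the TAN provides no protection once it is applied to two different values: the attacker learns exactly where and by how much the two messages differ. The practical consequence is that the masking value must change per message, for example by deriving it from the TAN and the transaction number, which the book's step 1 already makes unique per transaction.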
Patent action required:
The necessary patent action was taken with the "Internet of Things" patent action. At most, the patent action needs one more sentence. Namely, add a sentence that states that the "Internet of Things" patent application also applies to dealing with unsecured smart devices in a smart device to smart device interaction SPARC Security Solution.
Chapter 6
Why You Need this Book
Purpose: Prepare readers to understand why they need SSS.
Action: Have a good understanding of your required actions.
The Old Solutions Providers:
A large number of firms are still selling the old piecemeal solutions. That includes the encryptors, the firewalls, the malware detectors, kill switches and the like. They want to continue selling their inadequate offerings. The smart device providers want to sell you the larger memories and faster processors needed for the old solutions. Another group wants you to continue using dedicated networks. They want the Internet security challenges to make the Internet unattractive for your use, despite its lower costs and worldwide access.
The Hybrid Environment Challenges
Most companies offer a set of mobile applications. Let me suggest a simple test for those company executives who might be interested in why they should act. What are the current activity statistics with these company-provided applications?
1) How many of their customers' smart devices were reported lost or stolen in the past year? What have been the resulting losses, by the customers or by the company?
2) How many attempts have been made to reuse overheard transmissions from smart devices? With what resulting losses?
3) How many of their customers reported usage problems from downloaded fraudulent applications, malware or viruses? With what reported losses?
4) Who pays how much for the smart devices to install piecemeal security packages such as encryption, firewalls, virus detection and repair, post-loss remote finding or remote usage killing?
5) Who pays how much to upgrade customers' smart devices to implement encryption? (More memory and faster internal speed.)
These questions will tell the company executives how serious their need is to understand this security subject. These are all good reasons to use the SPARC Security Solutions.
Note: Smart Devices include all sorts of smart phones, tablets, phablets, and any other stored-program-operated devices.
Chapter 7
This is a Smart Device
Purpose: To describe the Smart Device and examine its use.
Action: To provide a Smart Device selection basis.
Smart Device Evolution
The simple, handheld, portable telephone has evolved into a handheld, Internet-based computer that also provides phone functions. It is the result of decades of growth in electronic component function and reduction in physical size. The result is a compact, fist-sized computer capable of 95% of the function of your desktop computer. Its portability reaches any place where you can contact a network offering mobile phone signals. Its computational ability runs any programmable computer application within the capability of its operating system. In other words, the room full of computers of past decades now operates efficiently in your palm as a Smart Device. Furthermore, it has a full display, a keyboard and a communications interface.
Smart Device Acceptance
Recent executive surveys indicate that more than 80% of Smart Device-using executives would reach for their Smart Device before their morning cup of coffee. Most executives (over 80%) would conduct business on their mobile phone before their desk phone. Family-wise, their 8-year-old children have already asked for their own mobile phone. You are likely to provide it to your 8-year-old child for safety purposes, to allow frequent family socializing and to provide instant access while they roam. Some Smart Devices incorporate geographic position sensing (GPS) to enable parents to quickly locate their children physically, further enhancing mobile phone-based safety. The built-in geographic position sensing has been used very successfully to track and locate lost or stolen Smart Devices.
Major Smart Device Component Parts
The Smart Device is a complete communications-based computer system with a variety of input and output components. It is used to execute a variety of application programs intended to provide the user with a specific set of transaction-related plans and results. Some of the applications are used for general financial results such as currency conversion, measurement conversions and travel options. Other applications may be used for personal subjects of interest to the Smart Device owner. The major Smart Device components include:
A compact physical container/structure.
Protects components from weather and moisture.
Power supply: converts battery output to component power needs.
Power storage, e.g. a battery.
Display: electronic and color, with a touch-sensitive screen. A variety of on-screen symbols for application and function identification and selection.
Communications interface and antenna.
Digital, programmable computer.
Wireless/contactless interface.
Keyboards, function buttons and switches.
Microphone and speaker; headset jack.
SIM card tray (defines communication/carrier protocol).
Manufacturer's labels.
Other possible components:
Solar cells for power.
Physical access key.
Cover to protect antenna operation.
Cord loop for carrying.
Plastic card reading slot (stripe or contacts).
Finger grips.
Battery access and cover.
Display light level control.
Speaker/headset volume control.
Headset jack.
Display scroll control.
It is important to read the instructions provided by the manufacturer to identify all components and controls. Using the Smart Device, identify all components and controls. You should be able to identify and use them without looking at the unit. That degree of familiarity will assure your complete understanding of the unit you acquire and plan to use.
What is a Mobile Phone?
There are three types of handheld communications devices.
The Personal Digital Assistant (PDA) has wireless capabilities. It uses Wi-Fi or Bluetooth. Wi-Fi is the trademark of the Wi-Fi Alliance of manufacturers providing wireless local area networks based on the IEEE 802.11 standard. Bluetooth is an open wireless technology for short distances, created by Ericsson and managed by the Bluetooth Special Interest Group. The second type of handheld communications device is the Mobile Phone (CP), which has PDA capabilities but communicates with mobile communications facilities. The third type is the Smart Device (SP), which is an Internet-based, programmable computer that has all the Mobile Phone (CP) communications capabilities.
There are two types of mobile networks. GSM (Global System for Mobile communications) is used by 80% of the global mobile market. It is used by more than 4.3 billion people across more than 212 countries. This digital technique is considered second generation (2G). CDMA (Code Division Multiple Access) uses a spread spectrum technique that allows multiple messages on the same channel. Phones intended to work on one network type do not generally work on the other.
Some network providers require you to purchase a matching phone from them. Ask before purchasing. It is possible to "unlock" a phone. That allows the phone to work with any network. It is possible to buy an unlocking service to enable your phone to work with other networks. Most mobile providers subsidize the phone purchase price as a means to lock you into a multi-year contract. Hence, buying a phone from another source, a manufacturer or private party, may be more expensive. However, it allows you a more flexible arrangement in choosing or changing carriers. In fact, it allows you to buy prepaid amounts of communications, which is generally the least expensive arrangement.
Styles of Smart Devices
Mobile phones are available in a variety of physical shapes and layouts. They generally differ in display and keyboard/data entry features. For each style, you can find GSM and CDMA network units. The trick is to identify your desired carrier first, and then find a mobile phone to match your interface needs and operating requirements.
These Smart Devices May Use a Stylus (Touch Screen)
Traditional Style:
This phone style generally has a large screen which provides text entry using an on-screen, software-based keypad. This operation is generally supported by the use of Windows Mobile software. Its disadvantage is that it may be a bit awkward to use as a mobile phone. You may wish to use a headset for better phone communication. Try it!
Thumb-pad Style
This style offers a square screen on top of an almost equal-size thumb-pad type keyboard. It does not offer an on-screen keyboard even though it has a touch screen for interaction. It works well as a mobile phone and generally does not require headset use. Its smaller screen shows less information. Its thumb-pad keyboard may be difficult to use, or to dial numbers with, for operators with large hands. Try it!
Slider Style:
The screen strongly resembles the "Traditional" PDA. The screens are generally smaller, which makes them better for use as a phone. The keyboard is retracted and hidden when used as a phone. The full QWERTY keyboard is revealed by sliding it out. When slid out, the image on the screen changes automatically from "portrait" to "landscape". Most mobile providers have a version of this phone. It is similar to the "Traditional" PDA, and its software is usually compatible. The keyboard is larger than the "Thumb-pad". The "Slider" works well as a phone. There is a large selection of useful Windows Mobile software. The slider can be boxy. Not all application programs support both portrait and landscape display modes.
iPad Style
This is a large-surface touch screen. The screen is occupied with the logo for each application program acquired. The screen also may be scrolled with finger movement to get to applications beyond the initial screen capacity. The unit is a handy mobile phone size. Care must be taken not to damage the screen. The screen also needs to be cleaned of the many finger marks accumulated in its use. The user needs to memorize the meaning of the content for each logo. Since there are more than 400,000 application candidates, that memorization can be challenging.
The Following Smart Devices Do Not Use a Stylus
Thumb Pad Style
Microsoft calls these units Smart Devices. All software actions are done by hardware buttons. This phone has been popular because these units are very compact and slim. Operation is geared to one-handed usage. The display is not a touch screen. Software must be written for a non-touch device, and those programs are more limited. The thumb-pad works well as a phone. However, the lack of a touch screen may be considered awkward by some users. People with large fingers may have trouble dialing numbers, and the software may be limited. Try it!
Flip Phone Style:
This is a "clamshell" type phone. Text entry is time consuming as it uses "T9" text entry. This method of text entry requires multiple keystrokes for each character. This unit does not have a touch screen. Hence, software is more limited. Touch screen software will not work on this style of mobile phone. The unit has an excellent shape for use as a phone. However, the text entry without a touch screen can be very time consuming. A small screen and limited software may make this unit difficult to use.
Candy Bar Style
This is a less common mobile phone style. It uses the time-consuming "T9" multiple-key entry per character. It lacks a touch screen and software is generally limited. However, it has an excellent shape for phone use. Lack of a touch screen and limited software make this unit difficult to use.
Picking a Mobile Phone
Consider these three factors, in this order:
1) The carrier: do they provide the geographic coverage, communications features and the economic alternatives you require?
2) The Mobile Phone or Smart Device features and functions: does the unit have the display, interactive functions and the features you need?
3) The software: do the functions and features match your phone characteristics (e.g. touch screen vs key entry)? Does the software also offer the growth of functions and applications you may need later, such as navigating, messaging, multimedia and service support?
Global smartphone shipments are projected to be 2 billion units in 2018. In 2013, 76% of smartphone shipments used the Android operating system.
Smartphone Nomenclature
There is a set of terms and abbreviations used to describe smartphones, as follows:
Apple "G": the product generation.
Others "G": the product's network generation (e.g. 3G, 4G), which determines network speed.
App: abbreviation for application, a preprogrammed solution to provide a specific end result.
CDMA: wireless standard for Verizon and Sprint.
GSM: wireless standard for AT&T and T-Mobile.
Wi-Fi: local connection signal.
OS: operating system. Android for Google, iOS for Apple.
BBM: BlackBerry Messenger, for pictures, videos and voice notes.
iPad Mini: Apple's small tablet with a 7.9" display.
Buying a Mobile Phone
Smart Devices are becoming more complex and more like minicomputers. What counts is what goes on inside of them. Consider the basic features:
1) The processor: phone performance is dependent on processor speed. The faster, the better. High-end Smart Devices generally come equipped with a 1 GHz processor.
2) The RAM: the more random access memory capacity, the better able the Smart Device is to do multitasking. High-end phones have at least 512 MB of RAM.
3) The display screen: there are two important types of touch screens, resistive and capacitive. The capacitive screen is considered faster and responds to human touch. The resistive screen can be used with devices like a stylus.
OLED and AMOLED screens give strong color with amazing brightness when used indoors but fade when used outdoors in bright light. Super AMOLED has fixed that problem. AMOLED is also good for watching TV. TFT LCD screens have an inadequate viewing angle, present faded blacks, and low brightness levels. A screen size of 3.2 to 3.5 inches is the best viewing size and is easily carried in pockets and purses.
4) Check the keyboard: this is a personal preference, whether real or virtual. Do you touch type or hunt and peck? Do you need tactile feedback from a key depression?
5) The platform and application software: which applications best suit your needs? Check the software options and usage before making a final decision.
The Smart Device Usage Challenges
There are two sets of challenges with Smart Devices. One set relates to your selection and use of a pocket computer interfacing a variety of communication alternatives. Included are:
Smart Device selection and usage training.
Smart Device economics.
Smart Device rules and policies, for employer and employee.
Care and feeding of a sophisticated electronic device, e.g. SIM card and battery change.
Control and maintenance of the Smart Device.
Transition to later models.
The other set of challenges relates to managing a number of Smart Devices interconnected to a business organization, including:
Application development and evolution.
"Unlocking" units so they accept other carriers' networks.
"Jailbreaking" (removing the operating system's restrictions so that applications from outside the official store can be installed), which also removes the platform's own security controls and so matters for any device that will carry transaction applications.
Communications support and evolution.
Maintenance and service.
Cost of operation and usage.
Employee units and customer units.
Device and network management.
Employee training and monitoring.
Managing upgrading and evolution.
Privacy and security requirements.
Smart Device Operation
Your interfaces to the Smart Device are your eyes and fingers. Your eyes identify icons on the screen and locate action buttons or screen touch points. Your eyes read messages, symbols and labels. With the large number of Smart Devices available, there are several alternative actions possible to achieve a given operation on a Smart Device. For example, in one case a rotating knob will be a volume control. In another Smart Device, a touch-sensitive moving marker on the screen may produce the same volume control result. These two devices give equivalent operation. You must discover the mechanism used in the Smart Device you are handling.
Chapter 8
The Internet Role in Transactions
Purpose: An introduction to the Internet.
Action: Establish your transaction's focus on the Internet.
An Internet Note of Caution:
Internet components (applications, services, devices, technologies, vendors, users, protocols and standards) grow and change each year. This description focuses on the elements critical for your successful secure use of the Internet. However, this material needs to be updated when used. Key Web page addresses (domain names or Uniform Resource Locators, URLs) are included to help you quickly assess the latest transaction status. A key industry information source is the Internet Retailer Guide to E-Commerce Technology (internetretailer.com). There are similar guides in other transaction-based industries.
What is the Internet?
The Internet allows transaction access from more points, more quickly and more easily than any other network in the history of networks. Thus, along with its new facilities come new and serious security exposures. Since there is no central authority dealing with these security exposures, you, the user, must ensure that you are protecting your Internet plans and programs. This chapter will describe your Internet facilities. The chapter on security will describe the options for your action to protect your Internet plans and programs.
Please take this note of caution very seriously. There are many so-called security tools to protect your Internet actions. Your goal must be to select the effective tools and then to use them effectively.
The Internet Initially:
The Internet began as an electronically connected set of computers with a common information structure, format and information encoding. It was intended to share available computer time between government-supported computer installations. The objective was to use their surplus available computer time to solve large computational problems associated with atomic energy development. It was also intended to provide an ability to share facilities in case part of the facilities were destroyed. The communications structure was enlarged to include access to the libraries and development records maintained in each of the participating organizations.
Eventually, Today
The Internet is a set of interconnected public networks that are self-supporting and run on a cooperative basis. All share a common data format and content code: the protocol family called TCP/IP (Transmission Control Protocol/Internet Protocol). The World Wide Web (www) is not an association that manages the Internet; it is the system of linked Web pages and browsers that runs over the Internet. No single body manages the Internet: its protocols are developed by the IETF, names and addresses are coordinated by ICANN, and Web standards are maintained by the World Wide Web Consortium (W3C).
Web Pages and Other Nomenclature:
The Internet provides Web pages. A Web page is a collection of text, graphics, sound and, sometimes, video. Together, they create a single window of scrollable materials. Hypertext is the text used on a Web page that leads the user to other related information, or Web pages. The Web page is found by a browser. That is the software used to find and access a Web page.
URL or Domain Name: The Web page address on the Internet is called a URL, a Uniform Resource Locator. The URL is the designation used by the browser to access a Web page. Where does the URL come from? It may be found in the output of a search function. It might be provided by the Web page provider to guide others directly to a Web page of direct interest, such as a bank, retailer or health services provider. It may be found in publications, press reports or directories. As with any "address", it will be found with most communications vehicles.
Domain is another designation for the address of a Web site. It may be more than an address. If well selected, it may also be descriptive of the organization it addresses. The domain name consists of several parts, separated by dots. The letters www. at the beginning of the domain name indicate that the following information is an address on the World Wide Web. The last part, the top-level domain, indicates either the category of the organization named (.com commercial, .gov government, .org organization, or one of several others) or the country of the registrant, such as .us for the United States, .au for Australia and .jp for Japan; a category part may precede a country part, as in .com.au.
Email:
The most widely used Internet application is email. That is a message with a stated Internet destination and from an Internet source. It is also a vital marketing tool.
It drives business results in the form of increased traffic, customer awareness and customer involvement. A recent Internet Retailer study showed more than 40% of business leaders were planning to increase their email marketing budgets. It will expand at a double-digit rate for the next five years. Why? Email is inexpensive. Email is effective because customers rely on it and marketing gets better results from its use. It is a frequent carrier of related URLs. The Internet lacks any security for the user's device, the URL, or the email transaction message content.
Favorite Function
An important function of the browser is the "Favorite Function" (FF). It is a record of specific Web pages for later recall, to provide quick browser re-entry to a Web page previously designated with the Favorite Function. It is a quick recall of a specific Web page, without going through a Web page search and discovery process. That discovery process would require a search operation and an examination of the search output stream. Use of the Favorite Function enables applications in all industries to go directly to a Web page of interest.
Use of the Favorite Function for a Transaction Application:
An Internet-based industry provides each customer with a URL which uniquely identifies the location of the customer's industry data on the Internet. Using the URL in a browser takes the user to an entry point for that industry's transaction activities. The entry Web page will immediately impose further security control on access to the designated Web page. The software may ask for a Personal Identification Number (PIN), a password established earlier, or a more exotic biometric device output such as a fingerprint reader.
Having successfully provided the entry control information, the program now allows a spectrum of the industry's functions. These range from simple inquiries to sophisticated requests and control reviews. There may be subsequent control features that respond to larger transaction values, value transfer request actions and sound industry transaction criteria.
Specialized Networks
There are hundreds of specialized uses of the Internet. These are a subset of Internet use designed to interact with selected groups of individuals, corporations, religious groups, country residents, government agencies and the like. Their function is to allow the specialized participants to meet, exchange information and socially interact. Popular "social networks" include Twitter, Facebook, MySpace and LinkedIn. These networks offer low cost communications (plus the cost of the needed access equipment and software). In some instances, these networks reach up to two-thirds of a group's participants. Care must be taken to avoid posting, or to protect, sensitive information. Participants need to establish and maintain lists of the participants they want to reach in each type of network. From a marketing point of view, these are excellent vehicles for marketing to new clients.
The Internet is Essential for Transaction Solutions:
The Internet is the vital element that ties all of the smartphone transaction units together into a working system. It allows the smartphone unit to reach all of the data elements and software elements that combine to provide the transaction services to the smartphone user. Smartphone transactions provide significant productivity improvements to the transaction-based industry. Your knowledge of the Internet and its role in smartphone transaction-based systems is essential for you to successfully build these working systems and to realize their important results.
Chapter 9
Keyless Retail Transactions
Purpose: To describe the work-reducing functions available.
Action: Use work-reducing steps in Internet transactions.
The Retail Transaction:
Forty years' experience with magnetic striped cards, used with self-service units ranging from mass transit to automatic tellers, demonstrates why 80% of the world's population is implementing self-service transactions in all industries. By contrast, 72% of our population are shopping on the Internet, but only 15% shop with multiple vendors. The need is for a "Keyless Internet Transaction" structure which can be understood and repeated with ONE use. That was the prime success factor for magnetic striped card use.
Transactions on the Internet remain complex. A retail purchase requires up to 25 steps. Half of the steps require data entry keying and three steps require users to examine the results of long search responses. The use of improved solutions such as Amazon's "1-Click" reduces these efforts by one half, which is still 12 steps and 2 searches.
Conventional Internet Transaction
Placing a conventional retail transaction through the Internet is a 15 to 20 keyed-step process. The process would include these steps:
Search for a search engine.
Select a search engine.
Search for a vendor.
Select a vendor.
Search for a desired item to be purchased.
Select the item to be purchased.
Select the item's style.
Select the item's size.
Select the item's color.
Select the quantity.
Select the delivery method.
Select the delivery option.
Enter the delivery address and postal zone.
Confirm acceptance of the total charge.
Select the payment alternative.
Select the credit card to be used.
Enter the payment amount information.
Approve the payment process and amount.
Print the invoice and shipment information.
The Smartphone Introduces New Function
The smartphone-based, keyless process starts with information stored in the smartphone. Included are: (1) the user's preferred payment information; (2) the user's preferred shipping requirements; and (3) the user's preferred email address for communications.
"Frequent Favorite" is a form of browser-based function which provides direct Internet access, generally listed as a sequence of URLs. When one is selected, it provides the appropriate Internet Web page address (URL). The URL automatically directs the user's Internet browser to the Web page describing the article, service or subject being considered for acquisition. Use of this feature bypasses the need for using search engines and scanning long streams of search results. Without any keying, the browser presents the Web page showing the item identified by the URL. Beyond that, the order options, e.g. color, size and so forth, are selected by using a mouse. The order completion information for payment and shipping is provided from smartphone-stored content.
Keyless Shopping Speeds Internet Purchasing
This smartphone-supported function is a time saver. Bypassing the need for searches and for examining search outputs is a browser function provided by most browsers.
Your use of this smartphone-supported function will substantially speed your Internet access and get results on a more timely basis.
Chapter 10
SPARCpay
Purpose: Smart Devices with NFC offer many payment options.
Action: Use your Smart Device for payments.
Your Smart Device (SD) with Near Field Communication (NFC) offers a number of payment options in conjunction with your financial service institute, also known as your Application Control Institute (ACI). The simplest example is a funds transfer to another account. That application requests the payee account number and the amount of funds to be transferred. The sequence of steps that follows that application entry was described in detail in chapter 2, "The SPARC Security Solution".
There are a number of similar applications for:
Payment at a point of sale.
Payment at a retail checkout.
Payment at a supermarket checkout.
Payment or withdrawal at an ATM.
Payment at a transit gate.
Payment in a taxicab.
Payment by bumping with another Smart Device.
Receipt of funds by bumping from another Smart Device.
The Internet Payment Challenges:
The SPARCpay process is protected by the SPARC Security Solutions. Those protections require you to use a dual control to open the SPARCpay application. Depending on your choice, that requires entry of a SPARC PIN, or the use of a second security application, or the use of a security device. Any of those prevents the effective use of your Smart Device if it is lost or stolen. SPARCpay also prevents the effective use of an overheard transmission. It also prevents the downloading into your Smart Device of a fraudulent application, malware or viruses.
Other SPARCpay Options
Your ACI will provide you with a number of other payment options including check deposits, loan and mortgage payments and automatic bill payments. All are protected by the SPARC Security Solutions.
Chapter 11
Securing an “Internet of Things” (IOT)
Purpose: Explain IOT operation, its security challenges and the SPARC Security Solution responses.
Action: Communicate the steps necessary to secure an IOT.
What is an Internet of Things?
Gartner forecasts the IOT will be 26 billion units talking to each other via the Internet by 2020. These are a wide range of devices exchanging information via the Internet. The Internet provides lower cost communications. Unfortunately, it also provides a series of security challenges. These include:
Downloading of fraudulent applications.
Malware and viruses.
The fraudulent applications may be designed to:
Usurp control.
Steal industrial know-how.
Sabotage or misdirect device operation.
Provide misleading responses.
What is the SPARC Security Solution for an Internet based IOT?
The SSS inserts a logic device between each unit and the Internet. The logic device may be a custom chip, a dedicated logic unit or a smart device application. In an IOT situation there will be a “Sender” and a “Receiver”. Both units are bidirectional.
What are the SSS messages?
The SSS IOT sender message consists of:
The 40 digit SPARC Identification Number (the SIN).
The Sender’s unique identification.
The message send time on a 24 hour basis.
The message send date.
The message transaction number (non-sequential).
The security challenge is to prevent a counterfeit message, or a replay of an overheard message transmission, from fooling the receiving unit.
The IOT receiving unit applies these tests before accepting the incoming message:
From an acceptable source? This requires the receiver to maintain a list of acceptable sources.
Within an acceptable time period from the sending time? This requires the receiver to have an internal clock and a time synchronizing mechanism. It also requires an acceptable maximum interval for each physical location; a suitable interval is set for moving receivers.
With the correct transaction number? This requires storage of the last transaction number, a sequencing algorithm and a next-number calculator.
Note that the acceptable time interval may be a fraction of a second from transmission to receipt. That requires that the acceptable interval be set for each IOT based on its physical dimensions. The acceptable time interval is never transmitted. However, the participating units may require a periodic resynchronization of all clocks in a given IOT, such as daily.
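As an added illustration, not code from the book or the patent, here is a receiver that applies the three tests listed above to the five-field sender message. The 40-digit SIN is carried as a plain digit string; the message layout, the transaction-number successor function and the per-receiver interval in seconds are assumptions made for this example; the traffic is constructed.

```python
# Added example for this page: an IoT receiver applying the three acceptance
# tests described above. Illustrative code, not the book's or patent's logic.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FIELD_SEP = "|"


def next_tn(tn: int) -> int:
    """Assumed non-sequential successor, NOT the patented algorithm: an affine
    step modulo 10**4. 7 is coprime to 10000, so the map is a permutation and
    no two predecessors share a successor."""
    return (tn * 7 + 1234) % 10_000


@dataclass
class SenderRecord:
    """Receiver-side entry in the list of acceptable sources."""
    sin: str                 # 40-digit SIN expected from this sender
    last_tn: int             # last transaction number accepted from it
    max_interval_s: float    # acceptable send-to-receipt interval for its location


def build_message(sin: str, sender_id: str, tn: int, send_time: datetime, payload: str) -> str:
    """Sender side: the five header fields listed in the text, then the payload.
    Send time is 24-hour UTC; the TN is four zero-padded digits."""
    if len(sin) != 40 or not sin.isdigit():
        raise ValueError("SIN must be 40 decimal digits")
    return FIELD_SEP.join([sin, sender_id, send_time.strftime("%H%M%S"),
                           send_time.strftime("%Y%m%d"), f"{tn:04d}", payload])


class Receiver:
    def __init__(self, acceptable: dict):
        self.acceptable = acceptable      # sender_id -> SenderRecord

    def check(self, message: str, received_at: datetime) -> tuple:
        """Run the three tests in order and return (accepted, reason).
        Receiver state (last TN) advances only when every test passes, so a
        rejected message cannot burn the TN the legitimate sender will use."""
        parts = message.split(FIELD_SEP, 5)
        if len(parts) != 6:
            return False, "malformed message"
        sin, sender_id, hhmmss, yyyymmdd, tn_str, _payload = parts

        # Test 1: acceptable source, and the SIN on the wire matches the one on file.
        rec = self.acceptable.get(sender_id)
        if rec is None or rec.sin != sin:
            return False, "unknown source or SIN mismatch"

        # Test 2: send time within the acceptable interval for this receiver.
        # The window is symmetric so a small clock skew between units is tolerated.
        try:
            sent_at = datetime.strptime(yyyymmdd + hhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        except ValueError:
            return False, "unparseable send time"
        age = (received_at - sent_at).total_seconds()
        if abs(age) > rec.max_interval_s:
            return False, f"outside acceptable interval ({age:.3f}s)"

        # Test 3: the TN must be exactly the successor of the last one accepted.
        # A replayed message carries an already-used TN and fails here.
        if not tn_str.isdigit() or int(tn_str) != next_tn(rec.last_tn):
            return False, "unexpected transaction number (replay or counterfeit)"

        rec.last_tn = int(tn_str)
        return True, "accepted"


def demo() -> list:
    """Constructed traffic: one sensor, SIN of all ones, 0.5 s window."""
    sin = "1" * 40
    t0 = datetime(2016, 1, 19, 12, 0, 0, tzinfo=timezone.utc)
    rx = Receiver({"sensor-7": SenderRecord(sin=sin, last_tn=4321, max_interval_s=0.5)})
    tn1 = next_tn(4321)                # 1481
    tn2 = next_tn(tn1)                 # 1601
    m1 = build_message(sin, "sensor-7", tn1, t0, "temp=21.5")
    m2 = build_message(sin, "sensor-7", tn2, t0 + timedelta(seconds=1), "temp=21.6")
    m3 = build_message(sin, "sensor-9", next_tn(tn2), t0, "temp=99.9")   # not on the list
    return [
        rx.check(m1, t0 + timedelta(milliseconds=120)),   # fresh, in window, TN 1481: accepted
        rx.check(m1, t0 + timedelta(milliseconds=200)),   # same bytes again: TN 1481 already used
        rx.check(m2, t0 + timedelta(seconds=3)),          # correct TN but 2 s late: stale
        rx.check(m2, t0 + timedelta(seconds=1, milliseconds=100)),  # in window: accepted
        rx.check(m3, t0),                                 # unknown sender
    ]


if __name__ == "__main__":
    for ok, why in demo():
        print("ACCEPT" if ok else "REJECT", why)
```

The second call is the overheard-transmission case the text is concerned with: the same bytes arrive again inside the window and are dropped on the TN test alone. The third and fourth calls show why the interval has to be sized to the installation: a legitimate message delayed past it is also dropped, and because a rejection does not advance the receiver's TN, the same message is still accepted when it arrives in time. None of the header fields is authenticated, so the receiver's trust rests entirely on the source list and on the TN successor rule staying unknown to an attacker.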
How is vital data protected?
Vital data is protected by a protection value kept with the expected-sources list. The vital data is added to the protection value at the sender. The protection value is NOT transmitted. Upon receipt, the receiver subtracts the protection value from the protected value to recover the vital data.
Complete Logic Diagram:
Detailed design, Sender and Receiver logic units, from US Patent Application number US 2015/0249663 A1, dated September 3, 2015, Figure 14.
Summary of SPARC Security Solution IOT Attributes:
This process does not require the use of PINs, passwords or encryption. The SPARC Identification Number is the controlling mechanism. This allows use of lower cost and simplified logic devices.
This process is 100% compatible with transaction processing and data base standards.
Copied or counterfeit messages will be rejected by the logic tests.
Downloaded fraudulent applications, malware and viruses are rejected for lack of an acceptable SPARC Identification Number.
Useable with all “Things”, communications technologies and logic technologies. Improves the market for IOT devices.
Chapter 12
SPARCHealth
Purpose: Personal health record (PHR); identify the PHR content.
The Content
The contents of a personal health record are described in two national standards. They are the Standard Guide for Content and Structure of the Electronic Health Record (ASTM E1384) and Coded Values for the Electronic Health Record (ASTM E1633).
The Internet record at NCBI.NLM.NIH.GOV/PMC/Articles/PHC2047330/ provides a detailed record of the prescribed content.
What is the content of the PHR?
This is a collection of information about your health. It is not the same as the electronic medical records which are owned by doctors’ offices, hospitals and health insurance plans. Your PHR includes anything that helps you manage your health. It generally includes:
Your medical identification.
Your primary care doctors’ names and phone numbers.
Allergies, including drug allergies.
Your medications, including dosages.
Chronic health problems (your problem list).
Major surgeries, with dates.
Living will or advance directives.
Family history.
Immunization history.
Consultations.
Physician’s orders.
Hospital stays: operative and pathology reports, discharge summaries.
Imaging and X-ray reports.
Lab reports.
Consent and authorization reports.
Information about disease prevention may also be added. This may include:
Results of screening tests.
Cholesterol and blood pressure.
Exercise and dietary habits.
Health goals, such as stopping smoking or losing weight.
The personal health record allows you to share information. It also helps you to manage your health between doctor visits. It enables you to:
Track and assess your health.
Make the most of your doctor visits.
Manage your health between visits.
Get and stay organized for your health activities.
The SPARC Security Solution’s role:
This is a transaction/data base system (see Chapter 11). Items of data are protected from source to data base. They are added to the data base with a confirmation message to the source. They are accessible by inquiries from known sources.
Chapter 13
Implications of Introducing Internet Security
Purpose: To anticipate market reaction to improved security.
Action: Use changes to guide future investments/actions.
The Historic Evolution of Dedicated Networks:
Historically, the lack of Internet security has been solved in two ways. One way was to switch to the use of dedicated networks. Two examples are the credit card networks for VISA and MasterCard. In both cases the dedicated networks were used to capture transactions and to authorize transactions. Furthermore, “Securing Your Internet Use” also has implications for the future design of Smart Devices.
Dedicated networks incorporate network electronics to assure and maintain network security. However, this requires continued monitoring to assure no change in the security status. It also requires continued alertness to equipment erosion or failure. These are worldwide networks, which means continued surveillance in a wide range of geographic conditions. These are not inexpensive endeavors.
The Historic Development of Piecemeal Solutions:
A large number of programs were developed to solve specific Internet network security challenges. Included are commercially available programs to encrypt and decrypt message content, anti-malware detection and suppression programs, virus detection and suppression programs, and firewalls.
In addition to their cost, these specialized programs require annual renewal and, more importantly, periodic updating to reflect the continued change in attacks and in the correction techniques they require.
After a Secure Internet Introduction
Detection and correction of an Internet based security attack is not the end of the problem. Transaction messages carry vital data such as social security numbers, tax identification numbers and even re-ordering information. All of these vital numbers will need to be protected even in a “secure” Internet environment. Yes, even a secure Internet environment still requires the use of assorted techniques for protecting vital information. There will also be the development of new attack techniques. Further improvements in De-Identification, in achieving dual control and in data base controlled applications will be needed to improve their speed and application.
Impact on Future Smart Device Design:
An important lesson from the subject patents and this text is the need to isolate incoming transactions and transaction results until their security is validated. Those incoming transactions need to be isolated until the questioned transactions satisfy the SPARC Identification Number (the SIN) tests. The isolation buffers in future Smart Devices will hold and isolate the questionable material. That will play a valuable role in SPARC Security Solution implementation. It will also provide an opportunity to notify the transaction source of the disposition of the transaction it sent.
Life is a Good Example
Through the ages, professions such as medicine have continued to evolve. Identification of new challenges and development of new responses will be required, and education of new professionals will be a continued need. Welcome to the real world! The battle may shift, but even the change to a more secure environment will have its new challenges.
Chapter 14
Good Reasons To De-Identify
Purpose: Explain the reasons to use De-Identification.
Action: Use for all SPARC Security Solution applications.
The Source:
The following reasons for using De-Identification as part of the SPARC Security Solution are from an IBM report, “6 Good Reasons to De-Identify Data”.
What is De-Identification?
De-identified data is the data left after the directly identifying data has been removed. The remaining data can no longer be associated with a specific account number (TAN). That also means none of the remaining data can be used to research the missing identification. That requires that secondary identification data, such as social security numbers, also be removed or disguised. The disguise may be accomplished by adding the true account number (the TAN) to the secondary identification data using “absolute” arithmetic (see Chapter 24). The TAN is not transmitted. It is available in the Application Control Institute’s data base when needed for re-identification.
Why Use De-Identification?
The six good reasons to use De-Identification are:
1. Allows the remaining data to be used in many ways.
2. Allows the remaining data to be used for marketing research.
3. Allows the remaining materials to be used for medical research without violating privacy.
4. Protects the privacy of the material sources even if the material’s disposition is not authorized.
5. Significantly reduces the risk of legal compliance infractions.
6. Demonstrates due diligence even if a privacy breach is alleged.
Why Our Interest?
As with seat belts in cars, other safeguards should also be used, including safe driving and proper maintenance of the vehicle.
That means rational care of the smart device, and taking reasonable steps to prevent its loss or theft.
This material is taken from an “IBM for Midsize Business” program intended to
Chapter 15
SPARC Bit Stream Processing
Purpose: Understanding the distribution of entertainment content.
Action: Provide SPARC SS benefits for Bit Streaming.
What is Bit Streaming?
Bit Streaming is the distribution of a continuous flow of information such as motion picture content, performance events and live sports events. Bit streaming distribution is an important source of revenue producing entertainment content. Bit streaming is usually distributed through the Internet. With that transmission come all the usual Internet challenges. Those include malware, viruses, overheard transmissions, and unapproved bit stream access and copying.
How does the SPARC Security Solution secure Bit Streaming?
The SPARC Security Solution protects the bit stream with two numbers. One is the SPARC Identification Number (the SIN). This is a standards-compatible value of 40 digits. Included in the SIN is the unique identification number of the SPARC Security service provider. The second number is the transaction number portion of the SIN. This is a unique number which is changed for each application of the Bit Streaming protection process.
How is the SPARC Security Solution applied?
The account number is NOT transmitted in the clear. Rather, the bit stream is identified by the applicable SIN. In addition, the bit stream is disguised by adding the true account number, which is not transmitted, to the bit stream in 40 digit increments. At the receiving location the true account number is subtracted from the secured bit stream in 40 digit increments. In other words, the bit stream is protected by a simple De-Identification process.
There is a more direct solution. It requires a logic device between the Internet and the display device that implements the SPARC Security Solution process. That is the same logic device design that is used to protect individual devices linked to the “Internet of Things”.
Chapter 16
SPARCloud Security Solution
Purpose: To describe the application of SSS to secure clouds.
Action: Apply SPARCloud SS to large cloud installations.
What is Cloud Computing?
Cloud computing is the provision of computing power as a service, rather than as a specific computer product. A simple analogy is electric power. Electric power comes from a plug in the wall rather than from building, maintaining and delivering power from our own power plant.
How is it Accessed?
Cloud computing requires the delivery of vast amounts of data through the Internet or through dedicated networks. In either case the delivery process is subject to the usual assortment of security attacks. These may involve stealing vital data, or attacks with fraudulent applications, malware or viruses. Also, overhearing wireless transmissions and attempting to fraudulently reuse the captured vital data.
Applying the SPARC Security Solution:
Cloud based data is moved in fixed size blocks. Each block has a SPARC Identification Number (a SIN). The SIN is 100% compatible with the transaction standards. There is a cloud-maintained data base of known and acceptable SINs. Each incoming cloud data block adds its assigned SIN to the data base. Part of the SIN includes a redundancy check for the entire data block. The SIN is validated each time the data block is accessed or moved. Blocks leaving the cloud are also SIN checked.
Failure to validate the SPARC SS SIN results in destruction of the defective block or retransmission of the data block. Any redundancy check failure indicates an addition to or removal of data from the original data block. If needed, redundant cloud block retransmission may be used, or a more complete content validation or recovery of content.
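An added example, not the book's code: a block store that does what the two paragraphs above describe, with assumptions the text does not make: 64-byte blocks, CRC-32 as the redundancy check, a dict as the data base of acceptable blocks, and the block identifier standing in for the SIN. It also shows the check a practitioner would add. A CRC catches accidental addition or removal of data but not deliberate rewriting, because whoever can rewrite the block can recompute the CRC; a keyed check (HMAC) under a key the cloud never stores beside the block closes that gap.

```python
# Added example for this page: a minimal block store that attaches a redundancy
# check to each fixed-size block, records accepted block identifiers, and
# re-verifies the check on every read. Not the book's code.
import hashlib
import hmac
import zlib

BLOCK_SIZE = 64


class IntegrityError(Exception):
    pass


class BlockStore:
    """key == b"" : plain CRC-32 redundancy check (what the text describes).
       key != b"" : HMAC-SHA256 keyed check, the practitioner's alternative."""

    def __init__(self, key: bytes = b""):
        self.key = key
        self.accepted = {}          # block_id -> (check, data): acceptable-block data base

    def compute_check(self, block_id: str, data: bytes) -> bytes:
        if not self.key:
            return zlib.crc32(data).to_bytes(4, "big")
        # Binding block_id into the MAC stops a valid block being replayed under another id.
        return hmac.new(self.key, block_id.encode() + data, hashlib.sha256).digest()

    def ingest(self, block_id: str, data: bytes, check: bytes) -> bool:
        """Incoming block: verify, then add its identifier to the data base.
        Returns False for a defective block (caller requests retransmission)."""
        if len(data) != BLOCK_SIZE:
            return False
        if not hmac.compare_digest(check, self.compute_check(block_id, data)):
            return False
        self.accepted[block_id] = (check, bytes(data))
        return True

    def read(self, block_id: str) -> bytes:
        """Every access re-validates the stored check before data is released."""
        check, data = self.accepted[block_id]
        if not hmac.compare_digest(check, self.compute_check(block_id, data)):
            raise IntegrityError(f"block {block_id} failed its redundancy check")
        return data


def demo() -> dict:
    # Constructed 64-byte blocks.
    genuine = b"ledger row 0042: balance 100.00 USD".ljust(BLOCK_SIZE, b"\0")
    forged = b"ledger row 0042: balance 900.00 USD".ljust(BLOCK_SIZE, b"\0")
    out = {}

    crc = BlockStore()
    out["crc_ingest_ok"] = crc.ingest("blk-1", genuine, crc.compute_check("blk-1", genuine))

    # Accidental corruption in transit: one bit flipped, check unchanged -> caught on ingest.
    damaged = bytearray(genuine)
    damaged[5] ^= 0x01
    out["crc_catches_corruption"] = not crc.ingest("blk-2", bytes(damaged), crc.compute_check("blk-2", genuine))

    # Deliberate tampering: attacker with write access rewrites the block and recomputes the CRC.
    crc.accepted["blk-1"] = (zlib.crc32(forged).to_bytes(4, "big"), forged)
    out["crc_misses_tampering"] = crc.read("blk-1") == forged       # forgery passes every later check

    # Same attack against a keyed check: the attacker lacks the key, so no valid check can be produced.
    mac = BlockStore(key=b"\x01" * 32)                                # constructed shared key
    mac.ingest("blk-1", genuine, mac.compute_check("blk-1", genuine))
    mac.accepted["blk-1"] = (zlib.crc32(forged).to_bytes(4, "big"), forged)
    try:
        mac.read("blk-1")
        out["mac_catches_tampering"] = False
    except IntegrityError:
        out["mac_catches_tampering"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Whether the check is a CRC or a MAC, the validation points are the ones the text names: on ingest, on every access, and on egress. The difference is only in what the check can promise: a CRC answers "was this block damaged?", a keyed check answers "was this block written by someone holding the key?", and only the second is meaningful when the threat is an attacker who can rewrite stored data.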
Summary:
SPARCloud is built on the same SPARC Security Solution principles. Dual controls are based on controlling data bases and specific SIN based block numbers. The SIN based block numbers complete the De-Identification process. Thus, the SPARC Security Process completes its secure handling of the SPARCloud computing data flow.
Chapter 17
Securing Unsolicited Messages
Purpose: To anticipate an Internet fact-of-life.
Action: Prepare an unsolicited-messages plan of action.
The Internet Challenge:
Dealing with the Internet occasionally results in a flow of unsolicited messages. They may be quickly identified by the absence of an acceptable SPARC Identification Number (SIN). The presence of an acceptable SIN indicates prior handling of the message under SPARC Security Solution rules, de-identification and data based controls.
Unsolicited messages may be fraudulent transactions, malware or viruses. As such, they represent a significant danger to the receiving applications or systems.
Unsolicited Messages Plan of Action:
Processing of unsolicited messages is 100% compatible with the processing of all messages. Unsolicited messages should be segregated and stored separately. They should immediately be scanned by a free program such as the “Malwarebytes” anti-malware program. A contaminated message should be destroyed immediately, with a record of the message disposition sent to the sender. An uncontaminated message can be provided with a correct SIN and processed in the normal SSS manner.
Chapter 18
Introducing SPARCoogle – a Free Security Service
Purpose: Use SPARC Security Solutions to attract advertising $.
Action: Establish the SPARCoogle organization.
What is SPARCoogle?
SPARCoogle is the availability of SPARC Security Solution know-how at no charge to requestors. This will be a direct result of the growth of SPARC SS experience and the wide communication of SPARC SS usage benefits. What type of information will be available uniquely through SPARCoogle?
Educational materials provided by SPARC SS insurance companies.
SPARC SS registration options and Internet addresses.
Sources of SPARC SS additional materials such as multi-language instruction manuals, planning materials and reporting materials.
Is There a SPARCoogle Advertising Organization?
One of the great contributions of the Google organization was the demonstration that advertisers will support this type of service with a large amount of paid advertising.
The SPARCoogle organization includes:
Advertising receipt and processing.
SPARCoogle Internet network design.
A SPARCoogle Internet browser.
Set up and maintenance of the SPARCoogle data base.
Set up and maintenance of a multi-language data base.
Set up and maintenance of a world-wide operation.
Negotiate a cross license and access with GOOGLE.
Set up, maintain $ for future SPARC contributions.
Set up, maintain press interface for SPARCoogle.
SPARCoogle education materials, process.
Set up an annual contribution recognition event, awards.
Chapter 19
SPARC Security Solutions Questions and Answers
Purpose: Provide frequently asked questions with answers.
Action: Use to prepare responses to frequent questions.
Introduction:
Payment processes and technologies change rapidly. Historically, they have changed every decade for the past 50 years. I was fortunate to have led the effort to create the magnetic striped card almost 50 years ago (1966 to 1973). The stripe content and the supporting data based authorization architecture we architected then have now evolved through several generations of card technologies. All indications are they will continue to provide the usage decision base for this vital industry. The following material demonstrates their ability to support the coming era of smart devices. Magnetic striped cards are 50 years old. Smart cards with PINs and chips are now approaching 35 years of age. Now is the time to recognize the rapid shift to smart devices. The following material is offered to demonstrate that the rapid change should be encouraged and welcomed. With it comes the ability to secure the use of the Internet, a very welcome event. I wish all the users of these proposals the same sense of contribution to society that I feel. Jerome Svigals.
SPARC Security Solutions (SSS)®, a Questions and Answers Compendium © 2015.
Q. What is the SPARC Security Solution (SSS)?
A. SSS provides an enhanced method to assure secure wireless and Internet based transactions. SSS uses a combination of three security processes which have been used by industry for more than 20 years, with an SSS provided innovative and patented improvement. The entire transaction world is moving rapidly to the use of smart (programmable) devices, such as smartphones or tablets. The SPARC Security Solution allows use of a lower cost smart device. SPARC does NOT require the use of PINs, passwords or encryption. SPARC protects against the three most serious smart device security challenges: (1) lost or stolen units (50% in the USA last year); (2) misuse of overheard transmissions; and (3) downloading of fraudulent applications, malware and viruses. SSS does NOT require smart device or operating system modification. It is 100% compatible with existing industry transaction standards and data bases.
Q. Why would using the SSS be valuable in my business?
A. Use of smart devices is becoming a fact of life for anyone over eight years old. Even the unbanked and the underbanked are smart device users for transactions with employers and family. Smart devices are an infrastructure provided by the users, rather than by the application provider, e.g. a bank. Hence, all industries will benefit from an improved security solution for smart devices. Thus, SSS offers improved economics, a single solution for the three major smart device security challenges, and is useable with the existing major investments in networks, data bases and products (hardware and software). More important, SSS departs from previous security solutions, which were piecemeal, expensive, usually after-the-fact and destructive.
Q. What is unique about SSS?
A. Its patented features. This is primarily the “SPARC Security ID” concept and its use. The three security solutions used by SPARC have been used successfully for more than 20 years, world-wide. They are (1) dual control; (2) De-Identification (initially a US Government medical specimens patent); and (3) data based control. The SSS advances are its simplicity, economics, and 100% compatibility with existing processes and data bases. SSS uses proven techniques, with its unique ability to avoid use of old, piecemeal and expensive security solutions. SSS allows use of the low cost, universal Internet rather than expensive dedicated networks. This makes SSS unique. You will not need to use virus detection programs or encryption programs. This SSS attribute is true for all smart devices, their operating systems and applications in ALL industries.
Q. Do we employ encryption?
A. No. We employ De-Identification. This is a secure process used by the federal government for more than 20 years in the healthcare industry to prevent source identification of medical samples. Encryption requires substantially more storage, higher performance and increased cost in a smart device. De-identification also includes techniques for protecting vital data.
Q. Do we employ tokenization?
A. No. Tokenization is replacing an identification or account number with a random number. SSS uses a uniquely constructed and patented version of the historic transaction processing standard account number to replace the true account number (TAN).
Q. Do we use multifactor authentication?
A. We use the long used basic dual control, the fundamental security technique of the financial industry, e.g. card and PIN.
Q. Who uses the SSS solution today?
A. Everyone. We use the basic security techniques now in use. SSS simply redefines the account number content, which is the SSS patented highlight. SSS uses a 40 year old, cross industry account number and data base standardized identification number.
Q. What proof do we have that it works?
A. The account number based data base systems have been successfully used for forty years, world-wide. For example, they are used by every card issuing institution to authorize transactions. The latest Nilson Report puts current credit card losses at $0.06 per $100 of gross sales. That is a remarkably small loss ratio, considering decades of fraud development techniques.
Q. When will SSS have proof?
A. SSS has proof now by use in existing systems. Proof will be further confirmed when we obtain Underwriters Laboratories Transaction Security certification early next spring.
Q. How to validate the strength of the solution?
A. SSS is confirmed by current industry usage. The SSS enhanced security functions will be further confirmed by UL Transaction Security certification.
Q. How to subscribe or build SSS myself?
A. You will build SSS yourself, as all industries now do. You will need to make a minor addition to your data base and a minor modification to smart device applications. This inserts the SSS process into smart device use. No modifications are required to the operating system.
Q. How is SSS configured in all industries?
A. SSS uses existing processes.
Q. What is the SSS timeline?
A. SSS is in use now. SSS requires minor application modification to incorporate the patented definition of the SPARC Secure ID Number (SIN) and process.
Q. Will your use of SSS be unique in your industry?
A. No. You will be the first to take advantage of SSS secure functional improvements and economics. Eventually, others will follow your leadership.
Q. How often will SSS have new releases?
A. It is difficult to have new releases with security techniques which are 20 or more years in use. What will be new will be the added industry application uses and devices that you will now incorporate in these well established SPARC security solutions.
Q. What influences new SSS releases?
A. You will control how you apply the SSS.
Q. How to handle SSS maintenance and enhancements?
A. SSS is based on existing industry standards with established processes for handling maintenance and enhancements.
Q. Is SSS adequately capitalized?
A. Since the SSS is based on existing standards, all industries will bear the burden with a minimum of guidance. SSS will lead by application development, not by expensive product development. This allows low cost use of the SSS functionality. This greatly reduces the SSS capitalization requirements.
Q. How are you protected if SSS sells to your competitors?
A. That is like asking the electric company not to provide power to your competition. The fact of life is that this simple, low cost, universally applicable and effective SSS will eventually be used by all. Your challenge will be to keep ahead of industry progress and lead your competition into the new Secure Smart Device applications within the SSS era.
Jerome Svigals
(Leader of the 1966-73 IBM magnetic striped card development team, stripe multi-track data content architecture and data based security architecture used worldwide for more than 30 years. Member of ABA and ANSI standards groups for magnetic striped card specs and content). Re US Patents 8,453,223, dated 5/28/13; 8,806,603, dated 8/12/14; 8,997,188, dated 3/31/15; and 9,009,807, dated 4/14/15.
Chapter 20
Use of Prior Security Solutions, Standards, Programs
Purpose: Reconfirm that SSS is 100% compatible with past solutions.
Action: None is required after reconfirmation of compatibility.
Introduction:
This will be the shortest chapter. Full compatibility gives you the option of using all previously available products. For example, SPARC Security Solution De-Identification provides adequate content security. However, if you wish to also use encryption, do it. It is a redundant effort, but do it if you feel more comfortable. After a while, you will recognize your redundant efforts. This includes malware detection, encryption, firewalls, virus detection and elimination, fraudulent application detection and elimination, and so forth.
Chapter 21
Summary of SPARC Security Solution Patents
Purpose: Identify basic SSS patents and their application.
Action: Use application definitions to identify market use.
Summary of SPARC Patent Claims:
8,453,223, dated 5/28/13: System to verify transaction content with a one-time identifier. Provides dual control on transaction origination. Independent of Smart Device and operating system. Generates the SPARC Identification Number used for De-Identification. Uses data base control to recover the True Account Number from the SPARC Identification Number.
8,806,603, dated 8/12/14: System to verify a transaction which is biometrically actuated. Wireless. One-time identifier, separate to and from the application control institution. Using NFC. For a plurality of devices (this is IOT). Works with magnetic striped media.
8,997,188, dated 3/31/15: Protects unsolicited transactions. Protects without use of PINs, passwords or encryption. Destroys invalid transactions. Transaction count NOT incremented by one (prevents use of an overheard transmission). Accepts transactions based on time (an IOT security feature).
9,009,807, dated 4/14/15: Works with external devices. Determines if the source of a transaction is acceptable (this is also IOT). Modifies the smart device to include a buffer to temporarily store a message until validated. Includes an alarm when the smart device and the dual control security device are too far apart physically.
These are the major claims. There are a number of claims of less significance.
Patent Pending:
2015/0249663, published 9/3/15: Patent Application for “Security for the Internet of Things”. Lists 23 claims. “An application control device controls another device.”
Chapter 22
SPARC Security Solution Smart Device Simulation
Purpose: Demonstrate the SPARC Security Solution.
Action: Use the simulation to demonstrate SPARC SS.
SPARC Security Solution Simulation:
(Note: this is a patented process.)
Requires two Android Smart Phones, Smart Device 1 (SD1) and Smart Device 2 (SD2):
One is the transaction device, SD1, with two applications. The second, SD2, is the Application Control Institute, e.g. the bank, also with two applications.
App 1: the financial transaction application (on SD1).
App 2: the SPARC Security App (one instance on each device).
App 3: the ACI’s transaction processing application (on SD2).
The Process:
SD1, App 1: Creates the transaction with the TAN.
SD1, App 2: Completes the transaction by generating the SIN.
SD1, App 1: Assembles and transmits the transaction with the SIN.
Internet: Carries the transaction to SD2.
SD2, App 3: Receives the transaction.
SD2, App 2: Validates the transaction with the SIN.
SD2, App 3: Processes the transaction with the TAN.
SD2, App 3: Creates the return transaction with SIN2.
SD2, App 2: Completes the transaction.
SD2, App 3: Assembles and transmits the transaction.
Internet: Carries the transaction to SD1.
SD1, App 1: Receives the transaction, replaces SIN2 with the TAN.
SD1, App 2: Validates the transaction.
SD1, App 2: Completes the transaction.
The App Details:
(Each step is labelled with the unit that performs it: SD1 = the Smart Device, SSS app = the SPARC SS app on SD1 or SD2, ACI = the Application Control Institute on SD2.)
SD1: Open financial transaction App 1.
SD1: Enter app info (pay to, amount, SPARC PIN).
SD1: Send request to App 2 (SSS).
SSS app: Open SSS App 2.
SSS app: Enter SPARC PIN (6 characters).
SSS app: Generate SIN (SPARC Identification Number).
SSS app: Generate TN+1 and store it (transaction number).
SSS app: Send SIN to SD1.
SD1: Replace TAN (true account number) with SIN.
SD1: Send transaction to ACI (Application Control Institute, e.g. bank).
ACI: Open transaction.
ACI: Extract SIN.
ACI: Seek SIN record.
ACI: Extract true account number.
ACI: Extract TN.
ACI: Validate transaction TN.
ACI: Access TN.
ACI: Process TN transaction.
ACI: Generate return message.
ACI: Send return message.
SD1: Receive message.
SD1: Extract SIN.
SD1: Send SIN to SSS app.
SSS app: Receive SIN.
SSS app: Extract TN.
SSS app: Validate TN.
SSS app: Calculate TN+1.
SSS app: Send message to SD.
SD1: Receive message, complete transaction.
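The round trip tabulated above, as an added simulation written for this page (not the book's two Android applications and not the patented process itself). Assumed for the example, since the text does not fix them: the SIN is 19 digits of SPARC account identifier, 4 digits of TN and 17 filler digits; both security apps share a simple non-sequential successor function; messages are '|' separated; the SPARC PIN is six characters.

```python
# Added example for this page: a simulation of the SD1 <-> ACI flow in the
# table above. Illustrative code, not the book's Android apps or the patented
# process. Assumed: SIN layout, TN successor, '|' separated messages, 6-char PIN.
from dataclasses import dataclass

ACCOUNT_ID_LEN = 19        # track-2 style primary account field (assumption)
TN_LEN = 4

def next_tn(tn: int) -> int:
    """Assumed non-sequential successor shared by both security apps (NOT the patented one)."""
    return (tn * 7 + 1234) % 10_000

def make_sin(account_id: str, tn: int) -> str:
    """Assumed 40-digit SIN: 19-digit SPARC account identifier + 4-digit TN + 17 filler zeros."""
    if len(account_id) != ACCOUNT_ID_LEN or not account_id.isdigit():
        raise ValueError("account identifier must be 19 digits")
    return account_id + f"{tn:0{TN_LEN}d}" + "0" * (40 - ACCOUNT_ID_LEN - TN_LEN)

def split_sin(sin: str) -> tuple:
    return sin[:ACCOUNT_ID_LEN], int(sin[ACCOUNT_ID_LEN:ACCOUNT_ID_LEN + TN_LEN])

@dataclass
class SecurityApp:
    """App 2 on SD1: releases a fresh SIN only under dual control (the SPARC PIN)
    and validates the SIN2 that comes back from the ACI."""
    pin: str
    account_id: str      # SPARC identifier the ACI keys its record on; not the TAN
    tn: int = 0          # last TN issued or accepted

    def issue_sin(self, pin_entered: str) -> str:
        if pin_entered != self.pin:
            raise PermissionError("dual control failed: wrong SPARC PIN")
        self.tn = next_tn(self.tn)
        return make_sin(self.account_id, self.tn)

    def validate_sin(self, sin: str) -> bool:
        acct, tn = split_sin(sin)
        if acct != self.account_id or tn != next_tn(self.tn):
            return False
        self.tn = tn
        return True

class SmartDevice1:
    """App 1: builds the payment; the TAN is replaced by the SIN before anything leaves the device."""
    def __init__(self, tan: str, sec: SecurityApp):
        self.tan, self.sec = tan, sec

    def create_transaction(self, pay_to: str, amount: str, pin: str) -> str:
        return f"PAY|{self.sec.issue_sin(pin)}|{pay_to}|{amount}"

    def complete(self, reply: str) -> tuple:
        _kind, sin2, status = reply.split("|")
        return self.sec.validate_sin(sin2), status

class ACI:
    """SD2: App 3 processes with the TAN; the App 2 logic validates SIN and TN."""
    def __init__(self):
        self.records = {}     # account_id -> {"tan": ..., "tn": ...}  (the SIN data base)
        self.ledger = []      # processed (tan, pay_to, amount)

    def handle(self, msg: str) -> str:
        _kind, sin, pay_to, amount = msg.split("|")
        acct, tn = split_sin(sin)
        rec = self.records.get(acct)
        # Seek SIN record, validate TN. A replayed message carries a TN already consumed.
        if rec is None or tn != next_tn(rec["tn"]):
            return "ACK|" + "0" * 40 + "|REJECTED"
        rec["tn"] = tn
        self.ledger.append((rec["tan"], pay_to, float(amount)))   # processed with the TAN
        rec["tn"] = next_tn(rec["tn"])                             # fresh TN for the return leg (SIN2)
        return f"ACK|{make_sin(acct, rec['tn'])}|OK"

def demo() -> dict:
    tan = "4111111111111111"               # constructed true account number
    account_id = "4000123456789012345"     # constructed 19-digit SPARC identifier
    sd1 = SmartDevice1(tan, SecurityApp(pin="SP4RC1", account_id=account_id))
    aci = ACI()
    aci.records[account_id] = {"tan": tan, "tn": 0}
    out = {}
    msg = sd1.create_transaction("merchant-17", "42.50", "SP4RC1")
    out["tan_on_wire"] = tan in msg                        # False: only the SIN travels
    out["first"] = sd1.complete(aci.handle(msg))           # (True, "OK")
    out["replay"] = aci.handle(msg).endswith("REJECTED")   # overheard copy replayed: TN stale
    out["second"] = sd1.complete(aci.handle(sd1.create_transaction("merchant-17", "8.00", "SP4RC1")))
    try:
        sd1.create_transaction("merchant-17", "1.00", "000000")
        out["wrong_pin_blocked"] = False
    except PermissionError:
        out["wrong_pin_blocked"] = True
    out["ledger"] = list(aci.ledger)
    return out
```

Three properties of the flow are visible in demo(): the TAN never appears in the message, since the ACI recovers it from its own SIN record; a captured message replayed after the original has been processed fails the TN test because the record has moved on; and the SPARC PIN gates the release of every SIN, which is the dual control that protects a lost device. Both sides here share the successor rule, as the table implies; Chapter 24 instead advances the TN by algorithm only at the ACI, and in that variant the device would simply echo the TN the ACI last sent it.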
Chapter 23
SPARC Security Solutions versus Foreign Hackers
Purpose: Describe past Internet attacks and the SPARC SS response.
Action: Use SPARC SS knowledge to prevent a reoccurrence.
The Report
The New York Times reported (8/12/14) that foreign hackers had amassed 1.2 billion Web credentials (user names and passwords) from an Internet based attack. The attack amassed 4.5 billion records.
Let’s Assume
That they caught an equivalent amount of SPARC Security Solution based transactions. What would they have?
They would have messages without true account numbers.
No PINs, passwords or encryption processes or results.
The transaction numbers are out of sequence.
There are no readable user names or vital data.
Data base responses or overheard transmissions are not usable.
No Smart Device access information.
In summary, they would have captured nothing of value.
Chapter 24
SPARC Security Process Key Numbers (SIN and TN)
Purpose: Describe key components of SPARC Security Solutions.
Action: Test SSS by full disclosure.
Where did it all start?
The basic security concept originated fifty years ago with the development of the magnetic stripe. The challenge with striped cards was to interface to a minimum of two different control systems. One was the numeric based banking systems with account numbers. The second was the name based travel industry systems with alphabetic name access. These became the basis for many future standards. The first was ISO 2984 in 1983. It had three tracks, but the numeric Track Two became the finance industry basic. It consisted of 40 numeric digits of 5 bits each. The primary account number is up to 19 digits. There are an added 12 digits for miscellaneous number fields. The remainder of the track digits are used for control sentinels.
Through the Intervening Years
As the transaction medium changed from cards to smart cards to smart devices, the subsequent standards’ content remained the same, to protect the resulting authorizing data bases. The design of the SPARC Security Solution chose to use the same format for its SPARC Identification Number, the SIN. Use of the SIN allowed full use of existing data bases, devices, software and systems. However, there was a remaining challenge. Fraudulent access to the SIN by over-hearing, or use of a lost or stolen smart device, required a further solution.
The Need for a Further Identification Variable:
The added challenges of misuse of overheard data and use of lost or stolen Smart Devices were addressed with a transaction number of 4 digits in the SIN. A SIN value used twice carries an acceptable account number portion, but its TN duplicates one already used, and the duplicate exposes the replay. Hence, the four digit TN is an added precaution for several attack scenarios.
The added TN value requires an algorithm to advance the sequence. The algorithm must not become known to a thief with his own Smart Device. That is avoided by advancing the TN value by algorithm only at the Application Control Institution (ACI) data base.
Protecting Vital Data:
The De-Identification process by itself does not protect the vital data inside the “protected” record or transaction record. This may include telephone numbers, government services numbers such as social security numbers, a variety of passwords, financial identification numbers such as credit card numbers, and PINs and other security access codes. These may be protected by a very simple but secure process. The De-Identified message LACKS the true account number for the transaction record being protected. Hence, the data to be protected is added to the true account number in segments of 40 digits or 20 alphabetic characters. The process is called “absolute” arithmetic: it does NOT carry between digits. The process is easily reversed when it is necessary to recover the vital data at the ACI. Note that the protection value is the TAN itself, reused for every segment and every record; its secrecy is the whole protection, so it must never appear alongside the protected data.
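The carry-free addition described here, which is also the protection value of Chapter 11, the disguise of secondary identifiers in Chapter 14 and the 40-digit increments of Chapter 15, as an added example that is not the book's code. The TAN is cycled to cover data longer than itself, and upper-case letters are handled mod 26 the same way; both are assumptions. The last function is the check a practitioner would run against it: recovering the protection value from one record whose plaintext is known.

```python
# Added example for this page: the "absolute" arithmetic described above,
# i.e. position-wise addition with no carry, using the true account number
# (TAN) as the protection value, plus the exact reverse. Not the book's code.
import string

ALPHABET = string.ascii_uppercase


def _cycle(key: str, n: int) -> str:
    """Repeat the key so it covers n positions (assumption: the text speaks of
    40-digit / 20-letter segments; cycling the TAN gives the same per-position rule)."""
    return (key * (n // len(key) + 1))[:n]


def protect_digits(data: str, tan: str) -> str:
    """(data digit + TAN digit) mod 10, position by position, no carry."""
    if not (data.isdigit() and tan.isdigit()):
        raise ValueError("digit strings only")
    return "".join(str((int(d) + int(k)) % 10) for d, k in zip(data, _cycle(tan, len(data))))


def unprotect_digits(protected: str, tan: str) -> str:
    """Inverse at the ACI: (protected digit - TAN digit) mod 10."""
    return "".join(str((int(d) - int(k)) % 10) for d, k in zip(protected, _cycle(tan, len(protected))))


def protect_alpha(data: str, key: str) -> str:
    """Same rule for upper-case letters, mod 26."""
    return "".join(ALPHABET[(ALPHABET.index(d) + ALPHABET.index(k)) % 26]
                   for d, k in zip(data, _cycle(key, len(data))))


def unprotect_alpha(protected: str, key: str) -> str:
    return "".join(ALPHABET[(ALPHABET.index(d) - ALPHABET.index(k)) % 26]
                   for d, k in zip(protected, _cycle(key, len(protected))))


def recover_protection_value(known_plain: str, protected: str) -> str:
    """The caveat: carry-free addition is a fixed additive key. One record whose
    plaintext is known (or guessed) gives the TAN digit at every covered position,
    and because the TAN is reused, that unlocks every other record protected with it."""
    return "".join(str((int(p) - int(d)) % 10) for d, p in zip(known_plain, protected))


def demo() -> dict:
    tan = "4111111111111111"      # constructed TAN; never transmitted with the data
    ssn = "078051120"             # constructed vital datum (a well-known sample number)
    prot = protect_digits(ssn, tan)
    return {
        "protected": prot,                                   # "489162231"
        "round_trip": unprotect_digits(prot, tan) == ssn,    # True
        "alpha": protect_alpha("JOHNDOE", "SPARC"),          # "BDHEFGT"
        "alpha_round_trip": unprotect_alpha(protect_alpha("JOHNDOE", "SPARC"), "SPARC") == "JOHNDOE",
        # An analyst who knows one plaintext/protected pair recovers the TAN prefix directly:
        "leaked_tan_prefix": recover_protection_value(ssn, prot),   # "411111111" == tan[:9]
    }
```

The round trips confirm the process is exactly reversible at the ACI, as the chapter says. The last entry is the practitioner's caveat: every segment of every record is offset by the same TAN digits, so one known or guessable field (a published sample number, a fixed-format date, a padding run) hands the protection value to anyone holding the protected records, and with it every other record disguised under that TAN. The disguise is only as strong as the TAN's secrecy, which is a different guarantee from what a keyed cipher provides when an adversary can collect many records.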
Future Key Numbers
The future will see further attacks on the key numbers. Corrective steps to future attacks will be taken when needed.
Chapter 25
Securing against RansomWare and other Malware
Purpose: Prepare to recognize and reject malware.
Action: Eliminate recognized malware.
What is RansomWare and Malware?
Malware is a computer program designed to do unwanted or destructive actions not requested by the computer user or owner. Malware programs come through the Internet as a routine download. They have a number of other troublesome capabilities. They reproduce themselves. They make unauthorized copies and redistribute them on the Internet. In short, they have the ability to perform many undesirable activities as a routine part of Internet downloads.
The dangers and possibility of recovering from RansomWare
RansomWare is malware with the added ability to encrypt or hide vital data and then offer to recover it in return for a demanded ransom. Unfortunately, paying the ransom may not result in recovery of the hidden data. RansomWare comes in many forms, but all have the same negative characteristics. These are just more types of malicious software found on the Internet.
Malware Defenses:
The most effective response to malware is backing up your data frequently. That requires diligent backup schedules. An even more effective defense is to perform the backup on an external drive that is disconnected from the computer and the Internet when not doing backups, so that RansomWare running on the computer cannot reach it. Keeping your operating system up to date will also help. A good operating system will also include a system restore function to assist in system recovery when attacked.
An important practice is to exercise the backup and restore procedure even if an attack is not detected. In that way you confirm that the backups are actually restorable and build your confidence in your defensive tools.
Chapter 26
Underwriter's Laboratory Secure Transaction Listing
Purpose: Explain UL Role
Action: Obtain UL Transaction Security listing
Who is UL?
UL is an international organization. It sets operating and performance standards for articles used in homes, offices and factories. It offers testing of articles against the standards definition. The testing results are made widely available. Perhaps their most important use is in the Insurance industry, where the results are used to set insurance rates. (See Wikipedia for a more comprehensive discussion of the UL role).
Transaction Security:
A recent addition to the UL standards is one for Transaction Security. This testing function for chip related products and systems includes:
POS testing
ATM testing
Brand testing
Card personalization testing
Handset testing for network attachment
Mobile secure element testing, and
ISO functional testing.
These tests assure interoperability, a major step preceding productive operation. These steps assure the test candidates that they will meet the requirements of a very competitive marketplace.
More details are available from services.ul.com on the Internet.
Chapter 27
Using Partial SYIU Solutions
Purpose: Describe use of a partial usage solution.
Action: Take advantage of SSS in more situations.
The Usual Situation:
The SPARC Security Solution is designed for use in a complete transaction. That includes initiation, transmission, processing, return transmission and completion. What is an incomplete transaction? For example: initiating a transaction that does not require a completion.
The incomplete transaction, such as a posting of information, is still subject to the Internet challenges. It must still secure a transaction from a Lost or Stolen device. It must still prevent the effective use of an overheard transmission. It must still prevent the “uploading” of fraudulent applications, malware or viruses to the Application Control Institute.
The other processes that may be partial include IOT, multiple ACI's and payments. Each is handled as the partial transmission process. Since the protection is in the application program, the protection continues until the application is ended, completely or partially.
The objective is to make the application as complete as possible with the SPARC SS protection functions. That assures the maximum survival of the SSS protection functions.
Chapter 28
Complying with Payment Card Industry Data Security Standard
Purpose: Comply with PCI Data SS
Action: Demonstrate conformance.
The PCI DSS Requirement:
Control Objective and PCI DSS Requirements:
Build and maintain a secure network.
    1. Install and maintain a firewall configuration to protect cardholder data.
    2. Do not use vendor supplied defaults for system passwords and other security parameters.
Protect cardholder data.
    3. Protect stored cardholder data.
    4. Encrypt transmission of cardholder data across open public networks.
Maintain a vulnerability management program.
    5. Use and regularly update anti-virus software on all systems commonly affected by malware.
    6. Develop and maintain secure systems and applications.
Implement strong access control measures.
    7. Restrict access to cardholder data by business need-to-know.
    8. Assign a unique ID to each person with computer access.
    9. Restrict physical access to cardholder data.
Regularly monitor and test networks.
    10. Track and monitor all access to network resources and cardholder data.
    11. Regularly test security systems and processes.
Maintain an information security policy.
    12. Maintain a policy that addresses information security.
Who are the PCI?
They are the major branded credit card schemes of VISA, MasterCard, American Express, Discover and JCB (Japan Card Business).
How does SPARC Security Solutions conform to PCI DSS?
Let's start with a review of the SSS process:
The SSS transaction process starts with DUAL CONTROL. The Smart Phone transaction process starts with (1) two Smart Phone applications; or (2) two smart phones; or (3) a Smart Phone and a Security Device. Those actions create a SPARC Identification Number (the SIN) which replaces the True Account Number for DE-IDENTIFICATION.
The De-Identified message is transmitted via the Internet to the Application Control Institute (ACI), e.g. the bank. The ACI uses DATA BASED CONTROL to recover the true account number. The ACI processes the transaction and reverses the process. A return SIN is computed. The return message is de-identified. The return message has its SIN validated by Dual Control and the transaction is completed.
How has the 12 Step PCI DSS Process been completed?
1. SIN validation before acting creates a firewall.
2. There is no use of a password.
3. ACI stored cardholder data access requires a SIN validation.
4. Encryption is replaced by a De-Identified message.
5. Acceptance is limited to SIN validated messages, hence resisting fraudulent applications, malware or viruses.
6. SPARC Security Solutions offers a secure system for application access.
7. Access to cardholder data requires SIN validation.
8. Each access device and user has a unique SIN.
9. Physical access to cardholder data requires a validated SIN.
10. All access requires SIN validation and identification.
11. User processes allow regular system testing.
12. Installing and using SPARC SS is a clear security process.
Other PCI DSS based Payment Security Offerings
Accertify
ACI Universal
Authorize.net
Braintree
Cybersource
EBAY Enterprise
Paypal
Shopify
Symantec
Thawte
TrustGuard
Vantiv
Summary: The SPARC SS offering is unique. It is 100% compatible with existing transaction security standards and data based controls. It works with all Smart Devices and their operating systems without modification. It uses security processes with over 20 years demonstrated success.
Chapter 29
The Price of NOT Using The SPARC Security Solution
Purpose: Demonstrate Complexity NOT Required by SPARC
Action: Issues Avoided as a Specific Result of Adopting SPARC
Major Bank's Message to Smart Phone accepting merchants:
Beware of Data Compromise as a merchant.
What is Data Compromise?
Steps to take when suspicious of data compromise.
    Contain and limit the exposure.
    Provide notification to Bank's executive.
    Follow legal requirements to government authorities.
What happens during a data compromise investigation.
    Forensic investigation.
    Report findings.
    Identify accounts at risk.
    Merchants determine fines and liabilities.
    Comply with the PCI DSS – validate PCI compliance.
Is it a Common Point of Purchase (CPP)?
    A source of multiple fraudulent transactions.
    Where did the fraud take place?
    Who reported the fraudulent activity?
    What does a CPP do?
    What does the bank do for a reported CPP?
Understand your PCI compliance requirements.
Major Bank's message to smart phone using customers:
Don't be fooled by an imposter
Stay away from a hard sell
Don't adopt a pet password
Put up a shield
Use common sense
Open with care
Be on the lookout
Use internal controls
Guard your bank's ID and password.
Protect yourself online
Log on frequently
Understand bank's security provisions.
Understand mobile products and services.
Chapter 30
All Again In Summary
Purpose: Describe a new Smart Device security solution.
Action: Add this application to your smart device.
The Internet Challenges:
Use of the Internet is very attractive. It offers a world-wide, low cost access to the world. However, with the use of Smart Devices it has three serious challenges. (1) The using Smart Devices are Lost or Stolen. That was 50% last year in the United States and higher elsewhere. (2) The wireless transmission from the Smart Device to the Internet interface unit, although only 10 centimeters distance with NFC, along with legitimate downloads, is over-heard and the transmissions are stolen for fraudulent reuse. (3) The Internet use is not secured and often provides downloads of fraudulent applications, malware and viruses, among the legitimate downloads.
Securing a Transaction System:
How do we secure credit card transactions? The secret is two-fold. Each credit card has a forty digit true account number (TAN). That is used to access a database which contains all the reported transactions for the card. That combines two security techniques. One is a card plus a signature or SPARC SS 6 character PIN code. That is dual control. Second is the compilation of card activity in a data base. This security solution has been used by most card issuers for more than 30 years with losses contained to less than 1% of total sales. (See the latest VISA annual report).
The Magic 40 Digits:
The 40 digits contain, in card usage, an issuer identification, a unique card number identification and some discretionary data such as the card expiration date. The SPARC Security Solution in a smart device uses a separate security application with a unique security number for each user. This SPARC Security Number (the SIN) is used in the message to the data base in place of the TAN. This process is called De-Identification, based on a US Government patent of twenty years ago. The Dual Control is achieved by requiring a 6 character SPARC PIN entry to the security application. It then provides the SIN to replace the TAN in the transaction message to the database controller. The SIN carries the SPARC PIN entry for evaluation at the database and a Transaction Number (TN).
When received at the database controller, the SIN is used to recover the TAN, the SPARC PIN and TN are validated, and the transaction is processed. The return process to the Smart Device reverses the process. In summary, the use of two applications and a SPARC PIN to initiate the transaction prevents the effective use of the smart device if it is lost or stolen. The use of the SIN in place of the TAN prevents an over-heard transmission from being effectively used. Use of the SIN at the database or in the return message allows the system to separate a genuine transaction, with a valid SIN, from downloading of fraudulent applications, malware or viruses, all of which lack a valid SIN.
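The flow just summarized, modelled end to end as an added example written for this edition. It is not the patented SPARC process and not the book's code: the message layout, the way the PIN entry is carried, and the use of a random identifier as the SIN are all assumptions made for the illustration (the book states the SIN conforms to the transaction account number format). The model keeps the three properties the chapter claims: a lost or stolen device without the correct SPARC PIN produces messages the database controller rejects; an over-heard message cannot be replayed, because the Transaction Number must advance and is bound to the PIN-derived check; and a message from an application that holds no enrolled SIN is refused outright. The TAN and PIN values are constructed samples.

```python
"""Toy model of SIN-based de-identification with dual control and a
transaction number (TN) check at the database controller (ACI).

Editor's illustration, not the patented SPARC process.  Assumed design:
the device holds the SIN and a salt; the PIN is typed per transaction and
never stored; a PIN-derived key binds SIN, TN and payload into a check
value the ACI recomputes.  The ACI maps SIN -> TAN and insists that each
TN be larger than the last one it accepted for that SIN."""

import hashlib
import hmac
import secrets


def pin_key(pin: str, salt: bytes) -> bytes:
    """Derive the per-user check key from the SPARC PIN (assumed method)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def message_check(key: bytes, sin: str, tn: int, payload: str) -> str:
    """Bind SIN, TN and payload together under the PIN-derived key."""
    return hmac.new(key, f"{sin}|{tn}|{payload}".encode(), hashlib.sha256).hexdigest()


class SmartDevice:
    """Security application: knows its SIN and salt, never the TAN or PIN."""

    def __init__(self, sin: str, salt: bytes):
        self.sin = sin
        self.salt = salt
        self.tn = 0                      # last transaction number issued

    def build_message(self, pin: str, payload: str) -> dict:
        """Dual control: the message is only valid if the typed PIN is right."""
        self.tn += 1
        key = pin_key(pin, self.salt)
        return {"sin": self.sin, "tn": self.tn, "payload": payload,
                "check": message_check(key, self.sin, self.tn, payload)}


class ACI:
    """Database controller: the only party that can turn a SIN back into a TAN."""

    def __init__(self):
        self.records = {}                # SIN -> {"tan", "key", "last_tn"}

    def enroll(self, tan: str, pin: str) -> SmartDevice:
        sin = secrets.token_hex(8)       # assumed: random SIN, not TAN-derived
        salt = secrets.token_bytes(16)
        self.records[sin] = {"tan": tan, "key": pin_key(pin, salt), "last_tn": 0}
        return SmartDevice(sin, salt)

    def process(self, msg: dict) -> tuple:
        """Return (accepted, TAN) or (rejected, reason)."""
        rec = self.records.get(msg.get("sin"))
        if rec is None:
            return False, "unknown SIN"             # no enrolled application
        if msg["tn"] <= rec["last_tn"]:
            return False, "stale TN"                # replay of an over-heard message
        expected = message_check(rec["key"], msg["sin"], msg["tn"], msg["payload"])
        if not hmac.compare_digest(expected, msg["check"]):
            return False, "check failed"            # wrong PIN or tampered message
        rec["last_tn"] = msg["tn"]
        return True, rec["tan"]                     # de-identification reversed


def demo() -> dict:
    """Run the genuine case and the three failure cases the chapter names."""
    aci = ACI()
    tan = "4000123456789010" + "0" * 24             # constructed 40 digit sample
    device = aci.enroll(tan, pin="ABCDEF")          # constructed 6 letter SPARC PIN
    genuine = device.build_message("ABCDEF", "PAY 12.50 USD")
    results = {"genuine": aci.process(genuine)}
    results["replay"] = aci.process(genuine)        # over-heard and resent as-is
    bumped = dict(genuine, tn=genuine["tn"] + 1)    # resent with a fresh TN
    results["replay_new_tn"] = aci.process(bumped)
    results["wrong_pin"] = aci.process(device.build_message("ZZZZZZ", "PAY 999 USD"))
    rogue = dict(genuine, sin="deadbeef00000000")   # application with no enrolment
    results["unknown_sin"] = aci.process(rogue)
    results["next_genuine"] = aci.process(device.build_message("ABCDEF", "PAY 3.00 USD"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} -> {outcome}")
```

The order of the checks matters: an unknown SIN is refused before any cryptography runs, a stale TN is refused before the check is recomputed, and a failed check never advances last_tn, so a forged message cannot push the genuine device's next transaction out of sequence.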
This is a patented process. However, individual users are granted a free usage license. Anyone else should contact smartcard@sprynet.com for a low cost license. For a complete description of the process, including protection of important data such as social security numbers, contact us.
A SPARC Security Solutions Glossary
Purpose: Provide the definition of new terms
Action: Provide the terms used in a new application area.
SPARC Security Solutions Report Used Terms:
Apple Pay: An Apple Corporation provided smart device using NFC communications to initiate secure payments.
Attributes: A quality or feature regarded as a characteristic of something.
Bit Stream: A sequence of binary digits sent over a communications path, such as a television show.
BYOD Secure: Securing your own provided device.
Cardware: A style of software distribution.
Cloud: A data center connected to the Internet.
Cyber attacks: An unauthorized security attack on a computer or communications network.
Data based control: Using cumulative account activity to assess account security status or transaction validity.
De-Identification: Removal of elements connecting data with its source. Patented by the US Government.
Dual Control: A security process requiring two processes or actions to gain authorization or to enable a process.
Easypay: A digital payments device or program.
Fraudulent application: A smart device program designed to perpetrate an illegal purpose.
Hacker: One who uses software to gain access to or to cause damage to a computer system or via the Internet.
Identification Insurance: Financial protection against identification theft.
iDoctor: A set of digital tools for use by a physician. (Accessible using UTube).
Ipal6: An Apple Corporation provided Smart Device.
Malware: A smart device program designed to be harmful, usually delivered via the Internet.
Marketing manager: A customer definition or sales based action plan director.
Pay: To give value.
PIN: A personal identification number of 4 digits.
Powerpoint: A software program to provide a multiple screen presentation.
Product manager: A device definition or family of devices plan director.
Security: Protection from distortion, abuse or any type of attack.
SIN: SPARC Identification Number. Conforms to the International standard for transaction account number (TAN).
SPARC PIN: A six alphabetical character code for secure application access.
Things: Smart devices that interface to the Internet. Usually with two devices interacting.
Viruses: A smart device program capable of copying itself and corrupting a computer system or destroying data.
SPARC Report terms NOT used:
Authentication: A security process using two means of identification.
Encryption: A key driven data encoding process.
Multiple factor authentication: A security process using more than one means of identification.
Tokenization: Using a random number to replace a True Account Number.