Identifying with your Bank Sid Sidner, Ping Identity IIW 13 - October, 2011




With the adoption of EMV bank cards by the US, a strong authN, global identity system is possible, using the payment card network to handle the identity transactions


Page 1: Iiw13 identifying with_your_bank

Identifying with your Bank

Sid Sidner, Ping Identity

IIW 13 - October, 2011

Page 2: Iiw13 identifying with_your_bank

EMV Smart Chip Banking Cards Are Coming to the U.S.

● Visa has created financial incentives that should drive issuers to issue EMV bank cards and merchants to accept them, by 2015

● The U.S. has been the last holdout in worldwide EMV bank card deployment

● These cards will support NFC

● This event offers new possibilities in identity

● The banks could offer a global, strong identity system, with fees proportionate to the risk

● I want to know what you think!

○ Feasibility?

○ Risks?

○ Desirability?

Page 3: Iiw13 identifying with_your_bank

Why are chips so important?

● S/w is only good for low value transactions due to malware

● You need hardware crypto w/ dedicated display and user input that can't be corrupted by software

Page 4: Iiw13 identifying with_your_bank
Page 5: Iiw13 identifying with_your_bank

Tamper Resistant Security Module Architecture

Page 6: Iiw13 identifying with_your_bank

IBM ZTIC

Page 7: Iiw13 identifying with_your_bank

VASCO 865

Commercial ZTIC implementation

Page 8: Iiw13 identifying with_your_bank

Why do EMV bank cards change the world of identity?

Several factors make EMV bank cards so important:

● Eventually every Internet user in the world will have one or more.

● They are very secure.

● They work well with personal computers, mobile devices, and even physical lock systems.

● The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.

Page 9: Iiw13 identifying with_your_bank

Bank Card Network Links

Page 10: Iiw13 identifying with_your_bank

How would EMV bank cards work for identity?

● The global bank card network adds a new identity transaction to the payment network (ISO 8583, ISO 20022)

● The fee for the transaction is scaled, based on the risk associated with using the authentication (E.g. ordinary login, $0.001; $50,000 purchase, $5.00)

● Relying parties use their existing interface to the payment network

● Readers added to PCs and mobile devices (and door locks)
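The four bullets above describe one round trip: the card signs what the relying party asks, the request rides the existing payment-network interface, and the issuer verifies it and prices it by risk. The following simulation is an added example written for this page, not code from the deck, EMVCo or Ping Identity. Its assumptions: an HMAC-SHA256 tag over the transaction data stands in for the EMV cryptogram the chip would compute; the request is a Python dict labelled with the real ISO 8583 message type indicators 0100/0110 and field-39 response codes 00, 05 and 14, but the field layout for the new "authentication" transaction is invented; the card identifier and key are constructed placeholders; and the fee curve ($0.0001 per dollar of value, floored at $0.001) is chosen only because it reproduces the two fees the slide quotes. The replay and tamper checks mirror EMV's unpredictable number and application transaction counter (ATC).

```python
"""Constructed simulation of an identity transaction riding the payment network.
Not EMVCo, ISO or Ping Identity code; the cryptogram, message layout and fee
curve are assumptions for illustration only."""
import hashlib
import hmac
import secrets

# Constructed issuer key table: card identifier -> card-unique key (placeholders).
# A real chip derives this key inside tamper-resistant hardware; it never exists
# in software on the user's PC, which is the deck's point about malware.
ISSUER_KEYS = {"PAN-EXAMPLE-0001": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")}


def cryptogram_input(pan, atc, rp_id, unpredictable_number, amount_cents):
    """Data the card signs: who asks, a fresh RP nonce (EMV's 'unpredictable
    number'), the card's transaction counter (ATC) and the value at stake."""
    return f"{pan}|{atc}|{rp_id}|{unpredictable_number}|{amount_cents}".encode()


def compute_cryptogram(key, pan, atc, rp_id, unpredictable_number, amount_cents):
    """HMAC stand-in for the EMV application cryptogram (assumption, not EMV)."""
    data = cryptogram_input(pan, atc, rp_id, unpredictable_number, amount_cents)
    return hmac.new(key, data, hashlib.sha256).digest()[:8].hex()


class Card:
    """Stands in for the chip: holds the key and a monotonically increasing ATC."""
    def __init__(self, pan, key):
        self.pan, self.key, self.atc = pan, key, 0

    def generate_cryptogram(self, rp_id, unpredictable_number, amount_cents):
        self.atc += 1
        return self.atc, compute_cryptogram(self.key, self.pan, self.atc, rp_id,
                                            unpredictable_number, amount_cents)


def auth_fee_millicents(amount_cents):
    """Risk-scaled fee in thousandths of a cent. Assumed curve: $0.0001 per dollar
    of value (1 millicent per 10 cents), floored at $0.001 (100 millicents)."""
    return max(100, amount_cents // 10)


class RelyingParty:
    """Uses its existing payment-network interface: an ISO 8583-style 0100 request."""
    def __init__(self, rp_id):
        self.rp_id = rp_id

    def build_request(self, card, amount_cents=0):
        un = secrets.token_hex(4)  # fresh per transaction, so a captured message cannot be replayed
        atc, cryptogram = card.generate_cryptogram(self.rp_id, un, amount_cents)
        return {"mti": "0100", "pan": card.pan, "rp_id": self.rp_id,
                "amount_cents": amount_cents, "atc": atc,
                "unpredictable_number": un, "cryptogram": cryptogram}


class Issuer:
    """Verifies the cryptogram with the card's key, rejects replays, prices the result."""
    def __init__(self, keys):
        self.keys, self.last_atc = keys, {}

    def authorize(self, msg):
        key = self.keys.get(msg["pan"])
        if key is None:
            return {"mti": "0110", "response_code": "14"}  # ISO 8583: invalid card number
        expected = compute_cryptogram(key, msg["pan"], msg["atc"], msg["rp_id"],
                                      msg["unpredictable_number"], msg["amount_cents"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return {"mti": "0110", "response_code": "05"}  # do not honor: data altered or wrong key
        if msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return {"mti": "0110", "response_code": "05"}  # ATC did not advance: replay
        self.last_atc[msg["pan"]] = msg["atc"]
        return {"mti": "0110", "response_code": "00",      # approved
                "fee_millicents": auth_fee_millicents(msg["amount_cents"])}


def run_demo():
    """Returns (login, $50,000 purchase, replayed purchase, tampered purchase) responses."""
    card = Card("PAN-EXAMPLE-0001", ISSUER_KEYS["PAN-EXAMPLE-0001"])
    issuer, rp = Issuer(ISSUER_KEYS), RelyingParty("example-rp")
    login = issuer.authorize(rp.build_request(card))               # ordinary login, no value
    purchase_msg = rp.build_request(card, amount_cents=5_000_000)  # $50,000
    purchase = issuer.authorize(purchase_msg)
    replay = issuer.authorize(purchase_msg)                        # same message submitted twice
    tampered = issuer.authorize(dict(purchase_msg, amount_cents=1))  # amount changed after signing
    return login, purchase, replay, tampered


if __name__ == "__main__":
    for label, resp in zip(("login", "purchase", "replay", "tampered"), run_demo()):
        print(label, resp)
```

The login is approved at 100 millicents ($0.001) and the $50,000 purchase at 500,000 millicents ($5.00), matching the slide; the replayed and tampered copies of the purchase are declined because the issuer, not the user's software, holds the verification key and the counter state.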

Page 11: Iiw13 identifying with_your_bank

What’s so special about EMV?

Ubiquity!

● 20 years: security & deployment

● Hundreds of millions of EMV bank cards have been issued.

● Largest public key infrastructure that has ever been deployed

● EMV transactions are routed over the standard global payment card network, so EMV bank cards can be issued and used anywhere.

● A business model for exchanging cash for value

Page 12: Iiw13 identifying with_your_bank

Alternatives?

● Specialized smart cards: DoD CAC card, Hong Kong national ID card

● SIMs used in GSM mobile phones (AT&T, T-Mobile, European telcos)

● SD cards: memory + crypto

● TPM (Trusted Platform Module): widely deployed in Dells and others

None of them have all the key attributes:

● Global

● Secure key distribution framework

● Monetization of risk to incent secure behavior among stakeholders

Page 13: Iiw13 identifying with_your_bank

What about fraud?

● There is risk of fraud in any transaction - goal: drive it low enough to be absorbed in the transaction fees

● EMV has been hacked to bits. See the most recent Cambridge one in the Links page - amazing. But it gets addressed, which is what makes EMV so strong

Page 14: Iiw13 identifying with_your_bank

What needs to happen?

1. The rest of the PCI needs to follow Visa

2. The PCI networks need to add an authentication transaction into the transaction set

3. Standard reader implementation, UX, and protocol need to be defined

4. Issuers need to offer these authN services; relying parties need to use them

5. "EMV in a phone" needs to be defined, to replace bank cards

Page 15: Iiw13 identifying with_your_bank

Links

PingTalk blog entries

● https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/9/27/Identifying-with-your-bank--part-1-of-2

● https://www.pingidentity.com/blogs/pingtalk/index.cfm/2011/9/28/Identifying-with-your-bank--part-2-of-2

Visa announcement: http://corporate.visa.com/media-center/press-releases/press1142.jsp

EMV: http://www.emvco.com/

NFC: http://arstechnica.com/gadgets/guides/2011/02/near-field-communications-a-technology-primer.ars/

Sid's InfoCard/3DSecure idea: http://tootallsid.blogspot.com/2006/12/infocard-and-e-commerce.html

Page 16: Iiw13 identifying with_your_bank

More Links

Zeus: http://en.wikipedia.org/wiki/Zeus_(trojan_horse)

ZitMo: http://www.hackprotector.com/tag/zitmo-malware/

ZTIC: http://www.zurich.ibm.com/ztic/

VASCO: http://www.vasco.com/products/digipass/digipass_readers/connectable/digipass_865.aspx

DoD CAC: http://www.cac.mil/

SIM: http://en.wikipedia.org/wiki/Subscriber_Identity_Module

TPM: http://en.wikipedia.org/wiki/Trusted_platform_module

Cambridge EMV hack (watch video!): http://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

ISO 8583: http://en.wikipedia.org/wiki/ISO_8583

ISO 20022: http://www.iso20022.org/