1 Vote
Contributor
The U.S. government wants to set up an identity framework that guarantees everyone is who they say they are. Is it possible? Is this the "much talked about" Internet ID?
If the banks each made their own PayPal-like services it would go a long way towards protecting the customers. With all transactions redirected to the bank's site for approval, financial data stays private between the customer and their bank.

The next best thing is to insist on trusted third-party payment services like Amazon Payments and Google Checkout. That way you're only giving your information to one company instead of everyone you do business with.

Of course, the best online payment system in the world isn't going to help much if your computer has malware on it, so a bit of paranoia about what programs you run is also helpful. Basically, only download software from trusted sources (like download.cnet.com or any major Linux distribution's repositories) and make sure it's digitally signed.

In sum:
1. Make sure you trust everyone you share your financial details with.
2. Make sure you trust everyone you download/run software from.
3. Trust as few people/businesses as possible.

This works great for online transactions and computer security, but I still haven't come across anything comparable for the offline world.
1 Vote
Contributor
How would having a PayPal account be any different if someone stole your credentials?
0 Votes
Responsibility
stevew@... 18th Jan 2011
Many times I am not even out of the store before PayPal has emailed me regarding my purchase. I appreciate the way PayPal treats my card as cash so if (forbid!!!) my credentials are stolen I know about it almost in real time and can deal with it. No easy answers, just intelligent solutions.
0 Votes
PayPal email
stevew@... 19th Jan 2011
That's the idea. In my case, my phone simply reflects my regular email. I have yet to use my "smart phone" to make web purchases.
0 Votes
Contributor
I appreciate the heads up about PayPal.
Merchants cannot steal your credentials if they are never given access to them. If your computer and wallet are secure and you only share your credentials with one or two payment processors like PayPal, then the only way left for someone to steal your credentials is by breaking into your bank or payment processor's system.

In theory this eliminates the problem of stolen credentials, but in practice it turns into a balance between long-term security and short-term convenience. For every cool product that cannot be bought with PayPal there's a choice between missing out or risking your data with that merchant. Similarly, for computers there's the choice between missing out on a cool app or risking your security. There are workarounds like one-time credit card numbers and sandboxes, but they aren't yet convenient enough for most users, so credentials will be stolen.

Once the credentials are stolen it comes down to the protections offered by your bank and payment processor. First, you have to notice that the information was stolen in the first place. For example, I have alerts set up with my bank so that I get emails whenever purchases exceed $0.00, so I'm alerted of every little thing. I also have my Gmail set to auto-label messages from my bank and to hide labels with no unread messages, so when I have messages from my bank the label stands out.

I don't know what the procedure is with PayPal, but any decent financial institution should have a procedure something like this:
1. User notices problem with account
2. User notifies institution of problem
3. Account is locked/suspended until issue is dealt with
4. User resecures computer
5. User provides proof of account ownership that goes well beyond the information stolen
6. Institution sends user a one-time code to access account again and reset password, etc
7. User and institution negotiate unauthorized transactions that happened before step 2
8. User is more careful next time

The process can be streamlined somewhat, but it is intrinsically more complicated to regain security than to maintain it in the first place. It's either paranoia now or paperwork later.
0 Votes
Contributor
But, what you suggest really only applies to online activities. I have been trying to determine the percentages of online versus physical loss and have not been successful yet.

The other problem is that most criminals sit on the CC numbers for months. Then sell them out of the country. I suspect that is what happened to me.
Firstly, another great article Mike. Through reading your and your readers' posts over the last couple of years I've grown to consider this column to be a great way of keeping those of us outside the US across current thinking over there happy.

My take on this is possibly controversial in places, but fairly simple (perhaps too simple?):

Governments seem to consistently, (and I'd argue deliberately), miss the point on this in always trying to attack it from the consumer side. It's my view that this is because it's easier for them to do that than force large, heavily influential, corporations to take some responsibility. Evidence of this being a trend in their approach to the finance industry is found through the systematic failures we have experienced during the GFC (largely caused by lack of regulation) and the abject lack of any significant re-addressing of real protection to the consumer through governance and regulation since.

I don't think it's way off mark to consider that the vast majority of on-line fraud is essentially a means of finance for organised crime and terrorism. However whilst governments are very willing to fight very visible wars on terror, drugs, people trafficking etc., (arguably because a by-product of this is the growth of domestic industries that are associated with these "wars"), they appear reluctant to take simple measures which would hit the target organisations' hip pocket at source, because it means a bit of regulation of the finance industry.

The problem with the current system of payment processing is that it's (almost) completely self-regulated. Banks have clubbed together to create their own inter-bank payments systems, the members collectively agreeing on certain requirements to be a member of the club (such as interchange traffic encryption etc). The big players in the credit payment processing industry (e.g. Visa, Mastercard) also have a reasonably substantial set of regulations which financial institutions have to meet (and are regularly audited on) in order to be authorised to process payments on their behalf.

However, all of these self regulation mechanisms are essentially geared toward protecting payments in transit (from institution to institution) not necessarily at creation, and arguably - protecting the financial institution from commercial losses, not necessarily the consumer. As an example, whilst Visa might have strict instructions on how PINs, account details and transaction details are encrypted over the wire and/or from the EFTPOS machine, there's very little mandated on how the financial institution stores or captures data from the consumer.

Your posts in the past have discussed the merits and problems with various forms of 2FA. Whilst the exact method that delivers the best security is still (and probably will remain) a matter for debate, it's my view that through legislatively imposing a simple requirement on any bank involved in any international payment clearing system to require ANY transaction be authenticated with an approved clientless 2FA method (FDIC & FFIEC approved for you guys in the US), a dramatic reduction in fraud would result.

Sure, this proposal has an immediate flaw in that the discussion on what sort of 2FA is the right one could continue forever! But I'm sure that if the G8 or G20 collectively could decide to legislate their nation's clearing banks to require their members to do the above, the commercial reality of such a potential sale would cause all the major players to significantly step up, and also drive such economies of scale that remove the potential for banks to whine about the costs associated with such a proposal!

What do you think?
0 Votes
Contributor
To read comments like yours. This article was particularly difficult to pull together.

You have a good grasp of what is happening. At least in my view, you do. My favorite choice for multifactor authentication is the Dynamic card. You may remember this article:

http://blogs.techrepublic.com.com/security/?p=4451

Two members have pointed out to me that PayPal has a new system that uses the mobile phone as the second factor. It seems like a viable solution:

https://www.paypal.com/helpcenter/main.jsp;jsessionid=ywyQN2VhGZmgG4LkCpPzz1mQdnpmvr5w7GyzQLPjHGLjnHnnmHzv!59728215?t=solutionTab&ft=homeTab&ps=&target=_parent&solutionId=162662&locale=en_US&_dyncharset=UTF-8&countrycode=US&cmd=_help&bn_r=h

Does Australia use the Chip and PIN method currently?

Also, if you have any topics from down under that you would like to see discussed, please PM and I will check them out.
Yes Mike, the good news is that Chip and PIN is being rolled out on our major bank issued credit cards (with varying degrees of speed). However, the option to sign is still there for the time being which obviously still leaves the door open for fraud at POS.

On the 2FA side currently there are a couple of banks here which issue RSA style tokens with retail on-line bank accounts, and a few which issue them for business accounts. Most of the "big four" banks (who hold market share in Oz) have opted for mobile / SMS transaction authentication as a standard for retail users, with hardware token or "smart-card" being offered to high volume users (usually business banking), despite heavy criticism in Aussie tech press about the vulnerabilities associated with the SMS method. Some (e.g. NAB) are looking at voice print biometrics as another service (and have reportedly tried to call it 3FA?!), but again for me this smells more like maybe the marketing dept. getting involved in product choice as opposed to opting to use existing, hold in your hand style "something I own" 2FA options.

The Dynamic Card solution fits this bill perfectly and looks like it could be effective for both POS and online transactions, and is particularly attractive given its compatibility with current card readers. Do we know any more on how they're tracking?

It must be said that over here most banks seem to have no problem in passing charges on to consumers in the form of surcharges for transactions or monthly fees, and consumers seem to be happy to accept them (I'm originally from the UK and was frankly appalled at the cost of retail banking when I arrived here). Given that card issuing and POS & ATM replacement are not cheap, I do think it's on this basis (passing on some of the cost) that rolling out Chip and PIN and perhaps something like Dynamic Card in the future, is more palatable to the banks here than the impression I'm getting from reports in the states (population / market size difference aside!)
0 Votes
Contributor
I believe
Michael Kassner 20th Jan 2011
The Dynamic card is in trial right now with several of the big credit card companies. It is quite amazing how they get the electronics in such a small form factor and it is flexible.

I like the fact that you do not need anything else.
it is obvious the credit card companies are passing the cost to the vendor, and often rightly so. But at the same time the vendors should be doing something about it too. I've been a victim a couple of times, but only once has the item shipped. The address it shipped to was in the USA. So the vendor should get in touch with the local police and have them file a complaint. Shipping companies have gotten really good at delivering on time, so the PD will not waste time waiting for the delivery and seeing who picks it up. You only need to catch a few folks before the others stop doing it. My guess, based on the items purchased with my CC, is that these were kids and they will scare easily.
0 Votes
Contributor
What do you think the vendors could do to prevent the fraud if it happens online?
Look at this URL. It is in Romanian. Not at all. Click on the language drop down resource placed in the upper right corner, choose English. Et voilà. This article can be read in many languages.
The article is not in connection with the topic. It refers to Oct. 28th, 2011 vs Dec. 21st, 2012.

But if you read carefully, I find out the decaying of dollar.
Sincerely,
Dan
0 Votes
Biometrics
ivank2139 18th Jan 2011
I have heard that iris scanning technology can verify your identity from 30+ feet away and without your consent. Once there are enough cameras in place at important places and Point of Sale it will not be so easy to commit fraud. The whole notion of privacy is going to be challenged, as Scott McNealy once said, "forget about it, you don't have any privacy". Or something to that effect.
0 Votes
Contributor
Is where most of the problem is. In the U.S. it is hard to verify the credit card is rightfully being used.
Not interested in letting the Fed manage this. They will mandate a back door for themselves, a security risk in and of itself. Not to mention they are lousy at managing their own systems.
0 Votes
Contributor
Do you have any suggestions? I am hoping to gather up some.
0 Votes
Flexibility
Spitfire_Sysop 18th Jan 2011
I like one-time use codes. It's like a blank check. There is only one and it is controlled. You at least know what day it was issued and who you gave it to. It is important that we don't end up with a system that is unforgiving. For example if I want to allow my wife to use my credit card or if I am given a business card by my boss to make a purchase. I would need to allow temporary purchasing authority.

This is not a system that should be controlled by the government unless you are banking with them. Perhaps NIST could define requirements that must be met by financial institutions in order to be compliant with a new secure payment system. This would create a baseline security model allowing banks to make their systems even more secure if they choose and thus competitive.
0 Votes
Contributor
I have a Discover card with one-time CC numbers. The problem is that not all businesses take it.

The inconvenience of looking it up on the website is a problem as well.

I am hoping a CC like the one I wrote about gains traction soon:

http://blogs.techrepublic.com.com/security/?p=4451
That solution looks cost prohibitive. I prefer a simple reactive solution like the PayPal SMS pin system. Whenever a request for payment is issued, I would receive an SMS message on my cell phone with a 6 digit one time use code. This then must be given to the retailer to complete the transaction. I like this solution because it would notify you every time the card is used.

Here is what PayPal has now:
https://www.paypal.com/helpcenter/main.jsp;jsessionid=ywyQN2VhGZmgG4LkCpPzz1mQdnpmvr5w7GyzQLPjHGLjnHnnmHzv!59728215?t=solutionTab&ft=homeTab&ps=&target=_parent&solutionId=162662&locale=en_US&_dyncharset=UTF-8&countrycode=US&cmd=_help&bn_r=h
0 Votes
Contributor
I was unaware
Michael Kassner Updated - 18th Jan 2011
Of that service. I thought they still used the SecurID approach. This appears to be much better. Does it work everywhere?

Thanks for pointing it out.
0 Votes
Especially
d_g_l_s@... 18th Jan 2011
the Obama/Democrat Liberals, though overall it should not be any government involvement except to make sure it gets done and done best.
0 Votes
Contributor
Good point
Michael Kassner 18th Jan 2011
What you suggest may be what the government decides to do. They seem to want all involved parties at the table.
0 Votes
Sounds best
d_g_l_s@... 18th Jan 2011
I keep enjoying your articles and their appropriateness to the issues at hand. Keep up the good work Michael.
0 Votes
Contributor
Thank you
Michael Kassner 18th Jan 2011
I always appreciate hearing that I am hitting on important topics.
I can't believe we have stuck with the retailer charging your bank/Visa, instead of the retailer sending us the invoice, and us authorizing payment from our bank to the retailer.

This is how it would work. You checkout. The retailer sends the invoice to you with a unique id. IR to your smartphone? You send the authorization to your bank with the unique id, and the bank sends the payment to the retailer with the unique id. The cash register says "Yup, I am paid!" and you're done.
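The invoice-push flow proposed in the post above, sketched as an added example that is not part of the original post or any real payment system. The `Bank` and `Register` classes, the per-merchant HMAC key on the bank's payment notice, and the sample balances are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: str    # unique id the retailer attaches at checkout
    merchant: str
    amount_cents: int


def _mac(key: bytes, merchant: str, invoice_id: str, amount_cents: int) -> str:
    # Binds the payment notice to one merchant, one invoice and one amount.
    msg = f"{merchant}|{invoice_id}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Bank:
    """Hypothetical bank that pays a retailer only on the customer's instruction."""

    def __init__(self, merchant_keys, balances):
        self.merchant_keys = merchant_keys   # merchant -> shared MAC key (assumption)
        self.balances = balances             # customer -> balance in cents
        self.paid_ids = set()                # (merchant, invoice_id) already paid

    def authorize(self, customer, invoice):
        key = self.merchant_keys.get(invoice.merchant)
        ref = (invoice.merchant, invoice.invoice_id)
        if key is None or ref in self.paid_ids:
            return None                      # unknown merchant or replayed id
        if invoice.amount_cents <= 0:
            return None
        if self.balances.get(customer, 0) < invoice.amount_cents:
            return None                      # no funds: retailer is never told "paid"
        self.balances[customer] -= invoice.amount_cents
        self.paid_ids.add(ref)
        return {"invoice_id": invoice.invoice_id,
                "amount_cents": invoice.amount_cents,
                "mac": _mac(key, invoice.merchant, invoice.invoice_id,
                            invoice.amount_cents)}


class Register:
    """Hypothetical cash register: releases goods only on a valid bank notice."""

    def __init__(self, merchant, key):
        self.merchant, self.key = merchant, key
        self.open_invoices = {}
        self.paid = set()

    def checkout(self, amount_cents):
        inv = Invoice(secrets.token_hex(8), self.merchant, amount_cents)
        self.open_invoices[inv.invoice_id] = inv
        return inv

    def accept_notice(self, notice):
        if not notice:
            return False
        inv = self.open_invoices.get(notice.get("invoice_id"))
        if inv is None:
            return False                     # unknown or already settled invoice
        # Recompute the MAC over the register's own copy of the invoice, so a
        # notice for a different amount cannot settle it.
        expected = _mac(self.key, self.merchant, inv.invoice_id, inv.amount_cents)
        if not hmac.compare_digest(expected, str(notice.get("mac", ""))):
            return False
        del self.open_invoices[inv.invoice_id]
        self.paid.add(inv.invoice_id)
        return True


def demo():
    key = secrets.token_bytes(32)            # constructed sample data throughout
    bank = Bank({"corner-shop": key}, {"alice": 5_000, "bob": 100})
    till = Register("corner-shop", key)
    inv = till.checkout(1_999)
    notice = bank.authorize("alice", inv)
    results = {"paid": till.accept_notice(notice),
               "replayed_notice": till.accept_notice(notice),
               "second_authorization": bank.authorize("alice", inv),
               "alice_balance": bank.balances["alice"]}
    inv2 = till.checkout(1_999)
    results["no_funds"] = bank.authorize("bob", inv2)
    underpaid = Invoice(inv2.invoice_id, inv2.merchant, 1)   # amount altered in transit
    results["underpaid"] = till.accept_notice(bank.authorize("bob", underpaid))
    return results


if __name__ == "__main__":
    print(demo())
```

The merchant never receives a card number or account credential; the only thing it holds is the invoice id and the key used to check the bank's notice.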
0 Votes
Contributor
What if
Michael Kassner 18th Jan 2011
Your card is stolen and the bad person just does not forward it to the financial institution?
0 Votes
There aren't any cards. Think of it as the cashier asking for you to pay by sending you a list of the stuff you just bought along with cost and such, and a transaction number.

The retailer is paid by the bank instantly. If you don't have funds, he doesn't get paid, and you don't get your goods. The payments happen real time.

The retailer is relieved of the risk.

The same model could be used for online transactions.
0 Votes
as there are presently no hardware connections for banks from the POS device of the merchant. Of course in online transactions a lot of this is already happening. Some of my vendors already ask for direct check payment using my bank routing and account number data. However this still doesn't account for the security problems here.

It is even worse when your account at the bank gets cracked, opposed to you simply using a credit card. The credit card industry is far more compliant in taking the losses than the banking industry.
0 Votes
In a retail outlet, there is already a connection to a credit auth authority. The back office software usually takes care of that.

Notification advices for payments already exist in EDI, and other protocols. Any one of them could be used for this.

Security is using SSL that is already available. Both ways, client and server.

As far as losses, I think the banks already cover this. Otherwise, there would be no value over a check.

I had this idea 10 years ago. Online payments are the same. It is like PayPal. The credit card companies will fight this because they make percentages, and we should only be charged transaction fees.
0 Votes
Contributor
I will pass it along to the SMEs I was working with.
0 Votes
emphasis online fraud...
JCitizen Updated - 20th Jan 2011
SSL is no protection from online session riding attacks, however any authentication could be a problem there. This is why I mention separated hardware on PC online transactions, using dedicated land line, that is not IP based and hardwired against the internet.

My bank treats e-checking the same as debit cards; if you don't report the loss within 48 hours, you lose the money.

You may have already answered my arguments, but you are more knowledgeable about the methods and madness in these things. Since I still see banks getting hijacked using electronic transfers resulting from cracked business customer accounts, I fail to see the difference in customer data loss from backend servers in other commercial accounts.

Using a central exchange like PayPal would work until the crooks figure out how to crack PayPal, then all bets are off. I agree, that the huge corporation that owns PayPal and eBay would never sit still for this, but we could always use the anti-trust laws if this is a problem. Using something like this would reduce the load on identifying the true customer and who (s)he is, however I've not thought out how this side of the equation would change.

I still think a card that is like a cell phone with lo-jack installed is an inevitable outcome, as they have become so ubiquitous and economical. They wouldn't even need to be long range wireless devices, but they would need something better than RFID which in its present stage of technology can be pwned too!
The proper government role is to apply pressure to the card industry. With motivation in the form of regulations, fines for non-compliance, etc., I think the larger players could manage to develop a cooperative solution, similar to the development of the PCI standards. Single-use card numbers work in some situations, say when shopping at home or work. A more comprehensive solution will require real-time analysis of online payment transactions, i.e. those coming from untrusted networks, and possibly multiple forms of added authentication, whether one-time pads (think RSA-generated token appended to the CC number) and out-of-band confirmation, such as a phone call or SMS message to the cardholder's registered cell phone. In other words, require the use of multi-factor authentication for CC transactions for risky transactions, similar to online banking solutions. The challenges are in providing such solutions to merchants and scaling the transaction processing systems to handle the analysis.
0 Votes
I do agree
d_g_l_s@... 18th Jan 2011
especially since they make enough money off of its use. It would seem to be the wisest for them to take action and the government's role should be what you said, to get them going, requiring them to take action responsibly.
0 Votes
Contributor
You hit on the crux of the problem. Getting everyone to play nice and buy into a common process.
0 Votes
and his points. What if we made every PC a POS device? You would only be able to input data by credit card through a sealed hardware POS embedded in all new PCs. These devices would be separated by firmware that could not be flashed except by previously mentioned authority, and would only communicate out to the web by VPN.

I'm sitting here wondering if this would actually require a separate data line; and it probably would. However, as I peruse the local phone directory, I notice almost 1/3 of the listed phone subscribers have a separate data line.

If the industry could subsidize this huge change themselves, it would probably pay for itself in quick order, by the simple fact that losses would go down.

Incentive for folks to join the POS community could be had by offering discounts on merchant trade goods. The only stick in the mud would be getting the ISPs to allow discounts for installing all those separate data lines. I would think it could be done in dial up, if that would make it any cheaper; and dedicated phone line is better for security than VPN any day.

Please shoot down my theories; I'm sure there is a gaping hole in my idea here somewhere.

Hardware costs shouldn't be an issue - look how many of the new PCs now have built-in wireless and high def video! What is one more gizmo going to hurt? I saw a cellphone with a card swiper on it quite a while ago.
0 Votes
Contributor
But, what makes this approach different from a PoS at a store or typing in your CC number? Would you require another form of authentication?
0 Votes
It doesn't....
JCitizen 18th Jan 2011
That is just it. The POS industry has tried hard to develop simple swipe and authorize systems that are hard wired and use the dial up dedicated phone lines to communicate to the servers. This has worked well, overall. What has not worked well is after this information gets to the individual server services the merchant maintains for keeping records or tracking customer data; these are what I read are getting cracked. Of course there are always the slick criminals who find ways to fiddle with the hardware device to steal data, but that takes some very difficult sleight of hand, let alone the hardware improvements of the credit card industry.

Since there is such a ubiquitous use of card swipers in all brick and mortar stores now, it would be nothing to build millions of these in an embedded motherboard design that had a swiper built into the system unit box or keyboard, etc.

As we have previously discussed on other articles you've written, the base design of the magnetic or chip'n pin tech of the regular plastic card, is not dead yet, so as a brain storming idea, it is not necessarily a bad idea to begin with here - IMHO.

Basically it is the idea of a sealed hardware and dedicated phone land line with all avenues sealed from the regular internet as much as possible. New technology can add to this idea of course. We regularly revisit the cost side of this equation, so using some present technology could reduce costs considerably.

Telcos are losing business to the cellphone folks at an alarming rate, I would think something like this would be a welcome solution to them as well.

Here directly IBM is going to mount a challenge using AI on the television show Jeopardy! Perhaps it is time to visit the artificial intelligence side of this issue. If the system could analyze the purchases for what would be obviously fraudulent circumstances, this could be used to augment the plan even more. In fact, it might work over the internet with a margin of safety.

Just like the example of the guy buying gas in the US but purchasing something in a brick and mortar store in Europe at the same time - this kind of thing would be stopped cold in its tracks. Especially if it is something the customer would probably never normally use (like server space on a Ukrainian server host).
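The kind of automated screening described in the post above, and the risk-based extra authentication suggested earlier in the thread, sketched as an added example that is not from any poster or card network. The thresholds, category names, the three outcomes and the sample transactions are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

MAX_KMH = 900.0    # assumption: faster than an airliner means the card is in two places
LOCAL_KM = 50.0    # assumption: ignore location jitter inside one metro area


@dataclass(frozen=True)
class Txn:
    ts: float            # seconds since an arbitrary epoch
    lat: float
    lon: float
    card_present: bool   # swiped in a store vs. typed in online
    category: str        # merchant category label (hypothetical values)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


class CardProfile:
    """Per-card state a processor would keep to score each new transaction."""

    def __init__(self):
        self.last_present = None        # last approved in-store transaction
        self.seen_categories = set()    # categories this cardholder has used

    def decide(self, txn):
        # 1. Impossible travel: two in-store swipes too far apart in too little time.
        if txn.card_present and self.last_present is not None:
            prev = self.last_present
            km = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
            hours = max(abs(txn.ts - prev.ts) / 3600.0, 1.0 / 3600.0)
            if km > LOCAL_KM and km / hours > MAX_KMH:
                return "decline"
        # 2. Online purchase of something the cardholder has never bought:
        #    ask for out-of-band confirmation instead of approving outright.
        if not txn.card_present and txn.category not in self.seen_categories:
            return "step_up"
        # 3. Otherwise approve and learn from it. Declined and unconfirmed
        #    transactions never update the profile.
        if txn.card_present:
            self.last_present = txn
        self.seen_categories.add(txn.category)
        return "approve"


# Constructed sample: two swipes in Minneapolis, a swipe in Paris half an hour
# later, an online hosting purchase, and an online grocery order.
SAMPLE = [
    Txn(0,     44.98, -93.27, True,  "fuel"),
    Txn(3600,  44.95, -93.20, True,  "grocery"),
    Txn(5400,  48.86,   2.35, True,  "clothing"),
    Txn(6000,  44.98, -93.27, False, "hosting"),
    Txn(7200,  44.98, -93.27, False, "grocery"),
]


def evaluate(txns):
    profile = CardProfile()
    return [profile.decide(t) for t in txns]


if __name__ == "__main__":
    for txn, verdict in zip(SAMPLE, evaluate(SAMPLE)):
        print(verdict, txn.category)
```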
0 Votes
Contributor
I understand, J
Michael Kassner Updated - 18th Jan 2011
But, something else will be required to verify that the person who is swiping the card is the card's owner.

This also has to work at more than just the home location.
0 Votes
It was my impression..(edited)
JCitizen Updated - 19th Jan 2011
that most online fraud was done with credit card information cracked from vendors' servers, email, or individuals' PCs.

With my idea the vendor server problem would still exist unless an industrial standard for customer data were adopted; (that was effective anyway.)

At least with the POS hardware, the merchant/services knows the information had to come from the customer's personal card.

This is only true, if the card has the new technology on it, that has been discussed on previous broadcasts of your articles. These factors would prevent copycat cards.

If the card is lost or stolen, then we are back to the present system of loss reporting, and liability. This happens whether there is an internet or not. I am trying to limit my idea to what would work as at least a partial solution to one side of the online fraud problem.

Stolen physical credentials will always be a problem; at least until the day that computers can recognize a person by just their face, body language quirks, and voice details; this will take Artificial Intelligence, which is quickly on its way.

(edited)- since second factor authentication can go hand in hand with this subject, perhaps it would be wiser for banks to issue credit phones instead of cards. The phone would be hard wired instead of flashable, and would permanently shutdown if the wrong logon were entered into it.

Now I can see problems with that of course, but the ubiquity of the cell phone has made it so cheap as to literally be almost as cheap as the plastic credit card!
instead of an ID?
Preferably so, that a vendor has a key too, and customer provides a key that combines both. Then the vendor can check with the database if it's legit, but no data will be kept in the database... it will only hold the ID.
0 Votes
Contributor
By explaining what combining the vendor key with the customer's key does.
0 Votes
Well...
AnsuGisalas Updated - 18th Jan 2011
maybe that's not necessary... but it could help safeguard against vendor impersonation; if the key doesn't check with both databases (the vendor key should ID the bank account registered with the company), the customer sees it before authorizing the transaction. The customer can see that this is indeed the bank account of the shop he means to buy from, and not a shop of the same name, but with a different bank account.
0 Votes
I of course look at the "free for a limited time" in fine print.
This sort of thing has to be the free-of-charge baseline security... and it shouldn't be an opt-in either, most people will not think of that on their own.
It doesn't help against impersonation though - that might not be as widespread, but is potentially more difficult to handle in legal terms. After all, if you buy something on your own accord, and the shop simply doesn't send it to you... how easy is it think to examine the account numbers for potential fraud?
0 Votes
Contributor
They would
Michael Kassner 19th Jan 2011
Have to steal the phone.

Cost is relative. We pay the cost for anything the company considers overhead, whether the charge is visible or not.
0 Votes
Why?
AnsuGisalas 19th Jan 2011
If customers think they're buying from a legit store, they'll provide the code provided by Paypal.

Price of a "special service/feature" is higher than cost, though. In the end baseline security behaviors will no longer be competition parameters; they become simply business enablers - can't do business without them. That will affect the pricing.