Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
Passwords & The Future Of Identity: Payment Networks?
andre.boysen
User Rank: Author
7/19/2014 | 1:19:06 PM
Re: cards vs devices
The issue of concentration risk comes up a lot. I agree that a simple app on a phone is not a great way to go. A trust model has to go with it. The app is simple, but the security model is sophisticated. If you take out the word mobile and substitute in the word debit card in your argument, you might make the assertion that consumers would face great peril in payment networks. Experience shows that is not true. Users are careful with their payment cards, as they are with their mobile phones. Possession of the payment card alone is insufficient - a PIN is also required. On mobile a PIN can be used and now a fingerprint on iOS and Android can be used as well. Payment cards outside the US use EMV - an order of magnitude more secure than magstripe cards. Similar techniques are emerging for mobile and consumer devices to do the same thing - FIDO is an example here. Also important is the layered security model in place for cards which will also be used for identity management - risk based assessment of every transaction helps protect users. Revocation for cards and phones is already easy for users - remote wipes for modern smartphones are pretty easy for users to accomplish.
Robert McDougal
User Rank: Ninja
7/18/2014 | 12:10:58 PM
Re: cards vs devices
Gev,

I agree with you on this point. If the identification method is simply an app on a mobile phone then it is only a matter of time before it is hacked. Also, if someone leaves their phone unattended while they go to lunch their co-workers can access their Facebook, banking account, and make some purchases on Amazon.

Something needs to be done, but at this point in time I am not comfortable with the idea of using my phone as my identification method.
James McCloskey
User Rank: Apprentice
7/17/2014 | 4:35:45 PM
Banks vs ... postal services?
Excellent post, Andre.  I agree that there ultimately needs to be some "payment card-like" (common, trusted, highly-usable) approach to identity services, but I also agree with gev's implicit distrust of a bank-centric model.

You noted the USPS FCCX initiative, and I think that's not a bad concept to pursue.  After all, when it comes right down to it, national postal services' core function is the secure delivery of information: you put something in the mail for me, and after some period of time, it arrives.  As government agencies (or at least affiliated), and with points of presence located across each country already, I think that there is a good argument to be made for having a federation of national postal services providing the basis for intra- and inter-nation identity services.
andre.boysen
User Rank: Author
7/17/2014 | 2:53:47 PM
Re: interesting idea
My own perspective is this story, while it may be embarrassing, is really not an indictment of the whole banking system. Incidents like this are rare for banks in Canada.

Banks, and especially banks in Canada, are globally regarded as well managed and good stewards of trust and a pillar for the economy.
gev
User Rank: Moderator
7/17/2014 | 2:46:21 PM
Re: interesting idea
yes it does, since we are talking about financial institutions, standards and trust.

if Canada's financial institution is allowed to be so woefully lacking in securing its own ATMs how can we trust it to maintain our identities?
andre.boysen
User Rank: Author
7/17/2014 | 2:42:45 PM
Re: interesting idea
I think I found the story you are talking about. 

http://news.nationalpost.com/2014/06/10/two-boys-show-bmo-how-to-hack-into-atms-branch-manager-sends-note-excusing-them-for-being-late-to-class/

This story has nothing to do with cards. The access for the ATM for operations staff was secured by a simple password with no card required at all. 

Actually, had a card been required by operations personnel to access ATM admin functions then there would not have been a story.
gev
User Rank: Moderator
7/17/2014 | 2:34:17 PM
Re: interesting idea
I recall reading an article here about a month ago about school kids hacking BOM ATM partly because the password was exactly 6 char long.

I realise that Montreal is not in BC, but still it is in Canada. I wonder if the attitude to bank security is the same though.

If so, this discussion sounds a bit funny.
andre.boysen
User Rank: Author
7/17/2014 | 2:32:06 PM
Re: cards vs devices
Hi Gev

 

I am not sure I understand your comment - can you elaborate?
gev
User Rank: Moderator
7/17/2014 | 2:24:40 PM
cards vs devices
there is a huge difference between cards and devices. cards are not connected. that is what makes them a good identity instrument. as soon as you connect something to the outside world - it is just the matter of time before it gets hacked.

 
andre.boysen
User Rank: Author
7/17/2014 | 1:34:48 PM
Re: interesting idea
Authentication standards are vital to overcoming the problems with the current model. Users are being asked to learn access behaviors every day. Passwords, OTP, SMS, finger scan, or look at the camera and say "boo!" - this will normalize the noise and make it harder for users to recognize attack vectors.

Cars work well because the steering, gas pedal, brake and turn signals are all in the same place. So too with payment rituals - all the card schemes do it the same way.