“Personal” computers weren’t

Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.

it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.

[From Mobile first — Benedict Evans]

I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.

The study also showed that four in ten users could manage without the call-making capability on their handset.

[From Soft cell: 40% of Brits don’t make calls on smartphones – report — RT UK]

I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.

So what is the smartphone for?

We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s sort of proxy me.

a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.

[From Mobile first — Benedict Evans]

We can all see the what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.

Similarly when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me. App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer our internet world.

#IDIoT is a serious business

The Gartner hype cycle is jolly bullish on autonomous vehicles, which I’m really looking forward to. According to Jerry Kaplan’s fascinating “Humans need not apply”, switching to autonomous vehicles in the US will save thousands of lives and billions of dollars every year. Personally, I couldn’t care less if I never drive a car for myself ever again, and I hope that Woking will become an autonomous vehicle only zone as soon as possible. Sadly, this won’t be for a while.

While autonomous vehicles are still embryonic, this movement still represents a significant advancement, with all major automotive companies putting autonomous vehicles on their near-term roadmaps.

[From Gartner’s 2015 Hype Cycle for Emerging Technologies Identifies the Computing Innovations That Organizations Should Monitor]

Gartner are even more bullish on what they call autonomous field vehicles (which I think means drones, combine harvesters and such like) and predict that these will be around in 2-5 years time, just like enterprise 3D printing and cryptocurrency exchanges. I couldn’t help but notice, though, that their very same hype cycle puts digital security at least 5-10 years out. So they are forecasting that there will be vehicles running around for some years before we are able to secure them, 3D printers inside organisations printing things for years before we are able to protect them and people trading money years before we can stop hackers from looting them. Actually, I agree with Gartner’s prediction, as it’s entirely congruent with my own #IDIoT line of thinking, which is that our developments in connection technologies are accelerating past our developments in disconnection technologies. And if you don’t care what I think about it, you probably do care what Vint Cerf thinks about it.

“Sometimes I’m terrified by it,” he said in a news briefing Monday at the Heidelberg Laureate Forum in Germany. “It’s a combination of appliances and software, and I’m always nervous about software — software has bugs.”

[From Vint Cerf: ‘Sometimes I’m terrified’ by the IoT | ITworld]

We’re busy going round connecting vehicles, equipment and money to the internet with having any sort of strategy in place for disconnecting them, which is much more difficult (doors are easy, locks are hard, basically). And with chips that we don’t even understand being built into everyday devices, the complexity of managing security is escalating daily. Look at the recently-launched “21” idea.

Its core business plan it turns out will be embedding ASIC bitcoin mining chips into everyday devices like USB battery chargers, routers, printers, gaming consoles, set-top boxes and — the piece de resistance — chipsets to be used by internet of things devices.

[From Meet the company that wants to put a bitcoin miner in your toaster | FT Alphaville]

Really? Chips in everything? What could possibly go wrong? Oh wait, it already has. There’s something missing here: an identity layer. Hardly a new idea and I’m not the only person going on about it.

Everyone and everything will have an identity… We can’t scale a world that we can’t talk to, can’t control and can’t secure. Everything, including your toaster, you fridge and your car, will have an identity.

[From Facing the new Big Bang: The IoT’s identity onslaught — Tech News and Analysis]

Yet nothing much is getting done, despite that fact that we already have plenty of case studies as to how bad the situation is already. Never mind smart fridges that give away your personal details or televisions that spy on you there are issues about the maintenance and upkeep of things in the field that create an identity management environment utterly different to anything are used to dealing with in the worlds of OIX, Mobile Connect, SAML and so on. 

Did you buy a smart TV or set-top box or tablet any time before January 2013? Do you watch YouTube on it, perhaps through an app? Bad news: Google has shut down the feed that pushed content into the app.

[From You buy the TV, Google ‘upgrades’ its software and then YouTube doesn’t work … | Technology | The Guardian]

It’s issues like this that make me want to focus on identity in the internet of things (or #IDIoT, as I call it) in the near term, so I was really flattered to be asked along by the good people at ForgeRock to talk about this at their London Identity Summit tomorrow. Really looking forward to exploring some of these ideas and getting feedback from people who know what they’re talking about. What’s more, Consult Hyperion and the Surrey Centre for the Digital Economy (CoDE) will be delivering a highly interactive workshop session designed specifically for the University of Surrey’s 5G Innovation Centre SME Technology Pioneer Members on 30th November 2015. This will include “business lab sessions” interleaved with presentations and discussion. We’ll be putting forward the #IDIoT structure to explore identity, privacy and security issues using our ‘3 Rs’ of Recognition, Relationship and Reputation. The event will be an opportunity to establish contacts with companies interested in the IoT space, as well as connecting with the broader University community and a select group of large enterprises so I’m really looking forward to it and, as you might imagine, you’ll read all about it here!

Mass market biometrics – convenience and trust

Back in 2002, biometrics seemed futuristic to say the least. Minority Report was released in that year and I vaguely recall a scene where Tom Cruise trades-in his eyes (yes, his eyes!) to fool, what was supposed to be a retinal scanner.

We’re now in 2015 and biometrics do not seem that sci–fi anymore. Biometrics are insidiously creeping in our lives, via a plethora of services and solutions. But whilst I do passionately follow how widespread biometrics are getting, I still remain very sceptical when it comes to saying that biometrics are the ultimate answer to security.

Let’s take fingerprints for example. Granted, fingerprints are truly efficient when it comes to authentication. They are part of you, and they are unique. Unless I am in serious, serious trouble, I would not be ready to have new fingerprints stitched, were that procedure to be available.

Fingerprints are unique:

A fingerprint is the representation of dermal ridges of a finger. Dermal ridges form a combination of genetic and environmental factors; the genetic code in DNA gives general instructions on the way the skin should form in a developing fetus, but the specific way it forms is the result of random events such as the exact position of the fetus in the womb at a particular moment. This is the reason why even the fingerprints of identical twins are different.

[From Encyclopedia of Biometrics, Stan Z.Li, Anil Jain : Fingerprint Recognition, Overview.]

But, this perceived uniqueness is not without some loopholes:

Doddington et al developed a statistical framework based on the matching performance of individual users.[…]. Their work focused on determining user-induced variability. In particular, they identified four categories of users:

(sheep) users who are easily recognized,

(goats) users who are particularly difficult to be recognized,

(lambs) users who are easy to be imitated,

(wolves) users who are particularly successful at imitating others.

[From Revisiting Doddington’s Zoo: A Systematic Method to Access User-dependent Variabilities]

Fine then, my fingerprints are supposed to be unique. What if there was a “wolf” out there who knows he can access my biometrically locked services, consciously, not by hacking, but simply by the trick of his finger? I’d be having a “finger twin” (remember Joey in Friends in the hand twin episode), albeit an evil one.

This situation, though infinitesimally probable (and even more improbable when it comes to me, with my abnormally high number of minutiae, but that is another story!), does pose a pertinent question. Should I be able to repudiate a service which was authenticated biometrically?

The straightforward answer would be no. However, there have been, in the past, numerous cases in which innocent people have been wrongly singled out by means of fingerprint evidence.

In 2004, Brandon Mayfield was wrongly linked to the Madrid train bombings by FBI fingerprint experts in the United States.

Shirley McKie, a Scottish police officer, was wrongly accused of having been at a murder scene in 1997 after a print supposedly matching hers was found near the body.

[From “Why your fingerprints may not be unique” The Telegraph 21 April 2014]

These cases do prove one thing: An unlucky string of circumstances, though highly unlikely, could be enough to repudiate the alleged non-repudiable: fingerprints.

Mind you, I have not even stepped into the “conventional” debate – Tsutomu Matsumoto, the Japanese guy who made fake fingerprints out of gelatine – nor started a discussion on the challenges facing biometrics – varying physiological aspects in population and environmental effects on both the biometrics to be sensed and the sensor used. And I am miles away from two three-letter acronyms: FAR and FRR.

Mass market biometrics are currently only about convenience, not security. Not having to remember PINs is nice (particularly if you collect bank cards like I do), but relying solely on biometrics is hazardous.

Security is added, or rather implemented, by combining other factors (something you have, something you know), but here is the catch – the more you secure, the less convenient is the solution. Phone + fingerprint + PIN definitely imply that my evil twin finger would have to get hold of my phone, know my PIN to access my services, but would I, as a lazy client, be bothered if I had to have the phone on me, key in a PIN and place my finger on the reader for each access to a service?

But besides this well-known trade-off between convenience and security, there is another crucial aspect in biometrics: sustainability. Unlike “conventional” credentials which can be revoked and changed in case of attack, revoking compromised biometrics is certainly more difficult. Revocable biometric algorithms may be the answer, but I prefer make abstraction of it in this article. In view of ensuring the viable trust of future biometric solutions, emphasis should be laid on zero-flaw in current roll-outs.

L’Observatoire appelle également les acteurs à être vigilants durant les phases d’expérimentation de solutions fondées sur la biométrie, la compromission d’empreintes biométriques utilisées par celles-ci pouvant mettre en cause le déploiement de solutions futures à plus grande échelle.

The panel also calls on players to be vigilant during the experimental phases of solutions based on biometrics. The use of compromised fingerprint may seriously challenge the deployment of future solutions on a larger scale.

[From 2014: Rapport annuel de l’observatoire de la sécurité des cartes de paiement]

Trust, once shattered might be hard, impossible even, to rebuild, especially if the same client pool has been compromised. A case in point here is the Mauritian Biometric Identity Card Scheme. The fingerprints enrolled were stored on the chip, which is secure enough, and a not-so-secure centralised database. A couple of years, frenzied passion against biometrics and doubt-instilling database procedure malfunctions, were enough to convince legal authorities to destroy the much controversial biometric database. The Mauritians are paying the high price of a rapid and not sufficiently prepared solution. I’m not sure they’ve gauged the extent of the problem though.

Les empreintes digitales de 947 000 citoyens, collectées pour la nouvelle carte d’identité, ont été supprimées de la base de données. […]Les données biométriques seront désormais sauvegardées uniquement sur la puce insérée dans la carte.

The fingerprints of 947 000 Mauritian citizens previously collected for the new identity card scheme, have been deleted from the database. […] The biometric data shall be saved only on the identity card chip. 

[From Carte d’identité : Les empreintes digitales de 947000 citoyens détruites” L’express.mu: 1st September 2015]

Were I to be one those 947 000 enrolled, the court’s order to destroy the biometric database, limiting the credential to the chip, would not reassure me at all. There has been a point in time where the database was operational with people behind accessing them. Damage could already have been done, and leaving my fingerprint data on the identity card chip is like having a key in a safe when the duplicate key is either destroyed or lost somewhere.

Our approach to biometrics needs to change rapidly. The stars are getting lined up for biometrics. Demand for new authentication methods, enhanced reliability as well as more affordable price ranges are starting to build up a huge potential for future solution deployments. It is up to us to develop new archictectures. Assessing the expected convenience levels and maintaining the high levels of trust will ensure consistency in the security of biometric solutions.

It’s the convenience and trust, convenience and trust only. Security is the outcome of it.

 

 

 

App and pay is where it’s at

A few weeks ago, I said that Apple Pay isn’t disruptive (for retail payments) and I made the point that its real impact will be “in-app”. I want to explore and emphasis this point in the light of more recent developments. Specifically…

The big news is that it will expand to the UK market next month

[From Apple Pay to be available in UK – Business Insider]

Apple Pay is coming to the UK. Now, when Apple Pay was first announced in the USA, our basic analysis of it for our clients was that it was an incredibly important development in the payment world, but not because of the use of the NFC. The fact that Apple had decided to use tokenisation, we told people, makes tokenisation as big a deal as chip and PIN. It will change the way business gets done, because it brings chip and PIN security to online and mobile transactions. In fact, I bored a number of people on this topic, to the point where it became part of my spoof write-up of Money2020 in Las Vegas last year

“Well, for the big merchants it’s not about tap-and-pay it’s about app-and-pay” he told Osama Bedier from Poynt.

[From Casino Royale-with-Cheese, Part 7]

At the end of the year, we made “in-app” one of our “live five” areas for our clients to explore in 2015 (along with the blockchain, as it happens) and started trying to persuade people to pay attention to it as area of massive opportunity.

Much of the discussion around ApplePay, tokenisation, NFC and retail has naturally focused on the “tap and pay” simplicity of the proposition. However, there are lots of reasons for thinking that this will be a sideshow rather than the main event.

[From Live Five for Fifteen]

The good people of the GSMA invited me to Mobile World Congress in Barcelona earlier in the year to explain this point to a general audience, where I predicted that tokenisation would accelerate a shift away from the check out and the conventional POS terminal as the nexus between the consumer and the merchant drifts away from physical space and into the mobile phone.

while much of the talk at the Congress was about what I’ve previously called the “last millimetre” using NFC, RFID (and now Loop) to link the phone to the point of sale (POS) in the store, the really disruptive impact of the Apple Pay, tokenisation and strong authentication via mobile would be away from the “traditional” POS because bringing chip-and-PIN levels of security and convenience to in-app transactions will change the way that we pay pretty quickly.

[From In-app and on-message in Barcelona]

I made exactly this point again a couple of weeks ago, when I was interviewed by the BBC in connection with the UK Apple Pay launch [audio, starts at 30 minutes in]. On the whole, I think. Consult Hyperion got a consistent message out to our clients and then to the wider marketplace. But is it the right message?

It is. I was interested to note some comments by people far more important and influential than I, comments that might be taken to mean that I may have perhaps been too conservative in my proclamations, around the announcement of Apple coming to the UK.

John Collison, one of the cofounders of $3.5 billion (£2.25 billion) payment processing startup Stripe, says this feature, not the contactless mobile payments, is getting businesses most excited… John Lunn, senior global director for the mobile-payment company Braintree, which was bought by Paypal for $800 million (£512.18 million) in 2013, also thinks Apple Pay’s in-app element is the most exciting thing about it.

[From Apple Pay in-app purchase power could be its most important feature, say Stripe, Braintree – Business Insider]

Well when people like John Lunn, who I can personally testify is a very smart guy, go on to say that “everybody’s talking about the in-store stuff, but actually when you look at the presentation when they launched it, the merchants that were sitting behind Tim Cook were online” I think that tell us the direction of travel pretty accurately.

As my colleague Tim Richards pointed out earlier in the week, tokenisation is a really big deal. App-and-pay changes industry dynamics in a way that tap-and-pay does not.

The Turing Wars have begun

On the internet, as they used to say, no-one knows you’re a dog. That’s not, as far as I can tell, too much of a problem at the moment because dogs have quite poor keyboard skills and little interest in most kinds of internet fraud. The real problem, as things have turned out, is that on the internet no-one knows you’re a bot. Now, I see this emergent property of Moore’s Law and Metcalfe’s Law as fascinating and chaotic and there are some environments in which it is jolly amusing as well. Fake social media fans, for example.

Today, he says he manages 10,000 robots for roughly 50 clients, who pay Mr. Vidmar to make them appear more popular and influential.

[From Inside a Twitter Robot Factory – WSJ.com]

Rappers fighting over fake fans is funny but, as is easy to imagine, there are environments (almost all of them as far as I can see) in which there is no humour, only havoc. A very good current example of this is Bitcoin trading.

Bots control/contribute more than 70% of the volume on OKCoin Futures.

[From Further lies at OKCoin, where does it end? : BitcoinMarkets]

There’s no problem with this, as far as I know, and I don’t see why we should stop bots on Bitcoin exchanges when we allow them on Wall Street, especially when they might offer an accelerated evolutionary path by exploring different strategies.

The exchanges are already rife with trading bots; these are shark infested waters. Bots dance around each other in a chaotic swirl. They employ so many diverse strategies. It’s like so many microbes competing in the primordial ooze.

[From High Frequency Trading on the Coinbase Exchange]

Another environment that, unlike Bitcoin, I see as a fantastically useful economic model of the “real” world is World of Warcraft. This is infested with bots. If you want to see this for yourself, take a look at this amusing (but not suitable for work) YouTube clip of a guy playing WoW only to discover that he’s the only human playing. Last month, there was a WoW crackdown that saw more than 100,000 bots kicked out so I suppose Bitcoin exchanges could have a crackdown try to kick them out too if they want to, but in the absence of a working identity infrastructure the arms race may already be lost. The WoW bot maker had revised their technology to be undetectable. WoW revised their technology to detect it. And so it goes on.

The Turing Wars, as I call them, are only just beginning. These Turing Wars will not be limited to fun and games, to fintech bloggers battling over influence leaque tables or investment banks battling over bonds. There are considerable real-world implications as to possession or otherwise of the IS_A_PERSON credential and without it I can see a likely international cyberwar battleground that will replace WoW battlefields at the epicentre of bot vs. bot evolution, turning the Internet of Things into a wasteland.

In March, two students at the Technion, the Israel Institute of Technology, created a swarm of bots that caused a phony traffic jam on Waze, the navigation software owned by Google… The Waze software, believing that the bots were on the road, started to redirect actual traffic down different streets, even though there was no traffic jam to avoid.

[From Friends, and Influence, for Sale Online – NYTimes.com – NYTimes.com]

When you don’t know who IS_A_PERSON and who IS_A_DOG and who is neither, you cannot interact online in a functional way. We must grasp the nettle, so to speak, and actually do something about this. Who is better placed, right now, to determine whether I am a person or a dog or a bot? Surely it must be my bank and surely this must give my bank a key role in the future? All my bank needs to do is to issue me with some kind of digital passport that I can show to WoW or Waze or Wall Street? Right?

Authentication yes, identification… hhmmm…

I had the great good fortune to be asked by the GSMA to chair the Mobile Identity session at this year’s Mobile World Congress in Barcelona. During the absolutely excellent session, which featured input from Telesign, Payfone, Early Warning, Telenor, the UK Cabinet Office and Nok Nok, I happened to mention in passing that I thought that a global mobile-centric authentication push (perhaps using FIDO) was possible and that it would make life easier for many people, but that it wasn’t clear to me at all that a global identification platform was getting any closer.

B_GKGYvWwAANwkz

A couple of people asked me about this afterwards, and so I thought it would make an interesting blog topic to look at real-world, population-scale identification as discussed in the session. I’ll use Pakistan as an example. Pakistan has very strong identification laws around mobile and rigorously-enforced mandatory SIM registration.

[Pakistanis] have to show their IDs and fingerprints. If the scanner matches their print with the one in a government database, they can keep their SIM card. If not, or if they don’t show up, their cellphone service is cut off.

[From Pakistanis now need to be fingerprinted to have a cellphone – Business Insider]

This will help to stop criminals and terrorists from obtain mobile phones and operating with impunity in Pakistan because it depends on the integrity of the national identity register. Oh, wait…

The famous green-eyed ‘Afghan girl’ immortalised by the National Geographic magazine on its 1985 cover has been living in Pakistan on fake documents, prompting authorities to launch a probe. Four officials were suspended on Wednesday for allegedly issuing fake Computerised National Identity Card (CNIC) to Sharbat Gula and her two ‘sons’.

[From National Geographic Afghan Girl living on fake identity card in Pak : World, News – India Today]

National identity registers are a single source of failure and a natural honeypot for crime and corruption, as Pakistan has discovered.

The National Database and Registration Authority [NADRA] reports that it has deployed a state-of-the-art facial matching system with the capabilities to stop fraud and forgery in identity documents, yet people are still able to obtain forged identity cards. This was very puzzling to understand given the supposed surety, accuracy and privacy of NADRA database that such a scam was still happening even after the introduction of new chip-based identity cards.

[From Identity theft persists in Pakistan’s biometric era | Privacy International]

It’s not “puzzling” as at all as far as I am concerned.

Identity theft is more common in single reference systems such as centralised national population registers, as they create a single point of failure, and centralisation increases rather than reduces the potential for fraud. Doppelganger matches also become more likely in large scale databases.

[From Biometric Smart ID Cards: Dumb Idea :: SACSIS.org.za]

So while it makes sense for service providers to rely on biometric authentication to digital identities that they themselves will bind to virtual identities (with attributes), it is not so clear that it makes sense for service providers to rely on biometric identities established by third parties. In fact, when it comes to mobile phones, in this case I might go even further and say that it is not at all clear to me that we should be attempting to stop the bad guys from using mobile identities at all!

Surely it would be better to have criminals running around with iPhones, sending money to each other using mobile networks and generally becoming data points in the internet of things than to set rigorous, quite pointless identity barriers to keep them hidden.

[From Search Results SIM registration]

There’s a further point to make here, away from the exigencies of national security and the war on terror and in the world of business. As the banks have long understood, the issue of identification is inextricably linked to liability. There’s a world of difference between me as an operator saying to a service provider that “this is subscriber XYZ and it’s the same person who logged in last time and it’s still the same handset and SIM” and saying to a service provider that “this is Dave Birch”. I know I sound like a broken record on this, but it the overwhelmingly majority of interactions, who you are is not the point. The point is whether you are allowed to do something, whether you have credit, whether you are a subscriber or whatever. Trying to work out who someone “really” is means a world of legal pain.

According to the Post, “…sources say Instagram, owned by Facebook, ran into “serious legal problems” over its verification process and has been forced to pause it. Some suspect Twitter, which also has a verification system, had an issue with Instagram’s.”

[From Instagram is no longer verifying accounts – Business Insider]

Therefore it seems to me that in business terms, it makes sense for service providers to rely on bank identification since banks already have to comply with know-your-customer regulation. For this work, however, there must be a kind of identity “safe harbour” (i.e., if the person turns out to be using a false identity that the liability rests with the bank but if the bank has followed KYC procedures then it has no liabilty) from zealous prosecutors otherwise the wheels of commerce will become gummed up with identity junk.