X9.59 mailing list
- Four Corner model. Was: Confusing Authentication and Identification? (addenda)
- Confusing business process, payment, authentication and identification
- Confusing business process, payment, authentication and identification
- Confusing business process, payment, authentication and identification
- Confusing business process, payment, authentication and identification
- Law aims to reduce identity theft
- Know Your Enemy Automated Credit Card Fraud (automated, forwarded)
- Bugwatch: Know your security onions
- Know your security onions (or security proportional to risk)
- New privacy rules could mean headaches for financial services IT
- Feds Want Banks to Warn of ID Theft
- Net Worm Heightens Security Concerns
- Identity theft rockets 80 per cent
- Hacker's compromise Navy purchase card
- Technology and Crime, Criminal Intelligence Service Canada - 2003
- Yodlee offers standard interface to smooth the electronic bill payment process
- Bahrain Takes Swipe Into the Future With News Smart ID Cards
- Solving the payment problem for open source and P2P file sharing
- DNS inventor says cure to net identity problems is right under our nose
- Tech firms band together on ID theft
- Federal agencies' banking system moves online
- FTC Says ID Theft Greater Problem Than Originally Thought
- some X9.59 (and little FSTC) ... from crypto mailing list ... fyi
- Police smash UK's biggest credit card fraud ring
- More on the ID theft saga
- Cyber Security In The Financial Services Sector
- Bank One Calls Attention to ID Theft
- A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
- Carnegie Mellon to host first US-based int'l conference on electronic commerce
- Cashing In With E-Payments
- ID Theft Often Goes Unrecognized
- End of the line for Ireland's dotcom star
- Internet Fraud & Attacks on the rise
- Microsoft, Sterling Aid SWIFT Users
- Retail wireless security: a few considerations
- Citibank customers hit with e-mail scam
- DNS, yet again
Four Corner model. Was: Confusing Authentication and Identification? (addenda)
From: Lynn Wheeler
Date: 06/26/2003 07:55 PM
To: Anders Rundgren <anders.rundgren@xxxxxxxx>
cc: internet-payments@xxxxxxxx, epay@xxxxxxxx
Subject: Re: Four Corner model. Was: Confusing Authentication and Identification? (addenda)
There are possibly serious confusions over the four corner model.
Basically a client walks into a relying-party and says that they want
something and that their consumer financial institution will certify
that there will be an exchange of value .... aka the merchant will be
paid.
The relying-party/merchant sends off an online request to certify the
consumer's assertion. It winds its way thru various places and gets back
to the merchant as either certified or not certified.
The certification part is exactly as in the stale, static certificate
based model, the consumer or public key owner, the consumer's
financial institution (or certification body), and the merchant (or
relying party). The business aspects are identical to the stale,
static certificate based model, except it uses an online, realtime
certification.
So what is the purpose of the fourth entity? In the credit card
processing model, the 4th entity is the merchant's financial
institution that has signed up to be legally liable for their
merchants. In effect, when the consumer executes a credit card
transaction with a merchant, it is in some sense actually being
executed with the merchant's financial institution .... with the
merchant effectively acting as an agent of their financial
institution. The credit card associations have their relationships
with financially liable financial institutions (both on the consumer
side and on the merchant side). In the consumer/merchant
transactions, both are effectively acting as agents of their
respective financial institutions which carry the ultimate financial
liability.
The traditional industry scenario is the bankrupt airline. If the
ticket had been bought and paid for ahead of time with cash or debit
card, the consumer is pretty much out of luck. If the ticket had been
bought and paid for by credit card, then if the airline goes bankrupt,
the airline's (merchant) financial institution is legally liable for
restitution to the consumer. Merchant financial institutions are quite
ambivalent about airlines as merchants; on one hand they tend to get a
percentage of bigger ticket transactions and on the other hand some of
them had to make good on several tens of millions in outstanding
airline tickets when there was a bankruptcy. The transaction flows
through the (4th corner) merchant's financial institution because the
merchant's financial institution is legally liable for the transaction
and it happens to implement things like its own fraud detection and
handling process. There are some infrastructures where credit type
operations have been implemented using only a three corner model. In
those situations, individual merchants have signed contracts directly
with every issuing consumer financial institution. However it scales
extremely poorly, imagine possibly hundreds of thousands or millions
of merchants, each signing individual contracts with tens of thousands
of consumer financial institutions (aka on the order of four million
times thirty thousand equals 120 billion contracts).
The four corner model is a valid business model with all four parties
filling a valid business role .... totally independent of whether the
delivery vehicle involves offline, stale, static certificates.
As repeatedly stated, the requirement given the X9A10 working group
for the X9.59 standard was to preserve the integrity of the financial
infrastructure for all electronic retail payments.
The X9.59 standard applies to whether it is a
1) two-corner model; relying-party-only (as in most of the
stored-value in the US),
2) three-corner model (as in debit transactions, which doesn't involve
a financial institution having legal liability for their merchants)
3) four-corner model (where there is consumer and relying party
... and both have legally liable financial institutions)
As implied in the authentication and identification subject line it is
possible to totally confuse the issue of authentication and
identification.
Just as easily, it appears to be equally possible to totally confuse
the certification business process with the mechanism for delivering
the certification (aka online, realtime, as opposed to offline, stale,
static certificates).
And then it seems that it is equally possible to confuse the
underlying business model with the implementation of the certification
business process.
It is possible in the X9.59 implementation to have account-based
operations with digital signature authentication for the operation
involving absolutely no stale, static certificates, and the same exact
protocol applies to the two-corner (stored value), three-corner (debit)
and four-corner (credit) transaction process.
Also, as has previously been pointed out, the account-based model not
only applies to the financial account infrastructure (where the value
of doing an online, realtime authentication and authorization easily
outweighs the costs) but is also essentially the identical
implementation for the majority (possibly 99.9999999 percent) of the
world-wide ISP internet access (authentication and authorization).
misc. references:
https://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
https://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#67 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#69 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#70 Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#71 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
anders.rundgren@xxxxxxxx on 6/26/2003 3:187 pm wrote:
A somewhat related issue is how banks currently take the lead in
Europe as CAs. [Offering stale certificates that though are on-line
verifiable at least]. Unfortunately banks have converted PKI into a
new form of payment system (a.k.a. Four-corner Model), in spite of PKI
not requiring transferal of anything between banks, as the relation
(and transaction) is between the client and the relying party.
Fortunately at least the Swedish authorities begin to see that this is
maybe not such a good thing for them.
http://www.x-obi.com/OBI400/e-government-ID-A.Rundgren.pdf
I doubt that the cost for OCSP-services of a large CA even accounts
for 10% of the total.
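The account-based, certificate-free authentication that the post above describes for X9.59 (a digital signature over the transaction, certified online and in realtime by the consumer's financial institution against the public key registered to the account) can be modelled in a few dozen lines. The Go program below is an added example written for this page; it is not the X9.59 message layout and not code from any participant in the thread. The field layout, the party names, the account number and the per-account sequence number used as a replay check are all assumptions made here. It shows the issuer accepting a genuine signed transaction and rejecting an altered copy, a replayed copy, and a transaction signed with a key that is not the registered one, even though every byte of the genuine message was visible to whoever made those attempts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Transaction is a hypothetical, simplified account-based payment message
// constructed for this example (not the X9.59 format). Every field is
// assumed to be visible to the merchant, both banks and any observer.
type Transaction struct {
	Account  string // account number: a routing identifier, not a secret
	Merchant string // relying party the value goes to
	Amount   uint64 // in cents
	Seq      uint64 // per-account sequence number; makes each message unique
}

// encode gives the canonical bytes that are signed, so one signature binds
// account, merchant, amount and sequence number together.
func (t Transaction) encode() []byte {
	var n [8]byte
	buf := append([]byte(t.Account), 0)
	buf = append(buf, t.Merchant...)
	buf = append(buf, 0)
	binary.BigEndian.PutUint64(n[:], t.Amount)
	buf = append(buf, n[:]...)
	binary.BigEndian.PutUint64(n[:], t.Seq)
	return append(buf, n[:]...)
}

// Sign is what the consumer's device does with a private key that never
// leaves it; nothing secret travels with the transaction.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.encode())
}

var (
	ErrUnknownAccount = errors.New("unknown account")
	ErrBadSignature   = errors.New("signature does not verify against registered key")
	ErrReplay         = errors.New("sequence number already used")
)

// Issuer is the consumer's financial institution: it holds the public key
// registered against each account and the sequence numbers already spent.
type Issuer struct {
	keys map[string]ed25519.PublicKey
	used map[string]map[uint64]bool
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, used: map[string]map[uint64]bool{}}
}

// Register binds a public key to an account: account-based, no certificate.
func (i *Issuer) Register(account string, pub ed25519.PublicKey) {
	i.keys[account] = pub
	i.used[account] = map[uint64]bool{}
}

// Authorize is the online, realtime certification step: verify the signature
// against the registered key, then refuse any sequence number seen before so
// that a captured message cannot be submitted twice.
func (i *Issuer) Authorize(t Transaction, sig []byte) error {
	pub, ok := i.keys[t.Account]
	if !ok {
		return ErrUnknownAccount
	}
	if !ed25519.Verify(pub, t.encode(), sig) {
		return ErrBadSignature
	}
	if i.used[t.Account][t.Seq] {
		return ErrReplay
	}
	i.used[t.Account][t.Seq] = true
	return nil
}

// Scenario holds the issuer's decision for one genuine transaction and for
// three attempts built only from information visible in it.
type Scenario struct {
	Genuine, Altered, Replayed, Forged error
}

// RunScenario registers one consumer key (constructed here) and submits the
// four transactions described above.
func RunScenario() (Scenario, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	issuer := NewIssuer()
	issuer.Register("4000-0001", pub) // constructed account number

	txn := Transaction{Account: "4000-0001", Merchant: "airline", Amount: 45000, Seq: 1}
	sig := Sign(priv, txn)
	var s Scenario
	s.Genuine = issuer.Authorize(txn, sig)

	// Same signature, amount changed: the signature no longer verifies.
	altered := txn
	altered.Amount = 4500000
	s.Altered = issuer.Authorize(altered, sig)

	// Exact copy of the genuine message: the sequence number is spent.
	s.Replayed = issuer.Authorize(txn, sig)

	// Knowing the account number but not the private key, a new transaction
	// signed with some other key does not verify against the registered one.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Scenario{}, err
	}
	forged := Transaction{Account: "4000-0001", Merchant: "airline", Amount: 100, Seq: 2}
	s.Forged = issuer.Authorize(forged, Sign(otherPriv, forged))
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine :", s.Genuine)
	fmt.Println("altered :", s.Altered)
	fmt.Println("replayed:", s.Replayed)
	fmt.Println("forged  :", s.Forged)
}
```

The same issuer logic serves the two-corner, three-corner and four-corner cases: only the route the message takes to the issuer changes, not the verification.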
Confusing business process, payment, authentication and identification
From: Lynn Wheeler
Date: 06/28/2003 02:27 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Confusing business process, payment, authentication and identification
You may be absolutely correct that the Four Corner model is the single
biggest inhibitor to the wide-scale deployment of PKI.
The Four Corner model actually requires a legally binding chain of
trust (somewhat analogous to chain of evidence in legal proceedings)
as the fundamental basis for a real live, sound business-based, trust
network.
The majority of the PKIs are technical descriptions that wave their
hands about trust networks but absolutely fail to provide any legally
binding and/or sound business basis for trust operations and
contractual recourse.
Having a valid, real-live sound business trust network as a
counter-example to some artifact that just waves its hands about being
a trust network (w/o any sound business basis) is probably a real
downer.
Before continuing the description, I wonder if we can come to an
agreement that we aren't talking about authentication and payment as
purely academic, theoretic concepts totally unrelated to any useful
purpose? Furthermore, can we agree that the majority of the people in
the world aren't going out every day, entering retail establishments
and performing random acts of payment and/or random acts of
authentication unrelated to any useful business activity (aka they
aren't at the retail establishment to obtain goods or services, they
are purely there to perform random acts of payment and
authentication), and that the payment and authentication constructs
being discussed are occurring within the context of some business
operation or purpose (nominally some exchange of value is occurring
.... aka somebody buys something as opposed to giving away money for
no reason whatsoever).
Furthermore, the traditional four corner model is slightly more than
the guy trying to sell the Brooklyn Bridge and saying trust me: there
are financially responsible parties for both the consumer and merchant
with contracts and legal recourse (w/o the N times M scale-up problem
requiring 120 billion independent contracts). The four corner model
isn't a trivial payment system for the enjoyment of people wanting to
perform random acts of payment.
As outlined in the original post, the merchant financial institution
is the legally liable party for the merchant and the consumer/issuer
financial institution is the legally liable party for the
consumer. There are specific contractual and business relationships
based on exchange of value that are the basis for these
relationships. Asserting that the fourth party does nothing but add
cost is like saying that the insurance business process does nothing
but add cost. The four corner model is providing contractual legal
recourse trust operating in both directions .... a contractual trust
chain for the merchant to the consumer, and a contractual trust chain
for the consumer to the merchant.
The reference post and the URL pointers to ones with similar content
go to some great length to describe valid, recognized legally liable,
contractual relationships. And as further explained, it is
typically only governments that can pass laws that create legal
liabilities when there is no business foundation for such to exist.
A trust network is an artificial construct that has actual business
relationships between all parties (or some fictional business
relationship created by government mandate). In the normal, offline,
stale, static certificate based infrastructure, there is no valid
business relationship that exists between the certifying body and the
relying-party. In all of the existing online scenarios (like the
credit network), the online transaction directly between the
certifying body and the relying party creates a contractual
relationship (where none exists in the stale, static certificate
paradigm).
As has been repeatedly pointed out in similar past discussions of
this subject, the GSA created the facade of the business
infrastructure relationship by contractual relationships between all
the TTP CAs as a legal agent of the GSA and all the relying
parties having contracts with the GSA with regard to the acceptance of
certificates. That provided the basis for contractual relationship and
recourse between the relying-parties and the TTP CAs .... by having a
third party (the GSA) have a valid contract with each of the
relying-parties (and the TTP CAs having contracts with the GSA such
that they effectively operated as a GSA legal agent).
The GSA infrastructure created a legally binding relationship with
four corners (the certificate owner, the certifying TTP CA, the GSA,
and all the relying parties) that doesn't exist at all in the
traditional 3-corner trust network stale, static certificate
paradigms. The example of some places in the world trying to deal with
establishing valid business and contractual relationships (where none
actually exists in the traditional trust network description)
results in N times M set of bilateral contracts which scales poorly
(i.e. four million merchants and thirty thousand financial
institutions results in 120 billion contracts).
A real trust network is sort of like chain of evidence in legal
proceedings. In the real live business world, there has to be some
real live basis for legal liability and recourse, normally this is a
valid contract. In some cases, governments can create artificial legal
liability and recourse when there is no direct business basis for it.
Ok, in the financial four corner model there are actually two totally
independent trust operations occurring simultaneously.
1) the consumer has a contract with their financial institution that
they can trust, the consumer financial institution (effectively) has a
contract with the merchant financial institution (that they can
trust), and the merchant financial institution has a contract with the
merchant. That means that there is a direct contractual relationship,
the consumer trusts their bank, their bank trusts the merchant bank,
and the merchant bank trusts the merchant. If the chain of trust is
broken with regard to the consumer trusting the merchant, the merchant
bank stands in.
2) the merchant has a contract with their financial institution that
they can trust, the merchant financial institution (effectively) has a
contract with the consumer's financial institution (that they can
trust), and the consumer's financial institution has a contract with
the consumer. That means that there is a direct contractual
relationship, the merchant trusts their bank, their bank trusts the
consumer's bank, and the consumer bank trusts the consumer. If the
chain of trust is broken with regard to the merchant trusting the
consumer, the consumer bank stands in.
In the majority of the existing TTP CA implementations, there is a
contractual basis for trust based on exchange of value between the
consumer (public key owner) and the TTP CA (certifying body) based on
exchange of value, the consumer pays for buying the certificate. There
is absolutely no legally valid chain of trust that establishes a
trust network between the TTP CA and the merchant (relying party).
There is no basis for it from a business perspective. THERE IS
ABSOLUTELY NO BUSINESS RELATIONSHIP BETWEEN THE MERCHANT AND THE TTP
CA THAT ESTABLISHES THE BASIS OF TRUST so there is no chain of trust
and there is no trust network. A government can pass legislation
claiming there is, but there is no business basis for one. GSA
fabricated one with contracts with the TTP CAs, making them agents of
the GSA and direct contracts between the GSA and all the relying
parties (somewhat mitigating the N times M scale-up problem requiring
every possible relying party to have a separate contract directly with
every possible TTP CA).
In the financial four corner model there is actually a step-by-step
process that establishes the individual trust chain links which form a
chain of trust resulting in a trust network. Furthermore, there are
actually simultaneously two trust operations going on, one in each
direction .... the merchant trusting the consumer and the consumer
trusting the merchant.
So, who is legally liable if the merchant goes bankrupt and/or skips
town if the acquirer doesn't exist? Unless the merchant has a legally
binding contract with the consumer's financial institution, the
consumer's financial institution has no contractual relationship for
acting on the behalf of the consumer. Furthermore, the merchant
doesn't have any basis for acting against the consumer's financial
institution, if the consumer doesn't pay.
So, in the previous posts & examples, X9.59 was shown as equally
applying to the two-corner model, the three-corner model, and the
four-corner model. As you pointed out payments and authentication are
different issues. Authentication and payments are applicable to a
range of business environments.
The four corner model represents independent agents financially
representing their respective clients. The four corner model is
somewhat analogous to civil litigation where both parties have their
respective lawyers to represent their individual interests. One of the
parties is not participating in civil litigation and is assuming that
their opponent's lawyer can be relied upon to represent their
interests (as opposed to their opponent's interests).
some past discussion of GSA contractual infrastructure necessary to establish PKI trust network:
https://www.garlic.com/~lynn/aadsm12.htm#22 draft-ietf-pkix-warranty-ext-01
https://www.garlic.com/~lynn/aadsm12.htm#41 I-D ACTION:draft-ietf-pkix-sim-00.txt
https://www.garlic.com/~lynn/aadsm12.htm#42 draft-ietf-pkix-warranty-extn-01.txt
https://www.garlic.com/~lynn/aadsm14.htm#37 Keyservers and Spam
https://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
random refs:
https://www.garlic.com/~lynn/aadsm14.htm#41 certificates & the alternative view
https://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
https://www.garlic.com/~lynn/aepay11.htm#66 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#67 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#69 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#70 Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#71 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay11.htm#73 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay12.htm#0 Four Corner model. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/aepay7.htm#3dsecure 3D Secure Vulnerabilities? Photo ID's and Payment Infrastructure
https://www.garlic.com/~lynn/2002m.html#19 A new e-commerce security proposal
https://www.garlic.com/~lynn/2002n.html#25 Help! Good protocol for national ID card?
anders.rundgren@xxxxxxxx on 6/28/2003 7:59 am wrote:
"The four corner model is a valid business model with all four parties
filling a valid business role .... totally independent of whether the
delivery vehicle involves offline, stale, static certificates."
On the contrary. If the TTP (credential issuer) is a part of a
trust-network, the fourth corner (acquirer) is redundant as there is
nothing a fourth party can add but costs[1]. That is, if we talk
about authentication, and not about the transferal of money.
[1] Including:
- Subscription fees,
- Transaction fees,
- Proprietary trust network software,
- Relying party credential issuance and configuration
- Trust network arbitration software
I claim that the Four Corner model is the single most hampering thing
to wide-scale PKI-deployment because it makes receivers possibly pay
for messages that they maybe did not even want!
In paper-based messaging (excluding all kinds of payment systems), the
"sender" typically puts on a stamp on a letter to get it distributed.
This makes sense, four-corner does not.
By confusing payments with authentication, the financial industry has
shot itself in the foot. Has anybody heard about a
receiver-financed authentication trust network that actually makes
money?
Or have you recently SWIFT TrustActed? I don't think so.
May I end this letter citing an interview with Bill Gates?
Q: In 1995, you wrote in your book, "The Road Ahead," that IT will
realize friction-free capitalism by excluding middlemen and directly
connecting buyers and sellers. Do you still believe in the idea?
A: Oh absolutely. I believe there should be no markup in any area of
the B2B marketplace. If you want to buy and sell from anyone in the
world, you should just get very inexpensive software. They'll let you
see every seller and let you do complex transactions without anybody
marking up the cost of what you're buying. XML Web services are needed
for that, and that's what we're doing. It's a key building block of
friction-free capitalism.
Anders
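The chain-of-trust argument in the post above (a trust network exists only where a chain of contracts links each relying party to the other party's certifying body, so that obligation runs in both directions) can be checked mechanically. The Go program below is an added example written for this page, not code from any participant in the thread. The party names and the contract sets for each scenario are hypothetical simplifications of the models the post describes, and the direct consumer/merchant sale is deliberately left out so that the only question is whether trust is reachable through the certifying bodies. It represents each model as contracts between parties and searches for a chain of contracts from each corner to the other side's certifying body: the four-corner credit model and the GSA-style contract hub yield a chain in each direction, online certification yields a direct one, and stale-certificate mutual TLS with two independent TTP CAs yields none.

```go
package main

import "fmt"

// Contract is a bilateral, legally binding relationship. In this model it
// is the only thing that can carry liability or recourse between parties.
type Contract struct{ A, B string }

// TrustNetwork names the four corners of a mutual certification setup and
// lists the contracts that actually exist. Every scenario below is a
// constructed simplification, not a description of a real scheme's contracts.
type TrustNetwork struct {
	Name                         string
	PartyA, CertA, PartyB, CertB string
	Contracts                    []Contract
}

func (n TrustNetwork) neighbours() map[string][]string {
	adj := map[string][]string{}
	for _, c := range n.Contracts {
		adj[c.A] = append(adj[c.A], c.B)
		adj[c.B] = append(adj[c.B], c.A)
	}
	return adj
}

// ChainOfTrust finds the shortest sequence of contractually bound parties
// from one party to another (breadth-first search). Every link must be a
// contract: a missing contract between a certifying body and a relying
// party is exactly the broken link the discussion is about.
func (n TrustNetwork) ChainOfTrust(from, to string) ([]string, bool) {
	adj := n.neighbours()
	prev := map[string]string{from: ""}
	queue := []string{from}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == to {
			var chain []string
			for p := to; p != ""; p = prev[p] {
				chain = append([]string{p}, chain...)
			}
			return chain, true
		}
		for _, next := range adj[cur] {
			if _, seen := prev[next]; !seen {
				prev[next] = cur
				queue = append(queue, next)
			}
		}
	}
	return nil, false
}

// MutualTrust reports whether each corner can reach the OTHER corner's
// certifying body through contracts, i.e. whether obligation runs both ways.
func (n TrustNetwork) MutualTrust() (aToCertB, bToCertA []string, ok bool) {
	aToCertB, okA := n.ChainOfTrust(n.PartyA, n.CertB)
	bToCertA, okB := n.ChainOfTrust(n.PartyB, n.CertA)
	return aToCertB, bToCertA, okA && okB
}

// FourCornerCredit: each bank is bound to its own client and, through the
// card association, to the other bank.
func FourCornerCredit() TrustNetwork {
	return TrustNetwork{Name: "four-corner credit",
		PartyA: "consumer", CertA: "consumer bank", PartyB: "merchant", CertB: "merchant bank",
		Contracts: []Contract{{"consumer", "consumer bank"}, {"consumer bank", "card association"},
			{"card association", "merchant bank"}, {"merchant bank", "merchant"}}}
}

// StaleCertMutualTLS: each side pays its own TTP CA for a certificate; no
// contract joins either CA to the party that relies on its certificates.
func StaleCertMutualTLS() TrustNetwork {
	return TrustNetwork{Name: "stale-certificate mutual TLS",
		PartyA: "client", CertA: "client CA", PartyB: "server", CertB: "server CA",
		Contracts: []Contract{{"client", "client CA"}, {"server", "server CA"}}}
}

// GSAStyle: the CAs are contractual agents of one hub, which in turn holds
// a contract with every relying party.
func GSAStyle() TrustNetwork {
	return TrustNetwork{Name: "GSA-style contract hub",
		PartyA: "client", CertA: "client CA", PartyB: "server", CertB: "server CA",
		Contracts: []Contract{{"client", "client CA"}, {"server", "server CA"},
			{"client CA", "hub"}, {"server CA", "hub"}, {"client", "hub"}, {"server", "hub"}}}
}

// OnlineCertification: each relying party pays the other side's CA for a
// realtime certification, which creates the otherwise missing contract.
func OnlineCertification() TrustNetwork {
	return TrustNetwork{Name: "online certification",
		PartyA: "client", CertA: "client CA", PartyB: "server", CertB: "server CA",
		Contracts: []Contract{{"client", "client CA"}, {"server", "server CA"},
			{"server", "client CA"}, {"client", "server CA"}}}
}

func main() {
	for _, n := range []TrustNetwork{FourCornerCredit(), StaleCertMutualTLS(), GSAStyle(), OnlineCertification()} {
		a, b, ok := n.MutualTrust()
		fmt.Printf("%-30s trust network in both directions: %v\n", n.Name, ok)
		fmt.Printf("  %s -> %s: %v\n", n.PartyA, n.CertB, a)
		fmt.Printf("  %s -> %s: %v\n", n.PartyB, n.CertA, b)
	}
}
```

Adding a single contract to the stale-certificate scenario (for instance the relying party contracting with the other side's CA, as in the online case) is enough to turn the search result from false to true, which is the point the post makes about where the missing link sits.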
Confusing business process, payment, authentication and identification
From: Lynn Wheeler
Date: 06/28/2003 08:33 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
Ok, non-payment situation .... right out of the previous email. In a
court of law ... involving civil litigation ... both parties have their
own lawyers.
ok, from SSL/TLS with TTP CA .... and mutual authentication; both
parties have a TTP CA and both parties have certificates from their
respective TTP CAs. Just as in the financial four corner model
... there are situations where the merchant bank and the consumer bank
may be the same financial institution; in which case they refer to the
transaction as "on us". The four corner model doesn't absolutely
preclude a financial institution being the same for both parties
.... but it operates in such a way that it allows that the merchant
can be certified by one entity and the consumer can be certified by
another entity ... and it isn't required as part of mutual
authentication ... that the certifying agency be the same for both the
merchant and the customer.
The whole point of the detailed discussion of the merchant and the
consumer in the four corner model was to show the chain of trust going
in both directions.
The chain of trust goes in both directions .... one for the merchant
and one for the consumer .... in the financial four corner model.
The chain of trust tries to go in both directions .... one for the
server and one for the client ... in the SSL/TLS mutual authentication
four corner model.
The problem in the TTP CA SSL/TLS (almost) PKI for mutual
authentication .... is the server doesn't actually have any business
relationship with the client's certifying body and the client doesn't
actually have any business relationship with the server's certifying
body, without valid business relationship and recourse ... there is
only the facade of a trust network but one doesn't actually exist (in
either direction).
The TTP CA business model with stale, static certificates is actually
even worse (note that a TTP CA model with online certification doesn't
suffer from this horribly inverted business model). The client is
paying the TTP CA for the client's certificate .... which exists for
the benefit of the server (and in some cases the existence of a client
certificate can actually be to the detriment of the client). The
server is paying the TTP CA for the server's certificate .... which
exists for the benefit of the client. Not only does the stale, static
certificate paradigm have the exchange of value occur between the
wrong parties .... but the exchange of value between the wrong parties
lends itself to precluding a real network of trust being implemented.
When the client pays for their own certificate to the client's TTP CA,
for the server's benefit, it precludes there being a valid business
relationship and chain of trust between the server and the client's
TTP CA. When the server pays for their own certificate to the server's
TTP CA, for the client's benefit, it precludes there being a valid business
relationship and chain of trust between the client and the server's
TTP CA.
In the online (financial) four corner model, the server pays the
client's TTP CA for certification of the client; that creates the
basis for legal obligation between the client's TTP CA and the server
for a valid chain of trust.
The real, major difference between a 3-corner TTP CA and a four corner
TTP CA .... isn't whether it is financial or not, it is whether there
is mutual authentication/certification or only single
authentication/certification.
The real, major problem with TTP CAs implemented with stale, static
certificates ... is that it fails to create a legal relationship between
the certification authorities and the relying parties. The server's
TTP CA has no obligation to the client, and the client's TTP CA has no
obligation to the server. Therefore there is no chain of trust,
therefore it is just a pure fabrication about any real trust network.
As previously noted, GSA attempted to overcome the TTP CA model's total
lack of any resemblance to a valid business proposition with all of
their contracts.
It has been pretty well shown that any entity can sue any other entity.
A merchant can sue a customer for fraud and a customer can sue a
merchant for fraud. The issue is can a merchant sue a certifying body
for anything at all with regard to what a customer does. Typically a
merchant suing a certifying body with regard to some customer's
action is only to the extent that the certifying body has some
obligation to a merchant. In a simple TTP CA stale, static certificate
model, without a business relationship between the merchant and the
consumer's TTP CA, no business relationship has been created between
the consumer's TTP CA and the merchant. Therefore there are no grounds
to sue.
Similarly, a client suing a certifying body with regard to some
merchant's action is only to the extent that the certifying body has
some obligation to the client. In a simple TTP CA stale, static
certificate model, without a business relationship between the
consumer and the merchant's TTP CA, no business relationship has been
created between the merchant's TTP CA and the consumer. Therefore there
are no grounds to sue.
All four corners exist in all situations when there is any kind of
mutual certifying process between two parties; aka
1) PARTY A,
2) PARTY A's certification institution,
3) PARTY B,
4) PARTY B's certification institution.
The horrendous problem in the traditional TTP CA stale, static
certificate business model is that
1) no obligation is created between PARTY A's certification
institution and PARTY B
2) no obligation is created between PARTY B's certification
institution and PARTY A
so no trust network ever actually exists. As has been repeatedly
pointed out in the past several posts, that is possibly one of the
motivating factors in all of the GSA contracts with TTP CAs and
relying-parties ... creating a valid basis for a trust network.
Possibly there are some other assumptions that aren't being clearly
understood. In general, certifying bodies exist when there is little
or no reason for two totally complete strangers (that might have some
business opportunity) to trust each other. Two entities that have
some past business relationship may not feel they need independent
certification authority. However, whether a certifying process is used
or not doesn't preclude either party from performing some fraudulent
act. This goes back to the whole original concept of these
certification bodies in the first place, which is to establish trust
when there is usually no other basis for trust. Trust doesn't
eliminate fraud but it possibly lowers its probability.
In the four corner, credit model there is quite a bit that is
guaranteed. As previously pointed out, the merchant's financial
institution is actually on the hook for the merchant delivering
contracted goods or services or refunding money (as per the bankrupt airlines
example).
I don't understand the issue about the four corner model and identity
fraud. A business model and obligations don't preclude fraud. They may
somewhat lower its probability but it doesn't lower it. As has been
repeatedly mentioned in the past several posts, quite a bit of
identity fraud is a shared-secret issue. X9.59 is specifically
targeted at
1) strongly authenticated transactions
2) elimination of the account number as a shared-secret (and therefore
as a subject of identity fraud)
3) elimination of additional identity information or shared-secret
information as a means of authenticating the transaction
X9.59 is agnostic with respect to identification .... only performing
authentication.
However, X9.59 can contribute significantly to reduction in identity
fraud by eliminating any requirement for shared-secret and/or identity
information as part of the financial transaction.
Furthermore, the X9.59 characteristic applies to the 2-corner model,
3-corner model, and 4-corner model.
The issue of somebody's use of a 4-corner model as opposed to choosing
a 2-corner model or a 3-corner model seems to have nothing at all to
do with identity fraud issues. The business issues of 2-corner,
3-corner, and 4-corner business process implementations are almost
totally orthogonal to the business issues related to identity fraud.
The design of the transactions and the selection of what kind of
information is required for the transactions can have a significant
effect on identity fraud.
My assertion is that the prevalence of identity fraud is at least
partially a characteristic of the significant reliance on
shared-secrets and identity related information in much of the
deployed infrastructures today (totally independent of how many
corners they may have). The further assertion (as in the X9.59 case)
is that if it is possible to steal every piece of information in the
transaction and still not perform a fraudulent transaction based on
that information, several types of existing fraudulent activity would
be eliminated.
x9.59 references:
https://www.garlic.com/~lynn/x959.html#x959
repeated references to gsa contract:
https://www.garlic.com/~lynn/aadsm12.htm#22 draft-ietf-pkix-warranty-ext-01
https://www.garlic.com/~lynn/aadsm12.htm#41 I-D ACTION:draft-ietf-pkix-sim-00.txt
https://www.garlic.com/~lynn/aadsm12.htm#42 draft-ietf-pkix-warranty-extn-01.txt
https://www.garlic.com/~lynn/aadsm14.htm#37 Keyservers and Spam
https://www.garlic.com/~lynn/aadsm14.htm#47 UK: PKI "not working"
https://www.garlic.com/~lynn/aepay12.htm#1 Confusing business process, payment, authentication and identification
anders.rundgren@xxxxxxxx on 6/28/2003 3:32 pm wrote:
I believe we are in agreement with what the fourth corner does in a
trust network, it is like the relying party's insurance, link to the
law, etc.
A problem as I see it is what the fourth corner (or TTP CA) is
prepared to vouch for in a non-payment situation. It can surely not
make any warranties (in contrast to payments) about the value and
credibility of the client, only that it has performed an RA and
certification process according to some written practice statements.
Does the RP need a business relation with the trust network in order
to be able to sue a misbehaving client who is repudiating its actions?
Some people claim that, I don't. If the signature can be technically
derived to the client's key, the client is toast. Is the fourth
corner supposed to protect the RP from client key misuse/theft? I
would say that this would be a very bad idea as the key may have been
used to open information banks of incredible value that no insurance
will cover and is not possible to rollback either. Authentication <>
Payments!
But if the faulty operation is due to certification errors, probably
due to identity fraud? Then we enter the real CA liability scene. RP
contracts have the same function as US SW licenses: To make you aware
that nothing is really guaranteed, it is sold "as is". Is this
acceptable? This is hard to say, it is rather depending on how
frequent errors are and the consequences of those.
A problem is that a fourth corner can do nothing about identity fraud
which in my opinion makes it less viable regardless of its possible
legal value.
So of course it is good to have business relations between parties in
a trust network, but don't expect to get compensation when things go
REALLY wrong. It is also rather hard to run court trials regarding
information theft as it is hard to put a value on copied information.
Due to these problems I believe the fourth corner is something that
bank-operated trust networks should not take for granted.
Particularly if it causes business parties to pay for received
messages rather than (or in addition to) for sending messages.
Confusing business process, payment, authentication and identification
From: Lynn Wheeler
Date: 06/29/2003 10:27 AM
To: "Anders Rundgren" <anders.rundgren@xxxxxxxx>
cc: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
as in previous posts ... there would seem to be two ways that legal
obligations are created,
1) contracts
2) gov. regulations
for the most part, value exchange can occur to help fund a business
operation (aka can a TTP CA operate on no funds and no revenue?,
salaries, electricity, communication, etc):
1) by value exchange (ala some reason for an entity to purchase a
certificate, either because they see some benefit or because it is
mandated by the government)
2) government subsidies
3) industry subsidies
we had a little bit of experience related to TTP CAs in support of SSL
trusting webservers and the whole thing is the client really talking
to the merchant that they think they are talking to. Originally it was
thought to be in use generally for e-commerce .... but possibly somewhat
because of the expense of the operation it was reduced more & more to
just secrecy hiding of credit card numbers. slight reference
https://www.garlic.com/~lynn/aadsm5.htm#asrn2
https://www.garlic.com/~lynn/aadsm5.htm#asrn3
it has now been nine years since we started the work on the above
... as well as some detailed investigation (diligence) of the
prominent TTP CAs at the time (operationally and business).
The stale, static certificates were being done to certify the
domain name of the webserver that the client was talking to. There was
no real PKI .... which is the reason we coined the term certificate
manufacturing (as an aid in distinguishing it from real PKI).
or is the idea that every ten years .... we hold a party to decide
that PKIs haven't found a purpose in life yet ... and we decide to
again take a new look 3-5 years from now to again see what really
happened.
so, we actually have a past comparison of drivers license. For a long
time the drivers license was used in an offline world. You get
stopped, the officer looks at the drivers license, and then either
writes a ticket or doesn't write a ticket. Traditional TTP CA stale,
static certificate offline paradigm. Currently, it would appear that
there has been a major transition to the online world for anything of
value. The number from the driver's license is used to perform an
online transaction which can bring up real-time and aggregated
information, including image and physical description.
The assertion was never that stale, static certificates were totally
useless. The assertion was that stale, static certificates were
better than nothing in an offline environment. In the transition to a
ubiquitous, online connectivity, the issue becomes a value trade-off
of having direct, realtime, online access to the real information
.... or relying on a stale, static copy of the real information that
was manufactured at some point in the past.
The issues aren't payment; the issues are offline vis-a-vis online and
the importance or value of having or not having the information.
The assertion is in an offline world, that a stale, static certificate
is possibly viewed as better than having no information.
The assertion that something of value is involved, or it wouldn't even
be a consideration that something better than nothing is
required. If nothing of value was involved, then it would be possible
to get by w/o having either online access or a stale, static
certificate copy of the online information.
The assertion is that it becomes a value trade-off, the better quality
information of online, real-time, and/or aggregated information
against the poorer quality of stale, static information manufactured
at some time in the past vis-a-vis the incremental cost of online.
The assertion is that the payment industry made the trade-off decision
in the early '70s that the higher quality online, real-time,
aggregated information more than justified the online access.
The assertion is that the ubiquitous and pervasive deployment of
online world is drastically narrowing the market segment for stale,
static offline world.
It IS NOT a question of payment vis-a-vis other infrastructures. it is
purely a question does the value of the operation justify the
incremental cost of online. As the pervasiveness of online spreads and
the costs continue to decline, the market niche for offline gets
smaller and smaller.
It IS NOT a question of payment vis-a-vis other infrastructures. Right
now today, transit payment is almost totally offline, the assertion is that
because the value of the individual transactions, the timing
constraints at transit turnstiles, and the relative cost of online
create a market segment for low-valued payment to still be an offline
operation. There is an assertion that declining costs of online will
erode this market segment as an offline infrastructure.
It isn't payment vis-a-vis other stuff; it is purely value of the
operation, increased benefit of online, realtime, aggregated vis-a-vis
offline, stale, static, and costs of online vis-a-vis offline.
past threads on drivers license and/or aggregated information
https://www.garlic.com/~lynn/aadsm11.htm#39 ALARMED ... Only Mostly Dead ... RIP PKI .. addenda
https://www.garlic.com/~lynn/aadsm11.htm#40 ALARMED ... Only Mostly Dead ... RIP PKI ... part II
https://www.garlic.com/~lynn/aadsm12.htm#26 I-D ACTION:draft-ietf-pkix-usergroup-01.txt
https://www.garlic.com/~lynn/aadsm12.htm#27 Employee Certificates - Security Issues
https://www.garlic.com/~lynn/aadsm12.htm#32 Employee Certificates - Security Issues
https://www.garlic.com/~lynn/aadsm12.htm#52 First Data Unit Says It's Untangling Authentication
https://www.garlic.com/~lynn/aadsm13.htm#2 OCSP value proposition
https://www.garlic.com/~lynn/aadsm13.htm#3 OCSP and LDAP
https://www.garlic.com/~lynn/aadsm13.htm#4 OCSP and LDAP
https://www.garlic.com/~lynn/aadsm13.htm#5 OCSP and LDAP
https://www.garlic.com/~lynn/aadsm13.htm#20 surrogate/agent addenda (long)
https://www.garlic.com/~lynn/aadsm14.htm#17 Payments as an answer to spam (addenda)
https://www.garlic.com/~lynn/aadsm14.htm#20 Payments as an answer to spam (addenda)
https://www.garlic.com/~lynn/aepay10.htm#73 Invisible Ink, E-signatures slow to broadly catch on
https://www.garlic.com/~lynn/aepay10.htm#74 Invisible Ink, E-signatures slow to broadly catch on (addenda)
https://www.garlic.com/~lynn/aepay10.htm#75 Invisible Ink, E-signatures slow to broadly catch on (addenda)
https://www.garlic.com/~lynn/aepay11.htm#68 Confusing Authentication and Identiification?
https://www.garlic.com/~lynn/aepay11.htm#72 Account Numbers. Was: Confusing Authentication and Identiification? (addenda)
https://www.garlic.com/~lynn/96.html#17 middle layer
https://www.garlic.com/~lynn/98.html#41 AADS, X9.59, & privacy
https://www.garlic.com/~lynn/99.html#238 Attacks on a PKI
https://www.garlic.com/~lynn/2000.html#86 Ux's good points.
https://www.garlic.com/~lynn/2000e.html#39 I'll Be! Al Gore DID Invent the Internet After All ! NOT
https://www.garlic.com/~lynn/2001.html#67 future trends in asymmetric cryptography
https://www.garlic.com/~lynn/2001e.html#76 Stoopidest Hardware Repair Call?
https://www.garlic.com/~lynn/2001f.html#77 FREE X.509 Certificates
https://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
https://www.garlic.com/~lynn/2001n.html#56 Certificate Authentication Issues in IE and Verisign
https://www.garlic.com/~lynn/2002h.html#27 Why are Mainframe Computers really still in use at all?
https://www.garlic.com/~lynn/2002m.html#20 A new e-commerce security proposal
anders.rundgren@xxxxxxxx on 6/29/2003 1:45 am wrote:
Lynn!
Before wasting too much list bandwidth, let's conclude that the TTP CA
business and legal models are still to be determined by establishing practices.
Not a single case has to my knowledge reached a court yet so [all] this
is just "theory", "habits", and "speculation", albeit rather interesting such :-)
The following lines show that TTP CAs may have a long way to go:
"In a simple TTP CA stale, static certificate model, without a
business relationship between the merchant and the consumer's TTP CA
, no business relationship has been created between the consumer's
TTP CA and the merchant. Therefore there is no grounds to sue."
An odd thing is that a major reason Identrus use a four-corner model is
to have the relying party sign a contract freeing Identrus from liability!
I.e. this is like accepting a typical US SW contract which says "AS IS",
"NOT FIT FOR MISSION-CRITICAL USE", etc.
Without having RP-contracts TTP CAs are (they claim so at least), potentially
liable for whatever bad things the consumer does. I'm not the one to
tell if this is wrong or not. Frankly, I don't think _anybody_ with certainty
can claim that something is right or wrong based on no practical
experience at all, as this kind of TTP activity (unlike payments),
is totally different from anything else we know. Drivers' licenses or
passports are not comparable in any way as there is no physical
appearance supporting the identification process.
Let's take a new look in 3-5 years from now and see "what really happened".
It will be a truly Darwinian process....
Anders
Confusing business process, payment, authentication and identification
From: Lynn Wheeler
Date: 06/29/2003 04:28 PM
To: epay@xxxxxxxx
cc: internet-payments@xxxxxxxx
Subject: Re: Confusing business process, payment, authentication and identification
i was not so much seeing this part of the thread as what to build
.... but what were some of the constituent components and driving
factors of the operational infrastructures (aka was it possible for
government to mandate stale, static certificates even if it made no
economic sense in a rapidly evolving online world).
we've had somewhat related activity in the standards privacy working
group. the surface analysis was to take the existing privacy
regulation and legislation and codify it.
the behind the scenes analysis from 1999 was that driving factors in
privacy related regulatory and legislative activity was
1) identity theft and
2) (institutional) denial of service.
There would continue to be a lot of regulatory and legislative
activity as long as there was identity theft and/or denial of service
happening (basically some fundamental economic driving issues). Some
amount of this activity suspended in the wake of 9/11 but didn't
disappear. In the recent march timeframe, the prediction was a lot of
the regulatory and legislative privacy related activity would start to
see a lot more action by the summer .... which appears to be coming to
pass.
Which then somewhat gets things back to the subject line of confusing
all kinds of things with identification.
The x9.59 scenario with respect to being agnostic with respect to
privacy is that the integrity of a payment transaction can be
significantly raised at the same time removing any ancillary need for
shared-secrets and/or privacy information in conjunction with the
payment.
There was a reference to GSA (a government entity) resorting to
bilateral contracts with all of the individual entities (TTP CAs and
relying parties) in attempt to provide stale, static certificates some
legal foundation. Rather than forcing all relying parties to have
individual contracts with each and every TTP CA ... they effectively
made all of the TTP CAs agents of the GSA (via contract) and then
every relying party had a contract with GSA. This addressed the
requirement for N times M individual contracts (as in the discussion
of some parts of the world ... which scales poorly in situation where
N times M equals 120 billion).
t.c.jones@xxxxxxxx 6/29/2003 12:51 pm wrote:
I would not try to build a single system that could handle value
transfers for regular business use and for government payments.
The major reason is the legal liability. Business contracts typically
involve civil penalties. Government mandates, and our responses to
them, typically involve criminal penalties. In the business case
identity is seldom necessary for transactions that do not involve
real-estate. In fact the increasing concern for privacy somewhat
mandates that users can limit the data transferred about themselves.
This is where account-based transactions should be targeted. In the
government case identity is nearly always required by law or
regulation, and privacy is typically not available.
I believe that payments from purchasers to merchants is the problem
that we have some chance of solving here. Government payments will be
mandated and will probably not be designed for any of the purposes
that business desires.
Let's focus on what we can affect.
Law aims to reduce identity theft
From: Lynn Wheeler
Date: 06/30/2003 11:56 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Law aims to reduce identity theft
http://news.com.com/2100-1019_3-1022341.html
Law aims to reduce identity theft
By Robert Lemos
Staff Writer, CNET News.com
June 30, 2003, 2:41 PM PT
A California law that requires e-commerce companies to warn consumers
when their personal information may have been stolen could provide a
boost for security firms.
The Security Breach Information Act (S.B. 1386), which goes into
effect Tuesday, requires companies that do business in California or
that have customers in the state to notify consumers whenever their
personal information may have been compromised.
Companies that fail to properly lock down information or to notify
consumers of intrusions could be sued in civil court.
... snip ...
also ... text of bill
http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html
Know Your Enemy Automated Credit Card Fraud (automated, forwarded)
From: Lynn Wheeler
Date: 07/10/2003 01:07 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Know Your Enemy Automated Credit Card Fraud (automated, forwarded)
Patrick McCarty <mccartyp@xxxxxxxx> wrote:
Subject Know Your Enemy - Automated Credit Card Fraud
The Honeynet Project is excited to announce the release of a new paper
in the Know Your Enemy series, "Automated Credit Card Fraud." The
paper describes how a certain criminal community, who call themselves
carders, have established sophisticated tools and methods that perform
such functions as
* Providing a stolen credit card and personal information upon request
* Verifying that a credit card is currently valid
* Determining the security code (CVV2) associated with a credit card
* Determining the available credit remaining on a credit card
These tools also identify retailers vulnerable to credit card fraud,
exploits that can compromise inadequately defended e-commerce sites,
and means of concealing on-line identity during criminal activity.
The related criminal activity is global in scope, significant in
volume, and conducted largely in open IRC channels. Despite policing
by operators of some IRC networks, and shutdown of some high-activity
channels, several IRC networks and many IRC channels continue to
provide automated support of credit card fraud. One of the most
disturbing aspects of this activity is just how simple and pervasive
this has become.
Know Your Enemy Automated Credit Card Fraud
http://www.honeynet.org/papers/profiles/cc-fraud.pdf
Bugwatch: Know your security onions
From: Lynn Wheeler
Date: 08/07/2003 07:05 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Bugwatch: Know your security onions
http://www.vnunet.com/News/1142875
Bugwatch: Know your security onions
The biggest ever cyber-crime involved the theft of more than a million
credit card numbers from online banks and retailers across 20
countries.
... snip ...
Know your security onions (or security proportional to risk)
From: Lynn Wheeler
Date: 08/07/2003 07:37 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Re: Know your security onions (or security proportional to risk)
On 8/7/2003, 7:27 pm, lynn.wheeler@xxxxxxxx wrote:
http://www.vnunet.com/News/1142875
Bugwatch: Know your security onions
The biggest ever cyber-crime involved the theft of more than a million
credit card numbers from online banks and retailers across 20
countries.
note that this is somewhat related to the tale about trust documents
from the most recent risks-forum ... archived at:
http://catless.ncl.ac.uk/Risks/22.83.html
current weeks copy at:
http://www.csl.sri.com/users/risko/risks.txt
and an old discussion about security proportional to risk:
https://www.garlic.com/~lynn/2001h.html#61
One of the issues in x9.59 was to remove the account number as a
vulnerability .... since it is in such widespread use .... that it
would be practically impossible to cover the earth in sufficient
layers of security and encryption to eliminate the
vulnerabilities. some discussions about the difficulty of protection
for paradigms involving widely distributed shared-secrets that
happen to be extensively used in lots of business processes:
https://www.garlic.com/~lynn/aadsm14.htm#33 An attack on paypal
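To make the point concrete, here is an added example (not X9.59's own transaction format, nor code from any of the products or projects named on this page; the field names, the key-registration step, the nonce handling and the sample account number are assumptions for illustration). It shows the property claimed in the X9.59 characteristics list earlier on this page and in the note above about removing the account number as a vulnerability: every field of the transaction, the account number included, travels in the clear; the account authority checks the transaction against a public key it holds on file for that account; and an attacker who captures the whole transaction can neither replay it nor build a new one out of it. It goes one step beyond the text by also showing that a fresh transaction on the same account signed with the attacker's own key is refused, since only the key registered for the account counts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Transaction is a hypothetical X9.59-style payment object (field names are
// assumptions for this example). Everything in it is sent in the clear: the
// account number is an identifier, not a secret, and no PIN, card security
// code, address or other shared secret is carried.
type Transaction struct {
	Account  string `json:"account"`
	Merchant string `json:"merchant"`
	Amount   int64  `json:"amount_cents"`
	Nonce    string `json:"nonce"` // unique per transaction so replays can be refused
}

// SignedTransaction is what the merchant forwards: the clear transaction plus
// the account holder's ECDSA signature over its digest.
type SignedTransaction struct {
	Tx   Transaction
	R, S *big.Int
}

// Authority stands in for the account-holding institution. It keeps the public
// key registered against each account (no certificate involved) and the set of
// nonces it has already honoured.
type Authority struct {
	keys map[string]*ecdsa.PublicKey
	seen map[string]bool
}

func NewAuthority() *Authority {
	return &Authority{keys: map[string]*ecdsa.PublicKey{}, seen: map[string]bool{}}
}

// Register binds a public key to an account at enrolment time.
func (a *Authority) Register(account string, pub *ecdsa.PublicKey) { a.keys[account] = pub }

// digest canonicalises the transaction (json.Marshal writes struct fields in
// declaration order, so the encoding is deterministic) and hashes it.
func digest(tx Transaction) ([]byte, error) {
	b, err := json.Marshal(tx)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(b)
	return h[:], nil
}

// Sign is the account holder's side: sign the digest with a private key that
// never leaves the holder's token.
func Sign(priv *ecdsa.PrivateKey, tx Transaction) (SignedTransaction, error) {
	d, err := digest(tx)
	if err != nil {
		return SignedTransaction{}, err
	}
	r, s, err := ecdsa.Sign(rand.Reader, priv, d)
	if err != nil {
		return SignedTransaction{}, err
	}
	return SignedTransaction{Tx: tx, R: r, S: s}, nil
}

// Authorize accepts a transaction only if it verifies under the key on file for
// the account and its nonce is new. This authenticates the transaction; it says
// nothing about who the account holder is (no identification takes place).
func (a *Authority) Authorize(st SignedTransaction) error {
	pub, ok := a.keys[st.Tx.Account]
	if !ok {
		return errors.New("unknown account")
	}
	d, err := digest(st.Tx)
	if err != nil {
		return err
	}
	if !ecdsa.Verify(pub, d, st.R, st.S) {
		return errors.New("signature does not verify under the registered key")
	}
	if a.seen[st.Tx.Nonce] {
		return errors.New("replay: nonce already honoured")
	}
	a.seen[st.Tx.Nonce] = true
	return nil
}

// Demo plays the scenario out: one genuine transaction, then three attempts by
// an attacker who has captured every byte of it (straight replay, an altered
// copy, and a fresh transaction signed with the attacker's own key). The
// account number and amounts are constructed sample data.
func Demo() (genuine, replay, altered, ownKey error) {
	holderKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	attackerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := NewAuthority()
	auth.Register("4111-0000-0000-0001", &holderKey.PublicKey)

	tx := Transaction{Account: "4111-0000-0000-0001", Merchant: "shop.example", Amount: 4999, Nonce: "n-0001"}
	st, _ := Sign(holderKey, tx)
	genuine = auth.Authorize(st)

	replay = auth.Authorize(st) // attacker resubmits the captured transaction unchanged

	forged := st // attacker edits the captured copy but can only reuse the old signature
	forged.Tx.Merchant, forged.Tx.Amount, forged.Tx.Nonce = "attacker.example", 99999, "n-0002"
	altered = auth.Authorize(forged)

	fresh := Transaction{Account: tx.Account, Merchant: "attacker.example", Amount: 99999, Nonce: "n-0003"}
	fst, _ := Sign(attackerKey, fresh) // valid signature, wrong key for this account
	ownKey = auth.Authorize(fst)
	return
}

func main() {
	g, r, a, o := Demo()
	fmt.Println("genuine:", g, "| replay:", r, "| altered:", a, "| attacker key:", o)
}
```

Saved as main.go and run with go run, it prints nil for the genuine transaction and an error for each of the three attacks. The design point is that the only thing the authority needs to keep private is nothing at all: the account number can be printed on receipts, and the private key stays in the holder's token, so compromising a merchant's transaction logs yields data that cannot be turned into a new payment.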
New privacy rules could mean headaches for financial services IT
From: Lynn Wheeler
Date: 08/12/2003 09:01 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: New privacy rules could mean headaches for financial services IT
http://www.computerworld.com/securitytopics/security/privacy/story/0,10801,83877,00.html
New privacy rules could mean headaches for financial services IT
A ballot initiative and a judge's ruling may reach beyond California
By JAIKUMAR VIJAYAN
AUGUST 11, 2003
A consumer-privacy-related ballot initiative by a political group in
California could complicate matters for financial services companies
that are already scrambling to comply with other regional and federal
privacy mandates.
And just like the recently instituted California state privacy law SB
1386 (see story), the proposed ballot measure will have a nationwide
reach, privacy experts said.
.. snip ...
Feds Want Banks to Warn of ID Theft
From: Lynn Wheeler
Date: 08/13/2003 01:31 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Feds Want Banks to Warn of ID Theft
http://www.internetnews.com/fina-news/article.php/2248241
August 13, 2003
Feds Want Banks to Warn of ID Theft
By Roy Mark
Federal bank and thrift regulatory agencies issued proposed guidelines
Tuesday to require financial institutions to develop programs to
respond to incidents of unauthorized access to customer information,
including procedures for notifying customers under certain
circumstances.
.. snip ...
Net Worm Heightens Security Concerns
From: Lynn Wheeler
Date: 08/16/2003 06:26 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Net Worm Heightens Security Concerns
http://www.washingtonpost.com/wp-dyn/articles/A60273-2003Aug14.html
a number of quotes in the above about financial related crimes ... one such
McNevin said stolen financial data, such as credit card numbers, often ends
up for sale or auction on Web sites.
One such site promises that stolen credit card data includes birth dates
and Social Security numbers. Prices are based on the credit limits of the
cards.
"These are not thugs," McNevin said of the worm developers. "These are
astrophysicists and computer scientists who have been brought in to take
down or compromise systems."
Experts said the financial industry often keeps such attacks quiet, for
fear of upsetting customers and giving publicity to the hackers.
.. snip ...
slightly related from a couple months ago:
http://www.w3w3.com/CSSB.htm
Identity theft rockets 80 per cent
From: Lynn Wheeler
Date: 08/16/2003 08:36 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Identity theft rockets 80 per cent
http://www.vnunet.com/News/1142517
Identity theft rockets 80 per cent
By Robert Jaques [23-07-2003]
And the danger isn't only on the internet, warns analyst
Identity theft in the US has leapt by 79 per cent over the last year,
with only a one in 700 chance of thieves being caught, industry
watchers have warned.
According to analyst firm Gartner, seven million American adults - 3.4
per cent of all US consumers - were victims of identity theft during
the 12 months ending June 2003.
.. snip ...
"Many banks, credit card issuers, cell phone service providers and
other enterprises that extend financial credit to consumers don't
recognise most identity theft fraud for what it is," Litan said.
"Instead they mistakenly write it off as credit losses, causing a
serious disconnect between the magnitude of identity theft that
innocent consumers experience and the industry's proper recognition of
the crime."
"This causes a disincentive to fix the problem with the urgency it
requires."
.. snip ...
Hacker's compromise Navy purchase card
From: Lynn Wheeler
Date: 08/21/2003 03:32 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Hacker's compromise Navy purchase card
http://www.gcn.com/vol1_no1/daily-updates/23217-1.html
08/21/03
Hackers compromise Navy purchase cards
By Dawn S. Onley
Hackers recently broke into a Navy system and gained access to 13,000 Navy
purchase cards, according to Defense Department officials who are
investigating the incident.
The DOD Purchase Card Program Management Office has issued a release
stating that the Navy has cancelled all of its purchase card accounts
(about 22,000) to minimize the number of unauthorized purchases, and is
working closely with the issuing company, Citibank.
.. snip ...
Technology and Crime, Criminal Intelligence Service Canada - 2003
From: Lynn Wheeler
Date: 08/25/2003 11:51 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Technology and Crime, Criminal Intelligence Service Canada - 2003
http://www.cisc.gc.ca/AnnualReport2003/Cisc2003/technology2003.html
... snip ...
As technologies for conducting on-line commercial transactions evolve,
so do opportunities for fraud. Identity theft and payment card fraud
are among the most frequently occurring types of fraud in Canada
according to Phonebusters, a fraud reporting agency administered by
the Ontario Provincial Police in cooperation with the RCMP. Identity
theft provides opportunities for criminals and/or members of organized
crime groups to assume a false identity and obtain funds
illegally. The use of sophisticated peripherals such as laser
printers, digital cameras, scanners, and desktop publishing software
can also offer the opportunity to facilitate the production of false
identities and counterfeit documents.
Asian-based and Eastern European-based organized crime groups are
reported to be extensively involved in large-scale elaborate payment
card fraud schemes as well as other fraud-related criminal activity
throughout the country.
There are instances in which the modification and/or enhancement of
existing technology may also allow criminals to facilitate
fraud-related crimes. In March 2003, Ontario-based individuals with
suspected ties to organized crime persuaded unsuspecting merchants
into using modified point-of-sale machines. These machines, fitted
with a "skimming" device, would sit for a period of time
capturing payment card information until the device was retrieved by
the criminals. In December 2002, several individuals were charged with
debit card fraud and fraud over $5,000 after participating in an
elaborate automated teller machine fraud scheme orchestrated by
members of an Eastern European-based organized crime group. This
scheme, which stretched across the country, had an attributed loss of
over $1.2 million. Electronic mail is also used to facilitate schemes
such as stock market manipulation, frequently referred to as pump and
dump or slump and dump schemes, telemarketing schemes, as well as
proliferating malicious code programs such as the SLAMMER worm in
January 2003.
... snip ...
Yodlee offers standard interface to smooth the electronic bill payment process
From: Lynn Wheeler
Date: 08/26/2003 02:10 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Yodlee offers standard interface to smooth the electronic bill payment process
http://www.informationweek.com/story/showArticle.jhtml?articleID=13100935
An offering from financial-services software vendor Yodlee Inc. will
provide a standardized interface for connecting to "biller-direct" Web
sites of nearly 2,500 lenders, credit-card, and mortgage companies, as
well as nonfinancial billers such as mobile-phone, cable-TV, and
long-distance companies. The service, dubbed BillDirect, is being
tested at one of the vendor's large clients. It's based on an upcoming
upgrade of Yodlee's account-aggregation software that's focused on
helping users manage their billing.
.. snip ...
Bahrain Takes Swipe Into the Future With News Smart ID Cards
From: Lynn Wheeler
Date: 8/26/2003 02:19 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Bahrain Takes Swipe Into the Future With News Smart ID Cards
http://www.informationweek.com/story/showArticle.jhtml?articleID=13900098
.. snip ...
Users will be able to pay bills, withdraw cash, transfer money, check
their bank balances and conduct Internet transactions with a swipe of
the card, and use the same card to vote in municipal and
parliamentary elections
.. snip ...
Solving the payment problem for open source and P2P file sharing
From: Lynn Wheeler
Date: 08/26/2003 02:23 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Solving the payment problem for open source and P2P file sharing
http://newsforge.com/newsforge/03/08/26/143247.shtml?tid=3
.. snip ...
Another option is to allow users to bill downloads to their cellular
phones. Again, the idea is to make payment seamless, so that the
consumer is focused on enjoying the art, and not the act of
payment. If he's online, the user simply types in his phone number
(with some additional added security to prevent unauthorized charging
of downloads to a third-party account), and gets the music (with the
cell phone company managing payment to the record or movie label on
the back end). If he's offline but using his cell phone, I can
envision Johnny sending Jane a download of Audioslave's newest "love
song," routing it to her IP address for immediate download the next
time she logs on to her computer.
.. snip ...
DNS inventor says cure to net identity problems is right under our nose
From: Lynn Wheeler
Date: 08/27/2003 07:41 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: DNS inventor says cure to net identity problems is right under our nose
slightly related from past thread
https://www.garlic.com/~lynn/aepay11.htm#43 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
https://www.garlic.com/~lynn/aepay11.htm#45 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
http://www.business-standard.com/ice/story.asp?Menu=119&story=20692
DNS inventor says cure to net identity problems is right under our nose
Published : August 13, 2003
Meet Paul Mockapetris. He may not be an industry celebrity like Bill
Gates, Michael Dell, Richard Stallman, Eric Raymond, or Linus
Torvalds, but he should be.
Mockapetris was a key figure in the development of the Domain Name
System, the Internet protocol that maps domain names like zdnet.com to
IP addresses like 206.16.6.208.
.. snip ...
Tech firms band together on ID theft
From: Lynn Wheeler
Date: 09/02/2003 09:12 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Tech firms band together on ID theft
http://news.com.com/2100-1019_3-5070601.html?tag=fd_top
Tech firms band together on ID theft
By Alorie Gilbert
Staff Writer, CNET News.com
September 2, 2003, 7:10 PM PT
Some of the biggest names in e-commerce, including Amazon.com, eBay
and Microsoft, have formed a coalition to curb online identity theft.
The Coalition on Online Identity Theft, announced Tuesday, said it
plans to launch a public education campaign and encourage its members
to work more closely with law enforcement officials in an effort to
fight a crime that has emerged as a major concern among politicians
and consumers in recent years. The group is being organized by the
Information Technology Association of America, a trade group
representing the high-tech industry.
"We all agree we want to do something about this and nip this in the
bud," said Greg Garcia, vice president of information security at
ITAA, claiming a small percentage of identity theft cases actually
begin online. Statistics show that identity theft has moved well past
the bud stage to reach the level of full-blown weed infestation in
recent years. The number of U.S. consumers that complained about some
sort of identity theft nearly doubled to 162,000 last year, according
to the Federal Trade Commission. And government figures only scratch
the surface, technology analyst firm Gartner said. Gartner estimates
that 3.4 percent of U.S. consumers--about 7 million adults--have been
victims of identity theft of some form in the past year.
.. snip ...
Federal agencies' banking system moves online
From: Lynn Wheeler
Date: 09/02/2003 09:15 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Federal agencies' banking system moves online
http://www.gcn.com/vol1_no1/daily-updates/23387-1.html
09/02/03
Federal agencies' banking system moves online
By Mary Mosquera
GCN Staff
The Treasury Department's new Internet-based cash management system,
CashLink II, went into operation today for deposit reporting and bank
management information.
The financial data system from Treasury's Financial Management Service
collects and manages government funds and provides deposit information
to federal agencies.
This latest version of CashLink connects agencies, financial
institutions, Federal Reserve banks and Treasury fund managers through
an electronic network.
... snip ...
FTC Says ID Theft Greater Problem Than Originally Thought
From: Lynn Wheeler
Date: 09/03/2003 04:10 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: FTC Says ID Theft Greater Problem Than Originally Thought
as well as a couple new URLs today (followup on posting yesterday):
TheftBusters: Coalition to Combat Online ID Fraud
http://www.internetnews.com/ec-news/article.php/3071701
Tech Giants Join Forces Against ID Theft
http://itmanagement.earthweb.com/secu/article.php/3071761
and the FTC ref:
http://dc.internet.com/news/article.php/3072091
September 3, 2003
FTC Says ID Theft Greater Problem Than Originally Thought
By Roy Mark
WASHINGTON -- Identity theft is an even greater problem than initially
thought by federal officials, but Internet sites that collect personal
information are not a significant contributing factor, according to a
new report released Wednesday by the Federal Trade Commission (FTC).
.. snip ...
some X9.59 (and little FSTC) ... from crypto mailing list ... fyi
From: Lynn Wheeler
Date: 09/09/2003 01:19 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: some X9.59 (and little FSTC) ... from crypto mailing list ... fyi
Basically leading up to this discussion was the use of SSL on the
internet .... and was its predominant use for securing credit card
transactions. Some of the early history (as referenced background
threads leading up to this one) was SSL for the complete shopping
experience (and somewhat got cut back to just credit card because
there was about a factor of five difference between number of SSL
sessions and the number of non-SSL sessions that could be supported by
the same webserver hardware).
Subject of X9.59 in crypto mailing list:
https://www.garlic.com/~lynn/aadsm15.htm#6 X9.59
background posts leading up
https://www.garlic.com/~lynn/aadsm15.htm#0 invoicing with PKI
https://www.garlic.com/~lynn/aadsm15.htm#2 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#3 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#4 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#5 Is cryptography where security took the wrong branch?
Police smash UK's biggest credit card fraud ring
From: Lynn Wheeler
Date: 09/09/2003 02:42 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Police smash UK's biggest credit card fraud ring
the initial "847" seems a little inconsistent 2m to 20m in fraud
... maybe it was 8 thousand or 80 thousand ... not 847
http://www.theregister.co.uk/content/55/32704.html
Police smash UK's biggest credit card fraud ring
By Drew Cullen
Posted: 08/09/2003 at 13:14 GMT
Three men are facing long jail sentences after pleading guilty, Friday
(Sept. 5) to running the UK's biggest ever credit card fraud at
Middlesex Guildhall Crown Court.
The trio stole details of 847 cards of Heathrow Express rail
passengers who had paid for their journey by credit cards. They passed
on the info to a gang of forgers who cloned 8,790 credit cards for use
in the UK and on the Continent. The cloners were able to use only 10
per cent of the numbers, pocketing £2m for the gang. Police estimate
that the gang could have gained £20m if all the credit card numbers
had been used.
... snip ...
More on the ID theft saga
From: Lynn Wheeler
Date: 09/09/2003 03:17 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: More on the ID theft saga
At least part of this breaks out account fraud numbers (primarily
credit card fraud) separate from other kinds of ID theft fraud
ID theft hits 10m Americans a year
http://www.theregister.co.uk/content/55/32688.html
Database gaps make ID fraud easier, GAO says
http://www.gcn.com/vol1_no1/daily-updates/23446-1.html
FTC Release Survey of Identity Theft in US
http://www.ftc.gov/opa/2003/09/idtheft.htm
Cyber Security In The Financial Services Sector
From: Lynn Wheeler
Date: 09/10/2003 03:55 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Cyber Security In The Financial Services Sector
http://www.imn.org/2003/a555/
... from above:
Attend the Largest Gathering of FiServ InfoSec executives on Wall
Street!! IMN's SECOND ANNUAL CYBER SECURITY IN THE FINANCIAL
SERVICES SECTOR EXECUTIVE SUMMIT. October 9-10, 2003, Puck Building,
N.Y.C. Over 25 cutting edge solution provider demos... ISS, VeriSign,
Symantec and many more... Participating companies include Bank of NY;
Bear Stearns; BNP Paribas; Chicago Board of Trade; Citibank; Credit
Lyonnais; Credit Suisse; Deutsche Bank; Fleet Boston; ING; JP Morgan
Chase; Morgan Stanley; Prudential; Raymond James; US Treasury; The
World Bank and many more. What you will learn Latest regulations and
policies Learn the latest in Cyber threats Viruses, Worms, and
System Intrusions System Vulnerabilities & Weaknesses Security
Valuation & Budgets Outsourcing Wall Street - Governmental
Partnership and much more
home page:
http://www.imn.org/
-------------------------------------------------------------------
... also recent report on Financial Critical Infrastructure
Despite Notable Security Advances, Financial Sector Still Vulnerable
http://www.dartmouth.edu/%7Enews/releases/2003/09/10a.html
Survey and Analysis of Security Issues in the U.S. Banking and Finance
Sector
http://www.ists.dartmouth.edu/ISTS/ists_docs/secfin0903.htm
full report:
http://www.ists.dartmouth.edu/ISTS/ists_docs/secfin0903.pdf
Bank One Calls Attention to ID Theft
From: Lynn Wheeler
Date: 09/16/2003 07:44 PM
To: epay@xxxxxxxx
Subject: Bank One Calls Attention to ID Theft
http://www.internetnews.com/ec-news/article.php/3078191
September 16, 2003
Bank One Calls Attention to ID Theft
By Mark Berniker
Bank One is partnering with the US Postal Inspection Service and other
government entities for a new national crime prevention campaign to
raise awareness among business and consumers facing the specter of
identity theft. "Today's initiative is a coming together of a
number of initiatives concerning the growing problem of identity theft,"
said Chris Conrad, senior vice president of fraud management for Bank
One.
Conrad told internetnews.com more than three million brochures will be
mailed to individuals in areas of the country where identity theft has
been most prevalent.
... snip ...
A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
From: Lynn Wheeler
Date: 09/18/2003 02:34 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: A Uniform Resource Name (URN) Namespace for SWIFT Financial Messaging
RFC 3615
Title: A Uniform Resource Name (URN) Namespace for SWIFT
Financial Messaging
Author(s): J. Gustin, A. Goyens
Status: Informational
Date: September 2003
Mailbox: jean-marc.gustin@xxxxxxxx, andre.goyens@xxxxxxxx
Pages: 5
Characters: 7352
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-gustin-goyens-urn-id-02.txt
URL: ftp://ftp.rfc-editor.org/in-notes/rfc3615.txt
This document describes a Uniform Resource Name (URN) namespace that
is managed by SWIFT for usage within messages standardized by SWIFT.
Carnegie Mellon to host first US-based int'l conference on electronic commerce
From: Lynn Wheeler
Date: 09/18/2003 06:37 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Carnegie Mellon to host first US-based int'l conference on electronic commerce
http://www.eurekalert.org/pub_releases/2003-09/cmu-cmt091803.php
Carnegie Mellon to host first U.S.-based int'l conference on
electronic commerce
PITTSBURGH--Carnegie Mellon University will host the Fifth
International Conference on Electronic Commerce (ICEC) Sept. 30 -
Oct. 3 at the Hilton Hotel in downtown Pittsburgh. It is the first
time this leading eBusiness research conference is being held in the
United States.
"ICEC provides an interdisciplinary forum where researchers and
practitioners can come together, present their latest findings, and
engage in discussions aimed at charting the future of this fascinating
and ever expanding area," said conference general chairman Norman
M. Sadeh, associate professor of computer science at Carnegie Mellon.
"Despite the doom and gloom of the post-bubble years," he said,
"e-Business innovation has not stopped. Adoption of electronic
business practices are continuing to rise and, with annual worldwide
transaction volumes poised to pass the trillion-dollar mark, it is
clear that e-Business is here to stay."
Sadeh cited the emergence of Web services, the mobile Internet, agent
technologies, wireless computing, automated trading and negotiation
techniques and P2P as just a few examples of technologies spawned by
this new way of doing business. Unlike more specialized conferences,
ICEC2003 will include tracks in technology, management, and law and
policy.
Keynote speakers include:
Glen Meakem, founder and chairman of Pittsburgh-based Freemarkets,
Inc. speaking on the Global Supply Management Revolution;
Jeffrey B. Ritter, partner, Kirkpatrick and Lockhart, LLP, speaking on
Defining Systems Law;
James A. Hendler, professor of computer science, University of
Maryland, speaking on Dynamic Service Choreography on the Web.
David J. Farber, Carnegie Mellon distinguished career professor of
computer science and public policy, speaking on Digital Rights
Management: Nightmare or Blessing.
The conference will also feature paper presentations and panels,
including a plenary panel discussion on Next Generation Search
Infrastructure for e-Commerce, chaired by Carnegie Mellon Computer
Science Professor Jaime Carbonell, a panel on the ML Rule Initiative,
chaired by Said Tabet, and a third on The New Supply Chain Trading
Agent Competition, chaired by North Carolina State University
Assistant Professor Peter Wurman.
For more details on ICEC2003, see: http://www.icec03.org
Cashing In With E-Payments
From: Lynn Wheeler
Date: 09/18/2003 06:38 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Cashing In With E-Payments
http://www.techweb.com/tech/ebiz/20030918_ebiz
Cashing In With E-Payments
By Don St. John
Like everything else in the Internet era, the hype preceded the
reality. But as with so many other sectors plodding along regardless
of bubble or burst, e-payments both at the business-to-business and
consumer levels are slowly but steadily taking hold as everyone
becomes used to the idea.
... snip ...
ID Theft Often Goes Unrecognized
From: Lynn Wheeler
Date: 09/24/2003 07:43 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: ID Theft Often Goes Unrecognized
http://www.internetnews.com/ec-news/article.php/3081881
September 24, 2003
Study: ID Theft Often Goes Unrecognized
By Mark Berniker
The theft of personal information has become an immense problem
particularly for individuals and companies. A new study claims that
many financial institutions are frequently mistaking credit losses,
not aware that identity theft is rampantly taking place.
ID Analytics Inc. performed the identity theft study, which involved
a number of major companies, including Citibank, Dell Computer and
Bank of America.
In the study of 200 million new credit cards, checking account and
cell phone accounts that were opened in 2001, seven out of eight
identity thefts were incorrectly categorized as simple credit losses
by lenders.
..snip..
End of the line for Ireland's dotcom star
From: Lynn Wheeler
Date: 09/24/2003 10:07 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: End of the line for Ireland's dotcom star
part of thread on subject in cryptography mailing list:
https://www.garlic.com/~lynn/aadsm15.htm#16 End of the line for Ireland's dotcom star
also:
http://theregister.co.uk/content/55/32954.html Baltimore sells 'crown jewels'
..
http://www.guardian.co.uk/print/0,3858,4759214-103676,00.html
End of the line for Ireland's dotcom star
Software firm saw boom and bust; now the core business is sold
Geoff Gibbs
Tuesday September 23, 2003
The Guardian
Baltimore Technologies, the Irish software concern whose spectacular rise
and fall epitomised the boom and bust of the dotcom era, reduced itself to
little more than a cash shell yesterday by selling off the core business on
which its fortunes were founded.
The internet security company, which failed to find a buyer after putting
itself up for sale this year, said it was selling its loss-making public
key infrastructure, or PKI, operation to the American-controlled business
beTRUSTed for £5m.
... snip ...
Internet Fraud & Attacks on the rise
From: Lynn Wheeler
Date: 10/14/2003 12:33 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Internet Fraud & Attacks on the rise.
Study: Internet fraud and attacks rise in tandem
The number of security incidents almost doubled between May and August
of this year
http://www.computerworld.com/securitytopics/security/story/0,10801,86025,00.html?SKC=security-86025
... snip ...
Verisign sees Internet fraud and attacks rise in tandem
Almost one in 16 transactions are attempts at fraud, company estimates
http://www.infoworld.com/article/03/10/14/HNfraud_1.html
... snip ...
Microsoft, Sterling Aid SWIFT Users
From: Lynn Wheeler
Date: 10/20/2003 08:30 PM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Microsoft, Sterling Aid SWIFT Users
http://www.eweek.com/article2/0,4149,1358167,00.asp
Microsoft, Sterling Aid SWIFT Users
By Renee Boucher Ferguson
October 20, 2003
Microsoft Corp. and Sterling Commerce Inc. both are offering banks and
financial services companies new connectivity and messaging options
when using the Society for Worldwide Interbank Financial
Telecommunications' SWIFTNet network.
Microsoft, at the Sibos 2003 conference in Singapore on Monday,
announced its BizTalk Accelerator for SWIFT, which provides
integration with legacy systems through a fairly comprehensive set of
connectivity interfaces. The new Accelerator supports both FIN,
SWIFT's X.25-based store-and-forward financial messaging service, and
XML-based SWIFT messaging.
... snip ...
Retail wireless security: a few considerations
From: Lynn Wheeler
Date: 10/21/2003 08:56 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Retail wireless security: a few considerations
http://www.computeruser.com/articles/daily/8,10,1,1020,03.html
October 20, 2003
Retail wireless security: a few considerations
Wireless computing can make your retail operation run more smoothly and quickly.
By Ben Bradley
Retailers worldwide are making the move to wireless computing, both
for the flexibility it brings to in-store operations and the speed it
adds to business processes. Mobile platforms and wireless networks
allow retailers to complete transactions and authorizations while
collecting data from any location, at any time, with a variety of
devices. The information gathered from these wireless devices allows
retail managers at all levels to know sooner, decide smarter, and
respond faster when it comes to market opportunities and changing
customer preference. Today's independent retailers are facing
increased competition not only from their brick-and-mortar
competitors, but also from online services.
... snip ...
Citibank customers hit with e-mail scam
From: Lynn Wheeler
Date: 10/25/2003 08:43 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: Citibank customers hit with e-mail scam
http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,86453,00.html
Citibank customers hit with e-mail scam
The spoofed bank site is actually hosted by a company in Moscow
Story by Linda Rosencrance
OCTOBER 24, 2003 ( COMPUTERWORLD ) - Citibank customers are being
targeted by scam artists trying to get their confidential bank card
numbers. The scam is perpetrated via an e-mail that includes a link
that apparently directs users to a Citibank Web site, where they are
greeted with a pop-up box asking them for their full debit card
numbers, their personal identification numbers (PIN) and their
expiration dates.
... snip ...
DNS, yet again
From: Lynn Wheeler
Date: 10/25/2003 08:54 AM
To: epay@xxxxxxxx, internet-payments@xxxxxxxx
Subject: DNS, yet again
slightly related past reference:
https://www.garlic.com/~lynn/aepay11.htm#43 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
https://www.garlic.com/~lynn/aepay11.htm#45 Mockapetris agrees w/Lynn on DNS security - (April Fool's day??)
and some more recent threads:
https://www.garlic.com/~lynn/aadsm15.htm#4 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#7 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#8 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#9 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#10 Is cryptography where security took the wrong branch?
https://www.garlic.com/~lynn/aadsm15.htm#11 Resolving an identifier into a meaning
https://www.garlic.com/~lynn/aadsm15.htm#14 Resolving an identifier into a meaning
https://www.garlic.com/~lynn/aadsm15.htm#25 WYTM?
https://www.garlic.com/~lynn/aadsm15.htm#26 SSL, client certs, and MITM (was WYTM?)
https://www.garlic.com/~lynn/aadsm15.htm#27 SSL, client certs, and MITM (was WYTM?)
https://www.garlic.com/~lynn/aadsm15.htm#28 SSL, client certs, and MITM (was WYTM?)
https://www.garlic.com/~lynn/aadsm15.htm#29 SSL, client certs, and MITM (was WYTM?)
http://www.computerworld.com/securitytopics/security/story/0,10801,86457,00.html?SKC=security-86457
Q&A: DNS inventor Paul Mockapetris on Internet security
The critical DNS system is more robust at the top, he said
Story by Jaikumar Vijayan
OCTOBER 24, 2003 ( COMPUTERWORLD ) - Paul Mockapetris invented the
Internet's core Domain Name System (DNS), which is a highly
distributed hierarchical database that translates Web names into
Internet Protocol addresses, and vice versa. Without it, the Internet
as it's structured today wouldn't work. In an interview this week with
Computerworld, he talked about the state of the DNS a year after the
first distributed denial-of-service attack on the system (see story).
Why is DNS security such a concern? There was a cybersecurity report
that came out of the U.S. government that said the two biggest
security issues were DNS and BGP [Border Gateway Protocol]. Part of it
is that this is just the place where an attacker has the most
leverage. ... If you can get to control either the traffic lights or
change the street signs, you can create chaos on the road system.
... snip ...