Stu w25 a

Page 1

Session ID: STU-W25A
Session Classification: Intermediate

Paul Simmonds, Co-founder & Board of Management, Jericho Forum

Sorry? Who Did You Say You Were?
Exploiting Identity for Fun and Profit

Page 2

Ever had one of those days?

Page 3

Ever had one of those days?

“Hello, my name is Clive from Microsoft, we’ve identified a problem with your computer”

“Why do I need to install this software?”

“Sorry? Why do you need my credit card number?”

Page 4

SPAM

Jan. 24, 2004, World Economic Forum. Bill Gates: "two years from now, spam will be solved."

Page 5

Global SPAM rates since 2006

Source: Symantec Intelligence Report: November 2012

Page 6

CNP Fraud costs $21bn / year*

Card Not Present Fraud

* Estimated from:
• $10 Trillion global Credit Card transactions
• Amex, Discover, MasterCard, Visa will process more than $10 Trillion in payments in 2012
• Approx 3% of CC transactions are Internet
• Approx 7% CNP Fraud
Source: http://www.executiveboard.com/towergroup-blog/card-not-present-fraud-rising-problem-lagging-solution/

Page 7

Follow the money

Because it’s easy to pretend to be someone else

Page 8

Identifying an Entity

There is no good, standard way for entities to assert their identity

Page 9

Entities

Users, Devices, Organizations, Code, Agents

Page 10

Identity on the Internet

Peter Steiner, July 5, 1993 issue of The New Yorker (Vol. 69 (LXIX) no. 20)

Page 11

Concerns When Selling Internationally

Source: LexisNexis® 2012 True Cost of Fraud

Page 12

Because people use faces

Page 13

Because people use faces

Page 14

Humans use facial recognition

“Good to see you”
“It’s nice to finally meet you”
“They are two-faced”
“Put on a brave face”
“One face for the world”
“Go out and face them tomorrow. I will be with you”*
“Put your cards face up”

* Bible: 2 Chronicles 20:17

Page 15

Extending to the Internet

There is no good, standard way for entities to assert identity on the Internet

Page 16

Passwords are dead

Page 17

More Secure?

My Password 162738

Page 18

Less Risk?

Limited to lower-value transactions: less than €20 (or a local equivalent)
Above that, normal chip and PIN

“Visa payWave means you may never be short changed again. Instead, payment instructions are securely exchanged between the card and the terminal using the highest level of cryptography.”*

* http://www.visaeurope.com/en/cardholders/visa_paywave/benefits.aspx

Page 19

The flaw in the machine . . .

“If you put tomfoolery in a computer nothing comes out but tomfoolery. But this tomfoolery, having passed through a very expensive machine, is somehow ennobled and none dare criticize it.”

Pierre Gallois

Page 20

The problem?

Who is using the token?

Page 21

If the foundation is not solid....

Photo Credit: Michael Halminski

Page 22

Only as good as its weakest link

Page 23

How do we fix this?

• Architect it to operate as people operate
• Assert the binding between device and entity
• Design for Personas
• Immutable Binding

Page 24

One entity, multiple Personas

Village / Town

Page 25

Immutable Binding

Core Identity to Core Identifier: immutable binding
• Can assert binding to enable trust
• Anonymity of entity guaranteed
• Issuer assures binding
• Binding biometric only on the device

Page 26

Personas limit attribute aggregation

Page 27

Operating with Personas

My Core Identity, immutably bound to My Core Identifier

Personas: Banking Persona, Voting Persona, Anonymous Persona, Employee Persona, Citizen Persona
Identifiers: Bank Identifier, Government Identifier, Employer Identifier

Trust labels: Trusted Persona with trusted attributes; Trusted anonymous persona, no personal attributes (Reputational Trust Only)

Legend: Immutable; Linking indicates one-way trust

Page 28

Multiple (tied) Assertions

Core Identity (Core Identifier): immutable binding of Core Identifier to an Entity

Personas and their identifiers:
• Citizen / Address Persona with Identifier (Government Identifier, Local authority Identifier)
• Credit Card Persona with Identifier (VISA Identifier)
• eCommerce Persona with Identifier (Amazon Identifier)

High Value Transaction (high risk transaction)
Purchase: 62in OLED screen @ $60,000

Assertions:
Assert: This is my Amazon account
Assert: This is my delivery address
Assert: This is my Visa payment reference
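The slides on Immutable Binding, Personas limiting attribute aggregation, and Multiple (tied) Assertions describe an architecture without showing mechanics. The following is an added illustration, not code from the talk or from the Jericho Forum: one core secret held on the device, a distinct identifier and key derived for each persona so that two relying parties cannot join their records on a shared value, and three assertions bound to one transaction identifier that a verifier accepts only as a complete, consistent set. The persona names, claim strings, the transaction id and the assumption that each relying party learns the persona's key at enrolment are constructed for the example; a real design would have each identifier issuer sign its own assertion rather than share an HMAC key.

```python
"""Added illustration: per-persona identifiers derived from one core secret,
and assertions tied together by a transaction id. All names, keys and claim
values are constructed for the example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Assertion:
    persona_id: str  # the identifier this relying party knows the persona by
    claim: str       # "<type>:<value>", e.g. "amazon-account:acct-123"
    txn_id: str      # ties the assertion to exactly one transaction
    tag: str         # HMAC-SHA256 over persona_id, claim and txn_id


def _tag(key: bytes, persona_id: str, claim: str, txn_id: str) -> str:
    msg = "\x1f".join((persona_id, claim, txn_id)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CoreIdentity:
    """Device-side core identity. The core secret never leaves the device;
    relying parties only ever see per-persona material derived from it."""

    def __init__(self, core_secret: Optional[bytes] = None) -> None:
        self._core_secret = core_secret or secrets.token_bytes(32)

    def persona_id(self, persona: str) -> str:
        # One-way derivation: the banking and the e-commerce relying parties
        # hold unrelated identifiers, which is what limits attribute aggregation.
        return hmac.new(self._core_secret, b"id:" + persona.encode(),
                        hashlib.sha256).hexdigest()[:32]

    def persona_key(self, persona: str) -> bytes:
        # Separate key per persona, shared with that relying party at
        # enrolment (constructed simplification for this example).
        return hmac.new(self._core_secret, b"key:" + persona.encode(),
                        hashlib.sha256).digest()

    def assert_claim(self, persona: str, claim: str, txn_id: str) -> Assertion:
        pid = self.persona_id(persona)
        return Assertion(pid, claim, txn_id,
                         _tag(self.persona_key(persona), pid, claim, txn_id))


def verify_tied(assertions: Iterable[Assertion], known_keys: Dict[str, bytes],
                txn_id: str, required_claims: Iterable[str]) -> bool:
    """Accept a high-value transaction only if every required claim type is
    present, every assertion is bound to this transaction, and every tag
    verifies under the key enrolled for that persona identifier."""
    seen = set()
    for a in assertions:
        key = known_keys.get(a.persona_id)
        if key is None or a.txn_id != txn_id:
            return False
        if not hmac.compare_digest(a.tag, _tag(key, a.persona_id, a.claim, a.txn_id)):
            return False
        seen.add(a.claim.split(":", 1)[0])
    return set(required_claims) <= seen


def demo() -> bool:
    """The slide's $60,000 purchase: account, address and payment reference
    asserted by three different personas, all tied to one transaction."""
    me = CoreIdentity(b"constructed-core-secret-for-demo")
    # Enrolment: each relying party learns one persona id and its key, nothing more.
    known_keys = {me.persona_id(p): me.persona_key(p)
                  for p in ("ecommerce", "citizen", "creditcard")}
    txn = "txn-0001"
    bundle = [
        me.assert_claim("ecommerce", "amazon-account:acct-123", txn),
        me.assert_claim("citizen", "delivery-address:addr-456", txn),
        me.assert_claim("creditcard", "visa-payment-ref:ref-789", txn),
    ]
    return verify_tied(bundle, known_keys, txn,
                       ("amazon-account", "delivery-address", "visa-payment-ref"))


if __name__ == "__main__":
    print("tied assertions accepted:", demo())
```

The verifier fails closed: an assertion for a different transaction, a missing claim, or an altered claim value all yield a rejection, while a persona identifier on its own reveals nothing about the core identifier or about the same entity's other personas.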

Page 29

Distributed Personas are Good

Page 30

“Super Repositories” are Bad

Page 31

Entitlement

Making a risk-based decision about access to data and/or systems, based on the trusted identity and attributes of all the entities and components in the transaction chain

Page 32

Entitlement

Inputs: Identity Source #1, Identity Source #2, Attribute Source #1, Attribute Source #3
Entitlement Rules; Entitlement Process; Authorization
Access Management: Network Access, System Access, Application Access, Process Access, Data Access

Source: Cloud Security Alliance: Guidelines v3.0

Page 33

Trust in the foundation

The trust comes from being able to assert the “immutable binding” of the Entity (Core Identity) to the Core Identifier

Page 34

In conclusion – How it looks

Core Identifier, with personas: Banking Persona, E-Commerce Persona, Family Persona, Corporate Persona, Citizen Persona

Services: My Corporate, Personal Social Media, E Commerce Store, Citizen Services

“I’m Tom” / “No, I’m Tom” / “Drat... Foiled again”

Page 35

Global Identity Foundation
www.globalidentityfoundation.org

►Primacy
►Global Standard
►Open Standard
►Open Implementation
►Works Universally

Join us on “Global Identity Foundation”

Page 36

Jericho Forum Commandments
Jericho Forum Identity Commandments

Freely available at www.jerichoforum.org