Session ID: STU-W25A
Session Classification: Intermediate
Paul Simmonds, Co-founder & Board of Management, Jericho Forum
Sorry? Who Did You Say You Were?
Exploiting Identity for Fun and Profit
Ever had one of those days?
"Hello, my name is Clive from Microsoft, we've identified a problem with your computer."
"Why do I need to install this software?"
"Sorry?"
"Why do you need my credit card number?"
SPAM
Bill Gates, World Economic Forum, Jan. 24, 2004: "two years from now, spam will be solved."
Chart: Global SPAM rates since 2006
Source: Symantec Intelligence Report: November 2012
CNP (Card Not Present) Fraud costs $21bn / year*
* Estimated from:
- $10 Trillion global Credit Card transactions
- Amex, Discover, MasterCard, Visa will process more than $10 Trillion in payments in 2012
- Approx 3% of CC transactions are Internet
- Approx 7% CNP Fraud
Source: http://www.executiveboard.com/towergroup-blog/card-not-present-fraud-rising-problem-lagging-solution/
Follow the money
Because it's easy to pretend to be someone else.
There is no good, standard way for entities to assert their identity.
Identifying an Entity
Entities: Users, Devices, Organizations, Code, Agents
Peter Steiner, July 5, 1993 issue of The New Yorker, (Vol.69 (LXIX) no. 20)
Identity on the Internet
Concerns When Selling Internationally
Source: LexisNexis® 2012 True Cost of Fraud
Because people use faces
Humans use facial recognition:
"Good to see you"
"It's nice to finally meet you"
"They are two-faced"
"Put on a brave face"
"One face for the world"
"Go out and face them tomorrow. I will be with you"*
*Bible: 2 Chronicles 20:17
"Put your cards face up"
There is no good, standard way for entities to assert identity on the Internet.
Extending to the Internet
Passwords are dead
More Secure? My Password: 162738
Less Risk? Limited to lower-value transactions, less than €20 (or a local equivalent). Above that, normal chip and PIN.
"Visa payWave means you may never be short changed again. Instead, payment instructions are securely exchanged between the card and the terminal using the highest level of cryptography."*
* http://www.visaeurope.com/en/cardholders/visa_paywave/benefits.aspx
The flaw in the machine . . .
"If you put tomfoolery in a computer nothing comes out but tomfoolery. But this tomfoolery, having passed through a very expensive machine, is somehow ennobled and none dare criticize it."
Pierre Gallois
The problem? Who is using the token?
If the foundation is not solid....
Photo Credit: Michael Halminski
Only as good as its weakest link
How do we fix this?
Architect it to operate as people operate
Assert the binding between device and entity
Design for Personas
Immutable Binding
One entity, multiple Personas (diagram labels: Village, Town)
Immutable Binding
Core Identity, Core Identifier, Immutable binding
Can assert binding to enable trust
Anonymity of entity guaranteed
Issuer assures binding
Binding biometric only on the device
Personas limit attribute aggregation
Operating with Personas (diagram labels)
My Core Identity / My Core Identifier
Personas: Banking Persona, Voting Persona, Anonymous Persona, Employee Persona, Citizen Persona
Identifiers: Government Identifier, Employer Identifier, Bank Identifier
Key: Reputational Trust Only; Immutable; Linking indicates one-way trust
Trusted Persona with trusted attributes (Banking, Employee, Citizen)
Trusted anonymous persona - no personal attributes
Core Identity (Core Identifier): Immutable binding of Core Identifier to an Entity
Government Identifier, Local authority Identifier: Citizen / Address Persona with Identifier
VISA Identifier: Credit Card Persona with Identifier
High Value Transaction (high risk transaction)
Purchase: 62in OLED screen @ $60,000
Assertions:
- Assert: This is my Amazon account (eCommerce Persona with Identifier; Amazon Identifier)
- Assert: This is my delivery address
- Assert: This is my Visa payment reference
Multiple (tied) Assertions
Distributed Personas are Good
“Super Repositories” are Bad
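The persona model sketched above (one-way linking from a core identifier, personas that limit attribute aggregation, and several assertions tied to one high-value purchase) modelled as an added example; this is not the Jericho Forum's code or design, and the HMAC-based derivation, the shared-secret enrolment and the merged registry dict (standing in for three separate issuers) are assumptions made for a runnable demo.

```python
import hmac, hashlib, json

# Constructed example: the core secret stands in for the device-held
# immutable binding (the deck binds it biometrically, on the device only).
CORE_SECRET = b"constructed-core-secret-held-only-on-device"

def derive_persona(core_secret: bytes, persona: str) -> dict:
    """One-way derivation of a persona identifier and key from the core.
    Holding one persona's id/key reveals neither the core identifier nor
    any other persona, so a relying party cannot aggregate attributes."""
    pid = hmac.new(core_secret, b"id:" + persona.encode(), hashlib.sha256).hexdigest()[:16]
    key = hmac.new(core_secret, b"key:" + persona.encode(), hashlib.sha256).digest()
    return {"persona": persona, "id": pid, "key": key}

def _payload(pid: str, txn_id: str, claim: str) -> bytes:
    # Canonical encoding so signer and verifier MAC identical bytes.
    return json.dumps({"pid": pid, "txn": txn_id, "claim": claim}, sort_keys=True).encode()

def make_assertion(p: dict, txn_id: str, claim: str) -> dict:
    """A claim tied to exactly one transaction and authenticated with the persona key."""
    tag = hmac.new(p["key"], _payload(p["id"], txn_id, claim), hashlib.sha256).hexdigest()
    return {"pid": p["id"], "txn": txn_id, "claim": claim, "tag": tag}

def verify_tied_assertions(registry: dict, assertions: list, txn_id: str) -> bool:
    """Relying-party check: each assertion verifies under the key enrolled for
    its persona id, and every assertion is tied to this same transaction."""
    for a in assertions:
        key = registry.get(a["pid"])
        if key is None or a["txn"] != txn_id:
            return False
        expected = hmac.new(key, _payload(a["pid"], a["txn"], a["claim"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["tag"]):
            return False
    return True

# Personas involved in the deck's high-value purchase.
ECOM = derive_persona(CORE_SECRET, "ecommerce")
ADDR = derive_persona(CORE_SECRET, "citizen-address")
CARD = derive_persona(CORE_SECRET, "credit-card")
# Assumption: each persona is enrolled with its own issuer; merged here only for the demo.
REGISTRY = {p["id"]: p["key"] for p in (ECOM, ADDR, CARD)}

TXN = "txn-constructed-0001"  # Purchase: 62in OLED screen @ $60,000
ASSERTIONS = [
    make_assertion(ECOM, TXN, "This is my Amazon account"),
    make_assertion(ADDR, TXN, "This is my delivery address"),
    make_assertion(CARD, TXN, "This is my Visa payment reference"),
]
```

Replaying one assertion against a different transaction, or altering its claim, fails verification because the transaction id and claim are inside the authenticated payload.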
Making a risk-based decision about access to data and/or systems, based on the trusted identity and attributes of all the entities and components in the transaction chain.
Entitlement (diagram)
Identity Source #1, Identity Source #2, Attribute Source #1, Attribute Source #3
Access Management: Network Access, System Access, Application Access, Process Access, Data Access
Authorization, Entitlement Rules, Entitlement Process
Source: Cloud Security Alliance: Guidelines v3.0
Entitlement
The trust comes from being able to assert the "immutable binding" of the Entity (Core Identity) to the Core Identifier.
Trust in the foundation
In conclusion – How it looks
Core Identifier
Personas: Banking Persona, E-Commerce Persona, Family Persona, Corporate Persona, Citizen Persona
Relying parties: My Corporate, Personal Social Media, E Commerce Store, Citizen Services
"I'm Tom" / "No, I'm Tom" / "Drat... Foiled again"
Global Identity Foundation
www.globalidentityfoundation.org
► Primacy
► Global Standard
► Open Standard
► Open Implementation
► Works Universally
Join us on "Global Identity Foundation"
Jericho Forum Commandments
Jericho Forum Identity Commandments
Freely available at www.jerichoforum.org