SCA and SSCA

We’re seeing a lot about strong customer authentication (SCA) at the moment because of the requirement of the Second Payment Services Directive (PSD2) that comes into force next week on Black Friday (Friday 13th September). That’s because there’s a lot of fraud online, it’s getting worse and the strong authentication of people (in this case, online customers) is seen as being a way to tackle it. PSD2 demands SCA, and this means that European banks and Payment Service Providers (PSPs) have had to up their game.

Strong authentication, in this context, means “two factor authentication” (2FA). What 2FA means is that you must present two “factors” to demonstrate you are who you say you are. The three factors you can choose from are something you have, something you are and something you know (or, in my case, something I had, something I was and something I’ve forgotten). When you buy something in a shop, for example, you present a credit card (something you have) and put in a PIN (something you know). When you enter the country, you present something you have (a passport) and show your face (something you are). SCA is already being implemented by the UK banks, although in an unpredictable manner. Some banks send a code via their mobile banking app, some send a text, some allow you to choose e-mail instead, some will call a landline and some require the use of a card-reader dongle-thingy. As far as I can tell, none of them use a common app such as Microsoft Authenticator.

I’m actually quite surprised to see that some of them are still using text messaging to send a “one time password” (OTP) to customers for authentication. It’s not because, as the British newspapers were quick to point out, people who can’t get a mobile signal or don’t own a mobile phone face, as The Guardian put, it being “frozen out of internet shopping as banks are increasingly insisting that online payments are verified by text”. This is indeed a valid concern, but what I find most disturbing about this report is that anyone is verifying online payments, or indeed any other important online transaction, by insisting that they are authenticated by text messages! With the explosion of “smishing” (ie, phishing attacks via SMS) and the daily tales of account takeover, bitcoin theft and payment fraud carried out via SMS, you really do have to wonder why text messaging is still being used in this context.

This is hardly a new issue. More than a decade ago I wrote about the comments of Charles Brookson, then the head of the GSMA security group who, when talking about the use of SMS for financial services, made the point that SMS has, to all intents and purposes, no security whatsoever. Structurally, it has always seemed to me to be irresponsible for financial institutions to rely for security on something that is not secure and over which they have no control. Given the prevalence of smart phones, you would think that SMS would be long gone, but it is only now that German banks, for example, are giving up on SMS OTP in response to the PSD2 requirements for SCA.

How will this SMS-less strong authentication be implemented? For payments it will be through the new version of the scheme’s “Three Domain Security” (3DS). 3DS version 2 introduces “frictionless authentication” and will be the main card authentication method used to deliver SCA in Europe. It works by allowing retailers and their PSP to send many more data elements with each transaction. These data elements – such as the shipping address, customer’s device identity and their transaction history – mean that the issuer can carry out more sophisticated risk management.to decide whether SCA is needed or not. In most cases, I would guess (since the issuers will use sophisticated risk management platforms with machine learning and all that sort of thing), no further authentication will be needed. But where it will be needed, Barclaycard (for example) can send a message to the Barclaycard app on my phone and ask me to authenticate myself.

(As it happens, Barclaycard have just sent me another “PINsentry” card reader together with an instructional pamphlet, so I will make every effort to use my Barclaycard online just so I can see how it works. Of course it means I’ll will have to carry the card reader and my Barclaycard around with me at all times in case I want to buy something online, but remember I do this so you don’t have to.)

Barclaycard PSD2 SCA 2FA

In my opinion, the best way forward now is through the bank apps themselves. Google found in their research on authentication for account recovery that whereas 2FA SMS stopped three-quarters of targeted attacks, in-app solutions stopped 90% (and 99% of bulk phishing attacks). It would be good if this approach was adopted across the board – not only for retail payments but for logging in to bank accounts, authorising transfers and everything else. But if customers get mixed up between expecting an e-mail or getting a text, seeing an in-app message sometimes but not other times, then fraudsters will be quick to exploit the situation. In which case (as I suspect) the introduction of strong authentication will actually leader to more fraud. We need both a better and more consistent approach to authentication for financial services. We need to standardise on the approach and the execution and the UX so that consumers can be confident that they are communicating with their bank or whoever.

Standard Strong Customer Authentication

My Consult Hyperion colleague Tim Richards recently set out this problem in a very clear way [The Paypers, 27th August 2019]. He asks us to imagine what would have happened if SCA had been mandated for face-to-face commerce but, as with PSD2, no technological solution was provided. In that case, instead of our EMV-standard chip and PIN payment system we would have had each bank creating its own solution. Then, as has happened online, every time a consumer went into a shop to buy something they would face a different authentication depending on their bank! Tim’s good advice is that regulators need to take a step back, “temporarily drop anti-competition laws and insist that banks come up with a minimum standard for SCA” to support growth in online commerce that is accompanied by real security because customers know what to expect and retailers aren’t disadvantaged by variable SCA experiences leading to cart abandonment.

He’s right, of course. And it terms of implementation it has long been clear that the best architecture for what I am now labelling Standard Strong Customer Authentication (or SSCA) is biometric authentication against a revocable token stored in tamper-resistant local storage. We all carry a device capable of implementing this design at a manageable cost: the mobile phone.

(As an aside, since the mobile phone operators control a standard item of tamper-resistant hardware in all phones — the SIM — why we are not all using a standard authentication from our mobile operators already is a mystery, but that’s a different point and I don’t want to get diverted by Mobile ID Connect here.)

This point is that with really strong authentication, your bank shouldn’t be sending you a text message or an e-mail or whatever, it should be using real cryptography to send a message to the bank app on your mobile phone. So, when you ty to buy something online with your Barclaycard your Barclaycard app pops up on your phone and asks you to authenticate.

If the bank (or anyone else) cannot reach the mobile app then there should be a standard fallback across all service providers which would probably be a voice call thus opening up the use of voice recognition and authentication. And if you are online buying something or transferring money to someone or closing an account and you can’t be reached via the mobile app or by a voice call well… then what are you doing buying things online in the first place?

Surely this is the most practical way forward now that the Financial Conduct Authority (FCA) has confirmed that it will not take enforcement action against businesses who do not implement SCA until March 2021, there is now some time to prepare a mobile-centric SSCA pathway for UK banks and businesses.

Signatures, Sergio and standardising the payment experience

According to The Daily Telegraph, “written signatures are dying out amid a digital revolution”. I’m going to miss them. Of course I know that when it comes to making a retail transaction, my signature is utterly unimportant. This is why transactions work perfectly well when I either do not give a signature (for contactless transactions up to £30 in the UK, for example, or for no-signature swipe transactions in the US) or give a completely pointless signature as I do for almost all US transactions.

“Fears are growing that this is potentially leaving people open to the risk of identity theft and fraud as their signatures are more easily imitated.”

From “Traditional signatures are dying out amid digital revolution”.

If I do have to provide a signature, then for security purposes I never give my own signature and for many years have always signed in the name of my favourite South American footballer who plays for Manchester City. Now it turns out that this is sound legal advice, since according to Gary Rycroft, a solicitor at  Joseph A. Jones & Co. it is an increasing problem that people people order things online but sometimes they do not show up so to acknowledge receiving something “I always sign my initials, for example, so I could prove if it wasn’t me” (because, presumably, a criminal would try to fake Gary’s signature).

Untitled

Now the issue of signatures and the general use of them to authenticate customers for credit card transactions in the US has long been a source of amusement and anecdote. I am as guilty as everybody else is using the US retail purchasing experience to poke fun at the infrastructure there (with some justification, since as everybody knows the US is responsible for about a quarter of the world’s card transactions but half of the world’s card fraud) but I’ve also used it to illustrate some more general points about identity and authentication. My old friend Brett King wrote a great piece about signatures a few years ago in which he also made a more general point about authentication mechanisms for the 21st-century, referring to a UN/ICAO commissioned survey on the use of signatures in passports. A number of countries (including the UK) recommended phasing out theme-honoured practice because it was no longer deemed of practical use.

Well, signatures have gone the way of all things. In April, the US schemes stopped requiring signatures.

They were sort of defunct anyway. According to the New York Times, Walmart considers signatures “worthless” and has already stopped recording them on most transactions. Target has stopped using them too. I completely understand why, but to be honest I think I’ll miss signing for purchases in America.

Money 2020 Signature

No more signing Sergio Aquero for US credit card transactions, hello to signing Sergio Aquero for the Amazon lady who calls at my house with monotonous regularity.

If you are interested in the topic of signatures at all, there was a brilliant NPR Planet Money Podcast (Episode number 564) on the topic of signatures for payment card transactions a couple of years ago, in which the presenters asked why were we still using this pointless authentication technique.

Ronald Mann (the Colombia law professor interviewed for the show) noted that card signatures are not really about security at all but about distributing liabilities for fraudulent transactions and called signatures “eccentric relics”, a phrase I love. His point was that the system doesn’t really care whether I sign my transaction Dave Birch or Sergio Aquero: all it cares is that it can send the chargeback the right way (bank or merchant, essentially) when it comes in.

In addition to the law professor, NPR also asked a Talmudic scholar about signatures.

(The Talmud is the written version of the Jewish oral law and the rabbinic commentary on it that was completed in its current form some time in the fifth century. There are two parts to it: the oral law itself, which is known as the Mishnah, and the record of the rabbis arguing about it and what it meant, which is known as the Gemara.)

The scholar made a very interesting point about the use of these eccentric relics when he was talking about the signatures that are attached to the Jewish marriage contract, the Ketubah. He pointed out that it is the signatures of the witnesses that have the critical function, not the signatures of the participants, because of their role in dispute resolution. In the event of dispute, the signatures were used to track down the witnesses so that they can attest as to the ceremony taking place and as to who the participants were. This is echoed in that Telegraph article, where it notes that the use of signatures will continue for important documents such as wills, where a witness is required.

(The NPR show narrator made a good point about this, which is that it might make more sense for the coffee shop to get the signature of the person behind you in the line than yours, since yours is essentially ceremonial whereas the one of the person behind you has that Talmudic forensic function.)

The Talmudic scholar also mentioned in passing that according to the commentaries on the text, the wise men from 20 centuries ago also decided that all transactions deserved the same protection. It doesn’t matter whether it’s a penny or £1000, the transaction should still be witnessed in such a way as to provide the appropriate levels of protection to the participants. Predating PSD2 by some time, the Talmud says that every purchase is important and requires strong authentication.

So, my interpretation of the Talmud is that it is goodbye to contactless and goodbye to stripe and goodbye to chip and PIN and hello to strong authentication (which may be passive or active) and secure elements: we have the prospect of a common payment experience in store, on the web and in-app: you click “pay” and if it’s for a couple of quid the phone will just figure hey it’s you and authenticate, if it’s for a few quid your phone will ask you to confirm and can use your finger or your face and then if it’s for a few million quid you’ll get a callback for voice recognition and a retinal scan. The same purchase experience for everything: the cup of coffee and the pair of shoes and the plane ticket. It turns out that once again we can go back to the future in the design of our next retail payments system.

Brazil? Ah, I get it…

I was as alarmed as I am sure all of you were to read a story in Computing telling how EMV cards could be cloned with malware. Now, as you might imagine, were this to be true it would be a matter of the highest priority in the world of card issuers. If EMV cards could be cloned (spoiler alert: they can’t) then the whole world of payment cards would collapse. Since my I spend some of my time in that world, yet hadn’t heard anything about this catastrophic turn of events, I was naturally curious as to the accuracy of the report. Delving further into the “news” story, I found the interesting qualification that the fake cards work “on virtually any Brazilian POS system”.

Brazilian POS systems? What? Ah, wait… Now I know that they are talking about. Sadly, this yonks old hack won’t work in most places any more. But it does work in a few remaining places, and Brazil is one of them. Why? Well because Latin America, an early adopter of EMV, is still heavily reliant on “static data authentication chips”, which allow the criminals exploiting them to create usable new chip cards with the data that they can extract.

Thus problem isn’t that “EMV cards” can be cloned. They can’t. The problem is the use of Static Data Authentication (SDA) in EMV. We all knew about this many years ago. In fact, although lots of people knew about this, at the time we thought it would have been irresponsible to blog about it, so I put it to one side until stimulated by an enquiry from Brazil, I finally wrote about it back in 2014, explaining in detail what the problem was, how it was fixed and why it was no longer a worry.

So, no need to panic. Having put your mind at rest (unless you are a Brazilian card issuer, in which case my colleagues at Consult Hyperion stand ready to answer your call) I cannot resist re-telling the story that explains what the “malware” does…

Many years ago, when my colleague at Consult Hyperion were testing SDA cards in the UK, we used to make our own EMV cards. To do this, we essentially we took valid card data and loaded it onto our own Java cards. These are what we in the business call “white plastic”, because they are a white plastic card with a chip on it but otherwise completely blank. Since our white plastic do-it-yourself EMV cards could not generate the correct cryptogram (because you can’t get the necessary key out of the chip on the real card, which is why you can’t make clones of EMV cards), we just set the cryptogram value to be “SDA ANTICS” or whatever (in hex). This is what the criminals referred to in the story are doing. Now, if the card issuer is checking the cryptograms properly, they will spot the invalid cryptogram and reject the transaction. But if they are not checking the cryptograms, then the transaction will go through.

Untitled

You might call these cards pseudo-clones. They act like clones in that they work correctly in the terminals, but they are not real clones because they don’t have the right keys inside them. Naturally, if you make one of these pseudo-clones, you don’t want to be bothered with PIN management so you make it into what is called a “yes card” – instead of programming the chip to check that the correct PIN is entered, you programme it to respond “yes” to whatever PIN is entered.

We used these pseudo-clone cards in a number of shops in Guildford as part of our testing processes to make sure that issuers were checking the cryptograms properly. Not once did any of the Guildford shopkeepers bat an eyelid about us putting these strange blank white cards into their terminals. But I heard a different story from a Brazilian contact. He discovered that a Brazilian bank was issuing SDA cards and he wanted to find out whether the bank was actually checking cryptograms properly (they weren’t). In order to determine this he made a white plastic pseudo-clone card and went into a shop to try it out.

Untitled

When he put the completely white card into the terminal, the Brazilian shopkeeper stopped him and asked him what he was doing and what this completely blank white card was, clearly suspecting some misbehaviour.

The guy, thinking quickly, told him that it was one of the new Apple credit cards!

Cool” said the shopkeeper, “How can I get one?”.

Voter ID is back, and this time it’s in Woking

Well, Woking is in the news. It is going to be part of a pilot scheme at the forefront of the UK’s non-existent identity non-strategy to not introduce a working digital identity infrastructure to our great nation at any time in the foreseeable future The government has decided that voters in five areas in England will be asked to take identification to polling stations at local elections next year, and Woking is one of those areas. The report doesn’t mention just how the entitlement to vote is to be established but we already know what array of high technology machine learning AI super intelligent giant killer robot world brain quantum neuro-computing systems are to be deployed, because local authorities will be invited to apply to trial different types of identification, including forms of photo ID such as driving licences and passports, or formal correspondence such as a utilities bill.

Wait, what? It’s pointless enough showing a trivially counterfeitable physical identity document to someone who can’t verify it anyway, but come on… a utilities bill? That’s where we are in 2017 in the fifth richest country in the world? In Scott Corfe’s recent Social Market Foundation report A Verifiable Success—The future of identity in the UK he highlighted what he calls the “democratic opportunity” for electronic identity verification to facilitate internet voting thereby increasing civic engagement. Well, I agree. But that’s a long way from showing a gas bill to a polling station volunteer.

(And what does ‘local authorities will be invited to apply’ really mean anyway?  They’ve already been ‘invited’ to adopt the national Gov.UK Verify identity service. Very few did, and fewer still continue, so five might be ambitious. And where they do, are we disenfranchising voters who don’t feel like forging documents if they don’t come from the mainstream demographic — a point also made in the SMF report — thus distorting the outcomes).  

Now, I’ve written before that I am in favour of electronic voting of some kind but I’m very much against internet voting, because I think that in a functioning democracy voting must remain a public act and if it is allowed in certain remote conditions then we cannot be sure that a voter’s ballot is either secret or uncoerced. I think it is possible to imagine services where trusted third parties or electoral observers of some kind use mobile phones to go out and allow the infirm or otherwise housebound to vote, but that’s not the same thing as just allowing people to vote using mobile phones. I think internet voting is a really bad idea, but I take Scott’s point about the need for digital identity. However, since we don’t have one and I don’t see any prospect of Government producing a robust one in the foreseeable future, we’re stuck with gas bills until someone gets to grip with issue.

(I should explain here for any baffled overseas readers of this blog that the United Kingdom has no national identification scheme or identity card or any other such symbol of continental tyranny, so our gold standard identity document is the gas bill. The gas bill is a uniquely trusted document, and the obvious choice for a government concerned about fraud. By the way, if for some reason you do not have a gas bill to attest to your suitability for some purpose or other, you can buy one here for theatrical or novelty use only.)

Woking Polling Station

Why is it that the government never ask me about this sort of thing? Since they don’t have an identity infrastructure, why don’t they use other people’s? I would have thought that for a great majority of the population, especially the more transient and younger portion of the electorate (e.g., my sons) social media would provide a far better means to manage this entitlement. I’ve written before that I judge it to be far harder to forge a plausible Facebook profile than a plausible gas bill, so if I turn up at the polling station and log in to the Facebook profile for David Birch (if there is a Facebook profile for a David Birch, incidentally, I can assure you that it isn’t me) then they may as well let me vote.

None of this will make the slightest difference to the central problem, of course, because the main source of electoral fraud in the UK is not personation at the polling station but fraudulently-completed postal ballots, a situation that led one British judge to call it “a system that would disgrace a banana republic”. Indeed, this is precisely what has been going on in my own dear Woking, where four people were jailed recently for electoral fraud. As far as I can understand it from reading the various reports, including the source reports on electoral fraud in the UK, the main problem is that postal votes are being completed by third parties, sometimes in bulk. No proof of identity is going to make any difference to this and so long as we allow people to continue voting by post I can’t see how the situation will improve. So: it is not beyond the wit of man to come up with alternatives to the postal vote. But that’s not what is being proposed. The UK government is not currently proposing an app or any other kind of electronic voting here, it is merely proposing to add a basic test of entitlement at the ballot box.

When this scheme was originally announced, the minister in charge of voting (Chris Skidmore) was quoted by the BBC as saying that “in many transactions you need a proof of ID” which is not, strictly speaking, true. In almost all transactions that we  take part in on a daily basis we are not proving our identity, we are proving that we are authorised to do something whether it is to charge money to a line of credit in a shop, ride a bus or open the door to an office. In these cases we are using ID as a proxy because we don’t have a proper infrastructure in place for allowing us to keep our identities safely under lock and key while we go about our business.

If we are to implement the kind of electronic identity verification envisaged by the Social Market Foundation, then what you should really be presenting at the polling station is an anonymised entitlement to vote that you can authenticate your right to use. It is nobody at the polling station’s business who you are and, in common with many other circumstances, if you are required to present your identity to enable a transaction then we have created another place where identity can be stolen from. The real solution is, of course, not about using gas bills or indeed special-purpose election ID cards, but about introducing a general-purpose National Entitlement Scheme (NES). If memory serves, I think this is what my colleagues at Consult Hyperion and I first proposed in response to a government consultation paper on a national identity scheme a couple of decades ago. Oh well.