Slide 1
Sorry? Who Did You Say You Were? Exploiting Identity for Fun and Profit
Paul Simmonds, Co-founder & Board of Management, Jericho Forum
Session ID: STU-W25A
Session Classification: Intermediate
Slide 2
Ever had one of those days?

Slide 3
"Hello, my name is Clive from Microsoft, we've identified a problem with your computer."
"Why do I need to install this software?"
"Sorry?"
"Why do you need my credit card number?"
Slide 4
SPAM
Bill Gates, World Economic Forum, Jan. 24, 2004: "two years from now, spam will be solved."
Slide 5
Global SPAM rates since 2006
Source: Symantec Intelligence Report: November 2012
Slide 6
Card Not Present (CNP) Fraud costs $21bn / year*
* Estimated from: Amex, Discover, MasterCard and Visa will process more than $10 trillion in credit card payments in 2012; approx. 3% of credit card transactions are Internet transactions; approx. 7% of those are CNP fraud ($10tn × 3% × 7% ≈ $21bn). Source: http://www.executiveboard.com/towergroup-blog/card-not-present-fraud-rising-problem-lagging-solution/
Slide 7
Follow the money
Because it's easy to pretend to be someone else
Slide 8
Identifying an Entity
There is no good, standard way for entities to assert their identity
Slide 9
Entities: Users, Devices, Organizations, Code, Agents
Slide 10
Identity on the Internet
Peter Steiner's cartoon ("On the Internet, nobody knows you're a dog"), July 5, 1993 issue of The New Yorker, Vol. 69 (LXIX) no. 20
Slide 11
Concerns When Selling Internationally
Source: LexisNexis® 2012 True Cost of Fraud
Slides 12 and 13
Because people use faces
Slide 14
Humans use facial recognition
• "Good to see you"
• "It's nice to finally meet you"
• "They are two-faced"
• "Put on a brave face"
• "One face for the world"
• "Go out and face them tomorrow. I will be with you"*
• "Put your cards face up"
* Bible: 2 Chronicles 20:17
Slide 15
Extending to the Internet
There is no good, standard way for entities to assert identity on the Internet
Slide 16
Passwords are dead
Slide 17
More Secure?
My Password: 162738
Slide 18
Less Risk?
Visa payWave (contactless) is limited to lower-value transactions: less than €20 (or a local equivalent). Above that, normal chip and PIN.
"Visa payWave means you may never be short changed again. Instead, payment instructions are securely exchanged between the card and the terminal using the highest level of cryptography."*
* http://www.visaeurope.com/en/cardholders/visa_paywave/benefits.aspx
Slide 19
The flaw in the machine . . .
"If you put tomfoolery in a computer nothing comes out but tomfoolery. But this tomfoolery, having passed through a very expensive machine, is somehow ennobled and none dare criticize it."
Pierre Gallois
Slide 20
The problem? Who is using the token?
Slide 21
If the foundation is not solid....
Photo Credit: Michael Halminski
Slide 22
Only as good as its weakest link
Slide 23
How do we fix this?
• Architect it to operate as people operate: design for Personas
• Assert the binding between device and entity: Immutable Binding
Slide 24
One entity, multiple Personas
Village / Town
Slide 25
Immutable Binding
Core Identity --(immutable binding)--> Core Identifier
• The entity can assert the binding to enable trust
• Anonymity of the entity is guaranteed
• The issuer assures the binding
• The binding biometric is held only on the device
Slide 26
Personas limit attribute aggregation
Slide 27
Operating with Personas
My Core Identity --(immutable binding)--> My Core Identifier
Personas linked to the Core Identifier:
• Banking Persona (Bank Identifier): trusted persona with trusted attributes
• Employee Persona (Employer Identifier): trusted persona with trusted attributes
• Citizen Persona and Voting Persona (Government Identifier): trusted persona with trusted attributes
• Anonymous Persona: trusted anonymous persona, no personal attributes, reputational trust only
Legend: "Immutable" marks the core binding; linking indicates one-way trust.
Slide 28
Multiple (tied) Assertions
Core Identity (Core Identifier): immutable binding of Core Identifier to an Entity
Personas with identifiers:
• Citizen / Address Persona with Identifier (Government Identifier, Local authority Identifier)
• Credit Card Persona with Identifier (VISA Identifier)
• eCommerce Persona with Identifier (Amazon Identifier)
High Value Transaction (high risk transaction)
Purchase: 62in OLED screen @ $60,000
Assertions:
• Assert: This is my Amazon account
• Assert: This is my delivery address
• Assert: This is my Visa payment reference
Slide 29
Distributed Personas are Good

Slide 30
"Super Repositories" are Bad
Slide 31
Entitlement
Making a risk-based decision about access to data and/or systems, based on the trusted identity and attributes of all the entities and components in the transaction chain.
Slide 32
Entitlement
Entitlement Process: Identity Source #1, Identity Source #2, Attribute Source #1, Attribute Source #3 -> Entitlement Rules -> Authorization -> Access Management (Network Access, System Access, Application Access, Process Access, Data Access)
Source: Cloud Security Alliance: Guidelines v3.0
Slide 33
Trust in the foundation
The trust comes from being able to assert the "immutable binding" of the Entity (Core Identity) to the Core Identifier.
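The tied assertions of slide 28, the risk-based entitlement decision of slides 31 and 32, and the immutable binding of slides 25 and 33, as one added example in Go. It is not part of this deck and not Global Identity Foundation or Jericho Forum code. Assumptions: the core identifier is modelled as 32 random bytes held only by the device (the on-device biometric gate is out of scope); each persona key is derived from it with HMAC-SHA256 and used as an Ed25519 signing key, so persona identifiers are unlinkable without the core; issuer signatures stand in for whatever "issuer assures binding" means in a real scheme; the issuer names (Amazon, Local authority, VISA), the attribute strings and the rule that a high-value purchase needs all three assertions are this example's choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Device holds the core identifier, which never leaves the device (assumption: 32 random
// bytes stand in for the real, biometric-gated core identifier).
type Device struct{ core []byte }

func NewDevice() *Device {
	core := make([]byte, 32)
	rand.Read(core)
	return &Device{core: core}
}

// personaKey is the immutable binding: HMAC(core, persona name) always yields the same
// Ed25519 key for a persona, while without the core two personas cannot be linked.
func (d *Device) personaKey(persona string) ed25519.PrivateKey {
	m := hmac.New(sha256.New, d.core)
	m.Write([]byte("persona:" + persona))
	return ed25519.NewKeyFromSeed(m.Sum(nil))
}

// PersonaID (the hex public key) is the only identifier a relying party sees for a persona.
func (d *Device) PersonaID(persona string) string {
	return hex.EncodeToString(d.personaKey(persona).Public().(ed25519.PublicKey))
}

// Issuer vouches for one attribute of one persona (store account, address, card reference);
// Trusted is the relying party's own list of issuer public keys it accepts.
type Issuer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}
type Trusted map[string]ed25519.PublicKey

func NewIssuer(name string) *Issuer {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Issuer{Name: name, priv: priv, Pub: pub}
}

type Credential struct {
	PersonaID, Issuer, Attribute string
	Sig                          []byte
}

func credMsg(c Credential) []byte { return []byte(c.PersonaID + "|" + c.Issuer + "|" + c.Attribute) }
func (i *Issuer) Issue(personaID, attribute string) Credential {
	c := Credential{PersonaID: personaID, Issuer: i.Name, Attribute: attribute}
	c.Sig = ed25519.Sign(i.priv, credMsg(c))
	return c
}

// Assertion is the persona's own signature over "this credential is mine, for this transaction".
// The digest covers the purchase and every participating persona: that ties the assertions
// together and stops one of them being replayed into a different purchase.
type Assertion struct {
	Cred Credential
	Sig  []byte
}

func TxnDigest(purchase string, personaIDs []string) []byte {
	sum := sha256.Sum256([]byte(purchase + "|" + strings.Join(personaIDs, "|")))
	return sum[:]
}
func assertMsg(digest []byte, c Credential) []byte { return append(digest[:len(digest):len(digest)], credMsg(c)...) }
func (d *Device) Assert(persona string, c Credential, digest []byte) Assertion {
	return Assertion{Cred: c, Sig: ed25519.Sign(d.personaKey(persona), assertMsg(digest, c))}
}

// Entitle is the relying party's risk-based decision: trusted issuer, persona signature over
// this transaction, and (this example's assumed rule) all three assertions for a high-value buy.
func Entitle(purchase string, highValue bool, as []Assertion, trusted Trusted) (bool, string) {
	ids := make([]string, 0, len(as))
	for _, a := range as {
		ids = append(ids, a.Cred.PersonaID)
	}
	digest, have := TxnDigest(purchase, ids), map[string]bool{}
	for _, a := range as {
		pub, ok := trusted[a.Cred.Issuer]
		if !ok || !ed25519.Verify(pub, credMsg(a.Cred), a.Cred.Sig) {
			return false, "untrusted or forged credential from " + a.Cred.Issuer
		}
		personaPub, err := hex.DecodeString(a.Cred.PersonaID)
		if err != nil || len(personaPub) != ed25519.PublicKeySize || !ed25519.Verify(personaPub, assertMsg(digest, a.Cred), a.Sig) {
			return false, "assertion not signed by the named persona for this transaction"
		}
		have[a.Cred.Issuer] = true
	}
	if highValue && !(have["Amazon"] && have["Local authority"] && have["VISA"]) {
		return false, "high-value purchase needs account, address and payment assertions"
	}
	return true, "entitled"
}
```

The block is a package without a main; exercise it from a test or your own main: create one Device, three Issuers, issue one Credential per persona, compute TxnDigest over the purchase and the three persona identifiers, let the device Assert each credential against that digest, then call Entitle with the issuers' public keys in a Trusted map. The relying party never sees the core identifier, only persona public keys, so the banking and e-commerce personas cannot be aggregated by anyone who lacks the core. Because each persona signature covers the purchase and the full set of participating personas, an assertion lifted from the $60,000 purchase fails on any other purchase, a credential copied to a second device is useless because that device derives a different persona key, and a high-value purchase is refused unless account, address and payment assertions are all present and tied to it.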
Slide 34
In conclusion – How it looks
Core Identifier with Banking Persona, E-Commerce Persona, Family Persona, Corporate Persona and Citizen Persona; relying parties: My Corporate, Personal Social Media, E Commerce Store, Citizen Services.
"I'm Tom" / "No, I'm Tom" / "Drat... Foiled again"
Slide 35
Global Identity Foundation
www.globalidentityfoundation.org
►Primacy
►Global Standard
►Open Standard
►Open Implementation
►Works Universally
Join us on “Global Identity Foundation”
Slide 36
Jericho Forum Commandments
Jericho Forum Identity Commandments
Freely available at www.jerichoforum.org