- From: Erik Anderson <eanders@pobox.com>
- Date: Sun, 7 Jun 2015 22:55:37 -0400
- To: <public-webpayments-ig@w3.org>
- Message-ID: <0b5201d0a196$99996e40$cccc4ac0$@pobox.com>
Sorry, I am by far not done with digesting all of the materials from the Federal Reserve Secure Payments Taskforce inaugural meeting. The contents of this email are also reflected at the bottom of https://github.com/w3c/webpayments-ig/blob/master/latest/requirements/requirements_draft.txt

Sorry, there is a lot of condensed information below. I won't likely have time to provide individual responses to what this will generate. I will send out a followup once I am done digesting the other 1/2 of the Fed's documentation.

Fed's presentation link: https://fedpaymentsimprovement.org/wp-content/uploads/060415_secure_payments_task_force_teleconference.pdf

There is a lot of valuable information listed in the reference material of the above PDF.

Key takeaways and notes from the presentation and followup documentation:

- Identity & Authorization
  - Identity Management: important to meeting cybersecurity goals. An Identity Framework will provide better coverage than authentication solutions.
  - Significant advancements in technology allow for devices and mechanisms to identify their owner.
  - Standards, approaches and solutions that could be tailored to address an individual organization's priorities.
  - Did the user authorize the transaction, the sharing of his information, the opening of personal records?
  - Data breaches resulted in identity theft. Utilize approaches to protect users' data in transit or at rest.
  - Realtime indicator and notification when information is accessed or shared.
  - Consumer identity solutions must be strengthened against events leading to identity theft, both personal and corporate.
  - Due to technology advancements, counterfeiting of payment instruments is nearly impossible. Theft of sensitive data and private keys is the key factor enabling many methods of payment fraud. These thefts enable misrepresentation of authority, counterfeit cards and checks, and taking over or creating new payment accounts.
  - If digital signature mechanisms become the norm they will also become part of the attack vector for the identity thief.
  - Geographic tailoring of location input is an important factor in identity to thwart many instances of fraud.
- Authentication
  - Authentication is to reduce risks but provides no guarantee of who the user is.
  - Make use of advances in authentication technology to help reduce risks.
  - Authentication by itself is not enough.
- Data Security
  - Many lessons learned from data breaches.
  - Many of these breaches are national or superregional in scope, affecting consumers in many states and, frequently, across the country.
  - Identification of privacy risk in information systems is very hard, and doubly so due to non-standard approaches to securing the information. Most information is secured in bulk vs. smaller layers that segregate and isolate information loss to anonymized elements that are unusable without being associated with the whole. Example: breaking the key securing the birthdate of one individual without compromising the individual's name or all consumers' birthdates.
  - Data anonymization has been an immensely successful strategy for storing data at rest.
  - Another great strategy has been bulk storage of a user's historical credit profile as encrypted anonymized elements that are cryptographically separated from their whole. This particular strategy can be easily applied to data in transit to prevent the whole of the data from being lost even if the message containing such data is captured.
  - Current data security approaches are still leaning toward securing the network. This leads to overall security depending on the security of each element of a network. Furthermore, these weak links can change as the security preferences or makeup of payment participants change over time. The only solution is to end-to-end secure the data itself and let the network/channel independently evolve.
  - Using a standardized end-to-end data security mechanism will prevent even a rogue authorized agent/node from accessing information they don't need to access. Example: a user's bulk data was accidentally sent for age verification, yet no unnecessary information was disclosed because access controls only allowed opening the anonymized age record.
  - To minimize risk, one-time keys are necessary to prevent an authorized party of one anonymized record from elevating their permissions by combining historical static keys from other parties.
  - Identity-based authentication combined with revocable roles and time-based access controls to information would allow immediate tangible actions to be executed even after the occurrence of an information-exposing event.
  - Users' records were stolen, resulting in disclosure, publication, and unauthorized reuse of their personal data, resulting in identity theft at a massive scale.
  - A large percentage of data breaches occurred from password/account recovery mechanisms of authorized vendor accounts.
  - Separation of the data security from the application security was viewed as a giant leap forward in the event the application or operating system was compromised. This mechanism should be applied on consumer premises as well.
  - Consumer confidence in electronic payment systems is at an all-time low. Millennials trust Bitcoin more than fiat.
  - Financial institutions must accept the consequences of a security failure, but that does not always match who has the ability to correct those security gaps. Example: financial institutions have no control over browser security mechanisms; financial institutions have no control over zero-day vulnerabilities in software applications written by 3rd parties.
  - Information about the quality of commercial security products is imperfect and causes incorrect investment decisions.
  - Current security depends on the security of each element of a network.
  - All data must be protected at all times, from UI entry/display to the very databases the information is stored in.
  - Mechanism to measure threat intelligence of information. Threat intelligence must have context if it's to be actionable.
  - Data security technology mechanisms must be integrated into an organization's workflow and risk management practices.
  - The size and sophistication of an organization, to a large extent, indicates the threat information that it contains and must protect.
  - Sharing private sector information with government still has many legal hurdles. Authorization mechanisms must be put into the data itself to authorize sharing of information with the government yet limit regulatory snooping.
  - Cyber threats due to information storage, transit, and sharing mechanisms are serious issues and must be addressed.
  - Consumer use of corrective financial protection mechanisms, such as Fraud Alerts and Credit Freeze systems, has been very low (<10%) and unsuccessful. Consumers don't use these particular types of identity theft protections, and by the time the alert or freeze occurs the damage has been done. When consumers use those systems it ends up costing several days of time. Must protect the data around identity (i.e. credentials) with better access controls and protection mechanisms. It should be infeasible to defeat the authentication, identification, and access control mechanisms to expose the data even on a compromised PC or at a compromised consumer data collection facility.
  - Identity theft and fraud are drastically increasing (25-50% per year) because of personal data sharing mechanisms, data breaches, password/account recovery mechanisms, malware, etc.
- Security Framework
  - The Security Framework should recognize the global nature of technology yet avoid guidance based on country of origin, which would impede international commerce. National cybersecurity concerns can be addressed in alignment with international standards.
  - A data security standard/framework should wrap the details of the underlying technologies yet be flexible enough to let the industry define how the framework protects the assets within their organizations based on their overall risk management plans. Avoid developing a conformity assessment program: confidence before conformity.
  - Industry should define how the Framework should be adopted in their organizations based on their overall risk management plans. That approach has generally been well received.
  - The Framework must address privacy and civil liberties methodology. Identity and privacy technology must be integrated with cybersecurity technology. Layer cybersecurity technologies into identity and privacy so identity theft and violation of privacy become infeasible.
  - The Framework should be directly referenced as "public policy" to protect against misaligned incentives. Policymakers can't craft a policy that addresses constantly changing threats or the complex interdependencies of today's information networks, nor provide enough details to implement adequate cybersecurity protection.
  - The Framework must address protection of the data itself. Payment and information networks consist of many components (computers, communication channels, software, and users), each subject to attack and requiring defense. The weakness of each component will vary, and attackers will strike vulnerabilities with the highest expected payoff. You can't protect all the components, so we must work on protecting the data.
Received on Monday, 8 June 2015 02:57:19 UTC
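The "cryptographically separated anonymized elements" and the age-verification example in the notes above describe per-field encryption with independent keys; the following is an added Python illustration of that idea, not code from the email, the W3C group or the Task Force. The HMAC-SHA256 key derivation and HMAC counter-mode cipher are stdlib stand-ins for a standard AEAD such as AES-GCM, and the master key and customer record are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; nothing here comes from the Task Force material.
MASTER_KEY = hashlib.sha256(b"constructed master key for the example").digest()
RECORD = {"name": "Alice Example", "birthdate": "1990-05-17", "ssn": "000-00-0000"}

def derive_key(master: bytes, record_id: str, field: str) -> bytes:
    # One key per (record, field): a leaked birthdate key opens one person's
    # birthdate, not their name and not anyone else's birthdate.
    return hmac.new(master, f"{record_id}|{field}".encode(), hashlib.sha256).digest()

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    # Domain-separated HMAC-SHA256, used both for the keystream and for the tag.
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over the PRF; a stdlib stand-in for a real AEAD such as AES-GCM.
    blocks = (_prf(key, b"enc", nonce + i.to_bytes(4, "big")) for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_field(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _prf(key, b"tag", nonce + ct)  # encrypt-then-MAC

def decrypt_field(key: bytes, blob: bytes) -> bytes:
    # Refuses, rather than returning garbage, when the key is wrong or the field was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"tag", nonce + ct)):
        raise PermissionError("wrong key or tampered field")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def encrypt_record(master: bytes, record_id: str, fields: dict) -> dict:
    return {f: encrypt_field(derive_key(master, record_id, f), v.encode()) for f, v in fields.items()}

def age_verifier_view(sealed: dict, birthdate_key: bytes) -> dict:
    # The verifier receives the whole sealed record (the accidental bulk send in the
    # notes) but holds only the birthdate key, so only that field opens.
    opened = {}
    for field, blob in sealed.items():
        try:
            opened[field] = decrypt_field(birthdate_key, blob).decode()
        except PermissionError:
            pass
    return opened

def demo() -> dict:
    sealed = encrypt_record(MASTER_KEY, "cust-42", RECORD)
    return age_verifier_view(sealed, derive_key(MASTER_KEY, "cust-42", "birthdate"))
```

`demo()` returns only `{"birthdate": "1990-05-17"}`: the name and SSN fields stay sealed even though the verifier was handed the entire record.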