Blog posts by John Tolbert
The European Banking Authority released the final draft of the Regulatory Technical Standards (RTS) on strong customer authentication and secure communication under PSD2 this week. It contains several improvements and clarifications, but there are still a few areas that fall short of industry expectations.
After the release of the initial drafts, EBA received a multitude of comments and discussion from many organizations and software vendors. One of the top concerns was the mandate for Strong Customer Authentication (SCA), which in the traditional definition requires two or more independent factors: something you have, something you know, and something you are. Originally SCA was conceived to apply to any transaction over €10. The threshold has been raised to €30, which is better, but still less than the recommended €50.
The revision also takes into account the innovations and benefits of risk-adaptive authentication. Risk-adaptive authentication encompasses several functions, including user behavioral analytics (UBA), two- or multi-factor authentication (2FA or MFA), and policy evaluation. Risk-adaptive authentication platforms evaluate a configurable set of real-time risk factors against pre-defined policies to determine a variety of outcomes. The policy evaluation yields one of three results: permit, deny, or “step-up authentication” required.
PSD2 RTS stipulates that banks (Account Servicing Payment Service Providers, or ASPSPs) must consider the following transactional fraud risk detection elements on a per-transaction basis:
- lists of compromised or stolen authentication elements;
- the amount of each payment transaction;
- known fraud scenarios in the provision of payment services;
- signs of malware infection in any sessions of the authentication procedure.
Items 1-3 are commonly examined in many banking transactions today. The prescription to look for signs of malware infection is somewhat vague and difficult to achieve technically. Is the bank responsible for knowing the endpoint security posture of all of its clients? If so, is it responsible also for helping remediate malware on clients?
Furthermore, in promoting “continuous authentication” via risk-adaptive authentication, EBA lists the following factors to be taken into account:
- the previous spending patterns of the individual payment service user;
- the payment transaction history of each of the payment service provider’s payment service user;
- the location of the payer and of the payee at the time of the payment transaction, provided that the access device or the software is provided by the payment service provider;
- the abnormal behavioural payment patterns of the payment service user in relation to the payment transaction history;
- in case the access device or the software is provided by the payment service provider, a log of the use of the access device or the software provided to the payment service user and the abnormal use of the access device or the software.
The requirements described above, from the PSD2 RTS document, are very much a “light” version of risk-adaptive authentication and UBA. These attributes are useful in predicting the authenticity of the current user of the services. However, there are additional attributes that many risk-adaptive authentication vendors commonly evaluate that would add value to the notion and practice of fraud risk reduction. For example:
- IP address
- Time of day/week
- Device ID
- Device fingerprint
- Known compromised IP/network check
- User attributes
- User on new device check
- Jailbroken mobile device check
Now that limited risk analytics are included in the PSD2 paradigm, the requirement for SCA is reduced to at least once per 90 days. This, too, is in line with the way most modern risk-adaptive authentication systems work.
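The following is an added example, not code from the RTS, from the author, or from any vendor product. It shows how the elements listed above can be combined in a single policy evaluation that yields permit, deny, or step-up: the hard stops (compromised credentials, malware indicators, a known-bad source IP) deny outright; the amount threshold and the “SCA at least once per 90 days” rule force a step-up regardless of anything else; and the softer behavioural and device signals (new device, jailbroken device, location, spending pattern, time of day) are weighted into a score. All thresholds, weights, and the sample profile are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of policy evaluation: permit, deny, or step-up (SCA required).
type Decision string

const (
	Permit Decision = "PERMIT"
	Deny   Decision = "DENY"
	StepUp Decision = "STEP_UP"
)

// Transaction carries the per-transaction elements named in the RTS plus the
// extra signals (IP, device, jailbreak, time) that vendors commonly evaluate.
type Transaction struct {
	Amount       float64
	PayerCountry string
	PayeeCountry string
	DeviceID     string
	IP           string
	Jailbroken   bool
	MalwareSigns bool // hypothetical flag set by a session-integrity check
	At           time.Time
}

// UserProfile is the history the ASPSP holds about the payment service user.
type UserProfile struct {
	UsualCountry     string
	KnownDevices     map[string]bool
	AvgAmount        float64 // previous spending pattern
	LastSCA          time.Time
	CompromisedCreds bool // credential appears on a list of stolen authentication elements
}

// Policy holds the tunables. The values in DefaultPolicy are illustrative only.
type Policy struct {
	SCAAmountThreshold float64       // amount above which SCA is always required
	SCAInterval        time.Duration // SCA at least once per this interval
	AmountSpikeFactor  float64       // multiple of the user's average that counts as abnormal
	StepUpScore        int           // weighted risk score at which step-up is required
	BadIPs             map[string]bool
}

// Evaluate applies the policy and returns the decision together with the
// signals that drove it, so every per-transaction outcome can be audited.
func Evaluate(p Policy, u UserProfile, tx Transaction) (Decision, []string) {
	// Hard stops that no step-up should override.
	switch {
	case u.CompromisedCreds:
		return Deny, []string{"credential on compromised/stolen list"}
	case tx.MalwareSigns:
		return Deny, []string{"malware indicators in session"}
	case p.BadIPs[tx.IP]:
		return Deny, []string{"source IP on known-compromised list"}
	}

	// Conditions under which SCA is mandatory regardless of the risk score.
	var reasons []string
	if tx.Amount > p.SCAAmountThreshold {
		reasons = append(reasons, fmt.Sprintf("amount %.2f above SCA threshold", tx.Amount))
	}
	if tx.At.Sub(u.LastSCA) > p.SCAInterval {
		reasons = append(reasons, "last SCA older than policy interval")
	}
	if len(reasons) > 0 {
		return StepUp, reasons
	}

	// Softer behavioural and device signals are weighted and summed.
	score := 0
	add := func(points int, why string) {
		score += points
		reasons = append(reasons, why)
	}
	if !u.KnownDevices[tx.DeviceID] {
		add(30, "user on new device")
	}
	if tx.Jailbroken {
		add(30, "jailbroken mobile device")
	}
	if tx.PayerCountry != u.UsualCountry {
		add(20, "payer location differs from usual country")
	}
	if tx.PayeeCountry != tx.PayerCountry {
		add(10, "cross-border payee")
	}
	if u.AvgAmount > 0 && tx.Amount > p.AmountSpikeFactor*u.AvgAmount {
		add(20, "amount abnormal relative to spending history")
	}
	if h := tx.At.Hour(); h >= 1 && h < 5 {
		add(10, "unusual time of day")
	}
	if score >= p.StepUpScore {
		return StepUp, reasons
	}
	return Permit, reasons
}

// DefaultPolicy and SampleProfile are constructed sample data, not real values.
func DefaultPolicy() Policy {
	return Policy{SCAAmountThreshold: 30, SCAInterval: 90 * 24 * time.Hour, AmountSpikeFactor: 5,
		StepUpScore: 50, BadIPs: map[string]bool{"198.51.100.9": true}}
}

func SampleProfile() UserProfile {
	return UserProfile{UsualCountry: "DE", KnownDevices: map[string]bool{"dev-1": true}, AvgAmount: 25,
		LastSCA: time.Date(2017, 2, 20, 9, 0, 0, 0, time.UTC)}
}

func main() {
	// A small payment from a new, jailbroken device to a foreign payee: below the
	// amount threshold, but the device signals alone push it to step-up.
	tx := Transaction{Amount: 20, PayerCountry: "DE", PayeeCountry: "FR", DeviceID: "dev-2",
		IP: "203.0.113.7", Jailbroken: true, At: time.Date(2017, 3, 1, 14, 0, 0, 0, time.UTC)}
	d, why := Evaluate(DefaultPolicy(), SampleProfile(), tx)
	fmt.Println(d, why)
}
```

Returning the reasons alongside the decision matters in practice: the RTS asks ASPSPs to apply these elements per transaction, and an auditor or fraud analyst needs to see which signal triggered a deny or a step-up, not just the final verdict.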
The PSD2 RTS leaves “screen-scraping” in place for an additional 18 months. Screen-scraping is a known bad practice in which Third Party Providers (TPPs) collect the customer’s bank username and password, submit them to the bank’s own login pages, and extract account data from the returned HTML. This practice not only exposes the customer’s credentials to a third party and to Man-in-the-Middle (MITM) attacks, but also perpetuates the use of low-assurance username/password authentication. Given that cyber criminals now know that they have only a limited amount of time to exploit this weak mechanism, look for an increase in attacks on TPPs and banks using screen-scraping methods.
In summary, the final draft of PSD2 RTS does make some security improvements, but omits recommending practices that would more significantly and positively affect security in the payments industry, while leaving in place the screen-scraping vulnerability for a while longer.
Consumer identity and access management solutions are bringing value to the organizations which implement them, in terms of higher numbers of successful registrations, customer profiling, authentication variety, identity analytics, and marketing insights. Many companies with deployed CIAM solutions are increasing revenue and brand loyalty. Consumers themselves have better experiences interacting with companies that have mature CIAM technologies. CIAM is a rapidly growing market segment.
CIAM systems typically collect (or at least attempt to collect) the following attributes about consumers: Name, email address, association with one or more social network accounts, age, gender, and location. Depending on the service provider, CIAM products may also pick up data such as search queries, items purchased, items browsed, and likes and preferences from social networks. Wearable technology vendors may collect locations, physical activities, and health-related statistics, and this data may be linked to consumers’ online identities in multiple CIAM implementations. To reduce fraud and unobtrusively increase the users’ authentication assurance levels, some companies may also acquire users’ IP addresses, device information, and location history.
Without a lawful basis such as the EU user’s explicit consent, all of this data collection will violate the EU’s General Data Protection Regulation (GDPR) once it applies in May 2018. Penalties for violation can be up to €20M or 4% of worldwide annual turnover, whichever is higher.
Consider a few definitions from the GDPR:
(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
(10) ‘third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
(11) ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
This means that companies that are currently deriving benefit from CIAM must:
- Perform a privacy data assessment
- Create new privacy policies as needed
- Plan to clean and minimize user data already resident in systems
- Implement the consent gathering mechanisms within their CIAM solutions
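The following is an added example, not code from the article or from any CIAM product. It turns the definitions quoted above into checks a CIAM back end can enforce: consent is recorded per specific purpose, only on a clear affirmative action (a pre-ticked box is rejected), with the notice version the subject saw, it can be withdrawn, and every read of profile data passes through a gate that refuses without valid consent and releases only the attributes that purpose needs (data minimization). The purposes, the attribute-to-purpose mapping, and the sample profile are constructed for illustration, not a legal determination.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Purpose names one specific processing purpose. Consent is recorded per
// purpose, because a blanket "I agree" is not "specific" in the GDPR sense.
type Purpose string

const (
	PurposeAccountService Purpose = "account-service"
	PurposeMarketing      Purpose = "marketing-analytics"
	PurposeLocation       Purpose = "location-history"
)

// purposeAttributes is the data-minimisation map: the only attributes a
// purpose may read. (Illustrative assignment, not a legal determination.)
var purposeAttributes = map[Purpose][]string{
	PurposeAccountService: {"name", "email"},
	PurposeMarketing:      {"age", "gender", "items_browsed"},
	PurposeLocation:       {"location"},
}

// ConsentRecord is the evidence the controller keeps per subject and purpose.
type ConsentRecord struct {
	NoticeVersion string     // the notice shown, so consent is demonstrably informed
	GivenAt       time.Time  // time of the affirmative action
	WithdrawnAt   *time.Time // nil while consent stands
}

// ConsentLedger stores consent per (subject, purpose).
type ConsentLedger struct {
	records map[string]map[Purpose]*ConsentRecord
}

func NewLedger() *ConsentLedger {
	return &ConsentLedger{records: map[string]map[Purpose]*ConsentRecord{}}
}

// Grant records consent. It rejects anything that would not meet the
// definition: no clear affirmative action (e.g. a pre-ticked box), or no
// notice version to show the subject was informed.
func (l *ConsentLedger) Grant(subject string, p Purpose, noticeVersion string, affirmed bool, at time.Time) error {
	if !affirmed {
		return errors.New("consent requires a clear affirmative action by the data subject")
	}
	if noticeVersion == "" {
		return errors.New("consent must be informed: no notice version recorded")
	}
	if _, ok := purposeAttributes[p]; !ok {
		return fmt.Errorf("unknown purpose %q", p)
	}
	if l.records[subject] == nil {
		l.records[subject] = map[Purpose]*ConsentRecord{}
	}
	l.records[subject][p] = &ConsentRecord{NoticeVersion: noticeVersion, GivenAt: at}
	return nil
}

// Withdraw keeps the record for audit but stops further processing.
func (l *ConsentLedger) Withdraw(subject string, p Purpose, at time.Time) error {
	rec := l.records[subject][p]
	if rec == nil || rec.WithdrawnAt != nil {
		return errors.New("no active consent to withdraw")
	}
	rec.WithdrawnAt = &at
	return nil
}

// Allowed reports whether processing for the purpose may proceed.
func (l *ConsentLedger) Allowed(subject string, p Purpose) bool {
	rec := l.records[subject][p]
	return rec != nil && rec.WithdrawnAt == nil
}

// Process is the gate every consumer of profile data goes through: it refuses
// without valid consent and returns only the attributes the purpose needs.
func Process(l *ConsentLedger, subject string, p Purpose, profile map[string]string) (map[string]string, error) {
	if !l.Allowed(subject, p) {
		return nil, fmt.Errorf("no valid consent from %s for purpose %s", subject, p)
	}
	out := map[string]string{}
	for _, attr := range purposeAttributes[p] {
		if v, ok := profile[attr]; ok {
			out[attr] = v
		}
	}
	return out, nil
}

func main() {
	l := NewLedger()
	// Constructed sample profile of the kind a CIAM system collects.
	profile := map[string]string{"name": "A. Example", "email": "a@example.net", "age": "34", "location": "Paris"}
	_ = l.Grant("user-42", PurposeAccountService, "notice-v3", true, time.Now())
	data, err := Process(l, "user-42", PurposeAccountService, profile)
	fmt.Println(data, err) // only name and email are released
	_, err = Process(l, "user-42", PurposeMarketing, profile)
	fmt.Println(err) // refused: no consent for marketing analytics
}
```

The point of routing every read through Process rather than checking consent in each feature is that the “plan to clean and minimize user data” item above becomes enforceable: a marketing job cannot see the location history even if it is sitting in the same profile record.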
If your deployed CIAM solution is not yet fully GDPR compliant, talk with your vendor about their product roadmaps. Find out when they will release a GDPR compliant version, and determine how to work that into your own release schedule.
If your organization is considering deploying CIAM in the near future, make sure that GDPR compliant consent mechanisms and storage schemes are on your RFP requirements list.
This article is not intended to provide detailed technical or legal advice. For more information, see the full text of the GDPR as published in the Official Journal of the European Union, and visit www.kuppingercole.com. Over the next few months, we will examine other aspects of GDPR and what it entails for business, IAM, and IT infrastructure.
KuppingerCole just concluded our first Consumer Identity Summit in Paris. In fact, this was the first Consumer focused digital identity event of its kind. The event was very well attended, and featured excellent expert speakers from all across the globe. The popularity of the event and enthusiasm for dialogue among attendees demonstrates the need for treating Consumer Identity differently than traditional Enterprise Identity. The technology has been evolving significantly, to meet rapidly changing business requirements and encompass newly developed technologies.
Businesses and public sector organizations are finding that they need to “Know Your Customer” (KYC) better for a number of reasons. Consumer Identity and Access Management (CIAM) services can help meet these objectives. For example, retail and media outlets can provide better experiences to registered users. These companies can offer incentives, special sales, and other features to increase loyalty to their brands. Banks and financial institutions can better comply with Anti-Money Laundering (AML) regulations by establishing digital relationships via CIAM, and provide competitive advantages.
Consumer identity is becoming more than just a competitive advantage though. Katryna Dow, CEO of Meeco, said “Consumer Identity is the new channel”. What this means is that digital service providers are in many cases beginning to bypass traditional distribution channels to directly engage and sell to consumers. This will have increasingly profound effects on business models. Consider, for example, the changes in entertainment media and its prior distribution channels. Where consumers once bought movies and programs on VHS or DVD at stores such as Blockbuster and Hollywood Video, consumers are now streaming content straight from Amazon, Hulu, Netflix, Sony, and more. The same can be said for online retailers: those utilizing consumer identity solutions have ways to alert interested buyers, solicit feedback, and create revenue streams that others can’t.
Allan Foster, VP of Community at ForgeRock and President of Kantara Initiative, described the difference between enterprise IAM and CIAM: “with enterprise IAM, IT provides the identities; in CIAM, IT provides the means for consumers to build their own identities.” This saves administrative effort, and puts control over which attributes to share back into the consumers’ hands, making them a participant in the process.
Ian Glazer, Senior Director at Salesforce Identity, highlighted the need for improved user experiences, showing how effective consumer identity management promotes a much better user journey. He stated that businesses must reduce friction for consumers by using social logins, progressive profiling, and progressive proofing. Logins should not require “Yet Another Username & Password”, or YAUP. Consumer identity should work across multiple channels, including tying users to their IoT devices.
Several speakers touched on the importance of preparing for the EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018. GDPR contains language which governs the treatment and handling of information gathered and used by CIAM systems. GDPR defines “personal data” (its term for what is often called personally identifiable information, or PII): name, email, photos, posts on social networks, medical information, and financial information are examples. Some of the most important provisions include explicit consent for personal data usage, restrictions on transferring personal data outside the EU (transfers to third countries require adequate safeguards), data portability (data subjects must be able to export their data from systems), and the right to erasure, commonly called the right to be forgotten (data deletion). CIAM solutions must be able to meet all these requirements to be viable within the EU in the post-GDPR regulatory schema. For more information on GDPR, follow KuppingerCole’s updates, and to see the full text, go to http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf.
To meet the privacy objectives of GDPR, Dr. Maciej Machulak discussed Kantara Initiative’s User Managed Access (UMA) specification. UMA provides a framework for web applications to obtain users’ consent for use of their data. KuppingerCole believes that UMA will be a major enabler for GDPR compliance. For more information on UMA, see https://kantarainitiative.org/confluence/display/uma/Home.
We also presented the results of our CIAM Leadership Compass at the Summit. For this paper, ForgeRock, Gigya, IBM, iWelcome, Janrain, LoginRadius, Microsoft, Okta, PingIdentity, Salesforce, SAP, and SecureAuth participated. Each company has products that serve the CIAM needs of their own customers, with different strengths, challenges, and target markets. For the full report, see https://www.kuppingercole.com/report/lc71171.
Lastly, our own Martin Kuppinger weighed in on the ownership aspect of CIAM deployments. There are a variety of ways that CIAM can be implemented and maintained. In some companies, marketing takes the lead. In others, IT is completely responsible. The hybrid ownership approach works best: IT owns the deployment, but operates it as a service for the business as a whole. This promotes tight integration with enterprise IAM, without being encumbered by enterprise IAM limitations. It also allows businesses to efficiently promote regulatory compliance and security, while offering consistent and feature-rich solutions for sales and marketing.
KuppingerCole will continue to track with CIAM solution developers and customers to provide the most up-to-date information on CIAM, KYC, and the regulatory drivers in this space.
GlobalPlatform recently held their annual conference in Santa Clara, California. GlobalPlatform is an international standards organization that defines specifications for the Trusted Execution Environment (TEE), an isolated execution environment with its own small trusted OS that runs alongside the main (“Rich”) OS on a device’s application processor. It also specifies requirements for Secure Elements (SE), the tamper-resistant chips used for protected key and data storage within mobile devices. Used together, Trusted Apps run inside the TEE, protected from rogue apps and malware, and control access to data stored in the SE. A TEE can also provide a trusted user interface, protecting the confidentiality and integrity of the path between user input and the display. The specifications are becoming widely used in the protection of premium content (digital media), financial apps, telecommunications, automotive components, healthcare devices, and transit systems.
TEE is being used to secure processing and messaging in many IoT scenarios already today, such as parking meters, food monitoring, and "smart cities" street light monitoring. On the consumer side, TEE is implemented in watches, home automation, and even cars. Remote monitoring of manufacturing, logistics, agriculture, and environments is increasingly being performed by IoT sensors. The number of Internet connected devices is rapidly rising.
Given the recent spate of record-breaking DDoS attacks launched from compromised IoT devices, expect to see greater emphasis and consumer demand for security and privacy on IoT manufacturers. Most consumers do not want their webcams and refrigerators to be involved in illegal activities, such as knocking websites off the air, or sabotaging food production.
Beyond providing specifications for execution and storage, GlobalPlatform can help with IoT security by adopting device identity standards. The IoT devices that have unwittingly participated in attacks have done so because bad actors took control using default usernames and passwords. In most cases, users aren't directly involved, so having a username/password identity scheme does not even make sense for IoT sensors.
The lifecycle for IoT device identities is quite different from that of human users. Some devices are designed to last a few hours, such as passive WiFi concrete hardening sensors. Some agricultural sensors are designed to last a growing season. However, in other cases, Internet-enabled durable goods and medical devices are expected to last from several years to perhaps decades. Thus, the identity lifecycle and the difficulty of modifying attributes pose new security risks. Time will tell, but ultimately a PKI-lite certificate-based device identity paradigm may emerge, if revocation issues can be sufficiently addressed. IoT device vendors and third party service providers will likely find that device identity and access management could generate long-term subscription and fee revenues.
With regard to user authentication, GlobalPlatform and the FIDO Alliance will be cooperating with cross-certification and joint testing programs. The FIDO Alliance is an international Standards Development Organization (SDO) focused on multi-factor and mobile authentication technologies. GlobalPlatform currently provides test tools and certified test labs to perform independent security testing of TEEs. This yields qualified products. Many vendors are already building and certifying TEEs. FIDO authenticators and clients are being deployed in the TEE. Apps that run in the open, or "Rich OS" can request authentication from the FIDO client/authenticator, running securely in the TEE.
FIDO is also adding security certification. The first priority is protecting the authenticator’s keys. FIDO security certification will re-use other organizations’ standards, such as FIPS 140-2 and GlobalPlatform TEE certification, and will look for and confirm the use of a TEE by FIDO components. FIDO certification will then consist of functional certification by FIDO (as it is today) plus GlobalPlatform TEE certification as the security component.
GlobalPlatform and FIDO are planning to synchronize certification processes. Independent certified test labs will provide the testing services for both organizations. OEMs will be able to get both needed certifications much more quickly. Such an approach is a "win-win" for the mobile IAM community, as there are many common members between FIDO and GlobalPlatform, and this should reduce the cost and time needed to obtain security certifications from both organizations.
As we know, IoT devices are proliferating but security is severely lacking. The number of FIDO certified products is also beginning to grow. GlobalPlatform’s TEE will add needed runtime and I/O security to both IoT and FIDO applications. KuppingerCole recommends that both IoT device manufacturers and FIDO implementers utilize TEE to:
- improve the overall security posture of IoT devices and FIDO authenticators
- reduce the risk of malware taking over IoT devices and turning them into DDoS botnets
- increase integrity of key generation, storage, and use in FIDO authenticators
- add credibility to IoT and FIDO products in the marketplace.
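The following is an added example, not code from the article, from GlobalPlatform, or from the FIDO Alliance, and it is a model rather than a real TEE: it shows the boundary the text describes, with the authenticator’s private key held where a Rich-OS caller can only ask for a public key or a signature, never read the key, and the full challenge-response exchange between relying party, FIDO client, and authenticator. The relying-party name, origin, and simplified authenticator-data layout (SHA-256 of the RP ID followed by a signature counter) are assumptions for illustration; a real implementation follows the FIDO specifications’ exact encodings and parses the client data rather than comparing a string.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models the component that, on a real device, runs inside the
// TEE. The private key is an unexported field: nothing outside this type can
// read it; callers can only obtain the public key or ask for a signature.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	rpID    string // the credential is scoped to one relying party
	counter uint32 // signature counter, lets the RP detect cloned keys
}

// NewAuthenticator generates the credential key pair inside the trusted boundary.
func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv, rpID: rpID}, nil
}

// PublicKey is all the relying party ever learns about the key.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// authData is SHA-256(rpID) || big-endian counter (simplified layout, see lead-in).
func authData(rpID string, counter uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	ctr := make([]byte, 4)
	binary.BigEndian.PutUint32(ctr, counter)
	return append(h[:], ctr...)
}

// Sign produces the assertion: an ECDSA signature over authData || clientDataHash.
func (a *Authenticator) Sign(rpID string, clientDataHash [32]byte) (ad, sig []byte, err error) {
	if rpID != a.rpID {
		return nil, nil, errors.New("credential is not scoped to this relying party")
	}
	a.counter++
	ad = authData(rpID, a.counter)
	digest := sha256.Sum256(append(append([]byte{}, ad...), clientDataHash[:]...))
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return ad, sig, err
}

// RelyingParty is the server side: it holds only the public key and last counter.
type RelyingParty struct {
	id, origin  string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

func NewRelyingParty(id, origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{id: id, origin: origin, pub: pub}
}

// NewChallenge returns 32 random bytes; each challenge is single-use.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// ClientData is what the FIDO client in the Rich OS assembles. Binding the
// challenge to the origin the user is really talking to is what stops a
// phishing site from relaying the bank's challenge.
func ClientData(challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf(`{"challenge":"%x","origin":"%s"}`, challenge, origin))
}

// Verify checks one assertion against the challenge this RP issued.
func (rp *RelyingParty) Verify(challenge, clientData, ad, sig []byte) error {
	if !bytes.Equal(clientData, ClientData(challenge, rp.origin)) {
		return errors.New("client data does not match the issued challenge and origin")
	}
	rpHash := sha256.Sum256([]byte(rp.id))
	if len(ad) != 36 || !bytes.Equal(ad[:32], rpHash[:]) {
		return errors.New("assertion is not for this relying party")
	}
	counter := binary.BigEndian.Uint32(ad[32:])
	if counter <= rp.lastCounter {
		return errors.New("signature counter did not increase: replay or cloned authenticator")
	}
	cdh := sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	if !ecdsa.VerifyASN1(rp.pub, digest[:], sig) {
		return errors.New("invalid signature")
	}
	rp.lastCounter = counter
	return nil
}

// Authenticate runs one full exchange: RP challenge -> client data -> TEE signature -> RP verify.
func Authenticate(rp *RelyingParty, auth *Authenticator, origin string) error {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return err
	}
	clientData := ClientData(challenge, origin)
	ad, sig, err := auth.Sign(rp.id, sha256.Sum256(clientData))
	if err != nil {
		return err
	}
	return rp.Verify(challenge, clientData, ad, sig)
}

func main() {
	auth, _ := NewAuthenticator("bank.example")
	rp := NewRelyingParty("bank.example", "https://bank.example", auth.PublicKey())
	fmt.Println("genuine origin:", Authenticate(rp, auth, "https://bank.example"))
	fmt.Println("phishing origin:", Authenticate(rp, auth, "https://bank-example.net"))
}
```

Two properties the list above asks a TEE to deliver are visible here: the key never crosses the boundary (only Sign and PublicKey exist), and the monotonic counter gives the relying party a way to notice a cloned authenticator or a replayed assertion. What the model cannot show is the part only hardware gives you: that malware in the Rich OS cannot read the authenticator's memory at all.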
KuppingerCole will continue to monitor developments in the mobile and IoT security space.
GlobalPlatform TEE specifications can be found at https://www.globalplatform.org/specificationsdevice.asp.
Today, the Security Operations Center (SOC) is at the heart of enterprise security management. It is used to monitor and analyze security alerts coming from the various systems across the enterprise and to take actions against detected threats. However, the rapidly growing number and sophistication of modern advanced cyber-attacks make running a SOC an increasingly challenging task even for the largest enterprises with their fat budgets for IT security. The overwhelming number of alerts puts a huge strain even on the best security experts, leaving just minutes for them to decide whether an [...]