(This is the second of two parts. Read Part 1 here.)
In the first half of this series, I reported the announcement from Visa that will drive the switch to EMV smart chip banking cards in the U.S., and why these cards are so powerful. In this half, lets look at the implications of this and how it could effect the world of identity.
Why do EMV bank cards change the world of identity?
Several factors make EMV bank cards so important:
- Eventually every Internet user in the world will have one or more.
- They are very secure.
- They work well with personal computers, mobile devices, and even physical lock systems.
- The global banking payment network can easily authenticate them and collect fees based on the value of the authentication.
How would EMV bank cards work for identity?
The payment card networks could easily add another transaction for authentication to the dozens of EMV bank card transactions already implemented.
EMV chips can operate in two modes: offline and online. In offline mode, the chip is used to generate one-time passwords or to sign manually entered data. This is how Visa’s DPA (MasterCard/JCB CAP) devices work. VASCO makes the popular DIGIPASS 800 readers. Several other vendors also make these readers. For higher-value transactions, going online has many aspects that enhance security and that ease implementation. In either case, the user would enter their PIN just like in a normal EMV bank card transaction.
Since the payment card network is built on the business concept of charging fees for transactions, relying parties - for the first time - can request a level of assurance (LOA) based on a monetary loss value if the authentication turns out to be fraudulent. The issuing bank charges a fee to the cardholder to accept the risk for that LOA.
The replying party will set a field in the transaction to indicate how much insurance they want. The card issuer validates the card, the PIN and the terminal before approving the transaction. The card issuer would charge the cardholder an agreed upon amount for that much insurance. A simple login with $0 recourse might be done for free or for some small fixed amount such as $0.001. Purchasing a $50,000 Lexus automobile would be more, based on the evaluation of risk.
What’s so special about EMV?
In a word, it’s ubiquity. Developed 20 years ago, the EMV system has evolved to address deployment issues and security threats. Hundreds of millions of EMV bank cards have been issued. The EMV system is the largest public key infrastructure that has ever been deployed. EMV transactions are routed over the standard global payment card network so EMV bank cards can be issued and used anywhere. And most importantly, the bank card network has a business model for exchanging cash for value.
What alternatives are there to EMV for hardware cryptography?
There are only a few alternatives. Issuing other specialized smart cards is a possiblity, like the U.S. Department of Defense Common Access Card or the national ID card used in Hong Kong. Another candidate is the Subscriber ID Module (SIM) used in GSM phones, such as offered by AT&T and T-Mobile in the U.S, and by most European telecoms. Finally a third choice is the Trusted Platform Module (TPM) chip deployed in PCs from Dell and others.
The problem with all these is weaving them into a ubiquitous system that works globally, has a secure key distribution framework, and has a way to monetize risk so there are incentives by all the parties in the system to use it securely.
What about fraud?
There is always the risk of fraud in any transaction. The goal of payment cards is to reduce this to a small enough level that users of the system are willing to include the cost in the price of the transaction. EMV bank cards have been attacked in many ways. Recently Ross Anderson and his band of merry cryptographers at Cambridge did a terrific hack on EMV bank cards from several banks, tricking the cards into thinking no PIN was necessary, and the banking system into thinking that a PIN had been entered. However, the system made a few adjustments and now this attack is rendered obsolete. This kind of attack and response has greatly hardened the security of EMV bank cards. And at this years Defcon, two Italian researchers sowed the usual FUD about lousy implementations. Well implemented systems for high-value transactions can prevent these problems.
What needs to happen to make EMV card authentication a reality?
There are a number of key events:
- The rest of the payment card industry (PCI) needs to follow Visa’s lead. The PCI includes MasterCard, American Express, Discover, and JCB.
Since Visa is the largest payment network in the world and always leads, the rest of the PCI is expected to follow shortly.
- The payment card networks need to define an authentication transaction and a business model for paying for authentication. Then this needs to get implemented throughout the processing nodes for issuing banks, networks, acquiring banks, and replying parties.
The technology part of this is very easy, since it would be just another EMV bank card transaction. The hard part is figuring out how to price it, although this is something the PCI has mastered.
- A standard reader implementation, user experience, and protocol needs to be defined.
Fortunately, this would look a lot like the current EMV point-of-sale system and user experience.
- Issuing banks need to offer authentication services. Relying parties need to offer EMV card authentication as on option.
This is a chicken and egg problem. The key is always to start with a small or closed population or a killer app that attracts lots of users. Car dealers, medical record holders, and the governments all are candidates.
- The concept of using EMV embedded in phones needs to be defined so that bank cards can be replaced by NFC phones.
This is not well-defined, but there is intense activity and innovation in this area, including by Visa and the other payment card networks.
In summary, EMV bank cards could usher in a whole new class of applications, where strong identity can be assumed and monetized. The risk of fraudulent authentication can be reduced to an affordable level.