Technology Landscape for Digital Identification
Total Page:16
File Type:pdf, Size:1020Kb
Recommended publications
Cloud App Security Administration Guide For
Cloud App Security Administration Guide for Office 365 and Microsoft 365. Contents: Understanding Cloud App Security; Understanding Email Security; Using Data Leak Protection; Understanding Anomalies; Understanding Click-Time Protection; Configuring Cloud App Security; Subscribing to Cloud App Security; Activating Cloud Applications for Cloud App Security; Activating Office 365 and Microsoft 365 Cloud Applications; Manually Configuring Office 365 and Microsoft 365 Cloud Applications During Activation; Managing Quarantine for Office 365 and Microsoft 365; Setting Up a Quarantine Mailbox for Office 365 and Microsoft 365 Email (Exchange Online); Setting Up a Quarantine Folder for Office 365 and Microsoft 365 OneDrive; Setting Up a Quarantine Folder for Office 365 and Microsoft 365 SharePoint; Using the Quarantine View for Office 365 and Microsoft 365 Email (Exchange Online); Using the Quarantine Page; Using the Quarantined File Creator Dashboard; Using the User Dashboard for Office 365 and Microsoft 365; Managing Restore Requests; Using the SonicWall Cloud App Security Dashboard; Using the Security Events Widgets; Changing a Security Event Widget to an Alert or Custom Query; Resetting a Security Event Widget; Hiding a Security Event Widget; Configuring Security Event Widget Custom Queries; Adjusting the Time Scale; Viewing the Summary of Security Events; Viewing Login Events; Viewing Secured Applications; Viewing the Scanned Files Summary; Managing Security Events; Using the Security
Aiding Surveillance an Exploration of How Development and Humanitarian Aid Initiatives Are Enabling Surveillance in Developing Countries
Privacy International. Aiding Surveillance: An exploration of how development and humanitarian aid initiatives are enabling surveillance in developing countries. Gus Hosein and Carly Nyst, 01 October 2013. www.privacyinternational.org. Contents: Executive Summary; Section 1 Introduction; Section 2 Methodology; Section 3 Management Information Systems and electronic transfers; Section 4 Digital identity registration and biometrics; Section 5 Mobile phones and data; Section 6 Border surveillance and security; Section 7 Development at the expense of human rights? The case for caution; Endnotes. Executive Summary: Information technology transfer is increasingly a crucial element of development and humanitarian aid initiatives. Social protection programmes are incorporating digitised Management Information Systems and electronic transfers, registration and electoral systems are deploying biometric technologies, the proliferation of mobile phones is facilitating access to increased amounts of data, and technologies are being transferred to support security and rule of law efforts. Many of these programmes and technologies involve the surveillance of individuals, groups, and entire populations. The collection and use of personal information in these development and aid initiatives is without precedent, and subject to few legal safeguards. In this report we show that as development and humanitarian donors and agencies rush to adopt new technologies that facilitate surveillance, they may be creating and supporting systems that pose serious threats to individuals’ human rights, particularly their right to privacy. Section 1 Introduction: 1.0 It is hard to imagine a current public policy arena that does not incorporate new technologies in some way, whether in the planning, development, deployment, or evaluation phases.
Everything You Need to Know About Crypto Management Contents
Everything you need to know about Crypto Management. Contents: The New Data Security Landscape; Encryption; What About the Cryptographic Keys?; Building a Crypto Foundation; The Four V’s Model; 1. Crypto Processing and Acceleration; Gemalto Integration Ecosystem; 2. Key Storage; Centralized key storage (keys stored in hardware); Distributed key storage (keys stored at the endpoints); 3. Key Lifecycle Management; Key generation and certification; Key distribution
St Sar Eid Whitepaper 101007Fi
Edition 1/2007. The SECURE Application Review is a Silicon Trust Program publication, sponsored by Infineon Technologies AG. Editorial Team: Wendy Atkins, Rainer Bergmann, Dr. Detlef Houdeau, Nicole Mountain. Project Development: Krowne Communications GmbH, Berlin, Germany. This copy of SECURE Application Review is Copyright 2007 by Infineon Technologies AG. Any comments may be addressed to [email protected] No portion of this publication may be reproduced in part or in whole without the express permission, in writing, from the publisher. All product copyrights and trademarks are the property of their respective owners. All product names, specifications, prices and other information are correct at the time of going to press but are subject to change without notice. The publisher takes no responsibility for false or misleading information or omissions. Further Information can be found at: www.silicon-trust.com SECURE Application Review: CITIZEN CARDS. Contents: Definitions; Part 1 – Overview & market dynamics: Change and citizen empowerment; Part 2 – Applications: A smart way to deal with government applications; Partner Inputs: Precise Biometrics; Part 3 – Form factors: Matching
SEACHILL (UK) Ltd. CASE STUDY
SEACHILL (UK) Ltd CASE STUDY • Zero shipping errors • Complete supply chain visibility • Visual guidance for corrective actions • Rapid, automated handling of fresh fish products • Negligible tag costs • Fast deployment & ROI SEACHILL (UK) Ltd. VISIDOT CHOSEN FOR HIGHLY EFFECTIVE AUTOMATION AND 100% SHIPPING ACCURACY Seachill, now part of the Icelandic Group, was formed in 1998 to become one of the UK’s leading fresh fish processors. Seachill supplies fresh fish to Tesco, the UK’s foremost food retailer. The company has demonstrated strong and rapid growth, coinciding with both the development of the fresh fish market and Tesco’s increasing share of that market. Seachill presently employs more than 600 employees at its Grimsby production plant, which ships and delivers hundreds of fresh fish pallets a week. In early 2006, increasing customer demand for reduced lead time and faster shipping turnaround prompted Seachill to seek a solution that would enable it to automate its dispatch area and speed up its shipping and dispatching processes. outbound products – became a bottleneck that could potentially limit throughput on large product volumes. “Dispatch was having a hard time handling the influx of data during shipping peaks, making it very clear that we needed to research potential scanning and shipping automation solutions.” A number of options were considered, including RFID. However, the prohibitive cost of RFID tags, especially in the context of high volumes of relatively low-cost products, and concern over RFID’s potential sensitivity to the cold and damp conditions dominating the dispatch area deemed the technology impractical for Seachill’s needs. “After taking all of our requirements into
Katoen Natie Opts for a Zetes Print & Apply Solution
Katoen Natie opts for a Zetes Print & Apply solution. 11/02/2009. The Spanish subsidiary of the Belgian group Katoen Natie is automating its labelling and dispatch control process with a P&A solution developed by MD, the Barcelona-based Zetes division specialising in this segment. This solution covers the needs of the Katoen Natie packaging and order preparation departments in line with the two objectives of eliminating labelling errors and boosting the productivity of the logistics centre. Barcelona, 11th of February 2009 - Zetes (Euronext Brussels: ZTS), the leading European integrator of solutions for the automatic identification of goods and people, has successfully completed the installation of a made-to-measure solution for the Spanish logistics centre of Katoen Natie, situated in Azuqueca de Henares (Guadalajara). Katoen Natie is therefore today working with a labelling and dispatch control system based on an automatic labelling solution (P&A) developed by Zetes. Katoen Natie is a company specialising in logistics for the petro-chemical, industrial, consumer goods and port operations sectors. The logistical centre that is hosting the solution includes 3000 square metres of warehouses occupied by an audiovisual company. Thousands of DVDs are sent from Azuqueca de Henares every day. Zetes’ brief was to develop a tailor-made solution that met three basic functions: the printing and application of labels showing the price of each DVD on an automated packing line; the application, on these same DVDs, of the pre-printed labels (also on an automated packing line) and finally, the subsequent control of each product to ensure the compliance of the labelling.
Digital Identification: A Key to Inclusive Growth
Digital identification: A key to inclusive growth. April 2019. McKinsey Global Institute. Since its founding in 1990, the McKinsey Global Institute (MGI) has sought to develop a deeper understanding of the evolving global economy. As the business and economics research arm of McKinsey & Company, MGI aims to provide leaders in the commercial, public, and social sectors with the facts and insights on which to base management and policy decisions. MGI research combines the disciplines of economics and management, employing the analytical tools of economics with the insights of business leaders. Our “micro-to-macro” methodology examines microeconomic industry trends to better understand the broad macroeconomic forces affecting business strategy and public policy. MGI’s in-depth reports have covered more than 20 countries and 30 industries. Current research focuses on six themes: productivity and growth, natural resources, labor markets, the evolution of global financial markets, the economic impact of technology and innovation, and urbanization. Recent reports have assessed the digital economy, the impact of AI and automation on employment, income inequality, the productivity puzzle, the economic benefits of tackling gender inequality, a new era of global competition, Chinese innovation, and digital and financial globalization. MGI is led by three McKinsey & Company senior partners: Jacques Bughin, Jonathan Woetzel, and James Manyika, who also serves as the chairman of MGI. Michael Chui, Susan Lund, Anu Madgavkar, Jan Mischke, Sree Ramaswamy, and Jaana Remes are MGI partners, and Mekala Krishnan and Jeongmin Seong are MGI senior fellows. Project teams are led by the MGI partners and a group of senior fellows and include consultants from McKinsey offices around the world.
Enhanced Functionality Brings New Privacy
[2018] T. Szádeczky. DOI 10.5817/MUJLT2018-1-1. ENHANCED FUNCTIONALITY BRINGS NEW PRIVACY AND SECURITY ISSUES – AN ANALYSIS OF EID* by TAMÁS SZÁDECZKY**. As compared with traditional paper-based versions and the standard username-password login to e-Government services, the new electronic identity and travel documents have made on-site electronic and on-line authentication of citizens more comfortable and secure. The biometric passport was introduced in Hungary in 2006. A decade later the electronic identity card (eID) was implemented. The reason for the improvement of such documents is twofold: enhancing security features and performing new functions. The development is certainly welcome, but it also generates new types of risks, which governments and citizens must take into account. In this paper, I will first analyze the most widespread technologies of data storage cards from the passive elements to the chipcards, including the biometric passport. The objective is to provide an overview of the technical development as a background to my paper. I will then proceed to an analysis of the relevant EU and national legal background, data elements, data protection and the functions (ePASS, eID, eSIGN) of the new Hungarian and German identity card, as well as the security risks and protection properties of the eID-type documents. The paper concludes with a summary of the lessons learned from and the risks involved in the current solutions in Hungary and Germany. * The work was created in commission of the National University of Public Service under the priority project KÖFOP-2.1.2-VEKOP-15-2016-00001 titled “Public Service Development Establishing Good Governance” in the Miklós Zrínyi Habilitation Program.
Attack Tree for Modelling Unauthorized EMV Card Transactions at POS Terminals
Attack Tree for Modelling Unauthorized EMV Card Transactions at POS Terminals. Dilpreet Singh, Ron Ruhl and Hamman Samuel, Information System Security and Management Department, Concordia University College of Alberta, 7128 Ada Blvd NW, Edmonton, AB, Canada. Keywords: EMV, EMV Transaction Process, Attack, Attack Tree Methodology, Point of Sale Terminal, PCIDSS. Abstract: Europay, MasterCard and Visa (EMV) is a dominant protocol used for smart card payments worldwide, with over 730 million cards in circulation. One goal of the EMV protocol is to secure debit and credit transactions at a point-of-sale (POS) terminal, but still there are vulnerabilities, which can lead to unauthorized disclosure of cardholder data. This research paper will provide the reader with a single document listing the vulnerabilities leading to various possible attacks against EMV payment card transaction process at a POS terminal. Attack tree methodology will be used to document these vulnerabilities. This research will also provide the countermeasures against various possible attacks. 1 INTRODUCTION: For 25 years, EMV has implemented payment cards which initially used a magnetic stripe only but now contain a chip microprocessor which processes payments at POS devices. This research examines EMV when the card is present at a POS terminal and will use attack tree methodology to describe the security of dynamic data authentication and combined data authentication (DDA/CDA) EMV cards. 2.1.1 Application Selection: EMV cards may contain multiple applications (Debit/Credit/ATM) and files supporting the applications. On inserting the EMV card into the POS terminal, the terminal requests to read the file “1PAY.SYS.DDF01” listing the applications that the chip card contains. After successful application selection, the card sends the Processing
Der Personalausweis / The German Identity Card
The German identity card (Der Personalausweis). On 2 August 2021, the new design of the German national identity card will be launched. The new design is distinguished by an EU flag, in line with Regulation (EU) 2019/1157. This leaflet explains the key security features of the new ID card. Many familiar features have been brought into line with the latest technology and some new high-security features have been added. These improvements continue to enable the reliable detection of misuse, counterfeiting or forgery of the ID card. The online ID function (eID) remains an integral part of the ID card. Furthermore, two fingerprints are stored in the chip. As soon as the card is issued, the fingerprints are deleted from the records of the issuing authority and the card producer, as usual. With fingerprints as an additional biometric feature, it is easier for the competent authorities to detect misuse of cards by persons of similar appearance to cardholders. German-language column of the leaflet, translated: From 2 August 2021, the identity card will be introduced in the new design. The new design is outwardly recognizable by the EU flag, which from 2 August 2021 will likewise be introduced on all identity cards of the EU member states. Germany is thereby implementing the requirements of Regulation (EU) 2019/1157. This flyer explains the essential security features. Many familiar features have been brought up to the state of the art and supplemented with further, highly secure features. Misuse, alteration or total forgery can thus continue to be reliably detected. The online ID function (eID) remains an unchanged part of the identity card. In addition, two fingerprints are stored in the chip of the card.
Industry Perspectives on the Evolution of EMV Payment Tokenization
Industry Perspectives on the Evolution of EMV Payment Tokenization. Revised May 6, 2019 [Original release date September 24, 2018]. Susan Pandy, Ph.D. and Marianne Crowe, Federal Reserve Bank of Boston. Marianne Crowe is Vice President and Susan Pandy is Director in the Payments Strategies Group at the Federal Reserve Bank of Boston. The views expressed in this paper are solely those of the authors and do not reflect official positions of the Federal Reserve Banks of Boston or the Federal Reserve System. Mention or display of a trademark, proprietary product or firm in this report does not constitute an endorsement or criticism by the Federal Reserve Bank of Boston or the Federal Reserve System and does not imply approval to the exclusion of other suitable products or firms. The authors would like to thank members of the MPIW and other industry stakeholders for their engagement and contributions to this report. Table of Contents: Executive Summary; I. Introduction; II. Changes between EMV Payment Tokenisation Specification v1.0 versus v2.0; III. Impacts of Evolution of Payment Tokenization on the Mobile Payments Landscape; A. Emergence Third Party Token Service Providers (TSPs)
Smartcards and RFID
Smartcards and RFID. IPA Security Course. Lejla Batina & Erik Poll, Digital Security, University of Nijmegen.

Overview
• example uses
• (security) functionality
• smartcard technicalities
• RFID technicalities
• attacks

Smartcard & RFID uses

Example smartcard & RFID uses
• bank cards
• SIMs in mobile phone
• public transport
  – eg OV chipkaart in NL
• identity documents
  – modern passports and national ID cards contain (contactless) chip
• access cards
  – to control access to buildings, computer networks, laptops,...
  – eg Rijkspas for government personnel
  – eg UZI pas for medical personnel to access EPD
  – pay TV

(Security) functionality

Differences? Commonalities?
With respect to functionality or security

Differences & Commonalities
• all provide data storage
• for reading and/or writing
• but secured to different degrees & in different ways
  – different aims of securing:
    • confidentiality
    • integrity/authenticity
  – different ways of securing
    • integrity by physical characteristics vs digital signatures
    • access control (eg PIN code, password, crypto protocol) possible on smartcard, not on a magstripe

Differences? Commonalities?

Smartcard vs other computers
No fundamental difference! Smartcard does not only offer data storage but also processing power.
Btw, smartcards outnumber normal computers such as PCs and laptops.
Smartcard is restricted in its possibilities. How, for example?
Smartcard can offer security that PC cannot. What, for example? eg you cannot remove the hard drive

Smartcard technicalities

What is a smartcard?
• Tamper-resistant computer, on a single chip, embedded in piece of plastic, with very limited resources
  – aka chip card or integrated circuit card (ICC)
• capable of “securely”
  – storing data
  – processing data
• This processing capability is what makes a smartcard smart; stupid cards can store but not process
• NB processing capabilities vary a lot...