TD Bank on the Case for Real-Time Digital ID Verification


MARCH 2021

TD Bank on the case for real-time digital ID verification: Page 7 (Feature Story)
Just 16 percent of U.S. and Canadian banks use tools needed for secure online account opening: Page 10 (News and Trends)
Why banks must optimize their identity verification strategies: Page 14 (Deep Dive)

© 2021 PYMNTS.com All Rights Reserved

TABLE OF CONTENTS

03 WHAT’S INSIDE: A look at the most recent digital identity developments, including why banks must overhaul their customer verification measures during the pandemic and how biometric technologies and other emerging tools could help them do so

07 FEATURE STORY: An interview with Angel Kadelski, head of U.S. mobile banking platforms for TD Bank, on why the banking space must adapt customer verification processes for the digital realm, such as by leveraging biometrics to ease the onboarding process without compromising security

10 NEWS AND TRENDS: The latest headlines from the space, including how many financial institutions are missing the mark on using biometric solutions to the fullest extent and a new partnership between Jumio and Bahrain-based Al Baraka Islamic Bank

14 DEEP DIVE: An in-depth examination of digital banking’s current state and how FIs are leveraging innovative identity verification tools to modernize their onboarding processes and prevent users from abandoning account setup

18 METHODOLOGY: The companies on top and how they got there

19 SCORECARD: The results are in — see the highest-ranked companies in a provider directory featuring more than 200 major digital identity players

93 ABOUT: Information about PYMNTS.com and Jumio

ACKNOWLEDGMENT

The Digital Identity Tracker® is done in collaboration with Jumio, and PYMNTS is grateful for the company’s support and insight. PYMNTS.com retains full editorial control over the following findings, methodology and data analysis.

WHAT’S INSIDE

Digital banking has been a boon to consumers who are avoiding brick-and-mortar branch visits during the pandemic, but financial institutions (FIs) are still facing several challenges as more customers take their financial habits online. One significant friction plaguing many banks is their lack of digital verification solutions — especially when it comes to account setup. A recent FICO report revealed that 51 percent of FIs in the United States and Canada still require customers to prove their identities by visiting bank branches or providing physical documents to open accounts online, for example.

There are several innovative solutions that can help banks change course on their digital ID strategies, however. The same shift that is prompting many consumers to seek cutting-edge digital and mobile banking experiences is also making them more comfortable with new technologies like biometrics. Seventy-one percent of consumers in a recent survey said they would be comfortable uploading selfies, scanning their fingerprints or providing voice-based biometrics to their banks, for example, and just 13 percent felt FIs should not be able to access their biometrics.

This is not to say that adopting digital verification solutions will be a light lift for banks. Know your customer (KYC), anti-money laundering (AML) and nation-specific data privacy rules can make it challenging for FIs to determine which measures will work best for their organizations, but investing in robust digital ID solutions is likely to be well worth it in the long run.

Around the digital ID space

Digital ID and biometric technologies hold great promise for banks looking to streamline their digital verification measures, but a recent survey revealed just how important it is for FIs to ensure that they are getting the most out of these tools. It found that 30 percent of FIs, even those that are using digital ID solutions, are still requiring customers opening additional accounts to complete applications wholesale rather than relying on streamlined authentication measures to simplify the process. This illustrates that many banks can still do more to ease account opening for their customers.

Some banks are turning to partnerships as they work to upgrade their digital banking experiences. Bahrain-based Al Baraka Islamic Bank recently announced that it would team up with digital ID verification solution provider Jumio to boost its mobile onboarding procedures, for example. The FI said Jumio’s facial recognition technology would allow mobile banking app users to take selfies for comparison with official photo IDs during account sign-up. The solution uses liveness detection to ensure that legitimate customers are present when snapping their selfies.

Biometric solutions are also catching on for applications outside the banking sector. The U.S. Customs and Border Protection (CBP) agency recently reported that it conducted facial recognition scans on 23 million travelers in 2020 — a 21 percent increase from the 19 million scanned in 2019. The agency said that the scans achieved a match rate of more than 97 percent last year and noted that its officers have used the technology to spot seven impostors at airports and 285 in other settings since 2018.

For more on these stories and other digital ID headlines, read the Tracker’s News and Trends section (p. 10).

How real-time digital ID verification helps TD Bank strike the seamless and secure balance

Many banks in the U.S. and Canada still believe customer onboarding and new account opening are best-suited for in-branch interactions, but the pandemic has forced FIs to reassess as more consumers turn to digital channels for their banking activities. Biometric tools, such as facial recognition, fingerprint scans and voiceprints, are just a few methods banks can deploy not only to ease customer onboarding but also to offer real-time ID scoring and frictionless security, according to Angel Kadelski, head of U.S. mobile banking platforms for TD Bank. In this month’s Feature Story (p. 7), Kadelski discusses why the future of digital ID verification in the banking space will involve a combination of solutions to meet customer identification program (CIP) and KYC requirements.

Deep Dive: How banks can leverage innovative ID verification tools to modernize onboarding

The pandemic has caused more consumers than ever to seek the convenience and safety of online and mobile banking solutions, but more than half of banks in the U.S. and Canada still request that consumers prove their identities when opening new accounts online by visiting branches in person or submitting paper documents. This month’s Deep Dive (p. 14) examines how banks can optimize digital ID verification during the onboarding process to both modernize the banking experience for users and deter them from abandoning account setup.

Executive Insight

Many U.S. FIs continue to rely on paper-based ID verification procedures that complicate the customer onboarding experience. What are some of the key reasons that have stopped FIs from digitizing their ID verification procedures and what kinds of ID verification tools hold the most promise to improve the onboarding experience?

“Most traditional financial institutions and banks will leverage a variety of tools and third-party databases to corroborate the identity and risk assessment of a new customer. In fact, some larger banks use as many as 70 different solutions that are cobbled together to help address those fundamental questions of identity and risk. This can prove daunting when trying to digitize the process. According to Gartner, by 2023, 75 percent of organizations will be using a single vendor with strong identity orchestration capabilities and connections to many other third parties for identity proofing and affirmation, an increase from fewer than 15 percent today. Rather than having individual solutions pieced together, financial institutions should be looking for an identity proofing platform — like the Jumio KYX Platform — that combines services and technology like identity verification, biometrics, fraud signals, AML monitoring and authentication to accurately establish, maintain and reassert trust from account opening to ongoing transaction monitoring.”

PHILIPP POINTNER
Chief product officer at Jumio

Five Fast Facts

  • 50%: Portion of consumers who use mobile banking apps
  • 31%: Share of consumers who are dissatisfied with their account opening experiences
  • 88%: Portion of mobile banking app users who use their apps to check their account balances
  • 90%: Segment of mobile banking app users who want more control over their identity authentication measures
  • 28%: Share of mobile banking app users who say they would use them more if they had transaction-specific authentication controls

FEATURE STORY

TD Bank On The Case For Real-Time Digital ID Verification

When The New Yorker published its most reprinted cartoon in the magazine’s history by cartoonist Peter Steiner in 1999, the internet — and digital identity — was still in its infancy. The cartoon featured a dog sitting at a desk, paw on a computer, saying, “On the Internet, nobody knows you’re a dog.” More than two decades later, the pandemic has created the perfect storm for shady cybercriminals to hide behind online anonymity to exact their schemes, with more consumers moving to digital channels for their daily activities than ever

The timing is right to accelerate the adoption of these tools to confirm consumers’ identities with one or more biological traits. Digital ID solutions have become essential to onboarding for new account openings, though a survey by FICO found that only 49 percent of U.S. and Canadian banks use digital ID verification methods for these processes. The study further showed that just 16 percent of these banks use integrated, real-time digital validation tools for consumers to securely open financial accounts online.