Guessing Human-Chosen Secrets


Guessing human-chosen secrets

Joseph Bonneau
University of Cambridge
Churchill College

April 2012

This dissertation is submitted for the degree of Doctor of Philosophy

Declaration

This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration except where specifically indicated in the text. No parts of this dissertation have been submitted for any other qualification. This dissertation does not exceed the regulation length of 60,000 words, including tables and footnotes.

In memory of Fletcher (1998-2012). I wish you were around to see this dissertation and fall asleep on it.

Joseph Bonneau, April 2012

Acknowledgements

I am grateful to my supervisor Ross Anderson for help every step of the way, from answering my emails when I was a foreign undergraduate to pushing me to finally finish the dissertation. He imparted countless research and life skills along the way, in addition to helping me learn to write in English all over again. I was also fortunate to be surrounded in Cambridge by a core group of "security people" under Ross' leadership willing to ask the sceptical questions needed to understand the field. In particular, I've benefited from the mentorship of Frank Stajano and Markus Kuhn, the other leaders of the group, as well as informal mentorship from Richard Clayton, Bruce Christianson, Mike Bond, George Danezis, Claudia Diaz, Robert Watson and Steven Murdoch amongst many others. I thank Arvind Narayanan for his support and mentorship from afar. I am most appreciative of the personal mentorship extended to me by Saar Drimer through my years in the lab, which always pushed me to be more honest about my own work. I am grateful to all of my collaborators, particularly my fellow students Andrew Lewis, Sören Preibusch, Jonathan Anderson, Rubin Xu and Ekaterina Shutova.

I was also fortunate to be able to collaborate remotely with Cormac Herley and Paul van Oorschot, senior researchers who always treated me as an equal. I owe special thanks to Hyoungshick Kim, thanks to whose patience and positivity I spent thousands of hours peacefully sharing a small office. My research on passwords would not have been possible without the gracious cooperation and support of many people at Yahoo!, in particular Richard Clayton for helping to make the collaboration happen, Henry Watts, my mentor, Elizabeth Zwicky who provided extensive help collecting and analysing data, as well as Ram Marti, Clarence Chung, and Christopher Harris who helped set up data collection experiments. My research on PINs depended on many people's help, including Alastair Beresford for assistance with survey design, Daniel Amitay for sharing data, and Bernardo Bátiz-Lazo for comments about ATM history.

I never would have made it to Cambridge without many excellent teachers along the way. From Stanford, I thank Ilya Mironov, Dan Boneh, and John Mitchell for inspiring me to pursue computer security research as an undergraduate. I thank Robert Plummer for his mentorship of me while at Stanford, for inspiring me to love teaching and encouraging me to study at Cambridge. From earlier on, I thank all of the teachers who showed me how to learn: Mike Kelemen, Steve Hettleman, David Goldsmith, David Goldman, Michael Collins, and David Nelson.

My research depended on a large suite of free software. I am indebted to the entire free software movement, in particular the developers of the GNU, Linux, Ubuntu, GNOME, Mozilla, TeX/LaTeX, Python, matplotlib, SciPy, NumPy, and R projects.

My time in Cambridge was supported financially by the Gates Cambridge Trust. I am particularly grateful to Gordon Johnson and James Smith for personal help and encouragement, as well as all the officers of the Gates Scholars' Council during my time as president.

I thank all of my friends in Cambridge for helping me adjust to life in a new country and the frustrations of life as a graduate student. I'll particularly remember my housemates Andrew Marin, Niraj Lal and Matt Warner, as well as Andra Adams, Marianne Bauer, Lindsay Chura, Justine Drennan, Molly Fox, Talia Gershon, Simone Haysom, Stella Nordhagen, Adeline Oka, Sri Raj, Megan Sim, Jessica Shang, Brian Spatocco, Elsa Treviño, and Cleo Tung for close friendships, all of which turned a day around for me at some point during my time in Cambridge. Thanks to modern technology I also received considerable support from friends overseas which kept my spirits up throughout my time in England. I thank my friends Alexandra Bowe, Dave Emme, Alissa Chow and Brent Newhouse for being there when I wanted to talk to a familiar voice, as well as the entire Smitty league of Keegan Dresow, Will Helvestine, Tyler Jank, Jon Levine, Bobby Simon and Steve Zabielskis for listening to my rants and giving me a reason to laugh just about every day.

Above all I am grateful for support from my family, who may be few in number and small in stature but have remained a big presence in my life through it all: my cousins Selim and Sinan, uncle Turhan and aunt Phyllis for welcoming me in Turkey after my years-delayed trip, my aunt Amy for chocolate and weekly trivia questions, my grandmother Anne for making sure I keep warm, my grandmother Margaret for teaching me to love words, my siblings Buzzy and Alissa for making sure I can laugh at myself, and my mother and father for giving me so much and teaching me to always appreciate it. I love you all.

Guessing human-chosen secrets
Joseph Bonneau

Summary

Authenticating humans to computers remains a notable weak point in computer security despite decades of effort.
Although the security research community has explored dozens of proposals for replacing or strengthening passwords, they appear likely to remain entrenched as the standard mechanism of human-computer authentication on the Internet for years to come. Even in the optimistic scenario of eliminating passwords from most of today's authentication protocols using trusted hardware devices or trusted servers to perform federated authentication, passwords will persist as a means of "last-mile" authentication between humans and these trusted single sign-on deputies.

This dissertation studies the difficulty of guessing human-chosen secrets, introducing a sound mathematical framework modeling human choice as a skewed probability distribution. We introduce a new metric, α-guesswork, which can accurately model the resistance of a distribution against the full range of possible guessing attacks. We also study the statistical challenges of estimating this metric using empirical data sets which can be modeled as a large random sample from the underlying probability distribution.

This framework is then used to evaluate several representative data sets from the most important categories of human-chosen secrets to provide reliable estimates of security against guessing attacks. This includes collecting the largest-ever corpus of user-chosen passwords, with nearly 70 million, the largest list of human names ever assembled for research, the largest data sets of real answers to personal knowledge questions and the first data published about human choice of banking PINs. This data provides reliable numbers for designing security systems and highlights universal limitations of human-chosen secrets.

Contents

1 Introduction 11
  1.1 Model of authentication and guessing attacks 12
  1.2 Outline of this dissertation 14
  1.3 Prerequisites 15
  1.4 Mathematical notation 16
  1.5 Previous publications and collaboration 17
  1.6 Statement on research ethics 18
2 Background 19
  2.1 History 19
  2.2 Practical aspects of password authentication 21
  2.3 Improvements to passwords 26
  2.4 Password cracking 34
  2.5 Evaluating guessing difficulty 36
3 Metrics for guessing difficulty 43
  3.1 Traditional metrics 43
  3.2 Partial guessing metrics 46
  3.3 Relationship between metrics 52
  3.4 Application in practical security evaluation 56
4 Guessing difficulty of PINs 57
  4.1 Human choice of other 4-digit sequences 57
  4.2 Surveying banking PIN choices 63
  4.3 Approximating banking PIN strength 64
  4.4 Security implications 67
5 Estimation using sampled data 68
  5.1 Naive estimation 68
  5.2 Known negative results 70
  5.3 Sampling error for frequent events 71
  5.4 Good-Turing estimation of probabilities 72
  5.5 The region of stability for aggregate metrics 75
  5.6 Parametric extension of our approximations 79
6 Guessing difficulty of passwords 82
  6.1 Anonymised data collection 82
  6.2 Analysis of Yahoo! data 86
  6.3 Comparison with other password data sets 90
  6.4 Comparison with natural language patterns 93
7 Guessing difficulty of personal knowledge questions 94
  7.1 Sources of data 95
  7.2 Analysis of answers 97
  7.3 Security implications 101
8 Sub-optimal guessing attacks 103
  8.1 Divergence metrics 103
  8.2 Applications 106
9 Individual-item strength metrics 112
  9.1 Strength metrics 113
  9.2 Estimation from a sample 115
  9.3 Application to individual passwords 116
  9.4 Application to small data sets 118
10 Conclusions and perspectives 120
Bibliography 147
A Glossary of symbols 148
B Additional proofs of theorems 151
  B.1 Lower bound on $G_1$ for mixture distributions 151
  B.2 Bounds between $\tilde{G}_\alpha$ and $\tilde{\mu}_\alpha$ 151
  B.3 Non-comparability of $\tilde{\lambda}_\beta$ with $\tilde{G}_1$ and $H_1$ 153
  B.4 Non-additivity of partial guessing metrics 154
  B.5 Expected value of index strength metric $\sigma_I(x)$ for a uniform distribution 156
C PIN survey detail 157
D List of password data sets 159
E Sources of census data 162

Computers are useless. They can only give you answers.
Pablo Picasso, 1968

Chapter 1

Introduction

Secret knowledge stored in human memory remains the most widely deployed means of human-computer authentication.