Wednesday, December 11, 2024

Security Notes: Post-Covid Payment Security Hangs on Getting Identity Right

The horrible global pandemic has created a massive shift toward e-commerce, and the fraudsters could not be happier. Online, the only difference between a legitimate transaction and a fraudulent one is possession of a small piece of data that the bona fide customer holds and the fraudster presumably does not.

All that the fraudster has to do, then, is to get hold of this tiny piece of data and—bingo!

Most shoppers are reassured when a site announces that it is in “secure mode,” the padlock of an encrypted session. That is a genuine measure of security, but it is narrower than it looks. The key agreement at its heart, Diffie-Hellman, only guarantees that the two parties who started an online conversation are the ones who continue it: an eavesdropper on the wire learns nothing and cannot tamper with the traffic. It does not, by itself, identify either party to the other. Run without authentication, the exchange falls to a man in the middle who quietly completes a separate exchange with each side, and the discrete-logarithm problem it rests on will fall to a sufficiently large quantum computer. In practice a certificate ties the merchant’s server to the session, but nothing in the handshake tells the merchant who the shopper is.

That identification is relegated to a shared secret: a password, a card number, a one-time code. Hackers hunt this shared secret, and its owners hide it as best they can. A merchant or a bank keeps a repository of these shared secrets for all its customers, so that repository is a prime target for cyber pirates.

A recent technique (U.S. Patent No. 10,395,053) defeats this attack by maintaining a subtle difference between the version of the secret on the customer’s phone and the version kept in the merchant’s database. If the database is breached and the spoils are submitted as credentials, the merchant quickly sees that what arrived is exactly what sits in its own database, lacking the expected subtle difference. That finding both rejects the attempt and exposes the breach.

A very basic defense of identity credentials is to make them short-lived, so that a stolen credential soon enough becomes a useless piece of data. Historically this strategy was expensive: it involved many moving parts, so credentials lived longer than they should have. Recent technology offers silent replacement of identity credentials, giving them a very short lifespan without the shopper or the store ever noticing. The computers do the talking.
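As an added illustration of the two ideas above (this is the editor’s example, not the patented technique and not BitMint code; the pepper, the sixty-second lifetime and the “alice” walk-through are all constructed), the merchant side below stores only a keyed digest of each customer’s token, so the bytes in its database never equal the bytes on the phone. A caller who presents the stored digest verbatim can only have copied it from the database, which rejects the attempt and raises a breach alert. Every successful payment silently retires the presented token and hands back a fresh one, so a sniffed token is useless a moment later and an unused one ages out on its own.

```python
import hashlib
import hmac
import secrets

TOKEN_TTL = 60.0  # seconds a token stays valid; short by design (assumed value)


class CredentialStore:
    """Merchant side. The database keeps only a keyed digest of each customer's
    token, so the customer's copy and the stored copy are never the same bytes.
    This is an assumed design for illustration, not the patented method."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper      # server key held outside the customer table
        self._records = {}         # customer_id -> (stored_digest, expires_at)
        self.breach_alerts = []    # customers whose stored form was replayed

    def _derive(self, token: bytes) -> bytes:
        return hmac.new(self._pepper, token, hashlib.sha256).digest()

    def issue(self, customer_id: str, now: float) -> bytes:
        """Mint a fresh token, store only its digest, hand the token to the client."""
        token = secrets.token_bytes(32)
        self._records[customer_id] = (self._derive(token), now + TOKEN_TTL)
        return token

    def authenticate(self, customer_id: str, presented: bytes, now: float):
        """Return a replacement token on success, None on failure."""
        record = self._records.get(customer_id)
        if record is None:
            return None
        stored_digest, expires_at = record
        # Canary: the stored digest can only be presented verbatim by someone
        # who copied it out of this database. Reject and raise the alarm.
        if hmac.compare_digest(presented, stored_digest):
            self.breach_alerts.append(customer_id)
            return None
        if now > expires_at:
            return None
        if not hmac.compare_digest(self._derive(presented), stored_digest):
            return None
        # Success: silently retire the presented token and rotate.
        return self.issue(customer_id, now)


class Wallet:
    """Customer side. Swaps in each replacement token without the user noticing."""

    def __init__(self, customer_id: str, token: bytes):
        self.customer_id = customer_id
        self.token = token

    def pay(self, store: CredentialStore, now: float) -> bool:
        replacement = store.authenticate(self.customer_id, self.token, now)
        if replacement is None:
            return False
        self.token = replacement
        return True


def run_scenario() -> dict:
    """Constructed walk-through: one honest wallet, two attackers."""
    store = CredentialStore(pepper=b"constructed-example-pepper")
    t0 = 1_700_000_000.0
    wallet = Wallet("alice", store.issue("alice", t0))
    sniffed = wallet.token                       # attacker 1 captured the first token
    first_payment = wallet.pay(store, t0 + 5)    # rotates the token
    sniffed_replay = store.authenticate("alice", sniffed, t0 + 6) is not None
    dumped = store._records["alice"][0]          # attacker 2 dumped the database
    dump_replay = store.authenticate("alice", dumped, t0 + 7) is not None
    second_payment = wallet.pay(store, t0 + 10)
    stale_payment = wallet.pay(store, t0 + 10 + TOKEN_TTL + 1)  # token aged out
    return {
        "first_payment": first_payment,
        "sniffed_replay_accepted": sniffed_replay,
        "dump_replay_accepted": dump_replay,
        "breach_alerts": list(store.breach_alerts),
        "second_payment": second_payment,
        "stale_payment": stale_payment,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The pepper must live somewhere the customer table does not (a key-management service or hardware module), otherwise a thief who takes the whole server can derive stored digests from sniffed tokens. The canary check runs before the expiry check on purpose: a replay of the stored form should trip the alarm even for a record that has already aged out.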

We now envision ever more payment activity driven by the Internet of Things. Here, too, technology stands ready for the hackers, with powerful tools based on quantum randomness.

A third approach is growing in popularity: behavior. An elaborate, privacy-invading database tracks each consumer’s habits, and if a consumer appears to shop from an unusual location, or buys something unlike what she usually buys, a flag is raised. Vendors love it because it is not a “buy-once” tool but a “pay-forever” service. Alas, merchants pay for it in both directions: false positives reject bona fide customers, and false negatives admit fraudsters who take care to look ordinary.
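To make the two error modes concrete, here is a toy behavioral scorer written for this column (the editor’s example, not any vendor’s product; the purchase history, the scoring rules, the threshold and the four test transactions are all constructed). It awards points for an unfamiliar country, an unseen merchant category and an amount far outside the customer’s usual range. The same rules that catch the obvious fraud flag the cardholder on holiday and wave through a thief who keeps the purchase small and local.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed purchase history for one cardholder (not real data).
HISTORY = [
    {"amount": 42.10, "country": "US", "category": "grocery"},
    {"amount": 38.55, "country": "US", "category": "grocery"},
    {"amount": 55.00, "country": "US", "category": "fuel"},
    {"amount": 47.25, "country": "US", "category": "grocery"},
    {"amount": 61.80, "country": "US", "category": "restaurant"},
    {"amount": 35.90, "country": "US", "category": "grocery"},
]

FLAG_THRESHOLD = 2  # assumed cut-off for this illustration


def risk_score(history, tx) -> int:
    """Toy behavioral score: points for an unusual country, an unseen merchant
    category, and an amount more than three standard deviations from the norm."""
    score = 0
    home = Counter(h["country"] for h in history).most_common(1)[0][0]
    if tx["country"] != home:
        score += 2
    if tx["category"] not in {h["category"] for h in history}:
        score += 1
    amounts = [h["amount"] for h in history]
    sd = pstdev(amounts)
    if sd > 0 and abs(tx["amount"] - mean(amounts)) / sd > 3:
        score += 2
    return score


def decide(history, tx) -> str:
    return "flag" if risk_score(history, tx) >= FLAG_THRESHOLD else "allow"


# Constructed test transactions with ground truth the scorer never sees.
CASES = [
    ({"amount": 50.00, "country": "US", "category": "grocery"}, "legit"),
    ({"amount": 120.00, "country": "FR", "category": "souvenirs"}, "legit"),    # cardholder on holiday
    ({"amount": 44.99, "country": "US", "category": "grocery"}, "fraud"),       # stolen card, blending in
    ({"amount": 899.00, "country": "RO", "category": "electronics"}, "fraud"),  # the easy catch
]


def evaluate(history=HISTORY, cases=CASES) -> dict:
    """Confusion counts: a 'flag' on a legit card is a false positive (fp),
    an 'allow' on a fraud is a false negative (fn)."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for tx, truth in cases:
        flagged = decide(history, tx) == "flag"
        if truth == "fraud":
            counts["tp" if flagged else "fn"] += 1
        else:
            counts["fp" if flagged else "tn"] += 1
    return counts


if __name__ == "__main__":
    for tx, truth in CASES:
        print(f"{truth:5} {tx['country']} {tx['category']:11} {tx['amount']:8.2f} "
              f"-> score {risk_score(HISTORY, tx)}, {decide(HISTORY, tx)}")
    print(evaluate())
```

Lowering the threshold to catch the disguised fraud would also flag more of the honest customer’s ordinary purchases; raising it to stop annoying travelers lets more disguised fraud through. That trade-off, not any particular rule, is the point of the paragraph above.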

The ultimate solution is on its way: identity-circumventing payment. Remember the old days when you tossed cash on the counter, collected your change and your merchandise, and walked off? Nobody knew who you were. That scenario has all but disappeared. Even Bitcoin is identity-based. Its addresses are pseudonyms, hashes of public keys rather than names, but every payment is recorded on a public ledger, and pseudonyms can be clustered and linked to an exchange account or a shipping address. The identity is obscured, but it is there, and it is breakable.

Banks in China have built the solution: digital money, BitMint style. You pay with verifiable digital money, with or without disclosing the identity of the payer, and with or without the Internet. If the merchant gets his money’s worth for his merchandise, he is whole as far as money liability is concerned. Of course, for large payments, identity must be disclosed.

Another weapon for the good guys in this battle is taking shape as a new field emerges: “cyber chemistry,” tying cyber clouds to material reality. We are on it! (U.S. Patent No. 10,754,326)

— Gideon Samid, gideon@bitmint.com

Digital Transactions