IAB Technical Plenary Debates the Opportunities and Challenges of Internet Payment Systems

By: Carolyn Duffy Marsan

Date: July 1, 2014

In response to an increase in the number of financial transactions being conducted over the Internet, the Internet Architecture Board held a technical plenary discussion about the challenges facing Internet-scale payment systems such as Bitcoin at the IETF 89 meeting in London.

Malcolm Pearson, director of development for e-commerce at Microsoft China, said Internet payment systems are in a similar situation to that of email 25 years ago, with each vendor having its own standards until the Simple Mail Transfer Protocol (SMTP) and Secure/Multipurpose Internet Mail Extensions (S/MIME) protocols emerged.

“I’m hoping we get the same kinds of benefits out of the convergence of protocols around payments,” he added.

Pearson pointed out that online payment systems face many challenges, including the fact that countries have their own currencies, as well as cultural differences regarding how people make gifts and payments, and whether they prefer cash or credit. Internet-based payment systems need to take these differences into account, as well as complex scenarios such as subscriptions, usage-based pricing, consumer-to-consumer payments, returns and cash settlements, and tax and financial reporting.

“Another very interesting tension is between security and convenience,” Pearson said. “In North America, I can supply a credit card to a merchant I trust, and they will even keep track of this for me, and they’ll make it very easy for me to make subsequent charges on this… But in China, if you provide that kind of experience, many users will reject it and feel that you’re not providing enough security.”

Pearson said he sees many productivity advantages to having standards for online payment systems that can provide secure interactions between merchants, users and payment sources. This is especially true in countries where large portions of the population don’t have bank accounts or credit cards.

“There are statistics that say that in a lot of these emerging markets, without an e-commerce system, people spend two working days a month just dealing with bringing cash to family members or paying bills, which is a big load,” Pearson said. “There’s some good we can potentially do by solving this problem.”

Pearson pointed out that online payment systems have to deal with varying timeframes, from several days to reconcile a subscription service to a few minutes to handle a restaurant bill to an immediate response for online gaming.

One scenario that’s on the rise is mobile billing, which allows a customer to purchase an item from a website or store and use their mobile device as an e-wallet. Some mobile billing networks use Short Message Service (SMS) for authentication, while others use the mobile network or Subscriber Identification Module (SIM) card in the device to authenticate the transaction. Quick Response (QR) codes offer another layer of protection as they provide the mobile network operator with some validation that the user was present when the purchase was made.

“Authentication can be tied around the mobile device and then transferred to the carrier,” Pearson said. “The carrier has good ways to be able to trust the mobile device and then pass on strong proof to the merchant that funds are available.”

Issues to consider with mobile billing include whether possession of a device is enough to authenticate a transaction given that devices can be stolen or hacked. Another issue is the popularity in some countries of cash kiosks and retail centers, where customers pay for online purchases rather than using credit cards.

Pearson said e-wallets have the potential to address these issues because they behave like a bank account and can be funded through cash kiosks, mobile networks, and credit cards. “E-wallets could be relevant in North America as well as emerging markets,” he added.

Pearson said there are opportunities for standardization within the online payments area where the IETF might contribute. These include invoices, user authentication, source payment authorization, cash reconciliation, and financial reporting.

“One place where we’ve been applying pressure is just to do cash reconciliation protocols, just getting the file formats converged,” he said. “We actually have found that the participants are pretty willing to play. So there is, in fact, hope that the parties do want to work towards convergence.”

Next up at the plenary was Steve Kirsch, Founder and CEO of OneID, who gave a talk in which he debunked 15 myths in the area of secure payment authentication.

“Authentication and secure payment authorization are almost the same thing,” Kirsch said. “So we can use the same protocols, and it is just what we sign that’s different. So I’m going to be talking about identity and about secure authorization. But they’re really interrelated.”

Kirsch’s first myth is that there is no way to fix mass password and credit card breaches. The problem, he said, is that both passwords and credit cards are shared secrets. Further, half of Internet users have one password for all of their accounts.

“The solution to this breach problem is that we just get rid of all the shared secrets… and replace them with digital signatures,” he said, adding that digital signature technology has been available for many years but that companies and individuals are not motivated enough to adopt them despite major losses from data breaches.

The second myth is that adopting two-factor authentication eliminates password breaches. Kirsch said that while this technology prevents keylogging attacks, it is not a remedy against mass breaches because it ends up being another shared secret. “Users hate it,” he added.

Myth number three is that out-of-band two-factor authentication must be safe because banks use it. “The problem is that it’s in-band two-factor authentication,” Kirsch said. “You’re entering code on the same computer as user name and password. If I compromise that computer, you’re done.”

Kirsch also debunked the myth that biometrics will solve this problem. While they are useful locally, he said, the reader has to be controlled at all times.

Another myth Kirsch addressed is that it’s impossible to store credit cards in a secure manner. He argued that there are secure Payment Card Industry (PCI) compliant vaults that use a crypto secret on the user’s device to encrypt the card. When a purchase is made, the user’s device asks for encrypted card data, decrypts it, and passes it to the merchant.

Kirsch argued that passwords are not inherently bad; they just aren’t used appropriately. What’s wrong about today’s Internet security systems is that passwords are used as shared secrets, which leaves them open to a breach.

“The right way to use passwords is to never disclose them and never share them off your local device,” he said, adding that passwords should be combined with random data and then used as a signing key.
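The scheme Kirsch describes, as an added example that is not from the talk or from OneID: a password combined with device-held random data becomes an ECDSA signing key, the server stores only the public key, and the same key signs either a login challenge or a payment authorization ("it is just what we sign that's different"). The choice of scrypt, the P-256 curve, the JSON message shapes and all function names are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Device side: password + device-held random salt -> P-256 signing key.
// scrypt and P-256 are assumptions; the article only names ECDSA.
function deriveSigningKey(password, deviceSalt) {
  const d = crypto.scryptSync(password, deviceSalt, 32);
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.setPrivateKey(d); // throws in the ~2^-32 case that d is out of range
  const pub = ecdh.getPublicKey(); // 0x04 || X || Y, 65 bytes
  const publicJwk = {
    kty: 'EC', crv: 'P-256',
    x: pub.subarray(1, 33).toString('base64url'),
    y: pub.subarray(33, 65).toString('base64url'),
  };
  const privateKey = crypto.createPrivateKey({
    key: { ...publicJwk, d: d.toString('base64url') }, format: 'jwk',
  });
  return { privateKey, publicJwk }; // only publicJwk is sent to the server
}

function signMessage(privateKey, message) {
  return crypto.sign('sha256', Buffer.from(JSON.stringify(message)), privateKey);
}

// Server side: verifies with the stored public key; it holds no secret.
function verifyMessage(publicJwk, message, signature) {
  const publicKey = crypto.createPublicKey({ key: publicJwk, format: 'jwk' });
  return crypto.verify('sha256', Buffer.from(JSON.stringify(message)), publicKey, signature);
}

// Constructed scenario: the same key signs a login challenge and a payment.
function demo() {
  const salt = crypto.randomBytes(16); // never leaves the device
  const device = deriveSigningKey('correct horse battery', salt);
  const serverDb = { alice: device.publicJwk }; // what a breach would expose
  const nonce = () => crypto.randomBytes(16).toString('hex'); // server-issued
  const login = { type: 'login', user: 'alice', nonce: nonce() };
  const pay = { type: 'pay', user: 'alice', payee: 'merchant-1', amount: '19.99', nonce: nonce() };
  const paySig = signMessage(device.privateKey, pay);
  const guess = deriveSigningKey('wrong password', salt);
  return {
    loginOk: verifyMessage(serverDb.alice, login, signMessage(device.privateKey, login)),
    payOk: verifyMessage(serverDb.alice, pay, paySig),
    tamperedPayOk: verifyMessage(serverDb.alice, { ...pay, amount: '1999.00' }, paySig),
    wrongPasswordOk: verifyMessage(serverDb.alice, login, signMessage(guess.privateKey, login)),
    serverHoldsSecret: 'd' in serverDb.alice,
  };
}
```

The random salt is what keeps a leaked public key from being usable for offline password guessing: without the 16 device-held bytes, a guessed password cannot be turned into a candidate key to compare against the server's record.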

Additionally, Kirsch argued that popular crypto methods such as Public Key Infrastructure (PKI), RSA Crypto, and EMV (Europay, MasterCard, and Visa) standards aren’t as safe as Internet engineers believe. Instead, Kirsch recommends using elliptic curve cryptography (ECC) and its companion digital signature algorithm (ECDSA).

Kirsch debunked the idea that the FIDO (Fast IDentity Online) Alliance will solve this problem because it is developing online identity technology that addresses authentication only and not authorization of transactions. “If you lose your device, you’re screwed,” he said.

Further, Kirsch argued that Internet users should not trust most federated identity providers, including Facebook, Google and LinkedIn. However, Kirsch said that there are trustable federated identity providers where security is guaranteed by the architecture and ECDSA replaces shared secrets.

“There is no single point of compromise because it uses multiple digital signatures,” Kirsch said.

Another myth that Kirsch debunked is that trustable federated identity services are too hard to use and not as safe as proprietary identity systems. He argued that these services are as easy to use as Facebook and are immune to all known threats.

Kirsch argued that an IETF standard is not necessarily the best way to fix the online security problem. He pointed out that the IETF itself is using computer security technologies that are outdated, such as passwords for its mailing lists.

As far as Bitcoin is concerned, Kirsch said that nothing on the horizon looks lethal for this technology, but that there is also no evidence that it is going to be the future of online payments.

“The winner will be digitally signed end-to-end secure transactions,” he said, adding that he favors open application programming interfaces (APIs) and a simple technique for transferring money.

Kirsch concluded that it is likely Bitcoin will be regulated in the future. But until then, he warns against storing Bitcoins in services that use in-band two-factor authorization because these systems are a type of shared secret and are susceptible to mass breach and malware.

Applied Networking Research Prize Nominations Increase by 36 Percent

In other news, the Internet Research Task Force (IRTF) reported that it received the largest-ever number of nominations for its Applied Networking Research Prize, a three-year-old program supported by the Internet Society.

The IRTF received 46 nominations—up from 36 last year—for the prize, which is given to academic researchers to recognize the best new ideas in networking, and bring them to the IETF and IRTF meetings. The IRTF chose six winners for 2014, and two winners spoke at the London meeting: Kenny Paterson from the University of London discussed new attacks on Transport Layer Security (TLS); and Keith Winstein from Massachusetts Institute of Technology spoke about a new transport protocol to support interactive applications over cellular networks.