13:54:18 logging to https://www.w3.org/2023/03/28-wpwg-irc
13:54:20 Meeting: Web Payments Working Group
13:54:35 Agenda: https://github.com/w3c/webpayments/wiki/Remote-Agenda-202303
13:54:37 Chair: NickTR
13:54:46 Scribe: Ian
13:54:51 agenda+ GNAP and SPC for payments
13:54:54 agenda+ PIX
13:57:04 present+ Ian
13:57:08 present+ Bastien_Latge
13:57:20 present+ Clinton_Allen
14:01:04 present+ Anne_Pouillard
14:01:10 present+ Carey_Ferro
14:01:10 present+ Derek_Tong
14:01:10 present+ Holger_Kunkat
14:01:10 present+ Jean-Luc_di_Manno
14:01:10 present+ Praveena
14:01:11 present+ Solai
14:01:11 present+ Soumya
14:01:19 present+ Juan_Pablo_Marzetti
14:01:23 present+ Haribalu
14:01:33 present+ Takashi_Minamii
14:01:39 present+ Nick_Telford-Reed
14:01:48 present+ Justin_Richer
14:02:21 present+ David_Benoit
14:02:33 present+ Christian_Aabye
14:02:45 present+ Gustavo_Kok
14:02:50 present+ Sameer_Tare
14:02:58 present+ Tony_England
14:03:09 present+ Omer_Talha_Ozdemir
14:04:11 present+ Victor_Thomazetti_Machado_Silva
14:04:22 present+ Doug_Fisher
14:04:37 present+ Gokhan_Tekkaya
14:04:45 agendum 1 -- GNAP and SPC for payments -- taken up [from Ian]
14:05:04 present+ Stephen_McGruer
14:05:20 present+ Adrian_Hope-Bailie
14:05:34 Justin: Hi all. I'll introduce GNAP today
14:06:00 present+ Nick_Burris
14:06:10 present+ Steve_Cole
14:06:15 present+ Sue_Koomen
14:06:30 I have made the request to generate https://www.w3.org/2023/03/28-wpwg-minutes.html Ian
14:06:53 Justin: GNAP (pronounced "guh-nap")
14:07:06 [Ian does not plan to scribe details of presentation]
14:07:49 Justin: This is not "OAuth 3"
14:08:50 Justin: Fundamentally, GNAP is a protocol (rather than a framework)
14:09:32 ...a protocol for negotiating access; methods for interacting with humans; validating and verifying client software; methods for binding keys to message requests; a data model for what's being requested
14:09:36 present+ Gerhard_Oosthuizen
14:09:44 present+ Erhard_Brand
14:10:31 Justin: GNAP is a delegation protocol. The client gets a right of access from an authorization server in order to get something from a resource server. This is done after permission from the resource owner (who may or may not be the end user)
14:11:05 ...one thing that's new in GNAP compared to other protocols is clarity on the grant request lifecycle
14:11:33 present+ Vasilii_Trofimchuk
14:12:37 Justin: GNAP allows conversation -- negotiation about what is wanted; conversations can be augmented over time; users can get involved when needed
14:13:00 ...of import to today's discussion is indicating different ways to authenticate the user
14:14:16 ...what you can protect with GNAP is expressive right out of the box
14:14:32 ...in GNAP there is no assumption that the client is pre-registered
14:15:01 ...the client always introduces itself; sometimes the authorization server knows it (pre-registration) but sometimes it does not; it's a policy decision
14:16:40 ...implications: (1) no need for complex pre-confirmation, but it can be used when it makes sense (2) all requests start the same way (3) systems can adapt at run time based on what's possible and what's needed
14:18:31 ...GNAP does not assume the end user and the resource owner are the same people.
14:18:45 [On interacting with users]
14:18:58 Justin: There's a negotiation "what I can do" and subsetting by the authorization server "what works in this context"
14:19:19 ...the client doesn't necessarily need to know the server's full list of capabilities at the start of negotiation
14:19:29 ...this allows for dynamic negotiation when needed
14:20:47 Justin: The authorization server (AS) makes decisions based on context. This differs from OAuth, where the AS holds the user account and that information is used to mint the token. In GNAP, this is more of a *process*
14:21:16 Justin: Client instances in GNAP are identified by keys; this is enabled by key-proofing mechanisms
14:21:42 ...you can add to an HTTP message to prove you are the client holding a key
14:22:02 [Types of Data]
14:22:26 Justin: The client can ask for information about the user, can provide information about the user, can ask about APIs the client wants to access, etc.
14:22:30 ...sometimes the client knows more about the user than the AS does (initially).
14:22:40 ...we don't assume the client is smarter than the AS, but we allow for it.
14:23:27 Justin: There are ways in GNAP to use "shortcuts" (for frequent operations)
14:23:47 ...you can also request multiple access tokens to do different things at the same time (instead of sequentially getting a set of tokens)
14:24:56 clinton: Is there a concept in GNAP of a distributed access server?
14:25:17 justin: You can deploy your AS in a distributed fashion; it does not need to be a single web server
14:25:27 ...but there is a single URL and HTTP request
14:25:55 NickTR: When you get multiple tokens for a single request...can those multiple tokens have different lifecycles?
14:25:57 Justin: Yes
14:26:35 ...access tokens all have independent lifetimes, and can be managed independently
14:26:57 NickTR: The reason I ask ... you touched on the topic of recurring transactions.
14:27:25 ...I was wondering whether you could get a single token for an initial amount, and then a longer-lived token for a smaller repeating amount (e.g., 100 up front; 10 monthly thereafter)
14:27:32 Justin: Yes, absolutely
14:28:44 Can one token be issued contingent on the successful issuance of another token?
14:29:10 Justin: You can also get a token for an initial amount, and that can stick around for a long time. You could develop your system so that when you need to do the smaller payment, you could poke the AS again and say "hey, remember me, I need another small token to do this amount"....the AS can say "ok, that's within limits, here's a short-lived token"
14:29:21 Token lifetime can be short but the grant lifetime is long. I.e. grant = mandate and the token is the access token for a payment under the mandate
14:29:46 NickTR: Is persistence managed between client and AS?
14:29:55 Justin: Yes. There's a whole API for managing grants
14:30:15 ...you can make create requests to the API and then update requests
14:30:54 JeanLuc: I used to work with DPoP; does GNAP mean we no longer need to use additional layers?
14:31:02 Justin: Yes, that's correct.
14:31:11 The challenge with payments is resource-related limits. I.e. the AS should apply policy around what is "allowed" and the RS should also apply policy when a request comes in, to check that resource usage under the grant hasn't exceeded limits
14:31:14 Justin: ...the signing methods in GNAP are directly inspired by the DPoP work
14:31:49 ...the TLS binding in GNAP is lifted from another RFC
14:32:18 JeanLuc: Does GNAP allow use of DIDs?
14:32:26 Justin: There can be; we don't talk about it directly.
14:32:42 ...you can use them as identification for users and client software, and for key addressing
14:32:45 E.g. a grant allows making $10/month in payments. The AS can issue a token for a single payment <$10 but the RS needs to check how many payments have already been made under the grant for the current month.
14:33:22 Justin: The other way to use DIDs (IMO more interesting) relates to the notion of the AS as a factory
14:33:54 ...the user shows up at an authorization server and pushes a button to turn the light on; in GNAP the notion of "what is an interaction" is abstracted up a layer
14:34:22 ...you could very easily say as a client: "I have a verifiable claims wallet that I can point you at. If you have a way to talk to this, you can figure out who the user is."
14:34:24 @AdrianHB_ what's the user experience if the payment exceeds the grant?
14:34:36 ...so you could connect a wallet and AS through whatever fabric the wallet is running on.
14:34:59 JeanLuc: So I am hearing DIDs can be used (1) when the client sends info to the AS and (2) when there's a third party (e.g., a wallet) on which the AS can rely to get information.
14:35:14 Justin: Yes
14:35:35 @nicktr that is outside the scope. The client should get the token from the AS and then attempt the payment before it tells the user it is able to make the payment
14:35:36 Justin: There is one other case where the AS can issue verifiable credentials to the client software; but that more or less amounts to API access
14:35:58 ...the AS CAN store information in that format, but isn't required to
14:36:14 ...what's important is the pattern of sending the user to the AS, having them push a button, and sending them back
14:36:24 JeanLuc: So the AS could be used as an ID provider for third parties
14:36:27 Justin: Yes
14:36:44 @AdrianHB_ so the client here might be a payment handler?
14:37:03 Steve_C: Regarding Nick's scenario of tokens: can one token be issued contingent on success of issuing another token?
14:37:07 Justin: Can you say more?
14:37:22 @nicktr - I think it could be
14:37:41 Steve_C: If token issuance for the $100 token fails, for example, does the AS not issue the smaller-value token?
14:38:19 Justin: You're supposed to treat the multiple parts of a token request as "independent" in the sense that they represent different rights of access, etc., BUT related in the sense that the same client is asking for these at the same time.
14:38:25 ...so they could be contingent on the same authorization
14:38:42 ...so an AS can say "no" to all parts of a request
14:38:56 ...but for some protocols you may wish to say "no" to one thing but "yes" to other parts
14:39:15 ...e.g., the client might need to provide more information for one of the tokens, or maybe the client can just live with lesser access
14:39:45 [Adrian on SPC]
14:40:49 -> https://www.ietf.org/archive/id/draft-ozdemir-gnap-spc-extension-00.html GNAP Secure Payment Confirmation Extension
14:41:02 AdrianHB_: Thanks to Justin for the helpful intro; I'll speak about extensions and the use of SPC
14:41:21 ...Omer (on this call) has put together the IETF draft "GNAP Secure Payment Confirmation Extension"
14:41:54 ...the draft explains how to use SPC as an interaction mode; it will be presented at the IETF meeting (in Japan) on Friday
14:42:36 [Slide on how SPC works with GNAP]
14:42:53 AdrianHB_:
14:43:01 * Client tests if SPC is possible
14:43:14 * Client requests a grant to perform a payment from the authorization server
14:43:34 ...that request also provides some user identity hints and/or assertions
14:43:36 q+ to ask if the client is the merchant here? Or their PSP?
14:44:21 AdrianHB_: The AS determines SPC is the preferred interaction and the user has enrolled (SPC) credentials
14:45:00 ...the AS sends a challenge and candidate credentials and requests that the client perform SPC
14:45:30 ...a future refinement might be for the client to provide additional data (fingerprint?) to allow the AS to send back more specific credentials
14:45:34 ...Client then calls SPC
14:45:41 ...User authenticates
14:45:52 ...Client sends the assertion back to the AS
14:46:01 ...AS returns a grant, or rejects the request, or requests a different interaction
14:46:50 [Prerequisites]
14:47:56 * Is SPC supported? Cf isSecurePaymentConfirmationAvailable; would imply changes to the extension appendix
14:48:05 * User hints and attestations
14:48:17 * Device identification
14:48:24 q+ to ask about TLS binding
14:50:15 AdrianHB: How do we pass context on the client if it is not a software instance but relies on backend software?
14:50:58 ...I note that a "frictionless flow" is possible here; the AS can simply return a token based on context or previous information
14:51:25 ...or under the hood there is some level of device detection
14:51:53 ...the AS would only use SPC as an authorization method if the user has enrolled credentials
14:53:06 Ian: Any new news on device id protocols?
14:53:35 Justin: That keeps coming up. Device identification has largely been used so far in the commercial sector (e.g., signed binaries in the app store)
14:53:54 ...there has been some discussion on generalizing that type of stuff in mobile and embedded scenarios
14:54:00 ...e.g., supply chain (SCITT)
14:54:25 ...e.g., to be sure that information about crate location has not been tampered with
14:54:34 ...but I've not seen a generic solution yet that would be applicable.
14:54:57 ...this is something that we've considered to be important, but we (in GNAP) did not want to invent a solution
14:55:02 ...we've left this work to extensions
14:55:57 Ian: Our interest is knowing "same card on this device as last week"
14:56:26 AdrianHB_: I think that can be done with a FETCH request that contains whatever cookies are available; essentially giving the AS a direct link back to the client context
14:56:39 ...GNAP has nice hooks for something like this, but we'd need to define what's going to happen
14:56:50 Ian, you wanted to ask about TLS binding
14:58:15 AdrianHB_: Note that when the AS says "no matching credential" we can use GNAP for fallback authorization experiences
14:58:30 ...but one thing the client needs to do is to know how to resolve the AS URL
14:58:43 ...(in our case we are using payment pointers)
14:59:15 ...there might be a variety of ways (e.g., directories to convert strings to URLs)
15:00:08 [AHB talks about GNAP and SRC]
15:00:27 AHB: There are a lot of topics that 3DS and SRC seek to address and there's overlap with GNAP functionality
15:00:34 [Next steps]
15:00:56 AHB: We'll continue to evolve our extension spec as SPC evolves. One thing we've not looked at in detail is that the grant request should map nicely to the SPC request
15:01:34 ...we'd also like to support returning instrument details for SPC invocation
15:01:44 ...there is a GNAP implementation in the Rafiki project
15:02:15 AHB: We are building implementations of all this into our Fynbos wallet; will share progress in the next few months
15:02:48 clinton: +1 to the analysis of separation of concerns among these various technologies
15:03:14 NickTR: Thank you both for this presentation
15:04:06 agendum 1, GNAP and SPC for payments, closed
15:04:13 agendum 2 -- PIX -- taken up [from Ian]
15:05:07 Gustavo: Today we'll talk about PIX, the faster payments system in Brazil
15:05:37 ...I am head of payments fraud at Netflix; we've been paying close attention to SPC
15:06:08 ...we are interested in the SPC authentication experience for a variety of payment methods
15:08:13 ...one rationale for PIX is grounded in inflation; people needed faster payments so that money would not lose value during delays
15:08:33 ...at the same time there are numerous fraud challenges..."Brazil is not for amateurs"
15:09:03 ...we also have 5 World Cup titles
15:09:16 Victor: +1 to FIFA World Cup titles; Itaú is a sponsor ;)
15:09:34 Victor: Itaú is the largest bank in LatAm and Brazil
15:09:46 ...we are the biggest issuer of credit cards to our 70M customers
15:10:15 ...I work on risk management (first at Citibank, then ELO, then Itaú)
15:11:10 Gustavo: I've been working on fraud for many years; also a member of the US Faster Payments Council fraud WG
15:11:21 one of the best introduction slides I have seen
15:11:32 +10 :)
15:11:43 Gustavo: PIX is new but gaining traction rapidly
15:12:09 ...it was first announced only about 5 years ago
15:12:27 ...it was built by looking at experience in other places
15:12:37 ...they found key stakeholders in the market to ensure success
15:12:45 ...lots of public consultations and involving experts
15:12:55 ...there was a lot of pressure to get it out quickly.
15:13:02 ...officially launched at the end of 2020
15:13:16 ...it's been a bumpy road but huge adoption now.
15:13:26 ...we are looking now at more business use cases
15:13:46 Gustavo: Goals (1) real-time (2) 24/7/365
15:14:16 ...other goals: no cost to the end user
15:15:03 ...to spur adoption, focused on large banks first, then small banks joined, then the rest of the ecosystem joined in
15:15:28 ...the central bank wanted to increase innovation / competition (in part to reduce costs and prices)
15:16:24 ...account numbers are not super sensitive in Brazil (e.g., TAX ID); these keys are used to make the landscape easier to use
15:16:40 ...there are a variety of initiation mechanisms (e.g., QR codes)
15:17:16 Gustavo: Scheduled payments are also possible.
15:17:50 q+ to ask how the identifier mapping is governed
15:18:00 Clinton: How do TAX IDs work for people who are not Brazil residents?
15:18:42 Gustavo: I don't know the exact answer. I think it's not hard to get a TAX ID (since they want you to pay taxes), but there are also other payment identifiers.
15:18:56 Victor: You can open an account without a TAX ID but it's bank specific
15:19:25 AdrianHB_, you wanted to ask how the identifier mapping is governed
15:19:58 AdrianHB_: A big challenge always with pay-by-proxy systems is how the mapping is managed. How do you prevent SIM swap or people claiming identifiers that aren't theirs?
15:20:16 Gustavo: the Brazil Central Bank created a centralized repository with rules
15:21:08 ...e.g., the bank incurs liability if there is fraud, because they are responsible for ID&V
15:21:53 Victor: We have some interactions with phone numbers related to SIM cards; in short we have SIM swap detection
15:22:05 ...the central bank built in a lot of controls to avoid bad usage of credentials
15:22:28 ...the companies that are connected to the central bank are regulated; there are controls for accessing APIs (e.g., thresholds for accessing information)
15:23:04 Gustavo: If I have a link to a bank account, I have to authorize with a TAX ID
15:23:05 Liability is a big motivator
15:23:25 q+ to ask about confirmation of payee
15:23:26 Victor: We also have a regulation to apply multi-factor authentication for non-payment events like moving a credential from one bank to another
15:24:04 Gustavo: Regarding brute force attacks; the threshold for access is designed to limit the risk of brute force attacks
15:25:45 nicktr, you wanted to ask about confirmation of payee
15:25:59 NickTR: in open banking UK there is a concept of "confirmation of payee"
15:26:15 ...in push payments, authorized push payment fraud is high
15:26:30 ...this is where bad actors convince you to make a payment to a fraudster
15:26:41 ...they've introduced a "confirmation of payee" thing
15:26:55 ...do you have something like that in PIX?
15:27:14 ...and, are you seeing this same kind of fraud (recipients giving out fraudulent credentials)?
15:27:33 Victor: We have this kind of fraud, but do not yet have this kind of security feature
15:27:47 ...we are mitigating this problem by not allowing new PISPs to perform transactions
15:28:10 ...we are not yet enlarging our open finance environment
15:28:20 ...and are taking inspiration from the UK experience and also CIBA flows
15:29:22 [Diagram of PIX system]
15:29:37 Victor: The central bank holds the database of keys
15:29:45 ...the "scheme owner" for PIX is the central bank
15:30:07 ...only huge financial institutions directly access the central bank.
15:30:25 ...there is another class of entities called "indirect partners" who connect to the "direct partners" who connect to the central bank
15:31:27 ...we basically copied open finance and instant payments from the UK model
15:32:13 ...in addition to internal faster payments, the Brazil central bank would like to extend functionality to cross-border transactions (when all partners are ready)
15:32:22 ...we are using QR codes today, with lots of P2P transactions
15:32:34 ...we'd like to discuss QR codes in e-commerce with this WG
15:33:08 Gustavo: PIX launched in 2021 officially; the number of keys is now at about 600M
15:33:16 present+ Bryan_Penny
15:33:46 q+ to ask if senders have any way to verify payee details before sending?
15:34:03 Gustavo: More than 100M individuals have used PIX at least once
15:34:15 ...there are almost 400M accounts
15:34:32 @AdrianHB_ - that's the question I just asked - Victor said not yet
15:34:50 ...and about 3B transactions monthly
15:35:09 ...the majority relates to P2P
15:35:21 @nicktr - that's not what I heard :( Happy to clarify
15:35:57 @AdrianHB_ ask away!
15:36:08 Gustavo: PIX was mostly P2P initially; growing P2B transaction volume
15:36:13 AdrianHB_, you wanted to ask if senders have any way to verify payee details before sending?
15:36:50 AdrianHB_: I'd like to ask a clarifying question: if I'm a regular bank user like an Itaú customer and I want to send a payment to someone and I use their email address...
15:37:02 ...is there any way to verify that the email address is the person I expect?
15:37:22 Gustavo: You'll get a confirmation of the name of the person with whom that address is registered, and you'll get a partial of their TAX ID
15:37:32 ...the risk is social engineering when sharing information
15:37:52 AdrianHB_: The mitigation you have here, presumably, in terms of privacy protection, is that only direct participants can make those queries?
15:38:10 ...so not easy for third parties to scrape
15:39:38 Gustavo: There are still risks with fraudsters accessing large amounts of information, but after a few episodes risk was taken much more seriously.
15:40:01 Victor: In practice we monitor "strange behavior" (e.g., enumeration) with controls in place
15:40:18 ...in the end you have a repression strategy; the central bank will punish bad behavior
15:40:29 ...it's not bullet proof but different layers help add friction
15:40:45 ...we've not had any new cases of enumeration in the past year or so
15:40:56 ...that is: no new breaches of the central database
15:41:24 [Risk overview of PIX]
15:41:56 Gustavo: One attractive feature of the protocol is availability, as well as real-time settlement
15:43:30 ...another risk had to do with lack of knowledge by users, especially the newly banked
15:44:32 Victor: On day one of the PIX launch there was fraud; the major problem we see today is social engineering
15:45:00 Victor: We have a database of bad URLs
15:45:05 ...lots of SMS phishing
15:45:33 ...the user follows a link, calls a (fake) bank
15:45:43 ...the user gives away credentials to the fraudster
15:46:02 ...70% of loss today is due to social engineering
15:47:51 This is very interesting information, thanks for sharing!
15:49:08 Victor: Multi-factor auth is mandatory to keep fraud down
15:49:08 ...all PIX transactions involve multi-factor auth
15:49:08 ...you have a token on your device
15:49:08 ...biometrics are common in Brazil
15:49:08 ...but we have attacks on facial recognition
15:49:44 ...we chat with the Central Bank on a weekly basis to keep up on fraud attacks and solutions
15:50:37 Victor: the central bank convened the big banks to create this fraud committee
15:51:04 Victor: A bit on context and why we're here today
15:51:32 (1) We have LGPD (similar to GDPR), so we need user consent to collect information
15:51:49 (2) FIDO; Itaú is already using FIDO for some app-focused solutions
15:52:03 (3) Low confidence in the Web channel due to several different types of attacks
15:52:35 Victor: We are implementing FIDO in open finance and other protocols as well
15:52:48 Victor: The Web channel in Brazil today is considered "weak"
15:53:06 ...we are influencing our business partners to NOT USE WEB for critical or high-risk transactions
15:53:21 ...but we have a lot of clients that want to use the Web; we just don't have a solution (YET)
15:54:07 (4) On the corporate side, bank-as-a-service initiatives are surfacing, but the weakness of the web is holding us back
15:54:18 ...corporate clients are using the web; we need to solve the web channel problem
15:54:52 (5) Hardware keys are used today (e.g., Yubikeys) but we'd like to enhance the approach to use platform authenticators (especially for corporate use cases)
15:55:35 (6) We have a good connection with the central bank; we are showing them fraud cases and building with them the security protocols we are using with PIX; so solutions adopted with PIX may migrate to other payment methods
15:55:41 Victor: Questions for the group today:
15:55:56 a) Can we use SPC and FIDO2 to enable security for PIX P2M Web transactions in Brazil?
15:56:17 b) Can we use SPC and FIDO2 to enable security for PIX corporate Web/BaaS channel transactions in Brazil?
15:56:56 Victor: I am interested in the GNAP+SPC approach, for example.
15:57:11 NickTR: Thank you both for the presentation!!
15:57:26 ...it would be great to see some experimentation
15:57:48 Answer: Yes!
15:58:13 smcgruer_[EST]: We've been looking at PIX from Chrome. One thing we heard is that the Web transactions that are happening involve this flow:
15:58:15 a) copy a PIX code from the merchant page
15:58:22 b) switch to a bank app, paste the code, and proceed
15:58:35 smcgruer_[EST]: there are Android intent URL schemes; is there a reason those aren't used?
15:58:46 Gustavo: is this similar to UPI (in India)?
15:58:56 smcgruer_[EST]: Don't know. But you could have the bank say "We handle PIX URLs"
15:59:16 Gustavo: The bank was not as comfortable with those links (when first considered)
15:59:22 ...so they came out with copy-paste PIX
15:59:48 ...I'm not sure how the thinking evolved; I know they were talking with platform providers about apps and maintaining a safe list (and the cost of doing so)
16:00:15 Victor: Basically the speed of implementation of PIX and the complexity of understanding how to use the method in a secure way led to this initiative landing in a parking lot
16:00:34 ...copy/paste solved the problem and was "easy enough" even if not a great UX
16:01:08 Gustavo: the copy/paste approach was familiar to people via Boleto
16:01:17 ...there are some ongoing discussions about topics like recurring payments
16:02:10 SRC topic.. please
16:02:39 @clinton - absolutely. #1 on the agenda as we bumped you from Monday
16:02:49 Ian: Any obstacles you already know of to using SPC with PIX?
16:03:17 Gustavo: Different regions have different views of privacy requirements. Do you foresee a way to support different levels of privacy?