Security Task Force/Feds 06 04 15 meeting

From Web Commerce Interest Group

I have spent several days reading the Fed's documentation and trying to summarize it. Please let me know if this is incorrect.

Erik Anderson
Bloomberg R&D

Key takeaways from the Federal Reserve Secure Payments Task Force inaugural meeting.

Presentation link: https://fedpaymentsimprovement.org/wp-content/uploads/060415_secure_payments_task_force_teleconference.pdf

There is a lot of valuable documentation listed in the above PDF.

Key takeaways and notes from the documentation

  • Identity & Authorization
    • Identity Management
      • Identity management is important to meeting cybersecurity goals; an identity framework gives broader coverage than a standalone authentication solution.
    • Significant advances in technology allow devices and mechanisms to identify their owner.
    • Standards, approaches and solutions should be tailorable to an individual organization's priorities.
    • The authorization question is: did the user authorize the transaction, the sharing of their information, or the opening of their personal records?
    • Data breaches have resulted in identity theft; use approaches that protect user data both in transit and at rest.
    • Real-time indication and notification when information is accessed or shared.
    • Consumer identity solutions must be hardened against the events that lead to identity theft, both personal and corporate.
    • Because of technological advances, counterfeiting payment instruments outright is nearly impossible; theft of sensitive data and private keys is the key factor enabling most methods of payment fraud. Such thefts enable misrepresentation of authority, counterfeit cards and checks, compromise of security protocols at financial institutions leading to account takeover, and new-account fraud in the victim's name.
    • If digital signature mechanisms become the norm, they will also become part of the identity thief's attack surface (the signing keys become a theft target).
    • Location input is an important identity factor for thwarting many instances of fraud.
  • Authentication
    • Authentication reduces risk but provides no guarantee of who the user is.
    • Make use of advances in authentication technology to help reduce risk.
    • Authentication by itself is not enough.
    • Stronger authentication does not by itself prevent data breaches or identity theft; only stronger encryption of the data does that.
  • Data Security
    • Many lessons learned from data breaches.
      • Authentication did nothing to protect the information.
      • Many of these breaches are national or super-regional in scope, affecting consumers in many states and, frequently, across the country.
      • Identifying privacy risk in information systems is very hard, and doubly so because of non-standard approaches to securing the information. Most information is secured in bulk rather than in smaller layers that segregate it and confine any loss to anonymized elements, each unusable unless re-associated with the whole. Example: breaking the key that secures one individual's birthdate should compromise neither that individual's name nor every consumer's birthdate.
      • Data anonymization has been a successful strategy for preventing identity theft.
        • NOTE: This is an illusion, because data mining can be applied to stolen data to re-identify the individual even though the individual is not directly referenced in the data.
      • Another strong strategy has been bulk storage of a user's historical credit profile with the profile broken into anonymized elements that are cryptographically separated from the whole. The same strategy applies readily to data in transit, so that capturing a message does not yield the whole of the data it carries.
      • Current data security approaches still lean toward securing the network, which makes overall security depend on the security of every element of that network. Worse, the weakest links change as the security preferences or makeup of payment participants change over time. The only durable solution is to secure the data itself end to end and let the network/channel evolve independently.
      • A standardized end-to-end data security mechanism prevents even a rogue authorized agent or node from accessing information it does not need.
        • Example: a user's bulk data is accidentally sent to an age-verification service, yet nothing unnecessary is disclosed because the access controls only allow the anonymized age element to be opened.
      • To minimize risk, one-time keys are necessary so that a party authorized to open one anonymized element cannot elevate its permissions by combining historical static keys obtained from other parties.
      • Identity-based authentication combined with revocable roles and time-based access controls on information would allow immediate, tangible remediation (revoking a role, letting a time-bound grant lapse) even after an information-exposing event has occurred.
      • Users' records were stolen, resulting in disclosure, publication and unauthorized reuse of their personal data, and in identity theft at massive scale.
      • Separating data security from application security was viewed as a giant leap forward for the case where the application or operating system is compromised. The same mechanism should be applied on consumer premises as well.
      • Consumer confidence in electronic payment systems is at an all-time low. Millennials trust Bitcoin more than fiat.
      • Financial institutions must bear the consequences of fraud and security failures, but the party that bears the consequences is not always the party able to correct the security gaps.
        • Example: a financial institution has no control over browser security mechanisms, no control over zero-day vulnerabilities in software written by third parties, and will have no control over network security as payments transition from closed-loop systems to open-loop systems (i.e. the public internet).
        • Example: a large percentage of data breaches originated at authorized vendors and service providers. Vendors sit outside the immediate view of the legally responsible organization yet have the same or better access to information as the organization they serve, and many provide and maintain critical security components of that organization's networks. The legally responsible organization can be held responsible even for the vendor's security or process flaws.
      • Information about the quality of commercial security products is imperfect and causes incorrect investment decisions
      • Current security depends on the security of each element of a network.
      • Studies conducted since 2009 show attackers migrating from the payment instruments themselves toward the private data behind them. Access to that data lets fraudsters conduct large volumes of smaller-value transactions, and small transactions and new accounts may go unnoticed by consumers. Depending on the half-life (the decay of value over time) of the information, a breach can affect consumers for 10+ years: a payment instrument can be cancelled immediately, but the lifetime of private data is measured in decades, with severe long-term consequences for victims.
      • Analysis of data breaches shows serious weaknesses in data security at merchants, vendors and service providers, depository financial institutions, and payment processors. Despite its emphasis on larger merchants and the recently imposed system of fines for non-compliance, the PCI process has not prevented the security weaknesses that allow large data breaches. Strengthening public oversight and the adoption of data security techniques in non-financial organizations would supplement improvements to the financial system.
      • While many breaches have not exposed large quantities of sensitive data, what is exposed is particularly useful for identity theft.
      • Data breaches cause a massive loss of consumer confidence. It is unlikely but possible that a breach causes an immediate shift to alternative means of payment, and such a shift could create substantial operational challenges for those payment systems. To allow efficient payment substitution in support of a smoothly functioning economy, there must be multiple reliable ways to make and receive electronic payments.
      • Every data breach makes internet commerce harder to conduct, because of the legislative responses to breaches and information security failures at the local, state and federal levels.
      • There has been massive investment, coordination, information sharing and management of incentives in securing payment card systems, but this is not adequate to confront the threats arising from modern data breaches.
      • Data breaches have "indirect" costs that can be substantial, many times greater than the fraud itself; the estimate is $200 per breached record, and the Verizon breach totalled $1+ billion.
      • In many cases a breach is not detected at the time of intrusion, in part because the attackers wait for an opportune moment to monetize the compromised information. When they do act, recent experience suggests they move quickly and at times operate through a sophisticated criminal organization; recent data breaches are particularly notable for the sophistication of the techniques employed.
    • All data must be protected at all times, from UI entry/display through to the databases where it is stored.
    • A mechanism is needed to measure the threat intelligence value of information; threat intelligence must carry context to be actionable.
    • Data security technology mechanisms must be integrated into an organization's workflow and risk management practices.
    • The size and sophistication of an organization largely indicate the threat information it holds and must protect.
    • Sharing private-sector information with government still faces many legal hurdles. Authorization mechanisms must be embedded in the data itself so that sharing with government can be authorized while regulatory snooping is limited.
    • Cyber threats arising from information storage, transit and sharing mechanisms are serious issues and must be addressed.
    • Consumer use of corrective financial protection mechanisms such as fraud alerts and credit freezes has been very low (<10%) and largely unsuccessful: consumers do not use these identity theft protections, by the time an alert or freeze takes effect the damage has been done, and when consumers do use them it costs several days of their time. The data around identity (i.e. credentials) must instead be protected with better access controls and protection mechanisms; it should be infeasible to defeat the authentication, identification and access control mechanisms and expose the data, even on a compromised PC or at a compromised consumer data collection facility.
    • Identity theft and fraud are increasing drastically (25-50% per year) because of personal data sharing mechanisms, data breaches, password/account recovery mechanisms, malware, phishing, etc.
    • Currently the Federal Trade Commission and the Consumer Financial Protection Bureau have jurisdiction to enforce data security measures that deter payment fraud at merchants and processors. Legislators have proposed giving the FTC authority not only to enforce data security standards but to set them as well. Federal financial institution regulators may need to speed implementation of their new cybersecurity assessments of financial institutions and strongly emphasize data security.
    • Countries that adopted chip-and-PIN cards have seen fraudsters shift their efforts to identity fraud, to taking over or creating new accounts, and to IMOTO (Internet, Mail Order and Telephone Order) transactions, causing a dramatic rise in the associated fraud losses. History shows that new payment instruments and technologies, such as web-enabled mechanisms, lack adequate protective measures and attract a major influx of fraudsters. Adopting chip-and-PIN in the US will have the unintended consequence of pushing fraud toward internet-based payment methods, and countless consumer warnings are already issued each week advising against internet payment mechanisms.
    • To keep costs low, the optimal control point is the least-cost point for enhancing security: the payer's bank, for example, can best determine whether the payer's signature on a check is genuine, and the payee's bank can best determine whether the payee's endorsement is genuine. Example: we do not need a massive government-run KYC physical and biometric signature verification platform when the existing banks can perform these tasks. Overdoing the security, identity, KYC/AML and legal/regulatory structure creates misaligned incentives that are neither socially optimal nor justified. A browser-based security framework can accomplish this and keep costs down for consumers and institutions.
  • Security Framework
    • The security framework should recognize the global nature of technology yet avoid guidance based on country of origin, which would impede international commerce. National cybersecurity concerns can be addressed in alignment with international standards.
    • It is not possible for any single government, or even for entities within one government, to have exclusive, comprehensive regulatory or supervisory jurisdiction over such a security framework. The framework must allow security layers that give each authority access to data within its jurisdiction yet prevent snooping and information leakage outside that sandbox.
      • US Examples:
        • The Board of Governors of the Federal Reserve System issues certain retail payment regulations, especially regarding checks.
        • The Consumer Financial Protection Bureau (CFPB) has jurisdiction over most federal consumer protection regulation for electronic payment transactions.
        • The Federal Reserve Board, as well as other federal financial supervisors, conducts exams, and these exams can entail a review of the financial institution’s payment system security precautions, including those of its business partners.
        • Worse yet, many third-party organizations are involved in operating networks and providing payment services to the public; some are banks, but many are not.
        • Additional regulators can be involved: for example, nonbanks operating under state money-transmitter licenses are subject to state agency supervision.
        • In addition, the CFPB may determine, by rule, that certain nonbanks in markets for consumer financial products and services are larger participants and therefore subject to CFPB supervision.
        • A variety of state laws also address consumer rights in instances of identity theft or a data breach. Small and large businesses can be legally liable for a data breach leading to identity theft.
          • Example: take the Target data breach. All that KYC information is a honeypot for fraudsters seeking to exploit identity data or sell it on the black market. Target's breach revealed a worldwide network for selling card data and private information. The data was sold in batches with geographic tailoring, to thwart location as an indicator of potential fraud, and for the mass production of counterfeit cards. The findings suggested a decentralized "virtual fraud factory" organized through the internet, using specialized agents and with worldwide scope.
    • A data security standard/framework should wrap the details of the underlying technologies yet be flexible enough to let industry define how the framework protects the assets within their organizations based on their overall risk management plans. Avoid developing a conformity assessment program: confidence before conformity. A good framework hides the technology specifics so users can solve business cases rather than struggle with advanced security systems and challenging cryptographic APIs.
    • Industry should define how the framework is adopted in their organizations based on their overall risk management plans. In striving for efficiency, organizations must balance the cost of security measures that prevent and mitigate fraud against the full set of costs that fraud generates. That approach has generally been well received.
    • The framework must address privacy and civil liberties methodology. Identity and privacy technology must be integrated with cybersecurity technology: layer cybersecurity technologies into authentication, authorization, identity, message exchange and private information sharing mechanisms so that identity theft and violations of privacy become infeasible.
    • The framework should be directly referenced as "public policy" to guard against misaligned incentives. Policymakers cannot craft a policy that addresses constantly changing threats and the complex interdependencies of today's information networks, nor provide enough detail to implement adequate cybersecurity protection. Under some assumptions, strategic uncertainty may lead to more effort to protect than is socially optimal.
    • The framework must address protection of the data itself. A payment and information network consists of many components (computers, communication channels, software and users), each subject to attack and requiring defense. The weakness of each component varies, and attackers strike the vulnerabilities with the highest expected payoff. The engineers who protect these components make judgements about their vulnerability and prioritize which weakness to correct; these assessments are difficult, costly and uncertain, and some weaknesses will remain because of undetected vulnerabilities or imprecise assessments (such as underestimates of potential damage). Engineers cannot protect all the components all the time, so we must protect the underlying data. This requires a data protection framework that spans the UI to the data store. A proper framework allows the web/internet to be used as the payment pipes; without one it is impossible to use the web/internet safely, because the security of each network node a transaction passes through is uncertain.
    • Without a proper framework, engineers will protect a handful of weak network links but not all of them, and over time the set of weak links will change. A mild amount of uncertainty can lead to additional protection of weaker links where expected losses are high and countermeasures are justified. High uncertainty, on the other hand, can lead to no protection at all: the defender may not know which link is weakest and thus leave all links unprotected.
    • Installation of 'corporate malware' is the norm for financial institutions: they install it to satisfy misaligned compliance incentives. Without protecting the data itself, this approach to compliance becomes the weakest link in the institution's security and the point of attack.
  • Financial institution priorities:
    • Short-term priority: protect payment and other sensitive data
    • Medium-term priority: protect electronic cash letters and improve authorization in card payments
    • Long-term priorities: effective security standards and improved incentives
      • One key long-run principle to ensure efficient processing and strong security would be to standardize the security protocols embedded in and around electronic payment messages. An example would be to segregate the anonymized elements in every message, each in its own security layer, such that each element is individually encrypted but also unusable without attacking and reassembling the whole.
      • Standardization is critical because transactional value needs to move internationally and processors can only adapt their systems to a limited set of protocols.
      • For example, there are a number of efforts to develop tokens that replace card numbers in e-commerce processing. The tokenization schemes work similarly, and if they all go to market, much of the processing chain will need costly upgrades to integrate with several token systems that all address the same security weakness.
      • While proprietary standards may be quick to develop, research suggests that an inclusive and cooperative development process, such as that provided by ANSI, improves the motivation to comply with standards. In any large and diverse payment system even well-designed security standards will be adopted unevenly across participants, so it is critical to motivate participants to comply. To 'encourage' adoption, statutory rules follow the basic principle that the entity in the best position to deter fraud bears the losses for a payment it processes. Assigning liability to the control point best suited to prevent fraud provides a strong incentive to detect and deter fraud cost-effectively.
      • As transaction security becomes more standardized and widely adopted, the security and risk of a transaction can be measured objectively, allowing independent insurance to be added cheaply to cover those transactions.
      • The right security framework will allow internet-based commerce to attain low fraud rates without a central authority implementing significant rules or oversight.
      • Applying the same principle to data would help protect sensitive data on home computers. Malware such as key loggers installed on desktop computers, or malicious browser plugins, gives fraudsters the credentials of consumer or business payment accounts. Stolen credentials allow unauthorized access to online banking systems and thus the ability to initiate fraudulent payments. Privacy laws and regulations require strong security measures over credentials and other personally identifiable information.
      • In an extreme form of account takeover, identity theft, fraudsters use a person's credentials to create a new account under their control. Identity theft often results in large fraud losses because the victim is unaware of transactions on the new account. The U.S. Department of Justice estimated that 1.125 million persons in the United States suffered new-account fraud in 2012, totalling several billion dollars in out-of-pocket losses to victims, both merchants and consumers.
      • Improving the security of home computers would significantly reduce fraud on all forms of payments.
        • NOT TRUE: "Implementation of security on home computers requires changing laws concerning liability for damage due to malware and creating institutions to coordinate efforts to prevent and remediate malware." Most users do not know how to protect their home computer against the plethora of malware that comes in through the browser.
        • That malware infects personal computers with key loggers that harvest online banking credentials, which are then used to generate fraudulent wire, check, credit card, bitcoin or ACH payments. If the enhanced security is added to the browser, all PCs, Macs, mobile devices, laptops and tablets get it. A simple hardware token could serve as the unlocking mechanism that protects the sensitive data even after the data has been relayed to fraudsters. Home users are protected from themselves and everyone benefits. Browser-enabled security protocols would effect a system-wide approach to payment security, further enhanced by the immediate acceleration of public and private efforts not even related to payments, which in turn pushes payment participants to adopt effective security protocols.
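The "elemental" data protection that the Data Security notes and the long-term priorities above keep returning to (each element of a record individually encrypted, one-time keys so a party holding one key cannot climb to the rest, least-privilege release of only the age element to an age verifier, and revocable/time-bound access) is shown below as an added, self-contained example in Go. It is illustrative code written for this page, not code from the Task Force documents or from any product they reference. It uses only Go's standard-library AES-256-GCM; the record fields, the role names, the Grant structure and the choice of a random element id as associated data are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// SealedElement is one anonymized element: no field name, no record id, only an opaque random id.
type SealedElement struct {
	ID    string
	Nonce []byte
	CT    []byte
}

// SealedRecord is the whole: the name -> element map links elements, and the per-element keys stay with the owner.
type SealedRecord struct {
	Elements map[string]SealedElement
	keys     map[string][]byte // never shipped beside the ciphertext they open
}

// Grant is what a relying party receives: the key for exactly one element, bound to a role and an expiry.
type Grant struct {
	ElementID string
	Key       []byte
	Role      string
	Expires   time.Time
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts every field under its own fresh AES-256-GCM key; keys are one-time, so re-sealing yields elements no earlier key opens.
func Seal(record map[string]string) (*SealedRecord, error) {
	sr := &SealedRecord{Elements: map[string]SealedElement{}, keys: map[string][]byte{}}
	for name, value := range record {
		buf := make([]byte, 32+12+8) // key | 96-bit GCM nonce | element id
		if _, err := rand.Read(buf); err != nil {
			return nil, err
		}
		key, nonce, id := buf[:32], buf[32:44], hex.EncodeToString(buf[44:])
		aead, err := gcm(key)
		if err != nil {
			return nil, err
		}
		// The id is bound as associated data, so a relabelled or swapped element fails to open.
		ct := aead.Seal(nil, nonce, []byte(value), []byte(id))
		sr.Elements[name] = SealedElement{ID: id, Nonce: nonce, CT: ct}
		sr.keys[name] = key
	}
	return sr, nil
}

// Grant releases the key for one named field only, scoped to a role and a TTL.
func (sr *SealedRecord) Grant(field, role string, ttl time.Duration, now time.Time) (Grant, error) {
	if el, ok := sr.Elements[field]; ok {
		return Grant{ElementID: el.ID, Key: sr.keys[field], Role: role, Expires: now.Add(ttl)}, nil
	}
	return Grant{}, errors.New("no such field")
}

// OpenWithKey is the bare cryptographic step with no policy in front of it: a key only opens the one element it was made for.
func OpenWithKey(key []byte, el SealedElement) (string, error) {
	aead, err := gcm(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, el.Nonce, el.CT, []byte(el.ID))
	return string(pt), err
}

// Open is the relying-party side: role and expiry are enforced first; the AEAD check still holds if this layer is bypassed.
func Open(g Grant, el SealedElement, role string, now time.Time) (string, error) {
	switch {
	case g.Role != role:
		return "", errors.New("grant was not issued for this role")
	case !now.Before(g.Expires):
		return "", errors.New("grant has expired")
	case g.ElementID != el.ID:
		return "", errors.New("grant does not cover this element")
	}
	return OpenWithKey(g.Key, el)
}

func main() {
	// Constructed sample record for the illustration, not real data.
	sr, _ := Seal(map[string]string{"name": "A. Consumer", "birthdate": "1980-01-02", "card_number": "4111111111111111"})
	g, _ := sr.Grant("birthdate", "age-verifier", time.Hour, time.Now())
	fmt.Println(Open(g, sr.Elements["birthdate"], "age-verifier", time.Now())) // opens
	fmt.Println(OpenWithKey(g.Key, sr.Elements["card_number"]))                // refused by the AEAD itself
}
```

The point of splitting Open from OpenWithKey is the one the notes make about separating data security from application security: role and expiry are application policy and can be bypassed by a compromised application, but the birthdate key still cannot open the name or card-number elements, and a grant issued for one sealed message cannot open the same field in a later one, because every element of every message is under a fresh key. How the grant (the key) is delivered to the relying party, and how grants are audited, is out of scope here.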