On October 17, President Obama signed an executive order entitled “Improving the Security of Consumer Financial Transactions” at the offices of the Consumer Financial Protection Bureau, as the first part of the administration’s simultaneously announced “BuySecure Initiative”. The purpose of the executive order is to promote the adoption of more secure payment and authentication mechanisms and to improve remediation options in cases of fraud and identity theft. The executive order requires agencies to take steps that will support the deployment and market penetration of payment cards that use enhanced security features, to specifically include “chip-and-PIN” technology, in government-owned payment processing terminals and government-issued payment cards. It also provides improved identity theft monitoring and remediation measures, and requires agencies to support multi-factor authentication and identity proofing for digital applications that provide access to personal data.
In support of securing government payments, section one of the executive order identifies a number of specific steps that agencies shall be required to take, including the following activities (all required by January 1, 2015):
“Chip-and-PIN” refers to a particular option within the Europay-Mastercard-Visa (EMV) standard. EMV is a global financial payments standard initially developed by financial institutions and card issuer associations and currently maintained by EMVCo, LLC. As of October 2014, the currently ratified version of the standard is version 4.3. It builds on the ISO/IEC 7816 standard for contact chips and ISO/IEC 14443 for contactless cards, and in the chip-and-PIN mode it requires cardholders to enter a 4 to 6 digit PIN when authorizing a purchase at supporting terminals.
As is evident in the action plan within the executive order, switching to chip-and-PIN is a matter of upgrading both payment terminals and the issued cards. This chicken-and-egg problem may have contributed to the persistent lack of adoption of the technology within the United States, which lags behind the rest of the world in the use of enhanced security technology. In addition to this executive order, commercial entities such as payment processors have announced a number of liability shifts also intended to promote the adoption of the technology. Most consumers are accustomed to the current approach in which card issuers are liable for fraudulent transactions, but after a liability shift, the policy becomes that if a merchant or ATM owner does not implement EMV then they become liable for any fraudulent transactions. For example, Visa’s EMV Migration Roadmap states that by October 1, 2015, “the party that has made investment in EMV deployment is protected from financial liability for card-present counterfeit fraud losses on this date. If neither or both parties are EMV-compliant, the fraud liability remains the same as it is today. This date excludes automated fuel dispensers.”
Section two of the executive order is directed at reducing the effects of identity theft through better detection, monitoring and communications, and remediation options. The Attorney General and Department of Homeland Security are required to issue guidance that promotes the submission of reports of compromised credentials to the Internet Fraud Alert (IFA) system operated by the non-profit National Cyber-Forensics and Training Alliance. The IFA system offers a clearinghouse for notification of compromised credentials and issues alerts to “the appropriate financial institutions and service providers”. It is not clear how actively managed the IFA system is – for example, readers are currently directed to an out-of-date link, https://www.IFraudAlert.org, for more information.
Notification of compromised credentials is an important concept that is explored in NIST Interagency Report (NISTIR) 7817, A Credential Reliability and Revocation Model for Federated Identities. In that document, NIST scientist Hildegard Ferraiolo describes a notional model for improving the capacity of federated identity systems to detect and respond to fraudulent actions. The document makes a number of recommendations including for service providers to report malicious incidents to identity providers, and describes a role for an agent that aggregates reports from service providers and provides information about credential risk to potential relying parties and service providers. The document calls this agent the Uniform Reliability and Revocation Service (URRS) with responsibilities including:
We at Electrosoft believe that NISTIR 7817 is an excellent model to consider as government agencies prepare to comply with section two of the executive order, and hope that commercial entities will also consider the need for sharing credential status and reliability information.
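To make the aggregator role concrete, here is an added example (not code from this post, and not an implementation published with NISTIR 7817) of a small reliability service in the URRS position: service providers submit incident reports, the identity provider reports revocations, and relying parties query a credential's status before accepting it. The status names, the 30-day decay window for unconfirmed reports, the two-reporter corroboration rule, and the sample report data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class IncidentReport:
    """One report a service provider sends to the aggregator (hypothetical schema)."""
    credential_id: str   # opaque identifier of the federated credential
    reporter: str        # service provider that observed the event
    kind: str            # "compromise" (confirmed) or "suspicious" (unconfirmed)
    observed_at: datetime


class ReliabilityService:
    """Stand-in for the aggregator role NISTIR 7817 calls the URRS.

    Policy (assumed, not from the report): a confirmed compromise persists until
    the issuer revokes the credential; unconfirmed reports only count within a
    window and must come from several distinct service providers to matter.
    """

    def __init__(self, window=timedelta(days=30), corroboration=2):
        self.window = window                # how long an unconfirmed report counts
        self.corroboration = corroboration  # distinct reporters needed for "at-risk"
        self._reports = defaultdict(list)
        self._revoked = {}                  # credential_id -> (issuer, when)

    def submit(self, report: IncidentReport) -> None:
        """Service provider -> aggregator: record a malicious or suspicious incident."""
        self._reports[report.credential_id].append(report)

    def revoke(self, credential_id: str, issuer: str, when: datetime) -> None:
        """Identity provider -> aggregator: the credential is no longer valid."""
        self._revoked[credential_id] = (issuer, when)

    def status(self, credential_id: str, now: datetime) -> str:
        """Aggregator -> relying party: current reliability of one credential."""
        if credential_id in self._revoked:
            return "revoked"
        reports = self._reports.get(credential_id, [])
        if any(r.kind == "compromise" for r in reports):
            return "compromised"
        recent_reporters = {
            r.reporter for r in reports
            if r.kind == "suspicious" and timedelta(0) <= now - r.observed_at <= self.window
        }
        if len(recent_reporters) >= self.corroboration:
            return "at-risk"
        return "reliable"


def relying_party_decision(status: str) -> str:
    """How a relying party might act on the status (assumed mapping)."""
    return {"reliable": "accept", "at-risk": "step-up",
            "compromised": "deny", "revoked": "deny"}[status]


def demo() -> dict:
    """Run the exchange on constructed sample data and return each credential's outcome."""
    now = datetime(2014, 11, 1)
    svc = ReliabilityService()
    day = timedelta(days=1)
    # Constructed reports: identifiers and provider names are made up.
    svc.submit(IncidentReport("cred-A", "sp-tax", "suspicious", now - 3 * day))
    svc.submit(IncidentReport("cred-A", "sp-tax", "suspicious", now - 2 * day))   # same SP twice: no corroboration
    svc.submit(IncidentReport("cred-B", "sp-tax", "suspicious", now - 5 * day))
    svc.submit(IncidentReport("cred-B", "sp-benefits", "suspicious", now - 1 * day))  # second SP: corroborated
    svc.submit(IncidentReport("cred-C", "sp-benefits", "compromise", now - 1 * day))
    svc.submit(IncidentReport("cred-D", "sp-tax", "suspicious", now - 90 * day))      # stale, outside window
    svc.submit(IncidentReport("cred-D", "sp-benefits", "suspicious", now - 80 * day))
    svc.revoke("cred-E", "idp-example", now - timedelta(hours=1))
    outcomes = {}
    for cred in ["cred-A", "cred-B", "cred-C", "cred-D", "cred-E", "cred-F"]:
        st = svc.status(cred, now)
        outcomes[cred] = (st, relying_party_decision(st))
    return outcomes


if __name__ == "__main__":
    for cred, (st, action) in demo().items():
        print(f"{cred}: {st} -> {action}")
```

The point the decay window and corroboration rule illustrate is that an aggregator has to distinguish a single provider's unconfirmed observation from a pattern across providers, and confirmed compromises from stale noise; a real deployment would also need authenticated report submission and a way for the issuer to clear a resolved compromise.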
Finally, section three provides a plan for appropriate use of trusted identities to access government systems. By February 23, 2015, the National Security Council (NSC), the Office of Science and Technology Policy (OSTP) and the Office of Management and Budget (OMB) are required to provide a plan that ensures that agencies which make personal data available to citizens require multiple factors of authentication and “effective identity proofing, as appropriate.” Agencies are required to complete implementation of the plan within 18 months, by July 3, 2016. This plan is required to be consistent with the guidance of the 2011 National Strategy for Trusted Identities in Cyberspace (NSTIC), whose guiding principles state that identity solutions will be:
As participants in the Identity Ecosystem Steering Group can confirm, this is a challenging set of guidelines to achieve, but we believe that with strong leadership and clear planning, the ambitious goals set by the executive order can be achieved.
Overall, this executive order provides an ambitious but realistic set of targets for government agencies to achieve tangible improvements for financial and citizen-to-government transactions.
-Contributed by: Scott Shorter