What Government Could Learn from Payment Companies About Identity Management


If someone finds or steals a government Personal Identity Verification card, it’s possible that they could access sensitive or secret information during a very limited window before its loss was reported or discovered.

As someone who has covered identity and biometric technology for decades, I was surprised to hear President Trump announce last week that a photo identification was now required to purchase groceries. I had not experienced this before and assumed it was some sort of new national security policy designed to keep our vegetables out of the hands of terrorists.

I realize that he was making the case for better identification protocols when voting, even though that isn’t how voter fraud takes place these days. Thousands of Russian agents aren’t secretly sneaking into the country pretending to be American citizens so that they can tip the scales in the next election. They are buying fake Facebook ads and trying to trick us into voting against our best interests.

Just to make sure there was no new policy, I conducted a fact-finding mission to the local grocery store, leaving my identification behind. Cautiously, I crept into the soda aisle, loading up on Pepsi, which was on super sale. Then I figured I would go for broke, as I was deep in enemy territory at that point anyway, and also grabbed two kinds of Doritos, Nacho and Cool Ranch. With a trembling hand and a cart with a shaky wheel, I approached the express line—the one with a real person working it. The self-checkout would have been too easy.

I inserted my credit card into the payment machine and watched as the woman scanned my items. Other than a brief look of disdain at my unhealthy selections (full disclosure, I also bought a mega pack of chocolate chip cookies—also on sale), she hardly gave me even a sideways glance. The machine alerted me to remove my card. I grabbed my receipt and made a quick getaway. A half-hearted “have a nice day” mumbled from the checkout person was my only pursuer.

I had achieved the impossible. I purchased groceries, or something that might qualify as such, and nobody challenged me during the heist. I almost ate a celebratory cookie in the parking lot.

Seriously, I didn’t really expect to be challenged about my identity, but good reporters cover all possibilities. Plus, I really wanted those Doritos. The truth is that the last big advance in terms of payment and identity for purchasing things was EMV, named for Europay, MasterCard, and Visa, the three companies that originally created the standard. It’s why at most stores you insert your chipped credit card into the payment device instead of swiping, and why you don’t need to sign anymore.

For buying cookies, having the credit card with the hack-resistant chip is probably enough security. It’s possible that if you drop your card, someone could pick it up and make a few purchases before you can report it stolen, but the chip makes large-scale stolen credit card fraud very difficult.

The amount of information contained in identification cards these days makes things like the Homeland Security Presidential Directive 12, issued back in 2004 by President George W. Bush, much easier to implement. Combined with commonsense best practices like background checks on all cardholders and multiple forms of identification in order to obtain the card, it represents a good, if static, system that is subject to the same limitations as EMV. If someone finds or steals a government Personal Identity Verification card, it’s possible that they could access sensitive or secret information during a very limited window before its loss was reported or discovered.

There are a few technologies being fielded that could change that. Over in the payments area, a company called NuData Security, which is a division of Mastercard, is looking to start fielding the EMV 3-D Secure authentication protocol (EMV 3DS). Not surprisingly, it builds upon EMV, which Mastercard helped to create. EMV 3DS adds passive biometrics, historical data and behavioral analytics to chipped cards.

The company collects data about users with cards or other products that support it. This can be anything from how they log in and browse web pages to how much pressure they put on a touchpad when swiping. Their history is also taken into consideration. The idea is that in the event of a scripted type of attack, where a computer program is using stolen data to create fake accounts, the process of doing that won’t match the real user’s biometric patterns. Or if a real user only ever buys groceries in Maryland, but suddenly starts purchasing big screen televisions in Berlin, then there is a high degree of certainty that something is amiss.

NuData has a few successes listed on their webpage, though not too many. I am wondering if EMV 3DS might be running up against privacy concerns, especially in Europe, where privacy is taken very seriously.

The new technology might find a more receptive home within the halls of government. Gathering location, historical and biometric data like typing speed and usage patterns would be much easier within a closed system like the federal government. And it would likely face less resistance as well. After all, much of the data driving EMV 3DS is collected passively, which would actually be much less intrusive than the background checks already required by HSPD 12.

If EMV 3DS could tell that someone with a government smartcard is behaving suspiciously, within a government building or while accessing a network remotely, that might be a good way to combat stolen or compromised credentials. Even if the bad guys can get a hold of a government login or PIV card, they wouldn’t know how fast the linked employee types, their daily behaviors, or their login patterns, all of which could be used to raise a red flag and thwart a potential attack.
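The kind of check described in the paragraphs above, as an added example that is not from the article and is not NuData's or EMV 3DS's actual logic: a login made with a valid card is compared against the cardholder's passively collected baseline for typing speed, login hour and location. The field names, thresholds and sample history are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed login history for one hypothetical cardholder:
# cps = typing speed (characters/second), hour = local login hour, site = origin.
HISTORY = [
    {"cps": 5.1, "hour": 8, "site": "HQ"},
    {"cps": 4.8, "hour": 9, "site": "HQ"},
    {"cps": 5.3, "hour": 8, "site": "VPN-MD"},
    {"cps": 5.0, "hour": 7, "site": "HQ"},
    {"cps": 4.9, "hour": 9, "site": "HQ"},
    {"cps": 5.2, "hour": 8, "site": "VPN-MD"},
]
MIN_HISTORY = 5      # assumed: below this, no baseline is trusted
Z_LIMIT = 3.0        # assumed: typing-speed deviations beyond 3 sigma are flagged
HOUR_SLACK = 1       # assumed: tolerate logins one hour outside the usual range


def build_baseline(history):
    """Summarise passively collected history into a per-user profile."""
    if len(history) < MIN_HISTORY:
        return None
    cps = [e["cps"] for e in history]
    hours = [e["hour"] for e in history]
    return {
        "cps_mean": mean(cps),
        "cps_sd": max(stdev(cps), 0.1),  # floor avoids divide-by-near-zero
        "hours": (min(hours) - HOUR_SLACK, max(hours) + HOUR_SLACK),
        "sites": {e["site"] for e in history},
    }


def assess(event, baseline):
    """Return (decision, reasons) for one card-authenticated login event."""
    if baseline is None:
        return "step_up", ["insufficient baseline"]
    reasons = []
    if abs(event["cps"] - baseline["cps_mean"]) / baseline["cps_sd"] > Z_LIMIT:
        reasons.append("typing cadence")
    lo, hi = baseline["hours"]
    if not lo <= event["hour"] <= hi:
        reasons.append("login hour")
    if event["site"] not in baseline["sites"]:
        reasons.append("new location")
    # One anomaly asks for another factor; several together block and alert.
    decision = ("allow", "step_up", "block_and_alert")[min(len(reasons), 2)]
    return decision, reasons
```

A single unfamiliar signal, such as an employee travelling, only triggers step-up authentication, which keeps false positives from locking out legitimate cardholders.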

I’m confident that our grocery stores are secure given the current level of technology, as are our in-person voting protocols. But it’s always good to look at new security methods, and it seems like EMV 3DS has the potential to be a great benefit to government, enhancing what agencies already have in place and closing a few potential vulnerabilities.

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
