We have had a number of different views expressed recently on our approach to creating an alternative to Microsoft Passport with ActiveCheckout. http://checkout.gpayments.com/
Our position is that unless alternatives are introduced into the market, Microsoft will eventually end up owning OUR INFORMATION and controlling our ONLINE IDENTITIES. The current Passport Terms of Use agreement not only fails to guarantee confidentially, but actually gives Microsoft and its business partners the right to OWN YOUR IDENTITY, and do pretty much what they want with it. For further information see http://www.theregister.co.uk/content/6/18002.html ActiveCheckout is the approach we have taken to provide an alternative. We appreciate any constructive feedback which assists us in providing a solution to this problem. This has been an interesting discussion which has diverged into a number of areas and I would like to thank everyone who has shared their views and participated in the discussion. I have attempted to reference as many of these views as possible and give some further background in this response. Both PC's and Servers have vulnerabilities when it comes to secure data storage. However, in some cases the PC is not the most insecure place to store information. The rewards for hacking into a PC are not as great as hacking a server and the PC also gains a security advantage through safety in numbers. Where ever sensitive information is stored it should be stored in encrypted form and only be accessible via password. As was pointed out, passwords are the most common form of protection on the web and the web is growing at a healthy rate based upon password authentication systems. We agree that most users do not have the interest or ability to secure their PC's. ActiveCheckout had to be designed to take care of this without the user even knowing it. This is why the user only has to type in their information into the applet and create a password. Their information is then automatically stored more securely than if they were to type the information into, for example, a word processing document. This is the approach we took with ActiveCheckout by storing the sensitive information in encrypted form on the user's local PC. Our approach is not the same as Microsoft's in emphasizing convenience over security. The focus of ActiveCheckout is security, privacy and the ability to leverage industry standard authentication schemes being introduced by major credit card companies. While there are many shock-value news stories regarding the fraudulent use of credit cards online, I am assuming that as we move forward people will continue to transact over the Internet in greater numbers. ActiveCheckout is different from the WALLETS which were promoted by Microsoft and IBM - Please see http://checkout.gpayments.com/faq5.htm which has comparison tables for both Microsoft and IBM wallets. We agree with the approach taken by the working group in the x9.59 standards regarding making the financial transactions authenticated. If Verified by Visa and MasterCard SPA/UCAF become ubiquitous the result will be that credit card account numbers are no longer shared-secrets and the concern regarding storage of account numbers will diminish. While ActiveCheckout is really built for this future it also recognizes that the credit card number must remain an unauthenticated shared secret in the medium term. Therefore ActiveCheckout encrypts the credit card number for storage on the user's local PC rather than storing it in the clear. This is designed to mitigate the possibility of credit card fraud attacks such as Egghead.com, CD Universe etc. We should have said that authentication of online credit card payments should remain with credit card issuers rather than with technology companies such as Microsoft. This does not preclude other organisations from providing authentication services for other non-financial services or for other payment types. We are keen for the banks to work with other trusted entities but once again the reality is that banks have shown a reluctance to do this. While there are exceptions, most of the time banks see these other entitites as potential competitors. We feel that for Consumers to buy generic signing devices with pin pads involves too much friction for the consumer to make authenticated online transactions. Authentication should at a minimum only require software and not hardware which is expensive and not always available. I must make it clear that ActiveCheckout does not sell, share or reveal any kind of personal information on anyone unless the user chooses to provide this information via a standard website to third parties. In this way it is different from consumer shopping and advertising networks. ActiveCheckout was designed specifically as an identity management and authentication solution. ActiveCheckout does give the user the ability to manage their authentication themselves. It does not involve any certificate authority being involved in the authenticated transactions. It actually gives the individual the right to identify themselves to other parties in transactions through enlisting the assistance of their bank. We agree that individuals have a right to their own reputation and that this is certainly a higher natural right than the right of some person or company who sold me a product. The logical extension here is that the individual should be able to maintain their own identity in their own applet rather than having it maintained by Amazon, AOL, Microsoft or Yahoo. For further information I will refer you to another GPayments whitepaper: Electronic Wallets: Past, Present and Future which can be found at http://www.gpayments.com/pdfs/GPayments_eWallet_Whitepaper.pdf There is a general concern over a single bank being able to gain access to a consumer's lifetime banking transaction history. We realized that consumers are always going to deal with more than one financial institution and for this reason ActiveCheckout supports multiple banks. It allows a cardholder to enter multiple credit cards from multiple issuers, potentially authenticate with all of them while providing a single management point for the consumer. From this perspective ActiveCheckout could be viewed as a personal authentication gateway for the consumer. While I would characterize ActiveCheckout as an alternative to Microsoft Passport I would say that it is an applet which could work with inititatives such as Liberty Alliance in the future. We agree that banks and credit card companies have the best chances of hosting/supporting authentication schemes due to their trust function. However, these organisations are slow when it comes to deploying the technology to support the authentication schemes. Our approach is to provide an applet which can connect to banks, when they come on board with authentication standards, but allows the consumer to retain control of their online identity. Brent Clark GPayments -----Original Message----- From: Pete Thomas [mailto:[EMAIL PROTECTED]] Sent: Thursday, May 16, 2002 1:37 AM To: 'Don Park'; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: Alternative to Microsoft Passport: Sunshine vs I think we are subverting the original topic around Microsoft Passport and the Gpayment wallet, and turning it into a thread entitled 'Fear of a Hacker Planet'. Let's return to the issue and mention the similar Liberty Alliance project, http://www.projectliberty.org, and a relatively recent report on the subject by Mastercard (July 2001, available on http://www.finextra.com/Finextra-downloads/MCARD_EWALLET.PDF). Questions exist about whether such eWallet initiatives: (1) are effective in building a better customer experience using existing e-commerce authentication schemes; (2) will generate sufficient 'network good' in the marketplace for merchants to consider promoting them, and (3) can straddle the inherent competitive sensitivities of e-commerce aggregation. The first issue is addressed very well by Gpayments' collateral and the Mastercard report. Despite its appeal, single sign-on alone is rarely a good enough reason for a consumer to install an aggregator-wallet per se - a considerable leap of faith by the user is required (on the lines of 'don't put all your eggs in one basket', no matter how trustworthy the basket). The additional effort of installing the client-side software is typically sweetened by peripheral customer benefits: automated form population (ex: MS Passport, Gpayments); screen-scraping, or aggregated views of e-commerce accounts (ex: Yodlee); the ability to encrypt personal files; (for corporate scale implementations) intelligent management of ACLs (ex: Ubizen's MultiSecure); etc. Even stronger, commercial sweeteners are being tried by some players in the space - discounts at wallet-linked merchants (ex: AllCharge), affilated access to multiple digital content providers (ex: ClickShare), or enforcing wallet-usage as a pre-requisite for using a specific service (numerous pre-pay schemes take this approach, ex: Germany's Paybest). Mastercard's evidence suggests that banks and credit card companies have better chances of hosting/supporting these schemes (53%, versus 36% for Internet Companies and 11% for ISPs). The second issue is that the best technology doesn't always win. Merchants will not invest in enabling their sites to participate in wallet-enabled revenue-share schemes unless they see a positive effect on their bottom line: more (or more loyal) customers, fewer shopping cart abandonments, cost reductions, revenue increases, and... dare I mention it... profits. Few technology start-ups can afford to target a global, mass-market consumer base and build sufficient recognition for their wallet. They need to focus on relationship building among organisations with a ready-made consumer base (banks, telcos, utilities, retailers, etc.). Microsoft's trump card rests on its brand recognition, sheer size, deep pockets and ability to suppport developers building .net compliant platforms. The Liberty Alliance has these too, but I'm guessing that marketing of the Liberty wallet is likely to be slowed by the collegiate decision-making of all collaborative e-commerce groups... any insider comments on progress at the Liberty Alliance are welcome. The third issue is highly relevant in the financial sector, especially in countries where a handful of domestic banks typically dominate the retail scene (read 'nearly all countries'). Customer ownership and The Brand are major issues for financial institutions. Around two years ago, aggregation schemes were seen as a killer application in e-banking, yet banks have woken up to the competitive issues of the technology ('how can we monitor customer use of our platform?', 'why should the bank rely on the security of a third party technology, rather than direct customer authentication?', 'this wallet widget completely ignores my logo and never falls for my cross-sell ads', etc.). In Europe at least, only the brave financial institution would attempt a unilateral wallet scheme that is able to store passwords of a competing bank's e-banking app. Multilateral, cobrand and white label workarounds seek to solve the issue (see the FSTC's FAST initiative). The jury is still out here, too. Let's discuss these issues with a view to some consensus. Pete Thomas - Marketing and Communications Clear2Pay - In banks, we trust Zikkelstraat 64 rue de la Faucille - 1970 Wezembeek-Oppem (Brussels) - Belgium T: +32 2 759 94 96 - F: +32 2 759 45 54 E-mail: [EMAIL PROTECTED] Web: www.clear2pay.com P.S. - As to security, as former editor of SecurityWatch.com I've seen my fair share of shock articles... a new one surfaces every month or so in the big news sources, and every few minutes on infosec portals like www.securitynewsportal.com. I agree with Don that the carder issue is neither new, nor will it disappear. The issue remains one of ensuring that risk is manageable. Until we all sprout wings and strum harps, society will be subject to crime. So in the meantime, we must engage in a security and legislative arms race: the benefits of a good e-commerce application should outweigh the risks, every time. -- This message is confidential and may contain privileged information. If you are not the above named addressee or authorized to receive this message on behalf of the addressee, you are not allowed to use, copy, disclose or take any action based on it or any information herein. If you are not the intended recipient of this message, please advise the sender immediately by reply e-mail or phone and delete this message. If you are the intended recipient please be aware that the e-mail message does not establish any legally binding relationship. Thank you for your cooperation. -----Original Message----- From: Don Park [mailto:[EMAIL PROTECTED]] Sent: Wednesday, May 15, 2002 12:09 AM To: '[EMAIL PROTECTED] '; '[EMAIL PROTECTED] ' Subject: RE: Alternative to Microsoft Passport: Sunshine vs John, I have read the news article about apparently blooming and evolving business of trading credit cards and card numbers. To be frank, it was not news to me. Desperate and creative people, like rats, will steal what they can. Its a fact of life. You can't get rid of them just as you can't get rid of rats in ships. You wrote: "I'm deadly serious! Take a couple of minutes *right now* and read this article carefully - it will certainly be the most important thing you do today (if not this YEAR)." You are starting to sound more like a salesman than a security expert at this point. Your company, PaymentCentral, sells "Secure Telephone Transfer" and claims that telephone is the most secure payment method. Nice pitch, but it will take more than a doomsday salesman to stop the online payment industry. Getting back to the original subject, validity of client-side authentication, my position is that the risk is within acceptable limits because a) credit card number theft from desktops are not easily scalable, and b) there are more rewarding preys (i.e. servers). Yes, entrepreneurial hackers sometime attack desktops, but they usually do so to look for information that will help them hack into servers. Run of the mill hackers attacking desktops are either small fries or on a joyride. The article also pointed toward evolving and organizing world of credit card black market. My position is that attempts to organize such market beyond the 'acceptable' level will result in its own demise. If you have studied the Catastrophe theory, you will know that something will snap and rats will have to scramble yet again and life will go on. Best, Don Park -----Original Message----- From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: 5/14/02 7:43 AM Subject: RE: Alternative to Microsoft Passport: Sunshine vs DO>It is true that desktop machines are easily compromised. However, we are DO>not searching for the holy grail here, just something practical and DO>acceptable to all parties involved. Also, I don't see the point of trying DO>to solve everything with technology when there are other means such as DO>social, legal, and business means to control the risk. DO>Practically entire web is currently protected with just passwords yet the DO>web is healthy and thriving despite constant attacks at all points. DO>Everyone knows that DNS is a weak chain, yet billions use it everyday. DO>Best, DO>Don Park Don, If you really believe that ANY online method can possibly be "practical and acceptable to all parties concerned", then check out this article which appeared yesterday in the New York Times, and come back and tell me if your opinion remains the same - if it does, then (forgive me!) you're living in a dream world, not the real world. http://story.news.yahoo.com/news?tmpl=story&cid=68&ncid=68&e=2&u=/nyt/ 20020513/ts_nyt/credit_card_theft_thrives_online_as_global_market_losses _grow I'm deadly serious! Take a couple of minutes *right now* and read this article carefully - it will certainly be the most important thing you do today (if not this YEAR). (If you have any trouble accessing it, let me know and I'll send you a copy.) Cheers, John Vinokur President Payment Central Inc. mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]