You’ll hear us repeat phrases like “Secure Credentialing” or “Privilege Entitlement and Access Control”. That’s because it’s actually the correct way to think about things like Mobile Payments. After all, what are “Mobile Payments”? Aren’t they your ability to pay, crammed into your phone? What are we cramming into that phone? A credit card or debit card? What’s that? A credit card is nothing but a piece of plastic, with a number written on it, that represents your PRIVILEGE to use a pre-approved bank line of credit. In other words, the credit card is a credential, representing a banking privilege.
Now just consider how many credentialed privileges we enjoy on a daily basis. Driving a car (driver’s license), boarding a train or plane (ticket/boarding pass), entering a building (security badge), accessing government services and entitlements (Social Security card/Medicare card), using a cell phone (SIM card), employment (corporate ID), education (school ID), healthcare (health card), web services (SSL/PKI certificate)... we enjoy these privileges daily without even thinking about them, and they are all represented by a credential of some sort. Of course, these privileges are extremely valuable, which is why people try to steal them or damage them. Thus, the credentialing system is nothing but an access control system designed to protect access to those valuable privileges.
Now consider this. According to Verizon, as much as 76% of all data breaches last year were exploits of weak credentialing systems. In fact, we find weak credentialing and access control at the heart of most of the major problems of the day. Credentialing is a primary element of Entitlement Reform and Immigration Reform. Even the tragedy of 9/11 was a similar exploit, where the hijackers used fake credentials to get into the United States, access flight school and board planes. Identity theft and most online frauds are schemes based on a purposeful misrepresentation of an identity, which by default is enabled by the weak credentialing that presumes to guard the privilege. You can read a bit about this Verizon report here:
I’d like to make two primary points here.
First... it’s clear that what we are doing isn’t working. Anti-virus? Security Information & Event Management (SIEM)? Perimeter security systems? OTP tokens? Passwords/PINs? ID cards? If this stuff was actually that effective, why are these frauds and attacks so pervasive? In fact, traditional security systems cannot effectively thwart these attacks because they are either reactive by design or they are simply a second credential representing the first credential. Weak protecting the weak. Consider anti-virus and SIEM, for example. These technologies presume to recognize an attack or violation by comparing real-time network behaviors to a template or portfolio of attack signatures. However, they cannot anticipate new signatures and, therefore, cannot prevent new forms of attack. In fact, their ability to thwart an attack is based purely on what we’ve learned from previous attacks. Well... you can’t see the future in the rear-view mirror. Can you?
Second... all these credentialing systems are broken and are in the process of being replaced. Governments across the globe, led largely by the US Government, have worked to design and prove new forms of Privilege Entitlement Systems that require new forms of Secure Credentialing & Identification to protect those privileges. There are three primary components of the modern Secure Credentialing System: biometrics, smartcards and cryptography. Importantly, biometrics are the only way to physically connect a person to a transaction at the time of the transaction. This is why government-imposed credentialing systems, like those governing Federal ID cards and passports, require all three, including biometrics. Now, don’t you think governments will consider this when attempting to fix highly regulated (by government) industries, like banking and healthcare?
All these weak credentialing systems will be replaced, which is a mind-bogglingly large task. Maybe it’s easier to shift to another system, rather than rip out and replace all the sunk infrastructure. Enter the biometric, crypto and NFC-enabled smartphone...