The Secure Digital Wallet Portal

Prashant Dewan and David Durham, Intel

Secure Digital Wallet Portal (SDWP) enables the users to manage their credentials for various banks, e-commerce websites, e-mail servers on laptops, desktops and MIDs so that their susceptibility to identity fraud is minimized. Identity fraud is one of the ways by which the criminals on the Internet steal innocent user’s credentials and use it for illegitimate purposes. Criminals can steal credit card numbers to buy things on the Internet and tarnish our credit history. It can take a few days to a few months with lots of pain for the owner of the card to recover from such misuse. In the extreme cases the damage done could be irreparable.

The concept of digital wallets is a decade old. The early attempts forced users to download software for each merchant; later the merchants started storing user’s information on the merchant’s sites thereby raising privacy concerns. Subsequently each merchant had its own data format leading to the Electronic Common Modeling Language (ECML) Standard (D. Eastlake, T. Goldstein, RFCc3106 - ECML v1.1: Field Specifications for E-Commerce, April 2001, Available: http://www.faqs.org/rfcs/rfc3106.html). Moreover with the advent of near field technology (NFC) the same wallets can be used for traditional physical merchants and in online e-commerce.

Traditionally the e-commerce industry has used smart cards, smart dongles etc. for various forms of wallet applications. Besides adding to the cost, these hardware solutions are susceptible to increasingly smart malware attacks running on the user’s platform. In addition, more and more users are being exposed to phishing attacks. There also have been attempts to use single sign-on mechanism by certain web portals.

The digital wallet portal will be present on multitude of devices possessed by the user: laptops, to desktops, to cell phones etc. A user would be able to seamlessly transfer credit cards and digital money across different devices and use it for e-commerce and traditional commerce. The credit card information stored in the platform will only be transferred to the user-authorized third parties. The digital wallet will be protected against malware running in the operating system like key loggers, screen scrapers, phishing etc., resilient to social engineering, and can be made defunct if the device is stolen. Finally, it allows users to store e-tickets. SDWP uses ECML to populate merchant websites on user approval. In addition, it enables the user to validate transaction information before accepting the transaction and thereby safeguarding the user against phishing attacks.

SDW is based on security visor developed using CPU and memory virtualization to restrict illegitimate accesses to user credentials in transit and at rest. The access control is enforced under the operating system without modifying the OS kernel. More specifically the confidential information is encrypted while on disk and maintained in an enclave while in memory in a fashion that only an authenticated and validated code can access this information. Even the graphics rendered on the screen is under strict access control enforced by the security visor. The user’s information is stored on the user’s platform and shared only with the authorized services.

Digital Wallets are making a comeback especially in the ultra mobile platforms. SDWP advances the state-of-art by providing digital wallet usable across multitude of e-commerce sites and providing protection against platform resident malware and other forms of phishing attacks.

 

Security Challenges in Web Browsing: E-transactions

Subhashini Ganapathy, Delbert Marsh, and Glen J. Anderson, Intel

With significant increase in distributed data that can be accessed by various Web 2.0 applications and a variety of computing devices, the exposure of information to a wide array of threats has also increased. Also, these threats arise from many sources as an increasing number of hackers are driven by profit from identity theft. Many of the companies are focusing on going towards paperless transactions in an effort to go green.

As money becomes an increasingly digital construct and less physically tangible there is a need to ensure a balance of proper levels of security to protect a person’s identity and assets with ease of use and unfettered accessibility to their financial resources.

The focus of this paper will be on looking at security considerations for online transactions. The paper will address some of the perception of the IT administrators of companies with respect to browser security, based on data collected via semi-structured, on-site interviews with 25-30 IT professionals in the United States and United Kingdom across various business segments. The preliminary findings show that there is an increased concern on security from companies in United Kingdom vs. United States. UK more restricted in plug-ins and personal browsing. US more relaxed policies Field study also indicates that some companies feel that browser security is under control with the use of firewalls and anti-virus solutions. There is not a need to explicitly indicate that the browser is secure and safe. Some companies like the idea of protecting personal and transaction data. The paper will also demonstrate some methodologies to address the security concerns for these companies such as authentication of the legitimacy of the user and communication vehicles to satisfactorily convey and establish a trust relationship with the user of the system. Applying a human centered approach to security technologies will help alleviate problems associated with trust, usability and performance.

About the authors

Subhashini Ganapathy is a user experience researcher at Intel. She joined Intel in 2006 and began working in the Security Application Services group. Subhashini received her Ph.D. in Human factors engineering from Wright State University, Dayton OH. Her research interests include modeling human interactions on complex systems, decision making, information protection, model-based information technology systems, design optimization, and simulation and modeling. Her email is subhashini.ganapathy [at] intel.com

Delbert Marsh received his B.S. degree in Human Factors in 1995 from Florida Tech and his M.S. degree in Human Factors in 1998 from Clemson University. He joined Intel in 1999 working in an internal consulting capacity to design and evaluate internal applications before switching to his current role as a User Experience Researcher focusing on future home, office, and mobile product offerings in January of 2006. Prior to Intel, Delbert worked in aerospace doing interface design and testing supporting NASA, the FAA, and the US military. His e-mail is delbert.k.marsh.ii [at] intel.com

Glen J. Anderson joined Intel in 2004 and began work on implementing and evolving the U2PR process, first for the Digital Home Platform, then for the Digital Office. His interests include applied-research methodologies, mobile device design, online help systems, and patenting of user-oriented technology and methods. Glen received his BA degree in Psychology in 1987 from the University of St. Thomas; his MA degree in 1991, and his Ph.D. degree in 1993 in Human Factors Psychology from the University of South Dakota. His email is Glen.J.Anderson [at] intel.com

Money at the Intersection of Culture, Economy and Society: A Social Life of Money and the Inside Story of www.zopa.com

Bruce Davis, Freemarket

One day in 2003, a freelance ethnographic researcher found himself sitting in a converted barn nestling in the English countryside with the co-founder of egg (at the time, the world’s largest online bank) drinking coffee and eating cookies.  The topic of conversation was not the search for a new product or innovation, but rather a point of view.  After 10 years creating market leading innovations in the world of banking, Richard Duvall felt that he needed to step back and find a new point of view on the social and cultural change that he perceived to be going on around him – change which challenged his own perspective specifically on what money means to people in everyday life and what we value about money and finance.  What was the world going to be like when the dust settled on the internet boom?  What were the opportunities for himself as an entrepreneurial individual?

Egg had been an early adopter (in UK terms) of ethnographic research in the development of its products and services. Richard recognized the value of looking beyond conventional perspectives of ‘consumers’ and ‘needs’ and instead understanding the implications of the ‘social life of things’ – specifically what that meant for the meaning and value of money in an increasingly digitally enabled, individualized and changing cultural context.

While talking about my own experiences and the different ways that money was part of the creation and affirmation of meaning in the social and cultural experience of everyday life, it soon became clear that the ‘meanings’ of money were increasingly disconnected any idea of money being created and symbolized by banks, financial systems and macro economics.  Money and the value of financial services were not immune to the individualization of culture enabled by the digital revolution.

Working together with a group of co-escapees from egg, the result of these conversations was zopa.com, the world’s first social lending website - a site which allows individuals to lend and borrow from one another via the internet without the need for banks or conventional institutions. Described as ‘eBay for money’ it has gone on to attract more than $50 m in funding and launch in the UK, USA, Italy and beyond – with an increasing number of imitations around the world including prosper.com and …

This paper will tell the inside story of the creation of zopa.com and the ethnographic insights that inspired a completely new perspective the role and value of digital money in everyday life, and also how those experiences have been taken into other areas of banking, from sales processes, branch designs and new product development in UK, Europe, Russia and USA.

Richard Duvall sadly died suddenly of cancer in 2006, but he did live to see his vision realized and shared by 200,000 users in the UK alone and the launch of the site in the USA.

Links

• Slides presented at talk

About the author

Bruce Davis continues to work as a freelance researcher studying the social life of consumption, brands and of course, money. His clients include Unilever, Bacardi, egg, Royal Bank of Scotland, HBOS, Orange, Vodafone, GfK NOP, UK government (Treasury and Direct.gov)  – he has been a contributor to reports on the future of digital money for IPPR and digital consumer activism for OfCom (to be published in September). He lives near the Thames in London with his wife and 4, soon to be 5, children. His most valued marketing creation is Monkey Shoulder whisky – inspired by weeks of immersion in the UK drinking culture on behalf of William Grant and Son’s.  A drink that can claim to be the world’s first ethnographically inspired whisky!