[Openid-specs-fapi] Fwd: Letter from Vice-President Valdis Dombrovskis: Comments about Redirection

Tom Jones thomasclinganjones at gmail.com
Wed Feb 27 07:17:41 UTC 2019


We have PISPs today in the US. For example Amazon, PayPal, and to a certain extent Square. They are all bound by the fed reg that limits losses to the consumer. We have electronic check presentment, so we have something like PISPs: checks are scanned at checkout, or by a cell phone snap. So far I have heard few complaints about exploits for check presentment, but since they are new perhaps the bad guys haven't figured them out yet. It might be instructive to consider that PayPal was designed to do direct-to-bank withdrawals (ACH), but afaik is mostly using the credit card networks today.



What is new is direct merchant to PISP to bank, all operating in the consumer's cell phone and not out on networks that we understand today. There is a lot of hand waving about how this can be made secure, but I have not seen any evidence to that fact, and even if there were robust threat analyses, I expect that the bad guys will have a great deal of fun finding new vulnerabilities that have not been expected. Consider the man-in-the-middle attack running entirely inside your cell phone. As a matter of fact I have not even seen a rich data flow diagram of the process, only some slideware. A rich DFD is a prerequisite to a good threat model and analysis.



What else is new (at least to my knowledge) is direct withdrawals from a consumer's bank account by a merchant or a PISP, other than the debit card case, which does something like that but with different rules and a different network (same as credit card) than a bank transfer (ACH). Theoretically a merchant could use the ATM network to get direct access to a consumer's account, but I have not heard of that either. The ATMs at the casinos are still outside the cashier's window. When they go inside, be afraid.



I heard one of the start-ups in a December W3C CCG meeting explain that the fundamental difference between the US and Europe is that the US banks are considered to be fiduciaries of the user, whereas that is not the case in Europe. I cannot attest to that myself. If you have knowledge of that I would like to hear it. What little I do know comes from Ross Anderson's exposé of the UK banks, which was pretty damning.



Peace ..tom



________________________________
From: Anders Rundgren <anders.rundgren.net at gmail.com>
Sent: Tuesday, February 26, 2019 10:48:12 PM
To: Financial API Working Group List; Tom Jones
Subject: Re: [Openid-specs-fapi] Fwd: Letter from Vice-President Valdis Dombrovskis: Comments about Redirection

On 2019-02-24 23:07, Tom Jones via Openid-specs-fapi wrote:
> Boy, you hit the nail on the head there. The bank regulators will take the side of the merchant and pisp over the bank and its customer.  What could possibly go wrong?


Tom,
Just for my curiosity, could you elaborate a bit about what *new* security issues PISPs bring to the table and if you see any remedies to them?

Anders

> Peace ..tom
>
>
> On Sun, Feb 24, 2019 at 12:15 PM Dave Tonge <dave.tonge at momentumft.co.uk <mailto:dave.tonge at momentumft.co.uk>> wrote:
>
>     Big merchants will become PISPs, but it's not worth it for smaller merchants.
>     The UX doesn't need to be too bad though in a 4 party model - the PISP can collect consent in a widget on the merchant site before redirecting to the bank.
>
>     The negativity against redirection is quite strange as PSD2 essentially brought in two competing requirements:
>       - third party payment initiation
>       - strong customer authentication
>
>     Those against redirect have in their mind the mental model of card based payments where the user enters some numbers in the merchant website and never interacts with the bank who issued the card. However all card payments will end up having to be redirected because of the strong customer authentication requirements - so it is a contradictory position to hold.
>
>     I think that most regulators will take a pragmatic position on this based on whether the bank is putting up "obstacles".
>
>     Dave
>
>     On Sat, 23 Feb 2019 at 05:09, Tom Jones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
>
>         Why would the merchant not seek to become the PISP? Then the UX is pretty, but highly insecure. Isn't that what PSD is all about?
>
>         thx ..Tom (mobile)
>
>         On Fri, Feb 22, 2019, 7:45 PM Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
>
>             On 2019-02-22 13:25, nat at sakimura.org <mailto:nat at sakimura.org> wrote:
>              > And interestingly, the Nordic countries support OpenID Connect in the redirect modes. It is actually quite interesting that people get the impression that redirects are user-unfriendly where in fact, if done correctly, it is hardly noticeable by the user. I probably should make a YouTube video about it.
>
>             In a two-party scenario like a Fintech + Bank it can work fairly smoothly.
>
>             For a three-party scenario like Merchant + PISP + Bank, the UX part as a whole seems like a challenge.  That's the video I would like to see!
>
>             Anders
>
>             _______________________________________________
>             Openid-specs-fapi mailing list
>             Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
>             http://lists.openid.net/mailman/listinfo/openid-specs-fapi
>
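The thread argues about whether the redirect-based Merchant + PISP + Bank flow can be both usable and secure, and Tom notes that a data flow diagram of it is a prerequisite for any threat model. The following is an added example, not code from the thread or from any of the participants or their projects: an in-memory Python simulation of the four-party exchange Dave describes (the PISP collects consent in a widget on the merchant site, redirects the user to the bank for strong customer authentication, and receives the user back on a registered redirect URI). The party names, the `pisp-1` client id, the `https://pisp.example/cb` URI, the one-time-password value and the account balances are all constructed for the simulation. It also shows two of the checks that "done correctly" implies: the bank only honours a redirect URI registered for that PISP, the PISP only accepts a callback whose `state` matches a payment it initiated, and a settlement code is single-use.

```python
# Added example, not from the thread: in-memory simulation of the
# Merchant -> PISP -> Bank redirect flow. All names, URIs, the OTP and
# the balances below are constructed for the simulation.
import secrets
from dataclasses import dataclass, field

SCA_OTP = "123456"  # constructed: stands in for the bank's strong customer authentication


@dataclass
class Bank:
    """The account-holding bank: performs SCA and moves the money."""
    accounts: dict
    registered: dict                              # PISP client_id -> registered redirect URI
    pending: dict = field(default_factory=dict)   # one-time code -> (client_id, amount, payee)

    def authorize(self, client_id, redirect_uri, state, amount, payee, otp):
        """Front channel: the user arrives here via the PISP's redirect."""
        if self.registered.get(client_id) != redirect_uri:
            raise PermissionError("unregistered PISP or redirect URI")
        if otp != SCA_OTP:
            raise PermissionError("SCA failed")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (client_id, amount, payee)   # bind amount/payee to the code
        # state is echoed unchanged so the PISP can match this redirect to its own session
        return {"redirect_uri": redirect_uri, "code": code, "state": state}

    def redeem(self, client_id, code):
        """Back channel: the PISP swaps the one-time code for settlement."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[0] != client_id:
            raise PermissionError("unknown or replayed code")
        _, amount, payee = entry
        if self.accounts["psu"] < amount:
            raise PermissionError("insufficient funds")
        self.accounts["psu"] -= amount
        self.accounts[payee] = self.accounts.get(payee, 0) + amount
        return "settled"


@dataclass
class PISP:
    """Payment initiation service provider between merchant and bank."""
    client_id: str
    redirect_uri: str
    sessions: dict = field(default_factory=dict)  # state -> (order_id, amount, payee)

    def initiate(self, order_id, amount, payee, consent_given):
        """Consent is collected in the PISP widget on the merchant site, then redirect to bank."""
        if not consent_given:
            raise PermissionError("user declined")
        state = secrets.token_urlsafe(16)
        self.sessions[state] = (order_id, amount, payee)
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "state": state, "amount": amount, "payee": payee}

    def callback(self, bank, code, state):
        """Redirect back from the bank: state must match a session this PISP started."""
        session = self.sessions.pop(state, None)
        if session is None:
            return None, "rejected: state does not match an initiated payment"
        order_id, _, _ = session
        return order_id, bank.redeem(self.client_id, code)


def run_flow(amount=20, forge_state=False, replay=False):
    """Drive the whole three-party exchange and report the outcome and balances."""
    bank = Bank(accounts={"psu": 100, "merchant": 0},
                registered={"pisp-1": "https://pisp.example/cb"})
    pisp = PISP(client_id="pisp-1", redirect_uri="https://pisp.example/cb")
    # 1. merchant hands the order to the PISP, which collects the user's consent
    req = pisp.initiate("order-42", amount, "merchant", consent_given=True)
    # 2. user is redirected to the bank and authenticates (SCA)
    resp = bank.authorize(req["client_id"], req["redirect_uri"], req["state"],
                          req["amount"], req["payee"], SCA_OTP)
    # 3. bank redirects back to the PISP with the code and the echoed state
    state = "attacker-chosen" if forge_state else resp["state"]
    order, status = pisp.callback(bank, resp["code"], state)
    if replay:
        # a second delivery of the same code must not settle twice
        try:
            bank.redeem("pisp-1", resp["code"])
        except PermissionError as exc:
            status = f"{status}; replay blocked: {exc}"
    return {"order": order, "status": status, **bank.accounts}


if __name__ == "__main__":
    print(run_flow())                    # settled, psu 80 / merchant 20
    print(run_flow(forge_state=True))    # rejected, balances untouched
    print(run_flow(replay=True))         # settled once, replay blocked
```

The three `run_flow` variants are the beginnings of the threat model Tom asks for: each message crossing a trust boundary (merchant to PISP, PISP to bank via the user's browser, bank back to PISP) is one edge of the DFD, and the forged-state and replayed-code cases are two of the abuse cases that an analysis of that diagram would have to cover.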
