<div dir="ltr"><div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><p style="margin:0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">Tom, there seems to be some confusion here. The CIBA profile provides a standard for backchannel auth. It is not tied to mobile phones even, it is just that the first "use case" was for Mobile Connect.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">In FAPI we are proposing that banks use CIBA in the following way:</p><ol style="margin:4px 0px 0px;padding:0px 0px 0px 40px;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px"><li style="word-wrap:break-word">A bank onboards a customer to the bank's mobile app (this is in the competitive space, but this onboarding process should hopefully include the generation of a key-pair, with a private key that never leaves that device).</li><li style="margin:0px;word-wrap:break-word">The customer uses this banking app for everyday banking interactions - the bank can obviously implement this in any way they see fit</li><li style="margin:0px;word-wrap:break-word">The bank implements CIBA and defines some <code style="font-family:SFMono-Medium,"SF Mono","Segoe UI Mono","Roboto Mono","Ubuntu Mono",Menlo,Courier,monospace;font-size:12px;line-height:1.4;padding:1px 3px;border:0px;border-radius:3px;background:rgb(245,245,245);box-sizing:border-box;display:inline-block;max-width:100%;overflow-x:auto;vertical-align:bottom;white-space:nowrap">login_hint</code> that third parties can use to start a CIBA 
request - this could be a username, an email address, a card number, etc.</li><li style="margin:0px;word-wrap:break-word">When the bank receives a CIBA request from a valid client with a valid login_hint, it sends a push notification to the user's device. (NB, not an SMS, but rather an Apple or Android push notification)</li><li style="margin:0px;word-wrap:break-word">The user opens their banking app from the push notification and is shown a consent screen where they can authorize the requested access</li><li style="margin:0px;word-wrap:break-word">Once the user authorizes the request, the client is issued an access token</li></ol><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">(NB the flow will probably include the comparison of binding messages, but we are still working through the detail of that)</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">The bank should have as strong an assurance that it is interacting with its user as any other time that the user is using the banking app.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">An attacker couldn't spoof this flow by hijacking the user's phone number as the flow doesn't use SMS messages or any telco based identity factors.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica 
Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">If an attacker hijacked the Apple / Google push notification system, the flow still wouldn't break as the banking app would need to retrieve the consent details to display directly from the bank's servers.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">Hopefully, this clarifies the proposed use case of CIBA in a FAPI context.</p><p style="margin:12px 0px 0px;padding:0px;word-wrap:break-word;color:rgb(23,43,77);font-family:-apple-system,system-ui,"Segoe UI",Roboto,Oxygen,Ubuntu,"Fira Sans","Droid Sans","Helvetica Neue",sans-serif;font-size:14px;letter-spacing:-0.07px">Dave</p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 28 November 2017 at 16:12, Tom Jones via Openid-specs-fapi <span dir="ltr"><<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">To be really clear then. Only the telco can support CIBA, correct?<div><br></div><div>Note that I voted against the MODRNA specs because, IMO, they do not uphold the user consent requirements in OpenID Connect. For FAPI to endorse the telco involvement in a financial transaction would exacerbate this failing.</div><div><br></div><div>..tom</div></div><div class="gmail_extra"><br clear="all"><div><div class="m_215621447756176667gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Peace ..tom</div></div></div></div>
<br><div class="gmail_quote">On Tue, Nov 28, 2017 at 7:16 AM, Gonzalo Fernández <span dir="ltr"><<a href="mailto:issues-reply@bitbucket.org" target="_blank">issues-reply@bitbucket.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div style="font:14px/1.4285714 Arial,sans-serif;color:#333">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td style="background:#f5f5f5;padding:10px 10px 0;font:14px/1.4285714 Arial,sans-serif">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td id="m_215621447756176667m_-4675330633121102806main" style="font:14px/1.4285714 Arial,sans-serif;padding:0;background-color:#fff;border-radius:5px">
<div style="border:1px solid #ccc;border-radius:5px;padding:20px">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td style="font:14px/1.4285714 Arial,sans-serif;padding:0">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td id="m_215621447756176667m_-4675330633121102806avatar" style="font:14px/1.4285714 Arial,sans-serif;padding:0;width:32px;vertical-align:top">
<img width="32" height="32" alt="xixon2002" src="https://avatar-cdn.atlassian.com/8244b0cf5b55c82883cb9a6457821df9?s=32&ts=1511881830" style="border-radius:3px">
</td>
<td id="m_215621447756176667m_-4675330633121102806content" style="font:14px/1.4285714 Arial,sans-serif;padding:0 0 0 10px">
<table style="width:100%;border-collapse:collapse">
<tbody><tr>
<td class="m_215621447756176667m_-4675330633121102806user-action" colspan="2" style="font:14px/1.4285714 Arial,sans-serif;padding:0;line-height:1">
<span>
<strong>Gonzalo Fernández</strong> commented on issue #127:
</span>
</td>
</tr>
<tr>
<td class="m_215621447756176667m_-4675330633121102806title" colspan="2" style="font:14px/1.4285714 Arial,sans-serif;padding:5px 0 0;font-weight:bold;line-height:1.2">
<a href="https://bitbucket.org/openid/fapi/issues/127/ciba-security-issues" style="color:#3572b0;text-decoration:none" target="_blank">CIBA: security issues</a>
</td>
</tr>
<tr>
<td colspan="2" class="m_215621447756176667m_-4675330633121102806markup-content" style="font:14px/1.4285714 Arial,sans-serif;padding:10px 0 15px">
<p style="margin-bottom:0;margin:10px 0 0;padding:0;margin-top:0">Hi Nat,</p>
<p style="margin-bottom:0;margin:10px 0 0;padding:0">Telco companies do know the device associated with a user; in fact, they use such information to improve customer care when he calls about something related to the device. As far as I know, when the terminal has registered on the network, it sends the IMEI, and thanks to that the operator is able to know the device and associate it with the MSISDN and IMSI, because at this time it also has that information.</p>
</td>
</tr>
<tr><td class="m_215621447756176667m_-4675330633121102806spacer" style="font:14px/1.4285714 Arial,sans-serif;padding:10px 0 0"></td><td class="m_215621447756176667m_-4675330633121102806spacer" style="font:14px/1.4285714 Arial,sans-serif;padding:10px 0 0"></td></tr>
</tbody></table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td class="m_215621447756176667m_-4675330633121102806actions" colspan="2" style="font:14px/1.4285714 Arial,sans-serif;padding:10px 0 0;border-top:1px solid #ccc;line-height:1">
<a href="https://bitbucket.org/openid/fapi/issues/127/ciba-security-issues" style="color:#3572b0;text-decoration:none" target="_blank">View this issue</a> or add a comment by replying to this email.
</td>
</tr>
</tbody>
</table>
</div>
<div style="border:1px solid #ccc;border-radius:5px;padding:20px;display:none">
<div>
</div>
</div>
</td>
</tr>
<tr>
<td style="padding:20px 0;color:#707070">
<table style="width:100%;border-collapse:collapse">
<tbody>
<tr>
<td style="padding:0">
</td>
<td style="padding:0">
</td>
<td style="text-align:right;width:100px;padding:0">
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</blockquote></div><br></div>
<br>______________________________<wbr>_________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net">Openid-specs-fapi@lists.<wbr>openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>fapi</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:'Open Sans';font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165);text-decoration:none" target="_blank"><img alt="Moneyhub Enterprise" height="50" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" width="200" style="border:none;padding:0px;border-radius:2px;margin:7px"></a></div><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px;background-color:transparent">10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br></div><div style="color:rgb(97,97,97);font-size:14px;font-weight:normal;font-family:lato,"open sans",arial,sans-serif"><font color="#00a4b7"><span style="font-size:11px;line-height:15.925px"><br></span></font><div style="color:rgb(51,51,51);line-height:1.4"><span style="font-size:0.75em">Moneyhub Enterprise is a trading style of Momentum Financial Technology Limited which is authorised and regulated by the 
Financial Conduct Authority ("FCA"). Momentum Financial Technology is entered on the Financial Services Register </span><span style="font-size:0.75em;background-color:transparent">(FRN </span><span style="font-size:0.75em;background-color:transparent;color:rgb(0,164,183);font-weight:bold">561538</span><span style="font-size:0.75em;background-color:transparent">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. Momentum Financial Technology is registered in England & Wales, company registration number </span><span style="font-size:0.75em;color:rgb(0,164,183);font-weight:bold;background-color:transparent">06909772</span><span style="font-size:0.75em;background-color:transparent"> </span><span style="color:rgb(34,34,34);font-family:arial,sans-serif;background-color:transparent"><font size="1">©</font></span><span style="font-size:0.75em;background-color:transparent"> . </span><span style="background-color:transparent;font-size:0.75em">Momentum Financial Technology Limited 2016. </span></div></div></div></div></div></div></div></div></div></div></div>
</div>
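To make the six-step flow in Dave's message concrete, the following is an added example, not code from this thread, from the FAPI working group or from any CIBA implementation. It simulates the exchange in Python with both sides in one process: the third party calls the bank's backchannel endpoint with a login_hint, the bank pushes only an opaque reference to the device registered at onboarding, the bank's app fetches the consent details from the bank's own servers while proving possession of its device key, and the client's token poll succeeds only after the user approves with a matching binding message. Every name in it is a constructed assumption: the BankAuthServer class, the client tpp-123 and its secret, the login hints alice@example.test and mallory@example.test, and the HMAC tag that stands in for a signature made with the device-bound private key.

```python
import hashlib
import hmac
import secrets


def device_tag(device_key: bytes, auth_req_id: str) -> str:
    # Stand-in (assumption) for a signature with the device-bound private key generated at onboarding.
    return hmac.new(device_key, auth_req_id.encode(), hashlib.sha256).hexdigest()


class BankAuthServer:
    """Constructed stand-in for the bank's CIBA authorization server, poll mode."""

    def __init__(self):
        self.clients = {"tpp-123": "tpp-secret"}  # constructed third-party client
        # Onboarding (constructed): each login_hint maps to one device holding one key.
        self.users = {"alice@example.test": "alice-phone", "mallory@example.test": "mallory-phone"}
        self.devices = {d: secrets.token_bytes(32) for d in self.users.values()}
        self.requests = {}     # auth_req_id -> request record
        self.push_outbox = []  # (device_id, payload) handed to the push service

    def _check_client(self, client_id, client_secret):
        if not hmac.compare_digest(self.clients.get(client_id, ""), client_secret):
            raise PermissionError("invalid_client")

    def bc_authorize(self, client_id, client_secret, login_hint, scope, binding_message):
        # A valid client starts a CIBA request for a known login_hint.
        self._check_client(client_id, client_secret)
        device_id = self.users.get(login_hint)
        if device_id is None:
            raise PermissionError("unknown_user_id")
        auth_req_id = secrets.token_urlsafe(16)
        self.requests[auth_req_id] = {"client_id": client_id, "login_hint": login_hint, "scope": scope,
                                      "binding_message": binding_message, "status": "pending"}
        # The push carries only an opaque reference; consent details stay on the bank's servers.
        self.push_outbox.append((device_id, {"pending_request": auth_req_id}))
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def _request_for_device(self, device_id, auth_req_id, tag):
        # Every app call must be proven with the device key and match the request's user.
        key = self.devices.get(device_id)
        if key is None or not hmac.compare_digest(tag, device_tag(key, auth_req_id)):
            raise PermissionError("bad_device_auth")
        req = self.requests.get(auth_req_id)
        if req is None or self.users.get(req["login_hint"]) != device_id:
            raise PermissionError("request_not_for_this_device")
        return req

    def pending_request(self, device_id, auth_req_id, tag):
        # The app fetches the consent screen contents from the bank, not from the push.
        req = self._request_for_device(device_id, auth_req_id, tag)
        return {k: req[k] for k in ("client_id", "scope", "binding_message")}

    def decide(self, device_id, auth_req_id, tag, approve):
        req = self._request_for_device(device_id, auth_req_id, tag)
        req["status"] = "approved" if approve else "denied"
        if approve:
            req["access_token"] = secrets.token_urlsafe(24)

    def token(self, client_id, client_secret, auth_req_id):
        # Polled by the client; nothing is issued until the user has approved in the app.
        self._check_client(client_id, client_secret)
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": req["access_token"], "token_type": "Bearer"}


def app_handles_push(server, device_id, payload, message_shown_by_client):
    """The bank's app on the device: it trusts the bank's servers, not the push payload."""
    key = server.devices[device_id]  # in reality held only on the device
    auth_req_id = payload["pending_request"]
    tag = device_tag(key, auth_req_id)
    details = server.pending_request(device_id, auth_req_id, tag)
    # The user approves only if the binding message on the consent screen matches the
    # one the third-party client showed them.
    approve = details["binding_message"] == message_shown_by_client
    server.decide(device_id, auth_req_id, tag, approve)
    return approve


def run_flow(message_shown_by_client="A1-7Q", message_in_request="A1-7Q"):
    """Returns the client's token responses before and after the user acts on the push."""
    server = BankAuthServer()
    start = server.bc_authorize("tpp-123", "tpp-secret", "alice@example.test", "accounts",
                                message_in_request)
    before = server.token("tpp-123", "tpp-secret", start["auth_req_id"])
    device_id, payload = server.push_outbox.pop()  # delivered by the Apple/Google push service
    app_handles_push(server, device_id, payload, message_shown_by_client)
    return before, server.token("tpp-123", "tpp-secret", start["auth_req_id"])


def misdirected_push_is_rejected():
    """A push steering Alice's device to a request made for another login_hint gets nothing."""
    server = BankAuthServer()
    start = server.bc_authorize("tpp-123", "tpp-secret", "mallory@example.test", "accounts", "X9")
    try:
        app_handles_push(server, "alice-phone", {"pending_request": start["auth_req_id"]}, "X9")
    except PermissionError:
        return True
    return False
```

Calling run_flow() returns an authorization_pending error first and a Bearer token once the app has approved; passing a different message_shown_by_client makes the app deny and the client receives access_denied. misdirected_push_is_rejected() illustrates the point about the push service: because the push is only a pointer and the bank checks both the device key and that the request belongs to that device's user, a push that has been tampered with or misdirected cannot put consent details in front of the wrong user, let alone approve anything.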