TechNews digests: Jan - Nov 2008

TechNews is a technology, news and analysis service aimed at anyone in the education sector keen to stay informed about technology developments, trends and issues. TechNews focuses on emerging technologies and other technology news. TechNews service : digests september 2004 till May 2010 Analysis pieces and News combined publish every 2 to 3 month

The use of prepaid cards for banking the poor

Prepaid products can become an effective instrument for banking the poor, as they can be used for collecting microdeposits and so operate as a low-cost account. Prepaid platforms have characteristics that make them especially useful for developing low-cost microfinance business models. Indeed, customers using prepaid systems do not need bank accounts or debit or credit cards. Prepaid issuers do not need to develop or invest in new technologies, as this mechanism can be used on a range of platforms, including PCs, mobile phones, hand-held and set-top boxes. Furthermore, prepaid products are specially designed for offering services demanded by the poor, such as micropayments, microdeposits and even microcredits. Lastly, they allow users to monitor their cash flow by receiving statements (some providers offer this feature online, others provide physical statements) or accessing balances through PCs, mobile phones, hand-held and set-top boxes. Besides collecting microdeposits, prepaid products (or SVCs as they are called in the United States) offer other services that can be very valuable for serving the unbanked population. As explained in this paper, prepaid products generally lack the identification and credit requirements that effectively bar millions of individuals from opening traditional bank accounts, especially in the United States. Moreover, prepaid products can be purchased and reloaded at a growing number of locations other than bank branches, such as check cashers, convenience stores and other retailers. Prepaid instruments can also provide immediate availability of funds at a cost that, in some cases, is lower than other alternatives for unbanked consumers. Also, prepaid products are difficult to overdraw, thus reducing the likelihood of unexpected fees. Lastly, many prepaid issuers offer some sort of bill pay option, especially branded cards that enable signature-based transactions, and a significant number of them offer remittances.Prepaid card; microdeposits; mobile phone; store value card; e-money; banking the poor;

A protocol for programmable smart cards

This paper presents an open protocol for interoperability across multi-vendor programmable smart cards. It allows exposition of on-card storage and cryptographic services to host applications in a unified, card-independent way. Its design, inspired by the standardization of on-card Java language and cryptographic API, has been kept as generic and modular as possible. The protocol security model has been designed with the aim of allowing multiple applications to use the services exposed by the same card, with either a cooperative or a no-interference approach, depending on application requirements. With respect to existing protocols for smart card interoperability, defining sophisticated card services intended to be hard-coded into the device hardware, this protocol is intended to be implemented in software on programmable smart cards

Biometric surveillance in schools : cause for concern or case for curriculum?

This article critically examines the draft consultation paper issued by the Scottish Government to local authorities on the use of biometric technologies in schools in September 2008 (see http://www.scotland.gov.uk/Publications/2008/09/08135019/0). Coming at a time when a number of schools are considering using biometric systems to register and confirm the identity of pupils in a number of settings (cashless catering systems, automated registration of pupils' arrival in school and school library automation), this guidance is undoubtedly welcome. The present focus seems to be on using fingerprints, but as the guidance acknowledges, the debate in future may encompass iris prints, voice prints and facial recognition systems, which are already in use in non-educational settings. The article notes broader developments in school surveillance in Scotland and in the rest of the UK and argues that serious attention must be given to the educational considerations which arise. Schools must prepare pupils for life in the newly emergent 'surveillance society', not by uncritically habituating them to the surveillance systems installed in their schools, but by critically engaging them in thought about the way surveillance technologies work in the wider world, the various rationales given to them, and the implications - in terms of privacy, safety and inclusion - of being a 'surveilled subject'

Identity Management in Information Age Government: Exploring Concepts, Definitions, Approaches and Solutions

Our research question is the following: What could be a useful working definition of Identity Management in government at present? a) What are conceptualisations, definitions and approaches of IDM in government according to academic literature? b) Which e-authentication solutions have been developed in other jurisdictions

A generic framework for process execution and secure multi-party transaction authorization

Process execution engines are not only an integral part of workflow and business process management systems but are increasingly used to build process-driven applications. In other words, they are potentially used in all kinds of software across all application domains. However, contemporary process engines and workflow systems are unsuitable for use in such diverse application scenarios for several reasons. The main shortcomings can be observed in the areas of interoperability, versatility, and programmability. Therefore, this thesis makes a step away from domain specific, monolithic workflow engines towards generic and versatile process runtime frameworks, which enable integration of process technology into all kinds of software. To achieve this, the idea and corresponding architecture of a generic and embeddable process virtual machine (ePVM), which supports defining process flows along the theoretical foundation of communicating extended finite state machines, are presented. The architecture focuses on the core process functionality such as control flow and state management, monitoring, persistence, and communication, while using JavaScript as a process definition language. This approach leads to a very generic yet easily programmable process framework. A fully functional prototype implementation of the proposed framework is provided along with multiple example applications. Despite the fact that business processes are increasingly automated and controlled by information systems, humans are still involved, directly or indirectly, in many of them. Thus, for process flows involving sensitive transactions, a highly secure authorization scheme supporting asynchronous multi-party transaction authorization must be available within process management systems. Therefore, along with the ePVM framework, this thesis presents a novel approach for secure remote multi-party transaction authentication - the zone trusted information channel (ZTIC). The ZTIC approach uniquely combines multiple desirable properties such as the highest level of security, ease-of-use, mobility, remote administration, and smooth integration with existing infrastructures into one device and method. Extensively evaluating both, the ePVM framework and the ZTIC, this thesis shows that ePVM in combination with the ZTIC approach represents a unique and very powerful framework for building workflow systems and process-driven applications including support for secure multi-party transaction authorization

Stakeholder Preferences for Mobile Payment Security Platforms: Understanding Trade-offs Between SIM, Embedded and Cloud-based Secure Elements

Authentication and identification for mobile payment transactions is typically provided by the secure element. While the SIM-card has long been the only option for locating the secure element, recently alternatives emerged like embedding the secure element into the device or offering it through the cloud. This paper elicits factors that influence stakeholder preferences for these three technical options. Exploratory interviews suggest a wide range of decision-making factors. Our results show that besides the basic security and performance traits of the technical options, other factors can only be understood when framing based on concepts of multisided platforms. The case of secure elements for mobile payments represents a highly complex illustration of platform competition that takes place on three different levels of the technical architecture

End-to-end encryption in on-line payment systems:The industry reluctance and the role of laws

Various security breaches at third-party payment processors show that online payment systems are the primary target for cyber-criminals. In general, the security of online payment systems relies on a number of factors, namely technical factors, processing factors, and legal factors. The industry gives its best endeavors to strengthen the technical and processing factors, while the government has been called upon to improve the legal factors. However, a breach of consumer's data and financial losses resulting from such a breach keep occurring. Findings from the forensic audit show that most online payment systems, such as those using credit and debit cards as their instruments, have a weak point leaving the systems vulnerable to hacking. This weak point concerns the so-called financial data in transit that are not fully encrypted. Encryption is indeed employed within the systems, but only on certain networks. Industry’s standard reflected by code of conducts only obliges the players to encrypt the financial data transmitted on the public network, and not on their private networks. On top of that, laws and regulations are often in a vacuum to regulate the encryption. Thus, although seen as the strongest method so far to prevent the breach, end-to-end encryption has not entirely been implemented. Why does the industry seem to be reluctant in implementing end-to-end encryption? What do laws rule on this and would it be appropriate for the law to rule such obligation for the sake of consumer protection? This paper tries to shed a light on these issues. To investigate the industry reluctance, this paper discusses security of online payment systems and the nature of the retail payment systems. As for the laws and regulatory frameworks, this paper outlines and focuses on the EU level. Online payment systems using credit or debit cards are used as the main example in this paper as such methods have much more matured compared to the others. However, special attention on the innovative payments such as mobile payments and virtual currencies will be drawn as the security issues of such innovative payments have given rise to regulatory challenges

Identidade digital federada globaliD

Mestrado em Engenharia de Computadores e TelemáticaO presente texto propõe uma solução para a gestão de identidade digital online tendo em conta a versatilidade, o anonimato, a privacidade, a veracidade, a credibilidade e a responsabilidade do utilizador, recorrendo para isso ao uso do Cartão de Cidadão Electrónico Nacional Português e a outros meios de autenticação públicos usados diariamente pelos utilizadores. A dissertação é composta pela apresentação do conceito de identidade e das suas particularidades, por uma análise aos vários problemas da gestão da informação pessoal online, uma análise aos vários modelos, mecanismos e especificações existentes para gerir a identidade digital online (gestão de identidade digital). Uma solução de gestão de identidade digital baseada no modelo de identidade federada e associada ao Cartão do Cidadão Electrónico Nacional Português é apresentada, descrita, analisada, avaliada e comparada com outras soluções existentes. Por fim um protótipo de um provedor de identidades digitais federadas baseado na solução de gestão de identidade digital proposta é apresentado.The following text provides a solution for the digital identity management on the Web regarding the users’ versatility, anonymity, privacy, veracity, trustworthiness and accountability by using the Portuguese National Electronic Citizen Identity Card and other publicly available authentication mechanisms users use daily. The dissertation consists of the presentation of the concept of identity and its particularities, an analysis to the several problems of managing personal information online, and an analysis to the several existing models, mechanisms and specifications for the management of the digital identity online (digital identity management). A solution for digital identity management based on the federated identity model and associated to the Portuguese National Electronic Citizen Identity Card is introduced, described, analyzed, evaluated and compared to other several existing solutions. Last, a prototype of a federated digital identity provider based on the purposed solution for digital identity management is presented