Digital Certificates – Get ready, they’re here!
It was somewhat hilarious to see the person in front of me at the store when it came time to pay. He pulled out his credit card and instead of swiping it, he was asked to insert it. The look on his face was priceless.
Turns out, he had no idea that the little, funny looking gold square on his credit card is actually a personalized digital certificate issued to him by his credit card company.
These chips are not new. The U.S. Federal Government has been using them for years…but more on that later. So, why are these chips so great and why did the credit card companies start using them?
For the same reason the Federal government did – positive identity proofing.
To put it simply, identity proofing is a means of positively confirming that a person engaged in a transaction is, in fact, that person. Common and unfortunately popular fraudulent government activities occur frequently in healthcare, immigration and student loans, to name just a few.
Identity fraud alone costs the Government billions of dollars each year and compromises national security. The US Government Accountability Office (GAO) reported that Medicare estimates it paid out $60B in taxpayer money in abuse and improper payments in 2015.
According to this Nasdaq article, CreditCard.com reports that the US is responsible for 47% of global credit card fraud, while only accounting for 24% of card volume. So, how does this little chip prevent that?
The credit card chip is a digital certificate – also referred to as a public key or "identity certificate". The certificate must be issued by a third-party certification authority and verifies the credentials of the sender, letting the recipient know that the data is from a trusted source.
When you buy something at the store with your credit card, the transaction data (such as store ID, date, time, purchase total) are then ‘hashed’ using this certificate. An algorithm calculates a single, unique value for the transaction that can only be reproduced using the exact same mathematics; which means it can only be reproduced using your certificate (credit card chip).
Using digital certificates, credit card companies can guarantee that the transaction belongs to you by placing you at the store, at that time, making that purchase. In other words, they can prove it was you making the purchase in person with your card. In the future, credit card companies will eventually no longer be responsible for fraudulent activity where your credit card was in hand.
So, how does all this apply to Government or, for that matter, business?
Let’s go back to understand why the Federal Government has been using this technology for years.
Building digital trust
Personal certificates have long been used to prove identity for such things as granting secured access to rooms and buildings. Today, with the proliferation of digital transformation and trusted digital business, these chips are commonly used for digital authorizations in the form electronic signatures. Signing documents in a digital world, rather than printing them and signing in ink, uses your digital certificate to tie you to your e-signature. Much like that store purchase, a unique ‘hash’ of the signature, date, time and other data, during the signing, is used to compute the algorithm using the personal certificate – tying you to the signature.
What is non-repudiation?
This is referred to as Full Non-Repudiation – being able to absolutely prove who signed the document. But be careful – not all e-signature companies do this in the same way. Most e-signature vendors hash the document at the very end, after all signatures are in place. How, then, could you prove who signed? Look for an e-signature vendor who generates the hash for EVERY signature on EVERY document.
The cost of issuing ID cards is high (unlike credit cards, where they foot the bill). So the Federal government is moving to new technologies such as Derived Credentials. (Read more about derived credentials in my previous blogs: E-Signing with Smart Cards in US Government Agencies and Building Digital Trust in Government Processes)
What about State & Local governments?
They, too, must eventually lean on identity proofing to positively link a transaction to a person. And the time is now. Technology for Smart apps that can prove identify or the use of digital or physical tokens is readily available; as are a host of biometric tactics like facial recognition and fingerprint scans that are becoming increasingly popular and necessary. Identity proofing technologies are a critical success factor in building trusted digital transactions.
One of the easiest, low risk ways to implement identity proofing is to begin with the employees within an organization. Rolling this out to verify in-house transactions is easy and inexpensive and can include simple digitized processes such as signing expense or travel reports, employee reviews and HR compliance documents.
As adoption grows within the private sector, leveraging other certificates for identity management will be easily adapted for all aspects of business.
Well, back to my purchase…time to whip out my credit card.