The Future of Online Money

Creating Secure Payments Globally

Jonathan LeBlanc

Twitter: @jcleblanc

Book: http://bit.ly/iddatasecurity

10 Years ago, the iPhone

launched

2013: More cell phones than toilets (time.com)

7 billion people, 6.5 billion with cell phones, 4.5 billion

with access to toilets.

2014: More cell phones than people (independent.co.uk)

7.22 billion cell phones, 7.19-7.2 billion people.

2015: More people own a cell phone than a toothbrush (CTA)

3.7 billion people own a cell phone, 3.5 billion own a

toothbrush.

2020: More people with a phone than electricity (cnet.com)

5.4 billion people will own a cell, 5.3 billion will have

electricity, 3.5 billion with running water, 2.8 billion cars

on the road.

Mobile, by the Numbers...

3 Years: IoT vendor revenue could top $470 billion

for hardware, software, and solutions. - Bain

5 Years: Nearly $6 trillion will be spent on IoT

solutions. - BI Intelligence

10 Years: IoT market will grow from 15.4 billion

devices (2015) to 30.7 billion devices (2020), and

75.4 billion (2025). – IHS

15 Years: Investment is expected to top $60

trillion. - GE

The IoT Market by 2020 and beyond

We’ve Built a New

Generation of Inventors

Prototyping and Mainstreaming

Contextual Commerce

Removing Interaction Hurdles

Applications need to know

about you & what you want

How do we Secure Payments?

Securing Payments within

unsecure channels

Securing Channels: Asynchronous

& Synchronous Cryptography

Credit Card Tokenization

Credit Card Information

Address Information

Card Holder Name

...

7e29c5c48f44755598dec3549155

ad66f1af4671091353be4c4d7694

d71dc866

Apple / Android

pay tokenization

system

EMV payment

tokenisation

specification

Merchant register is

changed to hardware

transfer bridge

Network handles direct merchant

requests. Vault stores surrogate

to token lookup.

Secure ElementHost-based

Card Emulation

Context and Verification

What do we Need to Identify Someone?

33 bits of entropy to identify approximately

8 billion people uniquely.

What do we Need to Identify Someone?

ΔS = -log2 Pr(X=x)

ΔS: Reduction in entropy, measured in bits

Pr(X=x): Probability that the fact would be true

of a random person

Building up Bits of Entropy

Date of Birth

Birth Month: ΔS = -log2 Pr(MOB=December) = -log2 (1/12) = 3.58 bits

Birthday: ΔS = -log2 Pr(DOB=Dec 6th) = -log2 (1/365) = 8.51 bits

Location

ZIP code is 95123: ΔS = -log2 (65,276/7,503,205,943) = 16.81 bits

City is Santa Clara: ΔS = -log2 (122,192/7,503,205,943) = 15.90 bits

State is CA: ΔS = -log2 (39,140,000/7,503,205,943) = 7.58 bits

Browser Fingerprinting

https://panopticlick.eff.org/

Device Fingerprinting

//-------------

// Build Info: http://developer.android.com/reference/android/os/Build.html

//-------------

System.getProperty("os.version"); // OS version

android.os.Build.DEVICE // Device

android.os.Build.MODEL // Model

android.os.Build.VERSION.SDK_INT // SDK version of the framework

android.os.Build.SERIAL // Hardware serial number, if available

Retrieving Build Information for Android Device

Location Awareness

Purchase History

Ninety percent of individuals could be

uniquely identified using just four

pieces of information- telegraph.co.uk

Getting Paired Devices

The Future of Secure Payments

Thank you!

https://www.slideshare.net/jcleblanc

Jonathan LeBlanc

Twitter: @jcleblanc

Book: http://bit.ly/iddatasecurity