Stephen Wilson

Managing Director at Lockstep Group
I specialise in digital identity, privacy, smart technologies and fraud prevention. I run the Lockstep Group, which researches and develops innovative solutions to Card Not Present fraud and identity theft. We also provide independent analysis & advice in privacy and identity security. Nearly 30 years in IT and high tech R&D in Australia and the USA. Since 1995, dedicated to digital identity, working for KPMG, PwC beTRUSTed/Cybertrust and SecureNet. In 2004, established Lockstep to provide specialist consulting, and to develop novel privacy and safety solutions using smart technologies.



Now is not the time to go soft

03 Aug 2012

Online computing represents probably the first new platform in thirty years. Not since the PC have we seen a whole new hardware-software-solution-product environment emerge. It's understandable that there's a mad land grab for app-driven market share. But you'd think that the rush to market would be moderated by a realisation that we ought to b...



How much worse can CNP fraud get?

17 Jul 2012

The Australian Payments Clearing Association (APCA) releases card fraud statistics every six months for the preceding 12m period. For the first time in many years, Australian card fraud has grown in all categories. The ratio of Card Not Present fraud to all fraud remained steady at just under three quarters. An up-turn in skimming and counter



Credit card numbers are like nitroglycerine

13 Jan 2012

It's terrific that merchants are increasingly pushing back on PCI-DSS. It really is high time we shifted the emphasis from ad hoc stop gap compromise measures, onto tackling the real problem: the replayability of account data. Credit card numbers are a bit like nitroglycerine: handle them with great care or they'll blow up! The slightest slip-up,...


Banks really know their customers

13 Dec 2011

A few months ago, the Australian banking consortium BPAY announced the cancellation of its promising and well funded account portability MAMBO. What does this mean for the even more audacious plans for federated identity in banking? The US government's National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions using university studen...


EU watchdog tells FS firms to focus on blockchain security risks

ENISA warns that "key management and encryption are still largely the same" challenge with blockchain as traditional security. Well, yes and no. Certainly many blockchain pundits overlook key management. I sifted through twenty-odd blockchain-for-healthcare proposals in the US Dept of Health & Human Service blockchain challenge last year, and attended the two day symposium at NIST headquarters. I was shocked at how few teams looked at key management. I don't just mean private key hygiene in hardware wallets and the like, but the management task of knowing which keys go with which users.

And here's the deep problem: blockchain's Proof of Work algorithm was designed so there is no need for key management. It doesn't matter to the system which key goes with which user, because Bitcoin is electronic cash. Possession of the private key is all that matters. Famously, you cannot recover lost Bitcoin balances if you lose your key, for there is no administrator. The absence of an administrator makes it necessary to crowd-source the overseeing of all currency movements (to stop Double Spends). That's what Proof of Work "consensus" does - it's the crowd satisfying itself that all spends are OK.

When you hybridise blockchain, and fold back in traditional key management and encryption (not to mention permissions management for private blockchains), you take away the reason for being of the consensus algorithm. Why have crowd-sourced consensus when an administrator has already been able to oversee which key goes with which user? Ask yourselves: What is the real point of the original public blockchain? Consensus in the public blockchains as designed today becomes moot when you have key management. So yes, key management in blockchain technologies is much the same as with traditional security; just beware of where it leaves public blockchain architecture which was designed to expel all administration.

Many hybrid blockchains look rather like solar powered race cars retrofitted with petrol engines to make them go faster.