[Dave Birch] It’s not really about identity, but I was struck by Jerry Fishenden’s point about how banks could be offering more services on the back of their digital infrastructure. He was talking about services such as letting me store key personal information, information that I might then choose to disclose on a selective basis in the same way I can choose to selectively disclose or transfer financial information. Now I definitely agree with Jerry that this presents an opportunity for banks to become the friend of the consumer in the digital age (I think I’ve called it “becoming the customer’s privacy pal” in a previous presentation). However, given that the Information Commissioner’s report for 2007 identified 12 U.K. high street banks as discarding customers’ personal details in rubbish bins, Jerry may be overestimating consumers’ inclinations toward banks as safe stores (!), but it’s a useful idea to play with. After all, if the bank issues me with an identity, then a bank might be a reasonable place to store data relating to that identity. Which is a small step from the bank as identity manager: why not have your IBAN as one of your OpenIDs (apart from Ben Laurie’s perfectly reasonable concerns about phishing)?


OpenID is a good example of something that might be part of this jigsaw. After all, its bandwagon includes AOL, Microsoft and VeriSign, all of which publicly endorse the product. But the vulnerability highlighted by Ben is a real one and must be obvious to anyone carrying out a risk analysis: reduce the number of names and passwords you use on the Internet, and you reduce the amount of information a thief needs to steal. In particular, if OpenID is implemented without proper 2FA (i.e., 2FA involving end-to-end security) and is used with a password only, then one might expect to see a tidal wave of phishing messages trying to get hold of that password and, furthermore, one might not expect to see OpenID used for anything that’s worth protecting.

Anyway, Jerry’s point made me think about how the technologies that banks could deploy to support new payment services could be used to provide other services. I was thinking more about authentication, forensics and so on but perhaps more value-added services. A couple of weeks ago, The Economist (I can’t remember which issue) said that Google was a bit like a bank but it stored information. But what would a bank that stored information look like? For one thing, it would have both

To me, this means that we need to consider the bank as an identity provider and the bank as an authentication provider as different propositions. It is fair to observe that there is a real question to be answered around whether any external, third-party identification provider will find a business model that works, and banks need to answer this the same as any other potential player. But banks need improved authentication as part of their existing business model, so converting a potential cost into a potential line of business here seems more straightforward.

Talk of business models brings us back to the topic of the value of identity, again. A U.S.-based study has found that nearly a quarter of the goods for sale on the online black market during the first half of the year were credit cards, selling for between 25p and £2.50. Most of these came from U.S. banks. This was closely followed by bank accounts, 21 per cent, which are trading for between £15 and £198. This seems a little low to me — I’d like to think that even my bank account was worth more than a couple of hundred quid — so perhaps the best business model for the banks would be to just buy back the stolen log-in details…

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public
