OpenID is a good example of something that might be part of this jigsaw. After all, its bandwagon includes AOL, Microsoft and VeriSign, all of which publicly endorse the product. But the vulnerability highlighted by Ben is a real one and must be obvious to anyone carrying out a risk analysis: reduce the number of names and passwords you use on the Internet, and you reduce the amount of information a thief needs to steal. In particular, if OpenID is implemented without proper 2FA (i.e., 2FA involving end-to-end security) and is used with a password only, then one might expect to see a tidal wave of phishing messages trying to get hold of that password and, furthermore, one might not expect to see OpenID used for anything that’s worth protecting.
Anyway, Jerry’s point made me think about how the technologies that banks could deploy to support new payment services could be used to provide other services. I was thinking more about authentication, forensics and so on, but perhaps more value-added services. A couple of weeks ago, The Economist (I can’t remember which issue) said that Google was a bit like a bank, but one that stored information. But what would a bank that stored information look like? For one thing, it would have both
To me, this means that we need to consider the bank as an identity provider and the bank as an authentication provider as different propositions. It is fair to observe that there is a real question to be answered around whether any external, third-party identification provider will find a business model that works, and banks need to answer this the same as any other potential player. But banks need improved authentication as part of their existing business model, so converting a potential cost into a potential line of business here seems more straightforward.
Talk of business models brings us back to the topic of the value of identity, again. A U.S.-based study has found that nearly a quarter of the goods for sale on the online black market during the first half of the year were credit cards, selling for between 25p and £2.50. Most of these came from U.S. banks. This was closely followed by bank accounts, 21 per cent, which are trading for between £15 and £198. This seems a little low to me — I’d like to think that even my bank account was worth more than a couple of hundred quid — so perhaps the best business model for the banks would be to just buy back the stolen log-in details…
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public