Written by 
Explaining the offside rule to Sean Park from Anthemis.
After a couple of glasses of champagne I found myself talking to a senior payments executive. He asked me what I thought the next big things in payments would be: I said identity is the new money (as I always do), payments data is worth more than payments (as everyone always does), and that APIs were the new competitive front (as I have begun to in last few months). I was working on a report on APIs for one of our clients this morning, and I googled something and discovered just how unoriginal my perspective is:
At the Defrag conference in Broomfield, Colo., this week, three themes came in the forefront: APIs, identity and data.
[From 3 Pillars Of The New Business World: APIs, Identity, and Data | TechCrunch]
I agree with this analysis wholeheartedly and I will be posting endlessly about all three in the year to come, naturally, but first I want to make a point about APIs. We need more than just payment APIs to make mobile commerce work. The December 2012 edition of the TM Forum‘s Digital Life report has a nice piece by Annie Turner looking at ten hot areas for innovation (focusing on the telecommunications industry, of course) across the coming year. A couple of them I agree with very strongly, such as the transition to prosumer networks and the rise of the machine-to-machine business opportunities. Some I’m not sure about, such as the need for innovation in execution. But it’s her last point that interests me the most. She says that communications service providers (CSPs), just like a great many other businesses, will find themselves in API-based businesses. Observers are already saying that this will be $100 billion plus business within a couple of years, so learning how to compete in an API world is an immediate priority for a great many organisations and, I have to say, a great many of our clients. It’s particularly interesting to me that the second-largest category of API in the market projections she uses (in this case, from Alan Quayle’s webcast) is the billing of non-digital goods by CSPs.
Given that many of us think that mobile wallets are going to be hot, and that these mobile wallets will want to access fairly standard APIs, I think the track record in the telecommunications sector is fairly poor the moment. The GSMAs “OneAPI” initiative hasn’t really taken off yet and the other Tier 1 operator’s own API programs (such as those from AT&T and Telefonica) are in their early phases. Naturally, given my perspective, I see the API-powered smart pipe in simple terms, exposing digital identity, digital money and digital network APIs. It’s another matter whether the CSP or third-parties provide the services that sit behind those APIs.
We already have carrier billing and location-based services, so we can imagine what the digital money and digital network APIs might look like, but we don’t yet have any identity-based services, which might suggest to some observers that for the CSPs at least, a strategy toward identity ought to be a priority. It might be preferable to have a sector-wide approach that helps mobile operators, in particular, to provide network-centric identity services. Actually, I’ve already one such approach put forward: Operator-ID. Operator-ID was proposed at the GSMA Mobile Identity meeting in Nice last year. The proposal is based on the use of OpenID Connect to deliver a basic, practical and interoperable federated identity solution for mobile operators.
OpenID Connect performs many of the same tasks as OpenID 2.0, but does so in a way that is API-friendly. OpenID Connect can also be extended to include more robust mechanisms for signing and encryption. Integration of OAuth 1.0a and OpenID 2.0 required an extension (called the OpenID/OAuth hybrid); in OpenID Connect, OAuth 2.0 capability is built into the protocol itself.
[From Connect | OpenID]
The GSMA have very kindly invited me to chair a panel on “Mobile Identity: Opportunities and Challenges for Service Providers” at the Mobile World Congress in Barcelona next month (at 2pm on Tuesday 25th February) and I’m delighted to say that Patrick Fischer, who presented the Operator ID proposal in Nice, has kindly agreed to one of my panelists, along with representatives from Verizon, Citi and Nokia Siemens Networks. Look forward to seeing you there.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
Hi Dave,
The Achilles Heal of using mobiles in any part of this security chain is the ease of which it is possible obtain a PAC code. The number you need to port your mobile number to another network.
A few months ago a real estate agent found herself the victim of financial fraud based on the usual DOB and maiden name etc. One of her accounts got cleaned out by $19k, fortunately she could survive this while it got sorted out.
http://www.itnews.com.au/News/322059,home-buyer-funds-targeted-in-phone-porting-scam.aspx
A few weeks, I later I obtained the PAC code to my girlfriend’s number online via chat with what felt like ZERO security checking. I’m kicking myself I didn’t save the transcript…
An industry standard on issuing PAC codes is likely to be ZERO. UK or International.
There is a way of solving the issue using the same method of protection yourself against identity theft in the UK. EG “Write a notice of correction” – using your own fingerprints. http://www.redlinesecurity.co.uk/product_info.php?products_id=193
The same method could be used to protect the issue of a PAC code, the industry would hate it because of the cost and speed slow down. But don’t the consumers deserve a choice in their security? Or at least a half decent attempt to make something broken better, instead using sticky tape all the time.
The question I constantly find myself asking is the way that financial systems are basically signed-off. IS risk assessment and underwriting really the best way to go. I’m not an academically qualified person in network security, I’m just a middle aged Computer Science Grad, but I feel the whole way many industries that find themselves having to provide security on the Internet plain lame?
Enjoy the Bar Camp with Gordon R, he’s supposed to say hello for me!