[Dave Birch] People who don’t really understand how anything actually works and have no perspective on the big picture that is needed for worthwhile risk analysis tend to grasp at reactionary ornaments when the public clamour “something must be done” reaches a particular level. Here’s an example. We know from previous experience that putting cardholder images on payment cards makes absolutely no difference to fraud. If it did, banks would do it. One of the reason why images make no difference is that retailers tell their staff not to look at them, because it’s not their problem. Retailers don’t want staff being assaulted by either criminals or disgruntled legitimate cardholders and since they are not liable for chip transactions where the correct PIN was entered, why would they bother? In the real world, you swipe the card and the light is green you get the goods. The photo ID is a good example of something that seems like it should be a good idea, but just isn’t.

Banking ombudsman in Karnataka M. Palanisamy Tuesday advised banks to issue chip-based ATM cards with customer’s photo to check frauds committed through debit or credit cards.

[From ATM cards with photo will check frauds: Ombudsman – NY Daily News | NewsCred SmartWire]

Of course, you don’t need to put the ID photo on the debit card. You could simply demand that customers produce ID when they use a chip and PIN card to buy something. I’ve noticed that this often happens in Spain: you buy something in a shop and present a chip and PIN card and enter the correct PIN and the transaction is authorised but the shopkeeper still asks for ID (I generally present my 1997 England football club supporter’s card because I leave my passport in the hotel safe) and then asks you to sign the slip as well. Asking for ID must reduce fraud, right? And ID cards that have jolly secure chips as well as photos must reduce fraud to immeasurably small levels, right?

“People have started using our principle of freedom of information as a tool to commit crime,” Lars Minnedal of the Stockholm police fraud unit told the Aftonbladet newspaper… Security experts have warned that Sweden may be soon hit with a “fraud epidemic,” as would-be criminals can get all the information they need by making a call to the Swedish Tax Agency (Skatteverket).

[From ID-card fraud ‘epidemic’ threatens Sweden – The Local – m.thelocal.se]

The law of unintendend-but-entirely-predictable consequences strikes again.

“The society we live in makes it possible. The problem is that we have a freedom of information principle, and people never thought of how it could be abused in the way it is today,” Minnedal added. “You can access everything on everyone and there’s no requirement to explain what you want to use the information for.”

[From ID-card fraud ‘epidemic’ threatens Sweden – The Local – m.thelocal.se]

How can you actually cut down on ID fraud? There are two basic approaches. You can make it harder to steal identity data (the Sisyphean PCI-DSS approach) or you can make it harder to use stolen identity data by having a working identity and authentication infrastructure (my approach, but who am I against so many?). This Swedish example illustrates perfectly how having easy-to-steal data and a non-working infrastructure delivers a perfect storm.

While Swedish identity documents are equipped with advanced security features, Minnedal lammented that many store clerks and sales people “systematically neglect” to look carefully at ID cards presented to them or lack knowledge of the card’s proper appearance.

[From ID-card fraud ‘epidemic’ threatens Sweden – The Local – m.thelocal.se]

Store clerks and sales people should not be required to become de facto identity verification experts. What is the point of the chip on the Swedish ID card if you are going to ignore it for verification purposes? Just as the mPOS revolution means that anyone can take payments, so it should similarly mean that anyone can check an identity card, anyone can “take identity”. Not by looking at an identity card — get with it Grandpa Sven, this isn’t 1952 any more — but by via iBeacon or by tapping it with their NFC phone or putting it in their iZettle. Then the system can check whether the card is real or not, require the cardholder to enter a PIN and a fingerprint if necessary and display the photo stored in the chip. Note that the photo will generally be ignored anyway, and eve when it isn’t, it won’t help.

Stolen second-generation ID cards are much prized by criminals engaged in fraud and money laundering as they cannot be canceled, an investigation has revealed. These cards don’t come with a secret disabling code so remain active even after their rightful owners inform police they are missing, said officials from the household registration management center in Tianjin Municipality, neighboring Beijing.

[From Crooks strike rich with ID card you can’t cancel- China.org.cn]

So in China for $65 you can buy a stolen ID card of someone who looks a bit like you and you’re home and dry. In a way, that’s worse than having no ID system at all, because it means that once you are inside the wire (ie, once you’ve flashed your stolen ID card at someone and they have accepted that it’s you) then your rights and privileges are no longer questioned!

Look. Identity infrastructure should be based on the premise that anyone’s identity might be stolen but that it cannot be used by anyone other than the rightful owner. That means an infrastructure with strong authentication. I think I might host a discussion table on this topic at the first ever Bay Area Tomorrow’s Transactions Unconference in Palo Alto on Friday 4th October. Consult Hyperion are organising this with our friends at BayPay and with support from the wonderful people at Discover.

For those of you unfamiliar with our Unconference concept, the event will build on the success of the previous London, New York and Toronto Unconferences, success that is down to the expertise and enthusiasm of the participants but also the event format itself. Instead of of a succession of pre-determined Powerpoint presentations, the events mix stimulating talk from thought-leaders with global perspectives and discussion sessions which bring together the delegates, experts and selected industry observers to cover topics chosen by the delegates themselves on the day. The goal of the day will be to help professionals in the finance, payments and related industries to explore the future of the retail electronic transactions space and go back to their companies with new ideas, new strategic input and new friends.

Who knows what the delegates will choose to discuss and debate in Palo Alto next week, but I expect the topics to be covered to include the future of online identity, the mobile “wallet wars”, migration to chip cards in the US, alternative and parallel currencies, “near banking” and much more. (At the London event this year the topics discussed ranged from bank APIs to writing a movie about payments, and at the Toronto events popular topics included identity as a banking service, the end of cash and big vs. small data in business models.)

The invited thought pieces that will stimulate the discussion in Palo Alto will be:

  1. David Wolman, contributing editor at Wired magazine and author of “The End of Money” (all delegates will receive a copy of David’s book).
  2. Nate Wehunt Sr., Head of Digital Channels at City National Bank.
  3. Sam Lession, the Head of the Identity Product Group at Facebook.
  4. Me, one of Wired magazine’s global top 15 favourite sources of finance and business news, and Europe’s most influential commentator on the emerging payments scene.

Following the keynote, during the Q&A sessions, the delegates will (in best open-space style, as described at http://www.unconference.net/) note down the topics that they would like to discuss and these will be organised into sets of parallel sessions (one before lunch and two after). Delegates are then free to join in any, all or none of the discussions. The points raised in the discussions will be captured and reported. If you are responsible for strategic directions around payments, banking and finance then come along and get new ideas, new perspectives and new insights to help you to develop robust strategies to make the most of the incredible technology, business and social changes underway.

There will be a range of delegates from different backgrounds at the fall events and we hope the cross-fertilisation of ideas will be something special. As for the other events, the day will be limited to 100 delegates so that everyone gets a chance to participate in discussion, debate and learning. I hope you decide to come along. It’s $50 for BayPay members and $100 for non-members, so you’d be mad not to get yourself a ticket right here, right now. See you next Friday.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: