Identity really is the new money


Today is International Identity Day, supported by the many organisations around the world seeking to address the huge inclusion issues caused by a lack of digital identity. It is tempting to think that this is mainly a developing world issue and that in the developed world the lack of digital identity services is more of an inconvenience than a real problem. Here in the UK, however, there are still up to 5m people who struggle to access financial services because they do not have the right documents or data. More on that in our recent report.

Something I’ve been thinking about quite a bit this year is the interplay between Digital Identity and Central Bank Digital Currency (CBDC). What’s that got to do with the pressing need to give effective digital identity to those that need it most? Two things really:

  • Firstly, a significant factor in the development of a CBDC will be to ensure it is inclusive. After all, one of the main objectives of CBDCs is to provide a digital alternative to cash. The financially excluded rely on cash and so a CBDC may have an important role to play in addressing their needs.
  • Secondly, whilst the need is pressing, making it happen will take time. The UN Sustainable Development Goal 16.9 calls for the provision of legal identity for all by 2030. Many CBDC initiatives are operating on a similar timeframe.

The beauty of CBDCs is that, in the main, central banks are starting from a blank sheet of paper, which creates the opportunity to design something well from the start. A big problem in digital identity has been trying to retrofit it into a digital world after the fact.

Another interesting thing is that the emerging model for CBDCs has close similarities to the decentralised model for digital identity, which is the direction of travel in that space. Let me explain a little.

The following picture illustrates a 2-tier model for CBDC:

Senders and receivers will have wallets that interact with each other. They will hold the identifiers (backed by private keys) that allow the parties to control the use of their CBDC value. The actual system of record will be a ledger provided by (or on behalf of) the central bank. Wallets will use tokens, which are cryptographic representations of the value managed by the ledger and which are bound to the identifiers (and keys) belonging to the parties.

Now look at the standard model for decentralised identity:

Identity information is sent from holders to verifiers. The information is sent in the form of cryptographic credentials (you could think of them as identity “tokens”) that are bound to identifiers which can be checked in a registry. Of course, for those credentials to have any value they need to come from a trusted source – an issuer.

So you can see there is a strong correlation between CBDC and decentralised identity systems. The content of the two grey boxes is basically the same.

Furthermore, CBDC systems will have some very particular digital identity and privacy requirements:

  • There will need to be anti-money laundering (AML) controls in place.
  • The CBDC must not become a mass surveillance system.
  • The system must allow anonymous transactions in some circumstances but not all.
  • Users must have control over how much data is shared (and in some cases if the user is not willing to share data the transaction will not be able to be completed).

These requirements could be met very well through the use of decentralised identity technologies such as those being developed in W3C, which support the presentation of verifiable identity information whilst employing strong privacy controls. There seems to be a strong case for the CBDC community to collaborate with the identity community. We have a foot in both camps and are working hard to ensure that the years of work put into decentralised identity are leveraged effectively in CBDCs.
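The issuer, holder, verifier and registry roles described above, with the holder choosing how much data to share, as an added example that is not from the original post or from any W3C specification. It assumes Node.js, Ed25519 keys, salted-hash commitments as the selective-disclosure mechanism (the post does not name one), and constructed identifiers such as `id:issuer-1`.

```javascript
// Added illustration of the issuer / holder / verifier / registry roles.
const crypto = require('node:crypto');

const sign = (priv, msg) => crypto.sign(null, Buffer.from(msg), priv).toString('base64');
const verify = (pub, msg, sig) =>
  crypto.verify(null, Buffer.from(msg), pub, Buffer.from(sig, 'base64'));
const commit = (d) =>
  crypto.createHash('sha256').update(JSON.stringify([d.salt, d.name, d.value])).digest('hex');

// Registry maps identifiers to public keys (identifiers are constructed samples).
const issuer = crypto.generateKeyPairSync('ed25519');
const holder = crypto.generateKeyPairSync('ed25519');
const registry = new Map([['id:issuer-1', issuer.publicKey], ['id:holder-1', holder.publicKey]]);

// Issuer signs salted hashes of the claims, bound to the holder's identifier.
function issue(claims, subject) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    ({ salt: crypto.randomBytes(16).toString('hex'), name, value }));
  const body = JSON.stringify({ issuer: 'id:issuer-1', subject, digests: disclosures.map(commit) });
  return { body, sig: sign(issuer.privateKey, body), disclosures };
}

// Holder reveals only the chosen claims and signs the verifier's nonce (anti-replay).
function present(cred, reveal, nonce) {
  return { body: cred.body, sig: cred.sig,
    disclosed: cred.disclosures.filter((d) => reveal.includes(d.name)),
    proof: sign(holder.privateKey, JSON.stringify([nonce, cred.body])) };
}

// Verifier checks: trusted issuer, intact credential, holder binding, then each claim.
function check(p, nonce, trustedIssuers, required) {
  const { issuer: iss, subject, digests } = JSON.parse(p.body);
  if (!trustedIssuers.includes(iss) || !registry.has(iss)) return { ok: false, why: 'issuer' };
  if (!verify(registry.get(iss), p.body, p.sig)) return { ok: false, why: 'credential' };
  if (!registry.has(subject) ||
      !verify(registry.get(subject), JSON.stringify([nonce, p.body]), p.proof))
    return { ok: false, why: 'holder' };
  const claims = Object.create(null);
  for (const d of p.disclosed) {
    if (!digests.includes(commit(d))) return { ok: false, why: 'claim' };
    claims[d.name] = d.value;
  }
  // The verifier may refuse the transaction if a required claim is withheld.
  const missing = required.filter((n) => !(n in claims));
  return missing.length ? { ok: false, why: 'missing ' + missing.join(',') } : { ok: true, claims };
}
```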

It really is the case that Identity is the New Money.

New Features Greet Riders As They Return to Transit


Everyone seems to think that MaaS (Mobility-as-a-Service) is a brand-new business model, when in fact, Transit Agencies have been providing mobility as a service for years, just without the hyphens. When I ride transit I just pay for the service when I need it or purchase a monthly pass if I expect to use it regularly. This is similar to the “as-a-Service” model that has been popularized by software companies who moved away from the license model where users pay a one-time fee to purchase the software. They now offer a subscription model where users pay a recurring fee to use the software. I’ve ridden transit for many years and have never had to buy a bus or train. Sounds like Mobility-as-a-Service to me.

CONSULT HYPERION ANNOUNCES NEW BOARDROOM APPOINTMENTS TO DRIVE NEXT PHASE OF GROWTH

Payment card issuance errors leave you vulnerable to fraud


As Consult Hyperion and many other analysts predicted, Covid-19 has driven the adoption and use of contact-free technology at the point of service. A recent survey funded by the National Retail Foundation found that no-touch payments have increased for 69 percent of US retailers surveyed since January 2020. In May, Mastercard reported that 78% of all their transactions across Europe were contactless.

Fraudsters are always looking for ways to take advantage of potential weaknesses or even inexperience in new payment devices. A recent news story promoted a man-in-the-middle attack in which two phones are used to transfer and manipulate the transaction message between a stolen contactless card and the point of sale terminal.

A cryptocurrency for Scotland?

I rarely recommend reading the reader comments at the Guardian Online (or indeed any other newspaper site) unless you need a fast cure for low blood pressure or get a kick out of despising your fellow man. However, last week I did actually learn something interesting from the comments to a Guardian article about Bitcoin.

In common with countries such as Iceland, Scotland now has its own cryptocurrency – Scotcoin.

It’s not altogether clear from the Scotcoin website (http://scotcoin.org) exactly how Scotcoins are created but in contrast to Bitcoin they are pre-mined and will be distributed free to anyone in Scotland who wants some. At present they cannot be exchanged for other altcoins and they have no value in fiat currency (unless the free market decides otherwise, according to the website). Nor is it entirely clear whether the founder is actually based in Scotland but he was, he says, born there.  The purpose of Scotcoin, he says, is to provide a plan B currency for an independent Scotland.

Now, as someone who is not by nature a libertarian, at least where others are concerned, I’m a bit suspicious about cryptocurrencies. I don’t own any Bitcoin and feel slightly seasick at the idea of an asset whose value fluctuates more than the waves on a bad ferry crossing. Here at Consult Hyperion, though, we generally believe that the technology behind Bitcoin, the blockchain, is a lot more interesting than the currency itself.

Nonetheless I felt moved, as a Scottish resident, to obtain some Scotcoins. Purely out of professional curiosity, you understand.

This involved downloading and installing the Scotcoin wallet. In other words downloading and installing an executable file from a non-https website I’d previously not heard of. As an IT security graduate this made me feel even sicker than the Bitcoin exchange rate but I did it nonetheless (to an old laptop) and I now own 1000 shiny Scotcoins.

Now what? It’s hard to say. Is it for real?

I feel obliged to report that not everyone is convinced about Scotcoin (see http://loggingoff.tygabitworks.com/) but then there’s a lot of negativity about Bitcoin too. I’m absolutely not endorsing that view, merely reporting it but the Scotcoin website certainly displays a creative attitude to punctuation and spelling, whether that means anything or not. On the other hand around 100 or so other Scots seem to have downloaded the wallet so presumably they think it’s fine*. And my virus checker (paid for AVG) hasn’t picked up anything feeding my online banking details offshore.

In any case there’s absolutely nothing wrong with the concept of a Scottish cryptocurrency, irrespective of whether Scotcoin is it or not and Alex Salmond would be well advised to consider it. If you’d like to know more, Dave Birch will be talking about the idea of a Scottish virtual currency to the Financial Services Club Scotland in Edinburgh on 29th April. 

*I’m enchanted to note that one of the first power users is called Dug. Dug of course is Scots for Doge.

Google Wallet Review


Google Wallet is back!  They have moved away from a focus on NFC to an e-wallet that will work with all mobile phones and have drastically reduced the friction with merchants, banks, mobile carriers and customers.

Downloading the Google Wallet app to my iPhone was quick and easy.  After downloading the wallet, it asks you to “sign in with your Google Account” or “create an account”.  The tag line is “One Google Account for everything Google”…you don’t see sign-in with Facebook here!

Wallets, wallets everywhere! Which ones have an edge today?

As someone that is exposed to the payments industry, attends conferences, reads the industry publications and is generally interested in all things payment related, even I am surprised at the number of mobile wallets that are available.  Everyone wants me to download his or her e-wallet to my mobile phone – from Starbucks, to Square Wallet to Isis and the list goes on.  So I have decided to take a journey over the next few weeks and experience a variety of mobile wallets that are available in the US marketplace.  And here is the real challenge – I carry an iPhone!

Threats, risk and attacker motivation: a real life example

[Margaret Ford] Travelling home from a meeting at the Payments Council on Monday afternoon, I was enjoying the peace and quiet of the train gradually emptying as it drew further out of town. At Sunningdale, a station normally notable only for the most prosperous passengers, a group of excitable teenagers joined the train obviously looking for trouble. Brandishing camera phones, they seemed more of an irritant than a threat.

Avidly reading advice on strategies to avoid arrest by over-zealous US police officers, quoted in an article from the latest edition of Cryptogram, I felt comfortably detached from my surroundings. The luxury of a half-empty train on the Reading line is a rare treat.

The author of the article advised that unlawful activity is best indulged in from the comfort of your own home. If you must commit crimes in public, avoid drawing attention to yourself. In particular, even if you become aware of an officer while performing an illegal act, it is better to continue rather than raise suspicion through a sudden change in behaviour.

At this point I became aware that I had unwittingly become the focus of the gang, who had moved on from threatening to punch random strangers to wielding newspapers and cigarette lighters while daring each other to take my phone. Suddenly alert to the situation, I put my phone away, muttered ‘excuse me’ and wandered gently up the carriage. They left the train at the next station.

I’d made the mistake of forgetting that my brand new phone, which I regarded as a standard device for accessing content and keeping in touch, could also be seen as a status symbol with significant market value. On reflection, it gave me a tangible example of one of the key risk concepts being investigated by the TREsPASS project: attacker motivation. This had moved from the general to the specific, as an opportunity was spotted and the incident unfolded. It was clearly unpremeditated and yet in many ways predictable.

As my brother commented the next morning, teenage gangs in our area just aren’t what they were in our youth, when they would steam the length of trains in groups of twenty or more. He also gave me a great tip for protecting my phone in future, which in his experience deters all potential muggers.  Waterproof, costing only a few pence, with the option of additional cotton wool for extra authenticity: an attractive little black plastic bag with yellow drawstring, as commonly carried by dog walkers.

If it’s not malware it should be

[Jane Adams] I’ve got a sore back. Or to be more precise I’ve got a sore tail bone. I don’t know whether it’s from being thrown in a fight or from the amount of time I spend on trains commuting between home (Edinburgh) and work (Guildford) but sitting down has been painful recently. Last night I felt moved to Google the problem on my phone to see what could be done.

Google did its job with a multiplicity of results. But I couldn’t access any of them because my MNO blocked them all as adult content. I didn’t use *rse or b*m as search terms but anything below the waist appears to be out for this MNO.

What I was presented with was a tiny, barely legible (even on my Samsung S3), barely branded screen asking me to input my credit card details to prove that I was old enough to read about what is probably age-related spine degeneration.

On an Android phone? You must be kidding.

And why is this necessary? I have an account with my phone provider (one of the big 4). I’ve had a business account with my phone provider for something like 10 years. Until recently, when I got my proper job with Consult Hyperion, I was VAT registered and the MNO had that information in its system. If, as the phone owner, I’m old enough for a VAT registration, I’m old enough to read about bottoms. And if I’m not the venerable phone owner and I’ve nicked their phone, I’ve probably nicked their credit card too.

There’s a lot of talk about big data at the moment. Proper use of data could considerably improve the prospects for mobile wallets. However if this is indicative of what mobile operators are doing with data, I’m not optimistic.

Frankly, I rather hope that the screen was malware generated rather than genuine.

