[Dave Birch] A common mistake in government-related discussions around identity is to completely misunderstand the nature of the problem itself:
people need to prove who they are many times during a day.
[From In Development » Just what is ‘identity’?]
No, they don’t. People need to prove that they are entitled to do something or are allowed to do something several times during a day, which is actually an entirely different issue. Mind you, it’s an often-repeated mistake, even amongst those who should know better but haven’t really thought it through. When he was the Home Office Minister for ID cards, Andy Burnham said that “I take the view that it is part of being a good citizen, proving who you are, day in day out”. How wrong can you be? Other than the current Home Office Minister for ID cards, Meg Hillier, who said that we should see ID cards as “passports in-country”. Or, indeed, the Home Office Minister for ID cards before him, Tony McNulty, who said that
“There are now so many almost daily occasions when we have to stand up and verify our identity.”
[From BBC NEWS | Politics | Labour admits ID card ‘oversell’]
I blame the education system, but blog readers may have some other explanations as to why this same, fundamental, error is propagated by people who ought to have some grasp of the issues.
[Dave Birch] Well, not really identity theft at all, but stealing credit card details on a massive scale then using them to obtain goods or services fraudulently. These ones got caught.
Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.
[From 11 Charged in Theft of 41 Million Card Numbers – NYTimes.com]
Judging by the ever-escalating figures for credit card fraud, however, plenty of others are still getting away with it. Are the figures telling us something very specific about authentication: that online PINs and passwords are not only not a particularly good authentication mechanism but may actually make matters worse? The prosecutors allege that the criminals stole card details and PINs as they were passing (apparently unencrypted) over wireless networks, then used the card details to manufacture fake cards, and then used the PINs with the cards to withdraw cash from ATMs. No PINs, no cash out of the ATM.
[Dave Birch] Stuart Kwan, Director of Identity and Access at Microsoft, kicked off something a while back by talking about the need for some sort of "identity bus" that can allow different systems, components and applications to tap into an effective digital identity infrastructure. It doesn’t exist as an architecture, let alone products, but people do understand what he means.
The "identity bus" is, of course, still just a vision, but at least it is a beginning. Understanding and building toward an identity industry that is "the identity bus" should be the mission of every serious identity vendor out there.
[From Identity Bus: More than meets the eye | CSO Blogs]
Kim has been talking about this as well. There’s a lot to commend this way of thinking. From the technical side, we all understand what a bus implies: standards and interfaces, "plug and play", commodity units. Whether this is realistic in the identity space needs further discussion, because the industry may not yet know enough about what is wanted, what the real requirements are, in order to be able to come up with some building blocks of lasting value. Yet in a discussion this afternoon, in connection with the use of mobile phones in the identity infrastructure, I did start to think that perhaps instead of endless industry bodies, government studies and new experiments, it might be better to just start plugging a few bits and pieces together.
[Dave Birch] What are the differences between the proposed German identity card and the proposed UK identity card? Well, for one thing we already know how the German card will work and what applications it will contain. In fact it will contain three: the ePass application for police and border control, the opt-out eID application for e-business and e-government and the opt-in eSignature application. It has some interesting functions, such as proof of age without disclosing age, and supports end-to-end online security because it has a mutual authentication scheme built in. If someone wants to authenticate you using your card, they have to provide a digital certificate (issued to them by the German government) that contains a map of the attributes (eg, address) that the service provider is allowed to use. Since the card and the service provider thus have an encrypted end-to-end channel, they are immune to man-in-the-middle attacks.
A function I find particularly interesting is the pseudonym function. A service provider can request an identity that is known only to that service provider and the card will generate a pseudonym according to a published algorithm. Since this involves using the service provider’s public key, service providers cannot know other service providers’ pseudonyms, a simple means to increase both security and privacy for very little effort. If there is a specification for the U.K.’s identity card that is currently being procured then I haven’t seen it, but I’d lay a pound to a penny that it does not include this kind of privacy-enhancing technology (PET) because I have never seen it in any of the management consultants’ presentations, government strategy documents or discussion forums. What a shame. Why do Germans deserve this kind of security but we Brits don’t?
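The pseudonym idea described above, sketched as an added example (not the card's published algorithm and not code from the original post): the card combines its own secret with the requesting service provider's public key and hashes the result, so each provider sees a stable identifier that is useless to any other provider. The Diffie-Hellman-style construction, the demonstration group and the function names `keygen`, `pseudonym` and `demo` are all assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed demonstration group: integers modulo the prime 2**255 - 19, base 2.
# Chosen only so the sketch runs with the standard library; a real card
# would use whatever group its specification mandates.
P = 2**255 - 19
G = 2

def keygen():
    """Return a (secret, public) key pair for a card or a service provider."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)

def pseudonym(card_secret: int, sp_public: int) -> str:
    """Card-side derivation: key agreement with the provider's key, then a hash."""
    # Reject degenerate keys that would give every card the same pseudonym.
    if not 1 < sp_public < P - 1:
        raise ValueError("service provider public key out of range")
    shared = pow(sp_public, card_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).hexdigest()

def demo():
    """Two cards and two service providers, all with freshly generated keys."""
    card_a, _ = keygen()
    card_b, _ = keygen()
    _, bank_pk = keygen()
    _, shop_pk = keygen()
    return {
        "a_bank_1": pseudonym(card_a, bank_pk),  # first visit to the bank
        "a_bank_2": pseudonym(card_a, bank_pk),  # return visit: same value
        "a_shop": pseudonym(card_a, shop_pk),    # other provider: unrelated value
        "b_bank": pseudonym(card_b, bank_pk),    # other card holder at the bank
    }

if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label:9} {value}")
```

The bank and the shop cannot match their records by comparing pseudonyms, because each value depends on a provider key the other does not share, while the same card always presents the same value to the same provider.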
[Dave Birch] Let’s suppose you are a master identity criminal and you’ve pulled off a heist: You’ve got away with the HMRC disks, or the POS keylogger or the hospital laptop. You’ve got my identity. Now what are you going to do with it? Open a bank account? Pretend to be me to commit acts of international terrorism? Take out a mortgage? Stalk someone via social networks? Get a credit card? Actually, it’s none of the above.
Wireless-phone accounts were the most frequent types of new accounts opened using ID theft, according to the report. These criminal cellphone account openings increased from 19 percent to 32 percent of new account fraud last year, exceeding fraudulently opened credit cards, loans, checking or savings accounts.
[From Javelin Strategy and Research » The Savvy Consumer: Don’t be taken in by drop in identity theft]
Generally speaking, most kinds of identity theft are really financial frauds of one form or another. If you want to sneak into NORAD, then you’re unlikely to find a useful ID floating around on the Net, you’d be targeting a more specific identity, blackmailing someone, that kind of thing. So if run-of-the-mill identity theft is about getting a bank loan in a bogus name, then I wonder if it might be economically more efficient for society as a whole to make bank loans harder to get rather than racking up costs defending against identity theft. If, in the U.S., you needed more than a plausible name, address and social security number combination to get a loan, then stealing the name, address and social security number would presumably become less interesting to criminals.
[Dave Birch] 2FA is clearly important. But what kind of 2FA? At the moment, the "something you know" plus "something you have" version is in vogue, and a great many organisations have been rolling out tokens of one form or another. In the U.K., Barclays (to name but one) have already rolled out 2FA to the mass market:
Gemalto announced it has passed the 1 million mark for Barclays customers using PINsentry, its cryptographic smart card reader. The bank started deploying its authentication program in July 2007 and since then not one PINsentry online customer has suffered fraud.
[From 1 million Barclays customer using smart card reader : SecureID News]
As I’ve said before, I’m a happy PINsentry customer, even though I know it doesn’t provide total security. But it’s a bit limited. I can’t use it to log in to anything else: I’d much rather that Barclays offered a 2FA OpenID login using the PINsentry and then I could use my Barclays OpenID to log in not only to the bank but to any other sites that needed that kind of security (eg, the government). Simon Willison’s excellent OpenID blog alerted me to the fact that other people are already thinking in that direction.
Microsoft are accepting OpenID for their new HealthVault site, but with a catch: you can only use OpenIDs from two providers: Trustbearer (who offer two-factor authentication using a hardware token) and Verisign.
[From Simon Willison’s Weblog]
So OpenID/2FA is not only feasible, it’s a good idea. But we don’t want to end up with a 2FA necklace — with the tokens from half-a-dozen banks plus eBay plus our corporate networks plus plus plus — that we have to carry with us at all times and this could happen if banks and other service providers don’t accept each other’s OpenIDs in a rich enough way.
[Dave Birch] Using SMS to provide an out-of-band 2FA scheme for access to online services sounds like a reasonable idea. But it depends on customers to do the right thing, and this is generally a bad idea in security terms. One study of a scheme that required customers to copy a pass code from their phone to a web page (to confirm online transactions) found that customers did not notice when the message included incorrect details. My guess is that this is a general result: once you train customers to perform some simple action in order to obtain security, they won’t do any of the other cross-checks and because they think (for no reason) that SMS is somehow secure, then SMS-based approaches may be even more exposed. This is a shame, because it may hinder the development of mobile services, such as banking. People are increasingly comfortable with using their mobiles for banking, we all know that. According to TowerGroup, 90% of those who tried mobile banking at Bank of America have remained active with 99% checking balances, 87% looking at transaction history, 10% making funds transfers, and 5% paying a bill. But if they begin to read in the newspapers about mobile security being subverted, those numbers will fall.
[Dave Birch] Dealing with the government online is precisely the kind of activity that is subverted by bad identity management. Case in point:
Ambitious plans to switch the majority of provisional licences from postal to online could not be taken up by one of the largest group of customers – teenagers – because they couldn’t prove their identity. Only 40,000 out of the 1 million people seeking a provisional licence were able to complete an online application. The remaining 960,000 had to stick to postal applications. One of the main reasons, according to the NAO, was that online applicants had to have either a new digital passport or a credit record to prove their identity.
[From DVLA plan fails ID test | Special Reports | Guardian Unlimited Politics]
The government has a portal for accessing public services — DirectGov — but it’s of limited usefulness, precisely because of this issue. And I’d lay a pound to a penny that the new ID card won’t make the slightest difference, since I’ve not heard a single minister or official say anything about using it in this way. Speaking of which, young people won’t have to worry about this problem for much longer because they’ll soon be able to get a splendid new identity card that will solve that problem for them. As the Home Secretary said recently:
We will start to make identity cards available to young people on a purely voluntary basis in 2010. I believe there are clear attractions in the scheme. It will make it easier to enrol on a course, apply for a student loan, open a bank account, or prove your age – especially as we get tougher on sales of alcohol to those under-age.
[From BBC NEWS | Politics | In full: Smith ID card speech]
Anyone familiar with the U.K. will recognise the wisdom of making it more difficult for children to buy alcohol.
[Dave Birch] There’s a story about identity in The Economist magazine that I read on the plane to Washington ("My bow is my bond", p.98, 26th April 2008) that connects directly with something I’m working on for a client at the moment. Naturally, neither the client nor the assignment will be discussed here, except to note that I’ve been playing around with some ideas on value-adding identity services for the mass market. I’d also recently received an e-mail from an august body, which won’t be discussed here either, asking if I’d like to provide (for free!) some ideas on how to get private companies to use the U.K. identity card: I ignored the request, of course, but I did jot down a few notes. For both of these reasons, the story caught my eye.
The story concerns a fraud against Lehman Brothers in Japan. They lent a Japanese company $350 million. The loan was guaranteed by a well-established Japanese trading house. Bankers from Lehman met an executive from the trading house — at the trading house’s office — to sign the contract. When the firm in question defaulted, Lehman went to the trading house to get their money, but the trading house claimed no knowledge of the deal. The executive had been an imposter and the contract was fake. When someone gives you their business card, you assume that it is true (by custom and practice — you don’t explicitly validate it) and when they put a letterhead in front of you, you take it to be real. Oops.
[Dave Birch] Privacy and security aren’t additional extras, costly options for a new system. They are (or should be) part of the fabric. You can choose how to implement systems in either a privacy-enhancing or privacy-reducing way. Take, for example, congestion charging. There are a couple of ways to do this: you could do it the way they do in Singapore, where you have a prepaid card that communicates via RF with an overhead gantry. When you go through a gantry, the system attempts to take a fee from the card. If the transaction goes through (it’s an offline purse transaction) then you’re on your way. If you borrow a mate’s car, you can take your card and put it in his car, no problem. But if you don’t have a card, or you don’t have any money on your card, then you get photographed. Alternatively, you can do it the British way. In London, all cars get photographed and then automatic numberplate recognition is used to try and work out who to charge. In many cases, it works and the correct account of a poor person is charged. I say poor person, because rich people register their Lamborghinis as taxis and avoid the charge:
Cleangreencars has discovered that there are an unusually high number of luxury cars that have been granted the private hire designation, including two Maserati Quattroportes, three Maybach 62 and eight Rolls Royce Phantoms.
[From Taxi!? London luxury car owners register Maseratis, Rolls Royces as C-charge-free private hire vehicles – AutoblogGreen]
Incidentally, if you can’t be bothered to send your chauffeur round to register the Porsche as a private hire, you can always just leave the Belgian plates on it, because the supercomputer running the system is not connected to other supercomputers in other European countries…
I drove for 4 years in London with a German plate, many times in the zone (once it was introduced), never paying and my ex never got a ticket sent to her place in HH where the car was registered.
[From London congestion charge for foreign cars]
In fact, as that tax-avoiders’ handbook The Independent notes,
there are a number of ways to exploit the loopholes in this system as a private, law-abiding motorist if you are willing to be a little inventive.
[From Congestion charge loopholes: Now just learn the Knowlege… – Features, Motoring – The Independent]
But I digress. My point is that we have choices, and not building privacy-enhancing technology into a system is making a positive choice to have a data catastrophe at some point downstream.