Tag: identity authentication technology consumer

Malware Wolves in Developer Sheep’s Clothing

by Leave a comment
internet screen security protection

When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it.  They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews.  But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.

This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker.  You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction.  There is some suspicion that it may have also been uploading session cookies.

Continue reading “Malware Wolves in Developer Sheep’s Clothing”

NHS test and trace text messaging scams target vulnerable people

by Leave a comment
person using smartphone

Here at Consult Hyperion we tend to go on about the lack of a joined up thinking around government policy on digital identity and source authentication but mostly it doesn’t really affect us personally. I mean, we get this stuff, we can spot a scam a mile off. But sometimes it does get a bit close to home…

I discovered today that my frail but still mentally competent parents have been quarantining for the past week, and a bit, because they received an NHS Test and Trace text warning that they’d been in the proximity to someone diagnosed with COVID-19. As they’re in the very high risk category, you can imagine how worried they were. But here’s the thing – they never give their mobile number to anyone and they wouldn’t know how to download an app even if I spent a year explaining it to them. It was a scam – in fact the text deleted itself, but almost certainly it will have contained “more information” link, which would have downloaded malware onto their phone.

Continue reading “NHS test and trace text messaging scams target vulnerable people”

The best definition of Digital Identity

by Leave a comment
red lights in line on black surface

Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.

Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:

Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.

In one sentence I was trying to capture several points:

  • Digital identity is a means to an end not an end in itself
  • It’s bi-directional – in any transaction both parties need to have confidence in the other party
  • It’s about the information you need to share, which will vary considerably between contexts.
  • It protects privacy by only sharing the information (or claims) necessary.

Continue reading “The best definition of Digital Identity”

Things aint what they used to be

by 2 Comments

[Dave Birch] It’s pretty obvious that RFID is going to transform a variety of retail supply chains, adding value to the services delivered to the end customers.

Izzy’s Ice Cream Café in St. Paul, Minnesota is putting to use RFID technology for giving real time updated on flavors available in its dipping cabinet. It offers more than 100 flavors but serves only 32 in its dipping cabinet at any point of time. The cabinet comes equipped with readers capturing every flavour’s corresponding labels embedded with an RFID tag. The reader captures information 22 times every second and is sent to a system which updates website of the parlour so that customers get to know what is available even before they enter the store. Coloured dots are projected on the wall of the store or TV behind the counter so that the customers get to know the flavours available.

[From The RFID Weblog: RFID chip and ice creams]

Now this is a great use of the technology and I’m sure it’s only one of the ways in which retailers will find that RFID provides a platform for better management, better service and entirely new services. Nevertheless,iIt’s a step from this kind of use of RFID to the idea of an “Internet of things” has been around for a while.

The “Internet of things” (can’t we think of a better name? the everynet? the allnet? — what about “skynet”, or has that been used somewhere before?) has two essential components: the concept that everything is connected to everything else, and the concept that everything can distinguished from everything else. Universal connection and universal identification. If we take the former for granted and take the Electronic Product Code (EPC) as an example of the latter, we can immediately see that this will create as many problems as it solves (which is not a reason for not doing it, since it also creates many opportunities). It’s easy to see why. Suppose that your phone reads the EPC from my underpants. So what? Now your phone knows that I am wearing either Gucci underpants or a pair of Primark underpants with a Gucci chip in them to impress the ladies. If such phones and such tags were to exist, what would actually happen? What would be the impact on society of knowing what everything is and where everything is all the time.

, ,

Continue reading “Things aint what they used to be”

Collision

by Leave a comment

[Dave Birch] Here at Consult Hyperion we’ve recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there’s another less tangible reason for being interested in it: because once the US government has chosen something as a “standard”, then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I”m not the only one who has been reflecting on just how significant the US government’s support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago — long before the US government announcement — during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with “soft” OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook “Identity”, then I’m sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to “hard” OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of “private” digital identities. I think that, as Burton note, the US government’s decision signals a genuine paradigm shift in this direction, a genuine change in the mental model are identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a “gold standard” identity provider as well as an identity oonsumer, but that’s another issue.

Continue reading “Collision”

Out of control, up to a point

by Leave a comment

[Dave Birch] I re-read an excellent post over at Emergent Chaos. It reflected an important discussion between two people, both of whom I take very seriously. To paraphrase and simplify horribly, Bob thinks that the social structures maintain privacy, Adam thinks that technological structures maintain privacy.

In a world where some people say “I’ve got nothing to hide” and others pay for post office boxes, I don’t know how we can settle on a single societal norm. And in a world in which cheesy-looking web sites get more personal data — no really, listen to Alessandro Acquisti, or read the summary of “Online Data Present a Privacy Minefield” on All Things Considered… — I’m not sure the social frame will save us.

[From Emergent Chaos: Bob Blakley Gets Future Shock Dead Wrong]

The lack of a “norm” is a good point here, and I have to say it made me think. We should be developing tools that allow people to construct their norms (within boundaries, obviously) but not setting out a norm so that the tools can only implement one model. For this reason, amongst others, I tend to come down on the more technological side of this argument, which is why I’m so keen to see privacy as part of customer propositions and privacy-enhancing technologies as part of the systems being built in both public and private sectors.

Continue reading “Out of control, up to a point”

4D Secure

by 1 Comment

[Dave Birch] One of the things that I thought might happen this year is that the US government standard for ID cards might begin to spread into the commercial sector, simply because of the impact of standardisation. I wasn’t the only person who thought this, by the way.

In 2009, common access card programs will get another chance to conquer the enterprise market due to the government’s drive to implement PIV cards for all employees and contractors, the availability of standards and compatible products, the spread of standards beyond the federal government to state and local entities as well as government-linked enterprises. Most importantly, security convergence will finally receive market traction.

[From ContactlessNews | Look for renewed interest in enterprise common access card programs in 2009]

I should say that I thought this was a good thing. The PIV might not be an exact match with some corporate requirements, but on the other hand a standard means lower costs and an emerging ecosystem. So, if we want to improve corporate security, do we start designing our own, optimal solution, or go with the grain of what’s out there on the basis that it’s much, much better than nothing?

Continue reading “4D Secure”

Good morning, thing

by 3 Comments

[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RIFD-at-a-distance, but there would be some advantages to being “recognised” by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.

The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).

[From FSTC | Financial Services Technology Consortium – Press & Articles]

Why would banks want to do that? Well, it is relatively easy to implement vicinity (let’s say up to a couple of metres) read-only functionality along side the proximity (let’s say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.

Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.

[From What high street banking will look like in 2020]

While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology,

Now “Yes Bank” which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises… The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.

[From The RFID Weblog: RFID being used to give preferential treatment to rich clients in Indian banks]

I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumers, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it’s rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.

This system creates a tiny, ultra-thin, pressure sensitive switch “which ensures that the device can only be read when the owner is pressing the switch”, said Peratech.

[From British firm develops RFID security technology to prevent ‘skimming’ | 20 Aug 2008 | ComputerWeekly.com]

Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch. For example:

In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand

[From The RFID Weblog: The Do It yourself Guide to implanting RFID Chip in your hand]

Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and if properly designed such an infrastructure could deliver more, I think, thank many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.

Continue reading “Good morning, thing”

Give us the chance to do better

by 1 Comment

[Dave Birch] One of the frustrating aspects of being a technologist in the identity space is that I know that the technology can deliver more than customers want. There are a number of reasons for this, but two of them will suffice to make a point. Firstly, people’s “common sense” version of identity is simply not sophisticated enough for a modern economy and, secondly, that the people who actually specify and procure systems that hinge on identity do not make privacy part of the proposition because they (incorrectly) view security and privacy as opposites. In fact, the technology can deliver both and some times it’s very easy to make it do just that. Look at the basic case study of “no fly” lists, where the problem is to check whether someone’s name appears on a list of people to be excluded…

In comparing the contents of two databases, such as an airline-passenger list and a no-fly list, for example, officials should be interested only in the names that appear on both lists. They have no need for the rest of the passengers’ names. Those mutual names can be found by first encrypting both lists using strong encryption.

[From Sharing information while preserving privacy is a technologically trivial challenge, researcher says — Government Computer News]

Quite. And if the lists are encrypted, and don’t need to be decrypted to make them work, then privacy is automatically improved without ombudsmen, best endeavours and the rest of it. A rudimentary understanding of the issues is all that is needed to deliver vastly better solutions.

Continue reading “Give us the chance to do better”

No, wait, Titanic isn’t the right metaphor

by 2 Comments

[Dave Birch] For many years I have consistently maintained that multiple identities (more specifically, multiple virtual identities bound to digital identities that can be authenticated against “real world” identities) are an integral part of the digital identity infrastructure of the future and emphatically part of the solution, not part of the problem. There is a technical caveat though: the virtual identities must be kept separate. As Robin Wilton notes, with his usual perceptiveness,

maintaining different ‘personas’ can contribute to personal privacy – and personal privacy is undermined when the barriers between those ‘personas’ are broken down.

[From Racingsnake – the blog of Future Identity: Is privacy only for the rich?]

So we need a good technology (firewalls, PKI, keys, tamper-resistant hardware blah blah blah, you know the score) to make the barriers and should not rely on guidelines or ombudsmen instead. However, I made a terrible mistake explaining this vision to group of people recently. I said that the partitioning of identity in this way was the equivalent of building a big ship with a series of waterproof compartments separated by strong bulkheads, so that if one compartment is holed, the ship is not threatened. What, someone said, you mean like the Titanic?

Continue reading “No, wait, Titanic isn’t the right metaphor”


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.