Good morning, thing

[Dave Birch] OK, so I know it sounds spooky and people are uncomfortable with RFID-at-a-distance, but there would be some advantages to being “recognised” by machines. Think about the subject from a customer service perspective rather than a security, spying and generally creepy perspective. As, in fact, some people already have been.

The Financial Services Technology Consortium (FSTC) today announced the launch of a project whose goal is to help member banks adopt radio frequency identification technology (RFID).

[From FSTC | Financial Services Technology Consortium – Press & Articles]

Why would banks want to do that? Well, it is relatively easy to implement vicinity (let’s say up to a couple of metres) read-only functionality alongside the proximity (let’s say up to a couple of centimetres) read-write functionality used in contactless identity cards, bank cards and NFC phones. The chip sets are readily available. Handled correctly, this is something that a great many customers would appreciate.

Imagine a world where, when you walk into your bank, messages and adverts pop up that address you by name.

[From What high street banking will look like in 2020]

While The Times might see this as something for 2020, more technologically advanced nations are already experimenting with the technology,

Now “Yes Bank” which is a commercial bank operating out of India has been piloting an RFID system so that bank employees can identify these rich fat customers and offer them personalized services. Under the pilot RFID banking cards have been offered to select customers apart from deployment of RFID interrogators and customized gate antennas at bank premises… The moment the elite customer arrives in the bank his details are flashed on the system which enables the relationship team to identify the concerned person so that they can accord him services in the best possible manner.

[From The RFID Weblog: RFID being used to give preferential treatment to rich clients in Indian banks]

I can readily imagine using a Tesco Clubcard with this technology, or a BA Executive Club card or a transit card. As a consumer, I want to get better service where possible and the idea that everything from shopping cards to airport display boards might know who I am and deliver personalised service because of that is rather appealing. At least, it’s rather appealing provided that my identity is managed properly and my privacy is assured. This could be done at a physical level: you might, for example, have a Clubcard that only functions when you press a button on it.

This system creates a tiny, ultra-thin, pressure sensitive switch “which ensures that the device can only be read when the owner is pressing the switch”, said Peratech.

[From British firm develops RFID security technology to prevent ‘skimming’ | 20 Aug 2008 | ComputerWeekly.com]

Well, I can see how that might work for a card, although it seems a bit of a hassle in practice. But what about other form factors, particularly form factors that might make it difficult for someone to physically reach the switch? For example:

In times where a lot of hue and cry is being raised over injecting humans with RFID tags here is a video of a guy who seems pretty cool about injecting RFID chip in his hand

[From The RFID Weblog: The Do It yourself Guide to implanting RFID Chip in your hand]

Connecting things up is easy, but disconnecting them is hard! The solution, surely, is not down at the physical layer but in the logical layer above it. Extending the future digital identity management infrastructure to the Internet of things has to be the way forward and, if properly designed, such an infrastructure could deliver more, I think, than many people imagine. In particular, such an infrastructure could protect privacy through the judicious use of cryptography rather than through codes of practice or goodwill.

Give us the chance to do better

[Dave Birch] One of the frustrating aspects of being a technologist in the identity space is that I know that the technology can deliver more than customers want. There are a number of reasons for this, but two of them will suffice to make a point. Firstly, people’s “common sense” version of identity is simply not sophisticated enough for a modern economy and, secondly, the people who actually specify and procure systems that hinge on identity do not make privacy part of the proposition because they (incorrectly) view security and privacy as opposites. In fact, the technology can deliver both and sometimes it’s very easy to make it do just that. Look at the basic case study of “no fly” lists, where the problem is to check whether someone’s name appears on a list of people to be excluded…

In comparing the contents of two databases, such as an airline-passenger list and a no-fly list, for example, officials should be interested only in the names that appear on both lists. They have no need for the rest of the passengers’ names. Those mutual names can be found by first encrypting both lists using strong encryption.

[From Sharing information while preserving privacy is a technologically trivial challenge, researcher says — Government Computer News]

Quite. And if the lists are encrypted, and don’t need to be decrypted to make them work, then privacy is automatically improved without ombudsmen, best endeavours and the rest of it. A rudimentary understanding of the issues is all that is needed to deliver vastly better solutions.
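One way to realise the encrypted-list comparison described above is commutative blinding (a Diffie-Hellman style private set intersection). This is an added example, not code from the quoted researcher or the original post; the names, lists and the `Party` and `find_matches` helpers are constructed for illustration, and the 768-bit group is demo-sized.

```python
import hashlib
import secrets

# Oakley Group 1 safe prime (RFC 2409): 768 bits, demo-sized only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q = (P - 1) // 2  # prime order of the subgroup of squares

# Constructed sample data (not from the page).
PASSENGERS = ["Alice Example", "Bob Sample", "Carol  Placeholder", "Dan Test"]
WATCHLIST = ["carol placeholder", "Eve Nobody", "bob sample"]


def hash_to_group(name: str) -> int:
    """Canonicalise a name, hash it wider than P, then square into the subgroup."""
    canon = " ".join(name.casefold().split()).encode()
    digest = hashlib.shake_256(canon).digest(128)
    return pow(int.from_bytes(digest, "big") % P, 2, P)


class Party:
    def __init__(self, names):
        self.names = list(names)
        self.key = secrets.randbelow(Q - 1) + 1  # secret exponent, never shared

    def blind_own(self):
        return [pow(hash_to_group(n), self.key, P) for n in self.names]

    def blind_again(self, values):
        return [pow(v, self.key, P) for v in values]


def find_matches(agency: Party, airline: Party):
    """Return the agency's own names that also appear on the airline's list."""
    watch_b = agency.blind_own()             # agency -> airline: H(y)^b
    # Airline -> agency: H(y)^(ba) in the same order, plus its passengers as
    # H(x)^a, sorted so that position says nothing about the manifest order.
    watch_ab = airline.blind_again(watch_b)
    pax_a = sorted(airline.blind_own())
    # Agency finishes the passengers' blinding: H(x)^(ab) == H(x)^(ba).
    pax_ab = set(agency.blind_again(pax_a))
    return [n for n, v in zip(agency.names, watch_ab) if v in pax_ab]


if __name__ == "__main__":
    print(find_matches(Party(WATCHLIST), Party(PASSENGERS)))
```

The agency learns membership only for names it submits, so the airline should cap and log the size of the submitted list. A production system would use a standardised 2048-bit or elliptic-curve group rather than this demo-sized one.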

No, wait, Titanic isn’t the right metaphor

[Dave Birch] For many years I have consistently maintained that multiple identities (more specifically, multiple virtual identities bound to digital identities that can be authenticated against “real world” identities) are an integral part of the digital identity infrastructure of the future and emphatically part of the solution, not part of the problem. There is a technical caveat though: the virtual identities must be kept separate. As Robin Wilton notes, with his usual perceptiveness,

maintaining different ‘personas’ can contribute to personal privacy – and personal privacy is undermined when the barriers between those ‘personas’ are broken down.

[From Racingsnake – the blog of Future Identity: Is privacy only for the rich?]

So we need a good technology (firewalls, PKI, keys, tamper-resistant hardware blah blah blah, you know the score) to make the barriers and should not rely on guidelines or ombudsmen instead. However, I made a terrible mistake explaining this vision to a group of people recently. I said that the partitioning of identity in this way was the equivalent of building a big ship with a series of waterproof compartments separated by strong bulkheads, so that if one compartment is holed, the ship is not threatened. What, someone said, you mean like the Titanic?

Authentication in 3D

[Dave Birch] Over on Digital Money there’s been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One of the problems with the deployment of these services was that customers didn’t really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.

The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.

[From Verified by Visa Europe upgraded to improve cardholder experience]

MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.

To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

I’m interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication service to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.

