Criminal inconvenience

[Dave Birch] It was identity theft week, or something like that, and since I’m about to start the CSFI’s 2010/2011 Research Programme into “Identity in Financial Services”, with support from Visa Europe, I’ve been thinking about the key aspects of the problem. For example: how well are current know-your-customer procedures working? After all, they are pretty stringent. To the point where the typical customer finds dealing with financial services organisations an absolute nightmare.

The ID banks require is getting beyond a joke. I’ve just been locked out of one of my online accounts, through no fault of my own, and they’re demanding I send them a certified document plus a utility/bank bill, but they won’t accept one printed online. Yet like many people, both for the environment and ease, I opt for paperless billing wherever I can, so I simply don’t get any printed statements anymore, leaving me at an ID disadvantage when banks refuse to count those as ID.

[From Martin Lewis’ Blog… | The bank ID farce: online accounts don’t accept online statements]

Still, I’m sure we’d all agree that it’s worth the massive imposition on customers, and the massive costs to companies, in order to crack down on ne’er-do-wells who are trying to defraud our banking system (at least, the ones who don’t work for banks). But since identity fraud appears to be at record levels, either these stringent controls are counter-productive (because only criminals will bother jumping through the hoops) or a total waste of money.

Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data shows that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

[From SSRN-Internalizing Identity Theft by Chris Hoofnagle]

Given the amount of trouble I find in accessing my own accounts — I tried to log in to my John Lewis card account this week and it asked me a password that I’d forgotten and when I followed the “forgotten password” link it asked me for a secret word or something that I didn’t even know I’d set — I can only assume that the total amount of time, effort and money wasted on this sort of thing across the financial services sector as a whole is enormous.

Share and share alike

[Dave Birch] I’m not sure if it was a good idea to have National Get Online Week at the same time as National Identity Fraud Prevention Week and at the same time as announcing record identity fraud figures!

The National Fraud Authority (NFA) said fraudsters who stole identities had gained £1.9bn in the past year. Their frauds had affected 1.8 million people, the NFA estimated.

[From BBC News – Identity fraud now costs £1.9bn, says fraud authority]

As Philip Virgo notes, there appear to be some conflicting messages here and there may be some danger of a lack of strategic co-ordination.

Just after Martha had described her plans to the “Parliament and the Internet” conference last week, those at the session on “On-line Safety” discussed the need to bring the two sets of messages together lest they cancel each other out.

[From Mixed messages: “Get Online Week” v. “National Identity Fraud Prevention Week” – When IT Meets Politics]

I’ve scoured the coverage to find out exactly what it is that the “Get Online” campaign and the “Fraud Prevention” campaign plan to do about identity infrastructure and I’ve looked through the Cabinet Office “Manifesto for a Network Nation” (which does not mention identity or authentication even once) to find out what the British equivalent of the US National Strategy for Trusted Identities in Cyberspace is but I’m afraid I’ve come up with a bit of a blank (although a search of the Get Online Week website did turn up one article that mentioned identity theft in 2008). Perhaps I’m looking in the wrong places and a correspondent can point me in the right direction.

The UK national security strategy that was released last week does at least mention identity theft as a problem (it says that “Government, the private sector and citizens are under sustained cyber attack today, from both hostile states and criminals. They are stealing our intellectual property, sensitive commercial and government information, and even our identities in order to defraud individuals, organisations and the Government”) but doesn’t actually mention identity or authentication, nor does it put forward any suggestion as to what might be done about the problem.

Listening in

[Dave Birch] Who should we be listening to when formulating digital identity strategy? Consumers? Experts? Politicians? Lobbyists? Consultants? Consider, for example, the issue of privacy. This is complicated, sensitive, emotive. And some of the voices commenting on it are loud. Take a look at the “Wal-Mart story” — the story that Wal-Mart are going to add RFID tags to some of their clothing lines — which has naturally attracted plenty of attention. One particular set of concerns was founded on the idea that consumers could not have the tags “killed” and so would be tracked and traced by… well, marketeers, advertisers, sinister footsoldiers of the New World Order, the CIA and so on. So what is the truth?

The tags are based on the EPC Gen 2 standard, which requires that they have a kill command that would permanently disable them. So the tags can, in fact, be disabled. Wal-Mart does not plan to kill the tags at the point of sale (POS), only because it is not using RFID readers at the point of sale.

[From Privacy Nonsense Sweeps the Internet]

As a consumer, I don’t want the tags to be turned off, because that means that the benefits of the tags are limited to Wal-Mart and not shared with me. I’d really like a washing machine that could read the tags and tell me if I have the wrong wash cycle. And there are plenty of other business models around tags that might be highly desirable to consumers.

If it adds £20 to the price of a Rolex to implement this infrastructure, so what? The kind of people who pay £5,000 for a Rolex wouldn’t hesitate to pay £5,020 for a Rolex that can prove that it is real. Imagine the horror of being the host of a dinner party when one of the guests glances at their phone and says “you know those jeans aren’t real Gucci, don’t you?”. Wouldn’t you pay £20 for the satisfaction of knowing that your snooping guest’s Bluetooth pen is steadfastly attesting to all concerned that your Marlboro, Paracetamol and Police sunglasses are all real?

[From Digital Identity: The Rolex premium]

So does the existence of convenience, business model, consumer interest and practicality mean I have no privacy concerns? Of course not! So what is a reasonable way forward?

Wal-Mart is demanding that suppliers add the tags to removable labels or packaging instead of embedding them in clothes, to minimize fears that they could be used to track people’s movements. It also is posting signs informing customers about the tags.

[From Wal-Mart to Put Radio Tags on Clothes – WSJ.com]

That seems like a reasonable compromise: make it easy for people to cut the tags off if they don’t want them. So is that the end of the story? I don’t think it is.

What could possibly violate our privacy with tracking pants in a store to make sure there aren’t too many extra-large sizes on the shelves?

[From Privacy wingnuts « BuzzMachine]

The thing is, I agree with Jeff Jarvis here that some people are, indeed, “wingnuts”. But that does not mean that there are no genuine concerns and it does not mean that anyone who is concerned about privacy (eg, me) is a wingnut. But what it does mean, I think, is that we need to implement new identity technologies in a privacy-enhancing fashion and make the “privacy settlement” with the public more explicit so that there is an opportunity for informed comment to shape it. It seems to me that some fairly simple design decisions can achieve both of these goals, something that I’ve referred to before when using Touch2id as an example.

Let’s make crime illegal

[Dave Birch] In today’s newspaper, I read that the Blackberry is not, after all, to be banned from Saudi Arabia as it has been from the UAE.

The agreement, which involves placing a BlackBerry server inside Saudi Arabia, would allow the government to monitor users’ messages and allay official fears the service could be used for criminal purposes.

[From Saudi Arabia halts plan to ban BlackBerry instant messaging – Telegraph]

I don’t know whether it’s a good thing for messages to be in the clear or not. If I were an investment banker negotiating a deal, I might worry that someone at the Ministry of Snooping might pass my messages on to his brother at a rival investment bank, for example. After all, the idea that only authorised law enforcement officers would have access to my private information is absolutely no comfort at all.

A drugs squad detective, Philip Berry, sold a valuable contacts book containing the personal details of the criminal underworld to pay off his credit card debt, a court heard.

[From Corrupt drugs detective ‘sold underworld secrets to pay debt’ – Telegraph]

The idea that law enforcement would be helpless to stem the tide of international crime unless they can tap every call, read every email, open every letter, is (if you ask me) suspect. If I am sending text messages to a known criminal, you do not need to be able to read those messages to decide that you might want to obtain a warrant to find out who I am calling or where I am. The fact that I am using a prepaid phone does not, by itself, render me immune to law enforcement activity.

Beyene’s role in the heist was to buy so-called dirty telephones and hire a van to use as a blocking vehicle,

[From Gunman jailed for 23 years over Britain’s biggest jewellery robbery – Telegraph]

In fact this gang was caught because the police found one of the mobile phones they had been using. It contained four anonymous numbers, and from these the police were able to track down the gang members. It wasn’t revealed how, but there are at least two rather obvious ways to go about it: get a warrant to track the phones and correlate their movements with known criminals, or get a warrant to find out which numbers those other phones have been calling and follow the chain until you get to a known number. Yes, this might require some police work, which is more expensive than having everything tracked automatically on a PC, but it is better for society. This reminds me of a recent discussion about anonymous prepaid phones. I’m in favour of them, but plenty of people are against them. (Same for prepaid cards.) Ah, but you and the authorities in some countries might ask: how can you catch criminals who use anonymous prepaid phones? Forcing people to

Earlier this month, the FBI revealed that the suspected Times Square bomber had used an anonymous prepaid cell phone to purchase the Nissan Pathfinder and M-88 fireworks used in the bomb attempt.

[From Senators call for end to anonymous, prepaid cell phones]

Setting aside the fact that this guy was caught (despite the dreaded “anonymous prepaid cell phone”) and had been allowed on a flight despite being on the no-fly list, the politicians are, I’m sure, spot on with their informed and intelligent policy. In fact, one of them said:

“We caught a break in catching the Times Square terrorist, but usually a prepaid cell phone is a dead end for law enforcement”.

[From Senators call for end to anonymous, prepaid cell phones]

Amazingly, the very same issue of the newspaper that reports on the captured UK armed robbers contains a story about a Mafia boss caught by… well, I’ll let you read for yourself:

One of Italy’s most wanted mafia godfathers has been arrested after seven years on the run after police traced him to his wife’s mobile registered in the name of Winnie the Pooh

[From Winnie the Pooh leads to gangster’s arrest – Telegraph]

So, basically, if you require people to register prepaid mobile phones then you raise the cost and inconvenience for the public but the criminals still get them (because they bribe, cheat and steal: that’s criminals for you). I imagine that in the Naples branch of Carphone Warehouse the name “Winnie the Pooh” on a UK identity card looks perfectly plausible: they would have no more chance of knowing whether it’s real or not than the Woking Carphone Warehouse would when looking at an Italian driving licence in the name of Gepetto Paparazzo. Again it’s not clear exactly what the police did, but from elements of the story it appears to be something like: the police discovered (through intelligence) that the godfather’s wife was calling an apparently random mobile phone number at exactly the same time every two weeks. From this they determined which phone was hers (the “Winnie the Pooh” phone) and they tracked it to Brussels. But suppose some foolproof method for obtaining the correct identities of purchasers were to be found. Would this then stop crime in, say, Italy? Of course not.

In an attempt to combat the cartel-related violence, Mexico enacted a law requiring cell phone users to register their identity with the carrier. Nearly 30 million subscribers didn’t do this because of a lack of knowledge or a distrust of what could happen to that information if it fell into the wrong hands. Unfortunately, the doubters were proven right, as the confidential data of millions of people leaked to the black market for a few thousand dollars, according to the Los Angeles Times.

[From Did Mexico’s cell phone registration plans backfire?]

The law just isn’t a solution. It might even make things worse.

Head in the clouds

[Dave Birch] At the recent European e-Identity Management Conference, Kim Cameron from Microsoft pointed out a few privacy and security concerns that relate to the cloud. This is important stuff, obviously. For one thing, the cloud is the new black. Remember this from a year ago?

All government departments are to be encouraged to procure new IT services based on a cloud computing model.

[From UK government CIO wants to build a “government app store” – 19 Jun 2009 – Computing]

This never meant that they actually would, or indeed, should have used the cloud for anything. I’m not sure if I’d want my medical records on Google Docs, one phished password away from universal access. Indeed, the idea of a special cloud for e-government wasn’t far behind:

Establishing a Government Cloud or ‘G-Cloud’. The government cloud infrastructure will enable public sector bodies to select and host ICT services from one secure shared network. Multiple services will be available from multiple suppliers on the network making it quicker and cheaper to switch suppliers and ensure systems are best suited to need.

[From News : NDS ]

Hold on. Suppose the cloud goes wrong, as one might imagine that a government IT cloud would have a propensity to do, what then?

In our opinion cloud computing, as currently described, is not that far off from the sort of thinking that drove the economic downturn. In effect both situations sound the same… we allowed radical experiments to be performed by gigantic, non-redundant entities.

[From MAYA Design: The Wrong Cloud?]

Hhhmmm. So this means that if the government cloud goes down, or more likely that the gateway goes down, then there are no government services. Surely the solution is to have lots of clouds, not one, so that citizens can use any of the clouds to connect to any of the services: it shouldn’t matter whether citizens want to sign on in person, at a kiosk, using the phone, through the set-top box or on a PC. All of these channels should federate their identity through to the government for access.

Faces

[Dave Birch] As I blogged before, Consult Hyperion joined forces with Identrust to sponsor the Digital Identity Forum track on “Identity is the new money” at this year’s European e-Identity Management conference in London on 9th-10th June 2010. It was a really enjoyable event, I have to say, so hats off to Roger and the team from EEMA. The morning keynote came from Emer Coleman from the Greater London Authority who showed us a video about squirrels and then went on to talk about something called the “London Datastore”. I didn’t really understand her slides, which mentioned Marx, The Wire, Mini-Me from that Austin Powers movie, a tumble dryer and the Chicago School, but I think it meant that they are going to start using open source, which is a good thing, and they are going to open up some public data, such as where the new cycle hire stations will be (although they don’t know, since the sites are only indicative and you have to file a Freedom of Information Act request to find out).

This was followed by a panel discussion on the different “faces” of identity: ethical, legal and technical.

  • The ethical perspective came from Alexander Hanff, Head of Ethical Networks at Privacy International. Alexander noted the significant changes that have occurred in the UK in the last couple of weeks, with the abolition of the ID card, Children’s Index and so forth. He was rather positive about the new Coalition and said that he expected more “positive changes” to come. I have to say that I wasn’t clear on the vision, although he did mention transparency as a key element in the new identity and trust landscape, and that’s something I do agree with.
    • He did mention in passing that most businesses are unprepared for the impact of European telecoms regulation. This isn’t my field, so I didn’t entirely follow this part, but it seems that the EU is going to require the interweb to spy on its users in case they are terrorists or something.
  • The legal perspective came from Kevin Fraser, Head of Data Protection, Ministry of Justice. Kevin explained the eight key principles of data protection.
  • The technical perspective came from Forum friend Kim Cameron, Chief Architect, Identity & Access, Microsoft. Kim set out some of the drivers for cloud computing and some of the challenges that it faces. He mentioned in passing the problems of synchronising data over the interweb, which is exactly the problem that I have noticed with Microsoft Exchange and Outlook (they seem to send megabytes of data back and forth). He asked, essentially, whether the costs of identification and authentication will erode the cost advantages of the cloud (I think not, because I expect standard platforms to arise) and pointed out, entirely accurately, that none of this has really been thought through. He was advocating a claims-based model and reminded people that this is about M2M as well.

I liked having these different perspectives brought together at the beginning of the event as it made for a good foundation for observations and questions in the Digital Identity Forum stream, where John Bullard from Identrust chaired the speaking session and I chaired the panel session: though I say so myself, it was an excellent afternoon — many thanks to John Skipper, Vincent Jansen, Giles Sergant, Frank McCarthy, William Heath, Pete Bradwell, Robin Wilton and Henry Potts — and I came away with a number of new ideas to take back to our customers who are interested in developing identity-based businesses for the mass market. I was specifically curious as to whether the panel and the delegates had any feelings about the potential for banks to be identity providers, but the conversation was much more interesting and wide-ranging. I’ll put together a discussion of a few key points for the EEMA web site when I have some time.

On the money

[Dave Birch] As I blogged before, Consult Hyperion has joined forces with Identrust to sponsor the Digital Identity Forum track on “Identity is the new money” at this year’s European e-Identity Management conference in London on 9th-10th June 2010. Having been through the usual juggling as people drop in and out, get called away to meetings and mess up their calendars, the final line-up is now as fixed as it can possibly be:

The Digital Identity Forum: Identity is the New Money
Sponsored by Consult Hyperion and Identrust

Session 1: Chaired by John Bullard, Identrust

13:15 John Skipper, PA Consulting
13:45 Vincent Jansen, Innopay
14:15 Sonia Rossetti, RBS
14:45 Giles Sergant, Touch2ID

15:15 Tea

Session 2: Chaired by David Birch, Consult Hyperion

15:45 Expert Panel on the Identity Business

Joe Norburn, Identrust
Robin Wilton, FutureIdentity
Jan Dart, Bell ID
Todd Facemire, Barclays

16:45 Expert Panel on Identity and the Consumer

Peter Bradwell, DEMOS
Henry Potts, UCL
Marc Dautlich, Olswang
William Heath, MyDex

17:45 Close.

Look forward to seeing you there. By the way, the promotional code EID10DIF will give your delegates 20% off one- or two-day passes.

Identity is the new money

[Dave Birch] There’s a lot going on in the world of identity, as anyone following this week’s Internet Identity Workshop will attest. A decade after the web went mass market, we still have no mass market identity infrastructure in place, despite all of the efforts made by a wide variety of suppliers, standards bodies, open source groups and governments. It’s not because there aren’t technologies that can help — there are plenty — but because the technology is only part of the problem. The key technologies, in fact, are pretty well understood and in “closed” systems such as the DoD they are already deployed on a large scale (and here there has already been some progress on interconnection).

For example, Northrop Grumman is preparing to issue its new OneBadge identification cards to thousands of employees. The OneBadge card design and policies meet federal and DOD standards, said Keith Ward, director of enterprise security and identity management at Northrop Grumman. The company expects to be one of the first federal contractors to use a centralized public-key infrastructure as part of its identity management program, Ward said. The company participates in CertiPath, an entity created by several defense contracting firms that is part of the federal government’s trust network through a bridge relationship with the Federal Bridge Certification Authority.

[From Contractors prep interoperable identity management systems]

Look at all of the technologies that are in place here: PKI, smart cards, certification, federation and so on. Nevertheless technology is an important part of the equation, and we need to pay attention to the emerging technologies, because it will take some real effort by a coordinated industry grouping in order to get worthwhile (ie, involving tamper-resistant hardware) authentication deployed and this will need to be linked to a framework (such as the new OpenID Connect) that can easily be adopted by web sites, mobile services and across other channels.

One such grouping is obviously banks and payment schemes. And here, I think, there is a growing recognition that identity and authentication need new thinking.

The Visa card with one-time code offers banks an innovative solution to authenticate consumers through an alpha-numeric display and a 12-button keypad built into a conventional credit, debit or prepaid card. It is a neat solution for consumers to use and also contains a battery designed to last three years. The product has been developed in conjunction with EMUE technologies.

[From Leading banks join pilots of the innovative Visa card with one-time code]

Over on the Digital Money blog, we’re always very interested in developments in identification and authentication. Why are these so important in the payments world? I think that the dynamic is this: if there is an infrastructure in place to manage identity, and that infrastructure includes clear division of responsibilities and clear assignment of legal liabilities, then it takes a big chunk of the costs out of building and running a new payment system. A general trend in the next phase of electronic payment evolution will be the unbundling of the payment, the identification and other services (such as fraud management).

There are different opinions about how the unbundled identification part might be implemented. I’ve written before that I think that a mobile, SIM-based approach might be the best way forward. The SIM provides the tamper-resistant hardware that we need to store the keys, the mobile phone provides the connectivity and interfaces, and the mobile operator provides the business model. There has to be a business to make identity work.

So what is the business model? For the operator, it’s incremental messaging revenue; in the first deployment, with Turkcell, the identifications were charged at the same rate as text messaging. According to Turkcell, this resulted in an average of 21 extra messages a month for each user who signed up for Mobile Signature; as a typical user sent 95 messages a month, that amounts to a 20% boost to messaging ARPU.

[From Case Study: Mobile Signature solution approaches key growth milestone – Convergence Conversation]

There are plenty of other possibilities, and if anyone tells you they know how this will work out, they’re wrong. But if they tell you that identity and authentication technologies will shape future payment strategies, they’re right. As I heard someone remark in a meeting a few months ago, if I were a bank, I’d want to be part of the identity value chain rather than a commoditised and low-margin payments value chain.

Dying for mail

[Dave Birch] I found the South-by-Southwest (SXSW) interactive sessions that I went to, without exception, first class. It may be because of the spectrum of people that they attract, or it may just be something in the Austin air, but I got caught up in a number of exceptionally stimulating discussions, all of which gave me new things to think about. Here’s an example: I signed up for a session on Digital Wills run by Corvida Raven from she-geeks. She ran an outstanding session, and I can’t resist blogging around it despite the morbid tone of some of the discussions that resulted from it! First of all, let me say that this is an aspect of the online world that I have been interested in for some time. I wrote a piece about it for The Guardian way back in 2004, reflecting on the fact that I had been making a will and had gone and got a booklet about it (I think from the bank, but I can’t remember) and I was remarking that it didn’t seem to cover my data.

It wasn’t mentioned in the booklet of sample will elements I was using. That covered topics such as houses and kids, but it should have had additional specimen clauses along these lines: “I leave the 100GB external Firewire drive containing all of my emails and the back-ups of all of my personal documents, my iPhoto library and my iTunes to my wife. This volume was encrypted by Mac OS X using AES-128 and the password is the name of the band we saw together on our first date followed by the age of our first female cat when she died.”

This may seem silly, but could become a serious problem in the future. My wife will need my username and password for Barclays, BT, British Airways and our family blog – and there was nothing about that in the booklet, either.

[From Second sight, Dave Birch | Technology | The Guardian]

This isn’t a sophisticated enough solution, of course. What we really need, as a society, is proper security and privacy technology and we are an awfully long way from seeing this introduced at all, let alone introduced into probate law or custom and practice. Nothing much has changed since my article, as Cory Doctorow reinforced last year.

What I found surprising all through this process was the lack of any kind of standard process for managing key escrow as part of estate planning.

[From Tales from the encrypt: the secrets of data protection | Technology | guardian.co.uk]

There are clearly some business opportunities here, and not only for lawyers! Some organisations have already decided to take the digital afterlife seriously.

Facebook may not have been the first to create a specialized policy for deceased users, but it was one of the highest profile because of the way it handled the issue. Instead of merely agreeing to let a family member take control of the account, the company instead decided to take things a step further and let people turn someone’s account into a memorial.

[From Death and social media: what happens to your life online?]

This is nice, but it seems to be still fairly rare. Take e-mail as a fairly standard requirement. If you die, Yahoo will delete your e-mail. But I may not want my e-mail to be deleted. Can I ask Yahoo not to delete my e-mail? No. But hold on, how do they know I am dead? If I just give my Yahoo password to my wife, then presumably she can carry on using it or archive the messages or even delete them. But what if I leave her the password and tell her not to delete them but just to save them for posterity and not read them? This is all getting a bit complicated.

Practical identity

[Dave Birch] It’s all very well people like me going on about keys, certificates and zero-knowledge proofs, but what are the problems that an identity infrastructure has to solve down at the coal face, so to speak? Here’s an example from a newspaper I happened to be reading (The Daily Telegraph “Money” section, 13th March 2010). I won’t repeat the entire story, which concerns an elderly, partially-disabled woman who had UKP500 stolen from her bank account at Santander. The bank discovered the fraud, to their credit, and asked the woman to come to the branch so that they could sort things out. However, they demanded that she produce either a valid passport, a valid driving licence with a picture on it or a birth certificate. She (along with countless other people) had none of these. Despite the fact that she had had an account with them for many, many years, the process derailed. The charity Age Concern, quoted in the article, noted the expense of obtaining new passports for people who have no intention of travelling anywhere and also noted that elderly people are sometimes asked to produce utility bills (to get a mobile phone contract, say) that they do not have because they live in care homes or with relatives, and that there is a further serious problem where they ask family members to deal with financial services, government and other organisations on their behalf. If you can’t prove who you are to the bank where you have had an account for decades, how on earth is your daughter supposed to deal with the bank on your behalf?

One practical suggestion might be for Age Concern to operate a service to provide fake passports to its members. It could do this at low cost, and since fake British passports do not have to be particularly high quality to suffice (the bank just photocopies them anyway), this could provide a simple and cost-effective means to help their members.

Dubai airport is not just a two bit arrival and departure lounge for a small Arab country. It is a veritable cross roads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.

[From Snowblog – What the Dubai murder says about airport security]

I doubt the elderly lady’s local bank branch has “passport scanning machines” of any description, so my suggestion is entirely practical. On the other hand, if we decide to opt for legal solutions, what should we do? If we are going to have a shot at improving the identity infrastructure to the benefit of society, then it has to work in these cases, which are hardly rare or extreme. This simple, practical case should serve as a benchmark: how can an older person use whatever system is proposed in order to ring up a bank and get something done with their own money?

In this light, how does the banking industry manage identity in the future… Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?

[From Predicting the Future of Identity | Future Banking Blog]

Actually, fifteen years ago I did predict, more than once, that we wouldn’t be using passwords by now. I thought then, and I still think now, that passwords aren’t really security of any kind. Never mind elderly people trying to remember passwords on the phone, I can’t remember passwords on the phone. I was speaking to one of my card providers recently, having called to query a declined transaction, and was genuinely shocked to be asked for my password. I had no memory of having set a password on this account at any time in the past, so had to go through the whole set-up all over again. (Which was pretty annoying, but not as annoying as being asked for my card number yet again, ten seconds after I had punched all sixteen digits into the keypad!!).

As I sat down to write the rest of this post, the combination of prosaic, archaic and potentially catastrophic palaver that is the process of opening an account in modern Britain was once again raising blood pressure in our household. Having got annoyed with the poor customer service from one of our credit card issuers, I cancelled the card (a card, incidentally, that I spend around £3,000 per month on, since I travel a lot for business) and appealed to the twitterverse for suggestions as to alternatives. A testament to my middle class status, the most popular suggestion was the John Lewis Partnership Card that delivers shopping vouchers for Waitrose and John Lewis, so I went off to their web site and immediately applied. Hurrah! It said something like “congratulations, you’re accepted”. My happiness was short lived, as it soon became apparent that they weren’t going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in homage to the founding of the John Lewis Partnership in 1929) post them her council tax bill and last month’s bank statement. International terrorists would find these completely impossible to forge <sarcasm=”on”> as they contain advanced anti-counterfeiting watermarks, holograms and embossing </sarcasm=”off”>. Of course, this being 2010, you might have thought that my wife would merely have to log in to John Lewis using her Barclays’ dongle and Barclays would federate her identity (which they must have already established to the satisfaction of financial regulators), but I’m afraid even these rudimentary steps toward an identity infrastructure have yet to be taken.
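To make the federation idea in the previous paragraph concrete, here is an added illustration (my own sketch, not code from Barclays, John Lewis or any real federation scheme) of the minimum a relying party would need to check before accepting a bank’s “we have already verified this customer” assertion instead of a posted council tax bill. The issuer and relying-party names, the shared secret and the field layout are all constructed for the example; a real deployment would use the bank’s public-key signature rather than a shared HMAC key, but the checks on the receiving side (signature, issuer, audience, validity window, replay) are the same.

```python
import hashlib
import hmac
import json
import secrets

# Constructed for this example only. A production federation would sign with the
# identity provider's private key and the relying party would verify with its
# public key; HMAC with a shared secret keeps the demo dependency-free.
IDP_SECRET = b"constructed-demo-secret-not-for-real-use"
IDP_NAME = "example-bank-idp"    # stands in for the account-holding bank
RP_NAME = "example-retailer"     # stands in for the card issuer relying on it


def _canonical(payload: dict) -> bytes:
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(subject: str, audience: str, kyc_verified: bool,
                    now: float, ttl_seconds: int = 300) -> dict:
    """Identity-provider side: assert what the bank already knows about the customer.

    The assertion is bound to one audience and a short validity window, and
    carries a fresh nonce so the relying party can reject replays.
    """
    payload = {
        "iss": IDP_NAME,
        "sub": subject,
        "aud": audience,
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
        "nonce": secrets.token_hex(8),
        "kyc_verified": kyc_verified,
    }
    mac = hmac.new(IDP_SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


class RelyingParty:
    """Relying-party side: the checks that replace asking for paper documents."""

    def __init__(self, name: str, now_fn):
        self.name = name
        self.now_fn = now_fn          # injected clock so the checks are testable
        self.seen_nonces = set()      # replay cache; bounded by assertion TTL in practice

    def accept(self, assertion: dict) -> tuple[bool, str]:
        payload = assertion.get("payload", {})
        # 1. Integrity/authenticity first: nothing in the payload is trusted until
        #    the MAC matches, and compare_digest avoids timing leaks.
        expected = hmac.new(IDP_SECRET, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("mac", "")):
            return False, "bad signature"
        # 2. Was it issued by an identity provider we actually trust?
        if payload.get("iss") != IDP_NAME:
            return False, "unknown issuer"
        # 3. Was it issued for us, not for some other relying party?
        if payload.get("aud") != self.name:
            return False, "assertion not addressed to us"
        # 4. Is it inside its validity window?
        now = self.now_fn()
        if not (payload["iat"] <= now < payload["exp"]):
            return False, "expired"
        # 5. Have we seen this exact assertion before?
        if payload["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(payload["nonce"])
        # 6. Only now look at the claim we care about.
        if not payload.get("kyc_verified"):
            return False, "issuer has not verified identity"
        return True, "accepted"


if __name__ == "__main__":
    import time
    rp = RelyingParty(RP_NAME, time.time)
    assertion = issue_assertion("customer-123", RP_NAME, True, time.time())
    print(rp.accept(assertion))   # first presentation is accepted
    print(rp.accept(assertion))   # second presentation is rejected as a replay
```

The ordering matters: the relying party verifies the signature before reading any field, checks audience so an assertion minted for one retailer cannot be presented to another, and consumes the nonce so a captured assertion cannot be reused.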

In summary: everyone’s time and money continues to be wasted and we are no closer to having an identity infrastructure for the 21st century than we were at the dawn of the web.
