Identity, authentication and authorisation are amongst the hottest of hot topics in our world right now. Even if we put Apple and its new face recognition technology to one side, there’s no shortage of excitement at the intersection of biometrics and electronic transactions. Remember this from earlier in the year?
A UK supermarket has become the first in the world to let shoppers pay for groceries using just the veins in their fingertips.
As I wrote at the time, this came only a few weeks after people forwarded me a link to Time Out, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way. The system, called Fingopay, uses a scanner at POS to recognise customers in pubs and bars by the pattern of veins in their finger and then charges a linked payment account. I did remark on the overuse of “new”, as the first time that Consult Hyperion blogged about this technology was more than a decade ago, talking about mass market uses of biometrics and looking at the particular case study of Japanese banking, and it wasn’t new then! The technology has reappeared as a “new” solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…
The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.
The truth is that the idea of using fingers instead of cards goes back a long way (I can remember Piggly Wiggly exploring it in 2004) and reappears with regularity. So what’s different this time? Well, for one thing, we now have open banking. With strong customer authentication (SCA), risk-based authentication at POS and standard APIs for third-party access to accounts, retailers and others will soon be able to process payments themselves by obtaining payment institution (PI) licences and consumer consent for access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around.
It’s the combination of technology (convenient biometric authentication), business (non-bank third party services) and regulation (open access) that means that the payments world is going to see more change in this space in the next year than in the previous ten. Almost every payment conference in that decade has highlighted the “identity problem” yet no-one was doing anything about it. Now we have mass market solutions just around the corner.
Anyway, all of this is a roundabout way of saying how excited I am to be chairing the Money2020 workshop “Identity is Fundamental” in Las Vegas next week. We’re going to be talking about the latest trends in identification technology, authentication in the mass market and much more. And we have a detailed case study from Canada, as we have Toronto Dominion and SecureKey talking about the Canadian banks’ ambitious project to fix the identity problem with, amongst other things, the blockchain. You’d be mad to miss it, so I look forward to seeing you in the Titian Room on Level 2 of the Venetian next Wednesday at 8.30am. Oh, and if you want to say hi to me or any of the Consult Hyperion team in Las Vegas next week, just email, tweet or message me on LinkedIn.
Estonia. Land of saunas, shepherds and song festivals. I keep hearing about Estonia all of a sudden and not for any of these reasons but because of the blockchain. At meetings and conferences, I keep hearing people talking about the Estonian national identity scheme that uses a blockchain. Only this week, for example, in the Harvard Business Review, I read that…
“since 2007 Estonia has been operating a universal national digital identity scheme using blockchain.”
I think this is a misinterpretation of the technical infrastructure of our neighbour to the north. The Estonian national digital identity scheme launched in 2002. Way back in 2007, my colleague Margaret Ford interviewed Mart Parve from the Estonian “Look@World” Foundation in Consult Hyperion’s long-standing “Tomorrow’s Transactions” podcast series (available here). Mart was responsible for using the smart ID service (both online and offline) to help Estonia develop its e-society. If you listen carefully to them talking, you will notice that they never mention the blockchain, which is unsurprising since Satoshi Nakamoto’s paper on the subject was not published until October 2008. This is only the most recent example of what I see to be a virulent strain of blockchainitis though.
Another Estonian outbreak of the same disease occurred just before Christmas when I was invited along to a blockchain breakfast (seriously) at the Mother of Parliaments.
After a while, the discussion moved on to the Estonian electronic identity system. I expressed some scepticism as to whether the Estonian electronic identity system was on a blockchain. The conversation continued. Then to my shame I lost it and began babbling “it’s not a blockchain” until the chairman, in an appropriate and gentlemanly manner, told me to shut up.
I asked him where this “Estonian blockchain ID” myth came from, since I find it absolutely baffling that this urban legend has obtained such traction. He said that it might be something to do with people misunderstanding the use of hashes to protect the integrity of data in the Estonian system. Aha! Then I remembered something… More than a decade ago I edited the book “Digital Identity Management” and Taarvi Martens (one of the architects of the Estonian scheme) was kind enough to submit a case study for it. Here is an extract from that very case study:
Long-time validity of these [digitally-signed] documents is secured by logging of issued validity confirmations by the Validation Authority. This log is cryptographically secured by one-way hash-function and newspaper-publication to prevent back-dating and carefully backed up to preserve digital history of mankind.
Mystery solved! It looks as if the mention of the record of document hashes has triggered an inappropriate correlation amongst less technical observers and as Siim observed, it may indeed be the origin of the fake news about Estonia’s non-existent digital identity blockchain.
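To show what the case study is actually describing (a hash-linked log whose head is periodically committed to a public medium) and why that is an integrity mechanism rather than a blockchain, here is an added illustration. It is not the Estonian Validation Authority’s code; the entry fields, the in-memory “newspaper” and the sample confirmations are all assumed.

```python
import hashlib
import json
from dataclasses import dataclass

# Added illustration of a hash-linked audit log with periodic publication.
# NOT the Estonian Validation Authority's code: record layout, the stand-in
# "newspaper" dictionary and the sample document IDs are all constructed.


def _digest(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    seq: int
    doc_id: str
    confirmed_at: str      # ISO-8601 time of the validity confirmation
    prev_hash: str         # hash of the previous entry: the chain link
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = json.dumps([self.seq, self.doc_id, self.confirmed_at, self.prev_hash])
        return _digest(body)


class ValidationLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[Entry] = []
        self.published: dict[int, str] = {}   # seq -> head hash "printed" in public

    def append(self, doc_id: str, confirmed_at: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        e = Entry(len(self.entries), doc_id, confirmed_at, prev)
        e.entry_hash = e.compute_hash()
        self.entries.append(e)
        return e

    def publish(self) -> tuple[int, str]:
        """Commit the current head hash to a public medium (the newspaper stand-in)."""
        head = self.entries[-1]
        self.published[head.seq] = head.entry_hash
        return head.seq, head.entry_hash


def verify(log: ValidationLog) -> list[str]:
    """Return a list of problems; an empty list means the log matches its publications."""
    problems = []
    prev = ValidationLog.GENESIS
    for i, e in enumerate(log.entries):
        if e.seq != i:
            problems.append(f"entry {i}: sequence number {e.seq} out of order")
        if e.prev_hash != prev:
            problems.append(f"entry {i}: chain link does not match previous entry")
        if e.entry_hash != e.compute_hash():
            problems.append(f"entry {i}: stored hash does not match contents")
        prev = e.entry_hash
    for seq, h in log.published.items():
        if seq >= len(log.entries) or log.entries[seq].entry_hash != h:
            problems.append(f"published anchor for entry {seq} no longer matches log")
    return problems


def backdating_detected() -> bool:
    """Build a log, publish its head, then try to slip in an earlier-dated confirmation."""
    log = ValidationLog()
    log.append("doc-A", "2007-03-01T09:00:00Z")
    log.append("doc-B", "2007-03-01T10:30:00Z")
    log.publish()                      # head hash is now public and cannot be changed quietly
    assert verify(log) == []
    # Attacker inserts a confirmation "from" 09:30 between A and B and rebuilds
    # every later link so that the chain is internally consistent again.
    forged = Entry(1, "doc-X", "2007-03-01T09:30:00Z", log.entries[0].entry_hash)
    forged.entry_hash = forged.compute_hash()
    log.entries.insert(1, forged)
    for i in range(2, len(log.entries)):
        log.entries[i].seq = i
        log.entries[i].prev_hash = log.entries[i - 1].entry_hash
        log.entries[i].entry_hash = log.entries[i].compute_hash()
    # Internal links now check out; only the published anchor reveals the rewrite.
    return any("published anchor" in p for p in verify(log))
```

The point is that nothing here needs a consensus protocol or a distributed ledger: one append-only log plus an external, widely witnessed anchor is enough to make back-dating detectable.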
So there we have it as far as I can see. If there are any other crypto-sleuths out there with alternative theories, I’d love to hear from them.
I love the BBC’s Money Box programme with Paul Lewis and I listen to it every week. A recent episode included what, I’m afraid, has become an all-too-familiar story.
Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?
The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud she asked the bank for the money back and they said no.
From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call, email, text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that is normally used only for direct debits and standing orders would hardly need Watson to flag up a warning. From the bank’s perspective, I can see why they feel they are not responsible since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).
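As an added illustration of how little sophistication that warning would need, here is a behavioural rule that compares outbound transfers against the account’s own history. It is example code, not any bank’s fraud engine; the transaction format, thresholds and the sample history and attack day are all constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Added example: a baseline-and-velocity rule over an account's own history.
# Not any bank's real fraud engine; record format, thresholds and data are constructed.

# Constructed history: (timestamp, type, amount_gbp, counterparty).
# DD = direct debit, SO = standing order, FP = outbound Faster Payment.
HISTORY = [
    ("2016-06-01T08:00:00", "DD", 120.00, "Utility Co"),
    ("2016-07-01T08:00:00", "DD", 120.00, "Utility Co"),
    ("2016-07-15T08:00:00", "SO", 800.00, "Landlord Ltd"),
    ("2016-08-01T08:00:00", "DD", 120.00, "Utility Co"),
    ("2016-08-15T08:00:00", "SO", 800.00, "Landlord Ltd"),
]

# Constructed attack day: 33 Faster Payments to 33 never-seen payees inside 24 hours.
ATTACK = [
    (f"2016-09-03T{9 + i // 4:02d}:{(i % 4) * 15:02d}:00", "FP", 5400.00, f"New Payee {i}")
    for i in range(33)
]


def parse(rows):
    """Turn the string timestamps into datetimes so the rows can be ordered and windowed."""
    return [(datetime.fromisoformat(ts), kind, amt, cp) for ts, kind, amt, cp in rows]


def flag_transfers(rows, window=timedelta(hours=24), max_fp_per_window=5):
    """Return alerts for outbound transfers that break the account's own baseline.

    Each alert is (timestamp, amount, payee, [reasons]). Three signals are used:
    the account has never sent a Faster Payment before, the payee is unknown,
    and the number of transfers in the rolling window exceeds the threshold.
    """
    known_types, known_payees = set(), set()
    recent = deque()                 # timestamps of FP transfers in the rolling window
    alerts = []
    for ts, kind, amt, cp in sorted(parse(rows)):
        if kind == "FP":
            while recent and ts - recent[0] > window:
                recent.popleft()
            recent.append(ts)
            reasons = []
            if "FP" not in known_types:
                reasons.append("first ever Faster Payment from this account")
            if cp not in known_payees:
                reasons.append("payee never seen before")
            if len(recent) > max_fp_per_window:
                hours = int(window.total_seconds() // 3600)
                reasons.append(f"{len(recent)} transfers within {hours}h")
            if reasons:
                alerts.append((ts.isoformat(), amt, cp, reasons))
        known_types.add(kind)
        known_payees.add(cp)
    return alerts


if __name__ == "__main__":
    for ts, amt, cp, reasons in flag_transfers(HISTORY + ATTACK):
        print(ts, f"£{amt:,.2f}", cp, "->", "; ".join(reasons))
```

The very first transfer trips two signals before any velocity threshold is reached, which is the kind of moment at which a step-up check or a phone call could have interrupted the scam.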
Whether the bank is at fault or not for this specific scam, the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem and I can understand why consumer groups are upset about what they see as a lack of action from the banks.
The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.
It isn’t only phone calls. There’s a huge amount of e-mail fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitor’s account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow.
A particular problem, of course, is that you identify a payee by giving a sort code number that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitor’s real payment details from some fake payee details when reading an email. If you are expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail asking you to switch from sort code 12-34-56 to 34-56-78 it’s less obviously a fraud.
Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before I transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase.
Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams’.
Indeed they have. But if I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If a scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC), isn’t it?
I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year,
if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.
In other news, MasterCard are apparently launching a bid for VocaLink.
This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and the bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I am sorry to say, no longer fit for purpose.
Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.
“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know, I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homeowner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out, would it? I understand that. Surely if I am able to log in to the solicitor’s email server and then send emails masquerading as them, it’s the solicitor that is being negligent, not the bank!
Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?
My old chum Andy Ramsden wrote a nice piece on LinkedIn the other day, pointing out the difference between transactions that need identification (almost none of them) and transactions that need credentials (most of them). He used a current British case in point, which is how to come up with a scheme for preventing “health tourism” on the National Health Service (NHS) which is largely free at the point of delivery.
The receptionist doesn’t even need to know my name, all they need to verify is whether or not I am eligible for NHS treatment.
Indeed. Which is why a National Entitlement Scheme (NES) makes sense. Andy’s point is not a special case – quite the opposite, it is the general case. In almost all day-to-day transactions, who you are is not important. This is why, in our “Three Domain Identity” (3DID) model, transactions take place in the authorisation domain, not the identification domain.
Now, in the NHS case I imagine that for most people giving out your real name is probably not a barrier to seeking treatment (although I can easily imagine cases where it is – what does James Bond’s NHS card say, for example?) but I can think of plenty of cases where giving out your real name is not only a barrier to transactions taking place, it’s downright crazy. Adult services are an obvious case and they are a case that I like to use because they are a useful example for focusing security, privacy and commercial issues that apply to a wide range of services. What do I mean by adult services? Well, to fork one of my favourite jokes from one of my all time favourite TV shows, Greg the Bunny, I don’t mean voting. I mean services that grown-up people might want to use that they do not necessarily want other people to know about: gambling, fantasy football leagues, dungeons and dragons discussion groups and so on. If we can fix the problem for adult services we can fix it for most other things.
Ofcom’s guidance on age checks for online video content suggests a range of options – from confirmation of credit card ownership to cross-checking a user’s details with information on the electoral register.
Both of these ideas are bad and are certain to lead to disaster, because both of them require the adult service provider to know who you are. This means that when they get hacked, as they inevitably will be, the personal details of the customers will be available to all. And, as actually happened in the case of the Ashley Madison hack, people will die. It’s not funny. Whether it’s adult web sites, or counselling services, or gay dating, or drug addiction helplines or whatever, where I go online is my business. We need a better solution than some dumb mandate to accelerate identity theft and foist its consequences on everybody.
Now, we already know what to do (that is, to have a functional identity privacy-enhancing infrastructure) but as yet there’s no sign of it coming into being. Therefore in the shorter term we have to come up with some workable alternative. It seems to me that a rather obvious way forward would be for banks, who have invested zillions in tokenisation services, to issue John Doe tokens to customers over 18. So, I can load my Barclays debit card into my Apple / Samsung / Android (* delete where applicable) wallet for free, but for £5 per annum I get an additional Privacy-Enhancing Token (a PET name). This stealth token would have the name of “John Barleycorn” and the address (for AVS purposes) of “Nowhere”.
Now, I can go online to the UK Adult Gateway Service or whatever it ends up being called and use the PET name to obtain an adult passport. Then I can use this adult passport to go and log in to Lovelies in Leather Trousers (which I only read for the gardening tips). Now:
Lovelies in Leather Trousers know that I am adult passport “John Barleycorn” and that they can charge to that passport (when they do, Apple Pay pops up on my phone and asks for authorisation).
When Lovelies in Leather Trousers gets hacked, the hackers find the adult passport John Barleycorn but they can’t use it to find out who I am. Even if they could log in to the Adult Gateway Service, it only knows that I am John Barleycorn and that the token comes from Barclays. Since there are tens of thousands of Barclays PETs with the name John Barleycorn, who cares.
If the hackers get into Barclays and discover that the particular PET name belongs to me, then Barclays have a fair amount more to worry about than the £100,000 compensation they will be paying me for breaching my privacy.
Meanwhile, if the adult passport John Barleycorn is used in some criminal activity, the police can simply go to Barclays with a warrant and Barclays will tell them it is me.
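To make the data-minimisation argument concrete, here is an added model of the PET and adult-passport flow just described: who stores what, what a breach of each party yields, and how the issuing bank alone can resolve the pseudonym. It is illustrative code, not any bank’s or gateway’s product; the party names, record layouts, the age check and the warrant flag are assumptions.

```python
import secrets
from dataclasses import dataclass, field

# Added model of the Privacy-Enhancing Token (PET) / adult passport flow.
# Not any bank's or gateway's real system: record layouts, the age check and
# the warrant flag are assumptions, and the customer data is constructed.

PET_NAME = "John Barleycorn"
PET_ADDRESS = "Nowhere"          # for AVS purposes, as in the post


@dataclass
class Bank:
    name: str
    customers: dict = field(default_factory=dict)   # customer id -> (real name, age)
    pets: dict = field(default_factory=dict)        # token ref -> customer id (the ONLY link)

    def issue_pet(self, customer_id: str) -> dict:
        """Issue a PET to an over-18 customer: same display name for everyone, random reference."""
        real_name, age = self.customers[customer_id]
        if age < 18:
            raise PermissionError("PET only issued to customers over 18")
        ref = secrets.token_hex(16)                 # unguessable, unlinkable reference
        self.pets[ref] = customer_id
        return {"issuer": self.name, "token_ref": ref, "name": PET_NAME, "address": PET_ADDRESS}

    def authorise(self, token_ref: str, amount: float) -> bool:
        """Stand-in for the wallet prompt on the phone: approve if the token is live."""
        return token_ref in self.pets and amount > 0

    def resolve(self, token_ref: str, warrant: bool) -> str:
        """Only law enforcement with a warrant gets the real customer behind a PET."""
        if not warrant:
            raise PermissionError("warrant required")
        return self.customers[self.pets[token_ref]][0]


@dataclass
class AdultGateway:
    passports: dict = field(default_factory=dict)   # passport id -> PET record (no real identity)

    def enrol(self, pet: dict) -> str:
        passport_id = secrets.token_hex(8)
        self.passports[passport_id] = {
            "issuer": pet["issuer"], "token_ref": pet["token_ref"], "name": pet["name"]}
        return passport_id

    def charge(self, passport_id: str, bank: Bank, amount: float) -> bool:
        """The merchant charges the passport; the gateway relays to the issuing bank."""
        rec = self.passports[passport_id]
        return bank.authorise(rec["token_ref"], amount)


def breach_exposes_identity(store: dict, real_name: str) -> bool:
    """Would a dump of this party's records contain the customer's real name anywhere?"""
    return real_name in repr(store)


def run_scenario() -> dict:
    bank = Bank("Barclays")
    bank.customers["cust-001"] = ("A. N. Customer", 45)    # constructed customer
    bank.customers["cust-002"] = ("B. Other", 52)          # constructed customer
    pet = bank.issue_pet("cust-001")
    pet2 = bank.issue_pet("cust-002")
    gateway = AdultGateway()
    passport = gateway.enrol(pet)
    merchant_records = {"subscriber": passport}   # all the merchant ever stores
    return {
        "charge_ok": gateway.charge(passport, bank, 9.99),
        "same_pet_name": pet["name"] == pet2["name"],           # thousands of John Barleycorns
        "distinct_refs": pet["token_ref"] != pet2["token_ref"],
        "merchant_breach_exposes": breach_exposes_identity(merchant_records, "A. N. Customer"),
        "gateway_breach_exposes": breach_exposes_identity(gateway.passports, "A. N. Customer"),
        "bank_breach_exposes": breach_exposes_identity(bank.customers, "A. N. Customer"),
        "warrant_resolves_to": bank.resolve(pet["token_ref"], warrant=True),
    }
```

Run it and the only store whose breach exposes the customer is the bank’s own, which is exactly where the post says the liability should sit.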
Simple. Incidentally, there’s another aspect to all this which means that the networks and the banks might want to invest in this kind of infrastructure. Since adult payments are lucrative, and since an effective privacy-enhancing age check would increase the use of such services, and since a tokenised approach would also reduce fraud and chargebacks, there are real incentives for the stakeholders to get out there and put something in place.
The Digital Economy Bill already includes measures to bring in age checks and the power to withdraw payment services from sites which do not implement the controls.
I really don’t like the idea of using the payment system as a policeman, but it makes sense as an interim solution until such time as we actually have a working identity infrastructure with pseudonymous virtual identities that can be used for adult transactions, just as they will be used for all other transactions. Including getting hospital treatment if you are entitled to it.
I had a really enjoyable time chairing the “futures” panel in the closing plenary of Intergraf’s Security Printers 2016 in Seville. This is a conference for the people who (amongst other things) print banknotes so I had a fun time behind enemy lines learning about paper, ink, substrates, polymers, foils and special machines that print serial numbers.
One of the topics that came up on the panel was the role of central banks as currency issuers. I think this is a pretty interesting topic because it may be that the switch from physical to digital currency will change the way that the medium of exchange is managed. As Marilyne Tolle from the Bank of England noted on their “Bank Underground” blog recently, one might imagine a central bank-issued electronic money that she labels “CBCoin”:
If households and firms were given access to CBcoin accounts at the CB, banks’ dominant role as providers of payment services would be called into question.
Indeed it would. Note also that Marilyne is clearly describing a digital currency not a cryptocurrency, but that’s by the by. Right now, money reaches the public through commercial banks, a practical structure that stems from the banks’ role in providing payment services. In response to Marilyne’s hypothetical example, I might observe that not only is there no fundamental economic reason why banks should be the dominant providers of payment services, there is no fundamental economic reason why they provide them at all — see, for example, Radecki, L., Banks’ Payments-Driven Revenues in “Federal Reserve Bank of New York Economic Policy Review”, no.62, p.53-70 (Jul. 1999) — and there are many very good reasons for separating the crucial economic function of running a payment system to support a modern economy from other banking functions that may involve systemic risk. Marilyne goes on to note
The conflation of broad and base money, and the separation of credit and money, would allow the CB to control the money supply directly and independently of credit creation
As far as I can tell, this would be a good thing. But we must recognise the impact that it will have on commercial banks. According to the management consultancy McKinsey (2016), global payment revenues are around $1.7 trillion (and will be $2 trillion by 2020) and these account for around 40% of global bank revenues! So if payments go away, banks are going to have to think of something else to do instead.
I have a suggestion (you know what’s coming, don’t you) and I think it’s a practical one. The Security Printers panel was actually called “the future of banknotes and identity” which I think shows us the way forward… If you can move money from anyone to anyone else, instantly and for free with final settlement in central bank money, and this is provided as a utility service by the central bank, then the fraudsters who are plaguing the Faster Payments Service (FPS) in the UK will have a field day. Perhaps, then, the role for the central bank is to issue the digital currency and run the digital currency payment platform that will (in a fairly short time I would think) replace commercial bank (and all other) payment services. Not so much CBCoin as CBPesa, since it would manage balances not coins.
However, the central bank doesn’t want to do KYC on millions of people, run mass-market authentication services, perform AML checks, manage black lists and run interfaces with law enforcement and so on. Just like Bitcoin, the central bank accounts would be pseudonymous. The central bank would know that account no. 123456789 belongs to a retail consumer, but not which consumer. It would know that account no. 987654321 belongs to a retailer, but not which retailer. This way the central bank could generate a dashboard of economic activity for the Chancellor to look at when he wakes up, but not routinely monitor what you or I are up to.
It would be the commercial banks that provide the services linking the pseudonymous accounts to the “real” world (and get paid for them). Then your Sterling bank account will just be a pass-through API to a central bank digital currency account (what Marilyne calls the “CBCoin Account”) because my Barclays current account and your Lloyds current account are just skins on the Bank of England UK-PESA platform and the commercial banks can chuck away their legacy payment systems and focus on delivering services that add real value.
Commercial banks will then have an important function as the vaults that look after identity, not money. As I told the panel in Seville, money and identity look like very different topics, but in reality they are the same.
The latest CIFAS Fraudscape figures for the UK show identity theft up by half again in 2015. And there’s no end in sight. I’m genuinely not sure whether the fraudsters are getting smarter or the public is getting stupider. It does seem to me that some of the frauds being perpetrated might well be beyond the defensive capabilities of even the most advanced technology.
A taxpayer who bought and handed over £15,000 in Apple iTunes gift card vouchers is one of “hundreds” of HMRC customers to be defrauded in the past month, a scam bulletin says.
So much of the fraud going on depends, in one way or another, on the lack of an identity infrastructure and the useless proxies that support our daily interactions. That taxpayer had no reasonable way to determine whether they were talking to HMRC or not. There’s not going to be a green light on the phone that tells you the caller is who they say they are, although I can imagine some sort of digital passport that can check whether other digital passports are valid, and I’m sure someone could come up with a good mobile UX for it. The consequences are pretty significant.
The annual cost of fraud in the UK could be as high as £193bn a year, far higher than a government estimate of £50bn, according to a new report. The latest Annual Fraud Indicator, based on research from Portsmouth university, has estimated that private sector losses could be as high as £144bn a year — much larger than the public sector figure of £37.5bn. It also counted the cost of fraud against individuals.
Well, let’s not panic. After all, £193 billion doesn’t buy as much as it used to. Let’s call it £200 billion for a round figure. Against this, card fraud is a miserable half a billion, about a quarter of a percent. Hardly worth worrying about. And, of course, thanks to EMV and 3D Secure and all that, it’s going down. Oh wait…
Statistics by Financial Fraud Action (FFA) UK show fraud losses on UK payment cards totalled £567.5 million in 2015, representing an 18% increase from £479 million one year before.
OK, so it’s going up, but what should we be doing about it? Since there doesn’t seem to be much enthusiasm for a general identity infrastructure to actually fix the problem, we should probably continue to focus on better authentication against revocable tokens in tamper-resistant hardware for payments for the time being (although that really isn’t going to stop people from sending gift vouchers to the “inland revenue”) and then see if we can move that model into other areas. If I can have a token that says I can pay by Visa but does not give away my actual PAN, then why can’t I have a token that says I’m over 18 without giving away my age, or that I’m allowed to drive a car without giving away my address?
Speaking at the Dutch National Blockchain Conference back in June, I remarked in passing that I thought bank customers would be storing their money (their wealth) in all sorts of places in the future – from a small percentage in demand deposit accounts, through investment accounts of one form or another, P2P marketplaces and who knows what – but that they would be storing their identity back at the bank.
This was picked up on Twitter and a few people commented on it, so I thought I’d expand on what I meant here. First of all, it is neither a new idea nor my idea: other people have been saying this and they’ve been saying it for a while. I might have expressed it in a better soundbite, but it isn’t my concept.
Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities.
That’s from a couple of years ago. It is not some out-of-left-field edge thinking or me spouting aphorisms for a conference stream either. Round about this time, the European Banking Association (EBA) said something similar and you can’t get much more mainstream than them.
Banks are well positioned as is explained in a recent white paper of the European Banking Association (EBA).
So what might banks do with your identity once they’ve got it safely locked away in their vaults? Well, one idea, particularly popular with me, is that they might give you a safe, pseudonymous virtual identity to go out and about with.
Some suggest that digital identity verification by banks could ultimately end the need to type in a credit-card number on an ecommerce website
Some others (uncharitable persons, of which I am not one) also suggest that banks will pratt about and muck this all up and hand digital identity ownership over to Apple, Facebook, Google, Amazon and Microsoft on a plate. But if banks were to develop some common strategy around this topic (perhaps related to the financial services passport concept that’s been discussed here before) then where should they start?
Well, what about the “adult identity”? Why doesn’t my bank put a token in my Apple Pay that doesn’t disclose my name or any other personal information, a “stealth card” that I can use to buy adult services online using the new Safari in-browser Apple Pay experience? This would be a simple win-win: good for the merchants as it will remove CNP fraud and good for the customers as it will prevent the next Ashley Madison catastrophe. Keep my real identity safe in the vault, give me a blank card to go shopping with – a simple use case that will test the viability of the concept.
I have to give a presentation about putting identity on the blockchain, even though no-one seems entirely clear what “identity” means or, for that matter, what “blockchain” means. So I thought I’d try an experiment in thinking out loud this week, using your feedback to try and finish the week with some consistent model of a solution that will solve a known and understood problem. A tall order. But there’s lots of work being done in this area and I’ve been reading some very interesting papers and posts. I think it’s a worthwhile experiment in the week of the Cloud Identity Summit and I’m hoping that colleagues and friends in New Orleans will be coming up with some new ideas in this area too.
There has been a lot of discussion recently about the idea of using the blockchain to “do something” about identity, so I thought I’d put together a few blog posts with some of our thoughts on the topic, gathered from a few of the different projects that we are involved with. Lots of people seem to think that putting identity on the blockchain is a good thing to do. But, as many other people have pointed out, in order to come up with some kind of idea as to what exactly the blockchain is going to do, it is first necessary to come up with some idea about what the identity problem is and then come up with some more specific ideas about how exactly a blockchain (or, more generally, any other form of shared ledger) might solve it.
The idea for this blog post began when my colleagues were putting together some ideas to present at the Open Identity eXchange (OIX) meeting in London a few weeks ago. I thought it might be useful to contribute some of our thoughts around that presentation, in their incomplete form, to structure further discussion around this topic. First, the identity problem. Actually there are lots of different identity problems so I thought I’d choose a specific one I’ve been working with recently. As the chair of the techUK payments group (techUK is the trade association for the British technology industry), I’ve been taking part in the Financial Services Passport Working Group that started discussing the issue a couple of years ago. This is a good example of a very specific identity problem and a community that is looking for a solution.
Let me illustrate what the problem is with a personal example. I’ve been a customer of Barclays since 1977 and they know absolutely everything about me and my financial history. My salary has always been paid into the same Barclays current account. My mortgage is currently with Barclays and were I to have any savings they would probably be with Barclays to, since I’m extremely lazy. Now suppose I go to open account with the NatWest. The fact that I’ve had an account with Barclays the 40 odd years will count for absolutely nothing and they will treat me as if I’d just arrived as a refugee. I have to produce some form of identity documentation (which they might well be incapable of verifying: I have literally no idea how the counter staff at NatWest go about checking whether a Romanian passport is real or not) as well have some proof of address, which normally comes down to that well-known high security fundamentally British identification document, a gas bill.
Now suppose I go to get some pensions advice from a financial adviser or look into changing my mortgage to get a better deal or decide to open one of those ridiculous Individual Savings Accounts (ISAs) that the Chancellor of the Exchequer has created so that rich people can salt away tax-free money for their children and thus drive up house prices even further to no general economic benefit to the nation. In any of these cases I would be faced with the necessity to provide my financial identity all over again. So what can be done about this? It’s hardly a new problem.
“An adviser to a new charitable incorporated organisation that spent more than a year trying to open a bank account has blasted Barclays for its onerous demands and disproportionate due diligence.”
Well, suppose that when you open your first bank account the bank goes through all of its complex know your customer (KYC), anti-money-laundering (AML), counter-terrorist financing (CTF) and politically exposed person (PEP) checking and credit referencing and then decides to give you an account. Suppose at that point the bank gave you some kind of financial passport (put to one side what this actually is, what data it contains or where that data might be stored) that you could use to open accounts at the NatWest, change mortgages, open a savings account or obtain financial advice simply by proving that it is your financial passport. Then it becomes a simple problem of authentication and we have a variety of strong authentication mechanisms available to us (even without some proper National Entitlement Infrastructure, as I have long called for). The cost savings to the industry from not having to continually repeat identification procedures would be substantial and the convenience afforded to the consumer notable.
So why doesn’t this happen? Well, that’s a good question. We started to look at it a generation ago and the assumption was, at that time, that we would use public key infrastructure (PKI) to solve the problem. I know, I know, people have been going on about this sort of thing for years (here, for example). So, I open a bank account and the bank generates a key pair. The private key is kept in tamper-resistant hardware (at the bank, so that I can’t lose it) and the public key is used to form a variety of public key certificates (PKCs) or what I prefer to call “virtual identities”. Each of these identities contains a number of different attributes that are attested to by whoever signed the certificate.
Now I wander into the NatWest and present my Barclays virtual identity, perhaps by using my mobile phone or smart card, and all NatWest have to do is to validate that I am the rightful owner of the private key associated with the public key in the certificate. They can do this in a variety of ways, but let’s say for the sake of argument that they send a message to my phone that is encrypted using the public key in my Barclays virtual identity, and my Barclays app on the phone demands strong authentication, gets it and reports back. NatWest would also have to check that the public key certificate I’m presenting to them hasn’t been revoked, so this means they have to query the Barclays Certificate Revocation List (CRL) in some way, either as part of the challenge to the app or in a separate step.
Or at least it might have been, had anybody ever implemented any of this stuff. Identrust gave it a go in the corporate space, defining a complete set of standards and, more importantly, the business rules that go around them, but nothing ever happened in the customer space. I did think for a while that, because the cryptography used to support chip and PIN is the same as the cryptography needed to support this kind of PKI, it would be efficient to add something along the lines of the financial passport to the debit cards in widespread use. I have a vague memory of being involved in some discussions around this with one of the UK banks a decade or so ago and as I recall (and my memory may well be imperfect) the reason for not doing it was that debit card production was outsourced to one particular supplier and they had no interest in raising the cost of the cards issued by a couple of pence in order to save the bank a ton of money in the branches or to combat fraud. I shouldn’t think things have changed much by now. And persons of a suspicious nature may well want to believe that banks don’t want to make identification easy and portable because they see it as a way of locking in customers, but I am sure that they would not engage in this kind of behaviour.
So if we’re not going to implement the financial services passport that way, then how can we implement it? In the techUK working group that’s been looking at this we were really focusing on a couple of obvious architectures that all simplify down to the centralised architecture and the federated architecture. In the centralised architecture, the banks would all chip in to build a central database somewhere, perhaps run by BACS or some other industry body, and that would hold the details of the identity, the identity verification processes that had been completed and the relevant keys and certificates. So I go into NatWest to open accounts and I authenticate myself to the financial services passport database and Bob’s your uncle. This would of course require some coordination between banks and everybody else, and it would have to be pretty reliable, otherwise it would turn into a honeypot for criminals and fraudsters, but it’s a plausible hypothesis.
Another way of doing it would be a federated solution where each bank holds its own database of the financial passports that it has issued and other banks can query that database using the normal protocols of federation in order to gain access to the data under controlled circumstances. I used to think that this would be the best way of moving forward, decoupling the banks in this way, despite what it meant in terms of having to sort out liability agreements. I remember a survey for VocaLink a couple of years ago in which some two-thirds of respondents said that they saw value in the establishment of a centralised KYC utility, and I was sure they were wrong. There’s no need for a central KYC utility, I thought, when we could have a federated identity infrastructure linked to verified attributes (i.e., a reputation infrastructure).
There would be no need for NatWest to actually store my Barclays financial services passport; they would just need to store a pointer to it, along with the records showing that they had checked it. Then if I subsequently get arrested for fraud, or Barclays closes my account because I turn out to be associated with money-laundering, we need some mechanism for informing all the other people who are depending on that passport that it is no longer valid, but I’m sure it’s not beyond the wit of humanity to come up with some sort of semantic federation that could take care of this.
In recent times, however, a new possibility has wandered into the discussion. Yes, the blockchain. Well, a blockchain. Or to be more precise, some form of Shared Ledger Technology (SLT).
What if we could use shared ledger technology to build this record of financial services passports, but in such a way that no institution owned it, that it had no central system to go down, that it could resist intrusion or attempts at fraud from compromised members of the network, and that it could provide a platform for new products and services that we can’t really imagine at the moment? Personally, I think the shared ledger may well be a plausible solution to this problem and, having chaired a discussion on identity and personal security as well as a superb panel on identity at Consensus 2016 in New York, I’ve been thinking harder about what shared ledger technology could do for organisations in this field. If we take our layer-based model (the “consensus computer” and the applications that we are going to run on it) and begin to think what kinds of identity-related content might be useful, I think we can get somewhere.
Let’s start building the models that we need to think this stuff through clearly. I think we should start with our model of the Shared Ledger that we are going to use to store “identity”. I think Consult Hyperion’s “4×4” model works very well, so we’ll use that.
So in this emerging paradigm, our thought processes then drift on toward the content of this ledger. I saw some interesting demos at Consensus. Deloitte and others had started to build blockchains with defined content assets and these were interesting. But let’s say for the sake of argument that a ledger is a record of transactions. The ledger isn’t simply a write-only file containing copies of driving licences and passports and whatever else; it’s a record of transactions that link entities identified at the communications layer with a variety of identity attributes through transactions, developing a reputation associated with that identity. This, I think, is the kind of architecture that Cambridge Blockchain explained to me when I bumped into them last year and it seems a reasonable starting point, congruent with our ideas about the kinds of transactions that might be entered into a shared ledger.
Thus, a blockchain can act as a provenance protocol for data across disparate semi-trusting organizations.
We have to be careful with what we are putting in the Content layer, naturally. We don’t want to turn the shared ledger into a resource for despots and confidence tricksters. Hence it is reasonable to ask whether anyone should be able to look at my financial services passport or whether it should be encrypted in some way so that only “authorised” entities can decrypt it. My first thought is that we may want to go for something like this, which is why I prefer to call the Content Layer of our model translucent rather than transparent.
A distributed and irreversible system for trust management, which stores personal data, could offer a hotbed for doxing and identity theft – and even undermine an individual’s right to be forgotten.
Indeed it could, which is why it should not store personal data in the clear. So, to end this problem statement of our thought experiment, let’s recap: what we will be storing in the shared ledger is not identity itself but some kind of identity transaction and when you come and present your financial services passport to a bank, you will do it by proving that you have control of the private key that corresponds with the public key that is linked to the relevant identity transactions (e.g., Barclays KYCd Dave Birch).
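As an added illustration of the two presentation flows described above (the challenge-response and revocation check in the PKI sketch, and the ledger that records an identity transaction rather than personal data), here is an example in Go that is not from this post nor from any of the projects it mentions. It uses a signed-nonce challenge instead of the encrypted-message challenge the text describes, Ed25519 keys, and constructed names and values (“Barclays”, “KYC-complete”); the Ledger type stands in for whatever shared ledger or CRL would really be queried.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Attestation is the "identity transaction" the ledger records: an issuing bank signs
// that it has checked the holder of a public key; the ledger holds only a hash commitment.
type Attestation struct {
	Issuer     string
	Subject    ed25519.PublicKey
	Claim      string   // constructed example value: "KYC-complete"
	Commitment [32]byte // sha256 of the off-ledger attribute bundle (name, documents)
	Signature  []byte
}

// Ledger stands in for the shared ledger: issuer keys plus a revocation list (the CRL role).
type Ledger struct {
	Issuers map[string]ed25519.PublicKey
	Revoked map[string]bool // hex(holder public key) -> true once revoked
}

func (l *Ledger) Revoke(subject ed25519.PublicKey) { l.Revoked[hex.EncodeToString(subject)] = true }

// payload is the byte string the issuer signs; a fresh slice avoids aliasing Subject.
func (a Attestation) payload() []byte {
	p := []byte(a.Issuer + "|" + a.Claim + "|")
	p = append(p, a.Subject...)
	return append(p, a.Commitment[:]...)
}

// Issue runs at the issuing bank once its own KYC/AML checks have passed.
func Issue(issuer string, key ed25519.PrivateKey, subject ed25519.PublicKey, claim, privateAttrs string) Attestation {
	a := Attestation{Issuer: issuer, Subject: subject, Claim: claim, Commitment: sha256.Sum256([]byte(privateAttrs))}
	a.Signature = ed25519.Sign(key, a.payload())
	return a
}

// NewChallenge is the relying bank's fresh nonce, sent to the holder's app.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// HolderRespond runs in the holder's app after local strong authentication (assumed done).
func HolderRespond(holderKey ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderKey, nonce)
}

// Verify is the relying bank's check: known issuer, valid signature, not revoked, key possession.
func (l *Ledger) Verify(a Attestation, nonce, response []byte) error {
	issuerPub, known := l.Issuers[a.Issuer]
	switch {
	case len(a.Subject) != ed25519.PublicKeySize:
		return errors.New("malformed subject key") // ed25519.Verify would panic on it
	case !known:
		return errors.New("unknown issuer")
	case !ed25519.Verify(issuerPub, a.payload(), a.Signature):
		return errors.New("attestation signature invalid")
	case l.Revoked[hex.EncodeToString(a.Subject)]:
		return errors.New("attestation revoked")
	case !ed25519.Verify(a.Subject, nonce, response):
		return errors.New("proof of key possession failed")
	}
	return nil
}
```

A real deployment would also bind the nonce to the relying party and a timestamp, so that a response captured in one session cannot be replayed into another.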
I happened to be talking about access to payment infrastructure (something I blogged about yesterday) at a client event yesterday, and got involved in a discussion about how the fintechs might begin to work with banks in the new world of PSD2 and mandatory APIs. This has been a subject of great interest to me at the recent Money 2020 Europe (with top, top players like Shamir Karkal from BBVA and Alex Mifsud from Ixaris explaining why the move to APIs will mean a big shift in the delivery of banking services) and other recent events. Generally speaking, and this is a sweeping generalisation, I think there has been a shift in European bank thinking in recent times. They well understand that if they do nothing, then in the instant payments, API-centric, PSD2 world they stand to lose significant income. The outsourcing company Accenture, for example…
estimates that the new breed of payment initiation service providers will erode 33% of online debit card transaction volumes and 10% of online credit card transaction volumes resulting in a total market share of 16% of online retail payment volume by 2020.
So the Payment Initiation Service Providers (PISPs) stand to capitalise on the new arrangements (if the banks do nothing, of course). What kind of services might they provide? Well, an obvious example is integration with social media. If you look at the use of instant payment “overlay services” (as they call them down under) in the UK (PingIt and PayM) it is far less than the use of, for example, Venmo in the USA. And Venmo doesn’t deliver immediate settlement (it works through the debit card networks). In the last quarter of 2015, Venmo transferred $2.5 billion. In January 2016 alone it transferred $1 billion. So why is it so popular? It’s the integration with social media. Just over half the users are 18-24 and half the payments relate to food and drink sharing! On a US college campus, “I’ll Venmo you” has entered the lexicon. In the UK, “I’ll PingIt you” has not. Paym is growing steadily, but it is still only transferring about £12 million per month.
So now imagine, post-PSD2, a combination of the immediate availability of funds like PingIt and Paym with the social media integration of Venmo. It will be a wholly different payment experience. I’ll give you an obvious example. My wife and some of her friends are planning a weekend break in August. They do this through a Facebook chat group. But when it comes to settling up for hotels and air fares, everyone has to log out, e-mail everyone for their bank details, log in to home banking and set them up as payees, then make the payments. Then everyone else has to log in to their bank accounts to see if the money has arrived and that it is the right amount. In 2018, however, it will all be different. Facebook will be integrated with instant payments through APIs so that it can function as a PISP. When my wife gets a message to say that she owes her friend £100 for her air ticket, or £25 for her share of the dinner, or £10 for the tickets to a show, then she will put money into her return message just as she adds emoticons today. Under the hood, Facebook (which of course knows the bank account of the person you are sending a message to) will initiate an instant payment and within a second or so her friend will get a message to tell her that the money has arrived. Remember, Facebook already do this in the US through debit cards (like Venmo).
It’s not all about payments though. The other category of organisation with direct access to the bank account, the Account Initiation Service Providers (AISPs) also stand to benefit from bank inertia. The row about “screen scraping” in the US adumbrates similar pressure for bank strategies in Europe.
JP Morgan Chase CEO Jamie Dimon is incensed about fintech startups like Mint, Acorn and Bloom “scraping” his customers’ data
I’m sure his experienced strategists will be quick to reassure him that third-party access to bank accounts (the data is the customers’, not the banks’, of course) ought to be seen as an opportunity for JP Morgan Chase to develop some terrific new products and services. The reason why customers of JP Morgan Chase use Mint is because JP Morgan Chase do not provide a suitable, better product for them to use instead. Mr. Dimon, as a champion of free enterprise, would surely object to organisations building walled gardens and using regulatory barriers to defend them. If Facebook or Amazon provide a better financial services app for customers to manage their JP Morgan Chase accounts, then good for them.
In fact, it seems to me that this is a very likely outcome of rational market evolution. I buy my electricity from whichever supplier offers the best deal for our household. When I change suppliers, I don’t need to change my TV. When I change banks, why should I change my digital wallet if I don’t want to? With a standard API, my personal finance management (PFM) app and my wallet app and my social networks will all access my bank account, whatever my bank. And if I change banks, whatever.
So… what makes sense for banks? Why bother making the wallet or PFM apps? Why not instead provide the best possible API to people who are better at making these apps? Why bother with PingIt and PayM? Why not instead provide the best possible API for PISPs to use? Why bother with fancy applications at all? Why not instead provide identification and authentication services (through APIs, of course) that all of these other apps, APIs and services will depend on? After all, if I’m going to give Facebook access to my bank account then Facebook need to be pretty sure that it’s actually me and I need to be pretty sure that it’s actually Facebook. My bank is a rather obvious middleman here.
All of which leads me to suspect, as I have mentioned before with tedious regularity, that the banks should focus on what the Euro Banking Association call the “non-mandatory, non-payment APIs” (as shown above) as a basis for strategic advantage and get together to agree a digital identity infrastructure and a common set of digital identity APIs. Nothing to it, really…
Kicking off the session on “Old vs. New P2P” at Mobile Banking & Payments in New York, Steve Kirsch (the CEO of Token) made the strong point that somehow the era of the PC and the Internet left the basic payment “rails” unchanged. For a long time we’ve papered over the cracks — using 3D Secure, PCI-DSS and so on — but with the arrival of the smartphone we could all see that it was time for change. What we may have underestimated is just how big that change will be.
it can still feel natural to talk of the PC as the most fully-featured version of the internet, and mobile as the place where you have to make lots of allowances for limitations of various kinds… I’d suggest that we should think about inverting this – it’s actually the PC that has the limited, basic, cut-down version of the internet.
I couldn’t agree more. And in my framing, it’s all to do with identity. The PC was never personal: it didn’t have a SIM. My laptop isn’t mine in the same sense that my smartphone is and, as a consequence, will never be able to deliver as personal a service. Now, I suppose you could argue that it’s silly to talk about smartphones as PCs because they are, after all, phones.
The study also showed that four in ten users could manage without the call-making capability on their handset.
I rarely make calls on my smartphone and I rarely answer them either. Unless it’s the police, my CEO or my wife then I’ll let it go to voicemail or hit the “please text me if it’s anything important” button. Calling it a phone is just a figure of speech, like when you say you are going to dial a number to someone who has never seen a phone dial and has no idea why the word “dial” is used in that context.
So what is the smartphone for?
We’ve all seen a thousand conference slides that show the smartphone as a Swiss army knife: calendar, watch, contact book, diary, games console, social media gateway, radio and so on. But if we go back to Benedict’s point, then we can answer the question in a different way. My smartphone is… me. Well, as good as. It’s a sort of proxy me.
a smartphone knows much more than a PC did… It can see who your friends are, where you spend your time, what photos you’ve taken, whether you’re walking or running and what your credit card is.
We can all see what the consequences are in payments and banking. The practical result of the identity-less PC vs. the proxy-identity smartphone is that when I want to transfer some money or pay a bill, I use my excellent Barclays mobile app. I’ll only use my laptop if I absolutely have to because I have to type stuff in (like setting up a new payee). Conversely, it seems bizarre that when I phone up my bank, or my insurance company, or my airline or whatever else, I’m asked to demonstrate my identity by getting involved in (as I heard someone describe it recently) an episode of Jeopardy hosted by Kafka — OK, Franz, let’s go with “places I have lived” — when they could just ask the other me. The mini-me. The mobile-me.
Similarly, when I go into a bank branch or a retail outlet or a government office, why do they ask me for bits of paper that cannot possibly be verified when they could just ping mobile-me? App pops up on the phone, you put your finger on the sensor, job done. And just as the crucial role of the smartphone in disrupting the payments industry is to take payments, not make them, so the crucial role of the smartphone in disrupting the payments industry is to validate credentials, not present them. Since my mobile-me can check that your mobile-me is real, our mobile world ought to be much safer than our internet world.