Fintech South 2020 – Maintaining trust and safety in a digital world

At the (sadly, virtual) Fintech South event the year, I was asked to chair a discussion on identity and privacy with three extremely well-qualified experts who had informed perspectives on the state of, and trends in, those important pillars of a digital society. These were Adam Gunther (SVP, Digital Identity for Equifax), Andrew Gowasack (Co-Founder and President at TrustStamp) and Megan Heinze (President, Financial Institutions, North America for IDEMIA). It was great to talk to a group of people who were not only well-informed on these topics but had some passion for them too.

I won’t go over everything that was discussed, but I do want to pick up on a comment that was made in passing when I was chatting to the panelists: someone said that a guiding principle should be “no scary systems”. Hear hear! But what is a scary system? It is, in my opinion, a system that privileges security over privacy. This is not how we should be designing the identity systems for the 21st century!

Malware Wolves in Developer Sheep’s Clothing

internet screen security protection

When consumers install software on their devices, they often perform some sort of risk evaluation, even if they don’t consciously realise it.  They might consider who provides the software, whether it is from an app-store, what social media says, and whether they have seen any reviews.  But what if once a piece of software had been installed, the goalposts moved, and something that was a genuine software tool at the time of installation turned into a piece of malware overnight.

This is what happened to approximately 300,000 active users of Chrome ad blocking extension Nano Adblocker.  You see, at the beginning of October, the developer of Nano Adblocker sold it to another developer who promptly deployed malware into it that issued likes to hundreds of Instagram posts without user interaction.  There is some suspicion that it may have also been uploading session cookies.

Internet voting – challenging but necessary

i voted sticker lot

What did you think of the US election? I don’t mean the candidates and the outcome. What did you think of the election process? Should it be possible for national elections of this type to be done online? Last week the IET published a paper on internet voting in the UK, led by our good friend at the University of Surrey, Professor Steve Schneider. It’s well worth a read. As the paper explains, internet voting for statutory political elections is a uniquely challenging problem. Firstly voting systems have exacting requirements and secondly, the stakes are high with the threat of state level interference.

The best definition of Digital Identity

red lights in line on black surface

Our friends at Smartex challenged its readership to define Digital Identity the other day, with a bottle of wine on offer for the best definition. I’m pleased to say that the bottle of wine was won by Consult Hyperion, with a couple of competition entries submitted.

Coming up with a definition for digital identity is not easy. It can refer to quite a number of different things, making the task of encapsulating it in a sentence next to impossible. For my attempt I thought that rather than try to describe what it is, it would be better to describe what it does. I came up with this:

Digital identity allows us to trust each other by enabling us to share the minimum amount of verifiable information needed for the thing we want to do.

In one sentence I was trying to capture several points:

  • Digital identity is a means to an end not an end in itself
  • It’s bi-directional – in any transaction both parties need to have confidence in the other party
  • It’s about the information you need to share, which will vary considerably between contexts.
  • It protects privacy by only sharing the information (or claims) necessary.

DIACC announces launch of the Pan-Canadian Trust Framework

flag of canada

The Digital ID & Authentication Council of Canada (“DIACC”) announced the launch of the Pan-Canadian Trust FrameworkTM (“PCTF”) this week, a set of digital ID and authentication industry standards that will define how digital ID will roll out across Canada. Its launch marks the shift from the framework’s development into official operation and will begin alpha testing by public and private sector members in Canada. The alpha testing will inform the launch of DIACC’s PCTF Voila Verified Trustmark Assurance Program  (“Voila Verified”), set to launch next year. 

The tension in facial recognition

Facial recognition camera

The rise of facial recognition technology and the erosion of privacy

In the 2002 movie Minority Report, Tom Cruise’s character has his eyes surgically replaced so he can avoid being identified by the all-pervasive retina scanning system that the state uses to track people… and of course, uses to show targeted ads to people. This is a rather dystopian view of the broad application of biometrics technology.  However, judging by a lawsuit targeting Macy’s for their use of Clearview AI’s facial recognition technology in their stores, it seems that staying anonymous in the bricks and mortar world is becoming a little more like the movie. Whilst you may not require surgery, you may soon require something akin to glasses and a fake beard to avoid being tracked. The issue here is that Clearview AI has been scraping images from publicly viewable sources on the web for a while, enabling them to create a database of facial biometrics against which to match captured facial images. Amongst the sources of this data are Facebook, Twitter, LinkedIn, YouTube and Vimeo, with some of these companies having sent cease and desist letters to Clearview AI for breach of their terms of service.  The aim it seems is for Clearview AI to create a one-to-many facial recognition solution that can identify an individual from only an image of their face from anyone who is in a photo or video on the web.  Based on a report on Buzzfeed, they were working with over 2000 companies as of February 2020, and they are probably not alone, so perhaps we should be concerned.

Identity in Vegas

Identity, authentication and authorisation are amongst the hottest of hot topics in our world right now. Even if we put Apple and it’s new face recognition technology to one side, there’s no shortage of excitement at the intersection of biometrics and electronic transactions. Remember this from earlier in the year?

A UK supermarket has become the first in the world to let shoppers pay for groceries using just the veins in their fingertips.

From British supermarket offers ‘finger vein’ payment in worldwide first

As I wrote at the time, this came only a few weeks after people forwarded me a link from to Time Out, calling attention to a new payment mechanism using a new biometric identification technology to effect retail payments in a new way. The system, called Fingopay, uses a scanner at POS to recognise customers in pubs and bars by the pattern of veins in their finger and then charges a linked payment account. I did remark on the overuse of “new”, as the first time that Consult Hyperion blogged about this technology was more than a decade ago,  talking about mass market uses of biometrics and looking in the particular case study of Japanese banking, and it wasn’t new then! The technology has reappeared as a “new” solution to these same problems a great many times since then. It seems like every couple of years or so some stories about this new technology and new way to pay reappear. For example…

The BBC were kind enough to invite me on to their lunchtime “You and Yours” magazine programme to discuss this innovation. I think they were a tiny bit surprised, to be honest, when I told them that the technology was eight years old! I also told them, in the spirit of openness and integrity that is associated with the good name of Consult Hyperion throughout the civilised world, that we had been retained by Hitachi some years ago to carry out a study on the security of this product and its suitability for certain financial services applications.

From We’ll be giving Barclays the finger next year | Consult Hyperion

The truth is that the idea of using fingers instead of cards goes back a long way (I can remember Piggly Wiggly exploring it in 2004) and reappears with regularity. So what’s different this time? Well, for one thing, we now have open banking. With strong customer authentication (SCA), risk-based authentication at POS and standard APIs for third-party access to accounts, retailers and other will soon be able to process payments themselves by obtaining payment institution (PI) licences and obtaining consumer consent for access to their bank accounts. Thus, putting your finger on a reader in store and having the retailer instruct an immediate instant payment transfer from your account to the retailer account looks like a more promising model this time around.

It’s the combination of technology (convenient biometric authentication), business (non-bank third party services) and regulation (open access) that means that the payments world is going to see more change in this space in the next year than in the previous ten. Almost every payment conference in that decade has highlighted the “identity problem” yet no-one was going anything about it. Now we have mass market solutions just around the corner.

Anyway, all of this is a roundabout way of saying how excited I am to be chairing the Money2020 workshop “Identity is Fundamental” in Las Vegas next week. We’re going to be talking about the latest trends in identification technology, authentication in the mass market and much more. And we have a detailed case study from Canada, as we have Toronto Dominion and SecureKey talking about the Canadian banks’ ambitious project to fix the identity problem with, amongst other things, the blockchain. You’d be mad to miss it, so look forward to seeing you in the Titian Room on Level 2 of the Venetian next Wednesday at 8.30am. Oh, and if you want to say hi to me or any of the Consult Hyperion team in Las Vegas next week, just email, tweet or message me on LinkedIn.

Estonia, fake news and digital identity

Estonia. Land of saunas, shepherds and song festivals. I keep hearing about Estonia all of a sudden and not for any of these reasons but because of the blockchain. At meetings and conferences, I keep hearing people talking about the Estonian national identity scheme that uses a blockchain. Only this week, for example, in the Harvard Business Review, I read that…

“since 2007 Estonia has been operating a universal national digital identity scheme using blockchain.”

via Blockchain Will Help Us Prove Our Identities in a Digital World

I think this is a misinterpretation of the technical infrastructure of our neighbour to the north. The Estonian national digital identity scheme launched in 2002. Way back in 2007, my colleague Margaret Ford interviewed Mart Parve from the Estonian “Look@World” Foundation in Consult Hyperion’s long standing “Tomorrow’s Transactions” podcast series (available here). Mart was responsible for using the smart ID service (both online and offline) to help Estonia develop its e-society. If you listen carefully to them talking, you will notice that they never mention the blockchain, which is unsurprising since Satoshi’s Nakamoto’s paper on the subject was not published until October 2008. This only the most recent example of what I see to be a virulent strain of blockchainitis though.

Another Estonian outbreak of the same disease occurred just before Christmas when I was invited along to a blockchain breakfast (seriously) at the Mother of Parliaments.

After a while, the discussion moved on to the Estonian electronic identity system. I expressed some scepticism as to whether the Estonian electronic identity system was on a blockchain. The conversation continued. Then to my shame I lost it and began babbling “it’s not a blockchain” until the chairman, in an appropriate and gentlemanly manner, told me to shut up

From House of Blockchain | Consult Hyperion

As it happens, a few days ago I had breakfast with the new CIO of Estonia, Siim Sikkut. What a nice guy!



I asked him where this “Estonian blockchain ID” myth came from, since I find it absolutely baffling that this urban legend has obtained such traction.  He said that it might be something to do with people misunderstanding the use of hashes to protect the integrity of data in the Estonian system. Aha! Then I remembered something… More than decade ago I edited the book “Digital Identity Management” and Taarvi Martens (one of the architects of the Estonian scheme) was kind enough submit a case study for it. Here is an extract from that very case study:

Long-time validity of these [digitally-signed] documents is secured by logging of issued validity confirmations by the Validation Authority. This log is cryptographically secured by one-way hash-function and newspaper-publication to prevent back-dating and carefully backed up to preserve digital history of mankind.

Mystery solved! It looks as if the mention of the record of document hashes has triggered an inappropriate correlation amongst less technical observers and as Siim observed, it may indeed be the origin of the fake news about Estonia’s non-existent digital identity blockchain.

So there we have it as far as I can see. If there are any other crypto-sleuths out there with alternative theories, I’d love to hear from them.

Super-complaints but no super-solutions

I love the BBC’s Money Box programme with Paul Lewis and I listen to it every week.  A recent episode included what, I’m afraid, has become an all-too-familiar story.

Paul Lewis hears from a listener who built up savings of £180,000 over more than ten years in business, only to have it all stolen from her account in 24 hours by online scammers. Should her bank have noticed and stepped in?

From BBC Radio 4 – Money Box, Cheaper energy when it rains

The essence of the story is that the customer fell for a scam. She had a phone call from someone purporting to be from BT and the upshot of it was that she allowed fraudsters access to her Santander business account whereupon they immediately began to transfer all of the money out to a variety of other accounts. When she discovered that she had been the victim of fraud she asked the bank for the money back and they said no.

From her perspective, I can see why she feels aggrieved. She feels that the bank’s antifraud mechanisms should have resulted in a phone call or email and text message or something when these completely unusual transactions took place. After all, 33 transfers in 24 hours from an account that is normally used only for direct debits and standing orders would hardly need Watson to flag up a warning.  From the bank’s perspective, I can see why they feel they are not responsible since she authenticated all of the fraudulent transfers by entering the 2FA codes they texted her (they hadn’t read my blog on why SMS isn’t security).

Whether the bank is at fault or not for this specific scam the banks, collectively, will have to do something about the instant payment fraud problem in general. These frauds have become a very serious problem and I can understand why consumer groups are upset about what they see as a lack of action from the banks.

The Payment Systems Regulator’s (PSR) response to the Which? super-complaint on bank transfer scams ‘has let the banks off the hook’.

From Super-complaint response lets banks off the hook – December – 2016 – Which? News

It isn’t only phone calls. There’s a huge amount of e-mail fraud going on as well. In essence, fraudsters intercept legitimate requests to transfer money from one account to another using the Faster Payments Service (FPS) and they change the details so that the payer sends the money to an account under the control of the fraudsters rather than the intended destination. So, typically, the fraudsters will get into the email of a solicitor and when that solicitor sends an email to one of their clients requesting money for a house purchase to be transferred into the solicitors account, the fraudsters replace the legitimate account details with details of another account that they control. I wrote about this ages ago and put forward the obvious solution, which is to stop using e-mail for important transactions, but nobody paid any attention, and the problem continued to grow.

A particular problem, of course, is that you identify a payee by giving a sort code number that identifies the bank branch and an account number to receive the funds. I defy anybody to carry around the six digit sort code and nine digit account number of their correspondents in their heads or to be able to spot their solicitors real payment details from some fake payee details when reading an email. If you are expecting to send the money to $dgwbirch (you can try this by the way, it’s my Square Cash name) and then get an email asking you to send instead to $davidovichbirchski then you might be a little suspicious, but if you get an e-mail using to switch from sort code 12-34-56 to 34-56-78 its less obviously a fraud.

Now, for someone like me who is reasonably savvy about the operations of the UK domestic interbank payment networks, instant payment fraud isn’t a problem. Whenever I have to set up a new payee for instant payments, I always send an initial payment of a fiver and wait for confirmation that it has arrived before a transfer any larger amount. But a great many people, and a great many people who are intelligent and sophisticated customers, do not. They enter the incorrect payee details and hit send. The impact of this is significant as the number of frauds continues to increase.

Hannah Nixon, managing director of the PSR, said: ‘Tens of thousands of people have, combined, lost hundreds of millions of pounds to these scams”.

From Super-complaint response lets banks off the hook – December – 2016 – Which? News

Indeed they have. But if I tell my bank to send £10,000 to the Nat West in Barnsley by mistake – whether I was scammed or typed in the wrong sort code or was using an out-of-date account reference or whatever – and I go through all of the security hoops to do so, why is it my bank’s fault that the money went to the wrong place? It is not obvious at all that it is my bank that should be compensating me for my mistake. If scammer gets me to send my house deposit to the wrong account, then my claim is against the scammers or the destination bank if it was negligent in some way (e.g., if it didn’t do KYC) isn’t it?

I agree with the BBC and everyone else that something needs to be done. On this Money Box episode, Hannah Nixon (the UK’s Payment Systems Regulator) mentioned one specific countermeasure that is to be implemented by 2018, which is payee verification, but I wonder if the solution isn’t to put an overlay on top of FPS for retail and SME customers to use. As I wrote earlier in the year, 

if someone put a scheme on top of FPS so that they did the payee verification for you and included chargeback rights for a small fee then that might be very attractive to a great many people.

In other news, MasterCard are apparently launching a bid for VocaLink.

From Are the banks telling you that you may as well use bitcoin? | Consult Hyperion

This isn’t just about bank accounts and instant payments, of course. If it was, I wouldn’t be blogging about it. I hate to say it, but the problem and the solution are all about identity. She couldn’t tell it was BT, and bank couldn’t tell it was her (and she wouldn’t have been able to tell it was the bank). Fraudsters are ruthless about exploiting the gaps in identification, authentication and authorisation infrastructure and as far as I can tell, right now there are only gaps and no actual infrastructure. A system based on the gold standard of gas bills is, I am sorry to say, no longer fit for purpose.

Police later discovered Ghani and Mahmood carried out the fraud after stealing three utility bills from Mr To’s mailbox.

From Stockport identity fraud victim’s £500k home put on market – BBC News

“Having forged his signature, they then transferred the deeds to his house into Ghani’s name”. Yes, I know I know, I’m sure the blockchain will put a stop to this, but in the meantime… should a homewoner whose house is stolen in this way be entitled to compensation from the utility company for sending the bills? Or from the whoever it is that transferred the deeds based on a forged signature? If I can steal your house just by getting information from utility bills and forging your signature, society wouldn’t expect you to be the one to lose out and I understand this, would it? Surely if I am able to login to the solicitors email server and then send emails masquerading as them, it’s the solicitor that is being negligent not the bank!

Just whose fault is it when someone gets scammed in an environment that has no effective identity infrastructure?

I’m entitled to adult services

My old chum Andy Ramsden wrote a nice piece on LinkedIn the other day, pointing out the difference between transactions that need identification (almost none of them) and transactions that need credentials (most of them). He used a current British case in point, which is how to come up with a scheme for preventing “health tourism” on the National Health Service (NHS) which is largely free at the point of delivery.

The receptionist doesn’t even need to know my name, all they need to verify is whether or not I am eligible for NHS treatment.

From Proving your identity needn’t be this hard | Andy Ramsden | Pulse | LinkedIn

Indeed. Which is why a National Entitlement Scheme (NES) makes sense. Andy’s point is not a special case – quite the opposite, it is the general case. In almost all day-to-day transactions, who you are is not important. This is why, in our “Three Domain Identity” (3DID) model, transactions take place in the authorisation domain, not the identification domain.

3D Domain Model


Now, in the NHS case I imagine that for most people giving out your real name is probably not a barrier to seeking treatment (although I can easily imagine cases where it is – what does James Bond’s NHS card say, for example?) but I can think of plenty of cases where giving out your real name is not only a barrier to transactions taking place, it’s downright crazy. Adult services are an obvious case and they are a case that I like to use because they are a useful example for focusing security, privacy and commercial issues that apply to a wide range of services. What do I mean by adult services? Well, to fork one of my favourite jokes from one of my all time favourite TV shows, Greg the Bunny, I don’t mean voting. I mean services that grown up people might want to use that they do not necessarily want other people to know about: gambling, fantasy football leagues, dungeons and dragons discussions groups and so on. If we can fix the problem for adult services we can fix it for most other things.

Ofcom’s guidance on age checks for online video content suggest a range of options – from confirmation of credit card ownership to cross-checking a user’s details with information on the electoral register.

From Plan to block porn sites accessible to children – BBC News

Both of these ideas are bad and are certain to lead to disaster, because both of them require the adult service provider to know who you are. This means that when they get hacked, as they inevitably will be, the personal details of the customers will be available to all. And, as actually happened in the case of the Ashley Madison hack, people will die. It’s not funny. Whether its adult web sites, or counselling services, or gay dating, or drug addiction helplines or whatever, where I go online is my business. We need a better solution than some dumb mandate to accelerate identity theft and foist its consequences on everybody.

Now, we already know what to do (that is, to have a functional identity privacy-enhancing infrastructure) but as yet there’s no sign of it coming into being. Therefore in the shorter term we have to come up with some workable alternative. It seems to me that a rather obvious way forward would be for banks, who have invested zillions in tokenisation services, to issue John Doe tokens to customers over 18. So, I can load my Barclays debit card into my Apple / Samsung / Android (* delete where applicable) wallet for free, but for £5 per annum I get an additional Privacy-Enhancing Token (a PET name). This stealth token would have the name of “John Barleycorn” and the address (for AVS purposes) of “Nowhere”.

Now, I can go online to the UK Adult Gateway Service or whatever it ends up being called and use the PET name to obtain an adult passport. Then I can use this adult passport to go and log in to Lovelies in Leather Trousers (which I only read for the gardening tips). Now:

  1. Lovelies in Leather Trousers know that I am adult passport “John Barleycorn” and that they can charge to that passport (when they do, Apple Pay pops up on my phone and asks for authorisation).

  2. When Lovelies in Leather Trousers gets hacked, the hackers find the adult passport John Barleycorn but they can’t use it to find out who I am. Even if they could log in to the Adult Gateway Service, it only knows that I am John Barleycorn and that the token comes from Barclays. Since there are tens of thousands of Barclays PETs with the name John Barleycorn, who cares.

  3. If the hackers get into Barclays and discover that the particular PET name belongs to me, then Barclays have a far amount more to worry about than the £100,000 compensation they will be paying me for breaching my privacy.

  4. Meanwhile, if the adult passport John Barleycorn is used in some criminal activity, the police can simply go to Barclays with a warrant and Barclays will tell them it is me.

Simple. Incidentally, there’s another aspect to all which means that the networks and the banks might want to invest in this kind of infrastructure. Since adult payments are lucrative, and since an effective privacy-enhancing age check would increase the use of such services, and since a tokenised approach would also reduce fraud and chargebacks, there are real incentives for the stakeholders to get out their and put something in place.

The Digital Economy Bill already includes measures to bring in age checks and the power to withdraw payment services from sites which do not implement the controls.

From Plan to block porn sites accessible to children – BBC News

I really don’t like the idea of using the payment system as a policeman, but it makes sense as an interim solution until such time as we actually have a working identity infrastructure with pseudonymous virtual identities that can be used for adult transactions, just as they will be used for all other transactions. Including getting hospital treatment if you are entitled to it.

Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.