About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





Creative Commons: Attribution Non-Commercial Share Alike

This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

51 posts categorized "Identification & Authentication"

NSTICy questions

By Dave Birch posted Jul 6 2011 at 9:47 PM

I've been reading through the final version of the US government's National Strategy on Trusted Identities in Cyberspace (NSTIC). This is roughly what journalists think about:

What's envisioned by the White House is an end to passwords, a system in which a consumer will have a piece of software on a smartphone or some kind of card or token, which they can swipe on their computers to log on to a website.

[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]

And this is roughly what the public think about it:

Why don’t they just put a chip in all of us and get it over with? What part of being a free people do these socialists not understand?

[From White House Proposes A Universal Credential For Web : The Two-Way : NPR]

And this is roughly what I think about it: I think that NSTIC isn't bad at all. As I've noted before, I'm pretty warm to it. The "identity ecosystem" it envisages is infinitely better than the current ecosystem and it embodies many of the principles that I regard as crucial to the online future. It explicitly says that "the identity ecosystem will use privacy-enhancing technology and policies to inhibit the ability of service providers (presumably including government bodies) to link an individual's transactions", and says that by default only the minimum necessary information will be shared in transactions. They have a set of what they term the Fair Information Practice Principles (FIPPs) that share, shall we say, a common heritage with Forum friend Kim Cameron's laws (for the record, the FIPPs cover transparency, individual participation, purpose specification, data minimisation, use limitation, data quality and integrity, security, and accountability and audit).

It also, somewhat strangely, I think, says that this proposed ecosystem "will preserve online anonymity", including "anonymous browsing". I think this is strange because there is no online anonymity. If the government, or the police, or an organisation really want to track someone, they can. There are numerous examples which show this to be the case. There may be some practical limitations as to what they can do with this information, but that's a slightly different matter: if I hunt through the interweb tubes to determine that the person posting "Dave Birch fancies goats" on our blog comes from a particular house in Minsk, there's not much I can do about it. But that doesn't make them anonymous, it makes them economically anonymous, and that's not the same thing, especially to people who don't care about economics (eg, the security services). It's not clear to me whether we as a society actually want an internet that allows anonymity or not, but we certainly don't have one now.

The strategy says that the identity ecosystem must develop in parallel with ongoing "national efforts" to improve platform, network and software security, and I guess that no-one would argue against them, but if we were ever to begin to design an EUSTIC (ie, an EU Strategy for Trusted Identities in Cyberspace) I think I would like it to render platform, network and software security less important. That is, I want my identity to work properly in an untrusted cyberspace, one where ne'er-do-wells have put viruses on my phone and every PC is part of a sinister botnet (in other words, the real world).

I rather liked the "envision" boxes that are used to illustrate some of the principles with specific examples to help politicians and journalists to understand what this all means. I have to say that it didn't help in all cases...

The "power utility" example serves as a good focus for discussion. It expects secure authentication between the utility and the domestic meter, trusted hardware modules to ensure that the software configuration on the meter is correct and to ensure that commands and software upgrades do indeed come from the utility. All well and good (and I should declare an interest and disclose that Consult Hyperion has provided paid professional services in this area in the last year). There's an incredible amount of work to be done, though, to translate these relatively modest requirements into a national-scale, multi-supplier roll-out.

Naturally I will claim the credit for the chat room "envision it"! I've used this for many years to illustrate a number of the key concepts in one simple example. But again, we have to acknowledge there's a big step from the strategy to any realistic tactics. Right now, I can't pay my kids' school online (last Thursday saw yet another chaotic morning trying to find a cheque book to pay for a school outing), so the chance of them providing a zero-knowledge proof digital credential that the kids can use to access (say) BBC chatrooms is absolutely nil to any horizon I can envisage. In the UK, we're going to have to start somewhere else, and I really think that that place should be with the mobile operators.

What is the government's role in this then? The strategy expects policy and technology interoperability, and there's an obvious role for government -- given its purchasing power -- to drive interoperability. The government must, however, at some point make some firm choices about its own systems, and this will mean choosing a specific set of standards and fixing a standards profile. They are creating a US National Project Office (NPO) within the Department of Commerce to co-ordinate the public and private sectors along the Implementation Roadmap that is being developed, so let's wish them all the best and look forward to some early results from these efforts.

As an aside, I gave one of the keynote talks at the Smart Card Alliance conference in Chicago a few weeks ago, and I suggested, as a bit of an afterthought, after having sat through some interesting talks about the nascent NSTIC, that a properly implemented infrastructure could provide a viable alternative to the existing mass market payment schemes. But it occurs to me that it might also provide an avenue for EMV in the USA, because the DDA EMV cards that would be issued (were the USA to decide to go ahead and migrate to EMV) could easily be first-class implementations of identity credentials (since DDA cards have the onboard cryptography needed for encryption and digital signatures). What's more, when the EMV cards migrate their way into phones, the PKI applications could follow them on the Secure Element (SE) and deliver an implementation of NSTIC that could succeed in the mass market with the mobile phone as a kind of "personal identity commander".

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Confronting the issue

By Dave Birch posted Jun 24 2011 at 4:23 PM

There's an interesting choice of words in the O’Reilly Radar publication on "ePayments 2010". The report's subtitle is "Emerging Platforms, Embracing Mobile and Confronting Identity". I thought that this is expressive: the payments industry is "confronting" identity.

...even as consumers come to expect online systems to know more about them in order to facilitate transactions and reduce friction in accomplishing tasks, they are likely to want to maintain control over which online services have access to distinct aspects of their identity.

Very well put. It illustrates a point that I find myself making in more and more discussions these days: that if the players in the payments industry don't deal with the identity problem, then someone else will.

Identity is critical in many ways: It ensures the right degree of user personalization, enables the reliable billing of services used across a platform, and provides a strong foundation of trust for any transaction occurring on the platform.

[From Making Sense of Ever-Changing Payment Technologies: The Year of APIs and the Reshaping of the Payment Ecosystem - pymnts.com]

Patrick is right to highlight the key role of identity in constructing the future payments infrastructure, although I would draw a slightly different diagram to illustrate the relationship. He has drawn identity on top of payment services, whereas I would draw them side-by-side to show that some commerce applications will use identity and some will not, and some commerce applications will use payments and some will not. This isn't just a payments issue, of course. It's rapidly becoming a major block on the development of the online economy. There's a Chernobyl coming, and the recent fuss about Sony and Sega will appear utterly trivial in comparison. I'm not smart enough to know where or when it will happen, but it will happen. If I had to take a wild guess, I might be tempted to predict the epicentre if not the cause or symptoms.

I trust Facebook to give the messages that I type to my ‘friends’. I trust Facebook with the login details to my Yahoo email account... Even in the last week at least four of my friends have been link-jacked in Facebook – whereby their accounts start spewing malicious links onto the walls of their friends.

[From Trust co-opetition is the key to avoiding disintermediation « in2payments]

It's the interlinking via social networking that is precisely the danger, because that means when something goes wrong it goes connectedly wrong and gets out of control in unpredictable ways. Something has got to be done to make identity mischief substantially more difficult. But how?

We need online identities anchored in hardware cryptography. Everybody who does financial cryptography understands that for anything of value, you can’t store the keys in software. You need hardware protected keys, with a cryptoprocessor to operate on them, and very importantly, a trusted UI to the human that doesn’t involve hackable software. EMV is a good basis for this.

[From The Case for EMV Chip Cards in the US? — Payments Views from Glenbrook Partners]

Hear hear. I'd say that it is the chip with a crypto co-processor that is the basis (EMV is just an application running on such a chip), but the point holds. So where are these chips today? Well, they exist in your chip and PIN card in a sort of autistic form, with limited communication and narrow bandwidth through which we can reach the smart core. And they exist in your mobile phone, in the form of the UICC, where they have high bandwidth, constant connectivity, a UI, huge memory and an ecosystem beyond the device. And they will soon exist in your mobile phone, set-top box and elsewhere in the Secure Element (SE). (As an aside, in some models the SE will be resident in the UICC, so there may only be one physical chip.)

Therefore, there is an opportunity to roll out an SE-based infrastructure, perhaps in the NSTIC architecture, that sets us down the path to identity security. I'm surprised that, in Europe at least, the mobile operators haven't already got together to develop their joint response to NSTIC and begun work on the business models that it spawns. The mobile operator is a natural identity and attribute provider and they already have the tamper-resistant hardware (ie, UICCs) out in the market. They know the customer, they know the network, they know the device. I should be logging on to everything using my handset already, not messing about with passwords and secret phrases and mother's maiden name.

From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach.

[From Digital Identity: USTIC]

This may be another area where the ease of use afforded by NFC makes for a big difference in the shape of the marketplace and the trajectory of the stakeholders. There were some early experiments in SIM-based secure PKI, but they were very, very clunky because they needed SMS or Bluetooth to connect the handset to the target device, like a PC or a kiosk (or a POS). But in the new world of NFC, what could be simpler: use the menu on the phone to select an identity, tap, and go online. And since the SE can handle the proper cryptography, my phone can tell whether it is talking to the real Barclays as well as Barclays working out whether it is talking to my phone. The NSTIC framework, when combined with the security and ease-of-use of NFC in mobile phones, may not be the whole solution, but it's certainly a plausible hypothesis about what that solution may grow from.
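The two-way check described above (the phone satisfying itself that it is talking to the real bank while the bank satisfies itself that it is talking to the enrolled phone) as an added example in Go; this is not code from the original post or from Consult Hyperion. The secure element is modelled as an in-process key holder (an assumption: the private key is treated as never leaving it), each side is assumed to hold the other's public key from enrolment, and both nonces plus a role tag are signed so that a signature produced in one direction cannot be reflected back in the other.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one end of the exchange. priv stands in for a key held inside a
// secure element (assumption: it never leaves the chip); peer is the other
// side's public key learned at enrolment (assumption).
type Party struct {
	name string
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
	peer ed25519.PublicKey
}

func NewParty(name string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Party{name: name, priv: priv, pub: pub}
}

// Enrol makes each side trust the other's public key.
func Enrol(a, b *Party) {
	a.peer = b.pub
	b.peer = a.pub
}

func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// transcript is what each side signs: a role tag plus both nonces. The tag
// stops a signature made in one direction being replayed in the other; the
// peer's nonce makes the signature fresh for this run only.
func transcript(role string, peerNonce, ownNonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(role))
	h.Write(peerNonce)
	h.Write(ownNonce)
	return h.Sum(nil)
}

// MutualAuth runs the exchange and reports what each side concluded.
func MutualAuth(bank, phone *Party) (bankAcceptsPhone, phoneAcceptsBank bool) {
	// 1. bank -> phone: fresh challenge
	nb := nonce()
	// 2. phone -> bank: its own nonce and a signature over ("phone", nb, np)
	np := nonce()
	sigPhone := ed25519.Sign(phone.priv, transcript("phone", nb, np))
	// 3. bank verifies against the enrolled phone key; stop if that fails
	bankAcceptsPhone = ed25519.Verify(bank.peer, transcript("phone", nb, np), sigPhone)
	if !bankAcceptsPhone {
		return false, false
	}
	// 4. bank -> phone: signature over ("bank", np, nb)
	sigBank := ed25519.Sign(bank.priv, transcript("bank", np, nb))
	// 5. phone verifies against the pinned bank key
	phoneAcceptsBank = ed25519.Verify(phone.peer, transcript("bank", np, nb), sigBank)
	return bankAcceptsPhone, phoneAcceptsBank
}

func main() {
	bank, phone := NewParty("bank"), NewParty("phone")
	Enrol(bank, phone)
	fmt.Println(MutualAuth(bank, phone)) // true true

	// A look-alike site with its own key: it can still check the phone's
	// response, but the phone refuses it because the key is not pinned.
	rogue := NewParty("rogue")
	rogue.peer = phone.pub
	fmt.Println(MutualAuth(rogue, phone)) // true false
}
```

The order matters: the bank only signs after it has verified the phone, so a party that cannot prove itself learns nothing signed by the bank that it could reuse elsewhere.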

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It's all fun and games, until... no, wait, it is all fun and games

By Dave Birch posted Jun 4 2011 at 4:08 PM

Consult Hyperion has been working on a project called VOME with the UK Technology Strategy Board. The idea of the project is to help people who are specifying and designing new, mass-market products and services (eg, Consult Hyperion's clients) to understand privacy issues and make better decisions on architecture.

VOME, a research project that will reveal and utilise end users' ideas and concepts regarding privacy and consent, facilitating a clearer requirement of the hardware and software required to meet end users' expectations.

[From Technology Strategy Board | News | Latest News | New research projects help to ensure privacy of data]

Part of the project is about finding different ways to communicate with the public about privacy and factor their concerns into the requirements and design processes. Some of these ways involve various kinds of artistic experiments and it's been fun to be involved with these. We've already taken part in a couple of unusual experiments, such as getting amateur writers to produce work about privacy from different perspectives.

More recently we have been working with Woking Writers’ Circle on the production of a collection of short stories and poems entitled ‘Privacy Perspectives’.

[From Media - Consult Hyperion]

As one of the technical team, I have to say that it's very useful to be forced to try to think about things like privacy-enhanced technology, data protection and risk in these different contexts. One of the artistic experiments underway at the moment, primarily aimed at educating teenagers and young people about the value of their personal data, is the development of a card game that explores the concept. The card game experiment, led by Dr. David Barnard-Wills from Cranfield University, has reached the point where the game needs playtesting. So... we all met up in London to play a couple of games of it.

Turned out that not only had the chaps developed the game way further than I had imagined, but they've invented a pretty good game. Think the constant trading of "Settlers of Catan" with the power structures of "Illuminati" mixed with game play of "Crunch". I liked it.

You get cards representing personal data of different kinds. Depending on who you are (each player is a different kind of business: bank, dating agency, insurance company etc) you want different datasets and you want to link them together into your corporate database. A dataset is a line of three or more data items of the same kind. Here's a corporate database with two datasets in it: the green biographical data 2-2-3 and the orange financial data 3-3-3; these will score at the end of the game.

There are event cards, that pop up each round to affect the play, and some special cards that the players get from time to time. Check out the database I ended up with in the game that my colleague and I won! I was the bank, so I was trying to collect financial data in my database but I was also trying to collect social data (purple) in my hand.

We had great fun, and we all contributed a ton of ideas. The game is being refined for a new version in a month or two, so we'll try it again then and I'll let you know how it's going! I don't know if the guys are actually going to turn it into a commercial product (that isn't really the point of it) but I'd say they are on to a winner. My tip: instead of calling it "Privacy", call it "Super Injunction".

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

25% increase in authentication

By Dave Birch posted May 10 2011 at 9:59 PM

I had an annoying problem with my PayPal account that ended up with me being posted a password, all quite tedious and strangely manual. As I observed at the time, it seemed odd that in 2011 we hadn't got anything figured out when it comes to authentication. Why couldn't I use my Barclays 2FA PINSentry to prove who I was to PayPal? In fact, why couldn't I use it for 2FA in general, since moving from passwords to 2FA involving tamper-resistant hardware would be a simple way to improve security across a range of services. We don't use 2FA, and we should.

But that might be changing [recently] Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail.

[From Two-factor authentication: Gmail's new system offers more security than just a password. - By Farhad Manjoo - Slate Magazine]

This is a good step. I use gmail, and I'd actually prefer to use it with 2FA than without, provided that the 2FA is based on something I already have, such as my phone, because I don't want to carry another dongle. Unfortunately, my mobile operator doesn't provide any sort of identity management or authentication services, so I can't use my phone. I do already have a tamper-resistant chip that I have with me most of the time, and that's in my bank card. Why not use that in some way?

Alternatively, you could slide your credit card through your phone's card reader—or simply wave your credit card so that it can be recognized by the "near-field communication" chip in your phone.
Are these things too far out?

[From Two-factor authentication: Gmail's new system offers more security than just a password. - By Farhad Manjoo - Slate Magazine]

I'd say not really, especially since I've seen SecureKey's system for doing just this work perfectly with Google, using a USB key NFC reader and the customer's contactless bank card to provide the second factor. Today I read about someone pitching iris recognition via USB device as a potential third factor as well. But are three factors enough?

I saw a discussion over at the Identity Management Specialists Group on LinkedIn that set me wondering about authentication factors. Traditionally, we experts have referred to three authentication factors: something you know, something you have and something you are (or, as Ben Laurie once told me, something you've forgotten, something you've lost and something you were). The LinkedIn discussion was about whether location might be a fourth authentication factor, because it is independent of the other three and can be determined in isolation.

So does this make sense? Is location an alternative third factor, another kind of "something you are", or is it genuinely something new that adds an additional degree of authentication power? The conclusion in the group discussion was (I think!) that location isn't an authentication factor because where you are doesn't change who you are, but that it is an authorisation factor because you may wish to assign different capabilities to an identity depending on where the physical person is (ie, are they in the office or at home?). I'm not so sure about this: it seems to me that corroborating your location obtained from your mobile phone with, say, a password, does indeed strengthen authentication. There are plenty of options, so a workable strong authentication scheme must be getting closer, right?

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

It all comes back to liability

By Dave Birch posted Mar 14 2011 at 2:23 PM

I posted about the silo-style identity and authentication schemes we have in place at the moment and complained that we are making no progress on federation. Steve Wilson posted a thoughtful reply and picked me up on a few points, such as my "idea" (that's a bit strong - more of a notion, really) of developing an equivalent of creative commons licences, a sort of open source framework. He says

CC licenses wouldn't ever be enough. Absent new laws to make this kind of grand identity federation happen, we will still need new contracts -- brand new contracts of an unusual form -- struck between all the parties.

[From comment on Digital Identity: The sorry state of id and authentication]

But isn't that what CC licences solve?

It's complicated by the fact that banks & telcos don't naturally see themselves as "identity providers", not in the open anyway

[From comment on Digital Identity: The sorry state of id and authentication]

Well, I'm doing what I can to change that (see, for example, the Visa/CSFI Research Fellowship), but on the main point I happened to be reading the notes from the EURIM Identity Governance Subgroup meeting on 23 February 2011, talking about business cases for population scale identity management systems. The notes say that

It is alleged that the only body with the remit, power and capability needed for assuring and recording a root identity through a secure and reliable registration process is Government.

The notes then go on to talk about case studies such as the Nordic bank-issued eIDs though. These arguments are to some extent circular, of course, because the e-government applications in the Nordics are using bank-issued eIDs, but the only reason that the banks can issue these eIDs is because they are using government ID as the basis for KYC. In the discussion about this at a recent roundtable in that Visa/CSFI "Identity and Financial Services" series, someone made a comment in passing (and I'm embarrassed to say that I can't remember who said this, because I noted the comment but forgot the commenter) that all of this takes place in a model absent liability. That is, as far as I understand what was said, the government accepts no liability from the banks, and vice versa. So if the bank opens an account for me, Sven Birch, using a government "Sven Birch" identity, but it subsequently transpires that I am actually Theogenes de Montford, then the bank cannot claim against the government. Similarly, if I used my bank eID "Sven Birch" to access government services, but it subsequently transpires that I am actually Theogenes, then the government has no claim against the bank. (If this isn't true, by the way, I would appreciate clarification from a knowledgeable correspondent.)

So what is the situation? Must we have a liability model, or can we all agree to get along without one? Or do you have to have a more consensual society, or perhaps one with fewer lawyers per head of population?

The sorry state of id and authentication

By Dave Birch posted Mar 9 2011 at 8:03 PM

I had a problem with my PayPal account: I used it in China, and it got blocked as the result of some kind of fraud screening.

I ended up having to promise the guys at Bike Beijing that I will sort this out when I get back to the UK and then send them their money.

[From Digital Money: Holding court]

They still haven't got their money. In order to unblock the account, you had to log in to your account and then have a code sent via your home telephone number. I clicked, the phone rang, I punched in the number and hung up. Nothing. I clicked again, the phone rang, I punched in the number and waited. Nothing. I clicked again, the phone rang, I punched in the number. After a while, I got an e-mail telling me that the authentication process had failed and so PayPal would send a letter containing some kind of code to my home address and that I could then use this code to unblock my account. It mentioned that the letter might take six weeks to arrive.

So the nice guys at Bike Beijing still don't have their money and I'm still embarrassed.

Now, all the time that this nonsense about codes and letters was going on, I had on my desk a Barclays PINSentry (which I can't even use to log on to Barclaycard, let alone PayPal), an O2 mobile phone (I've been with O2 for two decades and have a billing relationship with them - their system knew that I was in China) and a keyring OTP generator that we use for our corporate VPN. Any one of these could provide a better solution than messing about typing in code numbers, but they all sit in their own silos and don't provide the kind of general-purpose services that they should.

What should have happened, of course, is that I should have been able to log in to PayPal using OpenID and then logged in to a 2FA OpenID using my (say) PINSentry. So now PayPal knows that I have been 2FA logged in from an "acceptable" source (ie, Barclays Bank) and we could move on. So why doesn't this happen? Is it because OpenID has failed?

But if OpenID is a failure, it’s one of the web’s most successful failures. OpenID is available on more than 50,000 websites. There are over a billion OpenID enabled URLs on the web thanks to providers like Google, Yahoo and AOL. Yet, for most people, trying to log in to every website using OpenID remains a difficult task, which means that while thousands of websites support it, hardly anyone uses OpenID.

[From OpenID: The Web’s Most Successful Failure | Webmonkey | Wired.com]

It can't be that. OpenID has plenty of support, and even the US government got behind it.

Who would have predicted say, 5 years ago, that you would some day be able to use commercial identities on government websites? Evidently, this raises questions about privacy and security but if these initiatives can garner enough public support, government validation of open identity frameworks could be a boon for the ecosystem of the open, distributed web. Plus, it can make dealing with the government a lot easier for you, too.

[From US Government To Embrace OpenID, Courtesy Of Google, Yahoo, PayPal Et Al.]

It's not about the technology. I make no judgement as to whether OpenID is the best technology or not (although it does actually exist, which is a good start), but the truth is that it simply doesn't matter whether it is or it isn't.

The unresolved business and legal challenges implicit in federated identity are to blame for the under-delivery of OpenID

[From OpenID, Successful Failures And New Federated Identity Options | Forrester Blogs]

Indeed they are. So the problem isn't really anything to do with OpenID, or any other framework that might come along in cyberspace, but the legal framework that it has to sit inside. This is where we need the breakthrough. We need potential identity providers (eg, Barclays, O2) to be able to set up OpenID responders for their customers inside a well-known and well-understood legal framework. Now, you can do this contractually (as IdenTrust has done), but to scale to the open web, we need something more than that, perhaps an equivalent of the "creative commons" licences that are used for content but for credentials.

Even then, would someone like PayPal rely on them? Or would it only rely on identities from regulated financial institutions in the EU? Or only such institutions that met some minimum authentication standard? We're a long way from fixing my Chinese problem, despite having all of the technology needed to do so.

Not magic bullets, but bullets nonetheless

By Dave Birch posted Feb 23 2011 at 2:14 PM

How do you identify people? This is a difficult problem. Let's set aside what you need to identify people for, and just concentrate on large scale solutions.

The Indian government is trying to give all 1.2 billion Indians something like an American Social Security number, but more secure. Because each “universal identity number” (UID) will be tied to biometric markers, it will prove beyond reasonable doubt that anyone who has one is who he says he is. In a country where hundreds of millions of people lack documents, addresses or even surnames, this will be rather useful. It should also boost a wide range of businesses.

[From India: Identifying a billion Indians | The Economist]

The "but more secure" is obvious, because otherwise "something like" a US SSN will be as disastrous as a UK National Insurance number as a viable means of identifying individuals.

The study found that rather than serving as a unique identifier, more than 40 million SSNs are associated with multiple people. 6% of Americans have at least two SSNs associated with their name. More than 100,000 Americans have five or more SSNs associated with their name.

[From One In Seven Social Security Numbers Are Shared]

So what do we mean by "more secure"? How do you go about uniquely identifying people? In the case of India, it means a biometric universal ID (UID). Once the word "biometric" appears, people seem to think there is now a magic bullet against identity theft and fraud and they want to use it for everything (which is why I have previously argued that - given convenience - the market will automatically shift to demand the highest level of assurance of identity for every transaction, whether it requires it or not).

Securities and Exchange Board of India (SEBI)... has constituted an internal group with members from various departments to examine the modalities for making UID applicable for KYC norms and to formulate their views. This information was given by the Minister of State for Finance, Shri Namo Narain Meena in written reply to a question raised in Rajya Sabha today.

[From Press Information Bureau English Releases]

This kind of behaviour builds a tower on shifting sand, introducing a single point of failure into all systems. In fact, it introduces exactly the same single point of failure into all systems, which is why I like the NSTIC approach of multiple identity providers (of which the government is merely one, and a non-privileged one at that). In India, biometrics have not had a good start. The first attempts to register people for the UID saw only a fifth of the attempts succeed.

Though the department conducted proof-of-concept (pilot project) on over 266,000 people in Mysore and Tumkur districts, only 52,238 UIDs could be generated.

[From Pilot project yielded few UIDs - The Times of India]

Is there something unusual about Indian biometrics? I suspect not. I suspect that biometrics are being used in systems designed by management consultants who have been watching Hollywood movies rather than by technologists who understand the appropriate modalities and bounds. You wouldn't get that sort of thing here in the UK. No, wait...

Biometric face scanners at Manchester Airport have been switched off after a couple walked through one after swapping passports.

[From Aircargo Asia Pacific - Face scanners switched off at Manchester]

I've been through the e-passport face scanners at LHR a few times (I don't use the IRIS scheme after it rejected me three trips in a row) and I can't say I haven't wondered whether it is real or not. We all know that iris scanning is more secure.

A woman from eastern Europe who was deported from the UAE re-entered weeks after her departure using a new identity... To prevent her from returning, her eyes were scanned before she left. But, according to her testimony in court this week, she returned to the UAE through Dubai International Airport using a forged passport and a different name. She said her eyes were scanned upon entry.

[From Iris scan fails to stop returning deportee - The National Newspaper]

Hhhmmm. It seems as if building big databases of biometrics may not be the way forward for the time being. Is there any other way to make biometrics more practical at a large scale? I'm sure there is. Perhaps a good place to start would be to marry some capability and convenience. One thing that we know from examples around the world is that customers like biometrics because of convenience. So what else is convenient? I know: contactless, wireless and RFID technology.

Standard Chartered is issuing RFID chips to select customers at its newest Korean location, eliminating the need for affluent individuals to wait in lines at the branch. When a customer holding an RFID tag enters the facility, the system immediately notifies the branch manager and a relationship manager who can greet the customer personally at the door.

[From RFID Chips Spell End to Branch Lines for High-Value Customers | The Financial Brand: Marketing Insights for Banks & Credit Unions]

Ah, but when you get to the counter, how does the bank know that you are indeed the valued customer and not an imposter, intent on transferring funds off to Uzbekistan? Well, you could ask the customer to put their finger on a pad, or look at a camera, or speak into a microphone, or whatever, and then send the captured biometric to the RFID device for matching. Instead of rummaging through a giant database, the system can now do an efficient 1:1 comparison offline. If the device returns the correct, digitally-signed response, then the customer is verified. No PINs, no passwords: the combination of biometrics, contactless and tamper-resistant chips can deliver a workable solution to a lot of problems.
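As an added illustration of the match-on-device flow just described (example code, not from the original post or from any bank's system), here is a toy version in Go: the terminal sends a nonce and the captured sample to the chip, the chip does the 1:1 comparison against its enrolled template and signs the verdict, and the terminal checks that signature with the public key it recorded at enrolment. The feature vectors, threshold and nonce are constructed stand-ins for real biometric data; the private key never leaves the Device type.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Constructed tolerance (squared Euclidean distance) for the toy vectors below.
const matchThreshold = 0.05

// Device models the tamper-resistant chip: template and private key never leave it.
type Device struct {
	template []float64
	key      *ecdsa.PrivateKey
}

func NewDevice(template []float64) (*Device, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{template: template, key: key}, nil
}

// Public is what the terminal records at enrolment to verify replies.
func (d *Device) Public() *ecdsa.PublicKey { return &d.key.PublicKey }

// Match is the on-device 1:1 comparison. The verdict is signed together with
// the terminal's nonce, so a captured reply cannot be replayed on a later visit.
func (d *Device) Match(nonce []byte, probe []float64) (bool, []byte, error) {
	ok := len(probe) == len(d.template)
	var dist float64
	for i := 0; ok && i < len(probe); i++ {
		dist += (probe[i] - d.template[i]) * (probe[i] - d.template[i])
	}
	ok = ok && dist <= matchThreshold
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, digest(nonce, ok))
	return ok, sig, err
}

// Verify is the terminal side: accept only a signed "match" bound to our nonce.
func Verify(pub *ecdsa.PublicKey, nonce []byte, ok bool, sig []byte) bool {
	return ok && ecdsa.VerifyASN1(pub, digest(nonce, ok), sig)
}

// digest binds the one-byte verdict to the nonce before signing.
func digest(nonce []byte, ok bool) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), map[bool]byte{true: 1}[ok]))
	return h[:]
}
```

Note that the terminal never sees the enrolled template, only a yes/no verdict it can check came from that particular chip for that particular visit.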

My new mantra

By Dave Birch posted Aug 13 2010 at 3:10 PM

[Dave Birch] Why do people (eg, me) say that "identity is the new money"? What does the catchphrase actually mean? I use it because I can see that we are heading into a transition period between the "old" world of electronic payments where we built dedicated networks to move money from account to account (the world of Visa and American Express, MasterCard and Diners) to a "new" world of electronic payments where there is a single network that all participants access. The money stays put in the cloud while we move our identity around access channels (the world of PayPal and M-PESA, WebMoney and QQ Coins).

The dynamics are easy to understand. The downward pressure on the pricing of commodity payments, the ubiquity of intelligent devices (of which the mobile is currently the most important) and the ease of connecting banks, retailers, processors and others, combine to create a new landscape, where most of the value of the payments layer comes from the ability to identify and authenticate the participants in the transaction.

We have long observed, in our classification, that in the long run digital identity will be more valuable than digital money. This is because authentication is difficult and expensive: if you break down the way that, say, your debit card works, and separate the authentication part (the chip and PIN) from the processing and settlement of the transaction (and all of the fraud management, customer support and so on) you can see the asymmetry between the money part -- a few bytes moving from bank to bank -- and the identity part.

There is an interesting area for speculation identified by this analysis. Who will provide the identity functions? Will it be the existing players who bundle identity as part of the payments business -- PayPal or Barclaycard -- or will it be players who deal with identity and reputation -- Experian or the Passport Services -- or will it be the players who deal with authentication and switching -- Vodafone or Google -- or will it be an entirely new class of organisation?

I have a suspicion that it will be the latter. Just as new economic environments have led to new kinds of organisations before, so they will again. Just as Visa arose to exploit new opportunities, so something like Visa will arise to create a digital identity infrastructure that creates new value. There is some logic to the proposition that it will be the mobile operators who in some way will give birth to this new organisation. That's because the technology required to implement digital identity is founded on public key infrastructure (PKI) and for this to work we need some secure storage, some tamper-resistant hardware, to store our private keys and to execute authentication processes. Right now, the one piece of tamper-resistant hardware that everyone has is the SIM in their mobile phone. Indeed, there are a number of initiatives around the world that are already starting to use the SIM for precisely this purpose. The examples of Turkcell in Turkey and BankID in a number of Scandinavian markets have been looked at before. I've bored on about this at length before:

One of the world’s leading experts in this field, David Birch, spent some time with me explaining how mobile operators, in particular, could actually become ‘smart pipes’ with financial transactions. The ‘secret sauce’ according to Birch, lies in the ability for operators to provide secure identification linked to the SIM providing private and public keys for multiple providers. The resultant digital signatures would allow for ultra-secure two-level authentication via the mobile device.

[From The 'secret sauce'? - The Insider - TM Forum Online Community]

How might this play out? In the US, we already see ACH alternatives to scheme payments emerging. An example is the "Pinpoint" card marketed by First Data ISO American Payment Systems. It provides a per-retailer loyalty scheme combined with ACH payment. Imagine something like this combined with stronger 2FA authentication at POS -- perhaps using 2FA to release an identity credential or authenticating using some mobile network-based validation (eg, ValidSoft's "proximity" transactions validation) -- to create a product where the payment is a commodity but identity isn't.

Continue reading "My new mantra" »

They must have been cuckoo

By Dave Birch posted Aug 11 2010 at 10:31 PM

[Dave Birch] Where are we going with authentication? Bruce Schneier made me think about this again with a post about the breaking of the Russian "spy ring" operating in the US.

Ricci said the steganographic program was activated by pressing control-alt-E and then typing in a 27-character password, which the FBI found written down on a piece of paper during one of its searches.

[From Schneier on Security: Cryptography Failure Story]

The Russian equivalent of "M" must be furious! "Doh! -- if it wasn't for those darn kids" etc. The idea that making a password 27 characters long (probably a pass phrase, in fact, since there are relatively few 27-letter words even in Russian) makes it secure is hilarious, since any user security expert would have absolutely predicted the scheme's doom. But this led me to muse in another direction, which is about how much time and money must be wasted messing around with these pointlessly long passwords that don't actually add any real security, that are just another kind of performance art in the great security theatre. I looked back through some of my notes on that topic and came across an actual figure (for the US).

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.

[From Boston.com]

So, in other words, if you made a law to stop everyone in the US from using passwords to log in to their bank accounts and insisted that they instead use some kind of 2FA that takes a minute (eg, look up OTP on mobile phone then type it in to web site -- which wouldn't actually protect against MITM attacks) then it would have to save $16 billion per annum to make it worthwhile. According to the FBI, US cyber-bank robbery is running about $100 million per month, or only about $1.2 billion per annum, so we're better off doing nothing.

What? Hold on, there must be a flaw in this approach, and it must be that the overall cost of the security has to factor in potential losses and the costs of rectifying them, as well as user time. Anyway, the point is we need to make some strides in authentication.

Continue reading "They must have been cuckoo" »

Linked

By Dave Birch posted Jul 28 2010 at 10:15 PM

[Dave Birch] I rather like LinkedIn, and use it reasonably often. It's proved a convenient way to build up my network of professional contacts in a very dynamic and useable form. Well, I say "my" professional contacts...

A recent judgement in the UK courts has forced a former employee of Hays to hand over details of the business contacts built up through LinkedIn.com whilst he was employed by them. The decision is one of the first in the UK to show the tension between businesses encouraging their employees to use social networking websites whilst trying to claim that the contacts should remain confidential at the end of their employment.

[From Bombay Crow: Who owns your online networking contacts?]

I have a slightly old-fashioned policy towards LinkedIn. When I get a connection request, I won't accept unless it is someone that I've spoken to (or, preferably, met in person). The validity of this policy was demonstrated during the week, when I read the story of the security consultant who set up a fake LinkedIn site for an imaginary woman called "Robin Sage" who supposedly worked in cybersecurity for the US Navy. In less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors.

Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise." It is not the first time "white-hat" hackers have carried out such a social-engineering experiment, but military and intelligence security specialists told The Washington Times that the exercise reveals important vulnerabilities in the use of social networking by people in the national security field.

[From Fictitious femme fatale fooled cybersecurity - Washington Times]

The story also revealed another sad truth, a reflection on human nature. Men will do anything for an attractive woman, without even bothering to check whether she's real or not.

Ms. Sage's connections invited her to speak at a private-sector security conference in Miami, and to review an important technical paper by a NASA researcher. Several invited her to dinner. And there were many invitations to apply for jobs.

[From Fictitious femme fatale fooled cybersecurity - Washington Times]

Jobs! You'd think one of the first, basic checks that someone might make is that their employment target is real! Yet we're told that social networking means that employers know all about us all the time.

“We’re hearing stories of employers increasingly asking candidates to open up Facebook pages in front of them during job interviews,”

[From The Web Means the End of Forgetting - NYTimes.com]

This would be fantastic, if it were true. I would love to work for someone so dumb that they think that what's on a Facebook page has any reputational capital value at all. In half-an-hour my kids could easily make up a Facebook page that would present them as the best candidate ever for whatever job. If employers are hiring people this way, they deserve what they get.

Continue reading "Linked" »