Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion
This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.
Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.
PA Consulting – which on Tuesday told ministers it had misplaced the unencrypted names, dates of birth and expected release dates of the inmates, as well as the addresses of 33,000 prolific criminals – has won £240m of government contracts since 2004, including one as the Home Office's "development partner" to "work on the design, feasibility testing, business case and procurement elements of the identity cards programme".
[From Consultants who lost data are working on ID cards - UK Politics, UK - The Independent]
Today, however, PA Consulting have vanished from the papers, having been swept away by the hilarious blunder by one of RBS' suppliers, who sold a disk drive on eBay without erasing it first.
The computer hard drive was sold for a paltry £35 but the information on it was priceless, as it contained highly sensitive documentation on American Express, NatWest and Royal Bank of Scotland customers.
[From Customers' bank data sold through eBay | News | TechRadar UK]
Now, while the newspaper anger is, to my mind, slightly misplaced, it must at some level lead to even further erosion of trust in banks. RBS losing people's personal details, including mother's maiden name, is bad; what is worse is that those same personal details, mother's maiden name included, can be used to execute transactions, because RBS (like many other banks) has no consistent two- or three-factor security across channels. The paper should be angry at banks for not implementing digital identity rather than for losing hard drives.
[Dave Birch] A common mistake in government-related discussions around identity is to completely misunderstand the nature of the problem itself:
people need to prove who they are many times during a day.
[From In Development » Just what is ‘identity’?]
No, they don't. People need to prove that they are entitled to do something or are allowed to do something several times during a day, which is actually an entirely different issue. Mind you, it's an often-repeated mistake, even amongst those who should know better but haven't really thought it through. When he was the Home Office Minister for ID cards, Andy Burnham said that "I take the view that it is part of being a good citizen, proving who you are, day in day out". How wrong can you be? Other than the current Home Office Minister for ID cards, Meg Hillier, who said that we should see ID cards as "passports in-country". Or, indeed, the Home Office Minister for ID cards before her, Tony McNulty, who said that
"There are now so many almost daily occasions when we have to stand up and verify our identity."
[From BBC NEWS | Politics | Labour admits ID card 'oversell']
I blame the education system, but blog readers may have some other explanations as to why this same, fundamental, error is propagated by people who ought to have some grasp of the issues.
[Dave Birch] Well, not really identity theft at all, but stealing credit card details on a massive scale then using them to obtain goods or services fraudulently. These ones got caught.
Federal prosecutors have charged 11 people with stealing more than 41 million credit and debit card numbers, cracking what officials said on Tuesday appeared to be the largest hacking and identity theft ring ever exposed.
[From 11 Charged in Theft of 41 Million Card Numbers - NYTimes.com]
Judging by the ever-escalating figures for credit card fraud, however, plenty of others are still getting away with it. Are the figures telling us something very specific about authentication: that online PINs and passwords are not only not a particularly good authentication mechanism but may actually make matters worse? The prosecutors allege that the criminals stole card details and PINs as they were passing (apparently unencrypted) over wireless networks, used the stolen details to manufacture fake cards, and then used the PINs with those cards to withdraw cash from ATMs. No PINs, no cash out of the ATM.
[Dave Birch] The British Government is to invest in three new research projects that will help to develop the next generation of secure identity management systems. The Technology Strategy Board, Engineering and Physical Sciences Research Council (EPSRC) and Economic and Social Research Council (ESRC) have joined forces to back the three projects with an investment of over £5.5 million. The three projects are:
Consult Hyperion are contributing to the VOME project (with Royal Holloway University of London, Cranfield University, Salford University and Sunderland City Council) and the pvnets project (with University of Oxford, University of St Andrews, University College London and University of Bath), so I hope to be able to share some interesting results with blog readers in the future!
[Dave Birch] The newspapers here are having a fine time with the very latest Dutch chip shenanigans: A Dutch researcher has shown The Times how easy it is to clone e-passport chips and change the details.
The Home Office has always argued that faked chips would be spotted at border checkpoints because they would not match key codes when checked against an international data-base. But only ten of the forty-five countries with e-passports have signed up to the Public Key Directory (PKD) code system, and only five are using it. Britain is a member but will not use the directory before next year. Even then, the system will be fully secure only if every e-passport country has joined.
[From ‘Fakeproof’ e-passport is cloned in minutes - Times Online]
Nearly right. It's digital signatures that "would not match", and the international database contains the public keys that allow you to check the signatures. I doubt it's much of a threat, to be honest, because you'd have to forge the paper part of the passport to match the cloned chip, and that strikes me as a little harder. The only people who read the chips, or at least attempt to read the chips, are immigration officers. My bank doesn't have any readers, nor does my airline, and nor does Eurostar or anyone else. Anyway, as the journalist points out, digital signatures are pretty useless if no-one implements them. I'm not sure why it's in the news today, since it's a recycling of a story that's a couple of years old.
A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.
[From Hackers Clone E-Passports]
It may be a symptom of a general collapse in public trust of any kind of government IT rather than a specific reflection on anything to do with e-passports.
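The point about signatures and the Public Key Directory is easy to see in code. The Go program below is an added illustration, not code from this blog or from any passport scheme: it models ICAO-style passive authentication in miniature (a flat directory of document-signer keys per country stands in for the real CSCA-to-DS certificate chain, and the type and function names, country codes and holder data are constructed for the example). It shows why an exact clone still verifies, why editing the details breaks the copied signature, why a forger who re-signs with his own key fools a reader that trusts the key found on the chip, and why a reader has nothing to check against when the issuing state has not joined the directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Chip is a simplified e-passport chip: the holder's data groups, the
// issuing state's document-signer public key (real chips carry the DS
// certificate) and the issuer's signature over a hash of the data.
type Chip struct {
	Country, DataGroup string // DataGroup is a constructed sample such as "SMITH;1970-01-01"
	DSPub              *ecdsa.PublicKey
	Sig                []byte
}

func digest(country, dg string) []byte {
	h := sha256.Sum256([]byte(country + "|" + dg))
	return h[:]
}

// Issue is the issuing state's job: sign the data with its document-signer
// key. Signing with rand.Reader does not fail in practice, so a failure panics.
func Issue(country, dg string, ds *ecdsa.PrivateKey) *Chip {
	sig, err := ecdsa.SignASN1(rand.Reader, ds, digest(country, dg))
	if err != nil {
		panic(err)
	}
	return &Chip{Country: country, DataGroup: dg, DSPub: &ds.PublicKey, Sig: sig}
}

// Clone copies the chip bit for bit, which is all a cloner can do without
// the issuer's private key; the copied signature stays valid.
func Clone(c *Chip) *Chip {
	cp := *c
	return &cp
}

// NaiveCheck trusts whatever key the chip itself carries: it catches a crude
// edit but not a forger who re-signs the edited data with his own key.
func NaiveCheck(c *Chip) bool {
	return ecdsa.VerifyASN1(c.DSPub, digest(c.Country, c.DataGroup), c.Sig)
}

// PKD stands in for the ICAO Public Key Directory: the document-signer keys
// that participating states have published. (Real readers chain a DS
// certificate to the state's CSCA certificate; a flat list keeps this short.)
type PKD map[string][]*ecdsa.PublicKey

// PKDCheck accepts only a signature made with a key the directory vouches for;
// if the issuing state has not joined, there is nothing to check against.
func PKDCheck(c *Chip, dir PKD) (bool, string) {
	keys, joined := dir[c.Country]
	if !joined {
		return false, "issuer not in PKD: signature cannot be verified"
	}
	for _, k := range keys {
		if k.Equal(c.DSPub) {
			if NaiveCheck(c) {
				return true, "valid signature under a PKD-listed key"
			}
			return false, "data changed after signing"
		}
	}
	return false, "document-signer key not published in PKD"
}

// Scenarios runs the cases behind the news story and reports pass/fail for each.
func Scenarios() map[string]bool {
	issuer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key generation with rand.Reader does not fail in practice
	forger, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dir := PKD{"GBR": {&issuer.PublicKey}} // GBR has published its key; "XXX" below has not

	genuine := Issue("GBR", "SMITH;1970-01-01", issuer)
	tampered := Clone(genuine) // details edited on a clone, signature left as copied
	tampered.DataGroup = "JONES;1985-05-05"
	forged := Issue("GBR", "JONES;1985-05-05", forger) // edited and re-signed with the forger's own key
	unlisted := Issue("XXX", "DOE;1990-09-09", issuer) // issuing state that never joined the PKD

	r := map[string]bool{}
	r["genuine_pkd"], _ = PKDCheck(genuine, dir)
	r["clone_pkd"], _ = PKDCheck(Clone(genuine), dir) // exact copy still verifies
	r["tampered_naive"] = NaiveCheck(tampered)        // edit breaks the copied signature
	r["forged_naive"] = NaiveCheck(forged)            // self-signed: a reader without the PKD is fooled
	r["forged_pkd"], _ = PKDCheck(forged, dir)        // PKD reader rejects the unknown key
	r["unlisted_pkd"], _ = PKDCheck(unlisted, dir)    // cannot be verified at all
	return r
}

func main() {
	fmt.Println(Scenarios()) // map prints with keys in sorted order
}
```

The two failure modes the article describes map onto the last two results: a reader that only trusts the key on the chip accepts the re-signed forgery, and a reader with the directory cannot say anything at all about a passport from a state that has not published its keys. Cloning alone never defeats the signature; it is the edit, or the missing directory entry, that does.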
[Dave Birch] Stuart Kwan, Director of Identity and Access at Microsoft, kicked off something a while back by talking about the need for some sort of "identity bus" that can allow different systems, components and applications to tap into an effective digital identity infrastructure. It doesn't exist as an architecture, let alone as products, but people do understand what he means.
The "identity bus" is, of course, still just a vision, but at least it is a beginning. Understanding and building toward an identity industry that is "the identity bus" should be the mission of every serious identity vendor out there.
Kim has been talking about this as well. There's a lot to commend this way of thinking. From the technical side, we all understand what a bus implies: standards and interfaces, "plug and play", commodity units. Whether this is realistic in the identity space needs further discussion, because the industry may not yet know enough about what is wanted, what the real requirements are, in order to be able to come up with some building blocks of lasting value. Yet in a discussion this afternoon, in connection with the use of mobile phones in the identity infrastructure, I did start to think that perhaps instead of endless industry bodies, government studies and new experiments, it might be better to just start plugging a few bits and pieces together.