About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion




    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


7 posts from November 2008

Cheering on ID cards

By Dave Birch posted Nov 28 2008 at 7:47 PM

[Dave Birch] One of my favourite recent identity stories was the one about the woman who assumed her daughter's identity to attend school so that she could fulfill her dream of graduating and being a cheerleader.

A 33-year-old woman stole her daughter's identity to attend high school and join the cheerleading squad, according to a criminal complaint filed against the woman.

[From The Associated Press: Mom allegedly uses daughter's ID to be cheerleader]

It's a shame that there won't be any more stories like this once ID cards are widespread. In the U.K., students are one of the target groups for the government's launch of its national identity card, so no more 16-18 year olds' "getting served in pubs" or "masquerading as a cheerleader" high jinks for them. But hold on a minute. If this woman could fool the school well enough to obtain a false identity as her own daughter, then wouldn't she be able to fool staff at the Identity & Passport Service (IPS) just as well? She'd sail through the rigorous interview (since she'd have no problem answering questions about her daughter's date of birth and such like) and then get a biometric ID card: cheerleader dreams still on. It's not as if it's impossible to fool government employees who, after all, are just people like us (except with better pensions).

The Home Office admits that nearly 5,400 fraudulent passports were probably issued last year alone. For the previous year the figure was 10,000. The DVLA admits that "tens of thousands" of its licences are suspect. The Guardian has been told that there may be around 100,000 "duplicate" driving licences in the system and nearly as many fictitious passports.

[From Up to 200,000 ID documents may be false | Money | The Guardian]

I wonder if the government will have to bring forward some kind of DNA testing in order to establish family relationships or to rule out this kind of personation. That set me to wondering just how close the woman's DNA would be to her daughter's, and then I remembered reading about a new DNA service that opens up the possibility of finding out.

If you've ever wanted to know just exactly how much DNA you share with your ridiculously tall brother or doppelganger best friend, you'll soon be able to find out. 23andMe, a personal genomics startup in Mountain View, CA, is about to unveil a new social-networking service that allows customers to compare their DNA. The company hopes that the new offering will encourage consumers to get DNA testing, potentially creating a novel research resource in the process.

[From Technology Review: Social Networking Hits the Genome]

I love the idea of social networking that includes sharing genetic information as well as fave pop bands (perhaps the power of the Internet will reveal a connection -- sorry, I just don't have a Robbie Williams gene), a sort of Facebook meets Dr. Moreau.


Opening for business

By Dave Birch posted Nov 20 2008 at 9:34 PM

[Dave Birch] Despite some criticism, OpenID continues to spread. I have a rather soft spot for OpenID, but it is fair to observe that not everyone is enthusiastic.

We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

[From Digital Domain - Goodbye, Passwords. You Aren’t a Good Defense. - NYTimes.com]

OpenID is simple (to technical persons such as myself), which is one of the main reasons why it is spreading, but that simplicity also means that it doesn't solve all of the problems.

OpenID provides Single Sign On to social networking sites and blogs. It means we can use a public persona across sites, and just log in once to use that persona. But OpenID doesn’t have the privacy characteristics that would make it suitable for government applications or casual web surfing. And it doesn’t have the security characteristics necessary for financial transactions or access to private data.

[From IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer]

True. However, there are people working to combine OpenID with other technologies in fruitful ways.

Google also announced that it is looking to combine the OAuth and OpenID protocol so that a service can not only request a user’s identity through OpenID, but also “request access to information available via OAuth-enabled APIs such as Google Data APIs as well as standard data formats such as Portable Contacts and OpenSocial REST APIs.”

[From Google Adopts, Forks OpenID 1.0 - ZePy]

All of these pointers suggest to me that business strategies should be featuring OpenID as a near-future practical component rather than as a distant solution to a poorly-understood problem.


Children and identity theft

By Dave Birch posted Nov 18 2008 at 4:55 PM

[Dave Birch] OK, so we know that overall identity theft is falling, but that doesn't mean it is vanishing and nor does it mean that it is falling for all segments of the population. A recent U.S. study about the theft of children's identities illustrates how the subject area is evolving. The issue of identity theft so far as children are concerned is an interesting one.

Rarely do parents or guardians consider the possibility that their child may have a credit history, and thus few will check to see whether their child has a credit report under their name. This can make children easy targets for identity thieves,

[From Debix - Research]

The headline results of this study are as follows:

  • The study discovered 5% of the children had one or more credit reports using their social security number
  • 3% were found to be actual victims of child identity theft, while 2% were victims of file/credit contamination.
  • Among the 5%, the children had on average $12,779 in fraudulent or wrongly assigned debt.
  • While the study found that children were more likely to find problems in their credit histories as they aged, an astonishing 12% of those with problems were age 5 and under.
  • A handful of cases stand out as especially severe: one child had seven identities listed under his SSN, with several thousand dollars in medical bills, apartment rentals, and credit accounts in collections; another child’s SSN was associated with over $325,000 in debt.
  • One in four victims in the study had bills or lines of credit in collections or foreclosure, while almost two-thirds of these children had fake or wrong names listed under their SSN.
  • 42% of those children with erroneous credit reports only had credit files at one credit bureau, meaning their fraud could have gone unnoticed without checking all three bureaus.

You can see why criminals are going for this mode of attack, because using the SSNs of children must have (on average) a longer time available for abuse before anyone detects fraudulent activity. And remember, behind each of these statistics is a real person left with the mess of cleaning up identity theft.

Police say identity theft is the reason the Internal Revenue Service recently warned a seven-year-old boy from the northwestern Chicago suburb of Carpentersville that he owed back taxes on $60,000. Officers said Friday the second-grader's identity has been in use by someone else since 2001 -- not long after his birth. Detectives accused 29-year-old Cirilo Centeno of Streamwood of using the boy's personal information to obtain a truck, three separate jobs, gas and electrical service for his home, a credit card, unemployment benefits and more than $60,000 in pay and services.

[From IRS tells 7-year-old boy he owes back taxes on $60,000 -- chicagotribune.com]

A credit card? Unemployment benefits? I don't understand how stealing a seven-year-old's identity helps you to obtain either of these, but clearly the government and the banks have some pretty lax "know your customer" procedures if a date of birth in 2001 can get you welfare and a line of credit.


Authentication in 3D

By Dave Birch posted Nov 14 2008 at 2:04 PM

[Dave Birch] Over on Digital Money there's been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One of the problems with the deployment of these services was that customers didn't really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.

The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.

[From Verified by Visa Europe upgraded to improve cardholder experience]

MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.

To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

I'm interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication service to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.


Mobile eye-D

By Dave Birch posted Nov 10 2008 at 9:17 PM

[Dave Birch] OK, so I've been thinking about mobile phones in the identity space again, because I've been considering a problem around remote identification in connection with a project we're working on. The mobile phone is an obvious focus for a solution, because everyone has one and (generally speaking) they know how to use them. Therefore, if you have to use your mobile phone in some way to identify or authenticate yourself on the web, you probably won't mind that much. And not having to buy some kind of dongle makes it cheaper. We have to be careful with this thinking though. As we discussed recently, we must be thoughtful and not make unwarranted assumptions about the security of the mobile handset, applications, network and systems. People think that mobile is more secure than it actually is, and not because master criminals are planting trojan horse viruses

Though he's seen cases in which customers were sent SMS messages that tricked them into giving up passwords or other key information, he hasn't yet seen any cases in which losses were caused by key logging programs or other malware that infiltrated cell phones.

[From Mobile Insecurity: Reality or Just hype? - 11..2008 - Bank Technology News Article]

What we need is for end-to-end security to become standard on mobile phones and, to my mind, what that really means as a first step is a digital identity infrastructure that is rooted in the SIM. This, in itself, is not that hard. A SIM Toolkit (STK) application for creating and verifying digital signatures together with a key pair is all that is needed to get started. But so long as the handset itself remains insecure, there will always be the possibility of viruses capturing PINs and so on. If the manufacturers could get together to add some kind of trusted processing to the handset (which, incidentally, would mean that mobile phones could become approved PEDs and become part of PCI-DSS solutions) it would open up a whole new field of value-added business.


The numbers game

By Dave Birch posted Nov 6 2008 at 10:15 PM

[Dave Birch] I was privileged to be invited along to the Home Secretary's talk on the roll-out of ID cards (not, sadly, because she reads this blog but because I'm a member of the IPS advisory forum). It was basically an update on the development plan outlined earlier in the year, explaining where the procurement is and what happens next. I imagine the focus of the media coverage will be the announcement that the original plan for all airport "airside" workers to get ID cards in the near future has been revised to an experimental 18-month trial of ID cards at two airports (London City and Manchester) and the confirmation that cards for foreign nationals will start on 25th of this month.

She also talked a little about a potential competitive market for enrollment services, which I think is management consulting fantasy (there's no reason to do anything other than enroll at certain post offices, which would provide a convenient income -- Jacqui estimated £200m per annum -- for a network threatened with politically unpopular closures and go with the grain of public expectation), and mentioned that a trial enrollment of 15,000 people had successfully detected duplicates and had no failed enrollments at all.


Personal development

By Dave Birch posted Nov 3 2008 at 9:50 PM

[Dave Birch] I was given a useful insight into a different perspective on identity, the developing countries' perspective, when I spoke on a panel at the Chatham House conference on Technology and Development. I'd actually been invited along because I know about mobile payments and mobile banking in developing countries, not because I particularly know anything about NGOs, foreign aid or so on, but it gave me the opportunity to sit in on some discussions that I wouldn't otherwise have heard. For example, one of the audience asked a question about the deployment of mobile phones in the development world, a question that would never have occurred to me. The question was about security and privacy, and I won't violate Chatham House rules by giving away any identifying information; suffice to say that the core of the question was about the use of mobile phone data, mobile phone location information, call records and billing information. In some countries, where you are and who you call is dangerous information that can have disastrous consequences.
