About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion


License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


7 posts from December 2008

It's always, always the same

By Dave Birch posted Dec 22 2008 at 7:13 PM

[Dave Birch] One of the reasons why a digital identity infrastructure ought to be more than just building a big database of everyone and then letting everyone have access to it is that the infrastructure will inevitably be abused by those on the inside, no matter how much effort goes into keeping out the bad guys on the outside.

Missouri Citibank employee Brandon Wyatt... accused of tapping Citibank's computers for customer information, then using it to set up checking accounts online with competing banks, including Bank of America, Washington Mutual and AmTrust. Wyatt allegedly wire transferred customer funds from Citibank to the new accounts, then cashed them out with additional transfers, checks, debit card purchases and ATM withdrawals. His take, according to federal prosecutors in St. Louis, was at least $380,000.

[From Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts | Threat Level from Wired.com]

It's hard to see how you can stop this from happening completely in an economic way, but what you can do is make sure that there is an audit trail so that someone who decides to have a go at this kind of fraud has a reasonable expectation of being caught. Although I have to say that armed bank robbers have a reasonable expectation of being caught (and a reasonable expectation of a long sentence if they are caught) but they still do it. Anyway, my point is that if you take people's personal data and put it in a honeypot, there is only one outcome. A database is not an infrastructure.
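As an added illustration of the audit-trail point (this is example code written for this page, not anything from Citibank or from the post), the detection below correlates an employee's customer-record lookups that have no service ticket with outbound wires from those same customers' accounts shortly afterwards, which is the pattern described in the Wired excerpt. The log format, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (not real data). Each line is a timestamp,
# an event kind, then key=value fields. "ticket=" empty means the lookup had
# no documented customer-service reason; dest=extbank is a wire to another bank.
AUDIT_LOG = [
    "2008-11-01T09:12:00 lookup employee=e1 customer=c100 ticket=T1",
    "2008-11-01T09:40:00 lookup employee=e2 customer=c200 ticket=",
    "2008-11-01T10:05:00 lookup employee=e2 customer=c201 ticket=",
    "2008-11-02T18:00:00 wire customer=c200 dest=extbank amount=9000",
    "2008-11-03T18:30:00 wire customer=c201 dest=extbank amount=12000",
    "2008-11-04T11:00:00 lookup employee=e2 customer=c202 ticket=",
    "2008-11-06T20:10:00 wire customer=c202 dest=extbank amount=7000",
    "2008-11-20T12:00:00 wire customer=c100 dest=extbank amount=500",
]

def parse(line):
    """Split one audit line into a dict of fields plus ts and kind."""
    ts, kind, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["kind"] = kind
    return fields

def correlate(lines, window_days=7):
    """Map each employee to the customers they looked up without a ticket whose
    accounts then sent an external wire within window_days of the lookup."""
    events = [parse(line) for line in lines]
    wires = defaultdict(list)
    for e in events:
        if e["kind"] == "wire" and e["dest"] == "extbank":
            wires[e["customer"]].append(e["ts"])
    hits = defaultdict(set)
    window = timedelta(days=window_days)
    for e in events:
        if e["kind"] != "lookup" or e["ticket"]:
            continue  # ticketed lookups have a documented business reason
        for w in wires.get(e["customer"], []):
            if e["ts"] <= w <= e["ts"] + window:
                hits[e["employee"]].add(e["customer"])
    return {emp: sorted(custs) for emp, custs in hits.items()}

def flag_insiders(lines, threshold=2, window_days=7):
    """Employees whose unticketed lookups precede external wires from at least
    `threshold` distinct customers; one hit may be coincidence, several are not."""
    corr = correlate(lines, window_days)
    return sorted(emp for emp, custs in corr.items() if len(custs) >= threshold)
```

In a real bank the lookup and payment logs live in different systems; the point of the example is that the correlation is only possible when both are written to an audit trail the employee cannot edit.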


That'll do nicely

By Dave Birch posted Dec 19 2008 at 9:29 PM

[Dave Birch] Some time ago, I pointed out that aggressive retailers might use ID cards to cut payment schemes out of the transaction loop, by using ID cards as payment tokens and using the ACH network rather than Visa or MasterCard and I subsequently wrote a piece on this for Electronic Finance & Payments Law & Policy. Having been thinking about this and other implications of the introduction of a national ID card scheme, I was surprised to hear from a bank that I was talking to that they had no strategy on the UK ID card (despite the fact that the first cards have already been issued) and no plans to develop a strategy. Now, on the one hand this is understandable, since the UK cards don't do much and there are no readers for them anyway, but on the other hand it may be unwise if other people are developing strategies that may impact banking.

As I have long been advising our clients in the payment space, there will be inevitable implications for retail payments businesses once a national ID card is in place.

[From Digital Identity Forum: Paying for identity]

Retailers want business change, not just lower fees, and as has been discussed over on Digital Money, retailers may well be the key stakeholder group when it comes to developing new payment schemes for use at retail POS. Now, a barrier to their competing with existing card schemes themselves has been the cost of issuing and managing secure smart cards or other tokens. But if the government is going to do it for them, then they may as well exploit it. I can easily imagine taking my ID card and a blank cheque down to Tesco, putting them both into a machine and punching in my PIN. Then, next time I go shopping, I punch my PIN into the keypad at the checkout lane, wave my ID card over a reader and then go on my way. This kind of service has already begun to spring up in the U.S.A., in response to the issuing of "Real ID" drivers' licences which have machine readable magnetic stripes that can be read at POS terminals. A company called National Payment Card (NPC) has begun to exploit the opportunity, by getting customers to register their bank details and a PIN against their licence. This means that customers can then pay for fuel by swiping their licences at petrol stations and entering a PIN. A similar national scheme has just launched in Malaysia, where one of the leading banks has begun installing kiosks where customers can use their bank chip card and the MyKad ID card (without biometric authentication) together to link the ID card with the bank account automatically:

Consumers will have to open either a savings or a current account with EON Bank, which is the only bank providing payment transactions through the MyKad at the moment.

[From Buy fuel with your MyKad]

The scheme is targeting the fuel sector in the first instance and has signed up all Caltex and BHP filling stations, so that customers can fill up and pay at the pump with their ID card. Since the margins on fuel are thin, the sector has every incentive to cut payment schemes out of the loop and move to direct bank transfer via ACH. I wonder if they even bother to authorise the transactions: after all, if you try to cheat them by presenting the ID card when you have no money in the bank, they have your ID details and I imagine you'll be hotlisted pretty quickly.


Vote "no" to yesterday's technology

By Dave Birch posted Dec 16 2008 at 2:32 PM

[Dave Birch] The recent Pew report on the Future of the Internet makes the same point that I have been droning on about for ages. Looking at PCs and the web doesn't tell you anything about the future, because the future is mobile.

“Clearly, in the long run, mobile wins,” says Consult Hyperion’s Birch. “For most people, in most of the world, most of the time, the mobile phone is the most important device.”

[From FST]

Now, in some advanced countries, it is seen as natural to begin to transfer applications that hinge on identity over to the most personal interweb interface, the mobile phone. An interesting case study is Estonia. We've looked before at Estonia's use of new technology and they are back at the forefront this month:

Lawmakers approved a measure Thursday allowing citizens to vote by mobile phone in the next parliamentary elections in 2011... The mobile-voting system, which has already been tested, requires that voters obtain free, authorized chips for their phones, said Raul Kaidro, spokesman of the SK Certification Center, which issues personal ID cards in Estonia.

[From Estonia to vote by mobile phone in 2011 - International Herald Tribune]

This is a similar architecture to that being deployed in Turkey, where the key pair at the heart of the scheme is stored in the SIM and the on-board application uses it for digital signatures.


Commercial activities

By Dave Birch posted Dec 11 2008 at 6:53 PM

[Dave Birch] Identity management technologies have to get into the consumer space and go with the grain of what companies and their customers want to do. Clearly we can't just start from scratch and redesign all commercial interactions on top of a (currently non-existent) identity infrastructure. Yet the technology that we need to improve the customer-business interaction is coming together, so it would be a good idea to try and figure how it can be made useful or attractive.

The good news is that these problems are already being addressed. Technology now makes possible an identity infrastructure that simultaneously addresses the security and public service needs of government as well as those of private sector organisations and the privacy needs of individuals. Privacy-enhancing security technologies now exist that enable the secure sharing of identity-related information in a way that ensures privacy for all parties involved in the data flow.

[From IdentityBlog - Digital Identity, Privacy, and the Internet's Missing Identity Layer]

The (albeit limited) marketplace concept of identity management as a way of making logging in to web sites and filling out online forms less painful is there, so it would be a good place to start.


Business and identity cards

By Dave Birch posted Dec 8 2008 at 11:53 AM

[Dave Birch] We've decided to run a number of events linking the Digital Identity Forum to sister organisations with shared interests. The first of these will be a joint seminar with EEMA at the British Computer Society in London on January 29th next year. This seminar, sponsored by Consult Hyperion, will be looking at the business opportunities that might arise from the introduction of the UK national identity card. You can register for the seminar at the EEMA web site. IPS will be presenting and we're hoping that all of their prime contractors will join an expert panel to share ideas on how British businesses can create new value around the scheme. We'll have an in-depth case study from Belgium to examine the business ecosystem that has grown up around the smart identity card introduced there. Look forward to seeing you there.


Gambling on ID security

By Dave Birch posted Dec 3 2008 at 9:42 PM

[Dave Birch] It's been a landmark week for those of us fascinated by the UK's national identity card scheme. The first cards have now actually been issued, so even as we speak identity fraud in the UK will be going... up. Why? Well, the government has met its own artificial target for the issuing of cards, but as you may have observed when you try to use one of the other smart cards in your possession (e.g., your debit card), the cards are not the system.

Britain's first ID cards cannot be read by any official body because the government has not issued a single scanner. Ministers promised to roll out hundreds of electronic readers of biometric details. However, a spokesman for the Home Office admitted last week that no employers, police forces, hospitals or colleges have been given the machine - and there are as yet no plans to issue them.

[From No scanners to read ID cards | Politics | The Observer]

So, in other words, as long as you can make something that looks like a plausible ID card, no problem. If you want to make it plausible, you need to go to the IPS web site to find out what physical features might be required to pass manual inspection. This will direct you to a helpful section on the UK Border Agency web site that describes those features in detail. It also explains how to verify a card that is presented to you...

Sponsors are expected to look at the card carefully. It will show the person's entitlement to work, study or access public funds. The Guidance on identity cards for foreign nationals shows how you can check a card to ensure it is valid. This will help you to become familiar with its design and recognise the card when you are shown one. It also gives information on the card's security features, to help you make your checks.

Although you are not legally required to check documents, we recommend that you do so for everyone you wish to employ.

[From UK Border Agency | Checking identity cards for foreign nationals]

The accompanying Guidance explains what a valid card should look like, but also includes some additional helpful steps for employers. These include

Physical checks can also be performed on the card. As it is made entirely from polycarbonate, it will have a distinctive sound when flicked, and the holder’s image will always be in grey-scale. The card should not be bent or folded, as this is likely to cause it to break. Contact with water should be avoided to prevent damage to the contact chip.

[From UK Border Agency | Checking identity cards for foreign nationals]

As far as I can see, life just got easier for illegal workers, since all they now have to do is to produce a valid-looking card and they are sorted. If you think that this is a hypothetical problem because no-one in the UK actually accepts these cards as proof of anything, think again.

UK casino operators can accept the Government's new compulsory identity cards for foreign nationals as proof of ID - provided they meet money laundering regulation requirements, according to the Gambling Commission.

[From Identity Cards Now Welcome At UK Casinos | GamblingCompliance.com]

I'm sure the chance of an illegal immigrant using a forged card to launder money in a casino is so small as to be infinitesimal, but nevertheless it does seem slightly odd to not even have plans to issue readers.


It was great until the users showed up

By Dave Birch posted Dec 1 2008 at 10:24 PM

[Dave Birch] An example that I've used before to explore what can go wrong with identity management systems is the smart card-based "strong" authentication system that has been delivered as part of the National Health Service (NHS) £20 billion Connecting for Health (CfH) scheme.

The poll of more than 300 GPs found that one in six family doctors said they were aware of NHS staff sharing smartcards in their area, and one in 20 GPs admitted sharing their own smartcard. Reasons given included the time taken to log on to systems or to access data at multiple terminals, and losing cards or leaving them at home.

[From E-Health Insider Primary Care :: CfH condemns smartcard sharing]

Now, obviously the $20 billion and still rising Connecting for Health scheme is hardly representative of the average project with identity management requirements, but it does illustrate what happens when the management consultant-driven, top-down, politically-architected grand project meets the real world: in the end, something always gives.

A spokesperson for NHS Connecting for Health said the sharing of smartcards was unacceptable and a serious disciplinary offence.

[From E-Health Insider Primary Care :: CfH condemns smartcard sharing]

Whatever.
