About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« April 2011 | Main | June 2011 »

4 posts from May 2011

What do they want us to do?

By Dave Birch posted May 26 2011 at 8:08 AM

What do the politicians, regulators, police and the rest of them want us (technologists) to do about the interweb tubes? It might be easier to work out what to do if we had a clear set of requirements from them. Then, when confronted with a problem such as, for example, identity theft, we could build systems to make things better. In that particular case, things are currently getting worse.

Mr Bowron told the MPs this week that although recovery rates were relatively low, the police detection rate was 80 per cent. However, the number of cases is rising sharply with nearly 2m people affected by identity fraud every year.

[From FT.com / UK / Politics & policy - MP calls cybercrime Moriarty v PC Plod]

So, again, to pick on this paricular case, what should be done?

Mr Head also clarified his position on the safety of internet banking, insisting that while traditional face-to-face banking was a better guarantee against fraud, he accepted that society had moved on. “If you take precautions, it’s safe,” he said.

[From FT.com / UK / Politics & policy - MP calls cybercrime Moriarty v PC Plod]

Yet I remember reading in The Daily Telegraph (just googled it: 20th November 2010) there was a story about an eBay fraud perpetrated by fraudsters who set up bank accounts using forged identity documents, so face-to-face FTF does not, as far as I can see, mean any improvement in security at all. In fact, I'm pretty sure that it is worse than nothing, because people are easier to fool than computers. I would argue that Mr. Head has things exactly wrong here, because we an integrated identity infrastructure should not discriminate between FTF and remote transactions.

I think this sort of thing is actually representative of a much bigger problem around the online world. Here's another example. Bob Gourley. the former CTO of the U.S. Defense Intelligence Agency, poses a fundamental and important question about the future identity infrastructure.

We must have ways to protect anonymity of good people, but not allow anonymity of bad people. This is going to be much harder to do than it is to say. I believe a structure could be put in place, with massive engineering, where all people are given some means to stay anonymous, but when a certain key is applied, their cloak can be peeled back. Hmmm. Who wants to keep those keys

[From A CTO analysis: Hillary Clinton's speech on Internet freedom | IT Leadership | TechRepublic.com]

So, just to recap, Hillary says that we need an infrastructure that stops crime but allows free assembly. I have no idea how to square that circle, except to say that prevention and detection of crime ought to be feasible even with anonymity, which is the most obvious and basic way to protect free speech, free assembly and whistleblowers: it means doing more police work, naturally, but it can be done. By comparison, "knee jerk" reactions, attempting to force the physical world's limited and simplistic identity model into cyberspace, will certainly have unintended consequences.

Facebook's real-name-only approach is non-negotiable – despite claims that it puts political activists at risk, one of its senior policy execs said this morning.

[From Facebook's position on real names not negotiable for dissidents • The Register]

I've had a Facebook account for quite a while, and it's not in my "real" name. My friends know that John Q. Doe is me, so we're linked and can happily communicate, but no-one else does. Which suits me fine. If my real name is actually Dave bin Laden, Hammer of the Infidel, but I register as John Smith, how on Earth are Facebook supposed to know whether "John Smith" is a "real" name or not? Ludicrous, and just another example of how broken the whole identity realm actually is.

For Facebook to actually check the real names, and then to accept the liabilities that will inevitably result, would be expensive and pointless even if it could be achieved. A much better solution is for Facebook to help to the construction and adoption of a proper digital identity infrastructure (such as USTIC, for example) and then use it.

The implementation of NSTIC could force some companies, like Facebook, to change the way it does business.

[From Wave of the Future: Trusted Identities In Cyberspace]

That's true, but it's a good thing, and it's good for Facebook as well as for other businesses and society as a whole. So, for example, I might use a persistent pseudonymous identity given to me by a mobile operator, say Vodafone UK. If I use that identity to obtain a Facebook identity, that's fine by Facebook: they have a certificate from Vodafone UK to say that I'm a UK citizen or whatever. I use the Vodafone example advisedly, because it seems to me that mobile operators would be the natural providers of these kinds of credentials, having both the mechanism to interact FTF (shops) and remotely, as well as access to the SIM for key storage and authentication. Authentication is part of the story too.

But perhaps the US government’s four convenient “levels of assurance” (LOAs), which tie strong authentication to strong identity proofing, don’t apply to every use case under the sun. On the recent teleconference where I discussed these findings, we ended up looking at the example of World of Warcraft, which offers strong authentication but had to back off strong proofing.

[From Identity Assurance Means Never Having To Say “Who Are You, Again?” | Forrester Blogs]

Eve is, naturally, absolutely right to highlight this. There is no need for Facebook to know who I really am if I can prove that Vodafone know who I am (and, importantly, that I'm over 13, although they may not be for much longer given Mr. Zuckerberg's recent comments on age limits).

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

An idea for the Independent Commission on Banking

By Dave Birch posted May 23 2011 at 9:15 AM

The Independent Commission on Banking recently published an interim report on their Consultation on Reform Options. This interim report raises the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seems reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seems a plausible request for 2011, but phone numbers and account numbers aren't quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then "registers" with a network. I am writing this in Singapore, where I just turned on my iPhone, so now my O2 SIM card is registered with Singtel. When you call my number, O2 will route the call to Singtel, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an "All Call Query" or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into there, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

It's entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let's call it the Current Account Number (CAN) — from the underlying bank account and have an industy database that maps CANs to IBANs. This database would be the equivalent of the ACQ database. (I rather like the branding too: if the banks decided to operate this cross-border, they could label it the international current account number, or iCan.) So the bank sends your salary via FPS to the iCan, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCan and thus reduces their own costs.

There is an analogy to this is in the way that some of the new contactless payment cards work. In the US, American Express credit cards give up what is called an "alias PAN". The PAN, or primary account number, is the 16-digit number on your credit card. When you use your Amex card via contactless, the 16-digit number it gives up is not the actual plan but an alias PAN. Only Amex know which actual PAN this alias PAN refers to. The advantage of doing this is that if criminals get hold of the alias PAN, they can't use it to make a counterfeit magnetic stripe card, because the alias PANs are only valid for the contactless cards (which they can't counterfeit, because the contactless cards have computer chips in them).

In the UK, we route by sort codes. Any account number beginning 20- is known to be Barclays, so a payment switch will send the payment through to Barclays. We might decide, say, that sort codes beginning with 00 are iCans. When you get your first bank account, the bank sets up the IBAN and iCan. For your salary, direct debits, standing orders and so forth, you give the iCan. BACS and FPS will be told about iCans, so when a payment to an IBAN beginning "UK00-" enters one of those systems, they go to a shared database and look up the IBAN to route the payment to.

The advantages of this are that banks would not have to do anything with their existing systems, because the iCans will always be translated into IBANs by the time they reach their systems.

The disadvantages are that the public might not understand what is going on and, since they don't change bank accounts that often, they might not bother to find their iCan and tell their employers, utility companies and others. It doesn't deliver enough value to them, so we need to find some way of bundling the iCan to find more ways to use it to the benefit of stakeholders. One idea might be to create some kind of Financial Services Identifier, or FSI, which is an index not only to the iCan but to other data as well. If this meant an increase in consumer convenience, then it would spread by itself and take the iCan with it.

To see how it might work, consider my household. I rather belatedly decided to remortgage in order to abandon my outrageous fixed rate and obtain a base rate plus variable rate mortgage just in time for interest rates to rise again (I know nothing about personal finance). I went along to Barclays, my bank of 33 years, to apply and they sent me a multi-page form to complete. I was unable to uncover a single question on this form that they didn't already know the answer to. Yet I had to fill it out and they had to type it in. What a waste of time and money.

Similarly, when I applied for the most middle-class of all financial instruments, the John Lewis MasterCard with cashback in the form of Waitrose vouchers, I went off to their web site and filled some stuff out and it said something like "congratulations, you're accepted". My happiness was short lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in hommage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement, a handy identity theft kit all in one. Coincidentally, she also had to post off her driving licence because of a speed camera ticket, and it never came back. Foreign readers might be puzzled at this Victorian process, but it's because British driving licences have a paper supplement on which (I'm not making this up) the police write your speeding points. Such is the state of our identity infrastructure in 2011.

All of this is ridiculous in this day and age. Once someone is "known" to the British, or perhaps even European, financial services industry then there should be no need to go through all of this nonsense every single time they come into contact with the industry again.

In the world of payments, a related discussion has sprung up. This is the discussion about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only and the some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

A global standardized Legal Entity Identifier (LEI) will help enable organizations to more effectively measure and manage counterparty exposure, while providing substantial operational efficiencies and customer service improvements to the industry ... The LEI Solution is a capability that will help global regulators and supervisors better measure and monitor systemic risk.

[From Legal Entity Identifiers: An Emerging Risk Management System]

I'm sure I'd heard somewhere before, possibly at the International Payment Summit, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that's no longer the case. Fabian Vandenreydt, the new Head of Securities and Treasury Markets at SWFIT, recently said that the International Standardization Organization’s Technical Committee 68 (ISO TC68) has concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch but ISO TC68 want we we nerds call an MBUN (a "meaningless but unique number").

I don't think this is way forward for people, though. LEIs are unique corporate identifiers: a corporate identity has one, and only one, LEI. Fortunately, or unfortunately, depending on your view, there is no unique identifier for British persons (and nor is there likely to be under the present administration), nor Europeans, nor citzens of the world. And I don't think we would want the financial services industry to develop its own sort-of-identity card scheme. We just want a simple, portable, pointer to a person that can be used to index into their KYC'd persona.

The easiest way to do this would be to assign a unique financial services identifier (FSI) to a person or other legal entity the first time that they go through a KYC process. I might have the FSI "citizendave!barclays.co.uk", for example. One someone has one of these FSIs, then there would be no need to drag them through "know your customer" (KYC) again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your FSI and watching the application form magically populate by itself on screen.

It doesn't matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a KYC process. If the FSI Directory ends up with two "Dave Birch" entries, so what? It's not an ID card scheme, it's a "save money for the financial services sector and make life easier for consumers" scheme. And it wouldn't matter either if both of my FSIs point to different iCans: I might, for example, have a personal persona and a small business persona -- lets say citizendave!barclays.co.uk and citizendave!rbs.co.uk and that point to my personal and my small business accounts -- and I want to use them for different purposes.

Picture this. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the FSI (obtained from your card) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the FSI Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is printed out for you to sign and, once you have, the existing system for transferring accounts is triggered.

There might be another useful spin-off from the FSI as well. Suppose you could designate a default account against the FSI: generally speaking, your iCan, but it could also be a prepaid account somewhere, or your PayPal account or whatever. Then someone could send you money by giving your FSI: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the FSI into the ATM, or their internet banking screen, or (most likely) their mobile. You might get used to storing FSIs in address books. There's nothing secret about them, and because every use of an FSI would require two-factor authentication, no-one can do anything with your FSI just by knowing it (except send you money).

For this to work, then, there needs to be some way for a customer to prove that they are, indeed, the person referenced by the FSI. There's no need to invent anything new for this: banks could use CAP/DPA, some third-party service (which in a rational world would be provided by mobile operators) or their own app to do the authorisation. We have everything we need to deliver the results that the Commission wants: step 1 create the iCan, step 2 create the FSI, step 3 operate a more efficient, more effective and more convenient banking system.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

News from the bunker

By Dave Birch posted May 17 2011 at 4:21 PM

The government is battening down the hatches and repelling all boarders, even if they have e-tickets. And not before time!

Foreign intelligence agencies are carrying out sustained cyberattacks on the UK Treasury, targeting it with malicious emails and programs designed to steal information, the Chancellor, George Osborne, has revealed. He said that government systems are the target of up to 20,000 malicious emails every month

[From Osborne: Treasury under sustained cyberattack | Technology | guardian.co.uk]

And that's not counting the ones from taxpayers, I imagine. Setting aside how ludicrous and meaningless this figure is, there is nonetheless a serious point. If Son-of-Stuxnet crashes the Treasury, that might well be a net benefit to the economy, but if it crashes the electricity distribution network, even I won't be laughing. We need effective cyberdefences. So what should the authorities do to bolster these defences? I would have thought that have some kind of working identity infrastructure might be a first step, and in that respect things haven't been going to well in the UK.

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter - Home Office suppressed embarrassing ID cards report]

The report says that there were no specifications for usage or verification (which we knew - this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) that "it is likely that European travel" will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed, what the Identity & Passport Service (IPS) delivered was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it "Passport Plus" and selling it to frequent travellers (eg, me) as a convenience, and idea that really should have been taken more seriously by the coalition administration.

As an aside, the report also says (in section 5.5) that the "significant" number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report - 1/7/2011 - Computer Weekly]

How did it all go do wrong? Liam Byrne was supposed something about IT as he used to work for Accenture, as did the James Hall (Joan Ryan was a sociology teacher who later became famous for claiming more than £170k/annum in expenses). All in all, it was a pretty disastrous period for those of us who think that identity infrastructure is crucial to the future of UK plc, let alone the UK government. This is not to say that, despite all of the evidence (including today's fascinating FT piece on the UK government's equally disastrous NHS infrastructure project), that the UK is uniquely hopeless at developing identity infrastructure for the 21st century.

Thai citizens who applied for their first national identity card or who applied to have their ID card renewed, have been issued with a yellow slip instead of the new microchip-embedded "smart" cards. The reason behind the problem is that the Interior Ministry refused to accept the new "smart" cards which were supplied by the Ministry of Information and Communications Technology, claiming that they did not meet the prescribed specifications stipulated in the ministerial regulation.

[From Bangkok Post : The silly saga of 'smart' cards]

Now, this may seem funny, but I ought to point out in the interests of international balance that there are, right now, in 2011, many people walking around branches of the British government with printed pictures of smart cards hanging around their necks. Yes, that's right: pictures of smart cards, rather than actual smart cards. I'm afraid our cyberdefences are more a cyber home guard at the moment.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

25% increase in authentication

By Dave Birch posted May 10 2011 at 9:59 PM

I had an annoying problem with my PayPal account that ended up with me being posted a password, all quite tedious and strangely manual. As I observed at the time, it seemed odd that in 2011 we hadn't got anything figured out when it comes to authentication. Why couldn't I use my Barclays 2FA PINSentry to prove who I was to PayPal? In fact, why couldn't I use it for 2FA in general, since moving from passwords to 2FA involving tamper-resistant hardware would be a simple way to improve security across a range of services. We don't use 2FA, and we should.

But that might be changing [recently] Google launched two-factor authentication for Google Accounts—the credentials you use to log in to all Google services, including Gmail.

[From Two-factor authentication: Gmail's new system offers more security than just a password. - By Farhad Manjoo - Slate Magazine]

This is a good step. I use gmail, and I'd actually prefer to use it with 2FA than without, provided that the 2FA is based on something I already have, such as my phone, because I don't want to carry another dongle. Unfortunately, my mobile operator doesn't provide any sort of identity management or authentication services, so I can't use my phone. I do already have a tamper-resistant chip that I have with me most of the time, and that's in my bank card. Why not use that in some way?

Alternatively, you could slide your credit card through your phone's card reader—or simply wave your credit card so that it can be recognized by the "near-field communication" chip in your phone.
Are these things too far out?

[From Two-factor authentication: Gmail's new system offers more security than just a password. - By Farhad Manjoo - Slate Magazine]

I'd say not really, especially since I've seen SecureKey's system for doing just this work perfectly with Google, using a USB key NFC reader and the customer's contactless bank card to provide the second factor. Today I read about someone pitching iris recognition via USB device as a potential third factor as well. But are three factors enough?

I saw a discussion over at the Identity Management Specialists Group on LinkedIn that set me wondering about authentication factors. Traditionally, us experts have referred to three authentication factors: something you know, something you have and something you are (or, as Ben Laurie once told me, something you've forgotten, something you've lost and something you were). The LinkedIn discussion was about whether location might be a fourth authentication factor, because it is independent of the other three and can be determined in isolation.

So does this make sense? Is location an alternative third factor, another kind of "something you are" or is it genuinely something new that adds an additional degree of authentication power. The conclusion in the group discussion was (I think!) that location isn't an authentication factor because where you are doesn't change who you are, but that it is an authorisation factor because you may wish to assign different capabilities to an identity depending on where the physical person is (ie, are they in the office or at home?). I'm not so sure about this: it seems to me that corroborating your location obtained from your mobile phone with, say, a password, does indeed strengthen authentication. There are plenty of options, so a workable strong authentication scheme must be getting closer. right?

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]