About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

51 posts categorized "Identification & Authentication"

Law 2.5 or 3.0 or whatever

By Dave Birch posted Jul 8 2010 at 11:06 AM

[Dave Birch] Now, as I'm fond of saying, the whole real/virtual thing is a bit fuzzy. One of the areas where this is frequently demonstrated is crime...

the Habbo Hotel folks have now asked Finnish police to investigate 400 cases of "theft" in their world. Seriously. Of course it is a bit more complicated than that. They're really upset about phishing scams that let scammers get users' login information, which they then use to get into their account and transfer the virtual goods away. But that's not really "theft" and it's a misnomer to call it that.

[From Yet Again, Real Police Called Into Virtual World Over (Not Really) Theft Of Virtual Items | Techdirt]

Correct. This isn't theft any more than copying an MP3 is theft. It is closer to what we might think of as theft, though, in that it's fraud, and fraud that prevents the rightful owner of the virtual goods from enjoying their use (which is not the case when a teenager copies a friend's CD).

And, really, if Habbo Hotel users are getting phished so frequently, perhaps the Habbo developers should focus on building a better login system that is not so susceptible to simple phishing scams.

[From Yet Again, Real Police Called Into Virtual World Over (Not Really) Theft Of Virtual Items | Techdirt]

This is correct. It is wrong to expect the rest of society to pay to support a business model that is founded on technology that is not fit for purpose. You wouldn't let carmakers sell vehicles without locks to save money while simultaneously lobbying for higher spending on the police to prevent car theft.

But here's an interesting thought experiment. If there were a working digital identity infrastructure, would it be possible to build a working law enforcement system on top of it? I think the answer is yes, because crime and punishment would both be founded on the management of reputation. Think of the example of eBay stars: if I am a top seller on eBay, then taking away my stars is a serious punishment, much worse than fining me money or, in some cases, locking me up.

Continue reading "Law 2.5 or 3.0 or whatever" »

There isn't an app for that

By Dave Birch posted Jul 6 2010 at 1:03 PM

[Dave Birch] Hurrah! My bank, Barclays, tell me that they have a new and improved mobile bank service. Fantastic. I go to the iTunes App Store. Nothing there. Odd. Turns out that the new and improved mobile bank service is just the web service but on a mobile phone. Oh well.

With odd serendipity, this came up at the recent Mobey Forum meeting in Helsinki. While watching a demonstration of Nokia Money, I got a text message from my son who was in London visiting his girlfriend and had run out of money. He asked me if I could send him £10 to get a train home. I was forced to reply that I could not, because we live in the UK and not in an advanced country such as Kenya, where phone-to-phone money transfer is commonplace. I fired up my iPhone and went to the Barclays page, only to discover that I couldn't log in and send him some money because I don't know my 12 digit user code (or whatever it is called) and I didn't have my dongle anyway (it was back home on my desk). (In case you are worried, the day was saved because he was able to go back to his girlfriend's house and borrow the money from her parents.)

Now, this demonstration of the utter hopelessness of mobile financial services in the UK took place under the watchful eye of Mobey Forum executive director Liisa Kannainen, who promptly showed me how she had responded to an earlier, similar, request from one of her children...


Yes, she still uses the same paper-based Nordea Transaction Authorisation Number (TAN) system introduced in Finland for remote banking years ago. And it still works fine. So to send her kids money, she logs in on the phone and is prompted for the next TAN. She types it in and then crosses it off. Works perfectly. And she always has her TAN list with her in her purse, whereas I never have my dongle with me away from home.

What I do have with me all the time is, of course, my mobile phone. As do almost all of the population. Surely it would make sense for both Nordea and Barclays to move to some standard mobile phone-based 2FA scheme. And then we could move to a standard set of authentication "levels". For small transactions, just have the phone. For larger transactions, enter a PIN into the phone. For very large transactions, have the phone take your voiceprint, then enter a PIN. Something like that. And if we could use it to log in for banking, then why couldn't we use it to log in for other things as well?

Continue reading "There isn't an app for that" »

Magic bullet it's not

By Dave Birch posted Jun 8 2010 at 9:08 PM

[Dave Birch] I was in a meeting recently, the context is not relevant, where some of the Consult Hyperion team were helping a customer to develop a roadmap that included a future transition to biometrics, and a discussion began about whether biometrics in certain kinds of mass market systems are about security or convenience (I'm convinced that they are about convenience, but that's another discussion) and, if they are about security, whether existing biometrics are "secure enough". "Secure enough", though, is a complicated assertion -- I'm glad to say, otherwise our risk analysis business wouldn't be around for long -- and this reminded me about a story from the Gulf about a woman who had been deported and then re-entered because her biometrics didn't match the ones of hers on the "already been deported" register.

Although there were glitches in the system when it started, “for the past three or four years, we have not heard of a single case of someone getting around this”, the representative said.

[From Iris scan fails to stop returning deportee - The National Newspaper]

But this is illogical, isn't it? If there were glitches in the system that allowed people to get through, then the bad guys would learn about this pretty quickly. People who are getting through on forged passports and not being recognised by the iris-recognition system are not going to report the system's failure. So how would anyone know? It's only when a failure comes to light through some other route that the failure is "logged". So while the system is apparently working perfectly, in reality it isn't. Let's hope that a more detailed investigation in the UAE reveals that this woman's irises were not scanned on re-entry or it will be back to the drawing board for many people.

As readers will know, I like the idea of a "gold standard" biometric database, comprising iris, face and finger biometrics, to ensure the uniqueness of identity numbers (and that's all). Adding biometrics to any identity system isn't a "magic bullet", but having a system that is founded on guaranteed uniqueness achieved through the use of biometrics might just be.

Continue reading "Magic bullet it's not" »

Cloudy with a chance of PKI

By Dave Birch posted Apr 26 2010 at 8:25 PM

[Dave Birch] I had a lovely time chairing the panel on mobile payments at the April meeting of Mobile Money at the GSMA. I was lucky to have a great set of panelists, including Neil Daly who is the Mobile Money Director at the GSMA. Neil made a terrific presentation, but I can't tell you about it because all of his slides were marked "confidential" and I don't want to get into trouble. So, anyway, what does all of this have to do with identity? Well, during the excellent panel discussion, John Lunn from PayPal, whose opinions I always take seriously, made (I think) a profound point. He said that as payments are disappearing into the cloud, they are going to merge, so that mobile payments and internet payments and all other payments (including retail payments) become the same thing, essentially. He's not the only person who thinks this.

Most consumers still pay offline, like in restaurants or stores. But I have no doubt that in future all these businesses will be connected to the Internet and then, virtually all payments will be made online.

[From Globes [online] - Israel business news - For PayPal, it is only the beginning]

A few days later, at the Future of Money This makes for some interesting thinking, because the use of new devices and new networks to access the cloud data means that all sorts of new services can be provided. But it also means that the evolution of digital money and digital identity will be wholly interconnected because the problem of all payments will resolve down to identifying the payment "account" associated with the individuals (or the individual and the merchant) and then authenticating that they are who they claim to be. Once these steps have been taken, then moving a few bytes around to execute the payment is not much of an effort. (Almost) anyone can do it and absolutely everyone can use it.

A software platform—perhaps in the cloud-- can lower those costs by investing in linking to the multitude of software programs that handle various elements of payments. By exposing APIs, this software platform then makes it possible for entrepreneurs to quickly integrate into most relevant aspects of the payments business... A great deal of innovation can be unleashed once these APIs are exposed.

[From Why the Payments Industry Needs a Catalyst to Drive Payments Innovation - pymnts.com]

Following along this line of thinking, where are the high added-value nodes in the new value network? If anyone can provide the engine, anyone can access the APIs, anyone can come up with ideas for using the new payments platform, what is there that not anyone can do? One fruitful area for exploration might be security.

Continue reading "Cloudy with a chance of PKI" »

“Location-based” login protection

By Dave Petch posted Feb 19 2010 at 11:03 PM

[Dave Petch] It’s not often the case that eBay users find cause to congratulate the internet giant, in fact quite the opposite is usually the case.  Whether it’s seller rebellion against fee hikes, anger at seller policy changes, lawsuits against the selling of counterfeit goods or password vulnerabilities in the developer program, eBay are never far away from controversy of some kind.

So I was therefore pleasantly surprised to discover that eBay (in the UK at least) have implemented location-based login checks, something which would surely assist in the ongoing fight against phishing attacks were it implemented more widely at other online merchants / communities. It was also another great but simple example of the utility of the mobile phone as an authentication channel.

I discovered this through the somewhat suspect process of using my friend’s eBay login details to help him sort out an item listing issue that he had.  He’s one of those illiterate computer users who doesn’t know one end of the web from the other, so he didn’t hesitate in telling me his login and password over the phone.

My friend lives 20 miles away from me.  When I tried to log in using his valid credentials, eBay took me to a page stating it had been noticed I was logging in from a “location” that was not my usual one.  I presume this was detected using my IP address, although whether it was able to trace me to a spot in Guildford or just to the location of my ISP is not clear (a whois of my IP address at home tells me that I live in Hull, East Yorkshire, which is at least 230 miles from my house but unsurprisingly not very far from my ISP).  However, for the security mechanism in question, this was more than enough information for eBay to detect the disparity from my friend’s usual network access data.

I was then asked if I wished to be authenticated using either a phone call (instant) or an email (short delay).  I selected authentication by phone call (it uses the existing registered number and does not allow you to enter a different one), my friend’s mobile rang almost instantly, after which an electronic voice announced, “Hello, this is eBay, are you expecting this call? If so, press #”.   My friend pressed # and an access code was read out to him.  He reported the code to me, I entered it at the website and in I went.

The specifics of the situation were obviously beyond that for which the protection mechanism was strictly designed, but the process worked very smoothly and was close to real time, it presented the user with alternative options for added convenience and, above all, it was simple.  Sure, it slowed me down for a minute, but my initial thought was that such a simple mechanism would surely assist in the fight against the use of phished credentials.  If you cannot stop the consumer from continuing to fall for what is fast becoming one of the oldest tricks in the book, then stopping the use of those captured credentials using simple location checking seems to be a worthwhile next step, at least until such time that the highly flawed method of user authentication that we call “passwords” is replaced by something better.

There was a flaw in the process, however.  Having completed my login to the website using my friend’s credentials, I then asked him to log in at the same time so that he could see the effect of the changes I was making to his item listing.  eBay allowed him straight in, although it should have been clear at this point that it was not possible for him to be in two different locations at the same time, at least not without considerable mind power.
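The login check described in this post, extended with the concurrent-session test it found missing, as an added example that is not part of the original post and not eBay's code. The class and function names, the region labels and the phone placeholder are constructed; mapping an IP address to a region is assumed to happen elsewhere.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ALLOW, CHALLENGE = "allow", "challenge"


@dataclass
class Account:
    registered_phone: str                    # fixed at enrolment, not editable at login
    usual_regions: Set[str]
    sessions: Dict[str, str] = field(default_factory=dict)   # session id -> region
    pending_code: Optional[str] = None


def assess_login(acct: Account, region: str) -> Tuple[str, str]:
    """Risk decision taken after the password has already been verified."""
    if region not in acct.usual_regions:
        return CHALLENGE, "unfamiliar region"
    # The missing check: a live session somewhere else means one of the two
    # logins is not the owner, even if this one comes from the usual region.
    elsewhere = sorted({r for r in acct.sessions.values() if r != region})
    if elsewhere:
        return CHALLENGE, "concurrent session in " + ", ".join(elsewhere)
    return ALLOW, "usual region, no conflicting session"


def issue_code(acct: Account) -> Tuple[str, str]:
    """Create a one-time code; returns (destination, code) for the voice call."""
    acct.pending_code = f"{secrets.randbelow(10**6):06d}"
    return acct.registered_phone, acct.pending_code


def redeem_code(acct: Account, supplied: str) -> bool:
    expected, acct.pending_code = acct.pending_code, None    # single use
    return expected is not None and hmac.compare_digest(expected, supplied)


def login(acct: Account, region: str, phone_owner_relays_code: bool):
    """Returns (outcome, reason, session id or None)."""
    decision, reason = assess_login(acct, region)
    if decision == CHALLENGE:
        _, code = issue_code(acct)           # read out on the registered phone only
        supplied = code if phone_owner_relays_code else ""
        if not redeem_code(acct, supplied):
            return "denied", reason, None
        decision = "allow-after-code"
    session_id = secrets.token_hex(8)
    acct.sessions[session_id] = region
    return decision, reason, session_id


def replay_post_scenario():
    """Constructed replay of the sequence in the post, plus a phished login."""
    friend = Account("registered mobile (placeholder)", {"friend-home"})
    return [
        login(friend, "helper-isp", True)[:2],    # helper; owner relays the code
        login(friend, "friend-home", True)[:2],   # owner logs in while helper is active
        login(friend, "elsewhere", False)[:2],    # stolen password, no access to phone
    ]


if __name__ == "__main__":
    for outcome in replay_post_scenario():
        print(outcome)
```
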

Jorge Krug, Banrisul

By Dave Birch posted Jan 5 2010 at 12:34 PM

[Dave Birch] Jorge F. Krug is the head officer of the IT Security Division of Banrisul, State Bank of Rio Grande do Sul, Brazil, and has a seat in a number of IT associations and committees, including Brazilian Bank Association (FEBRABAN)’s Digital Certification Committee, Sucesu-RS (Society of Computer Science and Telecom Users of the Rio Grande do Sul State), ASBACE (Brazilian Association of State and Regional Banks). Mr. Krug is also the head of AC-RS (Rio Grande do Sul State Digital Certification Authority). In this podcast he talks about the introduction of the Banrisul EMV card with PKI on board, a project previously discussed in detail on this blog.

Listen here in either [Podcast MPEG4] or [Sound-only MP3] format.

Continue reading "Jorge Krug, Banrisul" »

What's in-store?

By Dave Birch posted Dec 8 2009 at 4:26 PM

[Dave Birch] I was looking something up and came across a post that I'd made about a report from TNS Global on the "New Future in Store" and I noticed that of a list of new technologies that they interviewed the European public about, fingerprint payments were rated top. This struck me as incongruous, given the commercial failure of fingerprint technology-based payment systems at POS, including in Europe.

Albert Heijn has currently decided not to follow up on the trial, citing ‘security issues and vulnerability to fraud’. The participants however were enthusiastic about the payment method and applauded the fact that they could complete their purchases without needing their debit cards, cash or loyalty cards.

[From The Paypers. Insights in payments.]

There was a similar trial in the UK, with the Co-Op, that was similarly discontinued. That's not to say that biometrics are of no interest to retailers, because there are some processes that can be greatly improved through the use of the technology.

The Co-operative Group is to use fingerprinting machines to track staff hours. The society plans to install biometric data collection terminals in its food stores over the next two years to record the working hours of its 55,000 staff.

[From thegrocer.co.uk | Articles]

This illustrates a general point from my talk at Biometrics 2009, which is that the commercial payback on biometrics as part of an overall identity management strategy looks much better when it comes to "staff" applications rather than "customer" applications. That's not to say that biometrics will not become a customer choice in the future.

Continue reading "What's in-store?" »


Collision

By Dave Birch posted Dec 2 2009 at 4:28 PM

[Dave Birch] Here at Consult Hyperion we've recommended to more than one non-US customer that they look at specifying PIV solutions. Why? Because PIV does almost all of what they want, and the cost and integration advantages make it a better short- to medium-term solution. But there's another less tangible reason for being interested in it: because once the US government has chosen something as a "standard", then that is where the energy will go, because the suppliers are rational people. The seal of approval is very, very important. Which is why I'm not the only one who has been reflecting on just how significant the US government's support for OpenID is. When this support was announced, Bob Blakely highlighted just how important an announcement it was.

But the identity world had its own big news today; the news is that the US Government has teamed up with the OpenID Foundation, the Information Card Foundation, the Kantara Initiative, and InCommon in creating the Open Identity Initiative.

[From Burton Group Identity Blog: US Government Identity News]

I was involved in some discussions with a government department a few months ago -- long before the US government announcement -- during which I suggested opening up some public services using OpenID. My reasoning was that we could experiment with "soft" OpenIDs provided by (to consumers) familiar services. If you asked a customer to log in to the DVLC using their Facebook "Identity", then I'm sure they would manage to do this with little training and no mention of trust infrastructures and the like. Once they are comfortable with this, then you can restrict access to "hard" OpenIDs (by which I mean 2FA OpenIDs).

The central point, though, was that the government could help to create an identity infrastructure built on a diverse selection of "private" digital identities. I think that, as Burton note, the US government's decision signals a genuine paradigm shift in this direction, a genuine change in the mental model around identity.

after years of government attempts to create identities and assign them to citizens (via such bad ideas as the UK National ID scheme and the US REAL-ID act), a government has finally recognized that individuals already HAVE identities, and that it’s a better idea, for most purposes, to use these identities than to establish a new government bureaucracy to create new identities

[From Burton Group Identity Blog: US Government Identity News]

Personally, I think that the government ought to be a "gold standard" identity provider as well as an identity consumer, but that's another issue.

Continue reading "Collision" »

Air side

By Dave Birch posted Nov 9 2009 at 6:20 PM

[Dave Birch] The whole business of air travel is a laboratory for experimenting at the boundary between public and private identities, where national and international agreements interact with corporate alliances, outsourcing and value chains to produce a complex environment that needs and benefits from change. Speaking as a frequent traveller, and happy near-weekly user of Heathrow's Terminal 5, it seems to me that air travel has got considerably quicker, more efficient and simpler in the last couple of years. I print my boarding pass out at home, jump in a cab or on the train, nip through T5 to the lounge and then on to the plane -- the only hold-up in the whole process is the queue for security on the way out (sometimes this can be 10-15 minutes even at T5) and the queue for passport control on the way in.

However, the need to print a physical boarding pass, even using 2D barcodes rather than a magnetic stripe, and the lack of an efficient bag drop system means that despite the universal electronic ticket for air travel, more than two-thirds of passengers still went to a check-in desk. Where to look for the next improvement? Well, I'm sure like most people I think that the key technology that will change this is the mobile phone. If the mobile phone allows you to check in and obtain a boarding pass, and a kiosk at the airport allows you to self-tag (clearly there are some security issues around this) then the flow through airports would increase significantly and the costs would reduce accordingly.

In fact I saw a presentation for one of the companies that supplies infrastructure to airports recently and they were talking about their experiences with the mBCBP (mobile bar code boarding pass) -- they said that "we only care about Blackberry, iPhone and high-end smartphones", which means we can assume big, clear screens -- but still the current 2D barcode solutions don't carry enough data for the airlines to store more than three legs plus frequent-flier and other data.

So why am I looking at this space? One of the biggest players in the industry, IER, is advocating the "pass & fly" sticker solution and I saw them present on the Air New Zealand and Air France case studies which, I have to say, was rather impressive.

Continue reading "Air side" »

Another model that the UK could try

By Dave Birch posted Oct 13 2009 at 6:18 PM

[Dave Birch] I'm going to provide a case study on the use of multi-application smart cards with EMV "chip and PIN" software on them that I think contains some useful nuggets for us in the UK to ponder over, because the case study is about combining payment (EMV) and digital signature (PKI) applications on the same card.

Identity folks will have to understand a little about the payment folks' EMV standard to understand the dynamics. There are actually three flavours of EMV, the international card scheme standard for chip transactions. These are Static Data Authentication (SDA), Dynamic Data Authentication (DDA) and Combined Data and Application Cryptogram (CDA). Most of the cards out on the streets in the UK are SDA cards without enciphered PIN (the PIN is not encrypted from the PIN pad into the card).

SDA cards are cheapest, which is why our banks issue them, but they can be cloned and used in terminals that are offline, so they are a security risk. DDA cards are not vulnerable in this way, but they are more expensive, both because the cards are more sophisticated (they have a cryptographic co-processor to handle asymmetric cryptography) and because they take longer to "personalise". Even so, UK banks will have to replace SDA with DDA by end of 2010 (indeed, Consult Hyperion work with banks to help them to migrate in a cost-effective way). CDA cards cost the same as DDA, but still need to be planned for.

For technical reasons, CDA cards are more secure than DDA cards. Why? Because CDA protects against the "wedge attack". It is possible to insert a device that would let a genuine DDA card generate a legitimate digital signature but then intercept the request for an application cryptogram and return a bogus one for a different amount to the terminal. The terminal would carry on regardless. This is not possible with CDA since both the DDA signature and cryptogram are delivered by the card at the same time.
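Why the terminal "carries on regardless" under DDA but not under CDA, as an added example that is not part of the original post: a simplified model in which the DDA signature covers only the terminal's nonce, while the CDA signature also covers the amount and the cryptogram. The message layout, the key values and the toy textbook RSA are constructed for illustration and are not the EMV data formats.

```python
import hashlib
import hmac
import secrets

# Toy textbook RSA over two Mersenne primes, no padding: illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
AC_KEY = b"constructed card/issuer key"     # the terminal never holds this key


def _h(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes) -> int:               # card's private-key operation
    return pow(_h(data), D, N)


def verify(data: bytes, sig: int) -> bool:  # terminal's public-key check
    return pow(sig, E, N) == _h(data)


def cryptogram(amount: int, atc: int) -> str:
    """Application cryptogram: a MAC that only the issuer can verify."""
    msg = f"{amount}|{atc}".encode()
    return hmac.new(AC_KEY, msg, hashlib.sha256).hexdigest()[:16]


def cda_payload(nonce: bytes, amount: int, ac: str) -> bytes:
    return b"CDA|" + nonce + f"|{amount}|{ac}".encode()


# Card side
def card_dda(nonce: bytes) -> int:
    return sign(b"DDA|" + nonce)


def card_ac(amount: int, atc: int) -> dict:
    return {"amount": amount, "ac": cryptogram(amount, atc)}


def card_cda(nonce: bytes, amount: int, atc: int) -> dict:
    resp = card_ac(amount, atc)
    resp["sig"] = sign(cda_payload(nonce, amount, resp["ac"]))
    return resp


# Terminal side
def terminal_accepts_dda(nonce, amount, dda_sig, ac_resp) -> bool:
    # The signature proves a genuine card answered the nonce. It says nothing
    # about ac_resp, which arrives separately and is opaque to the terminal.
    return verify(b"DDA|" + nonce, dda_sig) and ac_resp["amount"] == amount


def terminal_accepts_cda(nonce, amount, resp) -> bool:
    # One response: the signature binds nonce, amount and cryptogram together.
    return resp["amount"] == amount and verify(
        cda_payload(nonce, amount, resp["ac"]), resp["sig"])


def altered_in_transit(resp: dict) -> dict:
    """Stand-in for a response changed between card and terminal."""
    return dict(resp, ac="0" * 16)


def compare_modes(amount: int = 2500, atc: int = 7) -> dict:
    nonce = secrets.token_bytes(4)
    dda_sig, ac = card_dda(nonce), card_ac(amount, atc)
    cda = card_cda(nonce, amount, atc)
    bad_ac = altered_in_transit(ac)
    return {
        "dda_untouched": terminal_accepts_dda(nonce, amount, dda_sig, ac),
        "dda_altered": terminal_accepts_dda(nonce, amount, dda_sig, bad_ac),
        "cda_untouched": terminal_accepts_cda(nonce, amount, cda),
        "cda_altered": terminal_accepts_cda(nonce, amount, altered_in_transit(cda)),
        # Only the issuer, holding AC_KEY, can tell the altered cryptogram is wrong.
        "issuer_accepts_altered": hmac.compare_digest(bad_ac["ac"], cryptogram(amount, atc)),
    }


if __name__ == "__main__":
    print(compare_modes())
```

In the DDA case the altered cryptogram is caught only when the issuer checks it, which for an offline transaction is after the terminal has already approved.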

OK, so all this is well-known, but why does it matter to the digital ID world? Well, if a bank goes to the expense of issuing DDA or CDA cards, then the presence of re-usable cryptographic software and the cryptographic co-processor mean that it is a minimum of cost and complexity for the card to carry an additional PKI application as well as the EMV application. Almost all of the PKI application's "guts" are already on the card because they are used by the EMV application. What's more, the card can generate its own key pairs (which is very good for security) and then, provided you have the infrastructure, third parties can sign the card's public key(s) to create a wide variety of public key certificates to deliver interesting services. The card can store these certificates if it has enough memory or store pointers to the certificates online somewhere if it doesn't.

Here's a real example.

Continue reading "Another model that the UK could try" »