About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion





  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

21 posts categorized "Travel"

Criminal inconvenience

By Dave Birch posted Oct 27 2010 at 1:57 PM
[Dave Birch] It was identity theft week, or something like that, and since I'm about to start the CSFI's 2010/2011 Research Programme into "Identity in Financial Services", with support from Visa Europe, I've been thinking about the key aspects of the problem. For example: how well are current know-your-customer procedures working? After all, they are pretty stringent. To the point where the typical customer finds dealing with financial services organisations an absolute nightmare.

The ID banks require is getting beyond a joke. I’ve just been locked out of one of my online accounts, through no fault of my own, and they’re demanding I send them a certified document plus a utility/bank bill, but they won’t accept one printed online. Yet like many people, both for the environment and ease, I opt for paperless billing wherever I can, so I simply don’t get any printed statements anymore, leaving me at an ID disadvantage when banks refuse to count those as ID.

[From Martin Lewis' Blog… | The bank ID farce: online accounts don’t accept online statements]

Still, I'm sure we'd all agree that it's worth the massive imposition on customers, and the massive costs to companies, in order to crack down on ne'er-do-wells who are trying to defraud our banking system (at least, the ones who don't work for banks). But since identity fraud appears to be at record levels, either these stringent controls are counter-productive (because only criminals will bother jumping through the hoops) or a total waste of money.

Drawing upon victim and impostor data now accessible because of updates to the Fair Credit Reporting Act, the data shows that identity theft impostors supply obviously erroneous information on applications that is accepted as valid by credit grantors. Thus, the problem does not necessarily lie in control nor in more availability of personal information, but rather in the risk tolerances of credit grantors. An analysis of incentives in credit granting elucidates the problem: identity theft remains so prevalent because it is less costly to tolerate fraud. Adopting more aggressive and expensive anti-fraud measures is extremely costly and jeopardizes customer acquisition efforts.

[From SSRN-Internalizing Identity Theft by Chris Hoofnagle]

Given the amount of trouble I find in accessing my own accounts -- I tried to log in to my John Lewis card account this week and it asked me a password that I'd forgotten and when I followed the "forgotten password" link it asked me for a secret word or something that I didn't even know I'd set -- I can only assume that the total amount of time, effort and money wasted on this sort of thing across the financial services sector as a whole is enormous.

Continue reading "Criminal inconvenience" »

Passport minus

By Dave Birch posted Aug 17 2010 at 1:19 PM

[Dave Birch] Pretty much every decision that the British government has made about ID cards has not only turned out to be wrong, but almost optimally wrong. The collection of civil servants, management consultants, ministers and special advisors managed to leave us in as bad a situation as when they started -- with no national identity management infrastructure -- but hundreds of millions out of pocket. There is now a manifesto to get everyone online by 2012, but when they get there they won't be able to do anything since there's no mechanism to identify or authenticate anyone other than usernames and passwords, which of course means a massive increase in identity fraud.

The current coalition are just as bad: they have no strategic vision for identity, no tactics for getting us there and (crucially) no more understanding of the technology than their New Labour predecessors (who, to be fair, didn't understand the problem either). As Ben Laurie of Google, someone whose opinion I always take seriously, puts it:

The trouble with allowing policy makers, CEOs and journalists define technical solutions is that their ability to do so is constrained by their limited understanding of the available technologies.

[From Links]

Quite. And in the field of identity, where "common sense" is an appallingly bad basis for requirements capture, they have even less chance of randomly happening across a workable solution than they do in the fields (pun intended) of rural payments, where a cool ONE BILLION POUNDS has been totally wasted. The coalition's decision to simply scrap the ID card scheme was stupid.

Neither the existing scheme nor the Coalition scheme (ie, nothing) actually solve any of the problems that the lack of an identity infrastructure creates and I absolutely predict that the lack of such an infrastructure will in turn create a major barrier to improving efficiency in public services

[From Digital Identity: Back to the future of the ID card]

One of my pre-election suggestions to a couple of relevant "think" tanks was that the ID card should be renamed the Passport Plus, and sold as a revenue-raising £50 optional extra to passport holders: this would be straightforward to implement, since the ID card has no function other than as a travel document in the EU anyway. The wisdom of this suggestion has just come back to bite me.

Continue reading "Passport minus" »

Biometrics 200n

By Dave Birch posted Nov 2 2009 at 10:11 PM

[Dave Birch] I actually rather enjoyed my day out at Biometrics 2009 because it was an opportunity to catch up with old friends and see what the buzz is. Yes, you can have LinkedIn and Twitter, but there's still no substitute for hanging out in the coffee area at a big conference. Some of the content was, though, somewhat reminiscent of Biometrics 2008, 7, 6... we're still not at a mass market, and part of the reason is that no-one seems to know what that mass market is. Is it fingerprint scanners in every laptop? I doubt it. Is it logging in to your bank using voice authentication? Maybe. Is it using your National ID Card to get served in a pub? Doesn't look like it at the moment.

Personally, based on a couple of sessions I sat in on, I thought there was some confusion about the proposition -- not from everyone -- and I suspect that at least part of the problem is that the major integrators come from the government and defence space, so their approach to the market and their product set reflects that. If you've made a living selling large-scale automatic fingerprint identification systems to law enforcement agencies, then it may be difficult to make the transition to selling improved authentication to banks. And there's no reason to suspect that that improved authentication will be achieved using the same technologies anyway.

I happened to be sitting next to Forum friend Maxine Most from Acuity Inc, one of the world's leading analysts of the international biometrics market, and she made a key point early on in the day: the mass market is about mobile phones, not PCs. This was a central element of my presentation on biometrics in the event space and was further amplified by the Precise Biometrics presentation advocating match-on-SIM going forwards. This, as an aside, suggests to me that there is a premium on biometric technologies that synergise with mobile phones -- we're talking about the mass commercial market here, not law enforcement and national security -- so that really means voice recognition and voice authentication (I don't buy the fingerprint-scanner-in-handset model in the mass market). A couple of people remarked that these biometrics didn't seem to be getting much coverage compared to fingerprints, iris and the like, which I imagine is also a reflection on the government and law enforcement focus of the show.

Continue reading "Biometrics 200n" »

Extracting the P

By Dave Birch posted Sep 18 2009 at 2:47 PM

[Dave Birch] Forum friend Toby Stevens of EPG started something of a discussion by putting forward a few conjectures about what might happen to the UK identity card and passport schemes, systems and structures come the expected opposition victory in the forthcoming general election. I don't want to say anything about the rights or wrongs of the current schemes, systems and structures but I want to comment on an observation about the current situation. There is no engineering, technical or security reason for the "I" and "P" to be together in the Identity & Passport Service (IPS). As far as I am concerned, the ID card and the Passport are conceptually distinct. The British government might in time issue ID numbers to everyone on the planet, all six or seven billion of them, because the purpose of the ID scheme is to record that you are known, uniquely, to the British government. That's all. It's a mistake to mix a jumble of biographical details, pointers to government records and other things into the same records. There may be some credentials attached to that you may want to demonstrate to third parties (eg, you have the right to work in the UK, you are over 18, you are registered in the government's new Independent Safeguarding Authority database -- the IS_NOT_PAEDOPHILE attribute) but these are not part of the database. On the other hand, a passport means that you are a British citizen and can travel overseas (and other countries might want to put visas in it, which is another distinguishing characteristic). There will be people who have ID cards but not passports and vice versa. But they both have to be unique. So what to do?

Continue reading "Extracting the P" »

Interdisciplinary ideas

By Dave Birch posted Jul 2 2009 at 7:03 AM

[Dave Birch] Someone mentioned iris biometrics over coffee which reminded me again that, a couple of weeks ago, I had a stimulating day out at the 2nd interdisciplinary workshop on Identity in the Information Society at the LSE. Many thanks to James Backhouse and the team for putting together such a great programme. I really enjoyed Kevin Bowyer's keynote on iris biometrics and wanted to highlight one or two of the points that he made. You can read the paper for yourself, but a few key findings were that:

  • Pupil dilation has an impact;
  • Contact lenses have an impact;
  • Sensor changes (ie, someone has been enrolled on one system and is being matched on another) have a significant impact (even when using the same software);
  • Irises change over time more than had been anticipated. The effect on false reject rates is small, but measurable.

In all of the cases, it is the match distribution that is changing: in other words, it's "fail safe" in that the system behaviour is such that false rejects go up but false accepts do not. So not too bad. But at population scale, the number of false rejects will still be enough to be noticeable and dealing with the false rejects effectively (which might mean different things in different environments) will be central to the success of schemes.

Continue reading "Interdisciplinary ideas" »

The long and short of it

By Dave Birch posted May 1 2009 at 3:09 PM

[Dave Birch] I was at the European Patent Forum in Prague talking about biometrics in an enjoyable seminar on Privacy and Identity Theft, along with Ivo Teutloff from EPO and Max Snijder from the European Biometrics Group. The reason that the session was so enjoyable is that we'd each chosen to focus on different aspects of the topic. By coincidence, when I woke up and was sitting in my hotel room looking through my slides with BBC Breakfast TV in the background, the first item on the BBC news was the rise in card fraud, again. And this is hand-in-hand with another massive increase in identity-related fraud in general.

A 40% increase in the number of people being impersonated indicates that the flat trend seen in 2008 (where identity fraud increased by only 0.06% from 2007) was exceptional. While last year's figures were a surprise, the sudden and significant increase in the first quarter of 2009 heralds an unwelcome return of identity fraud as the fraudsters' method of choice; as fraudsters assume creditworthy identities in order to swindle individuals and companies alike: stealing funds, goods and services at someone else's expense... During this quarter, a staggering 75% increase in facility takeover (also known as account takeover) frauds - where the fraudster gains access to, and plunders the legitimately obtained accounts of innocent victims - continued the steep upward trend seen throughout 2008.

[From Fraud trends and recession go hand in hand - CIFAS Online]

If biometrics could make a dent in that, you would think that banks would be rushing to implement them. After all, as CIFAS notes, the account takeover fraud explosion has been going on for some time. Plenty of time to plan and develop a biometric countermeasure, you might think.

UK account takeover fraud grows 207% year-on-year in 2008 - study [From UK account takeover fraud grows 207% year-on-year in 2008 - study]

Yet nothing much is happening. Identity theft is growing and, in the UK at least, the government's identity card scheme won't do anything to help. But why? Max made a very interesting point, which goes back to my current obsession, the "narrative". In his presentation, he pointed out that because the biometric sector had its origins in the identification problem, that is how they see the world. So they would see the retail payments problem as an identification problem, which leads to PayByTouch. On the other hand, other people (eg, me) see the retail payments problem as an authentication problem: so we need progress in what he called "anonymous" biometrics to get down to solving that particular problem. And he made a very positive suggestion that I had not considered before.

Continue reading "The long and short of it" »

Government interface

By Dave Birch posted Mar 24 2009 at 10:54 AM

[Dave Birch] Government identity is so important that the vigilance of the "issuers" must be unwavering. Thus, the rest of the identity management value network can function. It's so important that one might even go so far as to say that a key role of government should be to test its own vigilance in an open and transparent way. In other words, shouldn't parts of the government be checking up on other parts of the government and telling us what happened? This would be a really interesting experiment to try here in the UK, now that the government has started issuing identity cards. It would be great to have some reassurance that the process is indeed protecting us from international terrorists, dole scroungers and health tourists. The National Audit Office (NAO) could try and obtain bogus identity documents from the Identity and Passport Service (IPS) and see what happens. Just like the recent experiment in the US.

To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen’s personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office.

[From Security Document World]

And the results? Did the ever-vigilant staff, the best IT that money can buy and the process designed by top management consultants come together to defeat these almost trivial attempts to deceive?

In its four tests simulating this approach it was successful in obtaining a genuine U.S. passport in each case.

[From Security Document World]

Uh oh.

Continue reading "Government interface" »

Privacy-enhancing anti-technology in Europe

By Dave Birch posted Mar 3 2009 at 9:44 AM

[Dave Birch] There's been another rash of stories about fingerprinting and the linking of identity and authentication and I thought I'd take a look at a few of them after my afternoon at the Social Market Foundation. Let's begin by looking at a mass market use of biometrics...

Under a new law published Monday, Mexico will start a national register of mobile phone users by fingerprinting all customers in an effort to catch criminals who use mobile phones to extort money and negotiate kidnapping ransoms. The new law, which will be in force this April, will give mobile phone companies a year to build the database of their clients - complete with fingerprints and any other personally identifiable information.

[From New Mexico Law to Fingerprint All Mobile Phone Users]

Fingerprinting mobile phone users could never happen here, of course. Well, not for a while. But fingerprinting mobile providers might...

Vodafone dealership DigitalMobile is the latest employer to introduce fingerprint scanning for staff. DigitalMobile spokesman Will Allan says the scanners have been installed in the company's 22 stores around the country and most of its 190 staff are using them to clock in and out.

[From Vodafone sales staff asked to scan in - New Zealand's source for technology news on Stuff.co.nz]

This seems pretty reasonable: using biometrics to make life easier for more people is a much more convincing business case and, as far as I can see, a much more effective use of the technology than biometrics for security (outside nuclear missile launch codes and that kind of thing).

Continue reading "Privacy-enhancing anti-technology in Europe" »

The China syndrome

By Dave Birch posted Feb 10 2009 at 7:51 PM

[Dave Birch] A couple of days ago I again mentioned the government's "break the glass" plan for a national identity scheme. In other words, what is the emergency plan to be followed should the integrity of the system itself fail? The point about the "break the glass" plan is a serious one. While I have no evidence that the government has such a plan, I'm sure they must do. If hackers, mafia extortionists or opposition MPs get into the database then someone has to be able to press a button to sound the alarm, to raise the drawbridge to other government systems and to initiate the meltdown process of re-issuing keys (or whatever else needs to be done).

What kind of meltdown might require the government to break the glass? Well, just for amusement purposes (since it could never happen, because the Home Secretary said that the ID card system will use "military" security) let's suppose that a disgruntled member of staff steals the entire biographical database. Let's say fifty million individual records (5 x 10^7). Each individual record comprises 50 data items -- actually in the UK Identity Cards Bill it was slightly more than 50 -- so that's 5 x 10^1. Let's say each data item is 1KB. They're not, but whatever. So now we have a database of 5 x 5 x 10 x 10^7 or 25 x 10^8 or a couple of terabytes. That's it, a couple of terabytes. I can buy a 2TB USB hard drive on Amazon right now for a couple of hundred quid and by the time the database is up and running, it will be fifty quid. So I can store the entire database for next to nothing, chuck it in my car and zoom off with it.

When they come in in the morning and notice it missing, there needs to be a big red button on the wall that they can smash the glass and press. Ah, you might say, it seems unlikely that a vetted civil servant will deliberately and flagrantly break the data protection act or whatever. Well I imagine that's what they thought in Chile, before a civil servant started publishing their national identity register on the Internet. We shouldn't let this kind of thing stop us from building a better identity infrastructure, but we should use it to help us build a better one, by which I mean one that depends on open peer review for its security.

Continue reading "The China syndrome" »

It could never happen here

By Dave Birch posted Jan 15 2009 at 12:43 PM

[Dave Birch] Well well. Now here is an interesting story that hasn't got anything like the attention that it demands:

A South Korean woman barred from entering Japan last year has reportedly passed through its immigration screening system by using tape on her fingers to fool a fingerprint reading machine... A South Korean broker is believed to have supplied her with the tapes and a fake passport, the Yomiuri said, adding that officials believe many more foreigners might have entered Japan using the same technique.

[From Woman fools Japan's airport security fingerprint system]

Now, I wonder if the Japanese ministry of immigration (or whatever) chose that particular system on the basis that it was (according to the vendor) foolproof? That is certainly the perception of biometrics, particularly amongst politicians, but who can say? I suppose the risk analysis they carried out -- I'm sure they must have carried out a risk analysis -- would have put impersonation as a theoretical probability with a low likelihood and low chance of success. Ooops.

Continue reading "It could never happen here" »