I've just been filling out a form for my bank -- why isn't relevant, except to say that every single item that I was required to fill in was something that my bank of 33 years already knew -- and I decided to drive round and drop it off later in the week rather than post it, because I'm starting to become slightly paranoid about identity theft. Unlike half the population, who are seriously concerned.
The poll of 970 UK adults, part of the bi-annual global Unisys Security Index, reveals that cyber-security is the public's chief concern, with 85% of respondents worried, and over 50% "seriously concerned", about bank card fraud and identity theft.
[From Finextra: Brits switching banks over security and privacy concerns - Unisys]
This is an odd result, I think. I couldn't care less about bank card fraud, since it's the banks' problem and not mine. I never use a debit card for anything, offline or online, so I'm totally protected by the legislation around credit cards. I'm much more worried about identity theft, because it's more time consuming to put right.
New figures from the National Fraud Authority [NFA] estimate that every year in the UK identity fraud costs more than £2.7billion and affects over 1.8million people.
[From UK Attorney General]
So what is being done about that? Well, banks in particular are trying hard to have better identity management. The results are, I think, often negative. Phil Windley explained how one of his bank accounts got frozen and what a complete hassle it was to unfreeze. The details aren't germane, but his conclusion is succinct.
Clearly what banks are doing now to prove identity online is not convenient and doesn’t scale.
[From Phil Windley's Technometria | The Problem with Identity Proofing]
I think it's important to draw attention to both of these issues: the convenience and the scale. My Barclays PINSentry is tolerably (but not entirely) convenient, but it doesn't scale: I can't use it for logging in to Barclaycard, let alone another bank. As a consequence, countless hours are wasted in call centres and on websites, transactions are abandoned, and customers find themselves inconvenienced and alienated.
Convenience is hardly worth remarking on: clearly, if an identity and authentication mechanism isn't convenient, then people won't use it. Or, at least, they will only use it in proportion. This is why I tend to think that mechanisms that are based on things that we already have that have secure elements in them (eg, mobile phones, chip and PIN cards) are better than special-purpose devices. But we still have to have convenience in another sense: a common interface with a well-understood grammar. This is why I rather like using OpenID to log in to things.
The second characteristic is just as important. The financial sector needs a solution that scales. It cannot require a phone call for every log in and nor can it result in a torrent of phone calls back in to call centres. This is why a highly-distributed solution is necessary. In many countries, this means two-factor authentication (2FA) using one-time passwords (OTPs) or dynamic passcodes.
Effective Jan. 1, banks in India must decline any transactions initiated by phone, including those using automated Interactive Voice Response systems, if the customer does not have and use a one-time passcode, according to the Reserve Bank of India. Cardholders will have to register for the service with their bank, which will send requested passcodes only to the customer’s registered mobile-phone number and e-mail address.
[From india-require-passcode-phone-transactions - PaymentsSource Article]
This seems reasonable to me: perhaps the European financial services industry should set a deadline for mandatory 2FA for access to financial services and stick to it. Whether OTPs are the best implementation is not clear to me at all, but that's another topic we'll be exploring in the round table series.
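The Indian scheme quoted above describes the bank's side of a delivered one-time passcode: a code is generated per transaction, sent only to the customer's registered number, and then used once. As an added illustration (not code from this post, from Unisys, or from any bank), the following Python sketch shows what a bank-side issuer and verifier must enforce for that model to hold up: the code is bound to a specific transaction, it expires, it is consumed on first successful use, and a handful of wrong guesses voids it. The class name `OtpService`, the six-digit length, the two-minute lifetime, the three-attempt limit, the `outbox` stand-in for an SMS gateway and the sample phone number are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6          # assumption: six-digit delivered passcode
OTP_TTL_SECONDS = 120   # assumption: a code is valid for two minutes
MAX_ATTEMPTS = 3        # assumption: three wrong guesses void the code


@dataclass
class PendingOtp:
    code_hash: bytes      # keyed hash of (customer, transaction, code); the code itself is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    """Hypothetical bank-side issuer and verifier for delivered one-time passcodes (example only)."""

    def __init__(self, registered_phones, clock=time.time, secret_key=None):
        self._phones = dict(registered_phones)      # customer id -> registered mobile number
        self._clock = clock                         # injectable so expiry can be exercised in tests
        self._key = secret_key or secrets.token_bytes(32)
        self._pending = {}                          # customer id -> PendingOtp (one live code per customer)
        self.outbox = []                            # constructed stand-in for an SMS gateway: (phone, code, ref)

    def _digest(self, customer_id, transaction_ref, code):
        # Binding the transaction reference into the hash means a code issued for one
        # transaction cannot be replayed to approve a different one.
        msg = f"{customer_id}|{transaction_ref}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, customer_id, transaction_ref):
        """Generate a fresh code, keep only its keyed hash, and 'send' it to the registered number."""
        phone = self._phones.get(customer_id)
        if phone is None:
            raise KeyError(f"no registered mobile number for {customer_id}")
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[customer_id] = PendingOtp(
            code_hash=self._digest(customer_id, transaction_ref, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self.outbox.append((phone, code, transaction_ref))

    def verify(self, customer_id, transaction_ref, code):
        """Return 'ok', 'no_pending', 'expired', 'locked' or 'mismatch'. A code is usable once."""
        pending = self._pending.get(customer_id)
        if pending is None:
            return "no_pending"
        if self._clock() > pending.expires_at:
            del self._pending[customer_id]
            return "expired"
        presented = self._digest(customer_id, transaction_ref, code)
        if hmac.compare_digest(pending.code_hash, presented):
            del self._pending[customer_id]            # single use: a replayed code finds nothing pending
            return "ok"
        pending.attempts += 1
        if pending.attempts >= MAX_ATTEMPTS:
            del self._pending[customer_id]            # too many guesses: the customer must request a new code
            return "locked"
        return "mismatch"


if __name__ == "__main__":
    svc = OtpService({"cust-1": "+44 7700 900123"})   # constructed customer and number
    svc.issue("cust-1", "payee-add-0001")
    phone, code, ref = svc.outbox[-1]                   # in production only the handset sees the code
    print("sent to", phone, "for", ref)
    print(svc.verify("cust-1", ref, code))              # ok
    print(svc.verify("cust-1", ref, code))              # no_pending: replay refused
```

The point of the design is that the server never needs the plaintext code after sending it, and every failure path (expiry, exhaustion of attempts, successful use) removes the pending entry, so the only way forward is to request a fresh code, which is what keeps the scheme scalable without a call-centre step.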
Who steals my purse steals trash; 'tis something, nothing;
'Twas mine, 'tis his, and has been slave to thousands;
But he that filches from me my good name;
Robs me of that which not enriches him, and makes me poor indeed.
William Shakespeare, Othello (Act 3, Scene 3).