ID - The Issue - Who Cares Who The Stig Really Is?

Tell me you didn't write this just for Finextra?
Its worthy of at least a Chapter in a book ;)

So Identity is not perfect.  Trust is all important.  And we all have a right to our identity.  But (there's always a but) the scenarios you paint are the minority and make identity sacrosanct, which it can't be. Every civilisation has relied on absolute identity ('I am Alexander, the Great", "Napoleon III", "the artist formerly known as ..." etc) and so you cannot change that paradigm overnight, or ever.

The Trusted 3rd Party model says that the 'man in the middle' knows person A, and knows person B, and makes the decision if what person A wants from B is authorised or not (or vice versa).

So lets start at Person B - who is a Service Provider (say a Bank), who manages an Account for Person A.   Someone accesses the Bank system to view Person A account.  Person B needs to validate the access and so logs a Txn with the TTP... Person A needs to 'identify' themselves to the TTP (for that txn) and the TTP checks to see if there is a pointer or token for that person to perform that Txn.  If so, confirms to Person B to allow it. 
Person B never knows who Person A was, except that they had authority to access Person A account.

Ah, so Person A could be 'the taxman' or the FBI with the authority to access anyones account.  Or it could be a faker pretending they are the taxman. Or it could be an insider at the TTP?   So all the same indentity issues and needing to have 'transparency' in the audit trail come back again. Everyone has an identity, so why the big deal about showing it to those who need to know who you are (like the Policemman). The Mega-TTP won't work (too much like a New Order Government), and the Mini-TTP (where every Bank has a TTP) is just as much of a muddle as trusting the Bank to get it right.  And who audits the TTP to make sure they are not syphoning off parts of transactions, or selling data about you, or blocking you for no good reason (e.g. Credit Scoring Agencies).

It does all come down to Trust and Identity.  Does Person A trust Person B, and are they really Person A and B.  End of.  Is 2 factor authentication enough?  Probably. It depends on the context.  I never ask a Bank teller the other side of a bullet proof screen to prove he/she works at the bank - its implied in that context(of me being at the bank).  But if someone knocks at the door doing a police survey, I would. 

Between non-related (and therefor low trust) parties, the Identification is weaker (like an ID card with a  photo on it) and you make a judgement whether to trust it or not.

Between related and highly trusted parties (say customer-Bank) an authentication scheme is agreed and used.  They are evolving.  My bank uses a UserID, a PIN and a Password (basically a fancy one where they challenge for just a part of it).  Eventually, some keylogging software will capture my whole password and send it off somewhere and my online account relationship will be compromised.  But no money can be transferred because they don't have the 4th thing, which is my Bank OTP Generator for making any changes to the account or setup new payments.  I do this so infrequently with this account that its always confusing to do it.  I woul dmuch prefer to use my registered mobile and have the bank text me a OTP as part of my auth login... that way I would find out PDQ if someone logged in without stealing my physical phone as well.  If I don't have my phone (the exception), then ask me a challenge.

Anyway, the point is that someone has to authenticate both sides, and not just me, so I know I am talking to the right Person B.  At least it would be the 'business' of a TTP to be serious about Identity, so there has to be a market for outsourcing the Auth function to an Auth-Clearing house.  I could use the same strong auth with the TTP to get access to a number of participating Service Providers.

So, long story short, I agree with the TTP concept, but think they are there to 'assure the Identity' not guard it.  Let the Service Provider decide on level of access or service based on the assured Identity. And yes, use of a mobile is just another tool in the box that can be used.

If banks continue down the hyped road of NFC tags, the credit card could disappear from your wallet and appear inside your mobile - it still represents 'something you have'.  The NFC ID will replace what used to be the WIM module idea (that MNOs again failed to use well).

This was supposed to be short, not another chapter.

Dean might have paraphrased Pascal or Mark Twain, "I'm sorry this blog is so long, but I did not have time to make it shorter". 

Dean's encyclopedic post contains some good ideas, using what The Laws of Identity call "Directed Identity".  And there are some motherhood statements about trust.  But I'm still at a complete loss to know just what he proposes to do about anything.

As bloggers we all tend to fall into the trap of over-simplification.  In our hasty little dispatches we try to solve the problems of the world, without first defining the problem.  The medium of the bloggosphere  assumes that all readers understand the problem at the start of every rant.  But in the complex modern finance sector we're really not all on the same page.  The sub-problems are many and varied: money laundering and know-your-customer reforms, identity theft (actually better defined as identifier takeover), payments fraud (which breaks down further into online fraud, POS fraud etc etc.), rogue trading, payments efficiency, accessibility and ease of use, customer choice, and all the myriad aspects of the current financial meltdown. These diverse issues should not be carelessly (much less willfully) mashed up, as if they might be solved in one utopian paradigm shift.

Ranting and raving and waxing philosophical is great fun -- I enjoy robust dinner table arguments as much as the next person.  But most Finextra readers are probably more interested in solid contributions to solving specific, well defined problems in the finance system.

So in the interests of good problem definition, I'd just like to reiterate how I see the major security problem with cards.  CNP fraud is a huge problem, but it is not sufficient grounds to abandon cards and shift holus bolus to opportunistic untried mobile schemes.

The four cornered model remains fundamentally sound but it runs foul of fraud on the Internet because Merchants find it so hard to tell whether Cardholder data is genuine or not.  High tech solutions like 3D Secure operate by shifting the authentication task from Merchant-identifies-Customer to Issuer-identifies-Customer in real time.  Medium tech solutions like CAP blend two factor authentication to stop ID theft, with kludges like re-entering transaction data to thwart Man-in-the-Middle attack.  The price paid for these approaches includes slower processing because of all the new bottlencks, and complicated user interfaces.  But at least they don't introduce any new commercial entities, contracts or processors. 

Instead of leaving you with an oblique implied sales pitch, I will state clearly that my company researches specific solutions that safeguard cardholder data when they transact online. We advocate using smartcards (or USB keys or cryptochips in phones) to digitally sign cardholder IDs before presentation, using private keys in hardware, so that the IDs cannot be stolen and replayed.  The approach is simpler to use, faster to process, and introduces no new intermediaries or contracts.

Cheers,

Stephen Wilson, Lockstep.

This subject is a very important one, thanks for raising it Dean.

To begin with, we can agree that ID theft is on the rise...and tomorrow it could be yours that is stolen...it really isn't difficult to do.

The drivers that FSI's have to protect customer identity are substantially on their bottom line.  Their perspective is about “How much are we losing in dollar terms and brand damage?”.  As you know, brand translates into future dollars.

Regulators are similarly ineffective or uncaring because the problem is only, so they say, 4.5 basis points of the bottom line of FSIs? and reflected by only a soft cry from unheard victim statistics.

Only the governments, call them regulators if you like, can stipulate and monitor appropriate ID protection guidelines and I don't think they have the gumption, co-ordination or vision needed to address this issue yet.  

Let's consider Joe Public for one moment instead of the bottom line of FSI's.  The impact that ID theft has on any individual and their immediate families can be and often is absolutely devastating.  The emotional and financial impact is something that is impossible to imagine.  It would equate to your life being high-jacked and all your values and trust being lost forever...no job, no money, infringement notices or court appearances to try to clear your name and sometimes, prison terms.  Worse still, for those who suffer chronic depression, suicide is way out. Our legal system is such that the costs of fighting these cases can exhaust the family savings very quickly! (let’s leave this for another discussion)

How much does this weigh on the conscience of FSI's or, in voting terms, on the real government priority of staying in office?  Well, it doesn’t!  Despite the process tinkering and the hyperbole surrounding technology advancements, do you hear any improvements being made in the numbers of ID thefts?  No, quite the opposite!

So put yourselves in this position and ask how important is your identity? Tell me that you have just a little shiver of uncertainty, a hesitation...it's not just you but your kids and theirs to come…very scary stuff but we are responsible…and now, or we really can be found ‘guilty as charged’.

Will you defer to the tide of impotence and suggest a 'steady as she goes' approach?  Let's leave our health and wellbeing to the guys with their bottom lines to protect...hey that's good advice...or shall we even not care and think that the regulators will take care of us? 

The discussion on this thread may help people understand that hard decisions need to be made and encourage governments to feel strongly enough to make them.  Are you pushing software solutions, hardware solutions or can you put your hand on your daughter or son’s head, ruffle their hair and say I’m saying this for you?

We are apparently spending billions of dollars saving the planet but who is saving our well being…our identity?

While identity and it's impact on all of us certainly isn't simple and can only be simplified in a blog, albeit a Twain-ish tome, its far too boring for dinner conversation at my table.

Perhaps putting it in another simplistic way - Who has an interest in identity?

While you think of the great long list and answer, I'll do it for you.

Everyone has an interest in identity.

I suppose the best course is to make the banks shoulder the burden alone? That doesn't fit too well with anyone's bottom line.

Expecting banks to provide identity is a bit like suggesting they should become internet providers and telco's just so as people can internet bank and (mobile)phone bank. In my mind anyway.

I'm just suggesting that there are more stakeholders than just banks, and while it might seem sexy to differentiate your brand with a new gadget, I'm not sure the shine is worth the cost of the polish. Most business analysts can tell you that if you innovate, your competitors will soon follow, and your advantage may diminish quickly.

It follows that your expenses will increase but not necessarily your market share. Any banks had people rushing in and churning their account so they can get the latest security gadget?

Every financial services provider has the potential to suffer over trust issues.

I can't find any instance of where a gadget has led to an increase in market share, unless you are the manufacturer of the gadget. The iphone might be an exception and may have lead to more subscribers for telco's but I'll leave how fabulous mobiles are out of the discussion for the moment.

There is a school of thought that see's everything as a profit centre and anticipates a bottom line profit in providing a service, although identity may be harder to make profitable as a lone bank, or even a whole country.

Inevitably that country requires integration with another, or another bank and you could end up with all sorts of difficulties and cost. You get different approaches, standards, and levels of trust. Risk becomes unpredictable. Liability becomes arguable. Banks are distracted from their core business. Banking.

Banks are also burdened with the lions share of the costs. They get no return when a customer uses their bank documentation to establish identity elsewhere.

If they get it wrong, they risk suffering losss of reputation. Why, just to impact those miniscule bottom line points or perhaps make a buck or two on the gadget?

Stick to banking, leave the electronic gadgets business to Car Toys. They're much better at it. Perhaps you would advise Car Toys to get into banking if the gadgets are to rule and are what drive customers to banks? It doesn't if the gadget adds a single step to the process, and it harms the brand if it is to complicated. So I suppose car Toys could get into banking if they knew how to use the gadgets they sell to satisfy the customer's need to transact and have ID. Perhaps I'll give them a call.

Governments have a lot more to gain than banks in the identity equation. They should carry their fair share of the burden.

It also has the bonus that if you are all using a third party system, if there is a problem (and historically there have been  many), then the bank is not to blame - the third party system is. It's called shifting risk. Spreading the burden of what is not core business.

So I guess I'm barking up the wrong tree, if banks see proving identity as a profit centre and can bear the risk of loss of reputation, but if they are actually more into banking they might understand my simplistic points.

I try and relate it to the bottom line. If bankers understand anything, it should be that.

So if getting economy of scale, governments contributing and perhaps mandating 'user pays', won't improve every stake-holder's bottom line, then I obviously didn't go to the same business school as Stephen.

If the banks got together to improve trust that would have to be a good thing for the industry at a time when it is most needed. The time may never be better. It's a 21st century thing to do. It is going to happen, the banks can enter later at the user pays stage or take the bull by the horns and get all the benefits on their bottom line from the start, and probably when they really need it most..

I'll leave you to think about your bottom line because I've mentioned bottom one time to many and that great bum competition in Paris just keeps interrupting my thoughts. :)

Speaking of competitions, we could always have a global competition to come up with the most practical and cost-effective ID solution and see who wins.  Bring on the expert panel, bus in the PhD's. I'm up for it. It won't be half as much fun as Paris but it could really take banking into the 21st century.

I would answer the technical part from John, but it would be another tome, suffice to say the issues you mention generally don't apply with the methodology I have in mind, from the risks you mention right through to the audit trail.

It isn't so much about 'hiding' your identity, it is about not needing to reveal personal data in order to ID yourself.

A thief will not be able to steal your ID, because of the new ID process. You'll be able to put as much personal information anywhere you like,because it'll take more than that to impersonate you.

Relying on carrying documentation is just plain asking for trouble, and trouble keeps coming. There is enough personal data out there now to keep ID thieves going for at least 30 years and we can't get it back. If we managed to secure every bit of personal information from now on while still relying on existing ID procedures it would take decades before we recovered.

We need a new approach to the way we identify ourselves, and it would best be one that isn't just based on a lot of personal data flying around. That data has already flown the coup.

'Biometrics' might be put forward as an option, well an imprint in my frontal lobe is biometrics, and I'm already carrying a built in reader that no-one else can operate. My brain.

I reiterate 'What can be abused, will be abused'.

I don't fancy having my biometric data and DNA in everyone else's hands along with my personal data. With more than a passing knowledge of medical science and human nature I can only see dark things down that route, and it isn't worth the risk when there are easier and lower cost solutions.

We just need to use our brains, and perhaps our mobiles.

Er.......Just to be a pedant,

Mr. Stig was never an F1 driver as in your picture - He was a WTCC (or similar) driver so most unlikely to be in the frame. Also, he would have been around 40 odd when your picture was taken (a little too old to drive F1 unless your name is Jacques Laffite).

Well we are talking about Identity theft!!!!