[Dave Birch] More than one correspondent has asked me why no banks are on the initial list of approved identity providers (IDPs) for the British government identity assurance (IDA) framework. I belong to the IDA working group on privacy and security and, as you might imagine, Consult Hyperion has provided (and is providing) paid professional services to a number of organisations in the private and public sectors who are developing identity-based products and services. So I think I have a reasonable and well-informed perspective. Unfortunately, it also means that I have to be very careful about what I say, as you might also imagine. But speaking generally, and without reference to any specific clients or projects, I’d say there are three main reasons:
- I had an e-mail from a bank person (not Barclays) who said that they had looked at starting an identity business but, as it would only generate net revenue of $200m/annum after five years, it wasn’t worth pursuing. In other words, it’s classic Christensen disruptive innovation – the new opportunity is too small compared to the core business.
- It’s a cross-silo and cross-sector opportunity covering both cost reductions and new businesses, so it doesn’t fit corporate structure very well. If some form of identity infrastructure is to address both of these opportunities then it is going to cut across the whole sector, let alone individual banks, and there isn’t much appetite for this at the moment.
- The business units don’t understand the underlying technology, and I’m afraid it’s one of those areas where you can’t brainstorm the products and services that might be delivered without some rudimentary understanding of federation, digital signatures and such like.
I’m a Barclays Premier customer and I’ve had an account there since 1977. Barclays know absolutely everything about me and my finances and they’ve given me a dongle to authenticate myself to them (which works fine) but I can’t use that dongle to log in to Barclaycard, let alone HSBC. What’s more, under the government-mandated expensive (heading toward a billion quid) and pointless account switching system that will go live in a year or two, despite my 36 years with Barclays, if I walk into Lloyds to open an account they’ll treat me as if I’ve just got off the boat and demand that I go home and come back with some high-security documentation (e.g., a photocopy of an old gas bill).
> Identity Fraud accounts for over 50% of all frauds recorded in 2012… The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.
Identity fraud is out of control in the US as well, albeit for slightly different reasons, one of the key ones being the use of Social Security Numbers as “identity”. Although, rather hilariously, it seems that the criminals’ principal source of social security numbers isn’t dedicated teams of Eastern European super-hackers working under their direction but…
> The most common method used for stealing identities appeared to be data breach notification letters. Approximately one in four recipients of these kinds of messages ended up being a victim.
This is the Law of Unexpected Consequences on stilts, isn’t it? No. Actually, it is the Law of Expected Consequences, since it is exactly as predicted at the time of the great HMRC CD debacle in the UK. I can remember saying, on more than one occasion, that the stupid decision to send out breach notification letters to every household in the UK — a letter that included the full name, address and national insurance number (doh!) of the recipients — would undoubtedly lead to more identity fraud being perpetrated than the loss of the CDs (if they ever existed, which, to be honest, I doubt).
We all need much better security around account access but to make it affordable we need standard, federated solutions operating inside cross-sector frameworks. We need to stop building bank-specific, or even banking-specific, solutions. And we need to make security into an essential element of the customer proposition, part of the business, not part of the back room technology infrastructure.
Here’s one idea of what could happen. When you open a bank account, you should be given a UK financial services identifier (your “money name”), just like you get a Facebook name or a Twitter name. Let’s say it’s £Barclays_Dave. The bank should provide 2FA against that money name. When I go to Lloyds to open an account, I should be able to use my money name to open an account on the spot with no messing around with old gas bills. Alternatively, I should be able to open an account with old gas bills and get a new money name (e.g., £Lloyds_Dave) if I prefer.
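To make the federation and digital-signature point from the third reason above concrete, here is an added example (mine, not Consult Hyperion’s and not any bank’s design) of the money-name flow: the issuing bank authenticates its customer with its own 2FA, signs a short-lived assertion about the money name, and the relying bank accepts the assertion only if it comes from an issuer on its trust list, the signature verifies, the validity window holds and the issuer states that two factors were used. The JSON assertion layout, the Ed25519 choice, the “2fa” label and the bank names are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is the hypothetical statement an issuing bank signs about a money
// name once it has authenticated the customer. Field layout is an assumption.
type Assertion struct {
	Issuer      string `json:"issuer"`
	Subject     string `json:"subject"`      // the money name, e.g. £Barclays_Dave
	AuthnMethod string `json:"authn_method"` // how the issuer authenticated the user
	IssuedAt    int64  `json:"issued_at"`    // unix seconds
	ExpiresAt   int64  `json:"expires_at"`   // unix seconds
}

// SignedAssertion is what travels from the issuing bank to the relying bank.
type SignedAssertion struct {
	Payload   []byte // exact bytes that were signed
	Signature []byte
}

// Issuer is a bank that vouches for money names it has issued.
type Issuer struct {
	Name string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // published to relying banks out of band
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, priv: priv, Pub: pub}, nil
}

// Issue signs a short-lived assertion for a subject the bank has just authenticated.
func (i *Issuer) Issue(subject, authnMethod string, now time.Time, ttl time.Duration) (SignedAssertion, error) {
	a := Assertion{Issuer: i.Name, Subject: subject, AuthnMethod: authnMethod,
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix()}
	payload, err := json.Marshal(a)
	if err != nil {
		return SignedAssertion{}, err
	}
	return SignedAssertion{Payload: payload, Signature: ed25519.Sign(i.priv, payload)}, nil
}

// RelyingParty is a bank that accepts assertions from issuers it trusts.
type RelyingParty struct {
	TrustedIssuers map[string]ed25519.PublicKey // issuer name -> verification key
}

var (
	ErrUntrustedIssuer = errors.New("issuer not in trust list")
	ErrBadSignature    = errors.New("signature does not verify")
	ErrExpired         = errors.New("assertion expired or not yet valid")
	ErrWeakAuthn       = errors.New("issuer did not use two-factor authentication")
)

// Verify checks issuer trust, signature, validity window and authentication
// strength; no field is relied on until the signature over the payload holds.
func (rp *RelyingParty) Verify(sa SignedAssertion, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(sa.Payload, &a); err != nil {
		return Assertion{}, err
	}
	pub, ok := rp.TrustedIssuers[a.Issuer]
	if !ok {
		return Assertion{}, ErrUntrustedIssuer
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Assertion{}, ErrBadSignature
	}
	if now.Unix() < a.IssuedAt || now.Unix() > a.ExpiresAt {
		return Assertion{}, ErrExpired
	}
	if a.AuthnMethod != "2fa" {
		return Assertion{}, ErrWeakAuthn
	}
	return a, nil
}

// Demo walks the flow: Barclays vouches for £Barclays_Dave, Lloyds accepts it
// and then rejects a copy whose subject has been altered in transit.
func Demo() (accepted, tamperedRejected bool, err error) {
	barclays, err := NewIssuer("Barclays")
	if err != nil {
		return false, false, err
	}
	lloyds := &RelyingParty{TrustedIssuers: map[string]ed25519.PublicKey{barclays.Name: barclays.Pub}}
	now := time.Now()
	sa, err := barclays.Issue("£Barclays_Dave", "2fa", now, 5*time.Minute)
	if err != nil {
		return false, false, err
	}
	a, err := lloyds.Verify(sa, now.Add(30*time.Second))
	accepted = err == nil && a.Subject == "£Barclays_Dave"
	tampered := sa // same signature, edited payload: must fail
	tampered.Payload = []byte(strings.Replace(string(sa.Payload), "Dave", "Eve", 1))
	_, err = lloyds.Verify(tampered, now)
	tamperedRejected = errors.Is(err, ErrBadSignature)
	return accepted, tamperedRejected, nil
}

func main() {
	ok, rej, err := Demo()
	fmt.Printf("accepted=%v tamperedRejected=%v err=%v\n", ok, rej, err)
}
```

The trust list is the whole of the “cross-sector framework” in miniature: Lloyds never sees Barclays’ dongle or its customer records, only a signed statement that Barclays authenticated this money name with two factors a moment ago, which is exactly the separation that lets one bank’s 2FA be reused by another without building a bank-specific scheme.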
It wouldn’t cost anything at all, or at least not very much. Banks could fund the system by having the Payments Council auction the “vanity” money names to the highest bidder. I’m sure Richard Branson would pay a million for £Virgin and Roger Moore another million for £007. It’s about time banks had some innovation in the identity space before they simply give the business away to organisations with a better understanding of the technology and its possibilities.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.