Don’t bank on identity

[Dave Birch] More than one correspondent has asked me why no banks are on the initial list of approved identity providers (IDPs) for the British government identity assurance (IDA) framework. I belong to the IDA working group on privacy and security and, as you might imagine, Consult Hyperion has provided (and is providing) paid professional services to a number of organisations in the private and public sectors who are developing identity-based products and services. So I think I have a reasonable and well-informed perspective. Unfortunately, it also means that I have to be very careful about what I say, as you might also imagine. But speaking generally, and without reference to any specific clients or projects, I’d say there are three main reasons:

  1. I had an e-mail from a bank person (not Barclays) who said that they had looked at starting an identity business but as it would only generate net revenue of $200m/annum after five years, it wasn’t worth pursuing. In other words, it’s classic Christenson disruptive innovation – the new opportunity is too small compared to core business.
  2. It’s a cross-silo and cross-sector opportunity covering both cost reductions and new businesses so it doesn’t fit corporate structure very well. If some form of identity infrastructure is to address both of these opportunities then it is going to cut across the whole sector, let alone individual banks and there isn’t much appetite for this at the moment.
  3. The business units don’t understand the underlying technology, and I’m afraid it’s one of those areas where you can’t brainstorm the products and services that might be delivered without some rudimentary understanding of federation, digital signatures and such like.

I’m a Barclays Premier customer and I’ve had an account there since 1977. Barclays know absolutely everything about me and my finances and they’ve given me a dongle to authenticate myself to them (which works fine) but I can’t use that dongle to log in to Barclaycard, let alone HSBC. What’s more, under the government-mandated expensive (heading toward a billion quid) and pointless account switching system that will go live in a year or two, despite my 36 years with Barclays, if I walk into Lloyds to open an account they’ll treat me as if I’ve just got off the boat and demand that I go home and come back with some high-security documentation (e.g., a photocopy of an old gas bill).

Identity Fraud accounts for over 50% of all frauds recorded in 2012… The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK.

[From Fraud increase driven exclusively by identity crime, says CIFAS | 18 January 2013 | Stock Market Wire]

Identity fraud is out of control in the US as well, albeit for slightly different reasons, one of the key ones being the use of Social Security Numbers as “identity”. Although, rather hilariously, it seems that the criminals principal source of social security numbers isn’t dedicated teams of Eastern European super-hackers working under their direction but…

The most common method used for stealing identities appeared to be data breach notification letters. Approximately one in four recipients of these kinds of messages ended up being a victim.

[From Javelin: Identity fraud reports increased by more than a million last year | ZDNet]

This is the Law of Unexpected Consequences on stilts, isn’t it? No. Actually, it is the Law of Expected Consequences, since it is exactly as predicted at the time of the great HMRC CD debacle in the UK. I can remember saying, one more than one occasion, that the stupid decision to send out breach notification letters to every household in the UK — a letter that included the full name, address and national insurance number (doh!) of the recipients — would undoubtedly lead to more identity fraud being perpetrated than the loss of the CDs (if they ever existed, which, to be honest, I doubt).

We all need much better security around account access but to make it affordable we need standard, federated solutions operating inside cross-sector frameworks. We need to stop building bank-specific, or even banking-specific, solutions. And we need to make security into an essential element of the customer proposition, part of the business, not part of the back room technology infrastructure.

Here’s one idea of what could happen. When you open a bank account, you should be given a UK financial services identifier (your “money name”), just like you get a Facebook name or a Twitter name. Let’s say it’s £Barclays_Dave. The bank should provide 2FA against that money name. When I go to Lloyds to open an account, I should be able use my money name to open an account on the spot with no messing around with old gas bills. Alternatively, I should be able to open an account with old gas bills and get a new money name (e.g., £Lloyds_Dave) if I prefer.

It wouldn’t cost anything at all, or at least not very much. Banks could fund the system by having the Payments Council auction the “vanity” money names to the highest bidder. I’m sure Richard Branson would pay a million for £Virgin and Roger Moore another million for £007. It’s about time banks had some innovation in the identity space before they simply give the business away to organisations with a better understanding of the technology and it’s possibilities.

These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers

These are the personal opinions of Consult Hyperion and its guests and should not be misunderstood as representing the opinion of its clients or suppliers. To discuss how any of the technologies discussed in this post can benefit your business, please contact Consult Hyperion.

Comments

  1. Toby Stevens says

    That point (2) is so important – the business case for IDP only works when looked at in the context of the broadest proposition, and silo-driven cases simply don’t stack up. Problem is that pure-play IDPs aren’t going to make it in this market either, so we need to see those innovators who can cut across their silos and have real vision…

  2. David Moss says

    More than one correspondent has asked me why no banks are on the initial list of approved identity providers …

    Suppose I were a bank who had spent some centuries working hard to keep deposits safely, learning and developing the tradecraft of transactions, managing and protecting people’s personal data, generally building trust …

    and suppose I were then approached by a team of gifted website designers who have no track record in either transactions or privacy …

    who, suppose, said that my data could help to make tens of thousands of public servants redundant, thereby saving billions of pounds a year which Whitehall will hold on to and not pass back to the public – which is the Government Digital Service prospectus – …

    and what’s more they proposed to “nudge” everyone into using Personal Data Stores in the wild west of the web where they would be lambs to the slaughter,

    then I think I might be a bit reluctant to play ball, too.

  3. David Moss says

    … they’ve given me a dongle to authenticate myself to them (which works fine) but I can’t use that dongle to log in to Barclaycard, let alone HSBC …

    I’ve always been surprised that this non-interoperability annoys you:

    (a) it’s a security feature, surely, breaking in to £Dave_Barclays
    doesn’t allow me to plunder £Dave_Lloyds.

    (b) You believe that identity is the new money, well this is what it means to have your identity/money secured.

    (c) You believe that you have several identities, not just one, and, again, this is just what it means, you have separate protections, one each for your various identities, if one master key opened all the locks you’d just have one identity.

    The Government Digital Service say they want to make life convenient for us all such that we don’t have to remember lots of different user IDs and passwords, just one for each of our Personal Data Stores. If that doesn’t put you off the idea, nothing will.

  4. Alexander Peschkoff says

    @DM
    “a bank who had spent some centuries working hard to keep deposits safely”

    The above statement and the reference to Web designers (with “no track record”) is laughable: not all banks have a solid track record in looking after their customers’ money, because that’s simply not what modern banking is about (ever heard of a bank run – that would never have happened if the deposits were “safe”).

    Also, becoming an IDP has got nothing to do with Web designers (some of whom understand privacy better than any bank).

  5. Stephen Wilson, Lockstep says

    Dave rightly points out the frustrating inability of banks to rely upon one another’s identification of a customer. Funnily enough, a clue as to the nature of this problem is contained in the disclaimer at the bottom of Dave’s post:

    “These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers”.

    Clearly that’s bollocks.

    Dave Birch is Consult Hyperion’s thought leader on identity and banking. What he says goes. Further, many of Dave’s clients will have accepted his views and adopted them as their own. And so they should. He is the expert. So Dave’s blog does in fact reflect very closely what his employer and at least some of his clients think.

    So why the disclaimer? It’s a legal technicality. Consult Hyperion’s lawyers do not want the company to accept liability for the consequences of following an opinion provided outside the very tightly controlled conditions of a consulting contract; the lawyers do not want a blog to be represented as advice. Likewise, accepting another bank’s identification of an individual is something that cannot be done casually. The lawyers would be saying to all banks, sure, we know you’re all putting customers through the same identity proofing protocol, but unless there is a contract in place, you cannot rely on another bank’s process; you have to do it yourself.

    There is a way to chip away at the tall walls of legal habit. This is going to sound a bit semantic, but we are talking about legal technicalities here … Instead of a bank representing to another bank that it can provide the “Identity” of a customer, the bank might provide a digitally notarised copy of elements of the identity proofing, like a digitally signed message saying “here’s a copy of Dave’s gas bill” or “here’s a copy of Dave’s birth certificate which we previously verified”. That is, we could stop messing around with abstract identities (which in the fine print mean different things to different Relying Parties) and instead drop down a level and exchange bits of information about verified claims, or “identity assertions”. Individual RPs could then pull together the elements of identity they need, add them up to an identification fit for their own purpose, and avoid the implications of having third parties “provide identity”. The semantics would be easier if we only sought to provide elements of identity. All IdPs could be simplified and streamlined as Attribute Providers.

    More at
    http://lockstep.com.au/blog/2013/02/03/an-identity-claims-exchange-b
    http://lockstep.com.au/blog/2013/02/02/id-in-the-i-of-the-beholder

    Cheers, Steve Wilson.

  6. Pete says

    Looks to me like that ZDNet reporter misread the press release from Javelin. I could be wrong, but I hope you checked with the source before you went through your analysis.

    [Dave Birch] this is what Javelin say in their press release: “This year, almost 1 in 4 consumers that received a data breach letter became a victim of identity fraud”. I agree that correlation does not imply causation, but it I read it as meaning that if I send a data breach notification letter to you, there is a reasonable probability that that letter might be used to commit identity fraud, which seems entirely plausible to me.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>