
How to stop identity theft

The root problem in most identity theft as we know it today is the ease with which ID data can be taken over and replayed.  Businesses ask for -- and obtain -- ever-increasing amounts of precious ID data in an increasingly futile effort to authenticate their online customers.  IDs get stolen and traded on a vigorous black market, enabling fraud which for Card Not Present in the UK alone is approaching half a billion pounds p.a.

The simplest, most general, systemic solution to the identity crisis is to ensure the pedigree of identifiers.  Whether they be credit card numbers, PANs, other customer reference numbers (CRNs), unique health IDs or government IDs, the problem would go away if we could ensure that identifiers cannot be taken over and replayed without their owners' consent.  Stolen identifiers would become worthless.

If we focus on the root problem of the pedigree of identifiers, we can preserve the existing business models for how people transact.  In CNP payments for instance, we can retain the mature four cornered model including all the legal arrangements amongst merchants, acquirers and card schemes, and avoid introducing costly and risky new intermediaries into the settlement process.  Furthermore, with more dependable personal identifiers, we could strip away all that extraneous personal detail and restore some basic privacy in our mercantile relationships.

It turns out to be straightforward to indelibly mark each transaction with one's identifier.  An ideal method is to generate a digital signature code using a certificate that incorporates that identifier.  The underlying key can be managed in a number of ways -- in a smartcard, a USB gadget, a SIM or a mobile device.  The infrastructure, services and software building blocks -- Crypto APIs, XML signatures, PC/SC interface standards -- are all in place now to enable digital marking of mainstream transactions. Smartcard readers are spreading, driven by Chip-and-PIN as well as government and corporate ID schemes in many countries that are normalising the public's experience of cards. Alternatives like USB smart keys are blossoming.
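The sketch below is an added example, not Lockstep's code: it shows a merchant-side check that accepts a transaction only when it is signed by the key bound to the identifier it carries. It assumes a simplified JSON "certificate" in place of X.509, software keys in place of a smartcard, and a per-transaction nonce; all function names and values are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed stand-ins: a real holder key never leaves the smartcard/SIM, and
// the binding below would be an X.509 certificate issued by the card issuer.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const issuer = newKey();
const holder = newKey();
const canon = (obj) => Buffer.from(JSON.stringify(obj)); // in-process encoding only
const sign = (obj, key) => crypto.sign('sha256', canon(obj), key).toString('base64');
const check = (obj, key, sig) =>
  crypto.verify('sha256', canon(obj), key, Buffer.from(sig, 'base64'));

// Issuer binds an identifier to the holder's public key (simplified certificate).
function issueCert(identifier, holderPublicKey) {
  const body = { identifier, publicKey: holderPublicKey.export({ type: 'spki', format: 'pem' }) };
  return { body, sig: sign(body, issuer.privateKey) };
}

// Holder's device signs the transaction, which carries the identifier and a nonce.
function signTransaction(tx, privateKey, cert) {
  return { tx, cert, sig: sign(tx, privateKey) };
}

// Merchant-side checks: certificate, identifier binding, signature, freshness.
function verifyTransaction({ tx, cert, sig }, issuerPublicKey, seenNonces) {
  if (!check(cert.body, issuerPublicKey, cert.sig)) return 'bad certificate';
  if (tx.identifier !== cert.body.identifier) return 'identifier mismatch';
  if (!check(tx, crypto.createPublicKey(cert.body.publicKey), sig)) return 'bad signature';
  if (seenNonces.has(tx.nonce)) return 'replayed';
  seenNonces.add(tx.nonce);
  return 'ok';
}

function demo() {
  const seen = new Set();
  const pan = '4000000000000002'; // constructed sample identifier
  const cert = issueCert(pan, holder.publicKey);
  const tx = { identifier: pan, amount: '25.00', currency: 'GBP', nonce: crypto.randomUUID() };
  const genuine = signTransaction(tx, holder.privateKey, cert);
  // Identifier and public certificate are known, but the holder's key is not.
  const noKey = signTransaction({ ...tx, nonce: crypto.randomUUID() }, newKey().privateKey, cert);
  const tampered = { ...genuine, tx: { ...tx, amount: '2500.00' } };
  return {
    genuine: verifyTransaction(genuine, issuer.publicKey, seen),   // 'ok'
    replay: verifyTransaction(genuine, issuer.publicKey, seen),    // 'replayed'
    noKey: verifyTransaction(noKey, issuer.publicKey, seen),       // 'bad signature'
    tampered: verifyTransaction(tampered, issuer.publicKey, seen), // 'bad signature'
  };
}
console.log(demo());
```

A production verifier would also validate the certificate chain, expiry and revocation, and would sign a canonical encoding rather than `JSON.stringify` output.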

We have demonstrated several practical real world applications of this core technique, including a unique solution to Card Not Present fraud that leverages Chip-and-PIN cards.  The proven approach is entirely thin client, uses an off-the-shelf browser, and requires just 20-30 lines of software to be added to the merchant's shopping cart software.

I am undertaking a research study next week (November 3-7), taking in the Cartes Conference in Paris, and one-on-one meetings in London with banking and government identity stakeholders.  I would very much value the opportunity to talk to additional parties 'at the coal face' to discuss this R&D and road-test the suggested approach.  If you're interested, please contact me via my Finextra account; alternatively my e-mail address is on the page linked below.

Cheers,

Stephen Wilson, Lockstep.
