23 August 2017

44975

Retired Member

3,100Posts 10,913,459Views 3,374Comments
Whatever...

Whatever...

A place to share stuff that isn't at all fintec related but is amusing, absurd or scary.

ID - The Issue - Who Cares Who The Stig Really Is?

13 November 2008  |  3735 views  |  3

I have a few ideas about identity management. The mobile money laundering article begins with a premise about Brittany a 'personal entertainer' (my description), who uses electronic payments to collect fees from her clients and to make her purchases because they are allegedly more anonymous than cash.

Well I'm not too sure about that. I would have thought Brittany would be a strictly cash sort of girl, or otherwise have a legitimate front like most professionals. Some simple ID procedures would make it more difficult do otherwise.

Money laundering is however common, and illegal and I'm not going to begin to suggest how to fix it all, although I'd suggest any payment provider made sure they had a good handle on the issue. It is often in the realm of fraud and some fraud prevention mechanisms help to stifle such practices.

The Real Problem - IDENTITY

The weakness which enables so much fraud and criminality is in the way we carry out identity verification and management. We are all worse off because of it.

The 'know your customer' obligation on FI's is supposed to reduce fraud, and after all, money-laundering is usually defrauding someone, perhaps the tax man for instance, and this goes part of the way to make it harder.

Sure we could use our mobile and transfer some money by SMS, a protocol which flies around in open text and right through the CALEA machine hooked into the phone system and already available to everyone from the local UK council to the FBI. There has been much comment on the viability of searching and sifting these sorts of records continuously to detect criminal or undesired behaviour. Originally available after gaining a warrant targeting an individual or group, it is now used to chase terrorists, child pornographers and drug dealers with limited success. Mostly this is like trying to cure the symptom rather than the disease. Do we really need to squander resources sifting endless information trying to spot a crime?

I suppose a call or message could be 'encrypted'. That wouldn't attract attention either, would it? Just like those guys with their scrambler phones, they may as well put flashing lights and targets on their foreheads. Its a simple matter to 'quiz' the phone system to look for that sort of thing.

Many countries require a mobile phone subscriber to identify themself when they activate a SIM. That process is currently flawed. A slightly different approach would see more effective accountability.

The right approach would link your identity to your life in real-time but include the controls to empower you to decide when, and to whom, that information is provided. Anywhere it is unnecessary by law, and the objective can be achieved without revealing your data, it would become a matter of your personal choice as to what you reveal and to whom.

Individuals want to protect their identity and governments have a responsibility to empower them to do it.

Back to the mobile, simply.

I can call Harry and ask him pick up some money from Bob.  I am using a mobile, but Bob has a land-line and although Harry has a phone, he lives next to Bob, so he'll just pop over. It's all too confusing. Am I laundering money?

Imagine 'monitoring' and trying to understand the nature of every call and communication. Ridiculous. I can send messages to anyone using my mobile without law enforcement ever knowing and make it impossible to understand my communication even if they did, even with CALEA.

There are a multitude of ways to launder money, probably many a lot easier than using mobile money. Most countries now have laws requiring transaction reporting, and limits on transactions and even running totals. I can't imagine any sensible transaction provider designing their system without taking these and potential future legal obligations into account.

Do we have to stop everyone using new technology is case they work out a way to incorporate it into a crime?

A better approach might be to make everyone use their mobile in any process where they want to protect their identity. Let them prove they have an identity, without always revealing the details. A mobile system need not rely on both parties having a mobile.

Stopping the rest of us using mobile transactions just because someone might use one in the commission of a crime is absurd.

IDENTITY - if 'fixed', it will help fix it.

Only a carefully designed mobile system enabling a broad range of interactions founded on identity will reduce fraud, money laundering and ID theft.

Governments are stuck in the 1950's with paper and cards when it comes to interacting with citizens. Banks and merchants hamstring their own security and waste millions of man-hours clinging to numbers and personal data.

Current practice makes it easy for the criminals to steal your money, your peace and your rights - along with your ID and your credit rating.
It also gives them the opportunity to defraud plenty of money to launder. Why would we go back to paper and cards? Will we all suddenly start writing letters on paper and posting them again? Unlikely, even ridiculous. We are in the 21st century and we must go forward with the times.

Governments need to act to provide tangible benefits to citizens, empowering individuals and giving them rights, privileges, safety and security, even anonymity - in exchange for their willing participation in a better, more fair and effective global identity management system.

I believe an authenticator 'beyond governments' but equally open to all, is the only solution which can empower citizens to protect themselves and their rights to peace and privacy. It would also give the governments the mechanism to more easily and efficiently protect their citizens.

The key issue is trust.

In the recent historic election in the US, almost half of the voters (a quarter of the people) voted against the incoming President. That is their right. They may be Republicans and not trust Democrats. In some countries a religious majority control government while a large minority might have many opposing views and not trust that government.

I am, therefore I have a right to my identity.

If we have an identity, it cannot be taken away at the whim of any government. Even wrongdoers have their identity, and we need them to have ID to make our system work, and be fair.

We need an international non-aligned independent identity provider with no other purpose than to enable trust between identities, no matter where they are and for any purpose.

A central identity authentication provider with no identity details of any person, yet able to provide two parties interacting with the guarantee that there exists a 'pointer' to a real identity, somewhere, and that  pointer must belong to the real identity of the person interacting.

Banks can play a part, but it is not core business for a bank, however ID is essential infrastructure for everyone, not just banks and existing identity management can be incorporated into a new solution and  strengthened by it.

ID can also help improve the web experience, preserve anonymity and enable many new services, even revolutionise the way we interact.

If you had to leave a 'pointer' to your identity when you began your web journey it would be easier to manage who went where, like letting kids into chat-rooms rather than fake-kid predators. If when you logged on to a site, there was a 'pointer' to your real identity (which even the site could not 'translate') to ensure that you are accountable for your actions, and law enforcement could, if you do something bad, track you down quickly -  but only after following mandated legal procedures.

Who is the Stig?

On a micro scale, Driver Stig is stopped at a police licensing checkpoint. He has done nothing wrong, it is merely a random stop and they're stopping everyone in the street. Policeman Bobby needs to know if Driver Stig is licensed.

Who knows? The 'Licensing Authority' knows, (at least some licensing authority knows), they also know Stig's real name and address,  date of birth, driver's license number and even when his license expires.

Does Policeman Bobby need to know Driver Stig's name? Of course not. Unless you cling to something that can be stolen, borrowed, forged, cloned, or otherwise mis-used. Using cards and paper and plastic licenses, then Policeman Bobby will waste valuable  time sifting through paperwork and trying to match Stig to his identity (Stig's time too). 

Surely Policeman Bobby only needs to know that the driver he is checking is actually licensed to drive (in this case the Stig).

If Stig can signal the Licensing Authority to confirm to Policeman Bobby that he is licensed, all that is left for Bobby to do is to wish the Stig a nice day.

The same principle applies when Stig signs on to his driving blog. All he has to do is get someone he trusts to signal to the site that he's the Stig.

Similarly when the Stig stops at the petrol station and fills up, the 'petrolier' doesn't need to know the Stig's real name, he just has to be confident that someone somewhere is going to (happily) pay for the Stig's purchases. Ditto when the Stig goes into a shop and makes a purchase, the merchant really only requires confidence that they are going to be paid.

ID is Empowerment

Identity is something we own for our lifetime and we have a right to control it, share it, or 'privatise' it and secure it. Most humans live longer than governments or political movements and identity outlasts Democrats, Republicans, Conservatives, Liberals, Communists and Dictators. It is time we acted like it.

If any system is designed to be open to mis-use , it will be mis-used.

There are countless occasions we can recall where information has been unnecessarily used, recorded, stolen or lost and been misused. There are occasions where persons have mis-used information gained in their official capacity. Accountability is a great deterent, and the right mechanism can make everyone accountable and safer with more anonymity, yet leave an indelible trail of our interactions. There would be a record of the Stig and Bobby's interaction, but no-one will ever even know he was stopped, unless of course he goes missing immediately after, then we can check with Bobby in an instant.

Law enforcement is in the same position as everyone else and if they aren't up to speed, they need to be engaging technologists before the fact rather than complaining afterwards, because there is no going backwards. Adaptation is a continuous imperative.

There is one reason cards will not do - it is un-equal.

If you don't have the reader or access to the ID database, then you'll likely become a victim of the person in control of your ID.

A mobile solution can provide equality in identity, and as such - it will be.

How much is it worth to us to fix ID?

In the race to 'protect' us, some have lost sight of the real goal, and actually undermined our welfare with the 'solution' meant to protect us.

We've wasted resources and time and just made the risk worse. We deserve it to be easy, and we deserve something that works, for everyone. If the answer also means wasting less of Policeman Bobby's and the Stig's time then we are all likely to be better off for it.

The savings we could make will dwarf the bail-outs.The productivity gains will reduce gross domestic costs and improve GDP for every nation. It is essential infrastructure for the 21st century.

QUALITY OF LIFE WILL BE BETTER.

Now is the time to do it.

The 21st century would be a good time to start reclaiming our identity, being proud of our individual identities and claiming the rights we deserved to have cemented to that identity.

It will require a little give and take, I envision a way where there'll be plenty of added benefits and fewer risks.

One thing is for sure, the process must be transparent and equal, exposed to debate and review, and when it is in place there'll only be one you.

How much would it cost and how long would it take?

Just like HSBC have found by investing in updating their information systems, ID too, can pay for itself as the roll-out progresses.

How long? 2-3 years to see the world covered if the G20 were committed.

We are in the 21st century and there's no going back. ID can empower us to catch up and to go forward. It's time.

The Stig with a few buddies in days gone by TagsCardsRetail banking

Comments: (6)

John Dring
John Dring - Intel Network Services - Swindon | 13 November, 2008, 15:23

Tell me you didn't write this just for Finextra?
Its worthy of at least a Chapter in a book ;)

So Identity is not perfect.  Trust is all important.  And we all have a right to our identity.  But (there's always a but) the scenarios you paint are the minority and make identity sacrosanct, which it can't be. Every civilisation has relied on absolute identity ('I am Alexander, the Great", "Napoleon III", "the artist formerly known as ..." etc) and so you cannot change that paradigm overnight, or ever.

The Trusted 3rd Party model says that the 'man in the middle' knows person A, and knows person B, and makes the decision if what person A wants from B is authorised or not (or vice versa).

So lets start at Person B - who is a Service Provider (say a Bank), who manages an Account for Person A.   Someone accesses the Bank system to view Person A account.  Person B needs to validate the access and so logs a Txn with the TTP... Person A needs to 'identify' themselves to the TTP (for that txn) and the TTP checks to see if there is a pointer or token for that person to perform that Txn.  If so, confirms to Person B to allow it. 
Person B never knows who Person A was, except that they had authority to access Person A account.

Ah, so Person A could be 'the taxman' or the FBI with the authority to access anyones account.  Or it could be a faker pretending they are the taxman. Or it could be an insider at the TTP?   So all the same indentity issues and needing to have 'transparency' in the audit trail come back again. Everyone has an identity, so why the big deal about showing it to those who need to know who you are (like the Policemman). The Mega-TTP won't work (too much like a New Order Government), and the Mini-TTP (where every Bank has a TTP) is just as much of a muddle as trusting the Bank to get it right.  And who audits the TTP to make sure they are not syphoning off parts of transactions, or selling data about you, or blocking you for no good reason (e.g. Credit Scoring Agencies).

It does all come down to Trust and Identity.  Does Person A trust Person B, and are they really Person A and B.  End of.  Is 2 factor authentication enough?  Probably. It depends on the context.  I never ask a Bank teller the other side of a bullet proof screen to prove he/she works at the bank - its implied in that context(of me being at the bank).  But if someone knocks at the door doing a police survey, I would. 

Between non-related (and therefor low trust) parties, the Identification is weaker (like an ID card with a  photo on it) and you make a judgement whether to trust it or not.

Between related and highly trusted parties (say customer-Bank) an authentication scheme is agreed and used.  They are evolving.  My bank uses a UserID, a PIN and a Password (basically a fancy one where they challenge for just a part of it).  Eventually, some keylogging software will capture my whole password and send it off somewhere and my online account relationship will be compromised.  But no money can be transferred because they don't have the 4th thing, which is my Bank OTP Generator for making any changes to the account or setup new payments.  I do this so infrequently with this account that its always confusing to do it.  I woul dmuch prefer to use my registered mobile and have the bank text me a OTP as part of my auth login... that way I would find out PDQ if someone logged in without stealing my physical phone as well.  If I don't have my phone (the exception), then ask me a challenge.

Anyway, the point is that someone has to authenticate both sides, and not just me, so I know I am talking to the right Person B.  At least it would be the 'business' of a TTP to be serious about Identity, so there has to be a market for outsourcing the Auth function to an Auth-Clearing house.  I could use the same strong auth with the TTP to get access to a number of participating Service Providers.

So, long story short, I agree with the TTP concept, but think they are there to 'assure the Identity' not guard it.  Let the Service Provider decide on level of access or service based on the assured Identity. And yes, use of a mobile is just another tool in the box that can be used.

If banks continue down the hyped road of NFC tags, the credit card could disappear from your wallet and appear inside your mobile - it still represents 'something you have'.  The NFC ID will replace what used to be the WIM module idea (that MNOs again failed to use well).

This was supposed to be short, not another chapter.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Stephen Wilson
Stephen Wilson - Lockstep Group - Sydney | 13 November, 2008, 22:26

Dean might have paraphrased Pascal or Mark Twain, "I'm sorry this blog is so long, but I did not have time to make it shorter". 

Dean's encyclopedic post contains some good ideas, using what The Laws of Identity call "Directed Identity".  And there are some motherhood statements about trust.  But I'm still at a complete loss to know just what he proposes to do about anything.

As bloggers we all tend to fall into the trap of over-simplification.  In our hasty little dispatches we try to solve the problems of the world, without first defining the problem.  The medium of the bloggosphere  assumes that all readers understand the problem at the start of every rant.  But in the complex modern finance sector we're really not all on the same page.  The sub-problems are many and varied: money laundering and know-your-customer reforms, identity theft (actually better defined as identifier takeover), payments fraud (which breaks down further into online fraud, POS fraud etc etc.), rogue trading, payments efficiency, accessibility and ease of use, customer choice, and all the myriad aspects of the current financial meltdown. These diverse issues should not be carelessly (much less willfully) mashed up, as if they might be solved in one utopian paradigm shift.

Ranting and raving and waxing philosophical is great fun -- I enjoy robust dinner table arguments as much as the next person.  But most Finextra readers are probably more interested in solid contributions to solving specific, well defined problems in the finance system.

So in the interests of good problem definition, I'd just like to reiterate how I see the major security problem with cards.  CNP fraud is a huge problem, but it is not sufficient grounds to abandon cards and shift holus bolus to opportunistic untried mobile schemes.

The four cornered model remains fundamentally sound but it runs foul of fraud on the Internet because Merchants find it so hard to tell whether Cardholder data is genuine or not.  High tech solutions like 3D Secure operate by shifting the authentication task from Merchant-identifies-Customer to Issuer-identifies-Customer in real time.  Medium tech solutions like CAP blend two factor authentication to stop ID theft, with kludges like re-entering transaction data to thwart Man-in-the-Middle attack.  The price paid for these approaches includes slower processing because of all the new bottlencks, and complicated user interfaces.  But at least they don't introduce any new commercial entities, contracts or processors. 

Instead of leaving you with an oblique implied sales pitch, I will state clearly that my company researches specific solutions that safeguard cardholder data when they transact online. We advocate using smartcards (or USB keys or cryptochips in phones) to digitally sign cardholder IDs before presentation, using private keys in hardware, so that the IDs cannot be stolen and replayed.  The approach is simpler to use, faster to process, and introduces no new intermediaries or contracts.

Cheers,

Stephen Wilson, Lockstep.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Steve Liles
Steve Liles - Sheffield Computer Systems PL - Sydney | 14 November, 2008, 00:02

This subject is a very important one, thanks for raising it Dean.

To begin with, we can agree that ID theft is on the rise...and tomorrow it could be yours that is stolen...it really isn't difficult to do.

The drivers that FSI's have to protect customer identity are substantially on their bottom line.  Their perspective is about “How much are we losing in dollar terms and brand damage?”.  As you know, brand translates into future dollars.

Regulators are similarly ineffective or uncaring because the problem is only, so they say, 4.5 basis points of the bottom line of FSIs? and reflected by only a soft cry from unheard victim statistics.

Only the governments, call them regulators if you like, can stipulate and monitor appropriate ID protection guidelines and I don't think they have the gumption, co-ordination or vision needed to address this issue yet.  

Let's consider Joe Public for one moment instead of the bottom line of FSI's.  The impact that ID theft has on any individual and their immediate families can be and often is absolutely devastating.  The emotional and financial impact is something that is impossible to imagine.  It would equate to your life being high-jacked and all your values and trust being lost forever...no job, no money, infringement notices or court appearances to try to clear your name and sometimes, prison terms.  Worse still, for those who suffer chronic depression, suicide is way out. Our legal system is such that the costs of fighting these cases can exhaust the family savings very quickly! (let’s leave this for another discussion)

How much does this weigh on the conscience of FSI's or, in voting terms, on the real government priority of staying in office?  Well, it doesn’t!  Despite the process tinkering and the hyperbole surrounding technology advancements, do you hear any improvements being made in the numbers of ID thefts?  No, quite the opposite!

So put yourselves in this position and ask how important is your identity? Tell me that you have just a little shiver of uncertainty, a hesitation...it's not just you but your kids and theirs to come…very scary stuff but we are responsible…and now, or we really can be found ‘guilty as charged’.

Will you defer to the tide of impotence and suggest a 'steady as she goes' approach?  Let's leave our health and wellbeing to the guys with their bottom lines to protect...hey that's good advice...or shall we even not care and think that the regulators will take care of us? 

The discussion on this thread may help people understand that hard decisions need to be made and encourage governments to feel strongly enough to make them.  Are you pushing software solutions, hardware solutions or can you put your hand on your daughter or son’s head, ruffle their hair and say I’m saying this for you?

We are apparently spending billions of dollars saving the planet but who is saving our well being…our identity?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 14 November, 2008, 01:44

While identity and it's impact on all of us certainly isn't simple and can only be simplified in a blog, albeit a Twain-ish tome, its far too boring for dinner conversation at my table.

Perhaps putting it in another simplistic way - Who has an interest in identity?

While you think of the great long list and answer, I'll do it for you.

Everyone has an interest in identity.

I suppose the best course is to make the banks shoulder the burden alone? That doesn't fit too well with anyone's bottom line.

Expecting banks to provide identity is a bit like suggesting they should become internet providers and telco's just so as people can internet bank and (mobile)phone bank. In my mind anyway.

I'm just suggesting that there are more stakeholders than just banks, and while it might seem sexy to differentiate your brand with a new gadget, I'm not sure the shine is worth the cost of the polish. Most business analysts can tell you that if you innovate, your competitors will soon follow, and your advantage may diminish quickly.

It follows that your expenses will increase but not necessarily your market share. Any banks had people rushing in and churning their account so they can get the latest security gadget?

Every financial services provider has the potential to suffer over trust issues.

I can't find any instance of where a gadget has led to an increase in market share, unless you are the manufacturer of the gadget. The iphone might be an exception and may have lead to more subscribers for telco's but I'll leave how fabulous mobiles are out of the discussion for the moment.

There is a school of thought that see's everything as a profit centre and anticipates a bottom line profit in providing a service, although identity may be harder to make profitable as a lone bank, or even a whole country.

Inevitably that country requires integration with another, or another bank and you could end up with all sorts of difficulties and cost. You get different approaches, standards, and levels of trust. Risk becomes unpredictable. Liability becomes arguable. Banks are distracted from their core business. Banking.

Banks are also burdened with the lions share of the costs. They get no return when a customer uses their bank documentation to establish identity elsewhere.

If they get it wrong, they risk suffering losss of reputation. Why, just to impact those miniscule bottom line points or perhaps make a buck or two on the gadget?

Stick to banking, leave the electronic gadgets business to Car Toys. They're much better at it. Perhaps you would advise Car Toys to get into banking if the gadgets are to rule and are what drive customers to banks? It doesn't if the gadget adds a single step to the process, and it harms the brand if it is to complicated. So I suppose car Toys could get into banking if they knew how to use the gadgets they sell to satisfy the customer's need to transact and have ID. Perhaps I'll give them a call.

Governments have a lot more to gain than banks in the identity equation. They should carry their fair share of the burden.

It also has the bonus that if you are all using a third party system, if there is a problem (and historically there have been  many), then the bank is not to blame - the third party system is. It's called shifting risk. Spreading the burden of what is not core business.

So I guess I'm barking up the wrong tree, if banks see proving identity as a profit centre and can bear the risk of loss of reputation, but if they are actually more into banking they might understand my simplistic points.

I try and relate it to the bottom line. If bankers understand anything, it should be that.

So if getting economy of scale, governments contributing and perhaps mandating 'user pays', won't improve every stake-holder's bottom line, then I obviously didn't go to the same business school as Stephen.

If the banks got together to improve trust that would have to be a good thing for the industry at a time when it is most needed. The time may never be better. It's a 21st century thing to do. It is going to happen, the banks can enter later at the user pays stage or take the bull by the horns and get all the benefits on their bottom line from the start, and probably when they really need it most..

I'll leave you to think about your bottom line because I've mentioned bottom one time to many and that great bum competition in Paris just keeps interrupting my thoughts. :)

Speaking of competitions, we could always have a global competition to come up with the most practical and cost-effective ID solution and see who wins.  Bring on the expert panel, bus in the PhD's. I'm up for it. It won't be half as much fun as Paris but it could really take banking into the 21st century.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 14 November, 2008, 08:02

I would answer the technical part from John, but it would be another tome, suffice to say the issues you mention generally don't apply with the methodology I have in mind, from the risks you mention right through to the audit trail.

It isn't so much about 'hiding' your identity, it is about not needing to reveal personal data in order to ID yourself.

A thief will not be able to steal your ID, because of the new ID process. You'll be able to put as much personal information anywhere you like,because it'll take more than that to impersonate you.

Relying on carrying documentation is just plain asking for trouble, and trouble keeps coming. There is enough personal data out there now to keep ID thieves going for at least 30 years and we can't get it back. If we managed to secure every bit of personal information from now on while still relying on existing ID procedures it would take decades before we recovered.

We need a new approach to the way we identify ourselves, and it would best be one that isn't just based on a lot of personal data flying around. That data has already flown the coup.

'Biometrics' might be put forward as an option, well an imprint in my frontal lobe is biometrics, and I'm already carrying a built in reader that no-one else can operate. My brain.

I reiterate 'What can be abused, will be abused'.

I don't fancy having my biometric data and DNA in everyone else's hands along with my personal data. With more than a passing knowledge of medical science and human nature I can only see dark things down that route, and it isn't worth the risk when there are easier and lower cost solutions.

We just need to use our brains, and perhaps our mobiles.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 17 November, 2008, 16:22

Er.......Just to be a pedant,

Mr. Stig was never an F1 driver as in your picture - He was a WTCC (or similar) driver so most unlikely to be in the frame. Also, he would have been around 40 odd when your picture was taken (a little too old to drive F1 unless your name is Jacques Laffite).

 

Well we are talking about Identity theft!!!!

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Retired's profile

job title
location
member since 2014
Summary profile See full profile »

Retired's expertise

Member since 2009
3066 posts3,374 comments
What Retired reads

Who's commenting on Retired's posts

Ketharaman Swaminathan
Charmaine Oak
Francis Chlarie
Raymond Lee
Deepthi Rajan
Melvin Haskins
João Bohner
Bob Lyddon
Urs Meier
Steven Hatton
Ahmed Saleh
Barclays Loans Service