
Identity is a simple idea that has become a complex problem

Identity has become complex due to fraud, which is motivated by money, easy credit, and the ease of account takeover. Because identity has yet to be effectively established, anyone can be you. “Identity has yet to be established” is a bold statement that really requires an entire blog post. I’ll explain briefly here and in detail another time.

For example, in the US, we have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data. All of these documents can be compromised by a good scanner and inkjet printer. This is not established identity. This is an antiquated treatment of identity and ID delivery systems. Identity has yet to be established.

Like it or not, you will soon be effectively identified. And by “soon,” I mean within the next 10 years. Big Brother, whatever that means, will have your “number.” Governments across the globe have been gearing up and introducing numerous technologies to identify, verify and authenticate.

Proper identification starts with government employees, who basically have little say in the matter. Small, specific segments of society such as airport employees, those of immediate concern to Homeland Security, are also first in line to be identified.

Security Management reports that as of this month, all workers and mariners attempting to access secure maritime and port areas nationwide will have to flash a government-approved Transportation Worker Identification Credential (TWIC), a biometric identification card, before entry. As expected, the system is riddled with problems and complaints.

HSPD-12, or Homeland Security Presidential Directive 12, set universal identification standards for federal employees and contractors, streamlining access to buildings and computer networks, but not without some glitches.

Many privacy advocates scream in horror about a national ID. The fact is, we already have a national ID and it’s the Social Security number. While the Social Security number was never intended to be a national ID, it became one due to functionality creep. And it does a lousy job, because anyone who gets your SSN can easily impersonate you.

Privacy advocates and others who believe that there is or ever was true privacy are operating under an illusion. The issue here isn’t really privacy, it’s security. It’s managing our circumstances. Growing up, my mother was a privacy advocate. She advocated that privacy was a dead issue as long as I lived in her house. At any given time, she could rifle through my stuff if she even got a hint of glazed eyeballs.

I’ve always been fascinated with identification and what it means. Over the years, as I’ve dug deeper into information security and then identity theft, I have been floored by the ineffectiveness of the existing system. Numerous identity technologies use software or hardware as the delivery system. A Smartcard is a delivery system; it isn’t your identity. Identity may include biometrics and verification questions.

Then there is the issue of properly identifying a person. How? And what is the difference between authentication and verification? I’ve always used them interchangeably, so I asked an expert, Jeff Maynard, President and CEO of Biometric Signature ID, who is in the game of properly identifying his clients’ clients through dynamic biometrics, for his take on authentication vs. verification. There is a distinct difference.

“Authentication is the ability to verify the identity of an individual based on their unique characteristics. This is known as a positive ID and is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of each are: Static - iris, fingerprint, facial, DNA. Dynamic - signature gesture, voice, keyboard and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify their asserted identity. Included in this class are out of wallet questions, PINs, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.”

Identity proofing means proving identity, which, as I see it, is the foundation for identity and one of the most overlooked and under-discussed aspects of identity amongst industry outsiders. This is a most fascinating topic. I will get into that soon.

Robert Siciliano, identity theft speaker, discusses Social Security numbers.


Comments: (5)

Dave Kershaw - Ulster Bank - Belfast 22 April, 2009, 08:41

I have often wondered why identification is always one way, with the bank website asking me for a password. Instead, why not make it two way and I ask the bank for a password as well. This could be a single thing, or a range of questions:

What's my favourite fruit?

Can you show the picture of me holding a penguin?

When did I last use one of your ATMs?

After all, your identity is supposed to be shared with those you know. And this is a two way process.

A Finextra member 22 April, 2009, 10:15

Yes, the fundamental concepts of this vitally important topic need to be discussed threadbare, understood and systemic solutions implemented globally.

It is probably fair to say that we have made some progress from the early days of the web. Today, we agree to have our (real) profile information demanded and stored for the sake of the convenience of online transactions but the safety mechanisms and reliability of the service providers have hardly kept pace with the increased usage.

The tendency is to take any new technology and tout it as state-of-the-art to the masses as long as it gets in more customers. Most of the popular press articles titled, "How to Safely Use the Internet" still talk about looking for the lock icon on the status bar of the browser as an ultimate guarantee of safety.

As soon as somebody deploys a new technology, say, fingerprint matching to withdraw cash from an ATM, it is advertised as a great security feature. But the Malaysian man whose kidnappers cut (or threatened to cut) his fingers a few years ago may have a different view about it.

I hope within a few years we are able to look back and laugh at the current state-of-the-art that involves me remembering where I scribbled the PIN for the dynamic token generation gadget that displays an alphanumeric code that I enter along with a password which I noted down in a different diary. Not to mention I was forced to change it last time I logged in but forgot to update the diary... Oh, now I need to request a password reset by providing the answer to that cleverly cryptic question I thought up when hurriedly completing the registration formalities... AAARRGH!

A Finextra member 24 April, 2009, 06:05

While innovation has been realized in most aspects of commerce, the business entity that needed to pull this together (financial entity) has severely fallen behind.

Identity is not a complex problem. Commerce wants your money. Banks hold your money and allow commerce to get your money. So far, commerce has come up with so many innovative ways of selling to you and enabling you to pay. Just as it enables you to buy and pay, it also enables fraudsters. So far, even fraudsters have been more innovative than Banks.

Banks need to keep up with innovation to ensure that your money is safe as well as to give you access to your own money when you want. Commerce and banks need to be at the same pace of innovation but banks are way behind.

A Fraud Prevention System must be placed where it technically belongs, down to the financial institution's level (specifically the spigot / system that authorizes the funds). As soon as (issuing) banks 'step up to the plate', then the commerce side of the market will no longer have reasons to complain about the interchange fees they pay because, truly the banks that charge for the cost of fraud (by way of interchange fees) will then be detecting and preventing fraud while allowing legitimate payments.

Cedric Pariente - EFFI Consultants - Paris 24 April, 2009, 08:21

Hi Dave,

You obviously have understood what shall be the next generation of authentication: strong mutual authentication.

Hackers are not waiting for banks to be innovative, banks really need to be proactive and invest in new technologies, especially in times of crisis.

And I really mean invest because it can generate benefits for them if they actually correctly protect people's money. It would mean more accepted transactions, less charge back processing costs, and eventually better client retention and acquisition.

A Finextra member 28 April, 2009, 04:08

Hi,

Taking ahead Dave's point of mutual authentication, industry really needs to think about generating authentication modes for institution for the security and trust of customer. Drawing parallels from payments, similar feature viz. Bilateral Key Exchange (BKE) in SWIFT got replaced by RMA. During initiation of relationship between customer and Bank, both entities mutually define granularity in relationship. The essence of security is defining the granularity. Any time relationship is utilised for consumption of service, definition of relationship is verified with the intended service after authentication. We need to closely watch how this dynamic mutual authentication evolves in the coming days.

Best Regards

Rajeev Nair