Cedric Pariente - EFFI Consultants - Paris 20 October, 2009, 10:37 0 likes

Interesting.

However, the list of people we are supposed to trust is quite surprising.

If I had to list people we can absolutely not trust right now I would list exactly

"Credit reference agencies, banks, doctors, dentists, government employees"

How would it work in such a case?
What if I do not trust anyone? (which is a reasonable approach when talking about ID Theft according to a lot of people who are blogging here)

Ainsley Ward - CGI - Glasgow 20 October, 2009, 14:47 0 likes

And of course the third party company should be run by Dean Proctor, master of the secret identity solution...

Once again you're off spouting all of this theoretical nonsense that has absolutely no grounding in the real world. Mobile phones are not a good basis for any all-encompassing scheme because NOT EVERYONE HAS ONE. Indeed saturation is high in many markets, but in a global population of 6 billion, only around half have an active mobile - even if you make the poor assumption that each person only owns one mobile (I myself have 2). And many folk, particularly the young, will change their phone at least every 12 months. So there is fatal flaw number 1.

Fatal flaw number 2 comes in your assumption that all the 'trusted' people that you've listed actually give a crap about identity theft. A bank doesn't care who you are if they get their money back. A doctor will treat you and get paid regardless. A dentist even more so. The Government only cares if you are taking money out of the system - and only then if you're better at it than an MP. In the real world banks have not addressed ecommerce fraud in the UK because it would currently cost them more than they're losing. Basic rules of a free market economy.

In fact, the only person that really cares about your identity is you. And so you have a choice to either prepare plan B and work out how to mop up when (not if) things go wrong, or turn into one of those anal folk that shred their mail and have seperate PCs for each application.

In the free market economy, Customers will declare their position through their actions. Banks like Capital One that are building their reputation on security and authentication will capture those that are worried about these things. Others will focus on ease of use and capture the folk with plan B. It's as simple as that.

A Finextra member 20 October, 2009, 14:48 0 likes

Cedric,

I would propose that people were given the opportunity, perhaps with the assistance of legislation where required, to decide who could access their information and in what context.

For instance - should credit reference agencies be able to supply your credit rating to a lender without your participation?

It has proven to be unwise. I would propose that you should be part of the process, a process which would fail with just scavenged documents and a printer in the hands of a fraudster.

If you choose not to apply for credit you should be able to choose to have your credit file locked. That is a no-brainer. I propose it should only be unlocked by you.

The only effective solution will be to enable you to, by default, disable things like loan applications, opening new accounts and other opportunities for fraud - by require you to actively participate, using your mobile to authenticate that it is you applying.

In the case of health care, you may choose not allow a doctor to have access to your medical records, however that would probably be counterproductive.

If, however your health insurer were footing some or all of your medical bill they may be keen to be sure it is you getting the work done at their expense (and it is in your best interests) and you must be enabled to reassure your co-payers that it is you they are paying for.

I would imagine a visit to your doctor might include a couple of actions on your mobile to confirm your attendance and permit the doctor to access your medical records. The receptionist need not even know your name if you preferred that level of privacy. The system will still work for you.

Your confirmation at the conclusion of treatment might also confirm to perhaps VA or the government healthcare system that you are in fact receiving treatment from the doctor who is billing them. The process would be fast and simple, removing the need for documents, cards and paperwork and could also confirm payment of your contribution to the cost.

You cannot be forced to participate so long as you have the means to pay your own way.

At times we all have no choice but to 'trust' someone somewhere. Repairman, policeman, government employee, dentist - only you won't have to trust just their word, plastic or paper as to who they are.

Does it not seem logical? Forget about how it is done, preconceptions of cost or difficulty - what if it was just plain easy and simple?

I believe we would all benefit from the power to control our identity and at least confirm the identity or authority of those we interact with and in so doing - dis-empower the information thieves.

Do you have a mobile?

A Finextra member 21 October, 2009, 14:09 0 likes

To me, there is a fine line between insightful comment, using your own products as examples because that's what you know best, and out-and-out astro-turfing. Ainsley Ward clearly feels this post falls on the wrong side of the line, and I'd tend to agree. Does FinExtra need a bit less of the 'world hunger is soluble by a product I just happen to sell' type of posting?

Joe Pitcher - Irrelevant - Wirral 21 October, 2009, 14:20 0 likes

Chris, I'd have to agree with you (and Ainsley). Unfortunately Finextra blogs are turning into adverts for products which purport to save all the ills of the world. Try and get any further information though and all you get is stone walls. I fully support anyone promoting a solution that they claim resolves all issues where others fail but only if they can back these claims up.

I could easily post I have a cure for cancer, can run faster than Usain Bolt and a better job than Rafa Benitez.....please just don't ask me to prove any of this.

A Finextra member 21 October, 2009, 15:13 0 likes

This is exactly what I've been recommending for over six years, through a variety of published research reports and public presentations. I've even said as much in presentations to US government officials and in keynotes to financial industry executives, but I mostly get blank stares. Anyone who's followed the research of my company, Javelin Strategy & Research, knows that we've said ID fraud (we avoid the term "identity theft") is a unique crime because it involves two categories of victims (identity-holders and financial providers) who don't generally cooperate with one another on a proactive basis. The privacy and victim advocates are sometimes the biggest impediment to protecting individuals (do I really dare say this?) because their well intended efforts at protecting individuals result in a furthering of the victim mentality. The technology exists to enable individuals, and while mobile phones are ideal, tellers in bank branches can suffice as well for the have-nots. 

We'll only defeat identity criminals when we get identity-holders and various institutions to get as organized as the criminals already are. We now have survey results from 246,000 identity-holders, bankers, vendors, merchants and others from which we draw this conclusion. 

Paul Penrose - Finextra - London 21 October, 2009, 15:21 0 likes

The Finextra Community has strict guidelines on the use of blogs posts to promote third party products and services - ie, it's not allowed and we're quick to clamp down on malfeasants. We also have an abuse reporting mechansim where members can report infringements of the rules.

Now Dean may not actually have a commercially available product to punt - which is why some of these posts slip through.

However, the Community has spoken and it seems to be mightily fed up. As the Community bobby I reluctantly accept that we have to take action.

Dean, you're contribution to the general Community debate is still welcome - but when it comes to your mystery product, I think it's time to put up, or shut up.

Nick Green - ISD Consultants - Northampton 21 October, 2009, 21:01 0 likes

Here, Here!

John Dring - Intel Network Services - Swindon 21 October, 2009, 21:49 0 likes

I for one enjoy the doom mongering and conspiracy theories of Dean (even concur with quite a few), but would agree that its a bit tedious hearing snippets of some ethereal system which frankly just revolves around a 'trusted third party' approach.

there's always an attack vector, and in the case of trusted third parties one is the integrity of the people and systems in it.

A Finextra member 22 October, 2009, 11:58 0 likes

So I take that as a No.

A Finextra member 22 October, 2009, 12:58 0 likes

Dean,

You should take the comments on the chin.  You have been identified as what you are.

A Finextra member 26 October, 2009, 14:48 0 likes

I agree with Deans approach in that a real time solution is required and we should encourage customer participation.

We just need to look at the way we use data to confirm identity.

Identity can be confirmed by verifying different pieces of personal information against seperate databases and checks.

It is imperative that this data is held in different places and it is only used to check the data you have and doesn't return any information for the individual.

So for example you would be able to check that a passport number was a correct number for a person with the enterered information however if you did not have the passport number you would not be able to return that information.

It is basically non-disclosure multi-source identity checking. The sources and checks would be dynamic and only the method of access and risk scoring methodology remaining the same.

A Finextra member 27 October, 2009, 00:39 0 likes

Anyone like some egg?

https://www.finextra.com/blogs/fullblog.aspx?blogid=3442

A Finextra member 27 October, 2009, 03:19 0 likes

http://news.bbc.co.uk/2/hi/uk_news/england/cambridgeshire/8325477.stm

The right link. Online banking anyone? Perhaps not with eggs.

Joe Pitcher - Irrelevant - Wirral 27 October, 2009, 09:37 0 likes

I think the key sentence in this article is:

"the strongest practical solution available and was just part of the multi-layered security employed"

Its not a perfect solution - far from it but at least its real! Theoretical systems that are yet to exist in the real world cannot be attacked by Cambridge University students so therefore cannot have their flaws identified.

A Finextra member 29 October, 2009, 01:27 0 likes

"the strongest practical solution available and was just part of the multi-layered security employed"

Not perfect is an understatement.

Not secure is the reality.

I am constantly amused at how quickly the snake oil evaporates.

I look forward to UK and all banks being forced to carry the risks in internet transactions.

I would suggest that executive bonuses could be tied to the level of internet fraud, in reverse of course. Perhaps directors personally liable? Sort the men from the boys.