Don’t bank on identity
[Dave Birch] More than one correspondent has asked me why no banks are on the initial list of approved identity providers (IDPs) for the British government identity assurance (IDA) framework. I belong to the IDA working group on privacy and security and, as you might imagine, Consult Hyperion has provided (and is providing) paid professional services to a number of organisations in the private and public sectors who are developing identity-based products and services. So I think I have a reasonable and well-informed perspective. Unfortunately, it also means that I have to be very careful about what I say, as you might also imagine. But speaking generally, and without reference to any specific clients or projects, I'd say there are three main reasons:
- I had an e-mail from a bank person (not Barclays) who said that they had looked at starting an identity business but as it would only generate net revenue of $200m/annum after five years, it wasn't worth pursuing. In other words, it's classic Christensen disruptive innovation - the new opportunity is too small compared to core business.
- It's a cross-silo and cross-sector opportunity covering both cost reductions and new businesses so it doesn't fit corporate structure very well. If some form of identity infrastructure is to address both of these opportunities then it is going to cut across the whole sector, let alone individual banks and there isn't much appetite for this at the moment.
- The business units don't understand the underlying technology, and I'm afraid it's one of those areas where you can't brainstorm the products and services that might be delivered without some rudimentary understanding of federation, digital signatures and such like.
I'm a Barclays Premier customer and I've had an account there since 1977. Barclays know absolutely everything about me and my finances and they've given me a dongle to authenticate myself to them (which works fine) but I can't use that dongle to log in to Barclaycard, let alone HSBC. What's more, under the government-mandated expensive (heading toward a billion quid) and pointless account switching system that will go live in a year or two, despite my 36 years with Barclays, if I walk into Lloyds to open an account they'll treat me as if I've just got off the boat and demand that I go home and come back with some high-security documentation (e.g., a photocopy of an old gas bill).
Identity Fraud accounts for over 50% of all frauds recorded in 2012… The takeover of customer accounts increased by 53% from 2011, meaning that data driven identity crimes now constitute the vast majority of all fraud in the UK. [From Fraud increase driven exclusively by identity crime, says CIFAS | 18 January 2013 | Stock Market Wire]
Identity fraud is out of control in the US as well, albeit for slightly different reasons, one of the key ones being the use of Social Security Numbers as "identity". Although, rather hilariously, it seems that the criminals' principal source of social security numbers isn't dedicated teams of Eastern European super-hackers working under their direction but…
The most common method used for stealing identities appeared to be data breach notification letters. Approximately one in four recipients of these kinds of messages ended up being a victim. [From Javelin: Identity fraud reports increased by more than a million last year | ZDNet]
This is the Law of Unexpected Consequences on stilts, isn't it? No. Actually, it is the Law of Expected Consequences, since it is exactly as predicted at the time of the great HMRC CD debacle in the UK. I can remember saying, on more than one occasion, that the stupid decision to send out breach notification letters to every household in the UK -- a letter that included the full name, address and national insurance number (doh!) of the recipients -- would undoubtedly lead to more identity fraud being perpetrated than the loss of the CDs (if they ever existed, which, to be honest, I doubt).
We all need much better security around account access but to make it affordable we need standard, federated solutions operating inside cross-sector frameworks. We need to stop building bank-specific, or even banking-specific, solutions. And we need to make security into an essential element of the customer proposition, part of the business, not part of the back room technology infrastructure.
Here's one idea of what could happen. When you open a bank account, you should be given a UK financial services identifier (your "money name"), just like you get a Facebook name or a Twitter name. Let's say it's £Barclays_Dave. The bank should provide 2FA against that money name. When I go to Lloyds to open an account, I should be able to use my money name to open an account on the spot with no messing around with old gas bills. Alternatively, I should be able to open an account with old gas bills and get a new money name (e.g., £Lloyds_Dave) if I prefer.
It wouldn't cost anything at all, or at least not very much. Banks could fund the system by having the Payments Council auction the "vanity" money names to the highest bidder. I'm sure Richard Branson would pay a million for £Virgin and Roger Moore another million for £007. It's about time banks had some innovation in the identity space before they simply give the business away to organisations with a better understanding of the technology and its possibilities.
These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.
The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License. If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.