[Dave Birch] We’ve often looked at the natural strategy of using identity infrastructure as the “front end” to payment infrastructure. To put it simply, if you have an ID card in your pocket (or, more likely, your phone) wherever you go, then what’s the point of carrying other cards around? Well, one reason is that if you only have one ring to rule them all, and that ring is lost, you’re in schtuck (I think there’s an idea for a book there somewhere). This is a valid concern.
A junior, who wishes to remain anonymous to protect her identity, had her ID card number stolen.
Now, of course, in a developed nation (such as Germany, for example) this shouldn’t matter, since there is nothing remotely secret about ID card numbers and they cannot be used to effect any transactions — you need the smart ID card for that. But when the ID number is attached to something that has no inherent security, like a piece of cardboard, then it can be the root of mischief.
A week later, she decided to check her account balance at the Help Desk. The help desk printed her receipts, and she realized her laundry money account had decreased from $21 to $2.
“I saw a lot of Marvin’s, but I hadn’t ordered from Marvin’s at all this year,” the student said.
“I looked at the transactions to compare them,” she said. “When I was in Chicago, my card was being used here, and one of my receipts said that I had charged for Marvin’s at 6:46 p.m., when I had also bought food at the Hub at 6:48 p.m.”
This is the inevitable consequence of 1-factor authentication, just like magnetic stripes on credit cards. Fortunately, the story has a modern, happy ending.
Public Safety, who traced the Marvin’s orders to a cell phone number, caught the perpetrator.
Too funny: the master criminal who copied the ID card number down used his own mobile phone to order food using the number. Still, it’s a serious point, and it has been discussed with relation to some of the national smart ID schemes that we have advised on: there’s a reasonable concern that ID cards might be a target for crime if they can be used for payments, which is true, if the ID cards have no security. But suppose the ID cards have not only a chip on them to prevent counterfeiting, but also a biometric cardholder verification method.
The much talked about Unique Identity Project (UID) is not just about providing citizens with biometric cards. In fact, the new identity cards can be used for multiple purposes and can even replace the debit or credit cards one day.
So, once again, let’s be clear about these implications. An effective digital identity infrastructure sitting on top of a standardised “payments cloud” will completely reshape the sector. It will substantially reduce the cost and complexity of starting a new payment scheme, and will further substantially reduce the cost and complexity of running a new payment scheme.
I think there’s a lot to be said for a mobile-based solution. My kids already use their mobile phones to log in to important services, such as World of Warcraft, and to be honest although I find my Barclays PINSentry pretty convenient most of the time, I’d much rather use my phone to log in to the bank as well. Back in February, I wrote that the new developments in online payments were crying out for simple 2FA to make them work.
Google is developing a micropayment platform that will be “available to both Google and non-Google properties within the next year,” according to a document the company submitted to the Newspaper Association of America. The system, an extension of Google Checkout, would be a new and unexpected option for the news industry as it considers how to charge for content online.
While currently in the early planning stages, micropayments will be a payment vehicle available to both Google and non-Google properties within the next year. The idea is to allow viable payments of a penny to several dollars by aggregating purchases across merchants and over time. Google will mitigate the risk of non-payment by assigning credit limits based on past purchasing behavior and having credit card instruments on file for those with higher credit limits and using our proprietary risk engines to track abuse or fraud.
I’d be more than happy to use such a system (or Kachingle, or whatever) on the web but only if the login is secure and easy (like putting my phone on my laptop or something).
So who is going to provide the simple, ubiquitous 2FA for the web? Not banks with their dongles. Logically, I’m sure it should be MNOs, but I don’t think any of them have a strategy for this sort of thing (some do: Turkcell, for example). So perhaps some third party will come along and solve the problem for a specific application (such as payments) but do it in an elegant way that spreads.
With Facebook Credits already being successfully sold in Target Stores, the social network announced today that Walmart and Best Buy will also begin selling the site’s virtual money.
The news that Facebook is taking its Facebook Credit payment system in new directions is not unexpected, but notable nonetheless. So what does this mean? Well, I think it means that there is more reason for Facebook to develop some kind of two-factor authentication (2FA) involving hardware. The more valuable the Facebook identity becomes – especially now that payments are involved – the greater the temptation for phishers to try and get hold of the passwords.
If this is done, then there is an expectation that the existence of a secure and convenient micropayment scheme for Facebook users (of which there are hundreds of millions, remember) will stimulate the development of new marketplaces within Facebook’s “barbed wire”. This seems plausible to me — if it had been up to me, I would have added a spurious green element to the proposition somehow (getting merchants and other organisations to give out Facebook credits to reward environmentally desirable behaviour) — and I hope they succeed. I wonder who else might enter a more competitive currency market?
There are plenty of candidates. If the mobile operators were to focus on a long-term strategy for identity and authentication, they could offer a standardised, scaleable and economic service to all of them.
These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public