[Home] [Current Edition] [Compendium] [Forum] [Web Archive]
[Email Archive] [Guestbook] [Subscribe] [Advertising Rates]
ARRAY Logo icon


Identity Cards and Financial Services: How Will the Introduction of ID Cards
Affect Financial Services Providers?


By Dave Birch, Consult Hyperion

David G.W. Birch is a Director of Consult Hyperion, the IT management consultancy that specialises in electronic transactions, which he helped to found in 1986. Prior to this he spent several years working as a consultant in Europe, the Far East and North America. He graduated from the University of Southampton with a B.Sc. (Hons.) in Physics. A member of the advisory board for European Business Review and the editorial board of Microsoft's Finance on Windows, he has lectured to MBA level on the impact of new information and communications technologies. He has written for publications ranging from the Parliamentary IT Review to Grocery Trader and is well-known for his column in The Guardian newspaper's "Online" section. He is a media commentator on electronic business issues and has appeared on BBC television and radio, CNN, CNBC and other channels around the world.

Web: http://www.chyp.com
Email: dave.birch@chyp.com or steve.pannifer@chyp.com


THE IDENTITY PROBLEM

It is clear that without significant change the identity problem will only get worse. In a recent US case, what the authorities there call the biggest case of identity theft ever, just two men orchestrated an identity fraud that hit 30,000 Americans and netted $50 million [1]. The financial services sector is at the forefront of the fight. More than half of all identity fraud in the US relates to banking and, as the fraudsters become more widespread and more wise, banks and other financial services providers will find more and more of their resources being tied up by identity problems of all kinds. The problem of identity and identity management can only increase in priority and trying to solve it by asking customers to remember more and more passwords is a waste of time. As the former US national security advisor Richard Clarke recently said, any system that relies on a password is insecure [2]. The industry's current defenses (i.e., passwords plus education) are at best an irritant to consumers and at worse an active incitement to fraudsters. Aside from phishing, as I discussed in my last article, it is trivial to defeat password "security" using simple software tools. For more than a year, PC users at 14 Kinko's stores in New York were having their every keystroke recorded by one Juju Jiang, who had installed secret logging software on the machines. He captured more than 450 user names, passwords and other details which he then used to access online bank accounts [3]. A similar fraud was uncovered in South Africa. Since, as with all of these kinds of criminal behavior, we only get to know about the minority of cases that are uncovered (and banks are, of course, notoriously reluctant to give out details of fraud), it seems reasonable to assume that the days of the password are numbered (or at least lettered and numbered). This isn't another case of hype and media sensationalism, it's about a real, growing and highly pernicious problem. If this kind of identity fraud continues it could well undermine the confidence of the general public in online transactions of all kinds: not just online banking, but online business and online government as a whole. We are already in a situation where legitimate communications from financial services providers are being deleted by customers because they are indistinguishable from spam (a recent example being the Paypal "class action" e-mails). What is to be done? Well, in some countries the government has decided to do something about identity and this something generally takes the form of identity cards. We will shortly see the beginning of the creation of a national identity management system in the UK. In this system, some form of national ID card will become familiar to customers. But what does this mean for the financial services industry? Will the national ID card make life better or worse? Will credit and debit cards become more secure or disappear? Will ?now your customer processes become simpler to the benefit of incumbents or less expensive to the benefit of potential new entrants? And how exactly might the national ID management scheme work at all? Here are a couple of short scenarios to illustrate the possibilities.

SCENARIO ONE

In the first scenario, let's imagine in a decade the UK national ID management system has been implemented on time and on budget and it works (this is science fiction, after all!). All citizens have a number of ID "cards": most of them are not cards at all but watches, hats, badges, key rings and mobile phones. Everyone does have a standard government-issue ID card, but by and large they leave these at home in a safe place. Opening a new bank account is trivial: you take your ID card, put it in your home entertainment centre (note that the millions of Sky digital TV set top boxes in the UK already have a spare slot for smart cards) and select the relevant financial service. A list of banks offering current accounts comes up (in order of the amount of interest paid: this is a Government requirement to stop banks from doing deals with media companies to get themselves to the top of the list). You pick one, the bank asks the home entertainment centre to check your fingerprint (all home entertainment centers have a fingerprint reader to enforce the World Copyright Agreement signed in 2010) and, assuming everything is in order, goes ahead and opens the account. No paperwork, no forms, no delays. All retailers accept ID cards for payment. In Tesco, you fill your trolley with goods and simply walk to the exit: there are no check-outs any more. When you get to the door, you look into the camera which performs an iris scan and then checks it against the biometric template in your mobile phone: assuming it matches, a menu of payment choices appears on the phone: 1 for direct debit, 2 store credit, 3 for your PlatinumPlus SuperVisa and so on. The door opens, and you leave. A digitally-signed receipt is e-mailed to you and the contents are copied in GovXML to the Department for Citizen Health and Well-Being. There are lots more financial services providers to choose from: it's so easy to do business online with the ID card now that there are no forms to sign. If you want to switch your mortgage, you can do it all sitting in front of the TV. I can't remember who my mortgage is with at the moment (I switched when I was shopping online and they were giving out frequent flyer miles) but it doesn't really matter: what do I care if they go bust!

SCENARIO TWO

In the second scenario, the government-led standardization of identity management technologies has had the natural consequence of falling prices and therefore widespread private sector deployment. The chips embedded into millions of passports, the smart identity cards, the PKI built-in to software clients and biometric authentication in consumer devices are commonplace. Many businesses wanted to have their own identity card and everyone thought that their identity management system would generate competitive advantage when linked to ERP, CRM and the rest. As a result, consumers were presented with a potentially confusing range of identity providers and, even though many of them were interoperable (thanks to the Liberty Alliance standards), consumers were unclear about where and when they could use their identities. Given the wide choice, most people opted for tribal identities: major brands were slow to see this trend, so football clubs and pop groups became, almost by default, the biggest suppliers of identity. A great many people, in person and on the Internet or via mobile phones, communicate through these tribal identities without ever knowing the "real" identity of their counterparties. I'm sitting on the sofa watching the eBay Channel, the top-rated channel on Sky Broadband, when I decide I want to bid for a pair of ceramic monkeys. I put my thumb on the remote control authentication pad and punch a couple of keys. The TV, which has picked up half-a-dozen different identities from the remote control, displays a menu and asks me "who do you want to be?" and I choose "Dave Birch of Manchester City Football Club". I pay 10 Lions every year to Manchester City for that identity. (Lions, or "Ls", are the currency used in London and the rest of the South East of England that remains outside the eurozone.) Then I enter my bid. Incidentally, the eBay identity "Dave Birch of Manchester City Football Club" (let's call it dave.birch!mcfc for short) has a very high reputation built up over the years. This reputation is very important to me: I often need it to get into physical locations because many retail therapy centers won't allow access to people with low eBay reputations (generally known as eReps) and it's not unknown for people going on a date for the first time to ask their potential partner to show an identity with high eReps. Within the spectrum of identities available, bank identities still have a privileged position. There are certain things that you can only do with a bank identity so I have two: Dave Birch, which Barclays gave me for free, and Cayce Pollard (which costs me 200 euros, or about 1L, per annum). I keep my Dave Birch "chip and PIN and fingerprint" card safely at home and I usually just carry my Cayce Pollard Barclays keyring with me. Then, if I drop the keys, my identity is safe since only Barclays know that the Cayce Pollard keyring belongs to Dave Birch: the bank is not only and identity provider but a privacy provider.

FOR MORE INFORMATION

Whether the future will look more like scenario one or scenario two is hard to say, but the scenarios do at least indicate that the financial services industry should begin developing its strategic responses to the introduction of national identity management schemes in many countries. Please note that this, and many and other related issues, will be discussed at the 5th annual Digital Identity Forum to be held in London on November 10th/11th. See www.digitalidforum.com for further details.

References

1. O'Brien, T. Identity Theft Is Epidemic. Can It Be Stopped? in New York Times (24th Oct. 2004).

2. Richard Clarke Addresses Smart Card Industry, Sees Government Use of Smart Cards as Step to Widespread Corporate Use in PR Newswire (25th Oct. 2004).

3. Kinko's spy case in CNN.com. (23rd Jul. 2003).