Last night’s debate,
“This house believes our current authentication and identification
methods are good enough”, was a healthy one and focused primarily upon
card authentication in retail transactions.
We started with the case for.
The motion was proposed by one of the major card processing firms,
who said that the card firms are trying to do more than enough to
They talked about the Chip Authentication Protocol (CAP), a method of making the card "present" even when remote by asking the cardholder to use a calculator-style terminal to authenticate.
This program has just been rolled out in the UK and means that each
time you make an online payment, you enter your PIN plus a special
one-time system generated code into a special card reading terminal.
In addition, 3D Secure,
the pop-up window where you enter a unique and personal password for a
transaction, provides an additional layer of security, as does the use of
IP addresses and other location-aware services.
Combine this with Chip & PIN and all the other ways in which we
are protecting cardholders, and our current authentication and
identification systems are good enough.
This view was refuted by a representative of one of the credit
reference agencies, who claimed that authentication goes further than
just card protection and must look at the process for client account
opening. This process is subjected to rules for AML and KYC which are
clearly flawed, as they are totally reliant upon paper. These
paper-based processes are easily subjected to fraudulent activity
because utility bills, driving licences and even passports are easily
Back to the proposal, and the UK’s leading payments authority made it clear that we are doing what we can with what we have.
Governments are responsible for issuing identities – passports and
driving licences – and we need better management of this part of the
process. In other words, the identity card systems are not within our
control, and we can only use systems that are within our control.
Given this constraint the industry has achieved a lot and, where we
have control, it works. In fact, where it is within our control, we go
as far as we need to go in order to satisfy our appetite for risk. The
whole authentication process therefore is built around acceptable
levels of risk.
Finally, the representative of a firm that provides remote identity
confirmation determined that the views of both proposers were flawed.
Chip & PIN had had a little success when first introduced, but was
proving to be broken already, as the system is regularly undermined by
petrol station attendants.
The CAP reader is a good idea, but means that anyone who gets our
card, PIN and CAP reader can now spend excessively online too, making
our online purchasing protection even more compromised.
Meanwhile, 3D Secure is a neat idea, but only 10 million of the UK’s
140 million card users have signed up for it, which shows it is not
In other words, for all the efforts of the industry, the customer is
not buying into our authentication processes and therefore they must be
Following these opening gambits, with the proposers saying that we’ve
done what we need to do and the opposers retorting that it’s not
enough, the floor was opened for debate.
Points were raised, such as: claiming that identity management is
the government’s job is a cop-out, isn’t it? Waiting for
the government to issue ID Cards will be a long wait, and surely the
industry should do some work beforehand?
There were questions about the speed of change, and why the industry
takes so long to implement and improve processes. For example, with
mobile and biometric authentication available, why are we not
implementing these systems?
The answer was that the industry can only move as fast as its
slowest players, which is not necessarily the banks, but the merchants
and retailers who must also be brought on board. Many of these
retailers are SMEs and mid-caps, and so embracing all UK business in
the process is a key barrier to speed of change.
Surely customers also have some responsibility for their own
protection of identity. The fact that customers expect the industry to
make them secure, without taking any responsibility themselves, is just
But customers only like security when it’s convenient, which is why
CAP and 3D Secure are proving tough to make a success. 30 percent of UK
consumers are abandoning online payments due to the inconvenience of
CAP, for example.
Is there a point at which we move from customers being idiots and
responsible for their own protection versus the industry being at
fault, because we should have educated the customer to be more
The evening wound its way to a close with a vote on the motion:
This house believes our current authentication and
identification methods are good enough.
All those in favour? 27%.
All those against? 63%.
The motion is rejected.