Talking about knowing where and who the customer is, I attended a fascinating discussion earlier in the week.
We were brainstorming security, trust and protection of critical financial infrastructures and had a variety of breakout groups looking at different aspects of such systems.
The breakout group I joined started with a scenario of the near future.
The scenario stated that “the European Commission agrees standards for user-centric identity management”, and the group facilitator asked for our thoughts.
It seemed innocuous enough to me, so I expected a five-minute chat about how that seemed like an obvious thing to do, and then we would move on.
But no, this scenario caused a great deal of debate amongst the financiers in the room that lasted over an hour!
Here are a few select thoughts and comments from the four bankers, whom I’ve called Alfred, Bert, Charlie and David for the purposes of the blog:
Alfred: What is "user-centric"?
Bert: The user manages their own identity rather than some central control.
Alfred: Can consumers be trusted to manage their own identity when they give everything away on Facebook, Bebo, etc?
Bert: What’s the alternative?
Alfred: Net-centric identity management, with everything controlled centrally.
Charlie: That’s no good if the user gets locked out though.
David: But the issue is not about stealing someone’s identity. You’re still you whatever happens, so you still have your identity. The issue is someone copying your identity.
Bert: That’s why net-centric doesn’t work, because someone can easily steal bits and bytes of identity data.
Alfred: Yes, and this is why user-centric doesn’t work either.
Charlie: What about biometrics? That’s a way to maintain a unique identity, isn’t it?
Alfred: Not really. Biometric identity management is also just bits and bytes of data that can be compromised and copied.
David: Sure, but that’s why we need the government to be involved here, as they have a role in giving a legal context to identities.
Alfred: So who manages identity? The user, the government or someone else?
David: Not a bank then?
General guffawing in the room.
Alfred: What about federated identities?
Bert: I’m not sure that works as you cannot have multiple identities. That’s the issue we have today. And, coming back to your point about who manages identity, it should be the user as they are closest to their own identity. Therefore, if we are concerned about people giving that data away, we need to educate and incentivise users to manage their identity better.
David: It’s not about identity; it’s about proving your identity with something. That something is based upon knowledge (a PIN, maiden name, password) and/or a token (card, mobile, chip).
Bert: How about a mobile telephone with a biometric reader in the phone, combined with an account number, PIN and password? Surely you’re getting towards an unbreakable system that way?
Alfred: I could break that just by knowing that data. The data is harder to get but it wouldn’t stop me.
Charlie: But is our concern identity, or the fraud that comes from compromising identity? If the latter, it’s not so great that it should cause us concern.
David: What’s not so great?
Charlie: Fraud losses. I’m more concerned about credit losses.
Alfred: Yet if identity is compromised it can lead to massive loss.
Bert: Sure, and net-centric and government-controlled identities are all easily compromised. I mean, every time I check into a hotel they get a copy of my passport along with all my credit card data. Similarly, some stores ask for photo identity and can steal my credit card and driving licence information at the checkout. So how easy is all that?
David: Again, let’s clarify what we’re talking about here. A credit card is just a number that provides an access right to a financial transaction, right? It’s an access right but it’s not an identity, ok? The access right is proof of who you are, and what we’re saying is that this is no longer sufficient.
Charlie: That’s a big point. It’s not identity itself but proof of identity that we need to focus upon.
Bert: And today it’s not enough, because we give our access right data to systems all over the world using American operating systems, Chinese hardware and Israeli security software, so there are plenty of holes in the architecture that can be compromised.
Alfred: The key is to have a safe and secure electronic data stream to manage identity, as all identifiers are translated into data.
And so it went on, and on, and on, and on …
… unbelievable how complex this identity stuff can get, isn’t it?