Adventures in identity: are you paranoid or schizophrenic?

For a while now, the industry has struggled with secure identities. It’s not an easy thing y’see.

For example, the Economist this week has a special 16-page supplement looking at the issues of a deluge of data:

“Information has gone from scarce to superabundant. That brings huge new benefits but also big headaches ... ensuring data security and protecting privacy is becoming harder as the information multiplies and is shared ever more widely around the world.”

Yep, data sure is a pleasure and a pain.

The real issue with so much data around is how to handle it all securely.

Most of Google’s job is to index all the insecure stuff – about 1.2 zetabytes worth, or 1.2 billion terabytes if you want that in easier language, is the total amount of information in existence this year with a further 0.7 Zb's produced every year on top - but what about the rest?

Maybe that’s why Google’s Chief Economist, Hal Varian, forecasts that the sexiest job in town will soon be that of ‘statistician’ ... and my ambition was always to be an accountant. Such excitement!

This still doesn’t answer the rest of the question though.

The secure and protected data that travels around the world, particularly the data related to risk which the Economist blames the financial crisis for:

“During the recent financial crisis it became clear that banks and rating agencies had been relying on models which, although they required a vast amount of information to be fed in, failed to reflect financial risk in the real world. This was the first crisis to be sparked by big data ... In the age of big data; algorithms will be doing more of the thinking for people. But that carries risks. The technology is far less reliable than people realise. For every success with big data there are many failures. The inability of banks to understand their risks in the lead-up to the financial crisis is one example. The deficient system used to identify potential terrorists is another.”

And a third area where I have most concern right now is the ability to use big data to unlock accounts and transfer monies.

This has been top of mind for a while, as more and more data is shared between banks and third party service providers through offshore customer service centres. Equally, the issues of data insecurity is growing rapidly, as we increase access to account services through the internet.

Customers’ leaving PIN numbers in wallets alongside cash cards; customers’ using the same password for their bank accounts as they do for their Facebook profile; customers’ main account unlocking system being account number and date of birth, information that is easily found by those who seek to find it.

Therefore, we have tried for years to come up with secure systems to manage secure data.

By the end of the 1990s, the banks thought they had solved the issues by creating a secure identity management system which, in the absence of a SWIFT appetite for it, was originated as a bank collaborative venture viz-a-viz the SWIFT style operation called Identrus.
Identrus bubbled along providing a solution for a problem that only a few banks could see existed way back then.  But back then the issues of secure identity management were but a squeak.  Today, it's a ROAR.

How big a roar is illustrated by this line from the Economist: “decoding the human genome involves analysing three billion base pairs which took ten years the first time it was done, in 2003, but can now be achieved in one week”.

The criminal fraternities’ ability to sift through data now means they are always one step ahead.

Fraudsters work with foresight; regulators work with hindsight; and banks work in the here and now.

So what can banks do in the here and now, today?

Use IBAN and BIC to uniquely identify customers?

No.

As regularly discussed here, IBAN and BIC doesn’t work because it is not unique or standardised.

In addition, IBAN and BIC provides the ability for the user to be schizophrenic with multiple identities. I want users to be paranoid – a single entity worried about who’s trying to steal their identity – rather than schizophrenic.

So IBAN and BIC doesn’t work as an identifier.

And even if it did, it would be too weak to manage secure interactions.

For example, I just had a chat this week about banks providing straight through processing (STP),and the bankers said to me that in order to deliver STP they purely use IBAN and BIC.

This approach however has proven to be the cream on the cake for the fraudsters.

The fraudsters feed through a range of small payments to a selection of IBANs and BICs and discover the accounts that are live and accurately numbered. Then they drip-drip-drip direct debits from those accounts and make a mint.

This is because banks STP smaller payments purely using IBAN and BIC. The verification of account number with account name is detached and, for the purposes of STP, is irrelevant. This basic identity check – your name – has been dropped in the interests of straight through efficiency.

It’s all about the trade-off’s between processing versus fraud versus service.

But that’s not good enough in the age of the internet, where the schizophrenic identities can siphon funds on a small transaction by transaction basis, whilst the paranoid are left to track the trail of destruction.

Maybe it is for this reason that we are seeing newer developments, such as the launch of SWIFT’s Personal Digital Identity (PDI) programme for corporates, scheduled for release this June.

Announced at SIBOS last year, the PDI is designed to provide corporate users with a technology based method of recognising a payer and payee based upon a bank issued token. In this case, the bank provides the user with a token to provide trust in their identity.

Here’s the official notice of developments from this quarter's Corporates on SWIFT journal:

SWIFT reinvents the personal digital signature

In response to demand from its clients, SWIFT is developing a multi-bank personal digital identity solution enabling the issuance of PKI certificates. “Today, many banks operate a PKI infrastructure and issue their own certificates,” says Willy Verhanneman, head of messaging product management, SWIFT. “The solution proposed by SWIFT involves a personal signature based on PKI certificates stored on secure tokens and interoperable on a global scale.”

Sounds good in principle, but in practice it feeds the schizophrenic surely. For example Elie Lasker, head of corporate market at SWIFT, is quoted in last November’s Banking Technology:

“In a nutshell, we will issue a digital certificate that will be distributed through the banks to their customers. The tokens will be anonymous, with a unique identifier, and corporate users will have to register that certificate with each bank they are working with.”

So that means that a corporate has to get a token from their favoured bank and then register it with every other bank they deal with.  That is a lot of effort and complexity for both the corporate to register and the bank to deal with the registration process.  Each bank has to build that registration process and I am sure they won't do it in a standardised way - when does a bank ever do anything in a standardised way? - so how does a bank do it?  Does it vary from bank to bank?  What are the liability, repudiation and other implications ... one thing is certain: it will create a lot of opportunity for schizophrenic identities rather than paranoid ones.

Meanwhile, the big question is why invent a SWIFT solution to an issue that IdenTrust has been nibbling away at for a decade?

Elie Lasker says SWIFT thought about this, but “banks were pushing for independent registration processes, as opposed to the IdenTrust model, in which the issuing bank vouches for the user's identity to other institutions. ‘The banks felt they would prefer to do their own registration, because typically each institution has its own way of doing KYC and registering users.’”

Is this really true?

Can it really be that counterparty bank trust has sunk so low that they do not even trust the digital signatures executed under a set of predefined requirements for correspondents anymore?

Would they rather repeat their correspondent’s KYC processes a second time, a third time, a fiftieth time, in order to rely upon a token of trust?

All in all, it seems that the PDI approach is a technology-based solution to a problem that may already be solved with a significant overhead, in terms of the registration process.

Seems like a lot of work for the large, multi-banked, international corporate client. Equally, it begs me to ask that, if this is the case, arelarge banks like Citi, Bank of America, Standard Chartered, RBS, Lloyds and more wrong?

Would they rather have tokens for every user of every bank, rather than a single, portable identity across all banks?

Would they rather be schizophrenic than paranoid?

This is a key question in relation to whether the PDI is the right way to go in an age of data abundance. I’m not saying that the IdenTrust route is right either, but it seems nearer maybe?

All in all, the real solution has to be to rationalise data down to its lowest common attribute for unique data identifiers related to secure transactions.

That’s a mouthful, but that’s surely what it comes down to: an agreed approach that all can use, whereby an attribute in secure data transactions is clear and unique, standardised and uniform, works for the individual and the corporate, and is global in acceptance.

Hmmmm ... sounds like a single identity key to me and, if I’m paranoid, watching one key and ensuring nobody steals it sounds far better than being the paranoid schizophrenic who has to watch all of them.

They’re coming to take me away, ha-ha!