Feeds

Government pitches ID cards as fix for online ID fraud

But not entirely convincingly...

Boost IT visibility and business value

The Home Office is considering pitching the UK identity card scheme as a fix for online and 'card not present' fraud, according to answers given to parliamentary questions by Home Office Minister Andy Burnham earlier this week. The Home Office has previously indicated that it foresees the possibility of ID cards being used to support financial transactions at some point in the future (for example, when the deployment of future generations of ATMs might allow the ID card to 'piggy back' on the banking networks), but it now seems that it anticipates more immediate financial uses for the ID cards.

According to Burnham, there is "an opportunity for the identity card scheme to combat online fraud", and the Home Office is looking at possible mechanisms for secure remote authentication, "including use of one-time password technology." In recent debates on the ID card scheme, Home Office Ministers suggested that a PIN could be used to allow people to check information held on them in the National Identity Register via the Internet; however, PIN alone is clearly not an adequate gatekeeper for general Internet access to something in the region of 60 million records, and the latest statements suggest that perhaps the Government is beginning to grasp this.

But the Home Office's difficulties here will stem from its belated discovery of the need to bolt aspects of the right kind of ID system onto the wrong one. The UK ID scheme as originally envisaged and currently advertised hinges on the magic of 'biometric security' protecting your identity, but this security is worthless in transactions where the card isn't checked by a card reader or where the bearer's biometrics aren't checked online. It turns out that this will likely be the case with most transactions, and obviously in the case of online ones the basic ID scheme has no mechanism for determining whether the card or the user is actually present (wherever 'present' might be, online).

So the Home Office first considers PINs then, er, moves on to "one-time password technology" and makes aspirational statements about "secure remote authentication", which is a hell of a lot easier to say than to do. Government IT chief Ian Watmore put it rather better by outlining the right kind of ID system in his recent Transformational Government document: "Government will create an holistic approach to identity management, based on a suite of identity management solutions that enable the public and private sectors to manage risk and provide cost-effective services trusted by customers and stakeholders. These will rationalise electronic gateways and citizen and business record numbers. They will converge towards biometric identity cards and the National Identity Register."

That is, Watmore's plans for a radical, citizen-centric approach to Government services and IT will require highly sophisticated identity management systems, and these will (so long as they actually work) be able to underpin transactions in both the public and the private sectors. Watmore needs the right kind of ID systems for this, and we can perhaps allow ourselves a chuckle as we observe them 'converging' towards the wrong one, the national ID scheme - which, as it's a Government policy-totem, we're going to get, and Watmore is going to have to cater for, anyway.

According to Burnham the security technologies the Home Office is currently considering with the help of "representative groups from both private and public sectors" could give "greater assurance of the identity of credit card or account holders when conducting transactions over the internet, telephone or post in the future". But at what point will the Home Office's plans meet Watmore coming in the other direction?

The difficulty here lies in the fact that the Home Office's needs are more immediate than Watmore's. It definitely needs to do something about validating ID when there isn't a card reader available, so effectively it's going to have to add 'good enough' verification systems well in advance of any kind of national identity management systems being ready for deployment. And although representatives from the financial sector will undoubtedly be among the private sector bodies it's consulting, there seems little chance of the banks and credit card companies viewing the ID scheme in its first iteration as able to secure anything other than major transactions (where it might well be viable to check biometrics). So what is it about the forthcoming ID scheme security systems that will provide "greater assurance of identity" than the banks and credit card companies have already got online? We look forward to finding out, and we're also particularly interested in how they will protect, as Burnham suggests, postal transactions.

How the other half represses: Amusingly, David Blunkett's notions of the ID card as a mechanism for building community, a sense of belonging, and general inclusiveness flew like a brick in Home Office focus groups. In Egypt, however, we have ways of making inclusiveness work, and people are demanding (presumably, given the nature of the regime, quietly and politely) ID cards. According to Foreign & Commonwealth Office Minister Kim Howells, the new computerised Egyptian ID card requires citizens to be Moslem, Christian or Jewish, and "Egyptian citizens of other religions will not be entitled to an identity card, and may therefore suffer from lack of access to public services". Among other things, Kim... A resolution in the US House of Representatives earlier this year said that, according to the US Commission on International Religious Freedom's 2005 report on Egypt, "discrimination, intolerance, and other human rights violations committed by Egyptian authorities affect a broad spectrum of Egyptian society, including Muslims, Coptic Christians, Jews, Baha'is and members of other religious communities." So would you rather be suspect because you haven't got an ID card, or suspect because of what your ID card says you are? Decisions, decisions... ®

Build a business case: developing custom apps

More from The Register

next story
BBC goes offline in MASSIVE COCKUP: Stephen Fry partly muzzled
Auntie tight-lipped as major outage rolls on
iPad? More like iFAD: We reveal why Apple fell into IBM's arms
But never fear fanbois, you're still lapping up iPhones, Macs
Nadella: Apps must run on ALL WINDOWS – PCs, slabs and mobes
Phone egg, meet desktop chicken - your mother
White? Male? You work in tech? Let us guess ... Twitter? We KNEW it!
Grim diversity numbers dumped alongside Facebook earnings
Microsoft: We're making ONE TRUE WINDOWS to rule us all
Enterprise, Windows still power firm's shaky money-maker
HP, Microsoft prove it again: Big Business doesn't create jobs
SMEs get lip service - what they need is dinner at the Club
ITC: Seagate and LSI can infringe Realtek patents because Realtek isn't in the US
Land of the (get off scot) free, when it's a foreign owner
Dude, you're getting a Dell – with BITCOIN: IT giant slurps cryptocash
1. Buy PC with Bitcoin. 2. Mine more coins. 3. Goto step 1
There's NOTHING on TV in Europe – American video DOMINATES
Even France's mega subsidies don't stop US content onslaught
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.