Government pitches ID cards as fix for online ID fraud

But not entirely convincingly...

The Home Office is considering pitching the UK identity card scheme as a fix for online and 'card not present' fraud, according to answers given to parliamentary questions by Home Office Minister Andy Burnham earlier this week. The Home Office has previously indicated that it foresees the possibility of ID cards being used to support financial transactions at some point in the future (for example, when the deployment of future generations of ATMs might allow the ID card to 'piggy back' on the banking networks), but it now seems that it anticipates more immediate financial uses for the ID cards.

According to Burnham, there is "an opportunity for the identity card scheme to combat online fraud", and the Home Office is looking at possible mechanisms for secure remote authentication, "including use of one-time password technology." In recent debates on the ID card scheme, Home Office Ministers suggested that a PIN could be used to allow people to check information held on them in the National Identity Register via the Internet; however, a PIN alone is clearly not an adequate gatekeeper for general Internet access to something in the region of 60 million records, and the latest statements suggest that perhaps the Government is beginning to grasp this.

But the Home Office's difficulties here will stem from its belated discovery of the need to bolt aspects of the right kind of ID system onto the wrong one. The UK ID scheme as originally envisaged and currently advertised hinges on the magic of 'biometric security' protecting your identity, but this security is worthless in transactions where the card isn't checked by a card reader or where the bearer's biometrics aren't checked online. It turns out that this will likely be the case with most transactions, and obviously in the case of online ones the basic ID scheme has no mechanism for determining whether the card or the user is actually present (wherever 'present' might be, online).

So the Home Office first considers PINs then, er, moves on to "one-time password technology" and makes aspirational statements about "secure remote authentication", which is a hell of a lot easier to say than to do. Government IT chief Ian Watmore put it rather better by outlining the right kind of ID system in his recent Transformational Government document: "Government will create an holistic approach to identity management, based on a suite of identity management solutions that enable the public and private sectors to manage risk and provide cost-effective services trusted by customers and stakeholders. These will rationalise electronic gateways and citizen and business record numbers. They will converge towards biometric identity cards and the National Identity Register."

That is, Watmore's plans for a radical, citizen-centric approach to Government services and IT will require highly sophisticated identity management systems, and these will (so long as they actually work) be able to underpin transactions in both the public and the private sectors. Watmore needs the right kind of ID systems for this, and we can perhaps allow ourselves a chuckle as we observe them 'converging' towards the wrong one, the national ID scheme - which, as it's a Government policy-totem, we're going to get, and Watmore is going to have to cater for, anyway.

According to Burnham the security technologies the Home Office is currently considering with the help of "representative groups from both private and public sectors" could give "greater assurance of the identity of credit card or account holders when conducting transactions over the internet, telephone or post in the future". But at what point will the Home Office's plans meet Watmore coming in the other direction?

The difficulty here lies in the fact that the Home Office's needs are more immediate than Watmore's. It definitely needs to do something about validating ID when there isn't a card reader available, so effectively it's going to have to add 'good enough' verification systems well in advance of any kind of national identity management systems being ready for deployment. And although representatives from the financial sector will undoubtedly be among the private sector bodies it's consulting, there seems little chance of the banks and credit card companies viewing the ID scheme in its first iteration as able to secure anything other than major transactions (where it might well be viable to check biometrics). So what is it about the forthcoming ID scheme security systems that will provide "greater assurance of identity" than the banks and credit card companies have already got online? We look forward to finding out, and we're also particularly interested in how they will protect, as Burnham suggests, postal transactions.

How the other half represses: Amusingly, David Blunkett's notions of the ID card as a mechanism for building community, a sense of belonging, and general inclusiveness flew like a brick in Home Office focus groups. In Egypt, however, we have ways of making inclusiveness work, and people are demanding (presumably, given the nature of the regime, quietly and politely) ID cards. According to Foreign & Commonwealth Office Minister Kim Howells, the new computerised Egyptian ID card requires citizens to be Moslem, Christian or Jewish, and "Egyptian citizens of other religions will not be entitled to an identity card, and may therefore suffer from lack of access to public services". Among other things, Kim... A resolution in the US House of Representatives earlier this year said that, according to the US Commission on International Religious Freedom's 2005 report on Egypt, "discrimination, intolerance, and other human rights violations committed by Egyptian authorities affect a broad spectrum of Egyptian society, including Muslims, Coptic Christians, Jews, Baha'is and members of other religious communities." So would you rather be suspect because you haven't got an ID card, or suspect because of what your ID card says you are? Decisions, decisions... ®
