
Government pitches ID cards as fix for online ID fraud

But not entirely convincingly...

The Home Office is considering pitching the UK identity card scheme as a fix for online and 'card not present' fraud, according to answers given to parliamentary questions by Home Office Minister Andy Burnham earlier this week. The Home Office has previously indicated that it foresees the possibility of ID cards being used to support financial transactions at some point in the future (for example, when the deployment of future generations of ATMs might allow the ID card to 'piggy back' on the banking networks), but it now seems that it anticipates more immediate financial uses for the ID cards.

According to Burnham, there is "an opportunity for the identity card scheme to combat online fraud", and the Home Office is looking at possible mechanisms for secure remote authentication, "including use of one-time password technology." In recent debates on the ID card scheme, Home Office Ministers suggested that a PIN could be used to allow people to check information held on them in the National Identity Register via the Internet; however, a PIN alone is clearly not an adequate gatekeeper for general Internet access to something in the region of 60 million records, and the latest statements suggest that perhaps the Government is beginning to grasp this.

But the Home Office's difficulties here will stem from its belated discovery of the need to bolt aspects of the right kind of ID system onto the wrong one. The UK ID scheme as originally envisaged and currently advertised hinges on the magic of 'biometric security' protecting your identity, but this security is worthless in transactions where the card isn't checked by a card reader or where the bearer's biometrics aren't checked online. It turns out that this will likely be the case with most transactions, and obviously in the case of online ones the basic ID scheme has no mechanism for determining whether the card or the user is actually present (wherever 'present' might be, online).

So the Home Office first considers PINs then, er, moves on to "one-time password technology" and makes aspirational statements about "secure remote authentication", which is a hell of a lot easier to say than to do. Government IT chief Ian Watmore put it rather better by outlining the right kind of ID system in his recent Transformational Government document: "Government will create an holistic approach to identity management, based on a suite of identity management solutions that enable the public and private sectors to manage risk and provide cost-effective services trusted by customers and stakeholders. These will rationalise electronic gateways and citizen and business record numbers. They will converge towards biometric identity cards and the National Identity Register."

That is, Watmore's plans for a radical, citizen-centric approach to Government services and IT will require highly sophisticated identity management systems, and these will (so long as they actually work) be able to underpin transactions in both the public and the private sectors. Watmore needs the right kind of ID systems for this, and we can perhaps allow ourselves a chuckle as we observe them 'converging' towards the wrong one, the national ID scheme - which, as it's a Government policy-totem, we're going to get, and Watmore is going to have to cater for, anyway.

According to Burnham the security technologies the Home Office is currently considering with the help of "representative groups from both private and public sectors" could give "greater assurance of the identity of credit card or account holders when conducting transactions over the internet, telephone or post in the future". But at what point will the Home Office's plans meet Watmore coming in the other direction?

The difficulty here lies in the fact that the Home Office's needs are more immediate than Watmore's. It definitely needs to do something about validating ID when there isn't a card reader available, so effectively it's going to have to add 'good enough' verification systems well in advance of any kind of national identity management systems being ready for deployment. And although representatives from the financial sector will undoubtedly be among the private sector bodies it's consulting, there seems little chance of the banks and credit card companies viewing the ID scheme in its first iteration as able to secure anything other than major transactions (where it might well be viable to check biometrics). So what is it about the forthcoming ID scheme security systems that will provide "greater assurance of identity" than the banks and credit card companies have already got online? We look forward to finding out, and we're also particularly interested in how they will protect, as Burnham suggests, postal transactions.

How the other half represses: Amusingly, David Blunkett's notions of the ID card as a mechanism for building community, a sense of belonging, and general inclusiveness flew like a brick in Home Office focus groups. In Egypt, however, we have ways of making inclusiveness work, and people are demanding (presumably, given the nature of the regime, quietly and politely) ID cards. According to Foreign & Commonwealth Office Minister Kim Howells, the new computerised Egyptian ID card requires citizens to be Moslem, Christian or Jewish, and "Egyptian citizens of other religions will not be entitled to an identity card, and may therefore suffer from lack of access to public services". Among other things, Kim... A resolution in the US House of Representatives earlier this year said that, according to the US Commission on International Religious Freedom's 2005 report on Egypt, "discrimination, intolerance, and other human rights violations committed by Egyptian authorities affect a broad spectrum of Egyptian society, including Muslims, Coptic Christians, Jews, Baha'is and members of other religious communities." So would you rather be suspect because you haven't got an ID card, or suspect because of what your ID card says you are? Decisions, decisions... ®
