
Government pitches ID cards as fix for online ID fraud

But not entirely convincingly...


The Home Office is considering pitching the UK identity card scheme as a fix for online and 'card not present' fraud, according to answers given to parliamentary questions by Home Office Minister Andy Burnham earlier this week. The Home Office has previously indicated that it foresees the possibility of ID cards being used to support financial transactions at some point in the future (for example, when the deployment of future generations of ATMs might allow the ID card to 'piggy back' on the banking networks), but it now seems that it anticipates more immediate financial uses for the ID cards.

According to Burnham, there is "an opportunity for the identity card scheme to combat online fraud", and the Home Office is looking at possible mechanisms for secure remote authentication, "including use of one-time password technology." In recent debates on the ID card scheme, Home Office Ministers suggested that a PIN could be used to allow people to check information held on them in the National Identity Register via the Internet; however, PIN alone is clearly not an adequate gatekeeper for general Internet access to something in the region of 60 million records, and the latest statements suggest that perhaps the Government is beginning to grasp this.

But the Home Office's difficulties here will stem from its belated discovery of the need to bolt aspects of the right kind of ID system onto the wrong one. The UK ID scheme as originally envisaged and currently advertised hinges on the magic of 'biometric security' protecting your identity, but this security is worthless in transactions where the card isn't checked by a card reader or where the bearer's biometrics aren't checked online. It turns out that this will likely be the case with most transactions, and obviously in the case of online ones the basic ID scheme has no mechanism for determining whether the card or the user is actually present (wherever 'present' might be, online).

So the Home Office first considers PINs then, er, moves on to "one-time password technology" and makes aspirational statements about "secure remote authentication", which is a hell of a lot easier to say than to do. Government IT chief Ian Watmore put it rather better by outlining the right kind of ID system in his recent Transformational Government document: "Government will create an holistic approach to identity management, based on a suite of identity management solutions that enable the public and private sectors to manage risk and provide cost-effective services trusted by customers and stakeholders. These will rationalise electronic gateways and citizen and business record numbers. They will converge towards biometric identity cards and the National Identity Register."

That is, Watmore's plans for a radical, citizen-centric approach to Government services and IT will require highly sophisticated identity management systems, and these will (so long as they actually work) be able to underpin transactions in both the public and the private sectors. Watmore needs the right kind of ID systems for this, and we can perhaps allow ourselves a chuckle as we observe them 'converging' towards the wrong one, the national ID scheme - which, as it's a Government policy-totem, we're going to get, and Watmore is going to have to cater for, anyway.

According to Burnham the security technologies the Home Office is currently considering with the help of "representative groups from both private and public sectors" could give "greater assurance of the identity of credit card or account holders when conducting transactions over the internet, telephone or post in the future". But at what point will the Home Office's plans meet Watmore coming in the other direction?

The difficulty here lies in the fact that the Home Office's needs are more immediate than Watmore's. It definitely needs to do something about validating ID when there isn't a card reader available, so effectively it's going to have to add 'good enough' verification systems well in advance of any kind of national identity management systems being ready for deployment. And although representatives from the financial sector will undoubtedly be among the private sector bodies it's consulting, there seems little chance of the banks and credit card companies viewing the ID scheme in its first iteration as able to secure anything other than major transactions (where it might well be viable to check biometrics). So what is it about the forthcoming ID scheme security systems that will provide "greater assurance of identity" than the banks and credit card companies have already got online? We look forward to finding out, and we're also particularly interested in how they will protect, as Burnham suggests, postal transactions.

How the other half represses: Amusingly, David Blunkett's notions of the ID card as a mechanism for building community, a sense of belonging, and general inclusiveness flew like a brick in Home Office focus groups. In Egypt, however, we have ways of making inclusiveness work, and people are demanding (presumably, given the nature of the regime, quietly and politely) ID cards. According to Foreign & Commonwealth Office Minister Kim Howells, the new computerised Egyptian ID card requires citizens to be Moslem, Christian or Jewish, and "Egyptian citizens of other religions will not be entitled to an identity card, and may therefore suffer from lack of access to public services". Among other things, Kim... A resolution in the US House of Representatives earlier this year said that, according to the US Commission on International Religious Freedom's 2005 report on Egypt, "discrimination, intolerance, and other human rights violations committed by Egyptian authorities affect a broad spectrum of Egyptian society, including Muslims, Coptic Christians, Jews, Baha'is and members of other religious communities." So would you rather be suspect because you haven't got an ID card, or suspect because of what your ID card says you are? Decisions, decisions... ®
