In an earlier blog post, Lee Newcombe (employee, husband, father, and at weekends, Elven Wizard) outlined the philosophical case regarding Identity. Lee pointed out the less-than-obvious facts that an Identity is just a set of claims, and those claims can vary depending upon the situation. What is also not well-known is that in the UK at least, there are only two official proofs of identity. One of them is a birth certificate and the other, surprisingly, is a death certificate. If someone presents the latter as a proof of their identity, I’d suggest calling Ghostbusters…
So, Lee has pretty much nailed the concepts surrounding Identity. But what does that actually mean to an organisation? How does knowing who someone claims to be actually help them?
It all depends, as Lee intimated, on the context – what are you actually trying to achieve?
In Government, fraud is a major concern, so for the purposes of this blog post I’ve taken a good, hard look at what the Cabinet Office is doing with the Government Citizen Identity Assurance (IDA) programme.
IDA will use the concept of an Identity Provider (IDP), to verify someone’s claims of who they might be. As you would expect, there are a number of organisations who can do that, and most of them use a financial footprint to verify an identity claim. So the model is that, for example, a citizen will use Experian as their IDP, and Experian will take them through a number of challenging questions, based on their financial affairs. The result is that Experian will issue the citizen with some form of credentials – perhaps using something trendy like a smartphone soft token - to use in future.
So, a government department that uses IDA can be pretty certain that a citizen is, in fact, who they claim to be. That’ll help defeat fraud, won’t it?
Or will it?
Let’s use a silly example to highlight the potential flaws.
Little Johnny has a shady past, and has defaulted on bills, credit cards and has failed to pay for goods received and has a very poor financial history that shows some very shady dealings indeed. Little Johnny needs to interact with HMG in order to claim benefits and so on. So he selects an IDP that just happens to be a credit reference agency, verifies his identity, and gains some login credentials.
So the HMG department knows that Little Johnny has logged in and is attempting to claim benefits or some other means of extracting funds. However, the HMG department has no way of knowing that his IDP, whilst verifying his identity, thinks he’s untrustworthy. After all, even undesirables need access to HMG services.
This is because the IDA model specifically denies the capability for the HMG department to know which IDP was used to login, and indeed the IDP is not allowed to know what HMG service was being accessed. This is to keep IDP and HMG apart in terms of sharing information and so remove any hints of the Big Brother fears that caused the National Identity Card programme to be abandoned.
So we have this slightly odd situation that an IDP, whilst verifying someone’s identity, cannot confer any other risk data about that citizen to HMG at the same time.
That’s a really important aspect to understand – IDA does not provide any mechanism whatsoever to confer risk information pertaining to a citizen to an HMG department – or indeed vice versa.
And there’s more. A citizen can use as many IDPs as they like, so they could have credentials with all of them - five, at the time of writing, with a further three planned. IDPs cannot share data either, so if one IDP finds out that Little Johnny is in fact, not Little Johnny at all and blocks his access, they cannot tell other IDPs and Little Johnny (or whoever is is) can just use another one that hasn’t realised yet. The HMG department will be blissfully unaware that at least one of the IDPs think Little Johnny is a crook.
Similarly, if HMG find out that Little Johnny is a crook, they have no intrinsic way of telling the IDPs though the IDA solution.
In short, IDA is a good solution for Identity, but because of the requirement for a ‘privacy screen’ between IDPs and HMG, is not a solution for verifying the trustworthiness of a claimed Identity, or indeed for sharing risk or trustworthiness information about a citizen. This has significant implications that need to be understood.
Don’t forget that real people commit fraud under their real identity. Just because you know who they are does not prevent fraud, and that is before the HMG department tries to match the Identity asserted data from IDPs with the data they hold.
Even if the Identity is perfect, all that allows the person to do is log on to a service. To actually commit fraud requires the exploitation of a vulnerability, or indeed lack of control, in the business process that allows the fraudster to fill their pockets.
So, where does this leave us?
Well, sort of back where we started. People commit fraud. Having an idea about who that person claims to be is handy, but not a panacea for fraud. You still need all of the capabilities in terms of intelligence, device fingerprinting, defined business rules and so on to catch them – preferably in the act before the money leaves the coffers.
Where knowledge of Identity will disrupt fraud are where Identities have been compromised and thence misused, or where the deterrent factor puts off the petty criminal or someone just seeing what they can get away with, feigning ignorance (a common defence, apparently, is “I didn’t realise….”).
So remember, just because you know someone’s claim to an Identity, does not mean to say you should implicitly trust them.
That crook, Little Johnny, has logged in. It’s definitely him… But don’t tell anyone he’s a crook…