The next story in the Privacy and Trust series will be coming shortly, but first will be an update or two from here in in Washington, D.C. at Inside ID. The conference has an exhibit area where dozens of vendors are showing digital identify solutions including smart cards, biometric technology, and middleware. There are almost 100 speakers from government, academia, and the private sector. I gave a talk at the opening general session where I shared a big-picture view about the shape of the future of the Internet. I talked about what the Internet has in store for our business and personal lives and why trust, in the form of secure digital identity and authentication, is critical. Since I have a meeting in Washington on Thursday, I decided to stay in town to visit the exhibition hall and attend as many of the seminar sessions as possible. I am very glad I decided to do that — I have learned a lot.
With three concurrent seminar tracks with expert speakers and panels, it was very hard to decide which to attend. The afternoon track today was focused on “Identity in Financial Systems”. The financial services industry is probably the most identity-sensitive market segment in the private sector. The conference organizers said, “Linking people and their money creates challenges on many levels, not the least of which is balancing privacy and security”. The seminar looked at identity management in emerging payment systems, and described efforts to curb identity theft.
I decided to attend a talk entitled “Deterring Fraud in OnLine Financial Services: Its All About Authentication” by John Gould, director for consumer credit at TowerGroup. I have known John for ten years. We collaborated on some encryption issues when he was one of the top executives at MasterCard and I was at IBM. John is an extremely smart guy who knows as much as anybody on Earth about credit cards and payment systems.
John’s overall premise is that e-commerce growth is being inhibited by consumer fears about identity theft and fraudulent use of personal data, that fraud is causing significant costs to be incurred by credit card issuers and merchants, and that revenue is being lost from uncompleted sales. Prior to today I would not have completely bought in to those assertions. As always, John Gould had data to back up his slides.
The chargeback rate for online purchases is four times higher than with in-store purchases. 5% of credit card transactions are denied by the card issuer. For online transactions it is 12%. e-tailers reject 6% of consumer purchase requests because they appear suspicious resulting in $950 million in lost sales in Q4/2002. 7% of shoppers surveyed said they had been victims of fraud in the past year. There were nearly ten million cases of identity theft. 30% of all credit card fraud is on Internet (U.S.) and Internet fraud was up 114% in 2002. He has much more data and it is not pretty. The worst part is that the problems are mostly caused by amateurs. The professional criminals are just beginning to get into the act and one expert said that in three years today’s environment will seem like “the good old days”.
John says “the anatomy of the problem is lack of strong authentication of customers, no authentication of servers, insecurity of data stored on servers, and poor security on the users PC”. The good news is that online sales are still growing rapidly and the glass is half full not half empty in my opinion. There is jeopardy, however, if things don’t change. We need digital identity management and authentication — and we need it urgently.
John discussed three solutions. The simplest is address verification. When we buy something online and provide our credit card number and address, the address you provide is compared to the address to which your credit card statement is sent. If they don’t agree, the authorization fails. Address verification helps but it is a relatively weak solution. A stronger approach is 3DSecure, a Visa initiative which they have branded as “Verified by Visa”. It is focused on cardholder authentication and results in reduced liability and a lower fee for merchants who use it. The problem is that 3DSecure requires the consumer to go through an enrollment process and yet there are no obvious benefits to the consumer. Even the online merchants seem hesitant since only 2,715 of them were participating as of Q3/2003 and the program has been around for more than two years.
The best approach from John’s perspective — and I strongly agree — is the smart card. The smart card is portable, it can securely store cryptographic keys and certificates, it can easily incorporate biometric technology, and it can be used with a disconnected device. Europe is way ahead of America with their GSM cell phone standard. They have also been ahead with smart cards but they may be ready to leap even further ahead in providing strong authentication by leveraging their past investments.
Two vendors in Europe have proprietary solutions for strong authentication using a “disconnected reader”, otherwise known as a “Hand Held Device” or HHD. The HHD is an inexpensive (probably less than $10), programmable smart card reader about the size of a deck of cards. It has a built-in display and keyboard, it supports passwords and digital signatures, eliminates connectivity issues, enables us of an existing PIN and it can support additional applications. The HDD can work in more than one way but the simplest to understand is that the consumer inserts the smart card in the reader . The consumer then uses the HDD keyboard to enter a numeric code that is presented to them on the web site based on the transaction they are doing. The HDD then displays a code which is then entered on the web page.
I was skeptical at first but after hearing John’s talk and thinking about it I can see large potential with the smart card + disconnected reader approach. It provides strong authentication and non-repudiation. It uses the existing payment PIN and leverages 3DSecure. It could work for any kind of web application. The approach works with Pocket PC; and is being tested with mobile phones.
There are many good solutions available for authentication. None of them are perfect but many of them are vastly better than what he have. The leaders of governments, financial services companies, hospitals, and universities now need to show the leadership and vision to use them.
