The way we handle identity in this country, many believe, is broken.
To identify themselves on websites, including online banking pages, consumers must provide valuable personal information. Subsequent access is often a simple matter of providing a user name and password (for which people frequently choose something that is easily remembered, but also easily guessed by hackers). With so much data being shared with so many parties that are far from information security specialists (cough, Target), and so many millions of records already compromised in breaches, many are questioning the present architecture of digital identity management.
"The ubiquity of user name and password on the Internet, which from the beginning was a security method that was not good enough, is a key problem," said Stephen Ranzini, CEO of University Bank, a community bank in Ann Arbor, Mich. "When I was an undergrad at Yale, some computer science majors were always stealing each other's mainframe machine time, with user names and passwords being so easy to break."
When the movement of money is involved, the problem becomes more acute, he noted.
"Security experts will tell you that in a secure Internet-based system, the security keys must be encrypted at all times and shared only as necessary to complete a transaction," Ranzini said. "We have a situation today where our fundamental payments systems were architected for a non-Internet world, they're not appropriate for the internet world and we're using them for that anyway." (This and most of the other comments in this article are drawn from an American Banker webcast, New Thinking About Identity Management, that aired March 26.)
Consequently, criminals harvest user names and passwords and personally identifiable information about customers and use them to steal customers' identity and their money "because they can, because of the weak enrollment processes we use," Ranzini said.
"If we moved to another paradigm where stealing data doesn't get you anywhere, that would be very useful," Ranzini said.
Knowledge-based identity and authentication (such as asking for a mother's maiden name or where someone attended grade school) is also not a good idea, Ranzini said. "I call it the 20 questions method of identity management," he said. It just encourages more theft of personally identifiable information about customers. "In order to have good security, you have to have something you know, but you also need something that you have, like a trusted platform module chip at the base of your mobile phone or your personal computer."
Who Should Control Identity?
Many constituencies would like to be the keyholders for consumers' digital identities, including telecom providers, the government, Visa, MasterCard, Apple, Google and Facebook. And some even argue that the consumer should be in charge of her own identity and credentials.
"One plausible hypothesis is that those multiple, competing tactical views are essentially going to be overwhelmed by a bottom-up, crowd-sourced version of identity that will wash them away," Dave Birch, director of Consult Hyperion in the U.K. and author of a book called Identity is the New Money.
Email and social media providers have become de facto managers of identity on the internet, pointed out Thomas Hardjono, the technical lead and executive director for MIT's Consortium for Kerberos and Internet Trust.
"We've seen the emergence of email providers who have become identity providers," Hardjono said. "Google and Facebook did not set out to be identity providers but they are, in fact, identity providers. So there is that dependence and social trust on a few players out there."
Facebook is already an international identity management solution, Birch noted.
"To forge a convincing Facebook profile is a damned sight harder work than forging a convincing passport or Social Security number," he said. LinkedIn is also taking on the role of authentication for many, he noted.
Although people can lie on social media, Birch argues that with a service like LinkedIn, the ability to see and contact people you know in common provides effective identity management.
"A convincing social media profile with convincing interconnections is very hard to forge," Birch said. "It's very cost effective, it's very trustworthy," he said. "The idea that I would be able to trust someone more because they could show me a Social Security card is crazy."
Banks as Digital Gatekeepers
Banks could get together, agree on standards for identity management and authentication, and collectively become the gatekeepers for their customers' identities. They could let consumers log into any website using their bank ID.
"The most trusted party is the banking industry because we're trusted with people's money," Ranzini said.
Accenture released a study this week backing this up this assertion. The consulting company asked 4,000 consumers what type of company they trust to securely manage their data. The vast majority of respondents 86% chose banks and financial institutions.
"If we were to step forward and take that role, I believe we would be successful," Ranzini said. "Whether or not the leaders [of the banking industry] have that ambition is still an open question."
A solution to the identity problem would also address the challenges banks face in compliance with Know Your Customer, Bank Secrecy Act and anti-money laundering rules.
"A tremendous amount of potential innovation is held back because of the whole KYC/BSA/AML issue," Ranzini said. "If we were able to separate that issue away from this problem, it would greatly reduce the task at hand of actually fixing this broken ecosystem."
Ranzini has a vision for how banks could deal with all of these challenges at once.
His idea is for the industry to form an independent, back-office platform that would receive all pending loan and transaction data from the participating banks. The utility would analyze the data and send back to each bank drafts of any suspicious activity reports or other paperwork that might be required under the BSA. Then the bank's BSA officer would decide whether or not to file the SAR. If the bank files the draft SAR as presented by the industry utility, it would earn a safe harbor from the Financial Crimes Enforcement Network, an acknowledgement the institution was in full compliance with the Bank Secrecy Act.
"If they changed a single comma or didn't file something that was recommended, then they would be fully at risk," Ranzini said.
This would eliminate a lot of work for banks, Ranzini pointed out. Today, if one bank sends a wire or electronic payment to another bank, both banks have to examine and know their customer and the other bank's customer.
The staff of the central utility would liaise with intelligence agencies and undergo internal audits by Fincen. "They could then probably get access to some of the confidential government data that we as bankers today don't have access to," Ranzini said.
"Not only would banks save money but they would be able to do a better job of doing this work, which is important for the security of our country," he said.
Each bank would do the initial information gathering on each customer. Then the industry utility would look through industry, public, and any available confidential government databases to see if there's anything there that raises red flags.
The utility would be better able to detect fraud and security risks, Ranzini said.
"One of the problems now is sophisticated criminal enterprises do things like layer where money is transmitted through not just two banks, but through five or 10 banks in multiple countries," he said. "If you had a global view of where the money is coming from and moving to, you'd be able to do a much better job of detecting the true criminal networks out there. Today we're mostly relying on luck."
Need for Standards
No matter who ultimately claims identity management supremacy, some kind of standard will be needed to make the chosen identity scheme work.
In the early days of the Internet, there was a major push to create a single sign-on service for the entire web, the SAML [Security Assertion Markup Language] 2.0 specification.
"That was the nirvana of people including myself who created the spec back in 2001 and 2002," said Hardjono. SAML has been successfully implemented inside companies, including Morgan Stanley, Goldman Sachs, and Fidelity, he observed.
But at Internet scale, SAML has not been universally deployed as hoped.
A standard may emerge from some tactical project already under way.
"It's entirely possible that we may be able to take standards from, say, Apple Pay and tokenization or other things," Birch said. "Perhaps a way of short-circuiting the technical problem is to go outside the banking industry and just re-use something else that was meant for some other purpose."
Putting Consumers in Control
Privacy advocates would like consumers to direct how information is collected about them and used by Facebook or a bank.
"We're a deep believer that consumers should own their own data," said Dan Harple, managing director of investment firm Shamrock Ventures, which has offices at Amsterdam and in Cambridge, Mass.
"The thing is to put together a principles-based framework because there are so many smart people out there who can contribute to this," he said. "The biggest danger is to let a company like Apple define what the system will be."