Mobile payment is fun, but mobile ID might be indispensable
We hardly notice identity fraud any more.
Every day the wires bring more tales of fraud, theft, mischief and mayhem. Our antediluvian identity infrastructure, still based on the pre-industrial infrastructure of paper and signatures, has shifted from being a business irritant to a fundamental barrier to progress.
To my horror, I discovered my savings were nearly wiped out. Over the previous two business days, a woman claiming to be me had used a fake photo ID to make five large, in-person cash withdrawals from different branches of my bank in two faraway states. The largest withdrawal was $4,800; the smallest was $2,400.
Now, you might think that this is a little odd. Surely, you would imagine, if someone walks into a bank to draw out a few thousand dollars in cash then the bank would take their identity document and authenticate it — let’s say take their secure microchip on a plastic card and get them to enter a PIN, or take their e-passport and verify via digital signature and online lookup — before doling out the dosh. But apparently not.
Why was it so easy for a petty criminal to get away with so much cash? It doesn’t take many brains to understand that data breaches have created a thriving market for confidential financial information. And modern technology apparently provides the means to create authentic-looking fake IDs… In many of today’s bank branches, it seems in-person transactions still rely heavily on paper and trust. “If the teller feels that the person standing in front of them is indeed the customer, they’ll give out the cash,” several bank employees explained to me. Am I really to believe that with more tools available than ever to detect crime, a major bank relies on employees’ “feelings” to verify customers’ identities?
This is indeed puzzling. Not that anyone should be using driver’s licenses as identity documents anyway, since bank tellers and bar bouncers are not anti-terrorist geniuses capable of spotting fake IDs from around the world in an instant — note that if they actually did want to verify these documents properly, they could always use technology to do it (e.g., Au10tix) — when everyone who walks into the bank or the bar is carrying a piece of technology that can easily provide the combination of identification and strong authentication that is more than adequate for business.
Mobile financial services can’t expand fast enough, in my opinion. Though nothing is foolproof, a mobile phone seems like a good starting point for verifying a customer’s identity and immediate physical location.
If I walk into a branch of Barclays (I can’t off the top of my head imagine why I might do this, but let’s just say) then the Barclays mobile app is more than capable of telling the branch who I am. It seems like an obvious way forward. But there is another reason why a mobile app might be a better basis for establishing identity than a scrawled signature or a trivially-counterfeitable utility bill or whatever: the principle of identity symmetry. When the bank asks your mobile app to authenticate you, your mobile app can simultaneously verify the digital signature on the requests so that it knows it is dealing with your real bank. The Secure Enclave that hosts my tokens could also validate other people’s tokens to close the security loop. Ah, you might think, that might apply online but why would you need that in a physical branch? Well,
A Chinese man made thousands of dollars by opening a fake branch of one of the world’s largest banks. The man, whose surname is Zhang, equipped the fraudulent China Construction Bank outlet with card readers, passbooks and three teenage girls at the teller counter. One of the girls posing at the branch near Linyi, Shandong province, was the man’s 15-year-old daughter.
Brilliant. I love this story. No-one spotted that this entire bank branch was fake, not until a woman who deposited $6,200 at the fake branch could not withdraw it from a real branch a month later. The managers there spotted the fake deposit and contacted the police!
We can use mobile phones to prevent this kind of thing. But who will do so? Why don’t we all have working mobile ID already given that the idea has been around for years? The key question is: will the banks and the mobile operators and the handset manufacturers and the platform providers and the government be able to work together to deliver a mobile ID infrastructure just as they did not work together to deliver a mobile payments infrastructure? Assuming the answer is no, then we are relying on Apple to once again perform its sheepdog role of corralling the banks so that the next time I access my bank online, use an ATM, walk into a bank branch or phone the bank from home, I will expect my bank app to pop open on my iPhone and ask for authentication. Once I’ve used TouchID or entered my PIN then I will know that I’m dealing with my real bank web site, ATM, call centre or branch and I’ll be able to get my banking service with a minimum of fuss.
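The identity symmetry described above, where the app checks the bank's signature on a request before it authenticates the customer, as an added example that is not from the original post: a minimal two-way challenge-response in Go in which a fake branch is refused because it cannot sign with the bank's key. Ed25519, a bank public key pinned in the app at enrolment, in-memory keys, and every type and function name here are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Request is the signed challenge a bank endpoint (branch, ATM, web site) sends to the app.
type Request struct{ Nonce, Sig []byte }
// NewIdentity makes an in-memory key pair (demo only; a phone would keep its key in hardware).
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}
// signed builds the bytes a signature covers; the tag keeps the two roles distinct.
func signed(tag string, nonce []byte) []byte { return append([]byte(tag+"|"), nonce...) }
// NewRequest is the bank side: sign a fresh random nonce so responses cannot be replayed.
func NewRequest(bankKey ed25519.PrivateKey) Request {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Request{nonce, ed25519.Sign(bankKey, signed("bank-request", nonce))}
}
// Respond is the app side: verify the bank first, and only then sign as the customer.
func Respond(pinnedBank ed25519.PublicKey, custKey ed25519.PrivateKey, r Request) ([]byte, error) {
	if !ed25519.Verify(pinnedBank, signed("bank-request", r.Nonce), r.Sig) {
		return nil, fmt.Errorf("request is not signed by the pinned bank key")
	}
	return ed25519.Sign(custKey, signed("customer-response", r.Nonce)), nil
}
// VerifyCustomer is the bank side: check the response against the enrolled customer key.
func VerifyCustomer(custPub ed25519.PublicKey, r Request, resp []byte) bool {
	return ed25519.Verify(custPub, signed("customer-response", r.Nonce), resp)
}

func main() {
	bankPub, bankKey := NewIdentity()
	custPub, custKey := NewIdentity()
	_, fakeKey := NewIdentity() // constructed: a fake branch's key, unknown to the app
	req := NewRequest(bankKey)
	resp, err := Respond(bankPub, custKey, req)
	_, fakeErr := Respond(bankPub, custKey, NewRequest(fakeKey))
	fmt.Println("real branch ok:", err == nil && VerifyCustomer(custPub, req, resp), "| fake branch:", fakeErr)
}
```

The customer's key never signs anything for an endpoint that fails the bank-signature check, so a counterfeit branch learns nothing it could replay at a real one.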
The ability to recognise each other (as I’ve written many times before) is the fundamental precursor to relationships (and therefore transactions). If there were a cost-effective and convenient mechanism to do this that could be used for governments and citizens to recognise each other, for businesses and consumers to recognise each other and for banks and their customers to recognise each other, we would see an inevitable growth in transactions and open up the virtual world to even more innovation and entrepreneurship. If my “Apple ID” provides a convenient mechanism for mutual recognition in person and online, it will be indispensable in short order. I am heartily sick of usernames and passwords, account numbers and one-time codes, call centres and secret words and I can’t wait for my mobile to do away with them.