The Great Liability Sinkhole


Building identity management systems is a doddle, it really is. All you've got to do is to knock up a web interface with a database behind it, offer a store for trusted attribute data, tie the lot to a federation standard like OpenID, market to the target user base and wait for the money to come flowing in. Simples.

Oh hang on, that's wrong, I think I may have dreamed that last bit - building identity management systems is very difficult indeed. The problem is there are still a lot of dreamers out there, and in consequence we see some good, some bad and some downright ugly identity management systems out on the interwebs. I was reminded of this as I examined a service recently - let's call them Yaoids (Yet Another Online ID Service). Like many similar offerings, Yaoids claims to be able to protect every aspect of my modern lifestyle by helping me to prove who I am online (we'll overlook the fact that I rarely feel the need to prove who I am, I already know who I am; what I want to know is who the hell I'm talking to online, and to have assurance that they're not going to talk to anyone else purporting to be me. Top tip for the sales people there).

Like any similar identity service, Yaoids has to overcome a number of challenges, including registering users in a trusted way so that the market can be confident that Yaoids' users are who they claim to be; and maintaining that trust level so that when things go wrong (which sooner or later they always do) then the users don't ditch the service.

These challenges are potentially huge for any provider, and in the majority of cases prove insurmountable. PayPal is an example of a company that has tackled them very well indeed: whilst it has a number of registration mechanisms, for the majority of users, they need to already be in possession of a credit card to obtain service, and PayPal runs a couple of small transactions, with refunds, to confirm the details, and hence that there must be an issuer's KYC check. PayPal has made it easy for service providers to integrate the platform, particularly through its X sandbox environment. Genius.

Yaoids, on the other hand, has attempted to achieve the same outcomes through slightly different means. The service also rides on the back of another company's registration efforts (which isn't a bad thing), but in this case it's an online bank account: the customer provides their e-banking details, and Yaoids uses a third-party service to log in on their behalf to check the account is real, and that therefore someone must have conducted a KYC check on the user.

Have you spotted the problem yet? If not, then I'd like to introduce you to a mate of mine in Lagos who'd appreciate your help in transferring some funds from the estate of a deceased dictator out of the country, because I think you two would hit it off just fine.

Because PayPal uses a credit card transaction to build and maintain trust, the customer is assured that if anything goes wrong they are protected by consumer credit legislation, which generally falls in favour of the customer. If their PayPal account is hacked or phished, then the liability for the loss is transferred onto the card issuer. Of course the credit card companies don't like that, but because PayPal has been so effective at encouraging adoption, they've got little choice but to play along.

But Yaoids has instead left the customer at the mercy of banking regulations, and that's a very different liability story. If you've signed up for Yaoids' service, and my mate in Lagos has somehow emptied your bank account (oops, given the game away there) by some or other unrelated means, then regardless of whether or not the Yaoids service was compromised, you're going to have a very difficult conversation with the bank:

"Hello, this is the Grabbit & Run Online Banking fraud department, how may I help you?"

"My online service has been used to transfer all the funds from my account to Toby's mate in Lagos, I'd like it back please."

"Oh we're so sorry to hear that. Have you shared your online credentials with anyone?"

"No, of course not. Oh, except with Yaoids, who passed it on to their registration subcontractor, but they're all lovely trustworthy people."

"That's as maybe sir, but Grabbit & Run's online banking policies make it clear that we will not repay funds to customers who have handed their online banking credentials to a third party. Sorry sir but we cannot pay you back. Have a nice day. You muppet." <click> <beeeeeeeeep>

And there you go. Out of pocket, out of luck, and left with little choice but to resort to being patronised by the Watchdog team as they interview you about how hard done by you are, blaming Yaoids because that must have been the source of the loss, whether or not Yaoids did anything wrong at all. Yaoids customers then turn and flee, revenues dry up and the service closes.

What Yaoids have created here is a sinkhole for transaction liability: they've sidestepped the very necessary and often expensive step of building a trusted customer relationship, and there is now a mountain of commercial liability being swallowed into a sinkhole, and sooner or later that toxic liability will come pouring out in an unexpected place, destroying customer confidence and taking Yaoids - and its customers - with it.

Not in my back yard

 

This sort of problem isn't confined to Yaoids: most KYC checks want a passport as the document of choice, and there's nothing in the front cover which says:

"Her Britannic Majesty's Secretary of State requests and requires in the Name of Her Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance and to afford the bearer such assistance and protection as may be necessary ... oh, and she'll see you right if this passport turns out to be dodgy."

It's only society's conventions and habits which render the passport a trusted document for proof of ID outside of border control use cases. The doomed National Identity Scheme expected businesses to rely on ID Cards as their credential of choice, yet made it clear that no liability would be accepted for fraud or error, and that was a key factor in the total disinterest of UK.plc in that scheme (with the exception of those major IT providers who stood to profit).

It's this registration and liability conundrum that the Cross-Government Identity Assurance Scheme is intended to address at the root of its proposition, and at the moment there's every indication that it might just work. By federating existing trust relationships under trust schemes, the identity assurance approach should allow users to reuse their existing credentials - such as online banking - without liability issues, because there is no inappropriate third party, such as an independent commercial identity provider, involved in the relationship. There is no requirement to reveal banking passwords because the bank becomes the identity provider.

But until that happens, take care that when you sign up for an online ID service, it's not trying to hide your liability in a sinkhole somewhere - otherwise the Lads from Lagos will be in touch sooner than you might expect.

3 Comments

  • Fantastic article Toby - good to see recommendations from 10 years ago are finally gaining traction - but whilst you articulate the problem well, there is little in the article communicating how the solution will be different this time around - and little to suggest acknowledgement of the very real problem in solving timely revocation of a trusted id in a legally compliant way. Please call to discuss further.

  • P.S. I perhaps should have qualified by revocation of trusted id - I meant to say revocation of entitlements to that trusted id ;-)

  • Scarcely a week goes by without another revelation of stolen passwords, stolen PIN codes, stolen bank user IDs, each leading to mass thefts of ever-increasing value, from banks, building societies and ordinary everyday users. A couple of U.S. banks, and one in Hong Kong, are implementing a scheme which, it is said, will make all of this a thing of the past.
    Picture the scene: You've had your ATM/Cashpoint card stolen, along with the piece of paper on which you wrote your PIN. While they were at it, the thieves also took the other piece of paper, on which you wrote your online banking user ID and (of course) your password.
    Under normal circumstances, this would not constitute a Good Situation. However, your bank has followed the example of those banks mentioned above, and has implemented a scheme detailed on the website http://www.designsim.com.au and, even with the theft of all of that vital information, the thieves still can't access your account. Really.


    Disclaimer

    The views expressed in this blog are my own, and do not necessarily reflect those of any client or other organisation.
