Thursday 9 November 2017

Trust me, I know a shortcut

One of the greatest digital innovations of recent times is the SatNav.  When Satellite Navigation was first introduced to the motoring public, it was a custom device, with a custom map downloaded to it.  This handy device allowed you to plan your route to a fixed set of destinations with turn-by-turn instructions to get you there safely.  The biggest impact it had in the early days was that no longer did you have to argue with your passenger when you got lost; you could now argue with a machine instead.

Yet it is the digital age where SatNavs have been taken to another level.  The accessibility of the smartphone and communications networks gave it a platform; driven by the data economy it discovered an entirely new business model.  Whereas once a new road or change in layout would’ve required you to wait for the next annual map pack, and a traffic jam would’ve been something to drive into, now, using real-time data from the users of SatNav, your arrival time is based on current information, constantly updated along your journey, to get you there as expediently as possible.

Whilst the opportunities to show that man is still better than machine have dwindled, even the best SatNav in the world is currently no match for a little local knowledge, mixed with eyes on the ground and the ability to push the boundary of the highway code right to the edge.  If there are five cars ahead at the lights, the SatNav still doesn’t know to take a left, do a u-turn at the next junction and hop across number 38’s flower bed; a route that doesn’t exist on any map.

Where this becomes an issue is when you’re the passenger rather than the driver.  There are two things that erode trust.  The first is when the car starts taking on water because the river on your shortcut was deeper than expected.  The second is when the arrival time goes up.  And it seems that once you’ve eroded that trust it doesn’t matter how excited you become that you can save 26 seconds on the journey time – the SatNav’s instruction becomes more credible than your own.



In the world of identity, this erosion of trust is often expensive, and sometimes fatal to a scheme.  The Estonian Government are busy re-issuing their identity cards after a theoretical security flaw was found.  Fortunately, they acted swiftly to restrict access to services.  One benefit that Estonia have with their identity scheme is that it is mandatory; so whilst a costly and embarrassing episode for them – the inconvenience to the customer is unlikely to lead to a public revolt against their much vaunted service. 

Estonia have always had an enviable position when it comes to digital government, and how they have designed and implemented their digital identity scheme to support it.  Being able to design services and architecture from the ground upwards, and mandating some of the more awkward parts of the identity solution (physical step out for example) upon the population have helped them to grow adoption at a rapid pace.  In other countries, how services are accessed comes with choice, and digital identity is optional rather than mandated.  These countries have to create compelling reasons for their citizens to engage with digital government.

Similar considerations exist in the private sector – the sweet spot of security, user experience and cost needs to be hit.  If you don’t hit this you won’t create a service that users want to engage with.  Digital identity is hard.  How we can reliably identify customers in the digital era when identity is based on legacy physical constructs is always going to grate against customer experience.  The data, systems and services that we need to leverage are going to be costly. 

It may be tempting to take shortcuts on security in order to minimize costs and maximize customer experience, though we have to consider how easily trust can be eroded when we get it wrong.  Customers understand that checks and hurdles are intended to keep them safe, and they expect them.  Though they don’t expect to be put through the mill for access to a service that doesn’t warrant it.

Identity fraud is a growing problem, whether in the context of a citizen of a government, or a customer of a private sector organisation.  We shouldn’t take shortcuts on identity unless we’re confident that the outcome is going to be better than following the route our more conservative security conscience tells us that we should.  If your digital identity experience seems too easy, the chances are that you’ve taken shortcuts in either cost or security.  It may work for you in the short term, though eventually you’ll run out of luck.  The challenge is how to avoid being the one flapping their arms wildly because you know a shortcut – and realising why everyone else is ignoring you.



About me

Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has nearly 20 years' experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA


Connect with Bryn on LinkedIn: Bryn Robinson-Morgan

Saturday 23 September 2017

The rise of synthetic identity

In an increasingly digital world, we’re constantly being hamstrung by analogue thinking.  As individuals, our data has been given away quite freely by governments and organisations.  It would seem a huge invasion of our privacy if our mobile phone provider told anyone who wanted to know our personal information without any checks and balances being in place.  Yet for years our fixed line provider published huge paper directories with our names, addresses and telephone numbers; and governments happily share our personal details through electoral and other public registers.

In the digital age, this becomes a huge problem.  The ability to link disparate data sets together to create a rich picture of our identity makes us vulnerable to fraud.  Add to this data breaches that spew further details of our lives.  The response is to tell us to change our password, or cancel our credit cards.  Whilst we can fairly easily change these attributes that create links to us, we can’t change the fundamental core of our existence.

Synthetic identity, the process of amalgamating fake information with real identity data, is today involved in 80% of all credit card fraud.  The true scale of the problem is likely to be far greater as fraudsters are happy to play the long game.  The effort involved in creating and growing a synthetic identity is relatively little, because of the data that is available.  Taking information that is in the public domain, linking it with information that shouldn’t be – either from data breaches, phishing scams, or careless social media postings – isn’t sophisticated.  The same technology that organisations use in their CRM systems allows fraudsters to link this to create a “good enough” essence of identity from which to grow their synthetic version of a real-world entity.



For example, social media companies don’t offer much in the way of barriers to their customers creating a profile.  An email and password is a fairly standard way to get started.  From this, real world identity attributes can be linked.  In a couple of minutes I can be anyone I want to be.  At this point, I’ve done nothing illegal (I may have breached the T&Cs) though if I know the real-world identity I’m targeting, I can lay the first foundations of my synthetic identity.  If I know where my target lives, I can even use a VPN to link the social media profile to the right location.

With bot technology, my social media profile can happily go off and make friends, have opinions, and most importantly build lineage of my synthetic identity.  Depending on how successful my bot is at making friends, and how much other data I can link to it from real identity information, I can start to do other more interesting things.  I might for example want to get a pre-pay mobile SIM.  For a few bucks I can use my social media profile to get a mobile number to associate to my synthetic identity.  I have now built a footprint that others trust.  A few messages from my mobile, and I can decide that it’s time for my synthetic identity to get a credit footprint.  Migrating from pre-pay to post-pay is unlikely to trigger any fraud alerts – real people do it every day.

Of course, at this point we do have controls.  Post-pay means credit, and credit means regulation.  As my synthetic identity isn’t real, here’s where it will fall down.  The credit check will fail – and a handy marker will be raised against it.  So now my synthetic identity has a credit file too.  More applications, more failures, more footprint.  Now I can apply to the credit card companies who are designed for people just like my synthetic identity.  “Poor or no credit rating? Minimal identity footprint?  No problem.”  Sound familiar?

At some point the fraudster needs to make money.  Today, we can see that credit card fraud is where the burst-out moment comes.  Take the cards, max the limits, burn the identity.  Yet what we don’t know is how many other identities are still being percolated.  The fraudsters may be using their synthetic identities to make phone calls with their mobile and buy things with their credit cards; paying their bills off each month like model credit citizens.

The good news is that all the organisations mentioned above, and many more besides, are tackling this problem.  Technology, processes and controls are continually evolving ways of spotting the synthetic identities amongst the real ones.  This will always be an ongoing battle.  The other issue to address is to bring about standards and interoperability for identity across these different nation, sector and organisational boundaries.

There will always be varying requirements for identity.  What I need to prove, and how much assurance is required in order to post a photo of what I had for dinner varies greatly from the requirements for me to walk into the cockpit of the plane.  Where standards are invaluable is that the reliance placed upon a low-level process and the increment to a higher-level of assurance are understood, controlled and properly mitigated.  If all parties adhere to interoperable standards we can have progressive assurance of identity.

Too often, the “not invented here” attitude, or competitive advantage through lower assurance standards, serves to undermine the entire system.  Standards that allow for innovation must become the benchmark for organisations whose data is trusted by others within the marketplace.  As digital identity schemes become more prevalent there is an opportunity to evolve away from the analogue processes that blight the digital world.  A collective and collaborative push is required to accelerate the rate of adoption.  If we’re to prevent fraudsters targeting the weaknesses, we need to have collective responsibility to drive standards upwards.


The digital age allows fraudsters to play the long game – we need to think ahead.

