BT (Robert McCausland & Peter Boyle) and Oracle (the ever dapper Christian Patrascu) accepting the European Identity Award from Martin Kuppinger & Tim Cole

The Solution

BT MFR brings together a comprehensive suite of fraud reduction capabilities under a single service. Device recognition, location recognition, behavior recognition and comprehensive policy enforcement through a customizable ruleset (powered by Oracle Adaptive Access Manager) provide granular risk assessments, returned in real-time so that even digital services requiring instantaneous delivery can be risk assessed for suspected fraud.

This functionality is all strung together and orchestrated by an Oracle Service Bus and accessed via web service calls. The routing and transformation layer that OSB provides allows for the augmentation of all the transaction data presented which can subsequently be used in a much richer risk assessment. The sources of such checks could be external URU or internal to the enterprise based on intelligence they’ve built up over years.

Risk assessments from multiple services can thus be aggregated to provide a single response to the protected application, containing all the information required to determine whether any transaction should continue forward.

Thanks to this unique design the service is also able to evolve, with new services integrated into the overall risk assessment procedure as they become required or available, without impacting the single web service call that the customer needs to access this battery of anti-fraud protection.

The Benefits

BTs Managed Fraud Reduction service has brought together a unique set of capabilities that address online fraud in ways that adapt to the organizations specific needs:

• Most online retailers cannot afford to issue password generating tokens to a fickle and ever-changing user-base. so a risk assessment based on transaction parameters such as device recognition and location provides a different way to achieve greater security.
• Online retailers providing digital goods or services cannot wait until shipping to review transactions (as delivery is immediate) so a system based on real-time assessment is greatly beneficial.
• Financial service providers need to assure funds transfers and payments within increasingly short windows (due to regulations such as ‘Faster Payments’) so real-time responses are essential.
• Gaming and leisure services are reliant on age-verification, so require identity verification score aggregated with the normal risk assessment. MFR allows the integration of such additional web services and will launch with BT’s URU identity verification available as an option.
• With the BT MFR service in place, customers can demonstrate to auditors that fraud prevention strategies are in operation and as a cloud service allows them to demonstrate this at a fraction of the cost compared to a self build strategy.
• With a robust fraud solution in place, customers can demonstrate to merchant acquiring banks that liability has been reduced.
• The architecture removes the need for the customer to contract separately with multiple vendors providing identity and fraud related services.

Addressing all market sectors and territories, fully customizable and simple to use, BT Managed Fraud Reduction service is an evolving one-stop solution to the ever-changing challenge of online fraud. And Oracle is proud to be a part of the solution.

Tags: BT, EIC11, European Identity Award, European Identity Conference, Fraud Prevention, Identity Proofing, Managed Fraud Reduction, OAAM, Oracle Adaptive Access Manager, Oracle Identity Management, Oracle Service Bus, Oracle_IDM, Risk Management

1. The answer cannot be easily guessed or researched [Safe]
2. The answer doesn’t change over time [Stable]
3. The answer is memorable [Recall-ability]
4. The answer is definitive or simple [Simplicity]

Good criteria to remember next time you are deciding between “What is your pet’s name?” and “What was the name of your first stuffed animal?”.

Of course, the service you are interacting with needs to allow you to choose from a large enough set or supply your own questions so you can adhere to this principle. And a highly sensitive application should go beyond just plain security questions. While most services are moving towards simpler yet more secure mechanisms – emailing the user short-lived password reset tokens, for instance – there are many cases where you still need a challenge-based mechanism (like when the forgotten password is the one used to access your email).

Knowledge-Based Authentication has gotten increasingly sophisticated over the last few years, and enterprises looking to leverage this can do better than just providing their users a few hard-coded questions to choose from. Oracle Adaptive Access Manager 11g brings features like Answer Logic (which employs fuzzy logic to increase the usability of security questions) and One-Time Passwords (delivered via SMS, email, IM or voice) into the mix, while also adding real-time risk analytics to make the overall process more secure, reliable, usable and cost-effective.

And all of this is delivered as a service so that enterprises can incorporate KBA into their various applications as needed. In fact, as part of the suite-wide integration design theme of Oracle Identity Management 11g, OAAM now has out-of-the-box integrations with Oracle Identity Manager and Oracle Access Manager. So if you deploy the suite, the real-time risk analytics and risk-based challenge mechanisms of OAAM are automatically leveraged by those other products. It is a sweet thing to behold.

Even as we sound out the call to kill passwords (an NPT for passwords; I like that), KBA will continue to be a critical tool in the identity proofing arena. So keep an eye out for all the innovation that will take place in this field.

Tags: Identity Proofing, Knowledge-Based Authentication, OAAM, OIM, Oracle Identity Management, Oracle Identity Management 11g, Password Management, Password Recovery Techniques, Security Questions, Service-Oriented Security

TechCrunch blogged about Michael Arrington’s twitter account getting verified without appearing to be verified (no one contacted him). This Mashable post may explain how this happened:

…Twitter will look to see if an official channel of the person in question links to his or her Twitter account from a place like an official website.

This is a good model for verifying a channel -  to look at a known official channel to see if it (officially) links to the channel being verified. However, it doesn’t scale beyond the celebrity use case, because the vast majority of users (like me) do not have anything that Twitter will recognize as an official channel. And Twitter will never have the manpower necessary to run an in-person verification program. But is there a clue buried in how Twitter is approaching this to how we could potentially do this at scale?

An emerging discussion in the identity space has been the topic of reputation as the basis of trust (which is what verified accounts are ultimately about). In the Twitter model, the reputation of the account is enhanced 100% because of it being cited on a well-known, officially recognized website. I recently read a Wired article about a new system for ranking/rating scientists based on number of citations as opposed to publications. Twitter has multiple (similar) variables that could potentially be used to calculate the reputation of a twitter account – number of followers, number of retweets, number/nature/participants of conversations (replies).

If these could be used to calculate the reputation of a twitter account, then you could get to the point where you could calculate the trustworthiness of an account. And then the whole “log in with your twitter account” feature that for now is only getting used in blog commenting systems could take on a much more significant role in the identity metasystem.

Tags: Identity Proofing, Personal Identity Management, Reputation Management, Twitter, Twitter Verified Accounts

I’m not going to recap all the interesting sessions that I attended. If you followed my twitter postings (and a big “Hi and Thank You” to everyone who tripled my following last week by connecting, including some folks who signed up for Twitter just to follow me), you got a sense of what was being talked about, and my thoughts on the same. For some great reporting on the key sessions, read Mark Dixon’s blog postings (this post is a map to the various posts he has written covering the conference).

I’ll simply present what I saw as the theme of the conference: Reality Hits The World Of Identity. People are realizing that the only way this identity stuff is going to work is if the online experience and constructs mirror how we operate in the real world. And this opens up a whole set of new areas to explore.

You Complete Me
A key realization that is taking hold is that relationships must be made a key part of the fabric of identity, and that relationships can form the trust basis for identity related transactions. While I don’t completely agree with Jamie’s assertion that a lot of work in the real world happens before any contracts are drawn up (no contractor can even begin work for Oracle until a contract is signed; similarly I can’t work for Oracle and get access to systems till an employment agreement is in place), I do recognize that the value proposition of transactions is a continuum, along which are different levels that require different levels of assurance. Assurance can be built up over time as a function of relationships (user is related to this company, user has X friends, user is certified by this identity provider, etc). Eve Maler gave a very interesting talk on how relationships can be nurtured and made available in the online world, and connected it to some of the work being done on R-Cards and Project VRM.

I Need An Authority Figure
Another sign that real world concepts are seeping into the online world was the increased discussion on the topic of Identity Proofing, and the externalization of Authoritative Identity Providers. Just like in the real world, companies are realizing that in order to scale  and distribute liability, they would like someone else to be responsible for vetting identity data and providing a validated, trustworthy identity into their environments. This is the first sign of a legitimate market emerging for the Identity Oracle that Bob Blakely has defined, and that I have discussed so often in the context of Identity Services. The Liberty Alliance has jumped in here to help out by proposing an Identity Assurance Framework (our old friend Frank Villavicencio is co-chair of the effort) that can define a trust language in this context. And everyone knows that I consider the work being done on the IGF a critical part of such an infrastructure.

I Got Your GRC Right Here (Not!)
Burton decided to take the IAM vendors to task for using GRC as a crutch to sell all manner of products. Referring to GRC as a four letter word, Bob attempted to blow up the myths surrounding GRC and posited that all the bluster around GRC has made companies lose sight of what they really need to address. He stated that each discipline conflated within GRC should be looked at independently by businesses with regards to its objectives, and that tools and processes should be put in place that address the specific needs identified. The message was clear – there is no such thing as a GRC product; instead there are a multitude of products that provide tools for addressing specific problems that fall under one of these disciplines, and enterprises should take a fresh look at what GRC means to them and how to approach it.

For me, the highlight of the conference was the talk by Nick Leeson, the securities trader who brought down Barings Bank. Not a technical talk at all, his explanation of how his actions exploited failings in the areas of governance and compliance drove home the point about process and tools being complementary parts of the puzzle.

The rest of the conference had some interesting announcements and decent discussions on the usual topics of Authentication, Provisioning and Role Management. I did what little I could to break the monotony and generate some controversy, but I’ll cover all of these in my upcoming posts.

Tags: Burton Catalyst Conference, BurtonGroupCatalyst08, GRC, Identity Assurance Framework, Identity Governance Framework, Identity Oracle, Identity Proofing, IGF, Nick Leeson, Relationship Management

Most often, identity proofing is part of the registration process that will lead to the issuance of an authentication token to someone. However, it is becoming increasingly desirable for identity proofing to be used as part of a contextual authentication process when a deeper level of assurance is needed (for instance, when I decide to transfer all my money to another bank account).

Having made the distinction between authentication and proofing, it is unfortunate that two out of the three identity proofing methods that Mark explains in the article have the word “authentication” in their industry names. Mark does a good job explaining the difference between these three methods – Knowledge-Based Authentication, Dynamic Knowledge-Based Authentication, and Out Of Band Proofing. As he points out, OOB Proofing is probably the most interesting of these mechanisms, as it doesn’t rely on some data source that could be infiltrated by someone intent on fraud. Interestingly enough, in my recent post on the Bharosa acquisition, I talked about their VoicePad product that provides something called Voice-based Authentication. This is a tool that enables OOB Proofing, by relying on a voiceprint biometric token, similar to the mechanism alluded to by Mark in the article (System calls the registered phone number, or sends a text to it asking the person to call back, and verifies the identity using a voiceprint match).

Give it a read. We are going to see increasing importance placed on the ability to leverage identity proofing as part of business transaction processing, which has some interesting implications for the whole Identity-As-A-Service discussion.

Tags: Authentication Management, Bharosa, Identity Proofing, Oracle Identity Management

The company’s proprietary technology keeps
unwanted adults out of social- networking sites by verifying each
user’s identity with fingerprint technology backed by in-person
registration. In addition to identity and age verification, the
safeTspace process obtains parental consent for users under 18 years
old. The technology protects the child – and not the computer -
allowing them to log on and be protected at any computer.

Very Interesting!
Intrigued, I headed over to their website to find out more. In their initial rollout, safeTspace is only dealing with social-networking sites for children, so it essentially is trying to ensure that you know who is an adult and who is a child (and not an adult posing as a child), thereby restricting access to child-only services and chat rooms. The verification process essentially involves an adult parent going online, creating an account with all their personal information (name, DOB, gender, address, …) and providing the information of their children that they want to register. They will receive an invitation letter that the child takes to school along with one form of identification. The child’s identity is verified and they have their fingerprint taken by a safeTspace representative (usually a safeTspace certified teacher), and their account is activated. From that point on, they can access child-friendly social-networking sites by first logging into safeTspace using their account id, password and fingerprint. The site then sends them to the unlocked member site. The safeTspace website optimistically says:

The only hardware required is a lowcost fingerprint ID reader. Registered
children simply login to safeTspace by entering their ID, password and
fingerprint. Once there, they can access a wide variety of child-only
content and chat, IM and explore with complete freedom.

My Thoughts
This is obviously one of the first attempts to create a sort of internet identity provider, even if it seems to operate on the Web SSO principle more than the identity-as-a-service principle.

It incorporates one of the key elements to making identity verification possible. It uses an in-person process, which is the only way to truly verify someone’s identity (never ask a computer to do a human’s job). It also brings in a ubiquitous institution – schools – into the process (in my post on identity verification I had singled out banks as the institution of choice).

The biggest hole seems to be its reliance on biometric authentication. While this ensures that an adult will not log in with a child’s account (actually, I think determined people will find a way around that, but it’s better than nothing), it imposes a burden that I don’t think the user community is ready for. Social networking sites today have tens of millions of users, know no global boundaries, are accessed on all manner of devices (cellphones, communicators, public internet terminals) and are free. All of which do not jive with fingerprint based authentication.

• First off, I don’t see schools in developing countries (some of which have the most active children communities) being able to get online with this program soon.
• Those same children may not be able to afford the fingerprint reader this scheme needs. The site FAQ states: the cost will depend on the content provider providing the technology, but the general price is around $30 per year -
  less than the cost of one cup of premium coffee a month. Yeah, here in the US maybe, but in China, India or Thailand?
• Also, how this is supposed to work when kids are increasingly using cellphones to blog, photoblog, chat, IM and twitter on social-networking sites leaves a gaping hole in the story.
  The FAQ does state that the technology works with mobile devices, but offers no specifics.

It’s an interesting challenge. Technologies like CardSpace and OpenID promise user-centric identity selectors, but impose no requirements on authentication done to get access to the Identity Cards. Security is only as strong as the weakest link, and the reliance on a PIN to access an Identity Card seems to be the weak link. I for one will be interested in seeing how safeTspace does in the market. What do you think?

Tags: Identity in Social Networking, Identity Proofing, User-Centric Identity

Why am I talking about this on my blog? Well, in a recent statement on their official blog, Linden Labs announced that it will be introducing an age and identity verification system. Residents will have to provide proof of identity (driver’s license, passport or ID card) that asserts their identity as well as their legal participation in SL as an adult (above 18). SL states that

“The verification system will be run by a third party specializing in age and identity authentication. No personally identifying information will be stored by them or by Linden Lab, including date of birth, unless the Resident chooses to do so. Those who wish to be verified, but remain anonymous, are free to do so.”

Yet More Proof (as if we needed it)
Well, if there ever was a shining example of why we need an identity layer for the internet, this is it. Linden Labs has made the decision that the existing information they have (credit card and Paypal accounts of residents) is not enough. They need full-fledged identity verification (including age information), presumably to protect themselves in an attempt to prevent cases of child abuse in their online world. But to provide sensitive PII credentials like a driver’s license or passport? Concerns of identity theft are springing up all over (see Mitch Wagner’s blog post on the subject).

The Theory
I would venture that most of the people accessing SL are sophisticated web users that have online banking accounts. My bank already took all the same information (driver’s license, passport) when I opened my account with them. Wouldn’t it be great if our banks could issue a signed identity assertion that I could take to SL that informs them of my being of legal adult age? I could access a special SL webpage using my bank issued InfoCard, that allows SL to link up my account information to the fact that my bank asserted that I am legally an adult. And I don’t have to worry about who might receive the scan or jpg I upload of my most sensitive documents.

Similar Experiences Across The Web
I recently had the same experience at iStockPhoto, where I was trying to sign up as a user allowed to sell photographs I took. The “application” required me to upload a digital image of my drivers license and upload it to their website. This was a simple identity verification process that took on larger significance for me, because I had no way of gauging how well iStockPhoto would protect my information. I don’t know if the image will be securely destroyed once age is verified, if it will be kept on a server (the backup DVD of which may end up falling out the back of a Fedex van somewhere), or who has access to see that image.

In the identity management community, it has long been understood that the most important, and difficult, part of the self-registration process is the identity verification process. Most websites never really require anything more than an email address that they know you own (verified through a simple email-based verification method). But as child protection regulations force more and more online sites to take the sort of step SL is taking, the issue of identity verification will become an even greater challenge. The only way to avoid the next wave of identity theft and phishing attacks is to get an identity layer in place, and motivate the right identity providers. The last part is probably key, as without incentive, no worthwhile identity provider (like banks) will be willing to take on the liability. SL states that

“Premium Second Life Residents will have access to the identity verification system for a nominal Linden Dollar fee as part of their subscription. Free-account owners (Basic membership) can pay a larger Linden Dollar fee for the service, can upgrade to Premium to access the system, or simply decline to verify their age and continue enjoying Second Life without access to adult content.”

Maybe banks can charge their customers a nominal fee everytime their identity is verified somewhere using a bank issued identity selector (not that I am saying I want this model).

I can just see the email landing in my inbox one day. “Dear Second Life Resident, it has come to our attention that we do not have your age verification on file. Please click on this link to …”

Interesting Reads: FIPS 201 Standard on Personal Identity Verification

Tags: Identity Proofing, Identity Services, Personal Identity Management, Second Life, User-Centric Identity