Banks and Government cheek-by-jowl?
Shocked, shocked I tell you.
Personal data could be stored by banks and used to verify the identity of individuals that wish to use government digital services, according to a new report. A pilot study undertaken by Lloyds Banking Group found that there is scope for banks to act as identity (ID) assurance providers for online government services (14-page/ …
I moved to Helsinki a year ago and this is standard practice. The Finnish banks have been handling identity for government websites for years. And it's nothing about personal data. It's just your internet banking login used as a secure delegated access (think OAuth2) rather than creating yet another insecure username/password combo. In fact, it's pretty much the same as clicking the Login with Facebook/Google/Twitter button on any other website, except your bank probably has multifactor authentication (token generator, codebook, etc.).
Yes, it works, but the downside has been that the Finnish banks (being commercial operations) are very reluctant to provide net banking credentials to people with credit problems, who nevertheless have a need to access government services like everyone else (or even more). This turns it into a human rights issue.
"Not being able to access the government's website using your bank login details is correctly known as a 'minor inconvenience'."
Well, it could mean queuing for hours at an actual office that has cut the staff to a minimum because everyone of course uses the internet service.
This is also a matter of principle. Private companies should not be allowed to act as gatekeepers to government services.
Oh no, queuing. What a massive 'uman rights violation that is.
Private companies aren't. You're being offered ANOTHER WAY to do something. That's like saying that Stagecoach is acting as a gatekeeper to you travelling from London to Birmingham. Well, take a taxi or go on the train or take the megabus.
A human rights issue? What a load of sensationalist codswallop. Shame on you for polluting the environment for actual human rights issues by proclaiming false ones.
Yes, not everyone has Internet banking. So what. That's not the only way to access government services (it's not even the only way to login to a government website, before you go spouting off about having to queue at staff-cut-affected offices).
Being able to login with Internet bank credentials is just a sensible convenience.
Canada too. When I want to access many types of government business or personal service sites, I have a choice of signing in with my banking ID from certain approved private bank partners, or applying for a separate government web ID that takes several steps and several months to obtain (and no, it's not universal, various other government services require dozens of other unique IDs). I use the bank partner ID, but I'm not happy about it. The government leaks private information like a sieve if the history of the last few years is any indication.
There's more to government services than just the issuance of passports and driving licences.
And besides, you'd never have entered the circle of trust. If your ID couldn't be verified outside the circle, you wouldn't get the bank account or the passport in the first place to then be in the circle for future verification. See above comment about Finland and people with poor credit ratings.
I don't have a passport, don't have a driver's licence and most bills are in the other half's name. Identity verification comes down to my birth certificate, a letter from HMRC and a bank statement.
And that was just to get a Library Card. (No, I'm not joking. But at least it doesn't have a photo on it.)
I had her death certificate, all of her banking details (including a printed statement posted to our home and every Internet banking security response, because I was the one that set it up (I knew more about her account than she ever did)) and her bank debit card yet the bank whom I won't name (Halifax) (oh, did I type that out loud?) would not allow me to close my dead wife's account.
Because *I* did not have photographic ID.
HQ did not help. They wanted me to take "proper identification to your local branch". They didn't seem to be able to cope with the idea that I had already tried that.
Three years later and it's still open, and I still access the web login just to cost them a few pennies.
Just a word of (hopefully) assistance. Your late wife's official Executor MUST be allowed to close the account, once Probate is obtained. I had similar issues when my mother died also 3 years ago although in this case it might be the NotWorthit Bank (!) who messed me about!
To be fair, we may hate banks sometimes but I'd more readily trust my bank to provide secure identity services than any other organisation I regularly do business with. The way I understand the article, it would be a case of the bank offering a single sign-on service (e.g. OpenID / SAML) that government web sites can use to identify you: I would definitely use that sort of service rather than have to provide copies of bills and bank statements that can be accidentally forgotten on a train.
I agree in part with what Bruno says above but my thinking is (forgive me if I'm wrong) banks are in it for the money. So what is it going to cost us and the gov'?
Because banks will want to monetise anything they do, I don't trust them entirely with my details.
Yes, banks are in most things for the money, but in this case I would suspect that Lloyds and other banks will see the appeal from a customer retention perspective rather than a "how do I get paid" one... especially with the recent introduction of fast account switching between banks that was forced upon them. No doubt this will fall outside of that remit to some extent as it's "newer" and will be a reason the banks can use to try to convince you to stay...
Count me as out of this. I don't trust my bank any more than I trust government. Because they look one and the same. This is "outsourcing" the identification of individuals from the state to a private entity, nothing more, nothing less.
If government sets up an identification service that is independent from anything else, I'd be wary of banks using it, but that would make more sense. However, I seriously doubt that the public sector can accomplish such a project on their own, at least without involving a massive outsourced project done by the same set of big name consultants that the banks would involve anyway and going massively overbudget and underperforming.
Guess we're screwed anyway.
They make you perform cartwheels to log in just to check your balance.
They send you personal information and PINs in letters with "if undelivered return to Internet Banking" on the back.
THEY phone YOU, withholding Caller ID (which can be spoofed anyway) and ask you "security questions".
They send emails that ape phishing emails, whose Received: lines indicate Cloud providers, not their own domains.
They invent textbook examples of Man-in-the-middle network attacks.
And they put your card's offline PIN on the chip (this is invariably the same as the online PIN)
Yes really. I acquired a smartcard reader recently and found it whilst looking at what was on various cards in my wallet using cardpeek. (http://www.amazon.co.uk/Konig-USB-Smart-Card-Reader/dp/B003KZXP0E + https://code.google.com/p/cardpeek/)
From the look of it the public key crypto on the cards is pretty weak too.
Much of this has been known about for ages: http://en.wikipedia.org/wiki/EMV
THEY phone YOU, withholding Caller ID (which can be spoofed anyway) and ask you "security questions"
The only response to that idiocy is to start by insisting they answer your security questions. Their only response is 'but I cannot give out any information'. I then report them to their fraud department as an attempted phishing. Probably wasting my time as they still do it.
So not unlike how you'd get your first British passport then. You apply for a passport, it's countersigned by someone who already has one, which was in turn countersigned by someone who already has one, rinse, repeat.
Spice up the process with decades of fraud and false applications, and as proof of ID, passports are pretty flimsy (especially when sat upon).
Speaking as someone who had been abroad for a number of years, British bank security sucks (in fact only the Italian banks are worse in all aspects). In Benelux a card reader to generate secure codes is mandatory on all online banks (or at least the big ones) for at least the last ten years. When I asked Lloyds if they could provide that if I opened an account with them they said "wot?" - the people at the front door didn't even know what I was talking about. When I showed them a card reader it seemed as if I had produced the holy hand grenade of Antioch.
On top of this, twelve years ago when I moved *within* England they kept screwing up my address change, some statements went to the new address, some to the old, and some disappeared completely.
So let me get this straight, entities that: a) cannot track my address accurately; b) do not have the first clue about security; c) are notorious for outsourcing all my details to India; are going to provide security for my interaction with the government. Heaven help us...
Barclays has provided the pin reader thing for a while - one of the few competent things they have done.
But I agree with the poster above - caller id blocked security questions?
Almost as bad as some UK companies feeling authorised for you to email your *passport* to use a credit card...
I imagine this will end well...
Co-op Bank has a card reader code-generator thingy. You need it when you are setting up new Funds Transfers and such.
Halifax, OTOH sends a confirmation code to your smartphone. As I don't have one of those and wouldn't give a bank the number if I did that doesn't help me much.
Halifax used to supply the code things but that was umpteen years back. Well before iPhones.
"How does the bank know this? Because the person in question supplied the bank with photocopies of government supplied documents."
One of the documents they insist on as a base for building your identity being a birth certificate - which is explicitly NOT an identity paper. (I have my grandfather's birth certificate. That doesn't mean I was born in 1905)
When we registered the births of our children, there were BIG signs everywhere saying:
a) A birth certificate is NOT an identity paper.
b) It's illegal to photocopy a birth certificate.
The first one is because while you probably do need to have a record of birth to gain a birth certificate (or what if you gave birth at home with no help?) there was no validation at all that the "parents" were who they say they are, or that the child is their child.
The second caused fun when trying to claim a set of free nappies from the County Council, who asked for a photocopy of the birth certificate. They said to just ignore the legalities...
The question of identity is a lot more complicated than people think. Who am I? How can I be 100% certain?
It's all a matter of proportion. For really strong proof we (everyone in the whole world) should probably all have DNA tests, with the results stored along with links to our parents in some huge central database that only a tiny number of people can access, for a very limited number of purposes, for security reasons. Hmmm... I can see another circularity forming.
(Big Brother icon is relevant because I'm reading "Nineteen Eighty-Four", again, at the moment!)
Given the need for probity here, it would be prudent to exclude any company which has been punished for fraud or dishonesty within the last five years from having any part in the management or oversight of the scheme.
After all if their internal oversight processes are that bad then they shouldn't be allowed anywhere near this.
So which banks does that leave?
"As a bank, our customers’ security and verification is of paramount importance, and we’re keen to help our customers access digital services securely."
He forgot, "and as our primary IT service provider is WiPro from India; we automatically share all of your details already with one of our country's economic competitors."
You have put yourself in a position where if we do not accept your terms, daily life is increasingly difficult. Where I live, it is no longer legal to pay cash for purchases over €300, so banks are implicated in everything. Our choice of bank is dictated not by who we trust most, but rather who we hate the least.
As for security - can you explain why the first response to account errors is that it is our fault? Can you explain why you contact us from withheld phone numbers and email addresses that reject replies? Can you explain why unknown random phone callers claiming to be from the bank ask a bunch of security questions and get very shirty when I ask them to name three direct debits? Why am I expected to know phone numbers, but a bank card PIN is a crappy four digits? Why do card readers asking for a PIN not provide a personal message registered with the bank? Look at the equipment in supermarkets, who knows what the hell that could be connected to. Can you explain why there are so many fundamental lapses of basic trust with chip and pin? Can you explain why I get letters telling me about phishing and then emails from you that do half the things you say you don't do? And finally, as has been noted, if you need ID to hold a bank account and banks hold ID, how does one even enter into the equation?
Oh, and if you have a bunch of info on me, are you willing to vouch that I am me? Are you sure?
When will businesses (who want to leverage my information to make money) understand that the only person I want to be in control of my information is ME (Primacy) and that I want to be able to define who then has access to it (Agency).
See the original work out of the Jericho Forum on Identity, and now being moved forward by the Global Identity Foundation (www.globalidentityfoundation.org)
Does anybody seriously think that a link between your bank account and your driving licence for example would not lead to the government helping themselves to your cash whenever they saw fit?
The government are in essence thieves so given a direct link to your bank account, they would not be able to resist.
Yes, I know that it is only about validating identity at the moment but do you seriously think that function creep will not raise its ugly head once they have their foot in the door?
of 'their millions of customers such as name, address, phone numbers, financial history, etc.' Furthermore banks aren't immune to on-line attacks - as HSBC, and others, know.
I haven't been in any of my home bank branches for years, in one case over 20 years. And none know my telephone number.
If their security is so good, how come they don't know I'm married or in which country I actually reside? Not only that, my wife has a copy of my bank card and can use it in one part of the world whilst I can use the original in another 10-12 time zones apart a few minutes later.
Obviously they don't know aircraft don't travel at the speed of light.
I tried to purchase a developers license for Microsoft SQL 2014 yesterday from the Microsoft site only to have my card declined. HSBC then phoned up an employee who left over a year ago and who had been removed from the company account at that time to ask about "suspicious" account activity on my company card. Yep, the banks know all about security....
AML regulations require "identification and verification" the latter being performed in almost all cases with reference to government issued documentation (or electronically to databases of government issued "numbers" - passport/identity/registration #'s).
Government outsourced policing of anti-money laundering and terrorist identification to financial institutions (FIs), passing the financial burden from themselves to banks, and FIs in turn have been able to pass the expense on to shareholders and customers. Not to mention that it is far easier to extract significant fines from financial institutions for "inadequate" AML/Sanctions programs than obtaining similar amounts from asset forfeiture and successful prosecution of AML/Terror offenses.
Simply evoking the word "terrorist" is enough to justify egregious privacy and human rights violations, with recourse taking years of litigation, if at all.
There are enough examples in the modern world where "previously designated" terrorists are now the "legitimate democratic" government (e.g. ANC - South Africa), to give pause to blindly following a current regime's list of "baddies".
A bank account is, IMHO, nearly as difficult as getting a passport, but it is also a prerequisite. The breeder document for all this is the birth certificate and even that is less prone to fraud since the inclusion of the Elvis database to eliminate Day of the Jackal type occurrences.
As far as trusting the banks, this falls into two spheres for me, one the process - do I trust their KYC? - and their processing security - do I trust their operations? I do trust the process and now that the majority of their processing is or can be outsourced, I am beginning to trust their security.
Any trust model built on multiple sources, the federated model for instance, will be inherently more secure than a stand alone model, but difficult to establish and operate unless the banks and other financial institutions have a joint regulation construct, perhaps like the Payment Council for example.
As a customer of a major UK bank for 40 years (and registered with them as a high net worth individual giving certain benefits and personal attention) and worked for them for 30 years I wanted to open a business account recently (with no need for a loan, credit card or overdraft facility). I had to go through all the palaver to prove I am me i.e. passport in person to a branch, a personal interview, copies of recent utility bills, specimen signature, business plan, projected cash flow, long and complicated application form. It took a month.
I phoned round the other banks to ask how long to open a business account. Barclays said it would take 3 to 5 days so I said "let's do it", she then said OK, first you'll need a personal interview with our business advisor, the first appointment date is in a month's time... (i.e. only then will the 3-5 day account opening clock start). (I think it was Lloyds who tried to represent their 4-6 week processing delay into positive marketing "...because our new business account offering is proving so popular..." )