What could possibly go wrong? Banks could provide ID assurance for Gov.UK – report

Personal data could be stored by banks and used to verify the identity of individuals that wish to use government digital services, according to a new report. A pilot study undertaken by Lloyds Banking Group found that there is scope for banks to act as identity (ID) assurance providers for online government services (14-page/ …

  1. Zog_but_not_the_first

    Cosy

    Banks and Government cheek-by-jowl?

    Shocked, shocked I tell you.

  2. larryk78

    Meh

    I moved to Helsinki a year ago and this is standard practice. The Finnish banks have been handling identity for government websites for years. And it's nothing about personal data. It's just your internet banking login used as a secure delegated access (think OAuth2) rather than creating yet another insecure username/password combo. In fact, it's pretty much the same as clicking the Login with Facebook/Google/Twitter button on any other website, except your bank probably has multifactor authentication (token generator, codebook, etc.).

    1. MacroRodent

      Re: Meh

      Yes, it works, but the downside has been that the Finnish banks (being commercial operations) are very reluctant to provide net banking credentials to people with credit problems, who nevertheless have a need to access government services like everyone else (or even more). This turns it into a human rights issue.

      1. Anonymous Coward

        Re: Meh

        A 'human rights issue' is when the government locks you up for expressing an opinion. Not being able to access the government's website using your bank login details is correctly known as a 'minor inconvenience'.

        1. MacroRodent

          Re: Meh

          "Not being able to access the government's website using your bank login details is correctly known as a 'minor inconvenience'."

          Well, it could mean queuing for hours at an actual office that has cut the staff to a minimum because everyone of course uses the internet service.

          This is also a matter of principle. Private companies should not be allowed to act as gatekeepers to government services.

          1. Anonymous Coward

            Re: Meh

            Oh no, queuing. What a massive 'uman rights violation that is.

            Private companies aren't. You're being offered ANOTHER WAY to do something. That's like saying that Stagecoach is acting as a gatekeeper to you travelling from London to Birmingham. Well, take a taxi or go on the train or take the megabus.

            1. jonathanb Silver badge

              Re: Meh

              Megabus is owned by Stagecoach, so that is a bad example, and Virgin is 49% owned by Stagecoach.

              However, I will give you three better examples. You could use the trains operated by Chiltern Railways or London Midland; or you could use a National Express bus.

      2. larryk78

        Re: Meh

        A human rights issue? What a load of sensationalist codswallop. Shame on you for polluting the environment for actual human rights issues by proclaiming false ones.

        Yes, not everyone has Internet banking. So what. That's not the only way to access government services (it's not even the only way to login to a government website, before you go spouting off about having to queue at staff-cut-affected offices).

        Being able to login with Internet bank credentials is just a sensible convenience.

    2. AJames

      Re: Meh

      Canada too. When I want to access many types of government business or personal service sites, I have a choice of signing in with my banking ID from certain approved private bank partners, or applying for a separate government web ID that takes several steps and several months to obtain (and no, it's not universal, various other government services require dozens of other unique IDs). I use the bank partner ID, but I'm not happy about it. The government leaks private information like a sieve if the history of the last few years is any indication.

      1. Barry Rueger

        Re: Meh

        An Canada. My Bank (Scotiabank) STILL refuses to use case sensitive passwords, and STILL refuses to allow "special" characters.

        However, the fact that they ask me the name of my first pet makes me feel very secure....

  3. Paul Crawford Silver badge

    Out of cheese error

    So gov to use banks to verify individuals' identity for issuing passports, driving licenses, etc.

    Banks use data like passports, driving licence, etc, to verify users when signing up.

    A small circular problem?

    1. Velv

      Re: Out of cheese error

      There's more to government services than just the issuance of passports and driving licences.

      And besides, you'd never have entered the circle of trust. If your ID couldn't be verified outside the circle, you wouldn't get the bank account or the passport in the first place to then be in the circle for future verification. See above comment about Finland and people with poor credit ratings.

      1. Brewster's Angle Grinder Silver badge

        Re: Out of cheese error

        I don't have a passport, don't have a driver's licence and most bills are in the other half's name. Identity verification comes down to my birth certificate, a letter from HMRC and a bank statement.

        And that was just to get a Library Card. (No, I'm not joking. But at least it doesn't have a photo on it.)

        1. HelpfulJohn

          Re: Out of cheese error

          I had her death certificate, all of her banking details (including a printed statement posted to our home and every Internet banking security response, because I was the one that set it up (I knew more about her account than she ever did)) and her bank debit card yet the bank whom I won't name (Halifax) (oh, did I type that out loud?) would not allow me to close my dead wife's account.

          Why not?

          Because *I* did not have photographic ID.

          HQ did not help. They wanted me to take "proper identification to your local branch". They didn't seem to be able to cope with the idea that I had already tried that.

          Three years later and it's still open, and I still access the web login just to cost them a few pennies.

          1. VBF

            Re: Out of cheese error

            Helpful John

            Just a word of (hopefully) assistance. Your late wife's official Executor MUST be allowed to close the account, once Probate is obtained. I had similar issues when my mother died also 3 years ago although in this case it might be the NotWorthit Bank (!) who messed me about!

  4. Anonymous Coward

    Given what a huge expensive clusterfuck government IT projects tend to be, I'm not convinced that tying banking details in there is a good idea. And that's not even considering outfits like the DVLC who have been flogging off private information to anyone with a chequebook.

    1. This post has been deleted by its author

  5. Bruno Girin

    Trust

    To be fair, we may hate banks sometimes but I'd more readily trust my bank to provide secure identity services than any other organisation I regularly do business with. The way I understand the article, it would be a case of the bank offering a single sign-on service (e.g. OpenID / SAML) that government web sites can use to identify you: I would definitely use that sort of service rather than have to provide copies of bills and bank statements that can be accidentally forgotten on a train.

  6. Chris G

    Must have a think about this

    I agree in part with what Bruno says above but my thinking is (forgive me if I'm wrong) banks are in it for the money. So what is it going to cost us and the gov'?

    Because banks will want to monetise anything they do, I don't trust them entirely with my details.

    1. Shippwreck1

      Re: Must have a think about this

      Yes, banks are in most things for the money, but in this case I would suspect that Lloyds and other banks will see the appeal from a customer retention perspective rather than a "how do I get paid" one... especially with the recent introduction of fast account switching between banks that was forced upon them. No doubt this will fall outside of that remit to some extent as it's "newer" and will be a reason the banks can use to try to convince you to stay...

    2. Velv

      Re: Must have a think about this

      Some "banks" view some of the services they offer as a value add item, and it could be the same with your digital ID. Customers will be more reluctant to switch banks if they've got an established digital ID they'd need to move or possibly even recreate.

  7. Anonymous Coward

    "because of the trust consumers would have in that arrangement."

    Count me as out of this. I don't trust my bank any more than I trust government. Because they look one and the same. This is "outsourcing" the identification of individuals from the state to a private entity, nothing more, nothing less.

    If government sets up an identification service that is independent from anything else, I'd be wary of banks using it, but that would make more sense. However, I seriously doubt that the public sector can accomplish such a project on their own, at least without involving a massive outsourced project done by the same set of big name consultants that the banks would involve anyway and going massively overbudget and underperforming.

    Guess we're screwed anyway.

    1. Donchik

      Re: "because of the trust consumers would have in that arrangement."

      Involving the government in the bank's verification system!

      Seriously?

      With the government's IT record that's bound to lead to a major security breach within days.

  8. Dr Paul Taylor

    But retail banks are clueless about security

    They make you perform cartwheels to log in just to check your balance.

    They send you personal information and PINs in letters with "if undelivered return to Internet Banking" on the back.

    THEY phone YOU, withholding Caller ID (which can be spoofed anyway) and ask you "security questions".

    They send emails that ape phishing emails, whose Received: lines indicate Cloud providers, not their own domains.

    They invent textbook examples of Man-in-the-middle network attacks.

    1. tirk
      Unhappy

      Re: But retail banks are clueless about security

      To misquote Douglas Adams, they are so primitive they still think Trusteer is a pretty neat idea.

    2. Anonymous Coward

      Re: But retail banks are clueless about security

      And they put your card's offline PIN on the chip (this is invariably the same as the online PIN)

      Yes really. I acquired a smartcard reader recently and found it whilst looking at what was on various cards in my wallet using cardpeek. (http://www.amazon.co.uk/Konig-USB-Smart-Card-Reader/dp/B003KZXP0E + https://code.google.com/p/cardpeek/)

      From the look of it the public key crypto on the cards is pretty weak too.

      Much of this has been known about for ages: http://en.wikipedia.org/wiki/EMV

    3. peter 45

      Re: But retail banks are clueless about security

      THEY phone YOU, withholding Caller ID (which can be spoofed anyway) and ask you "security questions"

      The only response to that idiocy is to start by insisting they answer your security questions. Their only response is 'but I cannot give out any information'. I then report them to their fraud department as an attempted phishing. Probably wasting my time as they still do it.

  9. Version 1.0 Silver badge
    Happy

    Confirmed Identity?

    So if this goes through maybe the Banks will finally be able to figure out which of their managers and directors are responsible for all the fraud and doggy practices of the last 10 years?

    1. Rich 11

      Re: Confirmed Identity?

      Doggy practices? I honestly don't want to know what they get up to in the evenings.

  10. Anonymous Coward 101

    Circularity

    How does the government know they are giving benefits to the correct person? A bank assured them they were.

    How does the bank know this? Because the person in question supplied the bank with photocopies of government supplied documents.

    1. G Fan

      Re: Circularity

      So not unlike how you'd get your first British passport then. You apply for a passport, it's countersigned by someone who already has one, which was in turn countersigned by someone who already has one, rinse, repeat.

      Spice up the process with decades of fraud and false applications, and as proof of ID, passports are pretty flimsy (especially when sat upon).

  11. ZSn
    Holmes

    Security

    Speaking as someone who had been abroad for a number of years, British bank security sucks (in fact only the Italian banks are worse in all aspects). In Benelux a card reader to generate secure codes is mandatory on all online banks (or at least the big ones) for at least the last ten years. When I asked Lloyds if they could provide that if I opened an account with them they said "wot?" - the people at the front door didn't even know what I was talking about. When I showed them a card reader it seemed as if I had produced the holy hand grenade of Antioch.

    On top of this, twelve years ago when I moved *within* England they kept screwing up my address change, some statements went to the new address, some to the old, and some disappeared completely.

    So let me get this straight, entities that: a) cannot track my address accurately; b) do not have the first clue about security; c) are notorious for outsourcing all my details to India; are going to provide security for my interaction with the government. Heaven help us...

    1. phil dude
      FAIL

      Re: Security

      Barclays has provided the pin reader thing for a while - one of the few competent things they have done.

      But I agree with the poster above - caller id blocked security questions?

      Almost as bad as some UK companies feeling authorised for you to email your *passport* to use a credit card...

      I imagine this will end well...

      P.

    2. jonathanb Silver badge

      Re: Security

      RBS/Natwest, Nationwide and Barclays have card readers. HSBC has a code generator. Lloyds and a few other banks send SMS codes to your phone to verify you.

      1. HelpfulJohn

        Re: Security

        Co-op Bank has a card reader code-generator thingy. You need it when you are setting up new Funds Transfers and such.

        Halifax, OTOH sends a confirmation code to your smartphone. As I don't have one of those and wouldn't give a bank the number if I did that doesn't help me much.

        Halifax used to supply the code things but that was umpteen years back. Well before iPhones.

  12. Alan Brown Silver badge

    Circularity

    "How does the bank know this? Because the person in question supplied the bank with photocopies of government supplied documents."

    One of the documents they insist on as a base for building your identity being a birth certificate - which is explicitly NOT an identity paper. (I have my grandfather's birth certificate. That doesn't mean I was born in 1905)

    1. Fonant
      Big Brother

      Re: Circularity

      When we registered the births of our children, there were BIG signs everywhere saying:

      a) A birth certificate is NOT an identity paper.

      b) It's illegal to photocopy a birth certificate.

      The first one is because while you probably do need to have a record of birth to gain a birth certificate (or what if you gave birth at home with no help?) there was no validation at all that the "parents" were who they say they are, or that the child is their child.

      The second caused fun when trying to claim a set of free nappies from the County Council, who asked for a photocopy of the birth certificate. They said to just ignore the legalities...

      The question of identity is a lot more complicated than people think. Who am I? How can I be 100% certain?

      It's all a matter of proportion. For really strong proof we (everyone in the whole world) should probably all have DNA tests, with the results stored along with links to our parents in some huge central database that only a tiny number of people can access, for a very limited number of purposes, for security reasons. Hmmm... I can see another circularity forming.

      (Big Brother icon is relevant because I'm reading "Nineteen Eighty-Four", again, at the moment!)

    2. Mike Smith

      Re: Circularity

      "(I have my grandfather's birth certificate."

      So do I. As I'm feeling puckish, 'cos it's Friday, I'm toying with seeing if I can slip it past a counter droid somewhere. Be interesting to see if they pick up on the 1874 birth date.

      1. jonathanb Silver badge

        Re: Circularity

        They probably will. Most of them can't cope with a date of birth that is earlier than 1/1/1900.

        1. Oldfogey

          Which is why..

          1/1/1900 is the default date I put down when a site asks for date of birth for no good reason.

          Often along with their corporate address and phone no.

    3. HelpfulJohn

      Re: Circularity

      I have the wife's but I can't find mine.

      Still, fifty quid and a few details about some bugger born around the same date and I can buy another copy of one. Maybe even a copy of mine.

      How is that in any way "secure"?

  13. This post has been deleted by its author

  14. Anonymous Coward
    Thumb Up

    Demonstrable integrity

    Given the need for probity here, it would be prudent to exclude any company which has been punished for fraud or dishonesty within the last five years from having any part in the management or oversight of the scheme.

    After all if their internal oversight processes are that bad then they shouldn't be allowed anywhere near this.

    So which banks does that leave?

  15. Annoyed Grunt

    Brilliant.

    "As a bank, our customers’ security and verification is of paramount importance, and we’re keen to help our customers access digital services securely."

    He forgot, "and as our primary IT service provider is WiPro from India; we automatically share all of your details already with one of our country's economic competitors."

  16. heyrick Silver badge
    Stop

    No, banks, we do NOT "trust" you

    You have put yourself in a position where if we do not accept your terms, daily life is increasingly difficult. Where I live, it is no longer legal to pay cash for purchases over €300, so banks are implicated in everything. Our choice of bank is dictated not by who we trust most, but rather who we hate the least.

    As for security - can you explain why the first response to account errors is that it is our fault? Can you explain why you contact us from withheld phone numbers and email addresses that reject replies? Can you explain why unknown random phone callers claiming to be from the bank ask a bunch of security questions and get very shirty when I ask them to name three direct debits? Why am I expected to know phone numbers, but a bank card PIN is a crappy four digits? Why do card readers asking for a PIN not provide a personal message registered with the bank? Look at the equipment in supermarkets, who knows what the hell that could be connected to. Can you explain why there are so many fundamental lapses of basic trust with chip and pin? Can you explain why I get letters telling me about phishing and then emails from you that do half the things you say you don't do? And finally, as has been noted, if you need ID to hold a bank account and banks hold ID, how does one even enter into the equation?

    Oh, and if you have a bunch of info on me, are you willing to vouch that I am me? Are you sure?

  17. Anonymous Coward

    "Moreover they go through rigorous verification processes to ensure this information is accurate and that their customers are who they say they are (in compliance with Anti Money Laundering (AML)"

    So not HSBC then

  18. teebie

    "We will switch your account within the next 28 days, but please bear in mind that, in the meantime, you won't be legally considered to be a person."

    I'd rather my identity not be determined by a company that claims that verified by visa enhances my security.

  19. simmondp

    Primacy & Agency

    When will businesses (who want to leverage my information to make money) understand that the only person I want to be in control of my information is ME (Primacy) and that I want to be able to define who then has access to it (Agency).

    See the original work out of the Jericho Forum on Identity, and now being moved forward by the Global Identity Foundation (www.globalidentityfoundation.org)

  20. FreeBrad

    Hi Mr. Burglar, would you like the keys to my house?

    Does anybody seriously think that a link between your bank account and your driving licence for example would not lead to the government helping themselves to your cash whenever they saw fit?

    The government are in essence thieves so given a direct link to your bank account, they would not be able to resist.

    Yes, I know that it is only about validating identity at the moment but do you seriously think that function creep will not raise its ugly head once they have their foot in the door?

  21. Captain Hogwash
    Facepalm

    Banks? Trust?

    Those who don't learn from history etc.

  22. JaitcH
    FAIL

    Banks have long been the holders and 'guardians' of personal information ...

    of 'their millions of customers such as name, address, phone numbers, financial history, etc.' Furthermore banks aren't immune to on-line attacks - as HSBC, and others, know.

    I haven't been in any of my home bank branches for years, in one case over 20 years. And none know my telephone number.

    If their security is so good, how come they don't know I'm married or which country I actually reside in. Not only that, my wife has a copy of my bank card and can use it in one part of the world whilst I can use the original in another 10-12 time zones apart a few minutes later.

    Obviously they don't know aircraft don't travel at the speed of light.

  23. Anonymous Coward

    I tried to purchase a developers license for Microsoft SQL 2014 yesterday from the Microsoft site only to have my card declined. HSBC then phoned up an employee who left over a year ago and who had been removed from the company account at that time to ask about "suspicious" account activity on my company card. Yep, the banks know all about security....

  24. Anonymous Coward

    Many Pounds and (no) Sense.

    AML regulations require "identification and verification" the latter being performed in almost all cases with reference to government issued documentation (or electronically to databases of government issued "numbers" - passport/identity/registration #'s).

    Government outsourced policing of anti-money laundering and terrorist identification to financial institutions (FIs), passing the financial burden from themselves to banks, and FIs in turn have been able to pass the expense on to shareholders and customers. Not to mention that it is far easier to extract significant fines from financial institutions for "inadequate" AML/Sanctions programs than obtaining similar amounts from asset forfeiture and successful prosecution of AML/Terror offenses.

    Simply evoking the word "terrorist" is enough to justify egregious privacy and human rights violations, with recourse taking years of litigation, if at all.

    There are enough examples in the modern world where "previously designated" terrorists are now the "legitimate democratic" government (e.g. ANC - South Africa), to give pause to blindly following a current regime's list of "baddies".

  25. chrismeggs

    Difficulty in obtaining....

    A bank account is, IMHO, nearly as difficult as getting a passport, but it is also a prerequisite. The breeder document for all this is the birth certificate and even that is less prone to fraud since the inclusion of the Elvis database to eliminate Day of the Jackal type occurrences.

    As far as trusting the banks, this falls into two spheres for me, one the process - do I trust their KYC? - and their processing security - do I trust their operations? I do trust the process and now that the majority of their processing is or can be outsourced, I am beginning to trust their security.

    Any trust model built on multiple sources, the federated model for instance, will be inherently more secure than a stand alone model, but difficult to establish and operate unless the banks and other financial institutions have a joint regulation construct, perhaps like the Payment Council for example.

  26. Anonymous Coward

    Know your customer?

    As a customer of a major UK bank for 40 years (and registered with them as a high net worth individual giving certain benefits and personal attention) and worked for them for 30 years I wanted to open a business account recently (with no need for a loan, credit card or overdraft facility). I had to go through all the palaver to prove I am me i.e. passport in person to a branch, a personal interview, copies of recent utility bills, specimen signature, business plan, projected cash flow, long and complicated application form. It took a month.

    I phoned round the other banks to ask how long to open a business account. Barclays said it would take 3 to 5 days so I said "let's do it", she then said OK, first you'll need a personal interview with our business advisor, the first appointment date is in a month's time... (i.e. only then will the 3-5 day account opening clock start). (I think it was Lloyds who tried to represent their 4-6 week processing delay into positive marketing "...because our new business account offering is proving so popular...")

  27. This post has been deleted by its author
