UK fingers ID proposals


CTT Feb 2004.qxd

10/02/2004

15:28

Page 9

(Black plate)

feature

During 2003, the UK government appeared to blow hot and cold about the feasibility of introducing an entitlement – or identity – card. However, by the end of the year, the possibility of a roll-out of ID cards in the UK strengthened following the announcement in the Queen’s Speech (the centrepiece of the UK’s opening of parliament, and the process that sets out the legislative agenda for the year) of measures to create a national identity card system. This could pave the way for the publication of a draft bill during 2004.

For some, the announcement of measures to create a national identity card system marks a major breakthrough, which could put smart card technology into the pockets of millions of UK citizens. However, debate continues as to how well a smart identity card containing a biometric will actually address the problems of terrorism, illegal immigration and working, benefit fraud, abuse of public services and identity theft, as outlined by the UK’s Home Secretary, David Blunkett.

Such questions were considered during a consultation period, which concluded in 2003. The government published a paper summarising the findings from the consultation exercise on Entitlement Cards and Identity Fraud on 11 November 2003, and has since begun the process of building the base for a national compulsory identity card scheme.

A Home Office spokesperson told CTT: “Opinion surveys have regularly shown a large majority – around 80% – in favour of identity cards. 62% of those who commented in response to the consultation paper were in favour. There was a preference that the term ‘identity card’ rather than the phrase ‘entitlement card’ was used in the consultation.”

Who’s it for?

It is expected that if the proposals become law, all people aged 16 or over, who are resident in the UK, will be eligible for identity cards. The card scheme will include basic personal information, a digital photo and a biometric. For most UK citizens, existing passports and driving licences will be brought into the scheme as the first stage of converting to biometric documents. In addition to these measures, all EU and foreign nationals entering the country for more than three months will have to pay for a biometric residence permit.

Logistics

On current plans, the government intends to address the logistics of a wide-scale roll-out by phasing in the introduction of plain identity cards during 2007/08. This, together with the incremental roll-out of other biometric documents, such as passports, driving licences and residence cards for foreign nationals, is expected to cover 80% of the adult population by 2013. Following a decision by the Cabinet and a vote in Parliament, the smart ID card would then become compulsory. “There will be a set-up phase of around three years and cards will then be issued through an incremental programme, as has been done with the changeover to photocard driving licences,” comments a Home Office spokesperson. “There will be no ‘big bang’ with all cards being issued at once. We are working on the basis that most people will get a card when their passport or driving licence is due for renewal, but that they could apply at any time.”

Card Technology Today February 2004

Pilot

The UK Passport Service has now begun a six-month biometric pilot to test face, iris and fingerprint capture and recognition. SchlumbergerSema is undertaking technical delivery under contract, and Mori is managing the recruitment of volunteers. During the pilot, 10,000 volunteers will have their fingerprint or iris biometrics put on cards. The trial will time how long it takes to enrol fingerprints and iris patterns, and will also examine the problems of building a database. Fingerprint and iris biometrics will be tested for one-to-many identification, and facial recognition will be tested for one-to-one verification. Customer perceptions and reactions will be assessed, issues and risks will be identified, and an outline implementation plan will be produced. The tests are taking place at four fixed sites, including a passport office (believed to be London’s), as well as using mobile units. The volunteers will be representative of the UK population, and will include disabled people and those who may have difficulties enrolling.

According to the Home Office, “A national ID card scheme would take advantage of the infrastructure being put in place to support these developments, significantly reducing the costs of the card.”

Criticisms

Some critics of the ID scheme have argued that although the use of a biometric provides strong identification of an individual, there is nothing stopping a person presenting forged or stolen documents and registering their biometric to somebody else’s identity.

However, as Geoff Llewellyn, director of strategy and government relations, SchlumbergerSema, explains: “The kind of process envisaged would make this type of fraud very difficult to perpetrate in the first place and very difficult to sustain over a period of time. Critically, the biometrics would effectively prevent a person from holding two identities and would thus remove most of the benefit that a fraudster would acquire from a fraudulent registration.”

This view is backed up by the Home Office, whose spokesperson told CTT: “A number of steps have already been taken to tackle ID fraud…The UK Passport Service is piloting a system to undertake more background checks on passport applications. The Driver and Vehicle Licensing Agency (DVLA) is working with the Passport Service and other government departments to raise the quality of its identity checks using good practice already identified elsewhere. One example of this is that the DVLA now checks more thoroughly applications that use a new copy of an old birth certificate, in the way that the Passport Service does. In addition we are also proposing to change the law to align the penalty associated with fraudulently obtaining a driving licence with that for fraudulently obtaining a passport and making these offences arrestable…By making the offences arrestable we will ensure that the police are able to take immediate action against those suspected of these offences. Terrorists and organised criminals are unlikely to respond to a summons and if we are to target these groups we need to give the police the power to do so.”

The Home Office is also proposing a new offence of possessing or controlling false identity documents without reasonable cause.
“This would provide the police with the means to disrupt the activities of organised criminals and terrorists at an earlier stage of their activities, and to target those acting in support of more serious criminals and terrorists. At present, the authorities must wait until they have sufficient evidence to prove conspiracy or the main criminal offence. If they wait, they run the risk that the criminals might succeed or escape arrest, or the prosecution may fail because of the complexity of the case...The government envisages identity cards will provide every person in this country with an easy and secure way of demonstrating their right to be here and of asserting their place in the community. With the proper safeguards on our privacy, not only will the benefits be realised individually but by society as a whole.”

Contact: The Home Office, Web: www.homeoffice.gov.uk Geoff Llewellyn at SchlumbergerSema, Tel: +44 7733 315631, email: [email protected]

Taking electronic transactions to the next level

Without a doubt, 2004 is going to be a landmark year in the history of the smart card. While it will take years to realise the full potential of the technology, several important steps forward will be taken over the coming months. Of these, the use of the smart card for electronic financial transactions will be among the most significant.

Barclaycard has already announced that it is launching a six-month pilot scheme to test the use of smart cards for e-transactions. Other banks and card issuers are sure to be watching the results of this trial very closely, as it is crucial for demonstrating that the smart card can genuinely become the de facto tool for authenticating all financial transactions.

The expectations are that in addition to the use of smart cards for payments in the physical world, the widespread deployment of unconnected smart card readers will open up the potential for smart cards to become personal security modules. As such, they could be used to authenticate all channels of transaction, be it physical, online, telephone or commerce through interactive TV.

The security benefits are clear to see. The inclusion of a smart card in every financial transaction will add a crucial second layer of authentication. This two-factor authentication process of something you have, as well as something you know, should reduce fraud. Given that the EMV smart card roll-out is predicted to dramatically increase Card Not Present (CNP) fraud, the parallel introduction of unconnected readers for smart card transactions is very timely.

Unconnected readers

In terms of the technology behind unconnected smart card readers, the important innovation is the recent introduction of a common standard. During 2003, APACS, in association with MasterCard, released specification standards for unconnected smart card readers. This has allowed leading smart card reader manufacturers to offer products for mass consumption at a commercially viable cost.

At the moment, the maximum level of security available to consumers is user and password authentication, which is already seen as being inadequate for securing financial transactions. It is anticipated that over the next two or three years some, if not all, card issuers will wish to offer stronger levels of authentication based around EMV smart cards. To do this they will need to provide unconnected smart card readers to customers wishing to make e-transactions.

With £1.17 billion (US$2.1 billion) worth of online shopping expected to have been done during Christmas 2003, in a market that has grown by over 40% over the year, banks have added incentives to provide increased security for such transactions. This is especially timely as on-line credit card fraud has now topped £100 million (US$180 million) a year, an increase of 33% over a two-year period. EMV migration is expected to push this value even higher as much of the annual £454 million (US$817 million) worth of credit card fraud will shift to CNP transactions.

As the 10,000 Barclaycard trial participants will be finding out from February onwards, using the unconnected readers is a very straightforward process. The reader is a dumb device that does little more than display a one-time passcode, which is generated by the user’s standard EMV smart card. The user then manually types this passcode into the computer at the appropriate prompt. This one-time passcode can only be authenticated by the issuing bank. To avoid replay attacks, the one-time passcode can also be linked to the individual transaction by a more secure, yet still simple, challenge–response process. In that case, should the passcode be intercepted, it is of no use whatsoever beyond that single transaction.

Assuming there is no resistance from consumers, this unconnected reader system will have an extremely positive effect on fraud and, in turn, help boost consumer confidence in shopping on-line. From a business perspective, it will mean that CNP fraud can virtually be eliminated for the banks that implement this system, as the liability shifts from the retailer and acquirer, to the card issuer. This alone will almost certainly prove to be a large incentive for card issuers to roll out the unconnected readers. This is coupled with the fact that card issuers who do not participate in the scheme will undoubtedly see the CNP fraud migrate to them as a result of tighter security being provided elsewhere. Furthermore, card issuers who do not upgrade their systems will still be liable for CNP fraud if it can be proved that the fraud could have been prevented by the use of unconnected readers.
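The passcode flow described above, as an added example that is not part of the original article: it compares a passcode with no transaction link against one computed over a per-transaction challenge. HMAC-SHA256 stands in for the card's cryptogram (an assumption, not the EMV or APACS algorithm), and `Card`, `Issuer`, `passcode` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # passcode length shown on the reader (assumed)

def passcode(key: bytes, counter: int, challenge: bytes = b"") -> str:
    """Card side (HMAC stand-in, not the EMV algorithm): MAC over counter + challenge."""
    mac = hmac.new(key, counter.to_bytes(4, "big") + challenge, hashlib.sha256)
    return str(int.from_bytes(mac.digest()[:8], "big") % 10**DIGITS).zfill(DIGITS)

class Card:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def respond(self, challenge: bytes = b"") -> str:
        self.counter += 1  # every passcode uses a fresh counter value
        return passcode(self.key, self.counter, challenge)

class Issuer:
    def __init__(self, key: bytes, window: int = 3):
        self.key, self.window = key, window
        self.last_counter = 0
        self.pending = {}  # transaction id -> challenge issued for it

    def start(self, txn_id: str, bound: bool = True) -> bytes:
        # bound=True issues a random per-transaction challenge; False issues none.
        self.pending[txn_id] = secrets.token_bytes(4) if bound else b""
        return self.pending[txn_id]

    def verify(self, txn_id: str, code: str) -> bool:
        challenge = self.pending.pop(txn_id, None)  # one attempt per transaction
        if challenge is None:
            return False
        # Accept only counters ahead of the last one seen, so old codes fail.
        for ctr in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(passcode(self.key, ctr, challenge), code):
                self.last_counter = ctr
                return True
        return False

def demo(bound: bool) -> tuple:
    key = bytes(range(16))  # constructed demo key shared by card and issuer
    card, issuer = Card(key), Issuer(key)
    code = card.respond(issuer.start("txn-A", bound))  # user reads code off reader
    issuer.start("txn-B", bound)  # a different transaction is opened
    misuse = issuer.verify("txn-B", code)  # intercepted code tried on txn-B
    genuine = issuer.verify("txn-A", code)  # cardholder then submits for txn-A
    replay = issuer.verify("txn-A", code)  # same code submitted again
    return misuse, genuine, replay
```

`demo(False)` models the passcode with no challenge and `demo(True)` the challenge-response variant; each returns whether the intercepted code was accepted for the other transaction, whether the cardholder's own submission succeeded, and whether a repeat submission succeeded.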

Authentication challenges

One of the most representative examples of the need for increased security for user authentication for CNP transactions is the new initiative by card associations to tackle the problem of payment fraud over the internet. For handling internet-based payments, the technology backbone behind the system is the 3-D Secure protocol developed by Visa and adopted by MasterCard, which is known as Verified by Visa and MasterCard SecureCode, respectively. The 3-D Secure scheme has been specifically designed to handle internet transactions. As such, it will make the internet a more secure place to trade, reduce chargebacks, and increase card usage. Within the new 3-D Secure scheme, Visa and MasterCard provide all the necessary infrastructure for card issuers to implement secure authentication of their cardholders for all internet payment transactions. Today, nearly all
