cro's place

MS Supporting OpenID

Posted in Identity Management, Digital Identity by cro. Thursday February 8, 2007.

You can tell how busy I’ve been with Pitch recently - the announcement that Microsoft will be including support for OpenID totally passed me by.

My comment: Yay!

I’ve always been partial to the idea of OpenID, especially as it’s similar to my own thoughts on transient identity. I’m also planning on implementing an OpenID server into Pitch.

Cloning ePassports

Posted in Identity Management, Digital Identity by cro. Monday December 18, 2006.

I think the comment from one Home Office spokesman, “It is hard to see why anyone would want to access the information on the chip.”, says more about the fundamental lack of understanding of the problems with RFID-enabled passports than anything else.

Whilst the spokesman rightly goes on to mention that the information stored on the RFID chip is exactly the same as that printed on the passport itself, he avoids, either deliberately or accidentally, the underlying problem: if the passport can be read electronically, there is less need for the actual data printed in the passport to be checked, especially when trying to meet targets for processing travellers.

So, as soon as passport controls are put in place where all that is required is a valid RFID passport, which is not checked, then cloning passports becomes incredibly valuable, as it allows you to travel across borders as someone else, without having to have a very good passport forgery - all you actually need is a cloned RFID chip.

In any place where this type of checking becomes the norm, what’s the likelihood of being stopped and asked to show a real passport?

Of course, if passport control stations retain human operators, who check that the photograph on the RFID chip matches the person standing in front of them, all someone needs to do is clone the RFID data and exchange the digital photo for a matching one, and you immediately have someone else’s details with your photo, and you can move through passport control quickly and easily.

Still, since it only takes 5 minutes to clone an ePassport now, I guess you could do it whilst standing in line at the airport and become whomever you like.

UK RFID passports cracked

Posted in Identity Management, Digital Identity by cro. Friday November 17, 2006.

I think the title says it all. I know I’ve not been posting much (well, at all) for a while, but this really deserves a mention.

A story in today’s Guardian reveals that a team of researchers cracked the protection on the UK’s new biometric RFID passports in 48 hours, using less than £200 of over-the-counter electronics equipment.

“If you can read the chip, then you can clone it,” [Lukas Grunwald, founder of DN-Systems Enterprise Solutions in Germany] says. “You could use this to clone a passport that would exploit the system to illegally enter another country.”

Here’s a link to BoingBoing’s coverage as well…

Dark & Light: A Failure to Subscribe

Posted in Games, Digital Identity, General by cro. Saturday June 3, 2006.

The following is a cross-post from the Dark and Light forums.

I’ve eagerly awaited Dark&Light, and with the launch comes a few major teething problems that I am yet to overcome.

Firstly, as a UK resident, I have to pay in either Euros or US Dollars. Of course, at today’s exchange rates, this works out as:

US$54.99 = UKP£29.23
€54.99 = UKP£37.34.

I think I’ll pay in US$ thanks. Almost £10 cheaper to pay in US$?

Second problem - trying to pay via Click&Buy redirects me to the local UK partner BT Click&Buy - or rather, to an error page, telling me there’s a problem with the URL. OK, we can get around this by going to the main page.

Third problem, and I know this isn’t DnL’s fault - BT Click&Buy can’t seem to recognise the credit card I use for every other MMORPG I play. Oddly, it’s the same one I’ve been using for two years now. Worked fine for Everquest 2, World of Warcraft, Anarchy Online, DDO and a few others as well (including some in Asia). It’s also the one linked to my Amazon account, and I never have any problems buying stuff from there.

I know this has been thrashed out before, but I really have to question why the decision was made to use the services of Click&Buy when Worldpay has a standard credit card payment interface that just… works. Sure, have alternate payment systems to allow people to pay (as in my case) through their phone bill, but if your chosen payment provider can’t even process a VISA from a major international bank (it made about US$8billion in profit last quarter), it indicates a wider problem for your potential customer base.

Following the game & forums over the past year (I was almost a Settler, but the DnL site failed with an error every time I tried to reply to the invite email), the decision to use Click&Buy has been one that rankled me. I’ve never been comfortable with using a third party intermediary when it comes to buying things - I like to deal direct (and I sideline as an Identity Architect, so the philosophy of Identity and who has copies of my details is one I am very conscious of).

I really do want to play Dark & Light, but the company has erected too many barriers to entry. The first, and largest barrier, is the decision to outsource payment services to a third party. I don’t know who Click&Buy are, I’ve never used them, and I have no reason to trust them.

I’ll keep an eye out and see how things go, but until subscriptions are offered directly I think I will have to skip becoming a paying subscriber. I think I might spend my US$55 on another MMORPG instead.

One of the things I find interesting is that as a potential customer, the decision to use a third party identity provider (effectively) has been the primary factor in my decision not to play. The question here in my mind is entirely one of trust: I simply don’t trust the payment provider the service provider requires me to use.

In the current climate I would much prefer to deal direct with the company whose services I am purchasing, as there is no Identity Infrastructure in place that I trust to act on my behalf - there are no Transient Identity providers, no centralised Identity Providers, and certainly no user-centric identity service that I could use. The company behind Dark and Light has chosen to require potential customers to jump through a series of hoops with a third party provider (in some reported cases including telephone verification of an account created with a credit card) before they can participate. Not entirely sure that’s a sound business practice…


Credit Bureau as Identity Provider? I Hope Not!

Posted in Identity Management, Digital Identity by cro. Tuesday May 16, 2006.

Mark’s raised the idea that credit bureaus could act as Identity Providers under the concept of User-centric Identity (I’m still catching up on the reading!). My only comment to this is:

I bloody well hope they don’t.

A very quick search using your favourite search engine throws up reams of examples where such credit bureaus hold incorrect information about consumers, often to the point of holding outright lies, and not providing a mechanism whereby consumers can correct - or in many cases even check - the information held about them.

Even a recent piece in the Consumerist illustrates problems with credit bureaus and the information they hold about people, and the lack of care taken in cleaning the data and informing associated agencies of the change.

The major problem with credit bureaus being providers of identity information is that there is no benefit to them in expending the time and effort in either checking that the information held about someone is correct, or in implementing procedures to allow consumers to check and correct such information. The first is time consuming and costly, and the second is time consuming, costly and will require the implementation of identity checks, which makes it even more time consuming and costly.


Robin on Digital Identity - Again

Posted in Identity Management, Digital Identity by cro. Wednesday March 29, 2006.

I recently posted about Robin Wilton being interviewed for the Story of Digital Identity, and a posted comment from Robin reminded me that I never revisited that post and made comment on the actual interview.

At least not on this blog, although I did pass my comments back to Aldo Castañeda via email.

All in all I thoroughly enjoyed the interview. It was also interesting hearing a little about Robin’s background with Sun and the area he’s working in, and as always it was very interesting listening to his thoughts on digital identity.

A lot of the discussion was on the subject of User Centricity in digital identity, a concept I agree with in many ways. One of the key points made as well was the general lack of awareness of potential responsibility in terms of ‘ownership’ of digital identity, and as usual Robin made his points and explained his thoughts clearly and concisely, bringing in various real-world examples of problems with digital identity and the idea of personal responsibility for a person’s own digital identity.

So, if you haven’t already downloaded the interview, then you should do so now.

Robin Interviewed for Story of Digital Identity

Posted in Identity Management, Digital Identity by cro. Wednesday March 22, 2006.

I’ve just seen that Robin Wilton has been interviewed for the Story of Digital Identity. I have a lot of respect for Robin and his thoughts on Identity, so I’m off to listen to this one.


SIM Strong Authentication

Posted in Mobile, Identity Management, Digital Identity by cro. Friday March 10, 2006.

SuperPat posted a link to a white paper [PDF] called Offering SIM Strong Authentication to Internet Services.

I’ve read through this paper now, as using mobile devices for authentication to web services (and identifying users through the use of mobile devices) is an area I am greatly interested in. I’ve already dabbled with web authentication systems that make use of the mobile as a confirmation path (by requiring users to send a text message with a one-time PIN when they register on a website, which doubles as MSISDN confirmation and setup of the billing channel for mobile content), and I’m quite impressed with the way T-Mobile deals with passing SSO-style authentication confirmation information to third parties through their API (this lets T-Mobile customer’s be pre-identified on the network, letting them make purchases on third party websites - like our own GTIP service - without ever exposing personally identifiable information to the service provider).
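The mobile-originated confirmation path described above (the user texts a one-time PIN from their handset, which both proves control of the MSISDN and binds it to the web account) can be sketched as a small server-side component. The code below is an added example written for this post, not code from the post's own systems or from T-Mobile's API; the class name, the PIN length, the five-minute lifetime and the phone numbers are all assumptions. The security-relevant details it shows are that the PIN is generated with a CSPRNG, is unique among pending registrations, expires, and can only be redeemed once, and that the MSISDN used for binding is the originating number supplied by the SMS gateway rather than anything the user typed into the web form.

```python
import secrets
import time

PIN_DIGITS = 6            # assumed PIN length
PIN_TTL_SECONDS = 300     # assumed lifetime of an unredeemed PIN


class MobileConfirmation:
    """Binds a web registration to a handset via an inbound (mobile-originated) SMS.

    Assumed flow, modelled on the post's description:
      1. issue_pin(): the website issues a one-time PIN for a pending account and
         tells the user to text it to the service's short code.
      2. receive_sms(): the SMS gateway hands over the originating MSISDN and the
         message body; the PIN is looked up, checked for expiry and redeemed once.
      3. msisdn_for(): later, the confirmed MSISDN doubles as the billing channel.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # pin -> (account_id, issued_at)
        self._confirmed = {}  # account_id -> msisdn

    def issue_pin(self, account_id):
        """Return a fresh, unique numeric PIN for this account."""
        while True:
            pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
            if pin not in self._pending:  # avoid two accounts sharing a live PIN
                break
        self._pending[pin] = (account_id, self._clock())
        return pin

    def _expire_stale(self):
        now = self._clock()
        for pin, (_, issued_at) in list(self._pending.items()):
            if now - issued_at > PIN_TTL_SECONDS:
                del self._pending[pin]

    def receive_sms(self, msisdn, text):
        """Called by the SMS gateway. Returns the bound account_id, or None.

        msisdn is the carrier-supplied originating number, which is what makes the
        confirmation meaningful; text is the message body the handset sent.
        """
        self._expire_stale()
        candidate = text.strip()
        entry = self._pending.pop(candidate, None)  # pop => single use
        if entry is None:
            return None
        account_id, _ = entry
        self._confirmed[account_id] = msisdn
        return account_id

    def msisdn_for(self, account_id):
        """The MSISDN confirmed for this account, or None if not yet confirmed."""
        return self._confirmed.get(account_id)


if __name__ == "__main__":
    # Constructed walk-through; +44 7700 900xxx is the UK reserved fictional range.
    mc = MobileConfirmation()
    pin = mc.issue_pin("alice")
    print("tell the user to text", pin)
    print("gateway delivers it:", mc.receive_sms("+447700900123", pin))
    print("billing MSISDN for alice:", mc.msisdn_for("alice"))
```

A fake clock is injected so the expiry path can be exercised deterministically; in production the same class would sit behind the gateway's inbound webhook and the PIN table would live in a store shared across web nodes.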

I like the idea, although I’m concerned that not enough attention has been paid to the issue of lost or stolen SIM cards, along with the prevalence of pre-pay cards, especially in the UK, where customers may not necessarily have an account with their mobile carrier, just a pre-pay SIM.

I’m also concerned about the reliance on an Internet Explorer-only ActiveX control as part of the authentication chain. If this reliance, which to me is a show-stopper, can be broken, then I think this style of credential will be very interesting.


Cross Platform Gaming - Gaining Ground

Posted in Games, Mobile, Identity Management, Digital Identity by cro. Friday March 10, 2006.

Froghop are a new company that’s popped up in my inbox because of an upcoming web chat. The basic premise behind Froghop’s offering is to allow players the opportunity to remain connected to their chosen persistent world game through the use of their mobile handset.

Which is pretty much what I’ve been banging on about for the past few years.


What Does ‘Registered Users’ Really Mean?

Posted in Games, Identity Management, Digital Identity, General by cro. Friday March 3, 2006.

I’ve been thinking about this on and off for quite a while now, but an announcement today that referenced Valve’s ‘Steam’ service got me thinking about it again.

Launched in late 2003, Steam now has more than 6 million registered users, Valve spokesman Doug Lombardi said in an e-mail.

If you look closely, you’ll find that I am a ‘registered Steam user’, even though I don’t use the service (and don’t have it installed). The primary reason I’m still listed is that I have been unable to unregister and have my details removed from their systems. It is (or was) part of their policy that people who register their details cannot have them removed from their systems ‘to prevent hacking and the re-enabling of banned accounts’.

The same is also true of a number of other companies who have refused to remove my details or effectively let me ‘unregister’ from their service, notably Gamespy (now owned by IGN) who actively refused to remove my details, claiming they weren’t a registration service (even though you had to register to use their software) and Electronic Arts (whose privacy office dismissed my concerns that an account I thought I had deleted turned up a couple of years later in an active and useable state.)

I wonder how much this is true: how many accounts people think they have deleted (or asked to be deleted) on various services are actually still active. I had a similar experience just last night with Codemasters and their imported MMO game RF Online. The game experience was rather uninspiring, so I decided to cancel my subscription; however, I was not given the option of deleting my account, although there is an option buried deep within the EULA that lets you contact customer support to change, remove or amend data.

Thinking further on this, it goes way back to managing your own digital identity online. Whilst it may be convenient for a company to encourage me to register just once to obtain services from them, for me it may be (and often is) far easier to maintain multiple accounts under multiple names so that I know which ones are active, which relate to which service and so forth, as well as letting me carefully control what information is released about me through online services.

The Gamespy one is an interesting one, as I tried to have my details removed a couple of years before the sale to IGN, and after the sale I have no idea if my details were passed on to IGN, meaning I may have an account with a company I have never done business with in the past, and no way of controlling, accessing or checking if such an account even exists.



Copyright 1998-2005 Tom Gordon
Powered by Wordpress
based on a theme by evil.bert