22.03.2011 by Tim Cole
Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress.
No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world of logical access control. ActivIdentity makes most of its money selling often highly customized authentication solutions to businesses, but they derive a large chunk of their income (about 20 percent) from what they call “commercial business”, which essentially means online banking.
Now, conventional thinking says that European and especially German banks are light-years ahead of the rather archaic US banking system in terms of offering customers online access to their accounts and portfolios, as well as in many other respects (nobody in Europe has used a check in at least a decade!).
ActivIdentity, Julian says, has customers in the financial industry on both sides of the Atlantic, so they know what the differences are. In a nutshell, he says, European banks are more concerned with security, while American banks worry about the customer experience. Anything that would make it hard for US consumers to understand what to do next is more or less automatically a non-starter, and if that means there is a bigger danger of the customer’s account being hacked, then so be it. If necessary the bank will simply reimburse the customer without too many questions asked and swallow the damage. Better, anyway, than watching him switch to another bank.
16.02.2011 by Tim Cole
When identity pros get together and let their hair down, they like to swap stories about all the dumb and/or ill-advised things people do with their passwords. BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied. Which calls to mind George Bernard Shaw’s famous question “What’s better: eternal salvation or a ham sandwich? Well, nothing’s better than eternal salvation, but a ham sandwich is better than nothing…”
In fact, most of the stuff you hear about the risks of identity theft and sloppy password management is anecdotal. Which is why I really enjoyed listening to Lora Deeds of Quest Software, who used the RSA Conference in San Francisco as the venue to introduce a survey her company did with Harris Interactive on the use of policies and technologies to manage and protect users’ electronic identities, including provisioning and especially deprovisioning of those IDs.
What they did was ask some 1,500 white collar workers and an additional 500 IT decision makers to tell them the truth about some dirty little secrets surrounding identity and security. They didn’t really find out anything new, but they did provide much-needed proof for some of the things we ID Pros have been assuming for years, namely that people and companies are extremely negligent in their everyday care and feeding of digital identities.
01.12.2010 by Tim Cole
Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing.
I love listening to my friend Andy Müller-Maguhn, for instance. He’s one of the founders of the Chaos Computer Club in Hamburg, who likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have for breaking into other people’s systems and all the horrible damage they can do there.
Andy is one of the good guys, of course, or so he says. And yeah, you can hire him as a security consultant, just in case. Which sort of reminds me of the young men in Naples who wash your windshield while you wait at a stoplight and rip your wiper blades off if you don’t tip them.
Which brings us in a very roundabout way to a security risk I somehow never thought of before, but now it worries me no end. The guy who stirred me up is David Ting, a charming IT professional who founded a small company a few years back called Imprivata that has been generating a lot of publicity recently for a product called “OneSign Secure Walk-Away”. In fact, just last week they won the UK IT Industry’s prestigious “Security Innovation of the Year” award for it. Seems like folks in Britain were as disturbed as I was to find that there had been a serious security risk lurking under their very noses they had somehow overlooked.
16.03.2010 by Tim Cole
One of the best-held secrets in the German credit card industry was inadvertently revealed last night at an informal press dinner hosted by Bayern Card Services, an acquirer jointly operated by Bayerische Landesbank and the Bavarian community-owned savings and loan banks (“Sparkassen”). Asked just how much money banks were losing from credit card fraud, Monika Kummer, head of risk management for BCS, blurted out a figure of between 0.2 and 0.3 percent of total card turnover. When pushed for further details, she clammed up, but the genie was already out of the bottle.
After that, the math was simple. BCS handles the card business for about 70 percent of the 438 Sparkassen in Germany and reported total revenues of 16 billion Euros last year, so its member banks lost roughly 36 million Euros through identity theft.