I recently moved house, to Leuven in Belgium actually. This is one of the reasons for a lack of postings in January. We needed a break, so after returning the U-Haul van we headed off to a beach down-under, where it’s summer and rather more pleasant than in the freezing low countries.
So back to the reality of opening removal boxes and notifying a zillion or so relying parties that, in the course of their business with us, need to know my new address. It was in the midst of this that it struck me how wildly differently my various suppliers deal with security issues relating to the change of personal details, i.e. customer contact details on their various CRM systems.
Some required a simple telephone call; others used a convenient web form. While the convenience is nice while it lasts, you wonder how easy it would be for a complete stranger to pretend they are someone moving house and have important business communications diverted to an unverified address, as a first step in identity theft.
Let’s put it this way. Some organisations require you to bring a couple of utility bills, to prove you are resident at a certain address. But if those utilities redirected those bills you pay by direct debit to a new address on the say-so of a fraudster, how long before you would notice? Might that fraudster meanwhile establish a fake identity edifice, from which he could open new accounts in your name, saddle you with the bills and destroy your credit rating? Setting up an identity theft con requires patience and attention to small details, which sometimes can be found in garbage cans as we know.
An example of an organisation that at least seems to have done some sort of risk assessment around the ‘Change of Address’ process is the Department of Vehicle Licensing (DVLA) in the UK. They have a web form where you log on with your Government Gateway User ID and password. Then they ask you to provide some things ‘you know’ like your home phone number and they inform you they will make on-line checks that this phone number indeed belongs to you. A slight feeling of panic gripped me, as I had already cancelled my old landline contract and hadn’t yet signed up with a new service provider. Was I being set up for failure? It seemed to me that while I approved of the extra rigour applied before changing the address on an important Identity Document, there were still plenty of weak spots in the DVLA procedure that could result in my new driver’s licence being sent to a place I didn’t like!
The companies that employed a call centre asked silly security questions that would not be hard to find out about me on social networking sites, like what is my mother’s maiden name and what is my birth date? When I forgot a few of the answers to my own security questions, the operator helpfully reminded me I could have one further guess, but if I called again and spoke to a different operator I could start guessing all over what my secret answer should have been.
To come to the crux of this blog post: Wouldn’t it be nice if I could strongly authenticate myself to a Public Identity Provider just once to organise my change of address in a secure and timely fashion? I imagine a flurry of signed XML messages alerting a plethora of relying parties. All my old utilities would know where to send my final bill. I could authorise new utilities that service my new residence to be alerted and send me mouth-watering new contracts that I could sign up to with just a click on my updated Information Card. What a brave new world this would be!
This is why, like the old Senator Cato, I now routinely end my emails with the mantra:
– The world needs an Identity Meta System –
Let’s start building it!