Thursday, November 30, 2006

Oracle announces identity governance framework

Oracle announced a project around managing the proliferation of identity information across the enterprise. They called it...wait for it...the Identity Governance Framework (IGF). Hmmm, no points for creativity here. At least it's clear.

Apparently the goal is to hand this over to a standards body like OASIS or Eclipse eventually. It also as the support of the following vendors:
  • Ping Identity
  • Sun Microsystems
  • Securent
  • CA
  • Novell
There's 2 notable absentees. IBM and Microsoft. Maybe they're taking a "wait and see" approach. After all, this might go nowhere. Stranger things have happened before.

Update 8 Feb 2007: Oracle released this to the Liberty Alliance royalty free.

Wednesday, November 29, 2006

Commoditisation of Federated Identity software

Federated Identity software products will be commoditised. OK, so I'm not saying anything anyone couldn't have figured out for themselves. But this will happen much sooner than many of us expect.

Most software eventually goes the way of commoditisation unless the vendor innovates to the point where it morphs into something different. I won't even mention hardware as this market is largely commoditised and vendors are having to differentiate themselves using "bells and whistles" like performance improvements and aesthetic qualities (e.g. an Apple Mac laptop).

Back to software...

Take the following obvious examples of recent times:
  • HTTP web servers
  • J2EE application servers
  • Relational databases
  • LDAP servers
We can probably all agree that these are all are pieces of critical software infrastructure that form the basis of many of our IT environments. Microsoft is a different proposition. It is its own market and should be treated as such. Why? Because they are not known for interoperability. If you buy Microsoft, you will typically have non-commoditised products because they operate the "Microsoft way". ie. they are not like the other products on the market simply because they refuse to be. I don't mean this in a good way of course. It is simply a fact and makes life harder for the IT community at large because of it (unless an organisation goes 100% Microsoft - which is essentially Microsoft's preference).

So why did all these examples become commoditised? Not only did they become commoditised, then did it very quickly. There's 2 common threads between all of them:
  1. They are all essential building blocks for most IT environments.
  2. They all conform to standards.
Point number 2 is the key. The reason for the fast and widespread success of these technologies is the exact same reason why they became commodities so quickly. Open, standardised interoperability begets almost forced implementation of the relevant accompanying technology to "keep up with the Joneses". If you wanted to be able to "e-business-enable" your organisation, you better have an easy way lower ongoing development costs and reduce the risks involved with implementing ever-evolving technologies. Standardisation does that. Every software vendor of note wanted in. They saw these technologies as key pieces of software that would allow them to seed more software on top of them. The Operating system wars of years past were now being fought on a "higher plane" further up the application stack. These technologies put together have become the "operating system" of everyone's "e-business". As far as vendors were concerned, it would cost more in the longer term to NOT be in the game.

So it didn't matter that vendors did not make money from these technologies, as long as it meant they had a seat at the table for future software evaluation activities. In fact, most vendors give their LDAP and web servers away for free, with application servers just trailing behind in the "free stakes". Relational databases aren't explicitly free, but they are usually given away as part of another software offering. Or if someone is willing to go for the SMB option, they could download the open source relational database.

In the Identity and Access Management arena, the LDAP plays a big part. Like I said, this is usually free. Moving up the stack, we get to the meta-directories, synchronisation, provisioning and access control tools. It's been said for quite awhile that the access control solutions around have become commodities. To an extent, that is true. But that's simply what it looks like from the outside. The real reason in my opinion is that IBM Tivoli and CA Netegrity own most of the access control/application reverse proxy market. So if you talk access management, you're probably "standardised" the Tivoli way, or the Netegrity way. I know I'm ignoring RSA Cleartrust, but they have a MUCH smaller market so I'm treating them as a non-factor. In other words, this "commoditisation of access control" is only a perception. I dare say that's not really the case. Can you say "I want an access management solution so I'll do a design and just buy the cheapest product out there and my design will work"? Hell no! You could however, say this if you're talking about an LDAP design or a J2EE design (yes I know there are small differences between each vendor's implementation, but these end up being configuration, deployment/infrastructure and tuning tweaks rather than real business design issues). In other words, access management solutions are not really commoditised. They just seem to be because of the total market domination of IBM and CA in this space. I dare say, it'll be awhile before they truly become commoditised (disclaimer: "awhile" in the IT world is not really that long - I'm just saying this bearing in mind that we're talking within the IT context). XACML will need to be widely adopted and implemented in all access management products before we can say this area is anywhere near being truly commoditised. As for the meta-directories, synchronisation and provisioning tools, it may be awhile longer before we see commoditisation of these things. The next one after access management will probably be provisioning. Why? SPML goes some way towards some sort of standard. Even so, all that does is to give us a standard way to talk to the provisioning endpoints. It does not standardise the provisioning policies, processes, transactions, workflows, roles, delegation, reporting, audit and compliance requirements (and so on) and how they are implemented. ie. all the important business things. So, we have a ways to go here.

Back to my point. The next piece of technology in the Identity space to be commoditised (even before the access management products) will be the Federated products. The reason? Standardisation of the protocols. Yes I know we have a few around today:
  • WS-*
  • Liberty
  • SAML
  • Shibboleth
So there's 4 at the moment. This will very quickly become 2. Microsoft, and the rest of us. So what else is new. Shibboleth is the BIG thing in education circles, but it's essentially SAML 2.0 with some extra bits. Liberty is also a subset of SAML 2.0. So, what are we going to be left with? SAML and WS-*. Non-Microsoft vs Microsoft. Much like J2EE vs .NET. What this means is that we'll be left with everyone being able to "speak" SAML and some being bilingual and able to translate between SAML and WS-* and Microsoft only being able to converse in WS-*. So with everyone being able to interoperate (sort of), organisations will be left with 2 decisions to make. Which protocol to use (maybe both) and which vendor's product to buy or download for free. e.g. if I want to use SAML 2.0, I just need to pick a vendor that supports it. In other words, any vendor not named Microsoft. This means my decision will centre around the price, support agreements, company stability (whether I like them and if I think they'll still be around tomorrow) and business relationships I have with the vendor. Nothing technical in my decision making process. Of course, all the vendors will argue scalability, reliability, product maturity, ease of deployment, references, happy customers, blah blah blah - which is exactly what hardware manufacturers do. Sounds like a commodity to me!

All the identity vendors are in the federation game of course (there's also a few niche players out there like Ping Identity.). They can't afford not to be - except this time, they are positioning Services Oriented Architecture (SOA) as the endgame and saying that Federation is the key to security in the SOA world (it is of course key...if we're talking about identity exchange, propogation and trust - but there's more to security than just identity). So starting at the SOA and web services layer to get the "foothold", they are instead working down the stack. With this, vendors can now work at potential customers from both ends of the application stack. For example, if someone buys the application server, the vendor sells software up the stack leveraging the application server. If someone buys the SOA and federated stuff, vendors simple sell down the stack and push the "tight coupling" and "close integration" aspects of the non-commoditised software products.

I dare say, in a year or 2 the federated identity landscape may look like this:
  • JBoss application server will support SAML federation natively (JBoss is already working on JBoss Federation SSO using a SAML token. It's all Open Source of course...in the JBoss way).
  • BEA WebLogic will follow suit (BEA doesn't have identity products).
  • Microsoft will WS-* the hell out of anything and everything and include lots of "CardSpace working with WS-*" examples to "quick start your customer applications".
  • Apache Geronimo will have some sort of SAML federation extension.
  • Oracle Application Server will ship with Oracle Identity Federation "light".
  • WebSphere Application Server will have IBM Tivoli Federated Identity Manager "express" natively installed.
So which application server do you want? Hopefully it'll dawn on us at the time when we're all feeling a sense of deja-vu why it is so.

Wednesday, November 15, 2006

Yet more bank stupidity

I wasn't happy with the bank's answer that I could not transfer EVERYTHING from my old credit card to my new one (refer to my post on this issue) so I rang again for a 2nd opinion on the off chance that I'd be able to get someone to actually do it for me (either due to lack of training, or more training depending on how experienced the person I talked to the other day was).

As usual, I had to authenticate myself verbally and proceed to explain to the person on the other end of the phone my situation. I should just record my explanation and replay it back to them each time. I've called them enough times to warrant such an action. Much to my surprise, the customer service representative I spoke to told me I could actually do it! I asked "does this mean my credit limit, balance and reward points get combined too?" He responded with a "yes". I then asked if it would cost me anything. He assured me it wouldn't. So he proceeded to do whatever it was that needed to be done in their crappy system and asked if I would mind being put on hold. I agreed. Next thing I knew, I was cut off. Now I don't know if it was because the telephone company coincidentally decided to cut me off at that particular point in time or if it was because he simply hit the wrong button. I'm inclined to think it was the latter. I waited for a few minutes to see if he would call me back (they have my number). Nothing! I wasn't surprised.

I'm quite used to bad service from this bank now, so I just called them again and had to authenticate myself once again (although this time, I knew the drill too well and gave them all the answers before they asked the questions - so they decided I sounded dodgy and asked me more questions) and explain the situation...again. This time however, I was told that I could NOT transfer EVERYTHING. I simply had to use all my points and then cancel the old card. This was what they told me before. I wish they could just get their story straight!

At this point, I'd had enough of the bank's crap and insisted that I was told by them it could be done. I decided I would settle for simply having my points transferred to my new account. Anything else just seemed to difficult for them. I eventually managed to get them to transfer me to their rewards department...whom I also had to explain my story to again! Once that was done, they somehow could not see that I had another card with them (although the customer service representative I spoke with before could). Beats me how they survive with such a bad CRM system. After some insistence on my part about how I was told it could be done and that I did not see why they could not just do it given that I owned both cards AND the rewards points. They put me on hold then came back and said that they would do it. I was put on hold again for a few minutes and they eventually came back to tell me it was done. I thanked them and was about to hang up only to have the "rewards department" now try to sell me more insurance and credit protection services (which they had tried to sell me every other time I'd called up in the past week). I'd had enough and just said I knew about it and had said no each time they offered me these same products. They then had the nerve to tell me that I was probably thinking of another product and then proceeded to tell me the name of the one they meant. I said I'd also said no to this one multiple times! They knew I wasn't a happy camper and eventually let me go. Oh the pain!

To further add to my pain, this bank had recently upgraded their online systems to have customers log in using a username rather than their account numbers. I use the term "upgrade" very loosely. First of all, they didn't tell me they had done it. I tried to log in only to find that it all looked different and I now had to register for the right to use their new "improved" system. So, I registered only to find that it only let me link my online username to one card. I thought that this surely could not be the case! A modern global bank like this one surely could not be so archaic - especially in light of the fact that the system was just "upgraded". I called them again (I should start charging them for my phone bill) to ask what the deal was. I was then advised that each username could only be linked to a single credit card. To have online facilities for my new credit card, I had to register again! In other words, I needed a separate login/username for my other credit card. We have enough trouble trying to remember all our logins to multiple websites and systems and here I have a single bank trying to get me to remember multiple usernames and passwords for the same system! I don't know how they can call this system an upgraded one without laughing!

Maybe I should go to talk to the IT department (I don't know if they deserve to be called that) and make myself (and the company I work for) some extra $$$ by fixing their sorry excuse for an IT infrastructure!

But for now...I have to go figure out a new username and password to use for my other credit card!!!!!

Monday, November 13, 2006

More on the bank credit card saga

Well, the credit card I made a previous post about finally arrived. They obviously approved it after my less than happy conversation with them where I told them to cross reference my existing credit card for the information they wanted.

I suppose I should give a little bit of background to set the context. The new card is EXACTLY the same as the old card. ie. same bank, same type etc. They are IDENTICAL except for the credit card number. The obvious question to ask here is why did I bother getting an identical card. Well, as with any typical credit card, the old one has an annual fee. About a month ago, I found out I was eligible to have this type of card with no annual fee as part of a "limited marketing promotion". Essentially, it's free (I know nothing's really free and we could get into a philosophical discussion about costs associated with giving up data for marketing and sales purposes and the potential long term effects, but in the simplistic sense of looking at it in terms of subscription costs, it's free).

I called the bank to ask if I could simply have the special rate code applied to my card instead of the one that says I have to pay an annual fee. I was advised that I had to apply for a new one. From a customer service perspective, this is a REALLY stupid and annoying thing to make your customers do and creates unnecessary paperwork at the back end (which means the customers just get charged more to fund this extremely inefficient process). Now, I'm no expert on bank regulations and there may indeed be laws prohibiting them from simply giving me the special rate code on an existing card, but I have a feeling it has more to do with an artificial process set up to ensure that someone in marketing or sales within the bank could have the marketing code linked to all "new" credit cards issues within the promotional period. So with this in mind, I accepted the fact that it just had to be done. The customer service representative however, decided that they would make me "feel better" by telling me that it wasn't a big deal to have to apply for the new IDENTICAL card because once it was approved they would automatically transfer EVERYTHING from my old card to the new one and automatically cancel the old one (once I had activated the new one) and notifying me. Now I took EVERYTHING to mean the balance, the credit limit and my reward points. So, I hung up at least satisfied in the fact there was some sanity in this inefficient and unnecessary process - although I was skeptical that this would be automated. I half expected that I would have to call to get it actioned.

I eventually called to activate my card and as with most bank IVR systems it didn't want to let me activate it the prescribed way. You know, the recorded voice tells you to enter the card number followed by "#" then it asks for your date of birth and then it should activate your card automatically without having to talk to a customer service representative. Well, true to form this didn't work and I was sent to a customer service representative. Problem with this was that I called to activate a card and while waiting what seemed an age, they managed to read a few pre-prepared statements trying to sell me insurance I don't need and offered the fact that I could get a cash advance on my credit card while paying their low interest rates. They're also taught to not ask if you want something. They're taught to say "would you like option 1 or option 2". I of course said that I would like neither and would just like my card activated. Then came the "are your sure sir" to which I replied "yes I'm sure I don't need that".

After a few more sales pitches, they finally came through and told me my card was now active and that I should remember to sign it. You know, the usual. I thought right then and there would be a good opportunity for me to ask about transferring EVERYTHING from my old card to my new card. I explained the situation (twice) and was met with the response "I'm sorry sir, but you cannot do that." I was incredulous! I started to explain the situation (again) but this time I mentioned that when I called the first time, I was told by one of their colleagues that this was indeed possible and was the norm and they fully expected that customers would ask for this and that they would do it willingly...actually, they said they would do it AUTOMATICALLY! Despite my insistence, they stood firm and said I simply had to pay off the balance on my old card and use my points up before cancelling it. So not only did they not do the transfer automatically (like I suspected they would not be able to do), they fed me incorrect information in the first place! I wonder if they did it on purpose just to get me to sign up for the new card.

I'm not unhappy at the fact that I had to get the new card. I would have done it anyway because of the "free" aspect. What I didn't like about the way they did it was that I was not told the real story up front. Now it may have truly been a lack of education on the part of the customer service representative I spoke to initially, but that's still a problem! If you don't know the answer, don't give one. Say you have to find out and get back to me with the right answer! It's all about customer perception and right now, this customer has a rather dim view of this bank! (Aside: Reminds me certain shady deals in Asia specifically targeting tourists where they do not fully disclose where they will take you. e.g. You sign up for a tour which promises 2 specific tourist attractions but what they "forget" to tell you is that there's about 5 other "tourist attractions" disguised as shops which pay the tour operators commission for bringing tour groups to the store.)

Now I'm stuck with 2 IDENTICAL credit cards, one of which I have to pay for until I figure out how to use all my reward points up on things I probably don't really need right now. It's either that or I simply lose all the points.

I've managed to come up with the following observations as a result of this rather painful experience:
  • If this bank cannot have their internal systems linked in such a fashion where they can provide an efficient and single view of a customer (which one can argue are the most important pieces of information/data held in ALL of the bank's systems), what hope do they have of providing me with acceptable security on my identity data and my banking experience let alone anything with privacy implications? They don't even "identity manage" my data from a customer management perspective (classic CRM stuff) - so based on my experience with companies in my day job (companies fix business related things before they fix IT related things), there's no chance in hell that they'll have any acceptable security measures in place from an identity and security standpoint! Or in IT speak, they don't manage my identity in their business critical applications, so it's unlikely they'll bother with proper identity management at the IT infrastructure level. BIG problem. Somebody at this bank better fix this...and SOON!
  • I've pointed out that their processes leave a lot to be desired from a security standpoint. My previous post on this issue showed how they are subject to phone phishing. They should really get someone in to fix their enterprise security. Right from the policies and procedures to their infrastructure and application security.
  • Training of call centre employees is of the utmost importance. To us customers, they are the voice/face of the bank. An experience like the one I've just had sullies the whole bank's image, even if it's the fault of a single employee (who may not have been at fault - you could argue it is the bank's fault for not training this person properly).
  • This bank uses an offshore call centre. I don't want to get into a "to offshore or not to offshore, that is the question" debate. It obviously made financial operational sense to do it in the case of this bank otherwise they would not have done it. But is it really worth saving that kind of money if you annoy the crap out of all your customers? I'm sure I'm not the only one who's been jerked around by the bank and their call centre (or indeed any bank with an offshore call centre). All I want to say is, if you offshore, it is even MORE critical that you ENSURE the employees are properly trained and are provided with the correct information and relevant internal support infrastructure to allow them to get the right messages out to customers. Don't give an answer if you don't know it! Because if you do and you're wrong, then the customer just feels like the bank lied to them! Not good!
  • I will NEVER use this bank for anything other than my "free" credit card from now on.
  • Where's the bank's customer feedback form?!

More pet peeves

In a similar vein to my previous post regarding the use of "your" and "you're"...here's another common mistake made by people. Knowing the difference between "their", "there" and "they're".

Again, it's not difficult to get right!
  • Their - Implies ownership or possession. e.g. "This is their book".
  • There - Location or at a particular place. e.g. "He is over there at the moment."
  • They're - Short for "They are". Need this be any clearer?
Fools who get this confused will have a fun time trying to write something like "They're there at their home".

Wednesday, November 01, 2006

Now for the compelling event

I applied for a new credit card the other day with a bank that shall remain unnamed. I won't go into why I did so given the numerous other credit cards I already have because that's not the point. As with any new application, the process involves verification checks on the details I provided as per the mandatory fields in the application form. Why some of the details are mandatory is beyond me...probably for marketing and sales purposes, but I digress.

Interestingly enough, I'd only just read the Burton Group's post about the Law of Relational Symmetry. Essentially, it notes that natural interpersonal relationships between people don't rely on IDs (as is the case with IT systems) but rather the relative symmetry of the connection between endpoints (or identities). The more symmetrically balanced a relationship is, the less chance there is of exploitation of one party by the other because each participant shares rights equally. In other words, if a friend begins to really annoy me or take advantage of me, it is no longer a symmetric relationship and I'm more than likely to terminate the relationship with that person. This is all within my control. IT systems however, are inherently asymmetrical. More often than not, IT relationships involve a corporation (e.g. a bank) on one end, and a user on the other.

How many times do we give up information about ourselves for the right to have an "identity" created at an institution without requiring that we get any information back? I'd dare say 99% of the time. Take a bank for example. We fill in mandatory details to apply for a bank account. We're not even guaranteed an account. We give up the information hoping we get one. We have to, otherwise we don't get the service we want be it a bank account or a credit card. We're so accustomed to this fact that we simply accept it as a fact of life and move on (in my humble opinion, this is also part of the reason why Phishing attacks work on certain people). The bank's attitude is "I don't care if you don't like it. This is how it is". And we just sit there and take it. This is partly the reason why there's so much focus on user Identity and privacy nowadays. We need to get away from being forced to engage in these asymmetric relationships where we have to give up all sorts of private information that in most cases are simply not required.

Bob Blakley's (ex-IBM and now of the Burton Group) blog is one which I read from time to time. His comments on the need for a Meta-Identity System (read the post here) are spot on. We do NOT need to give up specifics relating to pieces of information about ourselves. We should only have to give up meta-data (e.g. yes/no answers to specific questions). For example, does the bank really need to know someone makes $50,000 a year or do they really only need to know that they make "more than $35,000" a year? After all, that's the criteria for being allowed to have a certain type of credit card. That and the fact the person is "Over 18". Must they know someone is 30 years old? Not really. I'd be more comfortable knowing that all the bank knows about me is that I make more than $35,000 a year and that I'm over 18. They don't need to know I'm X years old and that I make Y dollars a year! I don't care that if they know how much I make and how old I am, it helps their bottom line by using targeted marketing campaigns on me. It does not benefit me one iota!

So that was the first issue. Now, the real compelling event that pushed me onto the "Blogosphere" occurred when the bank called me as part of their verification process.

Here's how it went:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application. For verification purposes, can I just confirm a few details with you?
Me: Uhhhh...ok.
Bank: What's your full name?
Me: Ian Yip
Bank: What's your date of birth?
Me: (I gave it to them)
Bank: What's your mother's maiden name?
Me: (I gave it to them)
Bank: What's your full address including postcode?
Me: (I gave it to them)


OK, even those among you that aren't in the security business can see that this conversation has all the hallmarks of something very suspicious. I don't know why I didn't notice it at the time...maybe for the same reasons why people on the street will give up their passwords for a small "reward" (I'm not kidding - this was a proper study done by some scientists...or some journalists...can't remember). We're simply too trusting and have been conditioned to just give our private information up! In my own defence, they DID know my mobile phone number (they called me), they knew my name and they knew I applied for a credit card so perhaps that's why I let my guard down. If you think about it though, this could easily have been a standard line used against a whole list of people and they may get a few who actually fit the criteria of having applied for a credit card. It's essentially phishing by phone.

They then proceeded to ask me to authorise my employer to validate my information for them. You know, things like proof of employment and the fact that my salary in the application form was indeed correct. I agreed...at the time. This then brings me to the question of how my employer is supposed to actually validate that it is REALLY the bank calling them for my information? I have no idea, but I'm thinking there isn't a nice answer here so I'm probably better off not knowing...which brings me to my next reaction.

After kicking myself (metaphorically speaking) for the rest of the day after the call, I eventually decided I was going to do whatever it took to NOT have to authorise my employer to give up that information. I was also still unsure if I had just been "Phone Phished". So, I called them today to validate they did indeed call to ask me those questions and to authorise the release of information from my employer. Luckily for me, it was them (phew). So I had just established that I dodged a bullet. I then proceeded to ask them if there was any other way for them to validate my information. I may be a little paranoid, but apart from the reason I mentioned above (how does my employer validate that the bank is indeed the bank), I also didn't want to authorise my employer to release any of my information to ANYONE in case they screw up in future and take my authorisation as meaning they can freely give it up to anyone claiming to be a bank. I tried getting the bank to allow me to fax them a payslip. They apparently also wanted proof of employment via my letter of employment (which has outdated pay information anyway, so they would probably have called me to ask what the deal was) and they also wanted proof of address. So I would have had to fax them a copy of my driver's licence. Fun...NOT. They wanted more information that one could argue they didn't need. I then piped up (because I was getting rather frustrated at their lack of customer management procedures and processes) by saying...

Me: "I know this is all standard process for a new credit card, but may I ask why I need to provide all this information again when I already have an account (I actually have an existing credit card) with the bank and you have no doubt already validated I am who I am when you issued me that card?"
Bank: Oh you have an account sir? Would you like us to cross reference against that"?
Me: Yes. If that is possible and would save me all this hassle. Would you like my existing account number?
Bank: Oh no sir, that's ok. I can find it on the system and you have also quoted it here in your application.
Me: Yes I did.
Me (in my head, not out loud): and why the F*$& did you not notice that in the first place rather than putting me through all this?
Bank: Thank you sir. Will there be anything else today?
Me: No.


Now, if I've learned something from this, it's that banks should REALLY change how they verify things with customers on the phone...AND that we should behave differently to force them to change their procedures. They are all so busy locking down their Internet facing systems (as they should) that they've neglected trying to secure the traditional means of communication. As people commonly say, they try to deadbolt the back door with all sorts of locks, but forget the front door is wide open.

Here's how my first conversation should have gone:

Bank: Hello Mr. Yip this is (Bank X) calling you regarding your credit card application which you submitted on (exact date). For verification purposes, can I just confirm a few details with you?
Me: Ok.
Bank: What's your full name?
Me: Ian Yip
Bank: I will now tell you what year you were born in. (Tells me the year I was born in). Now please tell me your date of birth?
Me: (I give it to them)
Bank: I will now tell you the last letter of your mother's maiden name. (Tells me the last letter of my mother's maiden name). What's your mother's maiden name?
Me: (I give it to them)
Bank: I will now tell you the street you live in. (Tells me the street I live in). What's your full address including postcode?
Me: (I give it to them)


Now, while this is not perfect, it is definitely more secure than the current standard practice we all accept when speaking with the bank over the phone whenever the call is not initiated by us. Sure, the bank is not giving me any details about them but that's not the point. They are authenticating themselves to me by giving me exact details about myself. i.e. My surname, exact date of application (this is KEY - there is no way to know this unless you are the bank, you were looking over my shoulder when I submitted the application, I told you when I did it or you have a keystroke logger or network sniffer on the machine that I used), year I was born, last letter of mother's maiden name and the street I live in. And I'm authenticating myself by filling in the blanks. This is mutual authentication (albeit rather low-tech). The way they do it now is simply by performing client authentication. There is no authentication by the bank to the person involved, which is just plain wrong and lends itself to the proliferation of "Phone Phishing". In other words, the bank is not protecting users from identity theft over the phone.

From now on, we should ALL force our hand by taking the necessary steps on our end to ensure that we are actually speaking to who we think we are speaking to, especially when we are not the initiator of the phone call. Hopefully the banks wake up soon and change this procedure. I applaud any banks who have already realised this problem and are taking the necessary steps to rectify the HUGE potential problem. If we think "Phishing" attacks online are a big issue, I'd dare say this poses a far greater risk due to the fact that Internet banking users are only a subset of all banking customers. All customers (especially non-Internet banking users) still communicate with their banks over the phone at some stage do they not?!

I'm not the first person to write about this issue. Many have talked about this so I'm not exactly saying anything groundbreaking. I just felt the need to make myself heard and hopefully feel a little less silly.

Disclaimer: I know I'm picking on a single bank here, but I have dealt with other banks for other issues and they are not much better when on the phone so this has the potential to be a VERY big problem.

Before I move on...a pet peeve

I'll keep it brief.

Why don't people know the difference between when to use "you're" and "your"?!?!?!


It's infuriating. I see the incorrect use of these terms more often than I see them used correctly. What's so hard about it? "You're" is the abbreviated version of "you are" and "your" is usually used when referencing something belonging to you. e.g. "This is your needless rant on the deterioration of the English language". This sends a chill down my spine more than fingernails on a chalkboard...well, maybe not but almost as much.

Phew. Finally got that one off my chest. It's been bugging me for years and I've had no one to complain to.

I've finally relented and joined the masses

New blogs are being added daily at an astounding rate (I could find out exactly what this is, but where's the fun in that) so I thought I'd add to the clutter. It also gives me somewhere to jot (Gees, it's been awhile since I used that word - consequence of the computer generation I suppose - no one jots anymore. Now they ping, type and blog) down my thoughts that I think are worth taking down for future reference...who knows, maybe one day I'll look back and realise what I fool I was when I made various posts.

Note: I live (and grew up) in Australia hence I use the "Queen's English" to spell. So for me, "realise" is the correct spelling and NOT "realize".

I'm not a diary writer. I did that once and my brother decided it would be funny to spend his days looking for it and when he found it, he read it...all of it. I vowed never to write another diary again. A blog isn't a diary I suppose...or at least I'll be sure only to publish thoughts that have been through my "embarrassment filter".

I've always thought about starting a blog. It usually takes a compelling event however, for me to relent to doing something I think about doing...but never get around to. I'll post about this in a separate entry to keep the thread "pure".

It also dawned on me as a result of the aforementioned compelling event that I've now been cursed (or blessed depending on your point of view) with having my day job seep into my subconscious and actually dictate how I feel about certain issues and how I behave in relation to certain everyday situations.

Lastly, my day job is very much about what is currently commonly referred to as "Identity Management" and I've realised the dearth of information and opinions relating to this topic (that is now apparently close to my heart given I'm now blogging about it) outside of North American (and some European) "Identity luminaries". So, being the patriot I am, I thought Australia (being one of the most stringently regulated countries in the world in terms of privacy) should be represented!

Of course, if no one ever reads this, then I'm pretty much talking to myself...so it's pretty much like what happens to me daily then.