
Banks to market identity wallet

Anh-thu Phan

Banks are among the firms preparing identity services as a fee-based product for customers who want a single sign-on across Web sites, according to an executive.

This follows last month's release of online identity technology specifications from the Liberty Alliance group, according to John Worrall, vice-president of worldwide marketing at RSA Security.

Mr Worrall, who was in Hong Kong last week to brief banking customers on trends in the industry, said he saw local interest in this service and that plans were under way to apply the technology in the United States.

About 100 companies including RSA, Citigroup, NTT DoCoMo and America Online (AOL) have signed on to Liberty Alliance.

Mr Worrall said both Internet service providers (ISPs) and banks were likely to offer federated identity services for a fee. The service would allow users to have their personal information shared with sites of their choice, eliminating the need to enter personal and payment information more than once. The concept of an identity and a 'wallet' that is portable across sites has also been attempted by Microsoft through its Passport service and by AOL, although actual user numbers are hard to quantify.

ISPs have the advantage of usually being the first stop when a consumer accesses the Internet. 'I log into my ISP and from there I move on. But it's my first sign-on,' Mr Worrall said.

Meanwhile, banks believe they can use federated identities for both communicating internally and as a for-fee service.

'Banks are interested because [they] clearly have a reputation for trust. If you sit back and say who do I trust the most, who's got my money? They've got my personal information, they've got all my financial information, so I'm already trusting them,' he said.

Products built around Liberty Alliance should reach the market later this year, Mr Worrall said.

Aside from collecting fees from consumers who use the services, companies could charge merchants who want to connect to the information.

Similar plans from companies for products such as Passport and federated identities have raised privacy concerns, but Mr Worrall said linking of online information would be the responsibility of the user.

'It eliminates the privacy issue, or the concern about all their information being in one person's hand, or any third party's hand, because you actually have an identity provider that knows who you are and they do some linking with other places but they don't share any information about you,' he said.

'It also is very much a choice of the end users. There's no need to federate identities if you don't want to.'

Liberty Alliance is one of several large industry initiatives addressing online security issues.

Aside from Liberty Alliance, another high-level group called WS-Security was founded by Microsoft and IBM, and recently invited Sun Microsystems to join. Sun is the key founding member of Liberty and it is unclear whether Microsoft will become a group member. Agreement on standards could be key to the interoperability of the next generation of Internet identity products.

On the network security front, Mr Worrall said a recent password fraud that was successful in Singapore could not be avoided, especially when computer users did not understand the ongoing threat from trojans.

He said these were the back-door programs that could be downloaded from an e-mail and set to send passwords back to hackers' computers.

'The interesting thing about that attack is there's not a lot of magic there. You didn't have to be a supersmart PhD to do something like that,' Mr Worrall said.

In that case 21 Singapore bank accounts were accessed via stolen passwords, with funds being transferred to a hacker's account and then withdrawn. While the institution involved, the Development Bank of Singapore, topped up the accounts, it also said it might not do so in future cases.

Mr Worrall said this type of policy would only discourage people from using Internet banking and from trusting their banks. 'They don't understand security breaches, they just know that their money's missing. They probably don't think they've done anything wrong and I would agree with them. I think that the banks have to take some responsibility,' he said.

Most banks take strong precautions when offering Internet banking. Links are often encrypted, firewalls are set up within systems and data sitting at the back end is also scrambled. The one thing that banks cannot yet verify is who is accessing the account, and as the Singapore experience has shown, a password can be easy for hackers to crack.

Mr Worrall said banks were starting to introduce stronger verification for Internet banking, initially in smart cards embedded with identity certificates for use with high-value accounts.

'My belief is that over time they're going to introduce stronger levels of authentication. We have clients now that are doing that,' he said.

Most of these clients are investment banks and brokerages using the technology for internal systems and high-end clients. Smart cards and similar technology might be introduced to general consumers, but not before the necessary readers were more widely available in the market, Mr Worrall said.
