Identity Management Best Practices

Good day, fellow members;

I am looking for a set of best practices for Identity Management (IdM)
and have googled and searched the wiki, but to no avail.

Any ideas / help are appreciated.

Thanks and have a nice weekend.

A Monk

Re: Identity Management Best Practices

I have a paper on that, part of which is posted on my web site under the Ideas tab:

Identity Issues - 6 R's and what a bank can learn from a casino

When a "whale" (a.k.a. Private Banking customer) walks into a
casino they are recognized, greeted at the door, and shown to their
free suite and their favorite VIP gaming tables. When a "shark" (cheat,
fraudster) shows his face he too is greeted, but with an entirely
different response.

Can your bank do this?

Probably not. But banks have several reasons to be looking to advanced
technologies to address identity issues and the casinos are where such
technology has been pioneered. Those reasons include:

Know your customer regulations - There is a difference between
knowing a customer and knowing an account holder. A customer may have
multiple accounts and their pattern of activity overall may be deemed
suspicious even if no individual account looks suspicious on its own.

Fraud reduction potential - No one is committing fraud today using
their own name, address, and Social Security Number. Frauds involve
creating or stealing identities, taking over real customers' accounts,
and using real customers' identity tokens (codes, checks, cards,
passwords, personal data) to steal from the customers' accounts.

Customer management - It is just good business to know who your
customers are, who they are related to, what their total product mix
is, and then use that information for marketing and in the daily
decision-making processes of the bank. Do you really want to cancel the
credit card of the daughter of the CEO of your largest Corporate Trust

Recognition capabilities - the 6 Rs

Knowing who is who actually requires several distinct capabilities to
be effective:

Resolve - Is Jane Smith also Jane Brown and/or Jane Brown-Smythe?
Banks have long talked about "scrubbing the CIF," trying to create a
customer information file that accurately relates account holders
across their entire enterprise.

Research - What is known about her? Is she a known criminal?

Relate - Who is she related to and how? (Is she Gotti's limo driver
or the wife of a CEO?)

Recognize - In the branch, on the phone, on the Internet site, at an
ATM, by mail...

Respond - All the above is wasted without the capability to
differentiate the bank's response.

Recover - If all else fails, do we have all of the information to
make a recovery or support an arrest?

Banks need to consider the need for each of these capabilities. Many
"Identity solutions" address one or more of these needs but none
fully address all of them. It takes more than simply buying and
installing a "solution" to develop and implement full identity
recognition capabilities.

Jim G. George

Re: Identity Management Best Practices

this is something of a difference between strong identification and
strong authentication. at places like point-of-sale ... it is
desirable to have strong authentication (is the entity authorized to
use the account) as opposed to strong identification (is the entity
john doe) because of privacy issues.

current infrastructure has included identification somewhat because
of poor authentication technology; your name is on the payment card at
point-of-sale ... allowing the clerk to ask for gov. photo-id and
cross-check the name on the payment card with the name on the
gov. photo-id ... as an authentication mechanism ... but relying on
identification to achieve authentication ... which in turn results
in privacy problems.

at various points the EU has passed directives that payment cards were
no longer to carry people's names ... reducing the level of privacy
invasiveness (and hoping to promote strong authentication technology
differentiated from identification technology); aka retail payments
should be about as privacy invasive as cash.

there have even been some US banks issuing payment cards w/o names on
the cards ... i.e. while financial institutions have "know your
customer" regulations ... that doesn't mean that your name needs to be
publicly, boldly displayed on every retail transaction.

the x9a10 financial standards working group had been given the
requirement to preserve the integrity of the financial infrastructure
for all retail payments (internet, point-of-sale, debit, credit,
stored-value, aka "ALL"). the result was x9.59 financial standard.
i've periodically claimed it to be privacy "agnostic" ... it uses
strong authentication for transaction integrity w/o requiring names to
be plastered all over every transaction.

whether a financial institution keeps a mapping between the account
holder to a name ... is outside the x9.59 protocol.

as to identity theft ... FTC and other institutions have made some
attempts to differentiate between using personal information to
establish new accounts (i.e. identity fraud) and account fraud
... where criminals use compromised information to perform fraudulent
transactions against existing accounts. strong authentication in x9.59
retail transactions is targeted at account fraud compromises.

there have been some observations that just strengthening
countermeasures to identity fraud won't actually reduce overall fraud
as long as it is so easy to perform account fraud (differentiating
between identification and authentication).

