So far, digital identity credentials have been the missing piece in the mobile wallet puzzle, making mobile payments vulnerable to fraud involving stolen card accounts. Robin Arnfield profiles two US FinTech firms which want to fill this gap with technology storing ID documents in digital form on smartphones.
Birmingham, Alabama-based Credntia provides an app to verify the identity of people paying in stores with mobile wallets such as Apple Pay or Samsung Pay. The app is available worldwide except in Brazil, China, France, India, Russia and Turkey.
Mobile wallets are vulnerable to fraud, as criminals can load card numbers stolen through database breaches into them, if issuers don’t institute effective verification processes for card on-boarding. In early 2015, several US banks experienced an average of 600 basis points of fraud from Apple Pay card on-boarding due to security gaps in their card registration process, according to Julie Conroy, research director at US-based consultancy Aite Group.
Credntia enables consumers to scan driver’s licences, passports, health insurance cards or other ID credentials into a Credntia-branded Android or iOS app and use their digital credential as proof of identity in a bricks-and-mortar store.
“When you pay with a mobile wallet at the checkout, you can get asked for your physical driver’s licence,” says Credntia co-founder and CEO Cody Winton. “Apple Pay, Android Pay, etc. are incomplete as they are susceptible to fraudulent on-boarding of stolen card numbers, and just focus on payments. But, if you pair them with an ID solution like Credntia, they become more secure.”
Credntia is seeking partnerships with retailers to accept its app in their stores. “Existing Credntia users can prove their identity just by showing a merchant their digital ID in their phone’s Credntia app,” Winton says. “But Credntia can interface with a merchant’s payment system as well. In addition to face-to-face shopping, I envisage Credntia being used for verifying ID in card-not-present mobile commerce transactions.”
Credntia’s on-boarding verification process is designed to prevent someone from scanning into its app a stolen ID document, such as a driver’s licence, which has been altered, e.g. with a new photo.
“Our OCR process scans the details on the front of the driver’s licence, and checks that data with the data stored in the barcode on the back, to see if the licence has been tampered with,” says Winton. “If that data doesn’t add up, we won’t accept the scan of the driver’s licence.
“We also check the format of the data – the textual data on the front and the barcode on the back – against different types of credential formats, such as standard formats for US driver’s licences. For example, the location of the issue date on the front of a Californian driver’s licence is different to a Hawaiian driver’s licence.”
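The two checks Winton describes, front-to-barcode consistency and a per-jurisdiction layout check, can be sketched as follows. This is an added illustration, not Credntia’s code: the zone names, the CA and HI layout profiles and the ID-number patterns are constructed for the example, and the barcode is assumed to carry a small subset of the AAMVA PDF417 element IDs with MMDDCCYY dates.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// OCRToken is one text box read from the card face, tagged with the named
// region it sat in (constructed; a real OCR engine returns pixel boxes that
// would be bucketed into regions like these).
type OCRToken struct {
	Zone, Text string
}

// Layout says where a jurisdiction prints each field and what shape its ID
// number takes. Both profiles are constructed for the example and are not
// the real CA or HI card designs.
type Layout struct {
	Zones     map[string]string // field name -> zone where it is printed
	IDPattern *regexp.Regexp
}

var layouts = map[string]Layout{
	"CA": {map[string]string{"IDNumber": "top-right", "LastName": "mid-left", "DOB": "mid-right", "IssueDate": "bottom-left", "Expiry": "top-left"},
		regexp.MustCompile(`^[A-Z][0-9]{7}$`)},
	"HI": {map[string]string{"IDNumber": "top-left", "LastName": "mid-left", "DOB": "mid-right", "IssueDate": "bottom-right", "Expiry": "top-right"},
		regexp.MustCompile(`^H[0-9]{8}$`)},
}

// Barcode element IDs: an assumed small subset of the AAMVA PDF417 element
// set, with MMDDCCYY dates; a real barcode carries many more elements.
var barcodeIDs = map[string]string{"DAQ": "IDNumber", "DCS": "LastName", "DBB": "DOB", "DBD": "IssueDate", "DBA": "Expiry"}

// parseBarcode reads newline-separated "IDvalue" elements into field names.
func parseBarcode(payload string) map[string]string {
	fields := map[string]string{}
	for _, line := range strings.Split(payload, "\n") {
		if line = strings.TrimSpace(line); len(line) >= 3 {
			if name, ok := barcodeIDs[line[:3]]; ok {
				fields[name] = line[3:]
			}
		}
	}
	return fields
}

// canon makes a printed value ("04/15/1985", "doe") and a barcode value
// ("04151985", "DOE") directly comparable.
func canon(v string) string {
	return strings.ToUpper(strings.NewReplacer("/", "", "-", "", " ", "").Replace(v))
}

// VerifyScan cross-checks the OCR'd front against the barcode on the back and
// against the claimed jurisdiction's layout. An empty result means the scan is
// internally consistent; otherwise every problem found is listed.
func VerifyScan(state string, front []OCRToken, barcode string) []string {
	layout, ok := layouts[state]
	if !ok {
		return []string{"unsupported jurisdiction " + state}
	}
	byZone := map[string]string{}
	for _, t := range front {
		byZone[t.Zone] = strings.TrimSpace(t.Text)
	}
	back := parseBarcode(barcode)
	var problems []string
	for name, zone := range layout.Zones {
		fv, ok := byZone[zone]
		if !ok || fv == "" { // field printed elsewhere, e.g. a CA-style face presented as HI
			problems = append(problems, fmt.Sprintf("front: %s not found in expected zone %q", name, zone))
			continue
		}
		if name == "IDNumber" && !layout.IDPattern.MatchString(fv) {
			problems = append(problems, "front: ID number does not fit the "+state+" pattern")
		}
		if bv, ok := back[name]; !ok {
			problems = append(problems, "barcode: missing "+name)
		} else if canon(fv) != canon(bv) {
			problems = append(problems, fmt.Sprintf("mismatch in %s: front=%q barcode=%q", name, fv, bv))
		}
	}
	sort.Strings(problems) // map iteration order is random; sort for stable output
	return problems
}

// Constructed sample: a consistent CA scan, then the same back paired with a front whose name was altered.
var caBarcode = "DAQA1234567\nDCSDOE\nDBB04151985\nDBD06012020\nDBA06012025\n"
var caFront = []OCRToken{{"top-right", "A1234567"}, {"mid-left", "DOE"}, {"mid-right", "04/15/1985"}, {"bottom-left", "06/01/2020"}, {"top-left", "06/01/2025"}}
var alteredFront = []OCRToken{{"top-right", "A1234567"}, {"mid-left", "SMITH"}, {"mid-right", "04/15/1985"}, {"bottom-left", "06/01/2020"}, {"top-left", "06/01/2025"}}

func main() {
	fmt.Println("genuine:", VerifyScan("CA", caFront, caBarcode))
	fmt.Println("altered name:", VerifyScan("CA", alteredFront, caBarcode))
	fmt.Println("CA face claimed as HI:", VerifyScan("HI", caFront, caBarcode))
}
```

The point of driving extraction from the jurisdiction profile rather than searching the whole face for a date is that a card whose fields sit in the wrong places is rejected outright instead of being matched on a lucky token; in production the profiles would come from the issuing authority’s published design rather than hand-written tables.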
Although several US States as well as countries such as the UK and Australia are experimenting with mobile driver’s licences, there is no universal standard for scanning digital forms of driver’s licences into an app. “That’s why our approach is to scan physical ID documents,” says Winton. “We want to set up partnerships so we can tap into DMV (Department of Motor Vehicles) databases and use their digital driver’s licences in our app. Currently, we aren’t able to verify ID credentials against government agencies’ databases, but we plan to add verification features over time.”
Winton says Credntia uses military-standard AES-256 encryption to secure data in its app. All data is stored in the user’s phone, and Credntia is compliant with PCI DSS and HIPAA (Health Insurance Portability and Accountability Act), a US regulation governing the privacy and security of individually identifiable health information. “Even if someone could hack into an iPhone, they wouldn’t be able to access ID credentials stored in our app,” Winton says.
A key challenge for Credntia is how a law enforcement officer can determine that credentials such as a driver’s licence or passport, which a consumer has loaded into the app, are valid and were issued by the appropriate authority.
Ben Knieff, a Senior Research Analyst at US-based Aite Group, says that US law enforcement agencies aren’t yet ready to accept digital forms of ID such as driver’s licences and car insurance documents. “Digital ID isn’t yet well accepted, and there are a lot of questions about what forms of digital information are admissible in court and how that information is obtained,” he says.
Palo Alto, California-based ShoCard has developed technology that lets users scan their ID documents such as passports, driver’s licences or other government-issued ID into its app. Users then write their ID information to the public blockchain for validation by a government agency, bank, telco or KYC services provider.
ShoCard uses public/private key encryption and data hashing to securely store and exchange ID data, which can include biometrics such as users’ fingerprints, voice recording or photos of their face or iris.
“ShoCard stores all the data fields on the blockchain in the form of a one-way hash using the private encryption key on the user’s mobile device,” says Ali Nazem, ShoCard’s vice president, business development. “The information includes biometrics and all the various fields on a driver’s licence, passport, or government ID, such as name, address, birth date, and ID number.
“A ShoCard app user can then access different types of services or travel on planes, without having to present physical documentation each time. They just present their ShoCard and authenticate themselves via Touch ID on their iPhone or other biometrics.”
ShoCard says that its approach to identity is different to existing solutions, in that a ShoCard user owns and carries their personal data within their mobile app and decides with whom to share it and which pieces of ID to share.
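The pattern Nazem and the preceding paragraph describe (field-by-field one-way hashes, a key held on the device, and a holder who chooses which fields to reveal) is illustrated below. This is an added example, not ShoCard’s protocol: it assumes per-field random salts, SHA-256 hashes and an Ed25519 signature by the device key, and the `Holder`, `Commitment`, `Disclosure` and `Verify` names and the sample fields are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Commitment is the public record the holder publishes: one salted hash per
// field plus a signature by the device key. No field value appears in it.
type Commitment struct {
	FieldHashes map[string]string // field name -> hex(sha256(salt || name=value))
	PublicKey   ed25519.PublicKey
	Signature   []byte
}

// Disclosure is what the holder shows one relying party: only the chosen
// fields, each with the salt that lets the verifier recompute its hash.
type Disclosure struct {
	Fields map[string]string
	Salts  map[string][]byte
}

// Holder lives on the device and keeps the private key, plaintext and salts.
type Holder struct {
	priv   ed25519.PrivateKey
	fields map[string]string
	salts  map[string][]byte
}

// fieldHash binds name and value under a per-field random salt, so the public
// hash of a low-entropy field such as a birth date cannot be brute-forced.
func fieldHash(salt []byte, name, value string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(name + "=" + value))
	return hex.EncodeToString(h.Sum(nil))
}

// canonical serialises the hash set in sorted order so holder and verifier
// sign and check exactly the same bytes.
func canonical(hashes map[string]string) []byte {
	names := make([]string, 0, len(hashes))
	for n := range hashes {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s:%s\n", n, hashes[n])
	}
	return []byte(b.String())
}

func NewHolder(fields map[string]string) (*Holder, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	h := &Holder{priv: priv, fields: fields, salts: map[string][]byte{}}
	for n := range fields {
		s := make([]byte, 16)
		if _, err := rand.Read(s); err != nil {
			return nil, err
		}
		h.salts[n] = s
	}
	return h, nil
}

// Commit produces the record to publish.
func (h *Holder) Commit() Commitment {
	hashes := map[string]string{}
	for n, v := range h.fields {
		hashes[n] = fieldHash(h.salts[n], n, v)
	}
	return Commitment{hashes, h.priv.Public().(ed25519.PublicKey), ed25519.Sign(h.priv, canonical(hashes))}
}

// Disclose releases only the named fields (and their salts) to one party.
func (h *Holder) Disclose(names ...string) Disclosure {
	d := Disclosure{map[string]string{}, map[string][]byte{}}
	for _, n := range names {
		d.Fields[n], d.Salts[n] = h.fields[n], h.salts[n]
	}
	return d
}

// Verify is the relying party's side: check the signature over the whole
// commitment, then that every disclosed field recomputes to its committed hash.
func Verify(c Commitment, d Disclosure) error {
	if !ed25519.Verify(c.PublicKey, canonical(c.FieldHashes), c.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	for n, v := range d.Fields {
		want, ok := c.FieldHashes[n]
		if !ok || fieldHash(d.Salts[n], n, v) != want {
			return fmt.Errorf("field %q does not match the commitment", n)
		}
	}
	return nil
}

func main() {
	h, err := NewHolder(map[string]string{"name": "JANE DOE", "dob": "1985-04-15", "id": "A1234567"}) // constructed
	if err != nil {
		panic(err)
	}
	c := h.Commit()
	fmt.Println("age check sees only dob:", Verify(c, h.Disclose("dob")))
	d := h.Disclose("dob")
	d.Fields["dob"] = "2001-01-01" // altered after the commitment was published
	fmt.Println("altered dob:", Verify(c, d))
}
```

Two things the example makes concrete that the prose does not: the verifier never needs the undisclosed fields or the private key, only the published commitment and what the holder chooses to reveal; and the salts are what keep an unsalted hash of a guessable field (a date of birth has only a few tens of thousands of plausible values) from being inverted by anyone who can read the public record.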
“Our clients are enterprises in the fintech, air travel, government and IoT verticals,” says Nazem. “ShoCard’s app can be used to verify a cardholder’s identity and authority to use their credit card for CNP transactions; verify bank customers’ identity when logging into their account without compromising their privacy; register for and log into websites; and register once and then travel through airports with simple facial recognition.”
“A digital identity platform based on PKI (Public Key Infrastructure), preferably blockchain-based, can improve many aspects of digital commerce in many areas: P2P, B2C, B2B, C2B,” says Knieff. “The primary challenge today is that there are many digital identity schemes that attempt to connect an online and offline identity, and that these initiatives are at a very early stage.”
One example is the FIDO (Fast IDentity Online) Alliance, which has developed specifications for open, interoperable biometric- and two-factor (physical token) based digital authentication mechanisms that reduce the reliance on traditional passwords.
“The key nut to crack – and the weakest link in the chain – is how to reliably bind a physical person to a digital identity,” says Knieff. “After that, there are many tasks in encryption key management, but the binding of physical and digital identity is the number one requirement to build trust in digital ID among consumers and governments.”
ShoCard is one of several ID technology vendors that lets people manage their own digital information online. “ShoCard lets you assert and manage your digital ID,” says Knieff. “There is a huge shift underway which will lead to individuals owning their ID data through the blockchain. The true owner of identity information will be in control of that identity information.”
Moving to digital ID credentials
Acuity Market Intelligence estimates that 650 million (80%) of the world’s passports are now ePassports, and predicts that 826 million (92%) of global passports in circulation will incorporate RFID chips and biometrics by 2020. The US consultancy says that 611 million smart card-based electronic National Identity Cards (eIDs) will be issued globally in 2016, growing to 786 million issued annually by 2020.
By 2022, smart, biometric physical identity credentials – including ePassports, eIDs, and driver’s licences – will start to be replaced by next-generation virtual credentials stored in mobile devices and accessed via biometric authentication, Acuity says. “By 2030, today’s standard identity credentials will be obsolete,” it says.
Maxine Most, Acuity’s principal and lead analyst, says biometrically-enabled smartphones will drive the move to digital ID. “Over 220 biometrically-enabled smartphone models are currently on the market,” she says. “By 2018, all smartphones will include biometrics and by 2020, feature phones will be obsolete. The global deployment of this platform is the tipping point for full-scale adoption of digital identity.”