December 14 2007
Editorial - Microsoft and Experian launch a credit card
Experian and Microsoft have a half-baked idea for cutting fraud activity. See if you can pick more holes in it than we have.
We talked to some nice people at Experian and Microsoft this week about a new initiative on password storage and authentication that they plan on bringing to market in the next year. The new initiative uses Microsoft’s Windows CardSpace technology for the security and storage of a user’s credit and debit card data, and relies on Experian’s credit database for the authentication part of the story. Together they plan on providing a solution to the retailers’ need for authentication and the consumers’ need for a single sign-on.
Although the system is still at the proof-of-concept stage, the partners have gone a long way down the road towards thinking about how the actual product would work.
Here’s how it should work in theory:
Windows CardSpace runs on the consumer’s computer desktop and stores details of the consumer’s identity and details of their credit and debit cards. It also stores the usernames and passwords for all the sites they want, in something called the “Experian Card”. Then if an individual wants to renew their car insurance, they select their ‘Experian Card’, which would contain confirmation of identity details and age plus, in this instance, other facts that form part of money laundering legislation. Windows CardSpace then sends a request to Experian, the identity provider, to validate the identity of the website.
Once the requesting website is identified, Experian then forms a signed and encrypted ‘token’, which contains a confidence level as to whether that person exists and is who they say they are, and returns it to Windows CardSpace and thence to the website.
All interactions between the individual, Experian and the organisation are encrypted and digitally signed to protect the information from many forms of data and identity attack.
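The token step described above, as an added example (not Experian’s or Microsoft’s code): the identity provider signs a confidence level for one identified website, and that website checks the token before relying on it. The claim names, the demo key, the expiry and the use of HMAC-SHA256 in place of the real signature and encryption are assumptions, since the article does not give the token format.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key. A shared HMAC key stands in for the provider's digital
# signature; a real deployment would sign asymmetrically so that the website
# can verify tokens but cannot mint them. Encryption is left out.
IDP_KEY = b"constructed-demo-key"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_token(subject, audience, confidence, ttl=300, now=None):
    """Identity provider: bind the confidence level to the identified website."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "aud": audience,
              "confidence": confidence, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)

def verify_token(token, expected_audience, min_confidence, now=None):
    """Relying website: return (accepted, reason). Signature is checked first,
    so no claim is read from a token that has been altered."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return False, "malformed"
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(body)
    if claims["aud"] != expected_audience:  # token issued for another site
        return False, "wrong audience"
    if claims["exp"] < now:  # stale token replayed later
        return False, "expired"
    if claims["confidence"] < min_confidence:  # site's own policy threshold
        return False, "confidence too low"
    return True, "ok"
```

The confidence threshold is the website’s decision, not the provider’s: the same token can be good enough for one retailer and too weak for another.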
Which all sounds very good. By using the “Experian Card” the retailer knows the Jack Spratt who is applying for car insurance is the actual Jack Spratt, and the consumer only has to put their credit card details in once and they never have to remember another username and password ever again.
Sounds simple? Sounds foolproof? No and No are the correct answers. The problems start when you start to think about how people actually buy stuff on the net. They buy it at home, at work, and they buy it wherever they have an internet connection. Unfortunately, because of the way the Experian system works, you need to transfer the Card to a USB key if you want to be able to use it at work, which brings with it a whole load of problems. Next you need to have a footprint with Experian in order to be authenticated.
Microsoft think they know the answer to the portability problem and that’s to use a mobile, but that won’t be available for a long, long time, and unfortunately it relies on your mobile being able to speak to your PC via Bluetooth, which just adds complexity, plus it’s doubtful if the mobile operators would allow Experian or Microsoft to come anywhere near a potentially lucrative money spinner like this.
Then there’s the question of who pays. Experian expect the retailers will pay for the service and the revenue from the retailer will be based on a percentage of the transaction cost. Yeah right.
Finally there’s the problem with the idea’s parentage. Microsoft and Experian are the best and worst candidates for a project of this kind. Retailers generally tend to like Experian; however, there are plenty of consumers who hate their guts. You just have to read the Money sections of any Sunday newspaper to see that. And Microsoft may be fantastic when it comes to producing software for presentations and word processing, but their track record at secure online systems leaves a lot to be desired – Internet Explorer, Vista and XP get security patches that fix loopholes practically every week – and the last time they attempted to get everyone using a single sign-on password system was a disaster.
Experian “believe there will be enormous demand for such a service from both organisations and consumers”. We beg to differ.