December 13, 2016, updated 04 Apr 2017 3:56pm

Digital ID verification and mobile payments – one tough nut to crack

So far, digital identity credentials have been the missing piece in the mobile wallet puzzle, making mobile payments vulnerable to fraud involving stolen card accounts. Robin Arnfield profiles two US fintech firms that want to fill this gap with technology to store ID documents in digital form on smartphones.

By Robin Arnfield

Birmingham, Alabama-based Credntia provides an app to verify the identity of people using mobile wallets to make in-store payments. The app is available worldwide with the exception of Brazil, China, France, India, Russia and Turkey. Mobile wallets are vulnerable to fraud if issuers do not institute effective verification processes for card onboarding, as criminals can load card numbers stolen through database breaches into them. In early 2015, several US banks experienced an average of 600 basis points of fraud from Apple Pay card onboarding due to security gaps in their card registration process, according to Julie Conroy, research director at US-based consultancy Aite Group.

Credntia enables consumers to scan driver’s licences, passports and health insurance cards into a Credntia-branded Android or iOS app, and use these digital credentials as proof of identity in a bricks-and-mortar store. “When you pay with a mobile wallet at the checkout, you can be asked for your physical driver’s licence,” says Credntia cofounder and CEO Cody Winton.

“Apple Pay and Android Pay are incomplete as they are susceptible to the fraudulent onboarding of stolen card numbers, and just focus on payments.

“However, if you pair them with an ID solution like Credntia, they become more secure.”

Credntia is seeking partnerships with retailers to accept its app in their stores.

“Existing Credntia users can prove their identity just by showing a merchant their digital ID in their phone’s Credntia app,” Winton says. “But Credntia can interface with a merchant’s payment system as well.

“In addition to face-to-face shopping, I envisage Credntia being used for verifying ID in card-not-present mobile commerce transactions.”

Verification  

Credntia’s onboarding verification process is designed to prevent someone from scanning a stolen ID document such as an altered driver’s licence.

“Our OCR process scans the details on the front of the driver’s license, and checks that data with the data stored in the barcode on the back, to see if the license has been tampered with,” says Winton.

“If that data doesn’t add up, we won’t accept the scan. We also check the format of the data – the textual data on the front and the barcode on the back – against different types of credential format, such as standard formats for US driver’s licences.

“For example, the location of the issue date on the front of a Californian driver’s license is different to a Hawaiian licence.”
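The front-versus-barcode consistency check Winton describes can be sketched as follows. This is an added example, not Credntia's code: it assumes the barcode has already been decoded to text lines that use the AAMVA element IDs (DAQ, DCS, DAC, DBB, DBD, DAJ) with US-style MMDDCCYY dates, and all sample data is constructed.

```python
import re
from datetime import date

# AAMVA element IDs for the fields compared here (assumed; not named in the article).
ELEMENTS = {"DAQ": "id_number", "DCS": "family_name", "DAC": "first_name",
            "DBB": "birth_date", "DBD": "issue_date", "DAJ": "state"}
DATE_FIELDS = {"birth_date", "issue_date"}

def parse_barcode(payload):
    """Map 'DBB01311990'-style element lines to named fields."""
    fields = {}
    for line in payload.splitlines():
        name = ELEMENTS.get(line[:3])
        if name:
            fields[name] = line[3:]
    return fields

def normalise(name, value):
    """Canonical form so OCR text and barcode text can be compared."""
    value = re.sub(r"\s+", " ", value).strip().upper()
    if name not in DATE_FIELDS:
        return value
    digits = re.sub(r"\D", "", value)
    if len(digits) != 8:
        raise ValueError("expected MMDDCCYY")
    # date() raises ValueError for impossible dates such as month 31.
    return date(int(digits[4:]), int(digits[:2]), int(digits[2:4])).isoformat()

def cross_check(ocr_front, barcode_payload):
    """Return (field, reason) problems; an empty list means front and back agree."""
    back = parse_barcode(barcode_payload)
    problems = []
    for name in ELEMENTS.values():
        if name not in ocr_front or name not in back:
            problems.append((name, "missing"))
            continue
        try:
            if normalise(name, ocr_front[name]) != normalise(name, back[name]):
                problems.append((name, "mismatch"))
        except ValueError:
            problems.append((name, "bad_format"))
    return problems

# Constructed sample data, not a real licence.
BARCODE = "DAQD1234567\nDCSSAMPLE\nDACALEX\nDBB01311990\nDBD08312014\nDAJCA"
FRONT_OK = {"id_number": "D1234567", "family_name": "Sample", "first_name": "Alex",
            "birth_date": "01/31/1990", "issue_date": "08/31/2014", "state": "CA"}
FRONT_ALTERED = dict(FRONT_OK, birth_date="01/31/1985")
```

A scan is accepted only when `cross_check` returns an empty list. Agreement between front and back shows internal consistency, not that the issuing authority ever produced the document.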

Although several US States as well as countries such as the UK and Australia are experimenting with mobile driver’s licenses, there is no universal standard for scanning digital forms.

“That’s why our approach is to scan physical ID documents,” says Winton. “We want to set up partnerships so we can tap into Department of Motor Vehicles databases and use their digital driver’s licences in our app.

“Currently, we aren’t able to verify ID credentials against government agencies’ databases, but we plan to add verification features over time.”

Winton says Credntia uses military-standard AES 256 encryption to secure data in its app. All data is stored in the user’s phone, and Credntia is compliant with PCI DSS and the Health Insurance Portability and Accountability Act – a US regulation governing the privacy and security of individually identifiable health information.

“Even if someone could hack into an iPhone, they wouldn’t be able to access ID credentials stored in our app,” Winton explains.

The difficulties with proving validity

A key challenge with Credntia is how a law enforcement officer can determine that the credentials a consumer has loaded into the app, such as a driver’s licence or passport, are valid and were issued by the appropriate authority.

Ben Knieff, senior research analyst at US-based Aite Group, says that US law-enforcement agencies are not yet ready to accept digital forms of ID such as driver’s licenses and car insurance documents.

“Digital ID isn’t yet well accepted, and there are a lot of questions about what forms of digital information are admissible in court, and how that information is obtained,” he explains.

ShoCard

California-based ShoCard has developed technology that lets users scan government-issued ID documents into its app. Users then write their ID information to the public blockchain for validation by a government agency, bank, telco or KYC services provider.

ShoCard uses public/private key encryption and data hashing to securely store and exchange ID data, which can include biometrics such as users’ fingerprints, voice recording or photos of their face or iris.

“ShoCard stores all the data fields on the blockchain in the form of a one-way hash using the private encryption key on the user’s mobile device,” says Ali Nazem, ShoCard’s vice-president of business development.

“The information includes biometrics and all the various fields on a driver’s licence, passport, or government ID, such as name, address, birth date, and ID number.

“A ShoCard app user can then access different types of service or travel on planes, without having to present physical documentation each time.

“They just present their ShoCard and authenticate themselves via Touch ID on their iPhone or other biometrics.” ShoCard says that its approach to identity is different from existing solutions, in that ShoCard users own and carry their personal data within their mobile app, and decide with whom to share it and which pieces of ID to share.

“Our clients are enterprises in the fintech, air travel, government and IoT verticals,” says Nazem. “ShoCard’s app can be used to verify a cardholder’s identity and authority to use their credit card for CNP transactions, verify bank customers’ identities when logging into their accounts without compromising their privacy, register for and log into websites, and register once and then travel through airports with simple facial recognition.”
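The field-level hashing and user-controlled sharing described in this section can be illustrated with salted hash commitments. This is an added example, not ShoCard's implementation: the per-field salt, the function names and the in-memory dictionary standing in for the ledger are assumptions, and the device-key signature and the blockchain write are left out.

```python
import hashlib
import hmac
import secrets

def commit(field, value, salt):
    """Salted one-way hash of a single ID field."""
    data = salt + field.encode() + b"\x00" + value.encode()
    return hashlib.sha256(data).hexdigest()

def enrol(id_fields):
    """Device side: values and salts stay on the phone, only hashes are published."""
    salts = {f: secrets.token_bytes(16) for f in id_fields}
    ledger_record = {f: commit(f, v, salts[f]) for f, v in id_fields.items()}
    return salts, ledger_record

def disclose(id_fields, salts, wanted):
    """The user picks which fields a relying party gets to see."""
    return {f: (id_fields[f], salts[f].hex()) for f in wanted}

def verify(disclosed, ledger_record):
    """Relying party: recompute each hash and compare it with the ledger copy."""
    return all(
        f in ledger_record and hmac.compare_digest(
            commit(f, value, bytes.fromhex(salt_hex)), ledger_record[f])
        for f, (value, salt_hex) in disclosed.items())

def unsalted_is_guessable(published_hash, field, candidates):
    """Design check: a low-entropy field hashed without a salt can be matched
    by hashing every plausible value, so the published hash leaks the field."""
    return any(commit(field, c, b"") == published_hash for c in candidates)

# Constructed sample identity, not real data.
SAMPLE_ID = {"name": "ALEX SAMPLE", "birth_date": "1990-01-31",
             "id_number": "D1234567"}
```

Only the fields passed to `disclose` leave the device. The relying party learns nothing about the others from the ledger, provided each salt is random and kept private.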

Analyst comment

“A digital identity platform based on public key infrastructure, preferably blockchain-based, can improve many aspects of digital commerce in many areas: P2P, B2C, B2B, C2B,” says Knieff.

“The primary challenge today is that there are many digital identity schemes that attempt to connect an online and offline identity, and that these initiatives are at a very early stage.”

One example is the Fast IDentity Online Alliance, which has developed specifications for open, interoperable biometric- and physical token-based digital authentication mechanisms that reduce the reliance on traditional passwords.

“The key nut to crack – and the weakest link in the chain – is how to reliably bind a physical person to a digital identity,” says Knieff.

“After that, there are many tasks in encryption key management, but the binding of physical and digital identity is the number one requirement to build trust in digital ID among consumers and governments.”

ShoCard is one of several ID technology vendors that let people manage their own digital information online.

“ShoCard lets you assert and manage your digital ID,” says Knieff. “There is a huge shift underway which will lead to individuals owning their ID data through the blockchain. The true owner of identity information will become in control of that identity information.”

Moving to digital ID credentials

Acuity Market Intelligence says that 650m (80%) of the world’s passports are now ePassports, with 826m (92%) of global passports in circulation set to incorporate RFID chips and biometrics by 2020.

The US consultancy says 611m smart card-based electronic National Identity Cards (eIDs) will be issued globally in 2016, with the figure growing to 786m issued annually by 2020.

By 2022, smart, biometric physical identity credentials – including ePassports, eIDs, and driver’s licenses – will start to be replaced by next-generation virtual credentials stored in mobile devices and accessed via biometric authentication, according to Acuity.

“By 2030, today’s standard identity credentials will be obsolete,” it says.

Maxine Most, Acuity’s principal and lead analyst, says biometrically enabled smartphones will drive the overall move towards digital ID.

“Over 220 biometrically enabled smartphone models are currently on the market,” she says.

“By 2018, all smartphones will include biometrics and by 2020, feature phones will be obsolete.

“The global deployment of this platform is the tipping point for full-scale adoption of digital identity.”
