
BT Technology Journal • Vol 22 No 1 • January 2004 43

URU — on-line identity verification

C J Gahan

Establishing and protecting identity is an issue that affects us all. In many everyday transactions, you have to prove that you are you. This paper describes URU, an automated on-line identity verification service based on a Web Services architecture and delivery model. It discusses how identity verification will move from today’s model based on documentation, to a much more convenient, faster and lower cost Web Services model.

Applications such as URU are evidence of the transition of Web Services from a set of much talked about standards into real-world deployment.

1. Introduction — up front and personal

In many everyday transactions, the first thing you have to do is to prove that you are you. This is not as simple as it first appears.

1.1 Identity theft — the crime of the century?

Successful crime is copied. Identity fraud is very successful. In 2002, the Home Office estimated identity fraud cost the UK £1.3 billion and it is predicted to get much worse. Trials of chip and pin credit cards are under way in Northampton in an attempt to reduce credit card fraud. Perversely, chip and pin will give a big boost to identity fraud. Chip and pin will make the skimming of cards very difficult, hence fraudsters will apply for cards in other people’s names, rather than stealing or copying them.

1.2 But who am I?

There are three categories of identity:

• attributed identity includes your parents’ names and your place of birth,

• biographical identity includes your interactions with society as recorded in public and private databases,

• biometric identity includes your unique physical characteristics such as fingerprint, voiceprint, iris pattern and facial geometry.

Identity is built on documentation. The problem is that these documents are relatively easy to obtain or forge. Recently, the BBC journalist Paul Kenyon obtained a provisional driving licence in the name and details of Home Secretary Blunkett. Kenyon also applied for and received credit cards in the name of author Frederick Forsyth, whose book, Day of the Jackal, exposed the major weakness in the issuing of UK identity documents thirty years ago. Kenyon demonstrated that the system was still vulnerable.

No one company has the resources to stop identity fraud. The credit reference agencies hold gigabytes of data on our financial transactions, but in cases of identity fraud, credit checks verify the identity of the victim, not the real applicant.

This paper suggests an inclusive approach, to mobilise businesses, government and citizens, into tackling identity fraud.

On the Internet no-one knows you’re a dog — a well-known 1993 Internet cartoon highlighted the problem with identity (see Fig 1).

Identity verification is a prerequisite to other checks (see Fig 2).

Before checking the background of a teacher or care worker, or a financial institution doing a credit check on a new customer, it is essential to establish with a high degree of confidence that the person is who they claim to be.

The finance and gaming industries are subject to anti-money-laundering regulations. Their customers must provide two proofs of identity and two of domicile when opening an account. Typically, the customer has to post or take in documents such as a passport, a driving licence and two utility bills. The problem is that fraudsters are using fake documents. The current process of checking documents is expensive and is vulnerable to identity fraud.

2. URU — a new, innovative, on-line service

URU is a new, automated, on-line identity-verification service for organisations that need to check that their customers are who they say they are and live where they claim to live (see Fig 3).

With URU, the consumer enters identity information into a business/government Web site or provides it over the telephone to a call centre. Importantly, the consumer gives their consent for their information to be checked to establish their identity. URU receives the consumer’s identity data from the Web site or customer relationship management (CRM) system and performs a series of checks against national reference databases. URU confirms back to the Web site or CRM system that, for each piece of information checked, the item did match, partially matched, or did not match the corresponding reference database record.

2.1 Cross-checking data gives a higher confidence in identity

Confidence in identity verification increases with the number of reference databases checked and the consistency of the cross-matching of each data item (see Fig 4).

The more checks used, the harder it is for a fraudster to succeed — they either have to steal more data or to be more consistent in the data they fabricate. Of course, every large-scale reference database will have some data inaccuracies. URU will help to identify those inaccuracies, enabling the reference database owners to clean the data.
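The cross-matching described in sections 2 and 2.1 can be sketched as follows. This is an added example, not code from the paper or from URU: the matching rule in `compare`, the field names, the report layout and all sample records are constructed assumptions.

```python
from enum import IntEnum


class Result(IntEnum):
    NO_MATCH = 0
    PARTIAL = 1
    MATCH = 2


def compare(supplied: str, held: str) -> Result:
    """Assumed rule: equal ignoring case and spacing is a match;
    sharing at least one whole word is a partial match."""
    a, b = supplied.upper().split(), held.upper().split()
    if "".join(a) == "".join(b):
        return Result.MATCH
    return Result.PARTIAL if set(a) & set(b) else Result.NO_MATCH


def check_database(claim: dict, records: list) -> dict:
    """Score the claim against the best-fitting record of one database."""
    best: dict = {}
    for record in records:
        scored = {k: compare(claim[k], v) for k, v in record.items() if k in claim}
        if not best or sum(scored.values()) > sum(best.values()):
            best = scored
    return best


def verify(claim: dict, databases: dict) -> dict:
    """Per data item, report the result in every database that holds it.
    Only result names are returned; held reference values never leave."""
    per_item: dict = {}
    for db_name, records in databases.items():
        for item, result in check_database(claim, records).items():
            per_item.setdefault(item, {})[db_name] = result
    return {
        item: {
            "by_database": {db: r.name for db, r in by_db.items()},
            "result": min(by_db.values()).name,          # weakest result wins
            "consistent": len(set(by_db.values())) == 1,  # same answer everywhere
        }
        for item, by_db in per_item.items()
    }


def unconfirmed_items(report: dict) -> list:
    """Items that did not fully match in every database checked."""
    return sorted(i for i, r in report.items() if r["result"] != "MATCH")


# Constructed sample reference data (not real records).
REFERENCE_DATABASES = {
    "electoral_register": [
        {"name": "Alex Example", "address": "1 Sample Street", "postcode": "ZZ1 1ZZ"},
        {"name": "Sam Placeholder", "address": "2 Sample Street", "postcode": "ZZ1 1ZZ"},
    ],
    "telephone": [
        {"name": "Alex Example", "postcode": "ZZ1 1ZZ", "telephone": "01632 960001"},
    ],
    "dvla": [
        {"name": "Alex Example", "date_of_birth": "1970-01-01",
         "driving_licence_number": "EXAMP701010AE9ZZ"},
    ],
}

# A consistent claim, and one where public details are right but the
# harder-to-obtain items were made up.
GENUINE_CLAIM = {
    "name": "alex example", "address": "1 Sample Street", "postcode": "zz11zz",
    "telephone": "01632960001", "date_of_birth": "1970-01-01",
    "driving_licence_number": "EXAMP701010AE9ZZ",
}
FABRICATED_CLAIM = dict(GENUINE_CLAIM, telephone="01632960999",
                        date_of_birth="1971-02-02",
                        driving_licence_number="EXAMP702020AE9ZZ")

if __name__ == "__main__":
    for label, claim in (("genuine", GENUINE_CLAIM), ("fabricated", FABRICATED_CLAIM)):
        print(label, unconfirmed_items(verify(claim, REFERENCE_DATABASES)))
```

The fabricated claim passes the electoral register check but fails every item that only the telephone and driving licence records can confirm, which is the effect of adding reference databases that the section describes.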

2.2 Easier implementation using Web Services

The URU service required a low-cost and simple way to connect the many Web sites, CRM systems and front-office systems to URU and to enable end-user credentials to be verified against disparate reference databases (see Fig 5).

Web Services were chosen as the underlying technology for URU for a number of reasons. Web Services offer a widely supported and simple mechanism making URU easier to integrate with new and existing applications. This reduces the complexity and costs of connecting to the URU service and ensures that it not only is technically available to a large number of potential customers, but also has a reduced initial set-up cost compared to many other approaches.

Fig 1 The identity problem. [Cartoon captioned “On the Internet, nobody knows you’re a dog.”]

Fig 2 Establishing identity is problematic. [Diagram with identity verification at the centre, surrounded by: entitlement card, benefits, care workers, access to data, teacher checks, telesales, Web sales, protect children, reduce fraud, driving licence, passport, digital certificate, issue proofs of identity, betting, bank accounts, reduce money laundering, privacy.]

Since data will be interrogated and provided by a wide range of organisations that internally use a diverse range of platforms and systems, it is sensible to make use of the open-standards-based distribution model that Web Services provide.

Besides the external benefits that Web Services deliver, internal functional modules, such as registration and billing, can be designed and implemented quickly and flexibly.

2.3 URU has significant benefits

For banks and other organisations, URU offers major benefits:

• significantly reduces the cost per transaction by removing the need to check paper documents in the majority of cases,

• reduces fraud and consequential bad debt by catching more fraud up front at the customer engagement stage,

• provides better compliance and easier auditing of compliance to meet the guidelines laid down by the Financial Services Authority and British Banking Association.

For the consumer, the benefits are:

• convenience — no need to take in or post valuable documents,

• less delay — identity can be verified within two seconds,

• no personal data held in the reference databases is disclosed — URU simply confirms that the identity data the consumer provides either matches, partially matches or does not match the identity information in the reference databases,

• consumers will be alerted to the fact when the information they give does not match with the reference databases — consumers can then contact the owners of the reference databases in cases of error,

• consumers have more protection against identity fraud — if they register with URU, they will be told every time their identity is checked by URU.

Fig 3 The URU Web Service. [Diagram: a Web site or call centre CRM passes identifying data (name, postcode, utility information, driving licence data, passport details, telephone, ..., consent) to the URU identity verification Web Service, which checks it against reference databases A to E.]

Fig 4 Cross-matching of data. [Diagram: the data items name and address, name, address, meter number, telephone number, driving licence number, passport number and date of birth are cross-matched against the reference databases electoral register, deaths, telephone (OSIS), MPAN, DVLA, UKPS, CIFAS and shareholders.]

2.4 Proactive anti-identity-fraud measure

Being told every time your identity is checked is a significant benefit for consumers. If it was not you applying to open an account, you can inform the bank or other organisation straight away, stopping the fraud there and then. Traditionally, by the time the consumer becomes aware of identity fraud, it is already a big problem. Victims often take two years to get their financial history back to where it was before their identity was stolen.

2.5 Making URU even better

So consumers have a real reason to want to register with URU. When they register, they can provide additional identity information, including a biometric identity.

If banks and other organisations are to rely on and value checks against this additional, volunteered information, the process of registration has to be rigorous. Registration must ensure that the person really is who they claim to be. High cost and inconvenience rules out a face-to-face registration, leaving remote registration as the only practical option. The remaining part of this paper looks at how this might be done.

Fig 5 The URU Web Services interface. [Diagram: customers (retail banks, government, retailers, gambling, ...) acting for the consumer/citizen call the URU Web Service interface, which is operated by GB group and draws on examples of potential data suppliers (DVLA, revenue, UKPS, council tax, credit rating, ...). Interface inputs: customer number, transaction type, databases to be checked, customer agent reference, consumer provided data. Output: match results, audit number.]

3. Voiceprints

URU has chosen voiceprints as the preferred biometric for two compelling reasons:

• voiceprints can be registered remotely,

• voiceprints can be checked remotely.

All biometrics have their strengths and weaknesses [1], but none is foolproof. They all depend on optimising the ‘false accept’ and ‘false reject’ parameters. With URU, the biometric is just part of the overall checking undertaken to verify identity — it is not the sole check.

3.1 Rigorous, remote registration

Two levels of registration have been defined for URU. Self-registration is where consumers are given a full cross-check of all biographical identity data held about themselves in URU. Endorsed registration is where consumers ask someone who knows them to confirm that they are who they claim to be.

3.2 Self-registration

The first step starts with the consumer accessing the secure Prove-URU Web site and selecting the self-registration option (see Fig 6). The secure socket layer (SSL) protocol encrypts the dialogue preventing eavesdropping.

A Web page describes the process, making clear the purposes for which the data will be held and warns that it is an offence to assume a fictitious identity or the identity of another person for the purposes of fraud or deception. On acceptance of the conditions, the consumer is then sent and completes the identity verification Web form. URU verifies the identity data and if it matches the reference data, the consumer is provided with a one-time number to be used in step 2 (see Fig 7).

Fig 6 Self-registration — step 1. [Diagram: consumer, URU Web site, URU identity verification Web Service, reference databases A to E. Steps: the consumer goes to the URU Web site and enters preferred language, name, postcode, date of birth, utility information, driving licence data, passport details, telephone number, ...; the consumer gives consent; URU verifies identity; URU provides a one time number.]

Fig 7 Self-registration — step 2. [Diagram: consumer, URU IVR, URU identity verification Web Service, reference databases A to E, voiceprints. Steps: the consumer calls the self-registration line from home and enters the one time number; URU checks CLI; the consumer enters date of birth; URU checks DoB; URU says reference words; the consumer repeats the words; URU stores voiceprints and sends the consumer a URU id number.]

The second step starts with the consumer calling the registration line from their home phone with calling line identity (CLI) enabled (Fig 7). The interactive voice response (IVR) system answers the call and asks the consumer to enter via the telephone keypad the one-time number. The IVR system checks the CLI corresponds to the user for this one-time number and as an additional check asks the user to enter their date of birth. If this is correct, the IVR system then asks the consumer to repeat a number of words. The voiceprints are taken and stored. The IVR system thanks them for registering and tells them that their URU unique number will be sent to them.

The fixed cost of registration is collected from the call to the premium rate registration number.
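The hand-over between the two self-registration steps depends on the one-time number being tied to the consumer's home CLI and date of birth. The sketch below is an added example, not URU's implementation: the class and method names, the eight-digit length, the 24-hour validity window and the three-attempt limit are all assumptions, and voiceprint capture itself is out of scope.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Pending:
    home_cli: str
    date_of_birth: str
    issued_at: float
    failures: int = 0


def _digits(value: str) -> str:
    """Keep keypad digits only, so spacing and punctuation do not matter."""
    return "".join(ch for ch in value if ch in "0123456789")


class SelfRegistration:
    OTN_DIGITS = 8            # assumed length of the one-time number
    TTL_SECONDS = 24 * 3600   # assumed validity window
    MAX_FAILURES = 3          # assumed limit on wrong CLI/DoB attempts

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}    # one-time number -> Pending

    def issue_one_time_number(self, home_cli: str, date_of_birth: str) -> str:
        """Step 1: call only after the Web form matched the reference data."""
        while True:
            otn = f"{secrets.randbelow(10 ** self.OTN_DIGITS):0{self.OTN_DIGITS}d}"
            if otn not in self._pending:
                break
        self._pending[otn] = Pending(_digits(home_cli), _digits(date_of_birth),
                                     self._clock())
        return otn

    def ivr_check(self, presented_cli, keyed_otn: str, keyed_dob: str) -> str:
        """Step 2: return 'enrol_voiceprint' or 'rejected'.

        The CLI is one check among several: the number keyed in must exist,
        be unexpired and unused, and the date of birth must also agree.
        """
        entry = self._pending.get(keyed_otn)
        if entry is None:
            return "rejected"
        if self._clock() - entry.issued_at > self.TTL_SECONDS:
            del self._pending[keyed_otn]
            return "rejected"
        # A withheld CLI (None or empty) can never satisfy the check.
        cli_ok = bool(presented_cli) and hmac.compare_digest(
            _digits(presented_cli), entry.home_cli)
        dob_ok = hmac.compare_digest(_digits(keyed_dob), entry.date_of_birth)
        if cli_ok and dob_ok:
            del self._pending[keyed_otn]      # single use
            return "enrol_voiceprint"
        entry.failures += 1
        if entry.failures >= self.MAX_FAILURES:
            del self._pending[keyed_otn]      # revoke after repeated failures
        return "rejected"


if __name__ == "__main__":
    svc = SelfRegistration()
    number = svc.issue_one_time_number("01632 960001", "01/01/1970")  # constructed
    print(svc.ivr_check("01632960001", number, "01011970"))
```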

3.3 Endorsed registration

When you apply for a passport, you are required to have your application form and photograph endorsed by someone who has known you for some time. The person making the endorsement is rarely contacted by the UK Passport Service to confirm that they made the endorsement.

The ‘endorsed confirmation’ level of URU assurance is the electronic equivalent of the passport endorsement. However, with URU, every endorsement is checked directly with the person endorsing a consumer’s identity.

The consumer has to self-register successfully before applying for endorsed registration.

Step 1 of endorsed registration starts with the consumer accessing the secure Prove-URU Web site and selecting the endorsed registration option (see Fig 8). The user is asked to enter their URU identity number. A Web page describes the process, making clear the purposes for which the data is being held and warns that it is an offence to assume a fictitious identity or the identity of another person for the purposes of fraud or deception. On acceptance of the conditions, the consumer is provided with a search facility where they can find someone who knows them who has already achieved endorsement registration status. The creation of a critical mass of endorsed registrations is discussed later.

Having found someone who knows them, they select the endorser’s name. The Web site generates a one-time number for use in step 2 (Fig 9).

The consumer calls the registration line from their home telephone with CLI enabled. The IVR system answers the call, checks the CLI and asks the consumer to enter via the telephone keypad the one-time number. The IVR system asks the consumer to repeat three words chosen at random from those recorded at self-registration. If the voiceprints match, the consumer is provided with a new one-time number for use in step 3.

URU links the one-time number to the consumer and the selected endorser. URU e-mails the endorser with the consumer’s contact details and tells them to expect a visit or telephone call from the consumer. The endorser is advised to ask questions of the consumer, especially if they are contacted over the telephone.

In step 3 (Fig 10), the consumer either visits or telephones the endorser and provides the endorser with the latest one-time number.

Step 4 (Fig 11) follows the visit or telephone call. The endorser calls a freephone number from their home telephone with CLI enabled. The IVR system answers the call and asks the endorser to enter via the telephone keypad the one-time number.

Fig 8 Endorsed registration — step 1. [Diagram: consumer, URU Web site, URU identity verification Web Service, reference databases A to E. Steps: the consumer enters their URU identity number; URU provides a ‘find an endorser’ function; the consumer selects an endorser; URU provides a one time number.]

The IVR system checks the CLI and asks the endorser to repeat three words chosen at random from those recorded at self-registration. If the voiceprints match, the IVR system confirms the name of the person requesting endorsed registration and asks the endorser to key in how many years they have known the consumer and, on a scale of 1 to 5, how well they know the consumer. The IVR thanks the endorser and updates the status of the consumer to ‘endorsed registration’. It is envisaged that endorsers will not charge their friends for endorsing their registrations.

URU maintains the chain of who has endorsed whom. If any registration is subsequently found to be false, URU will know all related endorsements that are suspect.
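One way to hold the chain of who has endorsed whom and to list the suspect endorsements once a registration is found to be false is sketched below. This is an added example rather than URU's design: the class and field names, the rule of one endorsement per consumer, the reading of "related" as the endorsement received plus everything downstream, and the identity numbers in the sample are assumptions.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Endorsement:
    endorser: str       # URU identity number of the endorser
    consumer: str       # URU identity number of the person endorsed
    years_known: int    # keyed in by the endorser at step 4
    how_well: int       # keyed in by the endorser, scale of 1 to 5


class EndorsementChain:
    def __init__(self, initial_endorsers):
        # Initial endorsers are seeded, e.g. long-standing employees or customers.
        self._endorsed = set(initial_endorsers)
        self._received = {}   # consumer -> Endorsement (assumed: one each)
        self._given = {}      # endorser -> list of Endorsement

    def record(self, e: Endorsement) -> None:
        if e.endorser not in self._endorsed:
            raise ValueError("endorser does not hold endorsed status")
        if e.consumer == e.endorser or e.consumer in self._endorsed:
            raise ValueError("consumer is already endorsed or is the endorser")
        if not 1 <= e.how_well <= 5 or e.years_known < 0:
            raise ValueError("answers outside the permitted range")
        self._received[e.consumer] = e
        self._given.setdefault(e.endorser, []).append(e)
        self._endorsed.add(e.consumer)

    def suspect_endorsements(self, false_id: str):
        """Return (upstream, downstream) for a registration found to be false.

        upstream   the endorsement that vouched for the false registration
                   (None for a seeded endorser)
        downstream every endorsement given by the false registrant, and by
                   anyone whose own status rests on one of those, breadth first
        """
        upstream = self._received.get(false_id)
        downstream, seen, queue = [], {false_id}, deque([false_id])
        while queue:
            for e in self._given.get(queue.popleft(), []):
                downstream.append(e)
                if e.consumer not in seen:   # guard against malformed data
                    seen.add(e.consumer)
                    queue.append(e.consumer)
        return upstream, downstream


def build_sample() -> EndorsementChain:
    """Constructed chain: S1 endorses A and B, A endorses C, C endorses D, B endorses E."""
    chain = EndorsementChain(initial_endorsers={"URU-S1"})
    for endorser, consumer, years, well in [
        ("URU-S1", "URU-A", 6, 4), ("URU-S1", "URU-B", 10, 5),
        ("URU-A", "URU-C", 2, 3), ("URU-C", "URU-D", 1, 2),
        ("URU-B", "URU-E", 8, 5),
    ]:
        chain.record(Endorsement(endorser, consumer, years, well))
    return chain


if __name__ == "__main__":
    up, down = build_sample().suspect_endorsements("URU-A")
    print("vouched for the false registration:", up.endorser)
    print("registrations to re-verify:", [e.consumer for e in down])
```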

4. Creating the first endorsers

In order for ‘endorsed registrations’ to be practical, there has to be a large number of endorsers from the outset. Two approaches are being considered, the known employee process and the known customer process. Both processes are based on additional information being available to increase the confidence level about the first endorsers. In addition, the length of time the employee has been employed or the consumer has been a customer is also a factor.

Fig 9 Endorsed registration — step 2. [Diagram: consumer, URU IVR, URU identity verification Web Service, reference databases A to E, voiceprints. Steps: the consumer calls the endorsed registration line from home and enters the one time number; URU checks CLI; the consumer enters date of birth; URU chooses at random and says three registration words; the consumer repeats the words; URU checks voiceprints; URU tells the consumer a new one time number; URU e-mails the consumer’s details to the endorser.]

Fig 10 Endorsed registration — step 3. [Steps: the consumer calls or visits the endorser; the endorser ensures it is the person they know; the consumer tells the endorser the one time number.]

Fig 11 Endorsed registration — step 4. [Diagram: endorser, URU IVR, URU identity verification Web Service, reference databases A to E, voiceprints. Steps: consumer calls free endorsed registration line from home; enters one time number; URU checks CLI; URU chooses at random and says three registration words; the endorser repeats the words; URU checks voiceprints; URU tells the endorser the requester’s name and address; the endorser confirms identity; the endorser keys in how long and how well they know the consumer; URU thanks the endorser.]

4.1 Creating initial endorsers from known employees

The Times 100 companies and selected government departments would be provided with a voiceprint-based password reset service. Password reset requests represent more than 50% of IT helpdesk calls. Helpdesk costs could be significantly reduced if all password resets were automated, using voiceprints as the authentication method. This is a more secure way than asking for personal data over the telephone or using e-mail.

Employees would self-register with URU. Additional checks are made against their firm’s pay-roll and personnel databases. Self-registered employees that have worked for the company for more than 5 years are automatically upgraded to endorser status. Other self-registration employees are encouraged to go through the normal endorsed registration process.

When an employee wants to reset their password, they telephone a password reset line. URU answers the call and asks the employee to key in their URU identity number and repeat three words chosen at random from those recorded at self-registration. If the voiceprints match, the IVR system resets their forgotten password and tells them the new password.

4.2 Creating initial endorsers from known customers

In this start-up model, URU works with a company that has a reliable customer database of stable customers about which they hold accurate detailed personal data. The company encourages their customer base to register with URU. Customers self-register with URU as described earlier; however, additional checks are made against the company’s database. Self-registered customers that have been a customer for more than 5 years are automatically upgraded to endorser status. Other self-registration customers are encouraged to go through the normal endorsed registration process.

5. Using voiceprints to check identity remotely

Organisations who use the URU service will be able to specify voiceprint checks as well as biographical data checks. The following two scenarios illustrate how remote voiceprint verification works — a consumer calling into a call centre and a consumer accessing a Web site.

5.1 Call-centre voiceprint verification scenario

IVR systems are commonly used to pre-categorise consumers before they are put through to a call-centre agent. One of the menu options could be ‘key 1 if you are registered with URU’. On pressing 1, the consumer is switched into the URU voiceprint checking system (see Fig 12).

URU asks the consumer to enter via the telephone keypad their URU identity number. The IVR system asks the consumer to repeat three words chosen at random from those recorded at self-registration. If the voiceprint matches, URU provides the next available call agent with the consumer’s name and address details together with confirmation that they have passed the voiceprint verification. URU stores the company name and consumer details in the audit trail.

Fig 12 URU call-centre remote voice verification. [Diagram: consumer, customer call centre, URU IVR, URU identity verification Web Service, reference databases A to E, voiceprints. Steps: the consumer telephones the call centre, keys 1 for URU and keys their URU number; URU chooses at random and says three registration words; the consumer repeats the words; URU checks voiceprints; URU passes the call to an agent and confirms the ID, name and address of the consumer; URU logs the verification.]

5.2 Web site voiceprint verification scenario

In this scenario the consumer is trying to open an account and has accessed a financial institution’s Web site (Fig 13). The consumer is asked if they are registered with URU. If they are, they are asked to enter their URU identity number and a telephone number on which they can be immediately contacted.

The financial institution’s Web site makes a Web Services call to URU. URU dials the consumer and asks the consumer to enter via the telephone keypad their URU identity number. The IVR system then asks the consumer to repeat three words chosen at random from those recorded at self-registration. If the voiceprint matches, URU sends back confirmation to the financial institution’s Web site via the Web Service, that the consumer has passed the voiceprint verification.

6. Conclusions

Establishing and protecting identity is an issue that affects us all. In many everyday transactions, you have to prove that you are you. Proving you are you is moving into the electronic age, driven by a cheaper, faster, more reliable and auditable service called URU. Web Services have provided an effective and extensible architecture and delivery model for this highly sensitive and commercially important new service.

Voice is set to become the pervasive, low-cost way of adding a biometric identity check to complement existing checks based on biographical and attributed identity. BT plans to conduct a mass trial of voiceprints as part of the European Union Government User Id for Europe (GUIDE) project.

Reference

1 Rejman-Greene M: ‘Biometrics — real identities for a virtual world’, BT Technol J, 19, No 3, pp 115—121 (July 2001).

Fig 13 URU Web site remote voice verification. [Diagram: consumer, customer Web site, URU IVR, URU identity verification Web Service, reference databases A to E, voiceprints. Steps: the consumer goes to the Web site and enters ID data and a telephone number; the customer wants a voice check; URU calls the consumer; the consumer keys their URU number; URU chooses at random and says three registration words; the consumer repeats the words; URU checks voiceprints; URU sends the results of all checks to the customer Web site; URU logs the verification.]

Chris Gahan holds an honours degree in Mathematics and Computer Science.

He has worked extensively in IT becoming BT’s European IT Manager for Northern Telecom. He has product and business development expertise within the telecommunications and networking industries, specialising in high-speed secure networks and network-based Web Services applications.

He holds a US patent for secure networking, and would welcome email feedback, at [email protected], on the project described in this paper.