Produced in association with YOTI
Enter the Ejit – like Enter the Dragon with neither the Kung Fu nor the intelligence!
I will hold my hands up from the start. When it comes to smart phones and digital technology, I have a skill level somewhere between inept and pre-Neolithic. My cell phone (nobody says cell phone anymore, Sanny –Ed) has gone full circle and may kindly be referred to as both retro and a feature phone.
I can text and talk to folk with it and, err, that is pretty much the extent of it. Apps? APPS? Cue maniacal laugh and shaking of head. Even my eight year old daughter is savvier than me when it comes to working a smartphone. However, when it comes to information security and protecting your online identity, I have to admit to having been a (whispers it) Finance and IT Director in a previous life. Which is probably why Mark at the mag thought I was the perfect candidate to try out the new identity app which has been developed by Yoti.
As he so kindly put it “Sanny. You’re a bit of an idiot when it comes to smartphones but you know your onions when it comes to protecting data. If you can work the app, anyone can!” I believe that they call this being damned with faint praise. No matter. With a borrowed smartphone in hand (just don’t tell the wife), I was ready to test Yoti’s not inconsiderable claim as to having solved the age old problem of easily proving your identity online and checking those of other people.
But isn’t this a bike website?
But just why should you care about this? Isn’t this a cycling website? What the hell has this got to do with bikes? Read on, dear reader and I will tell you a story about a chap we shall call Chris (That’s his name. You’re meant to change someone’s name for these types of stories! – Ed) Now Chris is your typical reader of Singletrack and like so many of you, he decided to dip his toe into the world of the classifieds.
Seeing a bike he liked on the classifieds for a reasonable price, he decided that he wanted it. After a bit of back and forth over email, he transferred a couple of hundred quid to the seller and waited for his new pride and joy to arrive. And waited. And waited a bit more... until eventually, no bike appeared and the seller had gone dark on him. No money, no bike, no happy.
With a bank that couldn’t care less, Chris had been the victim of a classic scam. Unfortunately, not everyone in the online community is trustworthy as Chris found out to his cost. Now normally, that would be the end of it but not for Chris. He was going to take on the scammers and hit them where it hurts. Balls? Err, no, their pockets.
By happy coincidence, it was at this time that Chris was approached about a role with Yoti. Never heard of them? Neither had I but having spent some considerable time familiarising myself and using their online identity app, I reckon that is about to change and the heat is going to be well and truly turned up on the online scammers. For the little guy and gal, this could be a bit of a game changer.
So who are Yoti and just what is the Yoti app?
Yoti or Your Own Trusted Identity is a start-up organisation born out of the desire to solve a real world problem that has the potential to impact on any online user at some time in their life. Funded by the founders of Gamesys, Yoti don’t strike me as your typical dot com start-up where it’s all about the money. At the heart of the organisation’s purpose is a strong social ethic that doesn’t conform to the economic norm of money being the primary driver.
With some 190 employees working from their base in that there London, Chris is typical of their team. With a background of having worked for JustGiving, he gives the impression of someone who enjoys his job as he sees it making a positive difference to people’s home and work lives. At the heart of Yoti is an app that allows you to prove to other individuals, businesses and organisations that you are who you claim to be.
Take a moment to think about that and the problems it could help address. Just how many would-be classified scammers do you think would be willing to share their true identity with you if you could easily identify them? Or say you are going on an internet date, how can you be sure that the person you are meeting is who they say they are? Or if you meet someone online, how can you make sure that they aren’t some creep who thinks grooming isn’t just for pets?
Or how about you want to be served in a bar or nightclub but don’t have photo id with you? Or you want to buy alcohol at a self-service till in a supermarket but don’t want to be fifteenth in line behind the fellow customers with unexpected items in the fecking bagging area…..aaaaaaand breathe.
So simple even an idiot like Sanny can use it?
Having gotten the permission of a responsible adult (thanks Ginger!) to use their iPhone, I was ready to see just how easy Yoti is to use. Installing the app was achieved in a matter of seconds with only a couple of swipes. First task achieved. The next step was to figure out how to take a selfie. Fortunately, my on-site tech support expert (my eight year old daughter) was on hand to help me work out what buttons to press.
Next step – verify my phone number. I even managed that one on my own. They say self-praise is no praise but who cares! Well done me!
Now on an unstoppable technological roll, I then chose a five digit access code. This works as a log in to Yoti over and above a normal password or thumbprint control to unlock the smartphone that the account is linked to. In effect, to access my Yoti account, someone would have to steal my phone, unlock it and then enter the access code to unlock my account.
Unless you are like someone I know (who shall remain nameless to save their blushes) who writes their passwords on the back of their phone in case they forget them, it’s going to be extremely difficult for someone to access your Yoti account from your smartphone without your permission. They also have a fingerprint option for those of you with one of those fancy phones with fingerprint recognition.
What next you ask? Simples. A video of myself saying three random words to camera. Steven Spielberg beware. At this point, my devious mischief side kicked in and I contemplated using a picture of someone else to see if I could fool the system into creating a fake id. However, given that I had to speak three prompt words on the video, no photo was going to fool Yoti (and no fool was either! – Ed)
By this point, I was reaching tech guru status. I was beginning to feel like Bill Gates on a Berroca binge. I was living the tech dream. Was there no end to my awesomeness? Well actually there was and I met my Waterloo in the shape of the passport optical character recognition scanner. As hard as I tried to line up my passport with my phone for it to be scanned, I proved to be singularly useless. Just when I thought I had it….nothing.
I was Nul Points Sanny in the Yoti Eurovision contest. I knew it was too good to be true. It’s like following the Scottish football team. It’s the hope they give you that I can’t stand. But wait, what’s this? You can take a photo instead. Brilliant! I was back in the game with a last minute winner. Speaking to Chris, he acknowledged that their Optical Character Recognition software is constantly being developed and improved. For dumbasses like me, there is an automatic time out that results in the photo option being offered automatically.
A couple of weeks later, I went back to try again. True to his word, Chris was right about the tech being constantly developed and approved as I was able to scan my passport first time.
Keen to see how it worked with my driving licence (you only have to add one form of photo ID), I am happy to report that it worked a charm. My general klutzery had been but a minor blip in my quest to create my online identity. And with that, I was good to go. Engaging the assistance of a friend who specialises in data security, we played about with the sharing data functions and to be blunt, they just worked. No fanfare. No razzmatazz. Just plain old fashioned worked.
Thinking back to Chris’s unfortunate encounter with a scammer, it became immediately apparent to me how much harder it would have been for this to happen had Yoti been employed. Putting myself in his shoes, what would I have done using Yoti? First off, I would have decided what information I wanted to share. Perhaps my verified name and photo of myself. The seller wouldn’t need to know my age or where I lived but I could share that too if I really wanted to.
One of the benefits of sharing a photo is that we would know what each of us looked like in order to exchange cash for product. No need for a carnation in my lapel, a copy of the FT tucked under my arm and my bowler hat worn at a jaunty angle!
Given the choice, would you rather embrace the tech and buy or sell with someone who can prove they are who they claim to be and have been verified by a third party or would you prefer to take a chance with user “chatroomgroomer-ripoffmerchant”? As someone who still has a Betamax video recorder (ask your dad), I know which I would rather do (assuming Ginger lets me still borrow her smartphone!)
Hang on, what happens to all the data?
Convinced yet? Yoti is a great idea but I still had lots of unanswered questions. If, like me, the idea of sharing ID data makes you squirm uncomfortably in your seat then you’ll understand why I pressed Chris hard on what happens to the personal data when it is uploaded.
How do you verify a person to their scanned documents?
We run a series of automated checks on the document to detect fakes and then use facial recognition technology to match the selfie of the user to their photo ID. Our human security team of super recognisers then run additional checks on both the document and matching the face to the photo ID. Super recognisers are people that have an innate skill of recognising people – very few people are able to do it and they have to pass a series of tests before being offered the role. If you fancy doing the test get in touch with hello@yoti.com.
How is the data stored?
The data is separated into separate attributes (i.e. name, DOB, address etc.) and each attribute is encrypted with a separate cryptographic key. We use AES256 bit encryption for anyone in the know. That data is then stored separately in our Tier 3 local data centres. There are no ‘user profiles’ stored in the database. Just individual attributes that cannot be associated with each other. The images of the documents are not stored. The cryptographic keys needed to access your data are stored on your device. Nobody else has access to them.
If you were subject to a successful web attack, what data could be compromised?
For example, could a hacker walk away with thousands of driving licence or passport images?
There are no images of documents stored in the database once your account has been verified. If they hacked our data centres (no mean feat!) and were able to beat the AES256 bit encryption, they would only be able to decrypt random single attributes and have no way of linking them all together. They might get a name, a date of birth or a person’s address. All are meaningless in isolation. I should say that even decrypting those single attributes would be EXTREMELY difficult… The only way of uniting the ‘attributes’ is by having the keys and those are on your device.
What level of pen testing do you undertake?
(Pen testing being a targeted attack to break into an organisation’s computer systems)
We have had two independent pen tests already and have also had more unconventional pen testing from hacker groups who we offered a bounty to. Nothing was breached. We will also be opening ourselves up to more bounty programmes in the future and holding more pen tests. Security is our utmost priority here at Yoti!
Do you share data with outside organisations?
No. Only the user can share data so they may well choose to share their data with an organisation that uses Yoti. But we have no ability to do so.
Do you verify data and images to any non-user supplied sources?
We run checks on addresses with approved identity providers. We use Call Credit. This means you may see a ‘check’ on your credit report but it will not have any impact on your credit score.
If I wanted to share scanned images of my passport with another user, could I do that? Should I?
No and no we don’t believe people should. It is a feature some users and businesses have asked for so we may at some point in the future allow people to do something like this, but we encourage people to share as little data as possible and do not think you should ever disclose that much sensitive data if you don’t have to.
If Yoti folds, what happens to the data?
The user will be able to move their data to another identity provider or delete their data.
Can Yoti operatives access all of the data?
Basically, what controls are in place to prevent a rogue employee accessing and using data for illegal purposes?
No. Yoti staff can only see the data when they need to verify it and only our security team, who are based in a ‘clean room’ can see the data. All staff are required to leave their personal devices outside of the clean room before entering. There is a seven day period when the security team can view the data to review (if any issues etc.) after which nobody can access the data.
Do you plan to use anonymised data to create ad revenue streams?
No.
What happens if a user wants to delete their account?
They simply go to settings and delete their account by taking a selfie (to make sure Yoti knows it’s them deleting the account).
How will the passport scan be improved in the next iteration?
We are constantly working on improving the app. OCR (optical character recognition) is very hard to do on such a wide variety of documents but we’re always working hard to improve. In the next release there will be a shorter period of time before the user is prompted to take a picture if they are struggling with the OCR. And as more people use the app our algorithms will improve.
Can you envisage the scanned passports being used at passport control or driving licence scans for presentation at a police station?
Not scanned passport images no – because we don’t hold them. But border control may decide that Yoti offers them enough confidence that they are a legitimate passport holder and likewise the police for Driving licences. We are constantly talking to regulators and government bodies to see how we can help improve the way people prove their ID in a more secure fashion – it’s a case of watch this space.
What do, for example, nightclubs see when they use Yoti to check identity and age?
Depends what the nightclub requires. It is usually name, photo and date of birth. We would like to restrict it to simply over 18 but at the moment nightclubs are asked by licensing to ask for more info.
Is it possible to link Yoti to tablet devices?
Not yet because you need a phone number to verify you’re the rightful owner of the device.
Yoti is free for users to use. What does it cost businesses to use Yoti?
It costs businesses around 30p to verify identity details e.g. name, photo, DOB. If they are using it simply for age verification, it is considerably lower. And if they are using it for anonymous login it’s fractions of a penny. In fact we let websites with fewer than 100,000 monthly users use our biometric login tool free of charge.
What makes Yoti better than anything else on the market?
Yoti is not really like anything else on the market. There are some products that businesses can buy and embed into their systems to take selfies and scan documents but this means the user needs to do this on each service. With Yoti, if a site accepts Yoti, the individual can prove their details in seconds. No need to enter any information, scan any documents etc because they’ve already done it once. Yoti gives you a digital identity you can use time and time again in different places. Online and offline.
In some ways, Facebook is a competitor with their Facebook Connect service. But Yoti will offer verified identity vs Facebook’s self-verified attributes. But critically we keep the user in control of their identity and let them choose what data they share. We don’t mine it. Because we can’t. We don’t sell it. Because we can’t. Businesses do pay us to check you are real and legit, but you always know exactly what data you’ve shared and who with.
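The storage design Chris describes in the answers above on how data is stored and what a breach would expose, sketched as an added example that is not Yoti's code and not part of the original interview: each attribute gets its own AES-256 key and a random locator, and only the device holds the index that ties them together. The locator scheme, the use of GCM mode, and all names and sample values are assumptions made for illustration.

```javascript
// Added illustration; not Yoti's code. The locator/index layout is an assumption.
const crypto = require('node:crypto');

// Server side: a flat blob store. No user id, no attribute name, no profile row.
const serverStore = new Map(); // locator -> { iv, tag, ct }

// Encrypt one attribute under its own fresh AES-256-GCM key.
function storeAttribute(value) {
  const key = crypto.randomBytes(32);   // per-attribute key, never sent to the server
  const iv = crypto.randomBytes(12);
  const locator = crypto.randomBytes(16).toString('hex'); // random, carries no meaning
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  serverStore.set(locator, { iv, tag: cipher.getAuthTag(), ct });
  return { locator, key };              // kept on the device only
}

// Device side: build the only structure that ties the attributes to one person.
function enrol(attributes) {
  const deviceIndex = {};
  for (const [name, value] of Object.entries(attributes)) {
    deviceIndex[name] = storeAttribute(value);
  }
  return deviceIndex;
}

// Decrypt a blob; returns null when the key does not match (GCM tag check fails).
function openAttribute(locator, key) {
  const rec = serverStore.get(locator);
  if (!rec) return null;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Everything readable by someone holding a copy of the store plus ONE leaked key.
function readableWithKey(key) {
  return [...serverStore.keys()]
    .map((loc) => openAttribute(loc, key))
    .filter((v) => v !== null);
}

// Constructed sample data, not a real person.
const device = enrol({
  name: 'Alex Example',
  dob: '1980-01-01',
  address: '1 Sample Street',
});
```

In a layout like this, ciphertext length and write time can still correlate records that belong together, so padding values to a fixed size and decoupling write times are worth checking in any real deployment.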
So is Yoti for you?
I have had ample opportunity to play about with the app and to dig deep into how my personal data is stored and how it can be shared. Chris has been nothing but open with me and has answered all of the questions which I have asked him. Having been responsible for data protection and computer security in a previous life, I am keenly aware of how sensitive people’s personal data is and the consequences of data being lost or stolen. The Information Commissioner can impose hefty fines on organisations that suffer a data breach but to be blunt, at that point the horse has already bolted and protecting it in the first place is key. Yoti clearly understand this.
Despite my gadget phobia, Yoti was easy for me to use and I found myself contemplating the various uses it could have in the real world. For readers of this illustrious publication, the most obvious application would be when using the Classifieds. Being able to exchange details with the person you are dealing with, whether as a buyer or a seller, has obvious benefits not least of which is that it reduces the likelihood of you being ripped off.
So over to you, the good readers of Singletrack. What do you think? Try it out and share your experiences with fellow readers. If a complete technophobe like me can easily work it, imagine just how easy it will be for you to use!
Disclosure
This article was produced in association with YOTI. Find out more about YOTI on their website
Comments (6)
Very interesting…..
This is cool. I can imagine it being used as an IDP for all sorts both commercially and in everyday life. Bet they get bought out pretty soon.
Hmmm. Some years ago I posted on the Forum about my experience with Aviva insurance company. The same day that I was involved in a car accident saw my details being passed to a claims management company who telephoned me every single day for a year. Aviva denied all responsibility for this despite my taking it to CEO level and kicking up a fuss, also reported it to the Financial Ombudsman. Several weeks later a story broke in the national news about an Aviva employee stealing customers’ details. Aviva maintained there was no connection and treated me as stupid.
So … should security cameras be watching all employees involved in handling personal data? Because as long as dishonest employees are able to scribble on pieces of paper/make entries on their mobile/covertly use recording device then no system will be foolproof.
Those are really good points cinnamon girl.
Having looked at Yoti in detail wearing my day job audit and governance hat, several factors distinguish them from the likes of Aviva. Aviva is a massive organisation which adopts the call centre model of transient staff paid not much more than minimum wage. People come and go regularly in such an environment. As such, the scope for abuse is definitely higher. Yoti have only some 150 employees and their bread and butter is data security. As you will see from the piece, they don’t allow any mobile device to be used in their clean rooms and all their security team are carefully vetted. They don’t sell or pass on any data to third parties.
I guess the big question is would I be happy to use Yoti and am I confident in their security measures? This may be a sponsored piece but if I wasn’t happy, I wouldn’t have written it and would have walked away from it. Yoti have genuinely impressed me with their security. Nothing is foolproof but in my professional experience, I genuinely struggled to find fault with their approach.
Hope this helps?
Cheers
Sanny
Unless it is official government, I’m not trusting them.
Oh wait… hey ho!
So is this an advert or an article?
Definitely an article. The clue is in the sponsored heading. While sponsored articles are paid for, editorial control rests with editorial. The words and opinions are definitely all my own and I haven’t written it in any way differently from a non sponsored piece. The look, feel and content of adverts are created by and owned by the advertisers. Not so with sponsored pieces.
Hope this makes sense?
Cheers
Sanny