A small Canadian company is hoping to take a big bite out of the growing problem of identity theft.

Calgary-based Tygus, Inc. is pushing a technology that’s already signed up more than a million customers at First National Bank (FNB), one of South Africa’s largest financial institutions.

“About 21/2 years ago, another South African bank had a public relations debacle when quite a number of their customers suffered fund withdrawals via the Internet,” says Charl Coetzee, director of product development at Tygus.

The South Africans came up with some smart ways to fight back. One is to have each customer choose a passphrase to access their online banking. Instead of asking for the whole phrase at each log-on, the system requests a randomly chosen part of the passphrase, e.g. the second, fourth and 10th characters. Even if somebody tapped into your connection, or “shoulder surfed” while you typed, they’d only know a small portion of your passphrase.

Another innovative idea is to provide notification to customers when their accounts are being accessed. FNB’s inContact service, launched in August 2002, signals customers each time their accounts are accessed, either by SMS messages on their cellphones or by e-mail. The bank does not charge for the service.

But do you really want to be pestered every time the gas company takes its monthly bite out of your account?

“Customers can tailor the service to meet their individual needs,” says Coetzee. “For instance, notification of transactions over certain amounts can be stipulated, notification during office hours or 24 hours a day can be arranged, and the customer can also select the accounts from which notifications are to be sent.”

He envisions extending this system to warn you whenever somebody uses or checks your identity. So for example, if The Brick requests a credit report from Equifax, you would know about it. This could go a long way toward curtailing identity theft, which, according to the RCMP-sponsored Phonebusters service, claimed more than 13,000 victims in Canada in 2003 for a loss of more than $21 million.

The Tygus technology appears to have a lot of room for growth. “For example, you can compare the location of the credit-card purchase to the positioning information from your mobile phone,” says Coetzee. “These solutions allow for much better pinpointing of suspect transactions than do the current fraud-scanning algorithms of the credit-card companies.”

He realizes that you probably wouldn’t want to spoil the ambiance of a fine restaurant meal with a beeping cellphone message, so initially at least, the notifications would be silent and the purchase would go through whether you read them or not.

Of course, if somebody is trying to buy a boat or a mobile home on your credit card, you might want to know about it on the spot and perhaps even stop them. Adding this “authorization layer” poses big technical challenges but, according to Coetzee, they are not insurmountable. “That’s part of what makes our approach so attractive,” he says. “You can build the solution incrementally, starting with just notification, and with time put layers on top of it, such as authorization, positioning data, even biometrics.”

He’s quick to point out that his company has worked out a way to send you the notification without compromising your privacy, since they will not be storing any of your personal information.

If this is such a great idea, why isn’t it already happening in Canada?

“The issue,” says Coetzee, “is that each bank on its own only covers a limited spread of how your identity can be used. Any solution which only the banks implement is fundamentally limited, and it would be hugely inconvenient if each bank had its own solution. Ideally, what’s needed is a single solution that covers all aspects of your identity.”

Protecting an idea such as this one is challenging. Rather than go for patents, Coetzee says that “for us, the protection lies in specific aspects of this which are really trade secrets. So, for example, we have a way to send notifications without having to store personal information on people.”

He wasn’t aware of any competitors, but I learned of an Ontario-based company that is developing a similar system and plans to unveil it at a trade show called Inside ID in Washington, D.C., Nov. 15-17. And yes, they also claim to have all sorts of proprietary technology, as well as patents pending to help them stake their claim in what could be a multibillion-dollar industry.

Most experts agree that dealing with identity theft is the most pressing issue for banks, credit-card companies and online shopping firms. Getting it right, from a human factors viewpoint, is going to be the first challenge for companies such as Tygus and its competitors. The system has to work, and work well.

The other, perhaps more significant step, will be to get those big players on board. Coetzee says they already have a commitment from a cellphone company interested in lots of newfound messaging traffic. He admits that banks and credit-card companies are notoriously hard to convince, especially about things that might annoy their customers.

This is probably going to turn into a game of “who goes first?” with the banks, credit-card companies and even the government all playing. Our federal and provincial bureaucrats keep important identity data such as passport, driver’s licence and SIN numbers. Coetzee thinks they should take a leadership role in protecting it.

In reality, it will probably take a lot more identity fraud, and screaming consumers demanding solutions, before Canada actually sends ID thieves packing to greener pastures.

Web watch:
www.tygus.com

(Tom Keenan is a professor at the University of Calgary and an expert on technology and its social implications. He can be reached at keenan@businessedge.ca)