
Identity Theft: Can it be Stopped?
With the mushrooming of online business activities, there is an increasing risk of loss of personal information on the World Wide Web
Thursday, May 21, 2009

Personally identifying information (PII) in digital form is the lifeblood of the Internet age. Because individuals, organizations, businesses and governments have been willing to trust service providers with such PII, the past decade has seen a tremendous variety of new uses for the Internet. Access to PII has helped fuel explosive growth in e-commerce and e-gov applications as well as various online communities. Online banking and investing services, travel and shopping websites, electronic filing of tax returns and license renewals are all examples of how the Internet is enabling economic opportunity, efficiency and personal convenience in addition to offering countless other benefits.

How would one define the word identity? In the case of work / business, it may be the employee number or date of birth, online user name, MAC address, IP address, IMEI number, etc. In the case of government, it may be the passport number, income tax permanent account number, driving license number, etc. These attributes make up our identity, and an attribute is unique when it alone is enough to identify us in a given situation. It is personal to us. Impersonating someone's personal identity/PII in the online digital world is a crime commonly known as online identity theft. Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle growing volumes of PII and use it in more diverse ways.

Broadly, tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End Trust, giving people more usable information about whom and what to trust online by building the infrastructure required to help evaluate the people, devices, software and data that make up the Internet. So you need to look at near-term tactics for mitigating online identity theft. A longer-range strategic vision is also needed for fundamentally addressing the issue with regard to how people assert their identity on the Internet, and how such identity claims are verified by other parties during an online interaction or transaction.

Mitigating the Theft
In addition to building anti-phishing, anti-spyware and anti-malware features and other security tools into its products, Microsoft works collaboratively with governments, the IT industry, business partners and customers to help reduce identity theft. Based on this work, we have identified some core principles for helping consumers safeguard their identity from being misused, helping organizations protect PII entrusted to them and discouraging potential criminals from attempting identity thefts.

In order to authenticate users, online merchants and financial institutions typically use a challenge, such as asking for a username and password, to make sure that the user is allowed to access an account or conclude a transaction. However, the reverse is typically not true: consumers do not have a means to ask website providers to prove their identity. While it is possible for a website to prove its authenticity by obtaining an Extended Validation (EV) certificate, which requires investigation of the site by a reputed certificate authority, these certificates are still in the gradual process of being adopted broadly. Typically, the most that consumers can do is visually inspect the site to see if it looks genuine. But increasingly sophisticated thieves are creating spoofed pages that appear virtually identical to those of an authentic website. In the short term, consumers need better tools to identify signs of possible fraud.

Information Cards

Microsoft has worked with a variety of other organizations to create a system based on Information Cards.

These cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone. They are analogous to tangible cards in a person's wallet. A digital Information Card issued by one entity can be used to verify the card owner's identity with another entity, as long as the card includes the necessary data.

Most websites that manage access to private information use the shared secret technique to protect that access. A shared secret is something that only the user and the website know, such as a username and a password. It can also be private data the user chooses to share with the website, such as a credit card number. While this approach makes it convenient for merchants, banks and government agencies to identify users, it also creates incentives and opportunities for identity thieves. One of the most basic steps consumers can take is to avoid reusing passwords out of convenience and instead create different passwords or pass phrases to access each individual website or online system. Another helpful precaution is to create strong passwords that contain not just letters but also at least one numeral and one symbol (such as &, * or @). This approach is not effective for warding off phishing attacks but is useful in other situations.

Many identity theft incidents still occur through offline methods such as dumpster diving, robbery and deception. This is a complex problem that is best addressed collaboratively by law enforcement, government, educational and financial institutions, civic organizations, businesses and the technology industry. It also requires heightened consumer awareness, responsible business practices, effective law enforcement and appropriate legislation, along with support from leading edge technology products.

The large databases of personal information maintained by merchants, financial institutions and information brokers are a tempting target for identity thieves. Data leaks can occur in a number of ways, including lost or stolen computers, access to data under false pretenses by a rogue client, a security breach from outside or an inside job.

Protecting Personal Information
It is important to educate consumers and help them make informed judgments about disclosing private information, to promote responsible data governance practices among organizations and to punish those who commit identity theft crimes. But an even better approach to enhancing security and privacy is to reduce reliance on shared secrets such as usernames, passwords and government ID numbers to establish the right to do something online. In addition to being relatively easy to steal, these can be difficult to remember, update and manage. We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse, ones that leverage technology to give end users more direct control over their digital identities. Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.

We need to analyze this problem in depth, at both a policy level and a technical level. Also, we should enable a system whereby users or electronic systems can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and trust establishment online. This type of system defines new identity practices for the web.
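The minimum-claims idea above, sketched as an added Python example (not from the article, and not Microsoft's Information Card or U-Prove design): an issuer commits to each claim with a salted hash, so the holder can disclose one claim and keep the rest hidden. The claim names, sample values and function names are constructed, and an HMAC stands in for the issuer's public-key signature.

```python
import hashlib, hmac, json, secrets

# Assumption: HMAC with a demo key stands in for the issuer's public-key signature.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample identity; none of these values come from the article.
CLAIMS = {"name": "A. Example", "date_of_birth": "1980-01-01",
          "over_18": True, "passport_no": "X0000000"}

def _digest(name, value, salt):
    # The random salt stops a verifier from guessing hidden low-entropy claims.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _tag(digests):
    return hmac.new(ISSUER_KEY, json.dumps(digests).encode(), hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: commit to every claim with its own salt, then authenticate the digests."""
    salts = {n: secrets.token_hex(16) for n in claims}
    digests = sorted(_digest(n, v, salts[n]) for n, v in claims.items())
    return {"digests": digests, "tag": _tag(digests)}, salts

def present(card, claims, salts, wanted):
    """Holder: reveal value and salt only for the requested claims."""
    return {"card": card, "disclosed": {n: [claims[n], salts[n]] for n in wanted}}

def verify(presentation, required):
    """Relying party: return the verified claims, or None on any failure."""
    card = presentation["card"]
    if not hmac.compare_digest(_tag(card["digests"]), card["tag"]):
        return None  # card was not produced by the issuer
    verified = {}
    for name, (value, salt) in presentation["disclosed"].items():
        if _digest(name, value, salt) not in card["digests"]:
            return None  # disclosed value does not match an issued commitment
        verified[name] = value
    return verified if set(required) <= set(verified) else None

if __name__ == "__main__":
    card, salts = issue(CLAIMS)
    shown = present(card, CLAIMS, salts, ["over_18"])
    print(verify(shown, ["over_18"]))
```

Because the same digest list and tag appear in every presentation, relying parties could still link them; this sketch covers minimal disclosure only.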

Tackling Insider Jobs
Establishing a framework for issuing and using more trustworthy digital identities on the web also requires protections against inside job identity theft, whereby a person working inside a government or a bank creates identities in the first place, gains access to someone's information associated with the Information Card or creates fraudulent Information Cards. Microsoft is working to tackle insider threats through a technology called U-Prove. U-Prove employs cryptography to safeguard the data needed for a transaction while preventing systems from being able to pull together information about users from various sources. Such linking of information across sources is a significant risk to privacy because the more pieces of data a criminal has about an individual, the more easily the criminal can take control of that person's identity. The use of U-Prove can help reduce a criminal's ability to steal identities by accruing various pieces of information over time. It is possible to make the Internet safer for consumers and families, and therefore make it reliable for individuals, businesses and governments.

Sanjay Bahl
The author is chief security officer, Microsoft
