When someone says 'get a life', they don't generally mean 'take mine'. But that's exactly what happened to more than 100,000 people in the UK last year.
ID theft - where someone steals the identity of another by conventional and electronic means - has become a huge problem.
According to fraud prevention service CIFAS, the number of cases of identity fraud in the UK has increased dramatically since 1999, when 20,000 cases were reported.
By 2001, this figure had risen to 53,000, and last year it almost doubled again.
The organisation cites Cabinet Office figures suggesting that ID theft cost the UK economy £1.3bn in 2002 - just under one-tenth of the total cost of fraud in the UK.
This is not surprising, given that the top target areas for identity and impersonation fraudsters, as identified by CIFAS, are plastic cards, communications, retail finance, and banking.
Gareth Jones, director of fraud products at customer relationship management company Experian - which runs a service for the victims of fraud in the UK - says 90 per cent of ID fraud is prevented at the point of application.
That raises the question: how can we be sure, given that some ID fraud is presumably never detected?
There are signs that neither companies nor individuals are being as vigilant as they could be when it comes to ID fraud.
Statistics gathered by Experian's service for fraud victims indicate that accounts remained open for an average of 16 months before owners discovered they had been compromised.
High-tech fraudsters use phishing emails to coax account information out of unwitting internet users, but there are other more traditional ways to steal someone's identity.
According to Peter Dorrington, head of fraud solutions at software vendor SAS, many ID thieves will use the Electoral Roll to discover your name, address, and marital status.
Information about parents and birthplaces can be found in genealogy databases, and birth certificates can easily be requested.
Searching through bins is a good way to find old credit card slips and other correspondence to identify your bank, mobile phone account number, or other sensitive information. These documents can often easily be scanned and altered.
While much identity fraud still happens offline, and must be addressed by other means, IT vendors and customers alike are nevertheless working on mechanisms to reduce the opportunity for internet-based ID theft.
One of the most popular movements in this area is federated identity management.
The Liberty Alliance, a consortium including companies such as American Express, American Airlines, Sun Microsystems and Intel, is its key proponent.
Federated identity works on the principle that any friend of company A is also a friend of company B, as long as the two companies have established a trusted relationship with each other.
Theoretically, it will resolve one of the biggest issues for users of the internet: password management. Most people are bad at managing passwords for different online services such as banking, retail, and chatrooms.
Instead, they tend to use the same usernames and passwords for everything, meaning that if one of their accounts is compromised, thieves can easily gain access to everything else.
Federated identity management allows users to retain just one password and username for a group of companies that have established a circle of trust.
Entering those credentials on the web site of any one of those companies results in the exchange of an opaque handle (that doesn't include any of your personal information), which lets one company verify your identity with another.
Vendors are pushing the technology hard. "What you need is a runtime operational model, and it takes an established trust relationship," says Kevin Cunningham, director of identity marketing at Sun Microsystems, which has folded support for the Liberty specification into its server identity management product.
"Liberty as an operating model for federation is definitely a large part of the future."
However, not everyone is convinced that this future is rosy. Chris Wysopal, research and development director at security consultancy @Stake, doesn't think that companies want to be separated from their customers, even by a mechanism that the Liberty group defends as non-intrusive.
"People who are building applications want to have that one-to-one relationship with the customer," he maintains. "They don't want anyone in between."
Building trusted relationships between companies may be a challenge, but Liberty is addressing this by offering advice to implementers in the form of White Papers.
Providing materials and developing the specifications is Liberty's sole role. It is up to member companies to fold the specifications into their systems, as Ping Identity has done.
The company, which sells an open source federated identity management system called SourceID, also operates PingID, a framework supporting numerous federated identity protocols, including Liberty's.
Linda Elliott, network president, says the framework encompasses legal frameworks and agreements to make the creation of trusted relationships possible.
It already has several members, she claims, including a Finnish telecommunications company.
This is important, because telecommunications and financial services firms are likely to pioneer the federated identity movement if it takes off, simply because they are conduits for so many consumer accounts and are generally trusted by customers.
But for now, at least some of the federated identity case studies available are focused on business-to-business use.
Market analyst Burton Group has published a report on Boeing's use of the Liberty system as a means of letting business customers access its range of 'My Boeing Fleet' customer-focused applications through their own portals.
Boeing, which deals with more than 12,000 suppliers worldwide, partnered with Southwest Airlines for the federated identity system.
Under the initiative, customers log onto their own portal and receive an encrypted cookie, which is then fed to a server inside the airline that provides data wrapped in the Software Assertion Markup Language (SAML) - a building block of the Liberty specification that encodes authorisation data.
The SAML data is then sent to the Boeing server, which verifies the data and generates a Boeing cookie for the customer's browser before redirecting the browser to the relevant internal Boeing application.
The benefit is that the user only has to sign on once to their own portal, rather than signing separately to the Boeing server.
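The hand-off described above, together with the opaque handle mentioned earlier, can be modelled in a few lines. This is an added example, not code from Boeing, Liberty or the original article: an HMAC over JSON with a shared demo key stands in for SAML's signed XML assertions, and every class, field and party name is hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key standing in for the trust relationship between the
# two companies. Real SAML deployments sign assertions with XML signatures
# and certificates; HMAC keeps this sketch standard-library only.
TRUST_KEY = b"constructed-demo-key-not-for-production"

class IdentityProvider:
    """The customer's own portal (hypothetical model)."""
    def __init__(self, issuer):
        self.issuer = issuer
        self._handles = {}  # local user name -> opaque handle

    def issue_assertion(self, user, audience, now=None, ttl=120):
        now = time.time() if now is None else now
        # Opaque handle: random, so it carries no personal information.
        handle = self._handles.setdefault(user, secrets.token_hex(16))
        body = json.dumps({"iss": self.issuer, "aud": audience, "sub": handle,
                           "exp": now + ttl, "id": secrets.token_hex(8)},
                          sort_keys=True).encode()
        sig = hmac.new(TRUST_KEY, body, hashlib.sha256).digest()
        return base64.b64encode(body).decode() + "." + base64.b64encode(sig).decode()

class ServiceProvider:
    """The relying application server (hypothetical model)."""
    def __init__(self, name, trusted_issuers):
        self.name, self.trusted = name, set(trusted_issuers)
        self._seen, self.sessions = set(), {}

    def consume(self, token, now=None):
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = base64.b64decode(body_b64), base64.b64decode(sig_b64)
        except ValueError:
            return None                      # malformed token
        expected = hmac.new(TRUST_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None                      # forged or altered assertion
        a = json.loads(body)
        if a["iss"] not in self.trusted or a["aud"] != self.name:
            return None                      # outside the circle of trust
        if now > a["exp"] or a["id"] in self._seen:
            return None                      # expired or replayed
        self._seen.add(a["id"])
        cookie = secrets.token_urlsafe(24)   # the provider's own session cookie
        self.sessions[cookie] = a["sub"]
        return cookie
```

The checks in `consume` (signature, issuer, audience, expiry, one-time use) are the ones a relying server has to make before it issues its own cookie; skipping any of them lets a captured or altered assertion be accepted.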
While organisations such as Liberty look after identity management on the server, Microsoft (notable by its absence from the Liberty member roster) is tackling the client.
The Longhorn Windows client will support the Next Generation Secure Computing Base (NGSCB), Microsoft's attempt to lock down PCs so that they cannot be tampered with by unauthorised software.
Users will be able to secure their personal details in protected memory that can only be accessed by user-authorised software, meaning that legitimate programs can hide data such as credit card details from malicious Trojan horse software.
The best protection against ID fraud is awareness of the dangers, and teaching both staff and customers to be diligent.
The basic steps are very low-tech. For consumers, protecting personal information and thinking twice before giving it out is vital, while for companies, technical wizardry will be useless unless you instigate policies to properly vet customer identity.
Common sense is the best security application of all.
What protection is available now?
There are several technologies available to help protect against identity fraud. The most promising is chip-and-Pin, which began its rollout last October.
Instead of signing a slip of paper when paying by plastic card, users enter a Pin. This avoids signature fraud, while the chip verifies that the card is genuine.
Visa's Verified by Visa initiative is designed to protect online shoppers. Customers access Visa's secure server to create a password that is linked to their card. They can then enter the password to confirm their identity while shopping online with participating suppliers.
Biometric devices make it more difficult for ID fraudsters to use forged or stolen documents. By requesting a fingerprint or iris scan, organisations can be more confident that someone accessing a system is legitimate.
Heathrow Airport has already successfully trialled iris-scanning systems to help identify frequent travellers, and they are to be introduced at other airports by this summer.
BEST PRACTICE IN STOPPING IDENTITY FRAUD
- Enforce password policies
Left to their own devices, users often opt for the simplest, easiest-to-crack passwords. Enforcing minimum character lengths and suggesting changes at set periods can help keep password thieves on their toes.
- Look for suspicious activity
Depending on the nature of your business, it may be possible to spot abnormal activity on accounts and check with customers to verify their actions.
- Watch your rubbish
Bin divers target company bins just as readily as consumer rubbish, looking for personal information. Invest in a shredder to properly protect discarded documents.
- Tighten customer verification
There is no point employing identity protection at the back end unless you take the trouble to check details on customer applications for new accounts.
- Issue guidelines
Customers and employees alike are often unaware of the dangers. A best practice guidebook can help them to look after their identities.


