
Identity Theft: Can it be Stopped?

DQI Bureau

Personally identifying information (PII) in digital form is the lifeblood of
the Internet age. Because individuals, organizations, businesses and governments
have been willing to trust service providers with such PII, the past decade has
seen a tremendous variety of new uses for the Internet. Access to PII has helped
fuel explosive growth in e-commerce and e-gov applications as well as various
online communities. Online banking and investing services, travel and shopping
websites, electronic filing of tax returns and license renewals are all examples
of how the Internet is enabling economic opportunity, efficiency and personal
convenience in addition to offering countless other benefits.


How would one define the word identity? In the case of work or business, it
may be the employee number or date of birth, online user name, MAC address, IP
address, IMEI number, etc. In the case of government, it may be the passport
number, income tax permanent account number, driving license number, etc.
These attributes make up our identity, and an identity is unique when a single
attribute is enough to identify us in a given situation. It is personal to us.
Impersonating someone's personal identity/PII in the online digital world is a
crime commonly known as online identity theft. Identity theft is not only a
threat faced by consumers but also a significant concern for organizations as
they handle growing volumes of PII and use it in more diverse ways.

Broadly, tackling identity theft more effectively will require a concerted
investment in what Microsoft calls End to End Trust, giving people more usable
information about whom and what to trust online by building the infrastructure
required to help evaluate the people, devices, software and data that make up
the Internet. So you need to look at near-term tactics for mitigating online
identity theft. A longer-range strategic vision is also needed for fundamentally
addressing the issue with regard to how people assert their identity on the
Internet, and how such identity claims are verified by other parties during an
online interaction or transaction.


Mitigating the Theft

In addition to building anti-phishing, anti-spyware and anti-malware
features and other security tools into its products, Microsoft works
collaboratively with governments, the IT industry, business partners and
customers to help reduce identity theft. Based on this work, we have identified
some core principles for helping consumers safeguard their identity from being
misused, helping organizations protect PII entrusted to them and discouraging
potential criminals from attempting identity thefts.

In order to authenticate users, online merchants and financial institutions
typically use a challenge, such as asking for a username and password, to make
sure that the user is allowed to access an account or conclude a transaction.
However, the reverse is typically not true. Consumers do not have a means to ask
website providers to prove their identity. It is possible for a website to
prove its authenticity by obtaining an Extended Validation (EV) certificate,
which requires investigation of the site by a reputed certificate authority,
but these certificates are still in the gradual process of being adopted broadly.
Typically, the most that consumers can do is visually inspect the site to see
if it looks genuine. But increasingly sophisticated thieves are creating
spoofed pages that appear virtually identical to those of an authentic website.
In the short term, consumers need better tools to identify signs of possible
fraud.

Information Cards

Microsoft has worked with a variety of other
organizations to create a system based on Information Cards.

These cards are not physical cards; rather,
they are sets of data pointers that sit on a PC or a mobile phone. They are
analogous to tangible cards in a person's wallet. A digital Information Card
issued by one entity can be used to verify the card owner's identity with
another entity, as long as the card includes the necessary data.


Most websites that manage access to private information use the shared
secret technique to protect that access. A shared secret is something that only
the user and the website know, such as a username and a password. It can also be
private data the user chooses to share with the website, such as a credit card
number. While this approach makes it convenient for merchants, banks and
government agencies to identify users, it also creates incentives and
opportunities for identity thieves. One of the most basic steps consumers can
take is to avoid reusing passwords out of convenience and instead create
different passwords or pass phrases to access each individual website or online
system. Another helpful precaution is to create strong passwords that contain
not just letters but also at least one numeral and one symbol (such as &, * or
@). This approach is not effective for warding off phishing attacks but is
useful in other situations.

Many identity theft incidents still occur through offline methods such as
dumpster diving, robbery and deception. This is a complex problem that is best
addressed collaboratively by law enforcement, government, educational and
financial institutions, civic organizations, businesses and the technology
industry. It also requires heightened consumer awareness, responsible business
practices, effective law enforcement and appropriate legislation, along with
support from leading edge technology products.

The large databases of personal information maintained by merchants,
financial institutions and information brokers are a tempting target for
identity thieves. Data leaks can occur in a number of ways, including lost or
stolen computers, access to data under false pretenses by a rogue client, a
security breach from outside or an inside job.


Protecting Personal Information

It is important to educate consumers and help them make informed judgments
about disclosing private information, to promote responsible data governance
practices among organizations and to punish those who commit identity theft
crimes. But an even better approach to enhancing security and privacy is to
reduce reliance on shared secrets such as usernames, passwords and government
ID numbers to establish the right to do something online. In addition to being
relatively easy to steal, these can be difficult to remember, update and manage.
We need to employ new identity practices online that are just as reliable but
better protect against fraud and abuse, ones that leverage technology to give
end users more direct control over their digital identities. Instead of
requiring users to produce personal information to establish their identity, we
should think of personal information as too valuable to be shared directly.

We need to analyze this problem in depth, at both a policy level and a
technical level. Also, we should enable a system whereby users or electronic
systems can present not PII itself, but digital identities containing only the
minimum claims necessary to enable interactions and trust establishment online.
This type of system defines new identity practices for the web.

Tackling the Insider Job

Establishing a framework for issuing and using more trustworthy digital
identities on the web also requires protections against inside-job identity
theft, whereby a person working inside a government or a bank creates
identities in the first place, gains access to someone's information associated
with the Information Card or creates fraudulent Information Cards. Microsoft is
working to tackle insider threats through a technology called U-Prove. U-Prove
employs cryptography to safeguard the data needed for a transaction while
preventing systems from being able to pull together information about users from
various sources. Such linking of information across sources is a significant
risk to privacy because the more pieces of data a criminal has about an
individual, the more easily the criminal can take control of that person's
identity. The use of U-Prove can help reduce a criminal's ability to steal
identities by accruing various pieces of information over time. It is possible
to make the Internet safer for consumers and families and, therefore, make it
reliable for individuals, businesses and governments.


Sanjay Bahl

The author is chief security officer, Microsoft
