Print
Discuss
Send to friend
RSS feedsSome people get socks for Christmas. Others get handkerchiefs. But not Jay Heiser. His wife gave him a replica of a Mesopotamian clay tablet this year. Why? Because the Mesopotamians used them as receipts, an early form of security.
"That receipt lasted 6,000 years," said Heiser, chief analyst at security risk management vendor TruSecure.
In his spare time Heiser studies the history of security, and says that it generally lags behind the development of any new delivery media, be it clay tablets, wood stamps or paper cheques.
Inevitably, someone will develop a fraud that exploits a given medium, meaning that it has to be altered to foil the fraudsters. The medium becomes more secure as it matures.
The problem for today's employees, customers and credit card holders is that modern computers are less than 60 years old, the internet is a long way from its 40th birthday, and the commercial web is only about 10 years old.
Compared with Mesopotamian tablets they are embryonic, leaving lots of loopholes for potential fraudsters.
The unique nature of the internet also gives cyber-criminals some huge advantages, including a potentially massive base of victims, and the ability to defraud without physical forgery. And this has resulted in a rise in identity fraud.
Phishing is a good example. Phishers target a company's customers by email, pretending to be from the service or sales department, and asking for their account details as part of a routine procedure.
Customers who fall for the scam and send their details, assuming that the request is genuine, can suddenly find their online identities compromised.
Anti-spam company Brightmail, which processes about 80 billion emails a month, indicated that half of these are spam, and phishing comprises between two and three per cent of them.
Add other means of identity fraud, such as password theft, rummaging through rubbish for personal information, and social engineering to obtain details over the phone, and it is clear that many people are susceptible to identity theft.
Neil McEvoy, founder of identity fraud consultancy Consult Hyperion, suggested that identity fraud can broadly be prevented at three levels.
You can confirm someone's identity by asking for something they know (such as a password), something they have (such as a smartcard), and something they are (which is where biometric security comes in). The more of these the fraudster can obtain, the better.
"Any two of the three is pretty good, but just one of the three is looking pretty weak," said McEvoy.
A problem can arise when online banks or retailers only ask for the first item. And because customers are human and opt for the easiest route, you'll often find them using the same password and username for many services. Crack one, and in many cases you've cracked them all.
For a time, digital certificates issued using a public key infrastructure (PKI) looked as if they may be the answer. But their identity management potential, where a certificate is held persistently by the end user to prove their identity, still hasn't taken off.
Part of the problem is that PKI is difficult for end users to manage, according to McEvoy. Try getting a digital ID from a third-party certificate authority in Outlook, and you'll instantly rule out a large percentage of non-technical users.
Another problem has been the diversity of certificate authorities, which has generated a fragmented industry. But things are changing.
David Lacey, director of security and risk management at the Royal Mail, believes that PKI's time is nigh.
"The golden age of PKI was always going to be 2004-7," he said. "Unifying companies to use connected, regulated certificate authorities will be one way to propel PKI forward, while another will be the use of smartcards to make things more manageable."
Smartcards are certainly useful as a means of maintaining identity certificates in a corporate context, but they can drain a company's resources if deployed in certain customer scenarios. It would be too expensive for a company such as Amazon to issue smartcard readers to all its customers, for example.
Other technologies that could assist in identity management include federated identity, championed by organisations such as the Liberty Alliance, a consortium of technology and end-user companies that wants to make it easier to authenticate each others' customers using a network of trust.
Member companies, such as retailers, credit card providers and travel firms, want to be able to build relationships between themselves so they can authenticate and authorise each others' customers, in a 21st century interpretation of the 'any friend of X is a friend of mine' concept.
This sounds great in theory but in practice requires companies to put a level of faith in their partners' identity verification techniques.
But in many sectors the verification process has been traditionally weak, according to Heiser, because suppliers want to make it easy for people to identify themselves. Credit card applications are a good example.
"You have the situation now where people can apply for credit by mail without having to present strong authentication," he explained. "If they know a name, a social security number and an address, they can request credit and say that they just moved. And often they get it."
And this is the nub of the problem. All the technological solutions in the world won't solve the identity theft problem if banks, large retailers, travel firms and credit card companies don't implement proper identity checks from the outset.
Without that, identity fraudsters will be able to pull the same tricks that they always have, smartcard or not.
See also:
Credit card giant uses NameProtect technology to detect online scams in real time 22 Jun 2004
The latest wave of cyber-crimes and acts of vandalism have demonstrated once again that many systems are still vulnerable to attack. 15 Apr 2004All Hacking
del.icio.us
Digg this
reddit!
