28.09.2007 10:49 Martin Kuppinger

Identity Theft – state of affairs

Identity Theft is anything but new, but still an urgent as well as unsolved problem. Only recently, Reto Hartinger, initiator of internet-briefing-ch, told me about a rather glaring case of Identity Theft, described and discussed in detail in his blog.

It's about e-mails distributed under the name of an attorney, calling on the recipient to make a payment. The attorney himself had no idea what was going on; his data had been abused. In Switzerland, more mail shots of this kind seem to be circulating, and some banks, e.g. Credit Suisse, have placed warnings about them in their online banking applications. Remarkably, the purpose of these mails is not to make the recipient pay money to the attorney, but to get the recipient to open the attachment.

Such spam mail is quite common, as we all know; it turns up in all kinds of variations. In this particular case, however, the identity information of a real person is abused in an extraordinary way, because the damage done to the attorney makes it almost impossible for him to continue business as usual.

Though spam filters today are capable of identifying and marking this kind of mail, the underlying problem of abuse remains unaddressed. You could say that these control mechanisms combat the symptoms, but do not address the real cause.

This makes clear that at present we have anything but a secured identity for the Internet. Generally, anyone can easily send mails under the name of somebody else or use a false name in a blog, just to name two examples. Sometimes, but not always, misuse of a name is detected by an experienced user. But a really secured identity on the Internet is still wishful thinking. The use of digital certificates and signed mails would change things for the better, but is unfortunately not very widespread in communication outside the enterprise. And even where they are used, users mostly lack the knowledge necessary, for example, to reliably verify a signature.

On the other hand, approaches like OpenID focus on the – admittedly necessary – user comfort rather than on the security and reliability of the mechanisms, at least in their first drafts. So the vehement discussions about the security of OpenID and the risk of Identity Theft that arose immediately came as no surprise.

The gap to be bridged lies between creating user-friendly, simple mechanisms such as OpenID or Infocards (at least managed cards provide a high degree of security) on the one hand, and focusing on improved protection of identities on the Internet on the other. I doubt there will be an efficient way of combining comfort with security in all phases, for instance the acquisition and the use of certificates. However, adding a little more comfort to an improved security level should not be Utopian.

A widespread use of digital certificates, which I do think are the basis of security, has up to now been largely inhibited by several factors. First, users are not able to handle them properly, which among other things is the result of poor usability. Second, there is the requirement of a third party to prove the identity at least once in a conventional way, such as via post, bank, or notary.

And even if all this worked, the problem would be transferred rather than solved, to certificate-based transactions, to be precise. The crucial point here would be a widespread use of “identity-aware” and secure hardware. “Identity-awareness” is targeted e.g. by Intel's Identity Capable Platform, and secure hardware is one of the goals of the Trusted Platform Module (TPM).

In any case, there is a need for an in-depth revision of protocols such as SMTP, POP, and IMAP to make them “identity-aware”, which means introducing compulsory authentication of all systems and persons involved. For it is exactly these rather antiquated protocols which are to a high degree responsible for all our spam, security and Identity Theft problems. And these problems cannot be thoroughly solved on a higher level by the use of concepts like S/MIME or PGP.
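The verification step referred to above (a recipient reliably checking the signature on a mail, and what S/MIME or PGP can and cannot do on top of SMTP), as an added example that is not code from the original post. It uses Go's standard-library Ed25519 in place of a full S/MIME certificate chain; the `Mail` structure, the key pairs and the addresses are constructed for the illustration and are not a real mail format:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Mail is a constructed, minimal stand-in for a signed e-mail: the header
// fields naming the claimed sender, the body, and a detached signature over
// both. It is a hypothetical structure, not the S/MIME or PGP wire format.
type Mail struct {
	From      string
	Subject   string
	Body      string
	Signature []byte
}

// signedBytes is the exact byte sequence the signature covers. Including the
// From header is what ties the message to a sender identity; a signature over
// the body alone could be replayed under another name.
func signedBytes(m Mail) []byte {
	return []byte("From: " + m.From + "\r\nSubject: " + m.Subject + "\r\n\r\n" + m.Body)
}

// Sign is what the legitimate sender's mail client does with his private key.
func Sign(priv ed25519.PrivateKey, m Mail) Mail {
	m.Signature = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Verify is the recipient-side check: pub is the key that a certificate (or a
// previously verified PGP key) binds to the identity named in the From header.
// Any malformed input is a failure, never a pass.
func Verify(pub ed25519.PublicKey, m Mail) bool {
	if len(pub) != ed25519.PublicKeySize || len(m.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, signedBytes(m), m.Signature)
}

// Scenario plays through the case from the post and reports whether each
// message passes verification against the attorney's public key.
func Scenario() (genuine, forgedSender, tamperedBody bool) {
	// Constructed keys: the attorney's pair and an unrelated pair held by
	// whoever sends mail under his name.
	attorneyPub, attorneyPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	original := Mail{
		From:    "attorney@example.invalid", // constructed address
		Subject: "Outstanding invoice",
		Body:    "Please settle the enclosed invoice by the end of the month.",
	}

	// 1. Mail really signed by the attorney: verifies.
	signed := Sign(attorneyPriv, original)
	genuine = Verify(attorneyPub, signed)

	// 2. Mail carrying the attorney's name but signed with someone else's key:
	//    the check against the attorney's key fails.
	imposter := Sign(otherPriv, Mail{From: original.From, Subject: original.Subject, Body: "See attachment."})
	forgedSender = Verify(attorneyPub, imposter)

	// 3. Genuine signature, body changed afterwards: the signature no longer
	//    matches the signed bytes.
	tampered := signed
	tampered.Body = "Please pay to the account given in the attachment."
	tamperedBody = Verify(attorneyPub, tampered)

	return genuine, forgedSender, tamperedBody
}

func main() {
	g, f, tb := Scenario()
	fmt.Printf("genuine mail verifies: %v\n", g)
	fmt.Printf("mail under the attorney's name, wrong key: %v\n", f)
	fmt.Printf("genuine signature, altered body: %v\n", tb)
}
```

Run it with `go run`. The check answers exactly one question, namely whether the message was signed by the holder of the key bound to the name in the From header. It says nothing about the transport: the mail sent under the attorney's name still arrives, and the signature check only exposes it at the recipient, and only if the recipient actually performs it and holds an authentic copy of the attorney's key. That is the point made above about S/MIME and PGP sitting on top of protocols that themselves authenticate nobody.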

To sum up, today's technologies are suitable to tackle part of the problem, but are far from offering a satisfying answer to Identity Theft.
