Do You Need a Digital ID?

R.A. Hettinga rah at shipwright.com
Mon Mar 14 11:47:33 EST 2005


<http://www.pcworld.com/resource/printable/article/0,aid,120008,00.asp>

PCWorld.com

Security experts debate new ways to curb identity theft and boost e-commerce.

Scarlet Pruitt, IDG News Service
Friday, March 11, 2005



HANOVER, GERMANY -- Rampant identity theft is eroding users' trust in the
Internet, and could threaten to erase some of the progress companies have
made in doing business online, security experts warn.

One possible solution is to create digital identities to
curtail the incidents of ID theft, but this also comes with some
liabilities, the experts say. They spoke on a panel at the CeBIT trade show
here.

"We actually run the risk of taking a step back on the Internet. We're
starting to see a lack of confidence and, even worse, companies are scaling
back what they are doing on the Web," says Art Coviello, president and
chief executive officer of RSA Security.

Beat Perjés, head of IT security architecture at Credit Suisse, says that
the customers at his bank are still doing online transactions but are also
asking a lot more questions about whether it's secure.

This is a concern because what banks actually sell customers is trust,
Perjés says.

Fraud on the Rise

Cases of online identity theft have ramped up in recent months, and the
U.S. Federal Trade Commission has labeled such theft as one of the fastest
growing types of consumer fraud. Internet users are reporting cases of
unauthorized access to their online bank accounts due to phishing scams and
the increased prevalence of spyware, which can record users' passwords and
log-ins.

Digital identities, which provide two measures of authentication, could
help improve Internet security as well as having various other uses, such
as digital passports, the experts say. Dual authentication often involves
something a user knows or possesses, such as a smart card, and something
that he or she is, which can be represented by biometric information,
Coviello explains.

"Password-only IDs should be a thing of the past," says Detlef Eckert,
Microsoft's chief security adviser for Europe, the Middle East, and Europe.

In addition to improving online security, digital identities would also
allow users to reduce the number of credit cards, loyalty cards, and other
proofs of ID that they carry, the experts say.

Smart cards, digital passports, and national ID cards could carry
information for multiple purposes, as long as the authenticating body is
trustworthy. So if multiple credit cards were stored on a smart card, each
credit card company would have to trust the other company's means of
identifying and authenticating users, the experts say.

Working Together

Authentication done by one body and then trusted by another is called
federated identity, explains Hellmuth Broda, chief technology officer at
Sun Microsystems. Broda is also the spokesperson for the Liberty Alliance
Project, a consortium of more than 150 companies working to develop a
standard for network identity. For a federated ID system to work,
specifications need to be open and interoperable, he says, and Liberty and
other industry groups are working toward this.

"After the dot-com crash, vendors realized how interdependent they are,"
Coviello says. "We really must all stand together because we won't make
advances on the Internet otherwise."

While digital identities done right would improve online security and user
convenience, they bring with them certain liabilities and levels of
complexity, the experts say. How to safely store, share, and authenticate
data are just some of the issues that need to be resolved.

All the experts agree that data should not be stored in one central
repository, which could be compromised. And while they also agree that
certain agencies and businesses should control data relevant to their
relationship with customers, sharing information is a bit trickier.

One way to share data without allowing one organization to have too much
information about a person would be to separate the person's identity from
the data by giving it another identifier. One company could identify a
person as "customer 51" while another could identify the same person as
"customer 254," for example, Coviello says. That way, they could share
buying trends and other information without revealing who bought what, for
example.

While there are some difficulties in implementing digital IDs, the
challenges can be overcome with technological and regulatory solutions, the
experts say. For making further progress on the Internet, making digital
IDs work is crucial, Broda adds.

"We will never make a system that's impossible for thieves to break, but we
can make it very, very hard," Broda says.

CeBIT runs through Wednesday.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
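
The separate-identifier idea Coviello describes ("customer 51" at one company, "customer 254" at another), as an added Python sketch that is not part of the article or the original post. It assumes a hypothetical issuer (`PseudonymIssuer`) that derives each company's identifier with HMAC-SHA256 under a secret key, which is one common construction and not something the article specifies; the company names and e-mail addresses are constructed sample values.

```python
import hashlib
import hmac
import secrets


class PseudonymIssuer:
    """Hypothetical authenticating body giving each company its own ID for a person."""

    def __init__(self, key=None):
        # Secret held only by the issuer. Without it, nobody can recompute a
        # pseudonym or test whether two pseudonyms belong to the same person.
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, person, company):
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        fields = (company.encode(), person.encode())
        msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
        digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return "customer-" + digest[:16]  # truncated for readability in the demo


def linkable(records_a, records_b):
    """IDs present in both record sets: what a naive join on ID would match."""
    return {r["id"] for r in records_a} & {r["id"] for r in records_b}


def demo():
    issuer = PseudonymIssuer(key=b"\x01" * 32)  # fixed constructed key, repeatable
    people = ["alice@example.org", "bob@example.org"]  # constructed identities
    shop = [{"id": issuer.pseudonym(p, "shop.example"), "bought": "book"}
            for p in people]
    bank = [{"id": issuer.pseudonym(p, "bank.example"), "card": "debit"}
            for p in people]
    return issuer, shop, bank


if __name__ == "__main__":
    issuer, shop, bank = demo()
    print("shop sees:", [r["id"] for r in shop])
    print("bank sees:", [r["id"] for r in bank])
    # The same person has a stable ID at each company, but the two record
    # sets share no identifier, so they cannot be joined without the issuer.
    print("IDs common to both:", linkable(shop, bank))
```
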

---------------------------------------------------------------------
The Cryptography Mailing List