
Online Identity Theft: Changing the Game



company names mentioned herein are for identification and educational purposes only and are the property of, and may be trademarks of, their respective owners.

Published in: Education, Business, Technology

  1. 1. Online Identity Theft: Changing the Game
     Protecting Personal Information on the Internet
  2. 2. The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. Microsoft, CardSpace, Internet Explorer, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2008 Microsoft Corp. All rights reserved
  3. 3. Contents

     • Executive Summary
     • Introduction
     • Stolen Data Fraud and the Rise of “Phishing”
     • Sophisticated Spoofs
     • Principles for Mitigating Identity Theft Now
     • Principle One: Use Two-Way Verification
     • Visual Cues
     • Principle Two: Secure “Shared Secrets”
     • Principle Three: Maintain Strong Control over Data
     • Changing the Game: Protecting Personal Information on the Internet
     • Information Cards
     • Identity Verification
     • Tackling “Inside Job” Identity Theft
     • How Governments and Enterprises Can Help
     • Adopting the Technology
     • Striving for Maximum Consumer Convenience
     • Conclusion
  4. 4. Online Identity Theft

     Executive Summary

     Identity theft threatens the growth of e-commerce and the provision of financial and government services online. The issue requires a more comprehensive approach to protecting personal information, including consumer education, new technology tools, responsible business practices, a strong legislative framework, law enforcement engagement and expanded victim assistance.

     The ad hoc way in which online identities are managed today cannot withstand the increasing assaults from expert criminal attackers. A new approach to securely managing online identity is essential—namely, a system that uses an interoperable, vendor-neutral framework and gives end users more direct control over their digital identity. One key component of this system is a new technology called an “Information Card,” which enables the creation of very secure digital entities. Equally important is our ability to lessen or preferably eliminate the value of personal information, thereby drastically reducing the incentives to commit identity theft.

     Microsoft is committed to partnering with governments, law enforcement, businesses and consumers to advance this vision. The steps include three key elements:

     • Adopting advanced digital identities in government, enterprise and online service environments, along with better data governance processes
     • Creating a secure digital identification system that allows convenient online transactions and enables higher levels of security—based on real-world verified identities—when appropriate
     • Convening stakeholders to build broad support for the use of digital Information Cards as a basic tool to reduce online identity theft and increase confidence in e-commerce and other online services

     Trustworthy Computing • Microsoft Corporation
  5. 5. Introduction

     Personally identifying information (PII) in digital form is the lifeblood of the Internet age. Because individuals, organizations, businesses and governments have been willing to trust service providers with such PII, the past decade has seen a tremendous variety of new uses for the Internet. Access to PII has helped fuel explosive growth in e-commerce and e-government applications as well as various online communities. Online banking and investing services, travel and shopping Web sites, and electronic filing of tax returns and license renewals are all examples of how the Internet is enabling economic opportunity, efficiency and personal convenience in addition to offering countless other benefits.

     But along with the benefits, concerns about protecting PII are also escalating. Armed with personal information gathered online and offline through phishing[1] attacks, spyware,[2] social engineering scams and other illicit methods, identity thieves are stealing billions of dollars through unauthorized transactions and new lines of credit opened fraudulently in the name of unwitting consumers. While financial losses from offline and online identity theft have declined slightly, in 2007 they still totaled US$45 billion in the United States alone.[3] Online fraud is undermining confidence in the Internet and slowing the growth of online commerce and other services. In 2006, 12 percent of EU residents aged 16 to 74 said they avoided online purchases because of security concerns. In comparison, 57 percent said they had used the Internet and 30 percent said they shopped online in 2007.[4]

     Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle growing volumes of PII and use it in more diverse ways. Widely publicized leaks of sensitive data from custodians such as financial institutions, credit bureaus and government agencies are eroding public trust in the Internet and threatening to dampen online commerce and services.

     This paper outlines a set of near-term tactics for mitigating online identity theft as well as a longer-range strategic vision for fundamentally “changing the game” with regard to how people assert their identity on the Internet and how such identity claims are verified by other parties during an online interaction or transaction. It also offers recommended actions for government and industry leaders to help establish the infrastructure necessary for creating a more trustworthy Internet.[5]

     [1] Phishing: An act of Internet fraud in which the perpetrator seeks to trick people into providing personal financial information, such as bank account or credit card information. This is often done by sending a fraudulent e-mail purporting to be from a bank, Internet provider or other trusted source and asking for verification of an account number or password.
     [2] Spyware: Computer software that is installed surreptitiously on a personal computer in order to intercept data or take partial control of the user's interaction with the computer, without the user’s informed consent.
     [3] Javelin Strategy & Research, 2007 Identity Fraud Survey Report, February 2008.
     [4] Eurostat news release, “One person in eight in the EU27 avoids e-shopping because of security concerns,” February 2008.
     [5] While a number of the principles described in this paper also apply to mitigating offline identity theft, our primary focus here is on the online realm. These steps will not eradicate the risk, but they can reduce the amount of theft of personal information online and limit the impact when it does occur.
  6. 6. Broadly, tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End Trust—giving people more usable information about whom and what to trust online by building the infrastructure required to help evaluate the people, devices, software and data that make up the Internet.[6]

     Stolen Data, Fraud and the Rise of “Phishing”

     At the time it was designed, the Internet was primarily a medium for sharing information. E-commerce and online banking, which are prevalent today, were not yet envisioned. As such, the Web was not built with robust identity and authentication capabilities—a fact that has spawned a number of unwelcome experiences. Four key attributes of the Internet that malicious attackers thrive on are its global connectivity, practical anonymity, lack of traceability and valuable targets. It is also difficult for computer users to determine what programs are running on their machines, what machines they are connecting to and with whom they are conducting transactions online. This paper offers some ideas for changing these fundamental conditions in ways that continue to respect anonymity and privacy but “change the game” with respect to Internet-based identity theft.

     The current Internet environment has allowed identity thieves to proliferate. They have developed a variety of clever methods to steal personal information and even resell it online. For example, in a May 2008 posting on the McAfee Avert Labs Blog, one investigator described his discovery of a Web site that invites criminals to buy and sell credit card numbers, bank account log-in passwords and other data that have been stolen from unsuspecting consumers in different parts of the world.[7]

     Criminals previously relied on collecting information from lost or stolen laptops, using malicious software and exploiting online services. As the technology community has enhanced software and hardware security, making traditional exploits more difficult, these criminals have become highly adept at deceiving individuals into divulging personal information through phishing and similar scams. According to the Gartner research firm, “Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks.” A survey that the firm conducted in 2007 found that “3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before.”[8]

     Sophisticated Spoofs

     As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows, which often include official-looking logos of real organizations and other identifying information taken directly from legitimate Web sites. In a typical phishing scam, the bogus Web site’s operator aims to trick consumers into providing personal data such as their name, address, account number and password. If successful, the “phisher” can then access the

     [6] For more information, see “Establishing End to End Trust” at
     [7] McAfee Avert Labs Blog, “You have to pay for quality,” May 7, 2008.
     [8] Gartner, Inc., “Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks,” Dec. 17, 2007.
  7. 7. consumer’s accounts and transfer money or, with enough information, open new lines of credit in the victim’s name, using his or her good credit and assets as collateral. A fraudulent home equity loan, for example, could reap tens of thousands of dollars for a criminal in a single transaction.

     To make these phishing e-mail messages look legitimate, scam artists often place a link in them that appears to go to the legitimate Web site but actually takes the user to a phony site or possibly a pop-up window that looks exactly like the official site. These copycat sites are commonly called “spoofed” Web sites. Here’s a picture of what a phishing scam e-mail message might look like:

     [Figure: Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site. The sender has made the link in the mail appear to be from a legitimate bank by including “Contoso Bank” throughout the text, but the actual URL does not lead to the Contoso domain. In this example, Microsoft® Office Outlook 2007 has provided a warning that the e-mail looks suspicious.]

     Criminals also use a number of other techniques to gain access to personal information. For example, Web sites or e-mail attachments may plant harmful software onto PCs to steal information directly. Such software may log keystrokes or “scrape” the user’s screen—a technique in which one computer program extracts data from the display output of another program—and send the data to the criminal for analysis. Another technique, “pharming,” involves remotely changing Internet routing behaviors to redirect Web traffic to fraudulent but legitimate-looking destinations, where ID thieves may be able to trick users into divulging personal data. Collectively, these types of fraud are a serious threat to security on the Internet.
  8. 8. Principles for Mitigating Identity Theft Now

     Later sections of this paper outline how the vision of End to End Trust can advance fundamental changes in how PII is used. In the near term, consumers, governments and businesses can take important steps to help mitigate those risks.

     Consumer Tips for Avoiding Identity Theft

     • Be suspicious of any e-mail with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their e-mails to get people to react; they might even address the recipient by name. Valid messages from banks and online merchants almost never ask users to reenter their login credentials, update their records or reenter account data.
     • Think before clicking links in e-mail, instant messages or chat sessions. Avoid clicking on such links to get to any Web page if you suspect that the message might not be authentic or if you don't know the sender. Instead, call the company on the telephone or visit its Web site by typing the Web address in your browser.
     • Install a Web browser toolbar. Look for one that helps identify known fraudulent Web sites and alerts the user if it finds a match. Internet Explorer 7 includes such a toolbar.
     • Request copies of your credit report at least once a year. Check the report for suspicious entries, such as accounts that have been opened without your knowledge. Catching fraud early can minimize the damage an identity thief can cause.

     In addition to building anti-phishing, anti-spyware and anti-malware[9] features and other security tools into its products, Microsoft works collaboratively with governments, the IT industry, business partners and customers to help reduce identity theft. Based on this work, we’ve identified some core principles for helping consumers safeguard their identity from misuse, helping organizations protect PII entrusted to them, discouraging would-be criminals from attempting identity theft and helping identity theft victims get the relief they need.

     For more information on spotting potential scams and helping to keep personal information safe, visit these Web sites:

     • Microsoft Security at Home
     • Anti-Phishing Working Group

     Principle One: Use Two-Way Verification

     When authenticating users, online merchants and financial institutions typically use a “challenge”—such as asking for a username and password—to make sure the user should be allowed to access an account or conclude a transaction. However, the reverse is typically not true: consumers don’t have a means to require Web site providers to prove who they are. While it is possible for a Web site to prove its authenticity by obtaining an Extended Validation (EV) certificate, which requires investigation of the site by a reputable certificate authority, EV certificates are still in the gradual process of being adopted broadly.

     Typically, the most that consumers can do is visually inspect the site to see if it looks genuine, but increasingly sophisticated thieves are creating spoofed pages that appear virtually identical to

     [9] Malware is a term used to describe software or program code that is designed with malicious intent; for example, to infiltrate or damage a computer system without the owner's informed consent.
  9. 9. those of an authentic Web site. In the short term, consumers need better tools to identify signs of possible fraud.

     Visual Cues

     A Web site should ideally display its authenticity in a way that makes sense to a user. One such technique is the use of an image-based identification challenge—also known as a “visual secret.” The site displays a visual cue when asking for the person’s username and password. This visual cue—such as a photo of a boat or a horse—will be one that the user previously selected when creating the account. If, when the user begins the login process, the image is missing or incorrect, it serves as a warning that the Web site might not be legitimate. It is worth noting that this kind of an approach is successful only if the user knows and remembers to look for the visual secret.

     Windows CardSpace™, a type of Information Card technology from Microsoft that is described in more detail later, also provides visual cues for consumers. CardSpace does this by displaying certificate data associated with the Web site as well as by delivering a different user experience for a new or “spoofed” site than it does for a trusted site that the consumer has previously visited.

     In addition, consumers can look for evidence of security safeguards deployed by a Web site. This includes a symbol of a lock displayed in the address bar or at the lower edge of the Web site, which indicates that data exchanged on the site is protected by Secure Sockets Layer (SSL) encryption. In the Windows® Internet Explorer® 7 browser, as well as in other browsers, users can hover over this lock symbol with the cursor or click on it to view more detailed information about the site’s certificate and the issuing authority, such as VeriSign.

     Principle Two: Secure “Shared Secrets”

     Most Web sites that manage access to private information use the “shared secret” technique to protect that access. A shared secret is something that only the user and the Web site know, such as a username and password or government-issued identification number. It can also be a private piece of data the user chooses to share with the Web site, such as a credit card number or the name of a childhood pet. While this approach makes it convenient for merchants, banks and government agencies to identify users, it also creates incentives and opportunities for identity thieves. These secrets can be relatively easy to obtain through interception, deception or theft and then used to impersonate the victim, steal assets, commit fraud and initiate more criminal activities.

     Users can and should take steps to ensure these secrets aren’t acquired by criminals. One of the most basic steps consumers can take is to avoid reusing passwords out of convenience and instead create different passwords to access each individual Web site or online system. This approach will help prevent thieves from using one intercepted piece of information to compromise multiple accounts. Another helpful precaution is to create strong passwords that contain not just letters but also at least one numeral and one symbol (such as &, * or @). This approach is not effective for warding off phishing attacks but is useful in other situations.
  10. 10. Identity Theft Enforcement and Relief

      Local, state and federal law enforcement agencies should make identity theft a higher priority for investigation and prosecution. This does not necessarily require new legislation but rather dedicating the resources needed to enforce existing laws against identity theft. Greater global and interagency cooperation and intelligence sharing would also help investigators to identify cyber criminals, build stronger cases for prosecuting them and leave fewer places for thieves to hide. This collaboration must include at least three components: better enforcement tools, explicit penalties and better protections for consumers.

      Law enforcement and corporate security personnel need access to technologies and programs that aggregate identity theft data (taking personal privacy protections into account) to spot patterns, track down the big players and build cases for prosecution. One example of this is the Identity Theft Clearinghouse created by the U.S. Federal Trade Commission (FTC), which contains millions of consumer complaints about identity theft plus information on victims’ experiences with identity thieves.

      Stronger laws can also help boost prosecution of identity thieves in cases that cross multiple jurisdictions. By changing local legal codes, governments can close loopholes that frustrate prosecutions in such cases and can create stronger deterrents against identity theft.

      Finally, jurisdictions can enact legal changes that better empower victims of identity theft to mitigate losses, restore their credit and correct public records. This includes strengthening the rights of identity theft victims to obtain records regarding misuse of their information and get fraudulent accounts and transactions wiped off their credit report. Financial creditors and merchants can help by establishing dedicated resources, such as a telephone hotline and Web portal, that enable people to quickly report incidents of actual or suspected identity theft and take steps to minimize the impacts.

      Principle Three: Maintain Strong Control over Data

      Many identity theft incidents still occur through offline methods such as “dumpster diving,” robbery and deception.[10] This is a complex problem that is best addressed collaboratively by law enforcement, government, educational and financial institutions, civic organizations, businesses and the technology industry. It also requires heightened consumer awareness, responsible business practices, effective law enforcement and appropriate legislation—along with support from leading-edge technology products.

      Institutions that manage data must take steps to keep it safe. The large databases of personal data maintained by merchants, financial institutions and information brokers are a tempting target for identity thieves. Data leaks can occur in a number of ways, including lost or stolen computers, access to data under false pretenses by a rogue client, a security breach from the outside or an “inside job” by an employee.

      When a major data custodian experiences this type of leak, the repercussions can be huge. For example, in November 2007, the UK tax agency Her Majesty’s Revenue and Customs disclosed that it had lost computer disks containing the records of 25 million UK residents—about 40 percent of the population—including confidential information such as names and addresses associated with birth dates and bank account data. Preventing such an incident requires tight controls over the collection, storage and use of personal information. Successful data

      [10] Federal Trade Commission – 2006 Identity Theft Survey Report, pp. 27–31.
  11. 11. governance demands that an organization’s policies, people, processes and technology be aligned at all levels toward responsibly managing and strongly protecting PII.

      An even more basic and effective means of safeguarding PII is to not collect it in the first place. Traditionally, business leaders have simply collected a large set of PII with the view that it could provide some future business use. This has resulted in organizations being obligated to safeguard information for which they may not have a direct business use. Adopting a commitment to collect only the minimum information required in order to provide the requested service—rather than all of the PII possible—is a more responsible way to manage the threat of identity fraud.

      Many businesses either do, or should, have basic legal obligations to protect some types of data, ensure fair credit reporting and give consumers opportunities to correct information stored with the business. But businesses can also benefit from guidance and education in these areas. As the example above indicates, governments are among the large organizations that need to be especially conscious of effective and efficient data governance practices. Government officials also play an important role in helping to evangelize such robust practices. By creating blue-ribbon panels or other advisory groups and by drawing on business management and privacy experts in both the public and private sectors, government can help develop guidance. Other important roles for government include raising awareness of responsible privacy protection practices through public education campaigns and incorporating that guidance into programs that assist businesses or organizations that maintain data.

      Changing the Game: Protecting Personal Information on the Internet

      It is important to educate consumers and help them make informed judgments about disclosing private information, to promote responsible data governance practices among organizations and to punish those who commit identity theft crimes. But an even better approach to enhancing security and privacy is to reduce reliance on “shared secrets” such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online. In addition to being relatively easy to steal, these shared secrets can be difficult to remember, update and manage.

      We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse—ones that leverage technology to give end users more direct control over their digital identities. Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.

      Microsoft has analyzed this problem in depth, at both a policy level and a technical level. Kim Cameron, Microsoft’s chief architect of Identity, has defined several Laws of Identity[11] that help define ground rules for designing services of all types to allow individuals to access those services while disclosing a limited amount of PII. To put it in technical terms, we should enable a system whereby users—or electronic systems—can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and trust establishment online. This type of system defines new identity practices for the Web.

      [11] See The Laws of Identity offer a framework for use by systems of many types and purposes.
  12. 12. Think of how a check represents a right to claim certain assets of an individual or organization that are held at a bank or other financial institution. Similarly, we can use technology to create a token that represents certain rights and therefore serves as a medium of trade and exchange. As long as personal information is used for authentication on the Web, the incentive to steal it is high. But if better practices provide no personal information and reveal no information of value to anyone other than the holder, the incentives and opportunities for identity theft will be drastically reduced.

      To open a bank account on which checks can be written, or to cash a check, one needs to provide some form of identification. Commerce and other online activities also require a form of identification. You have to show both that you have the right to claim certain assets and that you are the person entitled to that right. To better secure this aspect of online activity, Microsoft has worked with a variety of other organizations to create a system based on Information Cards.

      Information Cards are intended to work within an interoperable, neutral framework. Microsoft’s Information Card client software is called Windows CardSpace, but users of other software can also create Information Cards. Information Cards complement other Internet identity architectures and are built on a commonly accepted set of Web protocols. Interoperable Information Card technology is being deployed in, and works between, a wide variety of systems supplied by different vendors.[12]

      Information Cards

      Information Cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone. They are analogous to tangible cards in a person’s wallet. In much the same way that a person might use a student ID card to get free admission to a museum or a frequent-shopper card to get a discount on groceries, a digital Information Card issued by one entity can be used to verify the card owner’s identity with another entity, as long as the card includes the necessary data.

      How does this work? The creation and use of Information Cards involves three parties. The first party is the entity that issues the card. In the case of a card for use in sensitive interactions, the issuer might be a government, business or nonprofit organization. For less sensitive uses, individuals might issue themselves a card. The second party, or relying party, is whoever needs to accept the card during a transaction. The third party is the cardholder, who decides which card to present in a given transaction.

      How does the use of Information Cards reduce the risk of identity theft? For starters, the person’s username and password aren’t transmitted when an Information Card is presented to a Web site, so they can’t be stolen. Information Card technology also supports a range of robust encryption methods that help prevent tampering with the data on the card or snooping to intercept it in transit.

      Information Cards also allow relying parties to request the minimum amount of personal information needed to authenticate an identity in a given transaction. For example, a particular card might have 10 fields—for name, address, birth date, credit card number, frequent flyer number and so on—but depending on the situation, a relying party might need only two fields of information to complete the transaction (such as name and birth date).

      [12] For a further description, see
  13. 13. Information Cards are designed to prevent data that is shared in one context from being reused in a different context. This is accomplished through creating a unique set of keys for each combination of Information Card and relying party. Through the use of this security technique, the information used for transactions on one Web site is not available to other Web sites. Finally, because Information Cards allow the user to supply additional authoritative information (such as name and e-mail address) on demand to Web sites for authentication or other purposes, there is less need for organizations to store this data in their systems for long periods of time—and thereby run the risk of it being stolen.[13]

To further advance the interoperability and adoption of this technology, Microsoft and an array of other prominent companies recently formed the non-profit Information Card Foundation.[14] Members of this foundation—including Equifax, Google, Novell, Oracle and PayPal—share Microsoft’s commitment to fostering a simpler, more secure and more open digital identity on the Internet, increasing users’ control over their personal information, and enabling mutually beneficial digital relationships between people and businesses.

Identity Verification

For uses such as e-commerce, online banking and online government services, it’s vital that the Information Card’s contents be verifiable with a high degree of certainty. Indeed, the identity claims we typically use in sensitive situations—such as name, driver’s license number and government ID number—are generally based on previous verification when we were physically present. For example, hospitals issue birth certificates based on eyewitness evidence of a newborn’s entry into the world. Later, when we’re older, we might use that birth certificate to get a driver’s license or passport from a government agency.
We might then take this other document to a bank to open an account or to an airline counter to check in for a flight.

A safer Internet must support a variety of options for establishing confidence in digital identities. These options may be based directly on, or be derived from, in-person verification by a reliable entity, guarantors, existing relationship data, or companies that provide this type of reputation service. For example, merely entering a driver’s license number on an online credit application does not carry the necessary degree of trustworthiness. The driver’s license might be a stolen one, or the person using the number might be someone other than the person who was issued the license.

A more trustworthy approach for the Internet would involve designating mechanisms and processes for establishing validated digital identities. One such mechanism might involve places where people could go to present validated physical identification based on in-person verification and then obtain a digital form of identification with similar reliability. Depending on the country and required level of assurance, such designated locations might include post offices, libraries or even licensed private enterprises such as notaries public, copy centers, banks or mobile phone stores. Governments and private institutions could also strengthen their digital identities based on in-person verification and embed them in Information Cards for use on the Web.

[13] A more detailed overview of this technology can be found at

[14] “Technology Community forms Information Card Foundation to Simplify Secure Online Digital Identity,” June 24, 2008.
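The two Information Card properties described earlier, a unique set of keys for each combination of card and relying party and the release of only the requested fields, can be seen in a small model. This is an added example, not Microsoft's or CardSpace code: the class and function names, the HMAC-SHA256 key derivation, the shared-key tag (a standard-library stand-in for a per-site key pair) and the `.example` sites are all assumptions.

```python
import hashlib
import hmac
import json


class InformationCard:
    """Constructed toy card: claims plus a master secret that stays with the holder."""

    def __init__(self, claims, master_secret):
        self.claims = dict(claims)
        self._master = master_secret

    def site_key(self, relying_party):
        # One key per (card, relying party) pair. HMAC-SHA256 is an assumed
        # derivation; the page does not say how the keys are produced.
        return hmac.new(self._master, relying_party.encode(), hashlib.sha256).digest()

    def site_id(self, relying_party):
        # Identifier the site sees: stable for that site, unrelated elsewhere.
        return hashlib.sha256(b"id|" + self.site_key(relying_party)).hexdigest()[:16]

    def present(self, relying_party, requested_fields):
        # Release only the fields this relying party asked for.
        missing = sorted(set(requested_fields) - set(self.claims))
        if missing:
            raise KeyError(f"card has no such fields: {missing}")
        token = {
            "audience": relying_party,
            "subject": self.site_id(relying_party),
            "claims": {f: self.claims[f] for f in requested_fields},
        }
        body = json.dumps(token, sort_keys=True).encode()
        tag = hmac.new(self.site_key(relying_party), body, hashlib.sha256).hexdigest()
        return body, tag


def accept(relying_party, enrolled_key, required_fields, body, tag):
    """Relying-party check: intact token, right audience, nothing extra disclosed."""
    expected = hmac.new(enrolled_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # altered in transit, or issued under another site's key
    token = json.loads(body)
    return (token["audience"] == relying_party
            and set(token["claims"]) == set(required_fields))


# Constructed sample data; none of it comes from the page.
CARD = InformationCard(
    {"name": "Alex Example", "birth_date": "1980-01-01",
     "address": "1 Sample St", "frequent_flyer": "FF-0000"},
    master_secret=b"constructed-demo-secret-not-real",
)
AIRLINE, SHOP = "https://airline.example", "https://shop.example"
```

A token presented to one site carries a site-specific subject and fails verification under any other site's key, so it can be neither correlated nor replayed across sites.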
  14. 14. It’s also important to recognize that digital identities go through a regular life cycle, from issuance to use and ultimately to retirement. An identity system must take into account all aspects of this life cycle because a weak process at any stage will reduce assurance of identity to the lowest level. For example, if an identity is issued based on a high-assurance process but is inadequately safeguarded in its use, the assurance of that identity ultimately is reduced.

Tackling “Inside Job” Identity Theft

Establishing a framework for issuing and using more trustworthy digital identities on the Web also requires protections against “inside job” identity theft, whereby a person working inside a government or a bank—an institution that creates identities in the first place—gains access to someone’s information associated with the Information Card or creates fraudulent Information Cards. Microsoft is working to tackle insider threats through a technology called U-Prove. U-Prove employs cryptography to safeguard the data needed for a transaction while preventing systems from being able to pull together information about users from various sources. Such linking of information across sources is a significant risk to privacy because the more pieces of data a criminal has about an individual, the more easily the criminal can take control of that person’s identity. The use of U-Prove can help reduce a criminal’s ability to steal identities by accruing various pieces of information over time.

How Governments and Enterprises Can Help

Advanced technology such as Information Cards and U-Prove can do much to “change the game” with respect to identity theft by helping to discourage criminals from gathering PII and minimizing the damage when security breaches occur. But making this approach the standard practice for online commerce will require much more than just rolling out the technology.
To truly change the game requires a collective effort and changes not just to technology but to information-handling practices, how technology is deployed, and the creation of both legal and business infrastructure to support the use of digital identities, rather than personal information, to enable interactions on the Web.

Microsoft has learned through past experience why important efforts sometimes fail. One reason is misalignment between technology, social forces and policy values, and market dynamics. We believe that these important aspects can be aligned in the effort to address digital identity on the Web, and we offer some suggestions on how they should be aligned. In many respects, governments are well positioned to lead the effort to reduce identity theft because of their role in passing laws, protecting market incentives and preserving social values.

Adopting the Technology

First, governments can advance this vision by adopting and supporting the Laws of Identity and beginning to deploy advanced technologies such as Information Cards and other related identity technologies in their own operations. This spans both internal systems, such as computer networks used by government employees, and e-government
  15. 15. systems, such as online services used by the public to obtain government benefits, pay license fees and contribute comments to administrative proceedings. These government enterprise systems are among the largest creators, consumers and processors of identity information and therefore hold tremendous influence over how private and secure it can remain.

As noted earlier, the Information Card technology is intended to be deployed in an interoperable, vendor-neutral framework. It won’t matter which vendor’s servers or software are deployed in an enterprise or government system, and most if not all systems should be capable of making the system changes needed to handle identity-based transactions through an Information Card approach.

Governments can also help encourage this transition by working with the technology and business community to agree on approaches for data governance and the types of robust technology infrastructures needed to support those processes. While governments use technology within their own operations to reduce the extent to which personal information is exchanged, they can also drive change by encouraging other organizations to use tools that limit the disclosure of PII and the unnecessary aggregation of data, which can lead to a host of security and privacy risks.

From there, governments and organizations can help build greater trust in the online realm by promoting, both through legal and procedural means, the availability of easily obtained digital identities—the piece of software code that makes identity assertions in order to authorize people’s online access to data and services. For example, government agencies are logical avenues for providing in-person verification of identity claims at venues such as government service desks. As noted above, in-person verification of identity may serve as the basis for identity claims presented by Information Cards.
This offers a much stronger form of identity than is currently used online (e.g., a username and password created by the user). However, we recognize that users and businesses will not want to sacrifice convenience and ease of use when it comes to online identity methods. In that light, we suggest that governments help foster the creation of additional means of obtaining verified digital certificates.

Striving for Maximum Consumer Convenience

To increase the adoption of more secure identity systems, consumers will need convenient opportunities to obtain digital identification based on verification. Many enterprises—such as vendors that provide notary services, copying centers and mobile phone retailers—may be inclined to offer this service as a logical extension of their existing business. However, these private businesses could be vulnerable to litigation if they are victims of fraud—if, for example, someone presents a fake passport or if an identity that the business issued is compromised.

To address this concern, legislators could develop frameworks to address the liability issues associated with the use of digital identities in the context of business transactions, so that potential litigation does not unduly constrain this opportunity for businesses and for consumers. For instance, if an Information Card somehow falls into the wrong hands and is used to commit a crime, to what extent should the issuer, the relying party and the ID holder be held accountable? This question could apply to governments as well, such as in the case of school-issued ID tokens being stolen. It will be important to address these questions, and to think carefully about who is authorized to provide digital identity credentials in this new system.

We believe, however, that consumers, merchants and IT system managers will want to minimize the disruption to their current services in the trade-off between security and convenience.
  16. 16. This is a bold proposal. To achieve these goals, it is important to address all of the complicated social, political, economic and technical issues involved and to do so through open dialogue aimed at common objectives. Governments can serve as crucial conveners in this regard, both locally and internationally. On a variety of other issues that affect the public, governments have successfully created expert panels, convened discussion forums and fostered opportunities for generating input from business and industry, academia and nongovernmental organizations. All of these interests and perspectives should be reflected in discussions about this approach to digital identity—including how to implement the infrastructure needed to support digital identities and how best to incorporate these identities into government systems that issue identities, process benefit claims or provide other services.

Such a dialogue will also be crucial to driving consensus on important policy decisions, such as how to effectively use digital identities to replace PII and appropriately balance anonymity with accountability on the Internet. Governments can play a key role as conveners of, and participants in, this dialogue.

Conclusion

Combating the complex problem of identity theft demands a holistic strategy that combines effective consumer education programs, robust technology tools, responsible business practices, a strong legislative framework, law enforcement engagement and expanded victim assistance.
Recommended starting points include:

  • Increasing consumer education about identity theft and its prevention
  • Implementing appropriate identity authentication mechanisms
  • Identifying and developing data governance policies and processes in support of digital identities
  • Ensuring high levels of privacy and security throughout the Internet technology infrastructure, while also preserving social values and consumer expectations regarding anonymity on the Web
  • Adopting and advocating practices that limit the required disclosure of PII by consumers and limit its use by governments and enterprises to the minimum necessary to fulfill a specific purpose
  • Educating consumers to disclose only the minimal PII needed when conducting a transaction or requesting a service
  • Enacting and enforcing criminal penalties for identity theft and other online criminal activities
  • Ensuring that identity theft victims have ready access to assistance in reclaiming their identity and repairing the damage to their financial standing

These actions are very important, but on their own they are not enough to prevent further costs to our society from identity theft. The ad hoc way in which online identities are managed today cannot withstand the increasing assaults from expert criminal attackers. Identity theft not only has serious implications for the individuals whose assets and livelihoods are violated, but it also threatens the credibility of economic transactions at a time when advances in broadband communications and online services should be driving greater acceptance of these transactions.
  17. 17. One of the keys to changing the game in identity protection is to establish an interoperable, vendor-neutral framework that uses technology to give end users more direct control over their digital identity. This is crucial to the objective of limiting the value of personal information as a key to online access and reducing the incentives to commit identity theft. The immediate steps toward this approach involve three key elements:

  • Adopting advanced digital identities in government, enterprise and online service environments, along with better data governance processes
  • Creating a secure digital identification system that allows convenient online transactions, and also enables higher levels of security—based on real-world verified identities—when appropriate
  • Convening stakeholders to help generate broad support for “changing the game” on identity theft and taking steps to create business and consumer awareness and adoption of information cards, regardless of what computing system or technology they may use

Collaboration across all of these fronts will improve our collective efforts to target the root causes of identity theft, minimize the incentives to commit identity theft, reduce its impact and limit such opportunities for criminals in the future. Microsoft is committed to partnering with government, law enforcement, business partners and consumers to advance this vision. We believe it is possible to make the Internet safer for consumers and families and therefore more reliable for individuals, businesses and governments.