Identity theft is fast becoming the new bête noire of the cyberworld, crowding out spyware, spam and viruses for that dubious honour. During the past several months, the media have splashed increasingly frightening cover stories, consumer alerts and other breaking news about people who’ve had their identities spoofed, credit cards hijacked and assets looted by unseen strangers lurking on the Internet.
Amid the growing hysteria, the identity-management industry sees a big black eye in the making, and it’s beginning to formulate strategies for identity theft prevention, detection and remediation.
Trust is in jeopardy if the industry doesn’t proactively address identity theft on many levels. The stakes couldn’t be higher. What’s most worrisome is the growing prevalence of phishing, pharming and other social-engineering ploys to steal user information. These frauds strike at the very heart of the federation: users’ trust in the authenticity of identity providers.
In the face of never-ending identity thefts, the only way out of this downward spiral is to continue reissuing new credentials to affected users, but only after reputable agents have proofed those users to strong assurance, and only if the new credentials rely on biometrics for strong authentication. Clearly, this theft-unfriendly identity-management environment is a long way from being implemented in the real world and would be quite expensive, complex and cumbersome to universally deploy.
Some have argued that federated identity management is a fundamentally flawed approach that encourages identity theft. Nothing could be further from the truth. There’s nothing inherently insecure about federation protocols, such as Security Assertion Markup Language and Liberty Alliance Identity Federation Framework, or the way vendors and users have implemented them.
Rather, most identity theft originates in the massive online market for bulk user personal data that many consumer-facing businesses collect in normal operations.
To its credit, the industry realizes that technical standards alone aren’t the answer to identity theft and fraud. The threat is so multifaceted, pervasive and stubborn that it must be addressed with federated identity-management best practices that also take into account business, legal, consumer education and other considerations. A cross-disciplinary approach to identity theft protection — not purely technical approaches — should be the ongoing focus of Liberty Alliance and other industry groups.
–Kobielus is a senior technical systems analyst at Exostar LLC, a B2B trading exchange serving the aerospace and defense industry. He can be reached at (703) 924-6225.