Rampant identity theft is eroding users’ trust in the Internet, and could threaten to erase some of the progress companies have made in doing business online, security experts warned Friday.
One possible solution is to create digital identities to curtail the incidents of ID theft, but this also comes with some liabilities, the experts said while speaking on a panel at the Cebit trade show in Hanover, Germany.
“We actually run the risk of taking a step back on the Internet. We’re starting to see a lack of confidence and, even worse, companies are scaling back what they are doing on the Web,” said Art Coviello, president and chief executive officer of RSA Security Inc.
Beat Perjés, head of IT security architecture at Credit Suisse, said that customers at his bank are still doing online transactions but are also asking a lot more questions about whether those transactions are secure.
This is a concern because what banks actually sell customers is trust, Perjés said.
Cases of online identity theft have ramped up in recent months, and the U.S. Federal Trade Commission has labeled such theft as one of the fastest growing types of consumer fraud. Internet users are reporting cases of unauthorized access to their online bank accounts due to phishing scams and the increased prevalence of spyware, which can record users’ passwords and log-ins.
Digital identities, which provide two measures of authentication, could help improve Internet security and could also serve other purposes, such as digital passports, the experts said. Dual authentication often involves something a user knows or possesses, such as a smart card, and something that he or she is, which can be represented by biometric information, Coviello explained.
“Password-only IDs should be a thing of the past,” said Detlef Eckert, Microsoft Corp.’s chief security adviser for Europe, the Middle East and Europe.
In addition to improving online security, digital identities would also allow users to reduce the number of credit cards, loyalty cards and other proofs of ID that they carry, the experts said.
Smart cards, digital passports and national ID cards could carry information for multiple purposes, as long as the authenticating body is trustworthy. So, if multiple credit cards were stored on a smart card, each credit card company would have to trust the other company’s means of identifying and authenticating users, the experts said.
Authentication done by one body and then trusted by another is called federated identity, explained Hellmuth Broda, chief technology officer at Sun Microsystems Inc. Broda is also the spokesman for the Liberty Alliance Project, a consortium of over 150 companies working to develop a standard for network identity. For a federated ID system to work, specifications need to be open and interoperable, he said, and Liberty and other industry groups are working toward this.
“After the dot-com crash, vendors realized how interdependent they are,” Coviello said. “We really must all stand together because we won’t make advances on the Internet otherwise.”
While digital identities done right would improve online security and bring user convenience, they bring with them certain liabilities and levels of complexity, the experts said. How to safely store, share and authenticate data are just some of the issues that need to be resolved.
All the experts agreed that data should not be stored in one central repository, which could be compromised. And while they also agreed that certain agencies and businesses should control data relevant to their relationship with customers, sharing information is a bit trickier.
One way to share data without allowing one organization to have too much information about a person would be to separate the person’s identity from the data by giving it another identifier. One company could identify a person as “customer 51” while another could identify the same person as “customer 254,” for example, Coviello said. That way, they could share buying trends and other information without revealing who bought what, for example.
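The per-company identifier scheme described above can be sketched as follows. This is an added example, not code from the panel or from any vendor named in the article. It assumes a trusted identity provider that derives each company's identifier with a keyed hash and is the only party able to map one company's identifier to another's; the key, company names and records are constructed.

```python
import hashlib
import hmac

# Assumption: a trusted identity provider (IdP) holds this key; companies never see it.
IDP_KEY = b"constructed-demo-key"

def pseudonym(real_id: str, company: str) -> str:
    """Stable per-company identifier; differs for the same person across companies."""
    msg = company.encode() + b"\x00" + real_id.encode()
    return "customer-" + hmac.new(IDP_KEY, msg, hashlib.sha256).hexdigest()[:12]

class IdentityProvider:
    """Only the IdP keeps the mapping from (company, pseudonym) to the person."""

    def __init__(self):
        self._index = {}

    def enroll(self, real_id: str, company: str) -> str:
        alias = pseudonym(real_id, company)
        self._index[(company, alias)] = real_id
        return alias

    def translate(self, src: str, alias: str, dst: str) -> str:
        """Map one company's pseudonym to another's without revealing the person."""
        real_id = self._index[(src, alias)]  # KeyError for an unknown alias
        return pseudonym(real_id, dst)

def share_trends(idp, src, src_purchases, dst, dst_purchases):
    """Merge purchase records so the result is keyed by dst's pseudonyms only."""
    merged = {alias: list(items) for alias, items in dst_purchases.items()}
    for alias, items in src_purchases.items():
        merged.setdefault(idp.translate(src, alias, dst), []).extend(items)
    return merged

def demo():
    idp = IdentityProvider()
    # Constructed sample data: one person known to two companies.
    bank_alias = idp.enroll("alice@example.org", "bank")
    airline_alias = idp.enroll("alice@example.org", "airline")
    bank = {bank_alias: ["mortgage"]}
    airline = {airline_alias: ["flight HAJ-ZRH"]}
    merged = share_trends(idp, "bank", bank, "airline", airline)
    return bank_alias, airline_alias, merged

if __name__ == "__main__":
    print(demo())
```

The identity provider becomes the point where records can be linked, so its key and index need the strongest protection in the scheme.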
While there are some difficulties in implementing digital IDs, the challenges can be overcome with technological and regulatory solutions, the experts said. Making digital IDs work is crucial to further progress on the Internet, Broda added.
“We will never make a system that’s impossible for thieves to break, but we can make it very, very hard,” Broda said.