In March, Dubner and Levitt tackled the realities of identity theft. Now, with phishing scams getting ever cleverer, state government databases leaving sensitive private information accessible to the world, and identity thieves expanding their schemes into Web giants like Facebook, it’s worth asking: how will the problem of identity theft be solved?
Technology innovators have been plugging away, of course, to develop programs that safeguard sensitive information from prowling hackers. One product touted as a possible solution is OpenID, an online protocol that manages a user’s web identity by offering single sign-on for any participating Web site. Surfers never have to enter a username or password to access sites that demand registration, and can navigate between different sites without logging in or out — the equivalent of an online driver’s license. While the program has yet to hit the mainstream, reports estimate that it and similar products are “two to five years away from mainstream adoption.”
On its face, OpenID seems to offer solution-oriented options for managing identity, like allowing users to identify themselves as part of a demographic (e.g. “35-year-old single man in financial services”) instead of typing in birth dates or employment information during registration. Users can add plugins for extra protection like the “SeatBelt Extension,” which lets you know that you’re visiting a phishing site like this one. Other benefits include an automatic age verification system for purchases (making online liquor stores a possibility in the U.S.) and the erection of additional spam barriers (though, as countless filters have found, the spammers find a way).
Fans of OpenID have leaped on its bandwagon, including online giants like AOL, Microsoft, and VeriSign, all of which publicly endorse the product. Dick Hardt, the CEO of the Internet security firm Sxip Identity, called it “the next generation of how we manage identity on the Internet.”
Still, the concept has one glaring weakness that even a non-computer science expert can figure out: reduce the number of names and passwords you use on the Internet, and you reduce the amount of information a thief needs to steal. This line of thinking led online security giant Ben Laurie to famously dub OpenID a “Phishing Heaven.” Mike Neuenschwander, vice president and research director of identity and privacy at the Burton Group, explained Laurie’s logic as follows: “Today, phishers have to set up a site that mimics a legitimate site a user frequents, and then trick the user into offering credentials and other information. With OpenID, such mimicry isn’t even necessary — the user need only be motivated to log into a site using an OpenID.”
With pro and con arguments flying back and forth, the protocol has become a polarizing force in the technology community, as tech bloggers take sides and rarely miss an opportunity to sound off on the debate. Respected figures like Laurie are working with the OpenID community to help solve its problems, but in the short term, this supposed I.D. theft solution won’t be revolutionizing the Internet any time soon.
What does it all mean for the average consumer? As Dubner and Levitt pointed out in their column, almost three-quarters of identity theft victims incur no damages from the crime. Still, until the security community can reach a consensus, it’s worth triple-checking every time you enter your name and personal information into a “Sign In” box. Even if the site looks like CNN.
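The advice above, to check where a “Sign In” box actually lives before typing into it, is easy to state and easy to get wrong, because a page can look like CNN while the browser is talking to a different host. The example below is an added illustration and is not part of the original column or of the OpenID project; it assumes a constructed allowlist of hosts (`EXPECTED_HOSTS`) the user expects to sign in to, and shows the check a cautious sign-in helper would run on a URL: it requires HTTPS, takes the host the browser would really connect to (so `cnn.com@evil.example` and `cnn.com.evil.example` are not mistaken for CNN), and flags lookalikes that merely contain the expected name.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: hosts where this user expects a sign-in page.
EXPECTED_HOSTS = {"cnn.com", "www.cnn.com"}


def connection_host(url: str) -> str:
    """Return the host the browser would actually connect to.

    urlsplit().hostname discards any 'user@' prefix and ':port' suffix and
    lower-cases the result, which is exactly the part a lookalike URL tries to hide.
    """
    return (urlsplit(url).hostname or "").rstrip(".")


def classify_signin_url(url: str, expected_hosts=EXPECTED_HOSTS) -> str:
    """Classify a sign-in URL before any name or password is entered into it.

    Returns one of:
      "ok"               - HTTPS and the connection host is exactly an expected host
      "insecure-scheme"  - correct host but not served over HTTPS
      "lookalike"        - an expected name appears inside a host that is not expected
                           (e.g. cnn.com.evil.example, or cnn.com@evil.example)
      "unexpected"       - some other host entirely
    """
    parts = urlsplit(url)
    host = connection_host(url)
    if host in expected_hosts:
        return "ok" if parts.scheme == "https" else "insecure-scheme"
    # Any expected name showing up in the raw netloc (userinfo included) or in the
    # real host is the visual trick the column warns about: it looks like CNN.
    raw_netloc = parts.netloc.lower()
    if any(name in host or name in raw_netloc for name in expected_hosts):
        return "lookalike"
    return "unexpected"


def safe_to_sign_in(url: str, expected_hosts=EXPECTED_HOSTS) -> bool:
    """Single yes/no answer for the 'should I type my credentials here' question."""
    return classify_signin_url(url, expected_hosts) == "ok"


if __name__ == "__main__":
    # Constructed sample URLs; none of these are real sites.
    for sample in [
        "https://www.cnn.com/account/login",
        "http://www.cnn.com/account/login",
        "https://cnn.com.evil.example/login",
        "https://cnn.com@evil.example/login",
        "https://totally-unrelated.example/login",
    ]:
        print(f"{classify_signin_url(sample):16} {sample}")
```

The useful property is that the decision never depends on how the page looks, only on the host the browser resolves; that is the part a user cannot judge from the page itself and the part a helper can check mechanically.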

The flaw of a common security login is the flaw of a digital fingerprint: if someone steals it once, they have access to everything.
Instinctively, I thought fingerprint scanning was a great idea. It was only after hearing the head of RSA security speak (in a B-school class) that I saw the problem. Fingerprints are digitized and sent to the website in question. If someone is able to steal that digital combination of 1s and 0s, that person would be able to mimic one’s unique fingerprint.
It appears that OpenID poses the same problem. I can change a password easily enough (and diversify passwords across websites), but I can’t change who I am.
OpenID (or anything similar) will never be the solution to identity theft… as the title of this blog assumes. It is a faulty assumption that all identity theft is driven by thieves who steal users’ IDs and passwords via phishing sites or key-logging software. That is not the case. Not even close.
A lot of identity theft is caused when companies expose the sensitive personal data (name, birthdate, SS#, etc.) of their customers, employees, and former employees. So, you can do everything correctly to protect your personal data and your IDs, and STILL become an ID-theft victim when your employer, or a prior employer, loses your personal data. And we ALL have prior employers. Many people don’t realize that companies archive our personal data for very long periods of time.
I mention this because a company I never worked for (IBM) lost my personal data. IBM got my data when it bought a company (Lotus) I used to work for. I left Lotus in 1991. IBM bought Lotus in 1995. IBM suffered its data breach in 2007. IBM chose to archive my data for at least 16 years and a lot longer… 20 or 30 years… for other former employees. I blog about my experience with identity theft, how I deal with the mess IBM created for me, and related issues about corporate responsibility:
http://ivebeenmugged.typepad.com
George
I believe there is a solution, but OpenID is not it.
I have come up with something called the Private Identity Network (read more at replacegoogle.com) that is based more on economic principles than technical ones.
The idea is to build another level of abstraction around the existing Internet. When you go to use any device, you log in with your Private Identity Provider. Your Private Identity Provider then provisions your real, artificial, or anonymous identity to sites visited based upon your preset parameters.
The economics comes in because the Private Identity Providers are peers in the Network. The way they get more users is to compete for them by offering the most trustworthy experience. But they also cooperate by having secure connections with one another to form the Network as a gated community where users can trust other Private Identity Network users.
The Private Identity Network is a network of people, not machines or non-personal entities. Each person can only have one active presence on the Network at any time. This one person-one presence is guaranteed by a Network Guardian. The Network Guardian is the regulatory entity and it keeps a copy of just the most essential identity data to make sure the one person-one presence is maintained. Non-personal entities may be represented on the Network by natural persons who are members and document their affiliation with the entity.
The Private Identity Providers should be very profitable because everything a user does on the Network will flow through them. They will monetize this by selling only access to their users; if they were ever to sell any user data they would likely face a “run” and lose their users.
This is a dynamic solution because the market competition between the Identity Providers will continuously lead to technical developments that will benefit all over time. This is a big picture structure, not a technical specification.
There are a lot of details to this; if you would like to learn more, please check out replacegoogle.com.
OpenID is not, nor was it even intended, to mitigate identity theft. The purpose of OpenID is to eliminate the need for repetitively entering in the usual information when registering for a new site. It actually improves security by reducing the number of places a user’s information is stored.