Wednesday, July 06, 2005

fyi Phishing Attacks Reach All-Time High


Pointer to article:

Kobielus kommentary:
Identity theft is fast becoming the most ferocious new bete noire of the cyberworld, crowding out spyware, spam, and viruses for that dubious honor. Over the past several months, the mass media have splashed ever scarier cover stories, consumer alerts, and other breaking news on people who’ve had their identities spoofed, credit cards hijacked, and assets looted by unseen strangers lurking out there on the Internet.

Indeed, identity theft is potentially more damaging to people’s lives than spyware, spam, and all the other online threats put together. Amid the growing hysteria, the IdM industry sees a big black eye in the making. Naturally, they’re worried, and they’re beginning to formulate strategies for identity theft prevention, detection, and remediation. In June, for example, Liberty Alliance formed a working group to develop best practices that will help businesses and consumers prevent online identity fraud. In a similar vein, Microsoft recently announced a retooled IdM federation strategy—the Identity Metasystem—that underlines the need for identity-theft and privacy protection.

The unspoken subtext behind these initiatives is that trust—the foundation of IdM federation—is in jeopardy if the industry doesn’t proactively address identity theft on many levels. The stakes couldn’t be higher. What’s most worrisome is the growing prevalence of phishing, pharming, and other social-engineering ploys used to steal user passwords, credit card numbers, bank account numbers, and other critical information. These frauds strike at the very heart of federation: users’ trust in the authenticity of IdPs. If you can’t trust that the party to whom you’re presenting credentials is in fact who they claim to be, then nothing’s truly secure, and people will be much less likely to transact business online.

Likewise, the growing range of well-publicized break-ins to corporate databases, some of which resulted in the theft of hundreds of thousands of user credit card numbers, has further shaken people’s trust in IdPs’ ability to safeguard this critical data. Massive theft of passwords, credit cards, and other credentials creates a corresponding trust loss in the other direction: IdPs who’ve been victimized can no longer trust that the individual presenting these credentials is who they claim to be.

In the face of never-ending identity theft, the only way out of this downward spiral is to continue reissuing new credentials to the impacted users, but only after those users have been proofed to strong assurance by reputable agents, and only if the new credentials rely on biometrics for strong authentication. Clearly, that theft-unfriendly IdM environment is a long way from being implemented in the real world, and it would be quite expensive, complex, and cumbersome to deploy universally.

Some have argued that federated IdM is a fundamentally flawed approach that encourages identity theft. Nothing could be further from the truth. There’s nothing inherently insecure about federation protocols—such as SAML and Liberty Alliance ID-FF—or in the way they’ve been implemented by vendors and enterprises.

Rather, most identity theft has its origins in the massive online market for bulk user personal data of the sort that many consumer-facing businesses collect in normal operations. Identity merchants indiscriminately buy, sell, and resell this information to anybody who can put up the bucks. By the same token, enterprises, carriers, and other IdPs frequently implement lax controls on external access to identity information in their databases and directories, thereby inviting frequent break-ins. This is wholesale identity harvesting, as opposed to the low-yield but persistent phishing and pharming attacks that undermine popular confidence in IdM environments but result in relatively few criminal-fraud incidents.

For sure, the federated IdM industry isn’t the only sector of our economy that’s looking for solutions to the multifaceted problem of identity theft. But the federated IdM market realizes that this is a showstopper, bread-and-butter issue for them. It threatens to overshadow all of their other efforts to create a universal trust environment for interoperable e-business.

To their credit, the industry realizes that technical standards alone aren’t the answer to identity theft and fraud. The threat is so multifaceted, pervasive, and stubborn that it must be addressed with federated IdM best practices that also encompass business, legal, consumer-education, and other considerations. That cross-disciplinary approach to identity theft protection—not purely technical approaches—should be the ongoing focus of work at Liberty Alliance and other industry groups.