Online Identity Theft: Changing the Game

Protecting Personal Information on the Internet


The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft.

Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property.

Microsoft, CardSpace, Internet Explorer, Outlook and Windows are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corp. • One Microsoft Way • Redmond, WA 98052-6399 • USA

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2008 Microsoft Corp. All rights reserved.


Contents

Executive Summary
Introduction
Stolen Data, Fraud and the Rise of “Phishing”
Sophisticated Spoofs
Principles for Mitigating Identity Theft Now
Principle One: Use Two-Way Verification
Visual Cues
Principle Two: Secure “Shared Secrets”
Principle Three: Maintain Strong Control over Data
Changing the Game: Protecting Personal Information on the Internet
Information Cards
Identity Verification
Tackling “Inside Job” Identity Theft
How Governments and Enterprises Can Help
Adopting the Technology
Striving for Maximum Consumer Convenience
Conclusion


Trustworthy Computing Microsoft Corporation


Online Identity Theft

Executive Summary

Identity theft threatens the growth of e-commerce and the provision of financial and government services online. The issue requires a more comprehensive approach to protecting personal information, including consumer education, new technology tools, responsible business practices, a strong legislative framework, law enforcement engagement and expanded victim assistance.

The ad hoc way in which online identities are managed today cannot withstand the increasing assaults from expert criminal attackers. A new approach to securely managing online identity is essential—namely, a system that uses an interoperable, vendor-neutral framework and gives end users more direct control over their digital identity. One key component of this system is a new technology called an “Information Card,” which enables the creation of very secure digital entities.

Equally important is our ability to lessen or preferably eliminate the value of personal information, thereby drastically reducing the incentives to commit identity theft.

Microsoft is committed to partnering with governments, law enforcement, businesses and consumers to advance this vision. The steps include three key elements:

Adopting advanced digital identities in government, enterprise and online service environments, along with better data governance processes

Creating a secure digital identification system that allows convenient online transactions and enables higher levels of security—based on real-world verified identities—when appropriate

Convening stakeholders to build broad support for the use of digital Information Cards as a basic tool to reduce online identity theft and increase confidence in e-commerce and other online services


Introduction

Personally identifying information (PII) in digital form is the lifeblood of the Internet age. Because individuals, organizations, businesses and governments have been willing to trust service providers with such PII, the past decade has seen a tremendous variety of new uses for the Internet. Access to PII has helped fuel explosive growth in e-commerce and e-government applications as well as various online communities. Online banking and investing services, travel and shopping Web sites, and electronic filing of tax returns and license renewals are all examples of how the Internet is enabling economic opportunity, efficiency and personal convenience in addition to offering countless other benefits.

But along with the benefits, concerns about protecting PII are also escalating. Armed with personal information gathered online and offline through phishing[1] attacks, spyware,[2] social engineering scams and other illicit methods, identity thieves are stealing billions of dollars through unauthorized transactions and new lines of credit opened fraudulently in the name of unwitting consumers. While financial losses from offline and online identity theft have declined slightly, in 2007 they still totaled US$45 billion in the United States alone.[3]

Online fraud is undermining confidence in the Internet and slowing the growth of online commerce and other services. In 2006, 12 percent of EU residents aged 16 to 74 said they avoided online purchases because of security concerns. In comparison, 57 percent said they had used the Internet and 30 percent said they shopped online in 2007.[4]

Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle growing volumes of PII and use it in more diverse ways. Widely publicized leaks of sensitive data from custodians such as financial institutions, credit bureaus and government agencies are eroding public trust in the Internet and threatening to dampen online commerce and services.

This paper outlines a set of near-term tactics for mitigating online identity theft as well as a longer-range strategic vision for fundamentally “changing the game” with regard to how people assert their identity on the Internet and how such identity claims are verified by other parties during an online interaction or transaction. It also offers recommended actions for government and industry leaders to help establish the infrastructure necessary for creating a more trustworthy Internet.[5]

[1] Phishing: An act of Internet fraud in which the perpetrator seeks to trick people into providing personal financial information, such as bank account or credit card information. This is often done by sending a fraudulent e-mail purporting to be from a bank, Internet provider or other trusted source and asking for verification of an account number or password.

[2] Spyware: Computer software that is installed surreptitiously on a personal computer in order to intercept data or take partial control of the user's interaction with the computer, without the user’s informed consent.

[3] Javelin Strategy & Research, 2007 Identity Fraud Survey Report, February 2008.

[4] Eurostat news release, “One person in eight in the EU27 avoids e-shopping because of security concerns,” February 2008.

[5] While a number of the principles described in this paper also apply to mitigating offline identity theft, our primary focus here is on the online realm. These steps will not eradicate the risk, but they can reduce the amount of theft of personal information online and limit the impact when it does occur.


Broadly, tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End Trust—giving people more usable information about whom and what to trust online by building the infrastructure required to help evaluate the people, devices, software and data that make up the Internet.[6]

Stolen Data, Fraud and the Rise of “Phishing”

At the time it was designed, the Internet was primarily a medium for sharing information. E-commerce and online banking, which are prevalent today, were not yet envisioned. As such, the Web was not built with robust identity and authentication capabilities—a fact that has spawned a number of unwelcome experiences. Four key attributes of the Internet that malicious attackers thrive on are its global connectivity, practical anonymity, lack of traceability and valuable targets. It is also difficult for computer users to determine what programs are running on their machines, what machines they are connecting to and with whom they are conducting transactions online. This paper offers some ideas for changing these fundamental conditions in ways that continue to respect anonymity and privacy but “change the game” with respect to Internet-based identity theft.

The current Internet environment has allowed identity thieves to proliferate. They have developed a variety of clever methods to steal personal information and even resell it online. For example, in a May 2008 posting on the McAfee Avert Labs Blog, one investigator described his discovery of a Web site that invites criminals to buy and sell credit card numbers, bank account log-in passwords and other data that have been stolen from unsuspecting consumers in different parts of the world.[7]

Criminals previously relied on collecting information from lost or stolen laptops, using malicious software and exploiting online services. As the technology community has enhanced software and hardware security, making traditional exploits more difficult, these criminals have become highly adept at deceiving individuals into divulging personal information through phishing and similar scams.

According to the Gartner research firm, “Phishing attacks in the United States soared in 2007 as $3.2 billion was lost to these attacks.” A survey that the firm conducted in 2007 found that “3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before.”[8]

Sophisticated Spoofs

As scam artists become more sophisticated, so do their phishing e-mail messages and pop-up windows, which often include official-looking logos of real organizations and other identifying information taken directly from legitimate Web sites. In a typical phishing scam, the bogus Web site’s operator aims to trick consumers into providing personal data such as their name, address, account number and password. If successful, the “phisher” can then access the consumer’s accounts and transfer money or, with enough information, open new lines of credit in the victim’s name, using his or her good credit and assets as collateral. A fraudulent home equity loan, for example, could reap tens of thousands of dollars for a criminal in a single transaction.

[6] For more information, see “Establishing End to End Trust” at http://download.microsoft.com/download/7/2/3/723a663c-652a-47ef-a2f5-91842417cab6/Establishing_End_to_End_Trust.pdf.

[7] McAfee Avert Labs Blog, “You have to pay for quality,” May 7, 2008. http://www.avertlabs.com/research/blog/index.php/2008/05/07/you-have-to-pay-for-quality/.

[8] Gartner, Inc., “Gartner Survey Shows Phishing Attacks Escalated in 2007; More than $3 Billion Lost to These Attacks,” Dec. 17, 2007. http://www.gartner.com/it/page.jsp?id=565125.

To make these phishing e-mail messages look legitimate, scam artists often place a link in them that appears to go to the legitimate Web site but actually takes the user to a phony site or possibly a pop-up window that looks exactly like the official site. These copycat sites are commonly called “spoofed” Web sites.

Here’s a picture of what a phishing scam e-mail message might look like:

Example of a phishing e-mail message, which includes a deceptive URL address that links to a scam Web site. The sender has made the link in the mail appear to be from a legitimate bank by including “Contoso Bank” throughout the text, but the actual URL does not lead to the Contoso domain. In this example, Microsoft Office Outlook® 2007 has provided a warning that the e-mail looks suspicious.

Criminals also use a number of other techniques to gain access to personal information. For example, Web sites or e-mail attachments may plant harmful software onto PCs to steal information directly. Such software may log keystrokes or “scrape” the user’s screen—a technique in which one computer program extracts data from the display output of another program—and send the data to the criminal for analysis. Another technique, “pharming,” involves remotely changing Internet routing behaviors to redirect Web traffic to fraudulent but legitimate-looking destinations, where ID thieves may be able to trick users into divulging personal data. Collectively, these types of fraud are a serious threat to security on the Internet.


Principles for Mitigating Identity Theft Now

Later sections of this paper outline how the vision of End to End Trust can advance fundamental changes in how PII is used. In the near term, consumers, governments and businesses can take important steps to help mitigate those risks.

In addition to building anti-phishing, anti-spyware and anti-malware[9] features and other security tools into its products, Microsoft works collaboratively with governments, the IT industry, business partners and customers to help reduce identity theft. Based on this work, we’ve identified some core principles for helping consumers safeguard their identity from misuse, helping organizations protect PII entrusted to them, discouraging would-be criminals from attempting identity theft and helping identity theft victims get the relief they need.

Principle One: Use Two-Way Verification

When authenticating users, online merchants and financial institutions typically use a “challenge”—such as asking for a username and password—to make sure the user should be allowed to access an account or conclude a transaction. However, the reverse is typically not true: consumers don’t have a means to require Web site providers to prove who they are. While it is possible for a Web site to prove its authenticity by obtaining an Extended Validation (EV) certificate, which requires investigation of the site by a reputable certificate authority, EV certificates are still in the gradual process of being adopted broadly. Typically, the most that consumers can do is visually inspect the site to see if it looks genuine, but increasingly sophisticated thieves are creating spoofed pages that appear virtually identical to those of an authentic Web site.

In the short term, consumers need better tools to identify signs of possible fraud.

[9] Malware is a term used to describe software or program code that is designed with malicious intent; for example, to infiltrate or damage a computer system without the owner's informed consent.

Consumer Tips for Avoiding Identity Theft

Be suspicious of any e-mail with urgent requests for personal financial information. Phishers typically include upsetting or exciting (but false) statements in their e-mails to get people to react; they might even address the recipient by name. Valid messages from banks and online merchants almost never ask users to reenter their login credentials, update their records or reenter account data.

Think before clicking links in e-mail, instant messages or chat sessions. Avoid clicking on such links to get to any Web page if you suspect that the message might not be authentic or if you don't know the sender. Instead, call the company on the telephone or visit its Web site by typing the Web address in your browser.

Install a Web browser toolbar. Look for one that helps identify known fraudulent Web sites and alerts the user if it finds a match. Internet Explorer 7 includes such a toolbar.

Request copies of your credit report at least once a year. Check the report for suspicious entries, such as accounts that have been opened without your knowledge. Catching fraud early can minimize the damage an identity thief can cause.

For more information on spotting potential scams and helping to keep personal information safe, visit these Web sites:

Microsoft Security at Home: http://www.microsoft.com/protect/default.mspx

Anti-Phishing Working Group: http://www.apwg.org

Visual Cues

A Web site should ideally display its authenticity in a way that makes sense to a user. One such technique is the use of an image-based identification challenge—also known as a “visual secret.” The site displays a visual cue when asking for the person’s username and password. This visual cue—such as a photo of a boat or a horse—will be one that the user previously selected when creating the account. If, when the user begins the login process, the image is missing or incorrect, it serves as a warning that the Web site might not be legitimate. It is worth noting that this kind of approach is successful only if the user knows and remembers to look for the visual secret.

Windows CardSpace™, a type of Information Card technology from Microsoft that is described in more detail later, also provides visual cues for consumers. CardSpace does this by displaying certificate data associated with the Web site as well as by delivering a different user experience for a new or “spoofed” site than it does for a trusted site that the consumer has previously visited.

In addition, consumers can look for evidence of security safeguards deployed by a Web site. This includes a symbol of a lock displayed in the address bar or at the lower edge of the Web site, which indicates that data exchanged on the site is protected by Secure Sockets Layer (SSL) encryption. In the Windows® Internet Explorer® 7 browser, as well as in other browsers, users can hover over this lock symbol with the cursor or click on it to view more detailed information about the site’s certificate and the issuing authority, such as VeriSign.

Principle Two: Secure “Shared Secrets”

Most Web sites that manage access to private information use the “shared secret” technique to protect that access. A shared secret is something that only the user and the Web site know, such as a username and password or government-issued identification number. It can also be a private piece of data the user chooses to share with the Web site, such as a credit card number or the name of a childhood pet. While this approach makes it convenient for merchants, banks and government agencies to identify users, it also creates incentives and opportunities for identity thieves. These secrets can be relatively easy to obtain through interception, deception or theft and then used to impersonate the victim, steal assets, commit fraud and initiate more criminal activities.

Users can and should take steps to ensure these secrets aren’t acquired by criminals. One of the most basic steps consumers can take is to avoid reusing passwords out of convenience and instead create different passwords to access each individual Web site or online system. This approach will help prevent thieves from using one intercepted piece of information to compromise multiple accounts.

Another helpful precaution is to create strong passwords that contain not just letters but also at least one numeral and one symbol (such as &, * or @). This approach is not effective for warding off phishing attacks but is useful in other situations.


Identity Theft Enforcement and Relief

Local, state and federal law enforcement agencies should make identity theft a higher priority for investigation and prosecution. This does not necessarily require new legislation but rather dedicating the resources needed to enforce existing laws against identity theft. Greater global and interagency cooperation and intelligence sharing would also help investigators to identify cyber criminals, build stronger cases for prosecuting them and leave fewer places for thieves to hide.

This collaboration must include at least three components: better enforcement tools, explicit penalties and better protections for consumers.

Law enforcement and corporate security personnel need access to technologies and programs that aggregate identity theft data (taking personal privacy protections into account) to spot patterns, track down the big players and build cases for prosecution. One example of this is the Identity Theft Clearinghouse created by the U.S. Federal Trade Commission (FTC), which contains millions of consumer complaints about identity theft plus information on victims’ experiences with identity thieves.

Stronger laws can also help boost prosecution of identity thieves in cases that cross multiple jurisdictions. By changing local legal codes, governments can close loopholes that frustrate prosecutions in such cases and can create stronger deterrents against identity theft.

Finally, jurisdictions can enact legal changes that better empower victims of identity theft to mitigate losses, restore their credit and correct public records. This includes strengthening the rights of identity theft victims to obtain records regarding misuse of their information and get fraudulent accounts and transactions wiped off their credit report. Financial creditors and merchants can help by establishing dedicated resources, such as a telephone hotline and Web portal, that enable people to quickly report incidents of actual or suspected identity theft and take steps to minimize the impacts.

Principle Three: Maintain Strong Control over Data

Many identity theft incidents still occur through offline methods such as “dumpster diving,” robbery and deception.[10] This is a complex problem that is best addressed collaboratively by law enforcement, government, educational and financial institutions, civic organizations, businesses and the technology industry. It also requires heightened consumer awareness, responsible business practices, effective law enforcement and appropriate legislation—along with support from leading-edge technology products.

Institutions that manage data must take steps to keep it safe. The large databases of personal data maintained by merchants, financial institutions and information brokers are a tempting target for identity thieves. Data leaks can occur in a number of ways, including lost or stolen computers, access to data under false pretenses by a rogue client, a security breach from the outside or an “inside job” by an employee.

When a major data custodian experiences this type of leak, the repercussions can be huge. For example, in November 2007, the UK tax agency Her Majesty’s Revenue and Customs disclosed that it had lost computer disks containing the records of 25 million UK residents—about 40 percent of the population—including confidential information such as names and addresses associated with birth dates and bank account data. Preventing such an incident requires tight controls over the collection, storage and use of personal information. Successful data governance demands that an organization’s policies, people, processes and technology be aligned at all levels toward responsibly managing and strongly protecting PII.

[10] Federal Trade Commission – 2006 Identity Theft Survey Report, pp. 27–31. http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

An even more basic and effective means of safeguarding PII is to not collect it in the first place. Traditionally, business leaders have simply collected a large set of PII with the view that it could provide some future business use. This has resulted in organizations being obligated to safeguard information for which they may not have a direct business use. Adopting a commitment to collect only the minimum information required in order to provide the requested service—rather than all of the PII possible—is a more responsible way to manage the threat of identity fraud.

Many businesses either do, or should, have basic legal obligations to protect some types of data, ensure fair credit reporting and give consumers opportunities to correct information stored with the business. But businesses can also benefit from guidance and education in these areas. As the example above indicates, governments are among the large organizations that need to be especially conscious of effective and efficient data governance practices.

Government officials also play an important role in helping to evangelize such robust practices. By creating blue-ribbon panels or other advisory groups and by drawing on business management and privacy experts in both the public and private sectors, government can help develop guidance. Other important roles for government include raising awareness of responsible privacy protection practices through public education campaigns and incorporating that guidance into programs that assist businesses or organizations that maintain data.

Changing the Game: Protecting Personal Information on the Internet

It is important to educate consumers and help them make informed judgments about disclosing private information, to promote responsible data governance practices among organizations and to punish those who commit identity theft crimes. But an even better approach to enhancing security and privacy is to reduce reliance on “shared secrets” such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online. In addition to being relatively easy to steal, these shared secrets can be difficult to remember, update and manage.

We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse—ones that leverage technology to give end users more direct control over their digital identities. Instead of requiring users to produce personal information to establish their identity, we should think of personal information as too valuable to be shared directly.

Microsoft has analyzed this problem in depth, at both a policy level and a technical level. Kim Cameron, Microsoft’s chief architect of Identity, has defined several Laws of Identity[11] that help define ground rules for designing services of all types to allow individuals to access those services while disclosing a limited amount of PII. To put it in technical terms, we should enable a system whereby users—or electronic systems—can present not PII itself, but digital identities containing only the minimum claims necessary to enable interactions and trust establishment online. This type of system defines new identity practices for the Web.

[11] See http://www.identityblog.com/stories/2004/12/09/thelaws.html. The Laws of Identity offer a framework for use by systems of many types and purposes.


Think of how a check represents a right to claim certain assets of an individual or organization that are held at a bank

or other financial institution. Similarly, we can use technology to create a token that represents certain rights and

therefore serves as a medium of trade and exchange. As long as personal information is used for authentication on

the Web, the incentive to steal it is high. But if better practices provide no personal information and reveal no

information of value to anyone other than the holder, the incentives and opportunities for identity theft will be

drastically reduced.

To open a bank account on which checks can be written, or to cash a check, one needs to provide some form of

identification. Commerce and other online activities also require a form of identification. You have to show both that

you have the right to claim certain assets and that you are the person entitled to that right. To better secure this

aspect of online activity, Microsoft has worked with a variety of other organizations to create a system based on

Information Cards. Information Cards are intended to work within an interoperable, neutral framework. Microsoft’s

Information Card client software is called Windows CardSpace, but users of other software can also create

Information Cards. Information Cards complement other Internet identity architectures and are built on a commonly

accepted set of Web protocols. Interoperable Information Card technology is being deployed in, and works between,

a wide variety of systems supplied by different vendors.¹²

Information Cards

Information Cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone.

They are analogous to tangible cards in a person’s wallet. In much the same way that a person might use a student

ID card to get free admission to a museum or a frequent-shopper card to get a discount on groceries, a digital

Information Card issued by one entity can be used to verify the card owner’s identity with another entity, as long as

the card includes the necessary data.

How does this work? The creation and use of Information Cards involves three parties. The first party is the entity that

issues the card. In the case of a card for use in sensitive interactions, the issuer might be a government, business or

nonprofit organization. For less sensitive uses, individuals might issue themselves a card. The second party, or

relying party, is whoever needs to accept the card during a transaction. The third party is the cardholder, who decides

which card to present in a given transaction.

How does the use of Information Cards reduce the risk of identity theft? For starters, the person’s username and

password aren’t transmitted when an Information Card is presented to a Web site, so they can’t be stolen. Information

Card technology also supports a range of robust encryption methods that help prevent tampering with the data on the

card or snooping to intercept it in transit. Information Cards also allow relying parties to request the minimum amount

of personal information needed to authenticate an identity in a given transaction. For example, a particular card might

have 10 fields—for name, address, birth date, credit card number, frequent flyer number and so on—but depending

on the situation, a relying party might need only two fields of information to complete the transaction (such as name

and birth date).

12 For a further description, see http://research.microsoft.com/~mbj/papers/CardSpace_One-Pager.pdf.

Page 13: Online Identity Theft: Changing the Game

Information Cards are designed to prevent data that is shared in one context from being reused in a different context.

This is accomplished through creating a unique set of keys for each combination of Information Card and relying

party. Through the use of this security technique, the information used for transactions on one Web site is not

available to other Web sites. Finally, because Information Cards allow the user to supply additional authoritative

information (such as name and e-mail address) on demand to Web sites for authentication or other purposes, there is

less need for organizations to store this data in their systems for long periods of time—and thereby run the risk of it

being stolen.¹³
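The two properties described above, release of only the requested claims and a unique key for each combination of card and relying party, in a simplified Python model. This is an added example, not Microsoft's or CardSpace's code: the HMAC-based key derivation, the token layout and every name and sample value are assumptions made for illustration, with HMAC standing in for the signatures a real implementation would use.

```python
import hashlib
import hmac
import json

# Constructed sample card; field names and values are illustrative only.
CARD = {
    "card_id": "card-0001",
    "master_secret": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "claims": {
        "name": "Alex Example",
        "address": "1 Sample Street",
        "birth_date": "1980-01-01",
        "credit_card_number": "0000-0000-0000-0000",
        "frequent_flyer_number": "FF-000000",
    },
}


def pairwise_key(card, relying_party):
    """Derive a key unique to this (card, relying party) combination."""
    info = f"{card['card_id']}|{relying_party}".encode()
    return hmac.new(card["master_secret"], info, hashlib.sha256).digest()


def pairwise_id(card, relying_party):
    """Identifier one relying party sees; it differs at every other site."""
    digest = hashlib.sha256(b"id" + pairwise_key(card, relying_party))
    return digest.hexdigest()[:32]


def issue_token(card, relying_party, requested_claims):
    """Release only the requested claims, bound to one relying party."""
    missing = [c for c in requested_claims if c not in card["claims"]]
    if missing:
        raise KeyError(f"card cannot satisfy claims: {missing}")
    body = {
        "audience": relying_party,
        "subject": pairwise_id(card, relying_party),
        "claims": {c: card["claims"][c] for c in requested_claims},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    key = pairwise_key(card, relying_party)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_token(token, relying_party, key):
    """Relying-party check: correct audience and an untampered body.

    Assumption: the site received its pairwise key when the card was
    first used there (symmetric stand-in for a per-site key pair).
    """
    if token["body"]["audience"] != relying_party:
        return False
    payload = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["tag"])
```

A token issued for one site carries a different subject identifier and fails verification at any other site, so data captured in one context cannot be replayed or correlated in another.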

To further advance the interoperability and adoption of this technology, Microsoft and an array of other prominent

companies recently formed the non-profit Information Card Foundation.¹⁴ Members of this foundation—including

Equifax, Google, Novell, Oracle and PayPal—share Microsoft’s commitment to fostering a simpler, more secure and

more open digital identity on the Internet, increasing users’ control over their personal information, and enabling

mutually beneficial digital relationships between people and businesses.

Identity Verification

For uses such as e-commerce, online banking and online government services, it’s vital that the Information Card’s

contents be verifiable with a high degree of certainty. Indeed, the identity claims we typically use in sensitive

situations—such as name, driver’s license number and government ID number—are generally based on previous

verification when we were physically present. For example, hospitals issue birth certificates based on eyewitness

evidence of a newborn’s entry into the world. Later, when we’re older, we might use that birth certificate to get a

driver’s license or passport from a government agency. We might then take this other document to a bank to open an

account or to an airline counter to check in for a flight.

A safer Internet must support a variety of options for establishing confidence in digital identities. These options may

be based directly on, or be derived from, in-person verification by a reliable entity, guarantors, existing relationship

data, or companies that provide this type of reputation service. For example, merely entering a driver’s license

number on an online credit application does not carry the necessary degree of trustworthiness. The driver’s license

might be a stolen one, or the person using the number might be someone other than the person who was issued the

license.

A more trustworthy approach for the Internet would involve designating mechanisms and processes for establishing

validated digital identities. One such mechanism might involve places where people could go to present validated

physical identification based on in-person verification and then obtain a digital form of identification with similar

reliability. Depending on the country and required level of assurance, such designated locations might include post

offices, libraries or even licensed private enterprises such as notaries public, copy centers, banks or mobile phone

stores. Governments and private institutions could also strengthen their digital identities based on in-person

verification and embed them in Information Cards for use on the Web.

13 A more detailed overview of this technology can be found at http://www.identityblog.com/wp-content/resources/Identity_Metasystem_EU_Privacy.pdf.

14 “Technology Community forms Information Card Foundation to Simplify Secure Online Digital Identity,” June 24, 2008. http://informationcard.net/files/ICFPressRelease6-24-08.pdf.

Page 14: Online Identity Theft: Changing the Game

It’s also important to recognize that digital identities go through a regular life cycle, from issuance to use and

ultimately to retirement. An identity system must take into account all aspects of this life cycle because a weak

process at any stage will reduce assurance of identity to the lowest level. For example, if an identity is issued based

on a high-assurance process but is inadequately safeguarded in its use, the assurance of that identity ultimately is

reduced.

Tackling “Inside Job” Identity Theft

Establishing a framework for issuing and using more trustworthy digital identities on the Web also requires

protections against “inside job” identity theft, whereby a person working inside a government or a bank—an institution

that creates identities in the first place—gains access to someone’s information associated with the Information Card

or creates fraudulent Information Cards.

Microsoft is working to tackle insider threats through a technology called U-Prove. U-Prove employs cryptography to

safeguard the data needed for a transaction while preventing systems from being able to pull together information

about users from various sources. Such linking of information across sources is a significant risk to privacy because

the more pieces of data a criminal has about an individual, the more easily the criminal can take control of that

person’s identity. The use of U-Prove can help reduce a criminal’s ability to steal identities by accruing various pieces

of information over time.

How Governments and Enterprises Can Help

Advanced technology such as Information Cards and U-Prove can do much to “change the game” with respect to

identity theft by helping to discourage criminals from gathering PII and minimizing the damage when security

breaches occur. But making this approach the standard practice for online commerce will require much more than

just rolling out the technology. To truly change the game requires a collective effort and changes not just to

technology but to information-handling practices, how technology is deployed, and the creation of both legal and

business infrastructure to support the use of digital identities, rather than personal information, to enable interactions

on the Web.

Microsoft has learned through past experience why important efforts sometimes fail. One reason is misalignment

between technology, social forces and policy values, and market dynamics. We believe that these important aspects

can be aligned in the effort to address digital identity on the Web, and we offer some suggestions on how they should

be aligned. In many respects, governments are well positioned to lead the effort to reduce identity theft because of

their role in passing laws, protecting market incentives and preserving social values.

Adopting the Technology

First, governments can advance this vision by adopting and supporting the Laws of Identity and beginning to deploy

advanced technologies such as Information Cards and other related identity technologies in their own operations.

This spans both internal systems, such as computer networks used by government employees, and e-government

Page 15: Online Identity Theft: Changing the Game

systems, such as online services used by the public to obtain government benefits, pay license fees and contribute

comments to administrative proceedings.

These government enterprise systems are among the largest creators, consumers and processors of identity

information and therefore hold tremendous influence over how private and secure it can remain. As noted earlier, the

Information Card technology is intended to be deployed in an interoperable, vendor-neutral framework. It won’t matter

which vendor’s servers or software are deployed in an enterprise or government system, and most if not all systems

should be capable of making the system changes needed to handle identity-based transactions through an

Information Card approach.

Governments can also help encourage this transition by working with the technology and business community to

agree on approaches for data governance and the types of robust technology infrastructures needed to support those

processes. While governments use technology within their own operations to reduce the extent to which personal

information is exchanged, they can also drive change by encouraging other organizations to use tools that limit the

disclosure of PII and the unnecessary aggregation of data, which can lead to a host of security and privacy risks.

From there, governments and organizations can help build greater trust in the online realm by promoting, both

through legal and procedural means, the availability of easily obtained digital identities—the piece of software code

that makes identity assertions in order to authorize people’s online access to data and services. For example,

government agencies are logical avenues for providing in-person verification of identity claims at venues such as

government service desks.

As noted above, in-person verification of identity may serve as the basis for identity claims presented by Information

Cards. This offers a much stronger form of identity than is currently used online (e.g., a username and password

created by the user). However, we recognize that users and businesses will not want to sacrifice convenience and

ease of use when it comes to online identity methods. In that light, we suggest that governments help foster the

creation of additional means of obtaining verified digital certificates.

Striving for Maximum Consumer Convenience

To increase the adoption of more secure identity systems, consumers will need convenient opportunities to obtain

digital identification based on verification. Many enterprises—such as vendors that provide notary services, copying

centers and mobile phone retailers—may be inclined to offer this service as a logical extension of their existing

business. However, these private businesses could be vulnerable to litigation if they are victims of fraud—if, for

example, someone presents a fake passport or if an identity that the business issued is compromised.

To address this concern, legislators could develop frameworks to address the liability issues associated with the use

of digital identities in the context of business transactions, so that potential litigation does not unduly constrain this

opportunity for businesses and for consumers. For instance, if an Information Card somehow falls into the wrong

hands and is used to commit a crime, to what extent should the issuer, the relying party and the ID holder be held

accountable? This question could apply to governments as well, such as in the case of school-issued ID tokens being

stolen. It will be important to address these questions, and to think carefully about who is authorized to provide digital

identity credentials in this new system. We believe, however, that consumers, merchants and IT system managers

will want to minimize the disruption to their current services in the trade-off between security and convenience.

Page 16: Online Identity Theft: Changing the Game

This is a bold proposal. To achieve these goals, it is important to address all of the complicated social, political,

economic and technical issues involved and to do so through open dialogue aimed at common objectives.

Governments can serve as crucial conveners in this regard, both locally and internationally. On a variety of other

issues that affect the public, governments have successfully created expert panels, convened discussion forums and

fostered opportunities for generating input from business and industry, academia and nongovernmental

organizations.

All of these interests and perspectives should be reflected in discussions about this approach to digital identity—

including how to implement the infrastructure needed to support digital identities and how best to incorporate these

identities into government systems that issue identities, process benefit claims or provide other services. Such a

dialogue will also be crucial to driving consensus on important policy decisions, such as how to effectively use digital

identities to replace PII and appropriately balance anonymity with accountability on the Internet. Governments can

play a key role as conveners of, and participants in, this dialogue.

Conclusion

Combating the complex problem of identity theft demands a holistic strategy that combines effective consumer

education programs, robust technology tools, responsible business practices, a strong legislative framework, law

enforcement engagement and expanded victim assistance.

Recommended starting points include:

• Increasing consumer education about identity theft and its prevention

• Implementing appropriate identity authentication mechanisms

• Identifying and developing data governance policies and processes in support of digital identities

• Ensuring high levels of privacy and security throughout the Internet technology infrastructure, while also preserving social values and consumer expectations regarding anonymity on the Web

• Adopting and advocating practices that limit the required disclosure of PII by consumers and limit its use by governments and enterprises to the minimum necessary to fulfill a specific purpose

• Educating consumers to disclose only the minimal PII needed when conducting a transaction or requesting a service

• Enacting and enforcing criminal penalties for identity theft and other online criminal activities

• Ensuring that identity theft victims have ready access to assistance in reclaiming their identity and repairing the damage to their financial standing

These actions are very important, but on their own they are not enough to prevent further costs to our society from

identity theft. The ad hoc way in which online identities are managed today cannot withstand the increasing assaults

from expert criminal attackers. Identity theft not only has serious implications for the individuals whose assets and

livelihoods are violated, but it also threatens the credibility of economic transactions at a time when advances in

broadband communications and online services should be driving greater acceptance of these transactions.

Page 17: Online Identity Theft: Changing the Game

One of the keys to changing the game in identity protection is to establish an interoperable, vendor-neutral framework

that uses technology to give end users more direct control over their digital identity. This is crucial to the objective of

limiting the value of personal information as a key to online access and reducing the incentives to commit identity

theft.

The immediate steps toward this approach involve three key elements:

• Adopting advanced digital identities in government, enterprise and online service environments, along with better data governance processes

• Creating a secure digital identification system that allows convenient online transactions, and also enables higher levels of security—based on real-world verified identities—when appropriate

• Convening stakeholders to help generate broad support for “changing the game” on identity theft and taking steps to create business and consumer awareness and adoption of information cards, regardless of what computing system or technology they may use

Collaboration across all of these fronts will improve our collective efforts to target the root causes of identity theft,

minimize the incentives to commit identity theft, reduce its impact and limit such opportunities for criminals in the

future.

Microsoft is committed to partnering with government, law enforcement, business partners and consumers to

advance this vision. We believe it is possible to make the Internet safer for consumers and families and therefore

more reliable for individuals, businesses and governments.