Guest Blog Post from Dan Schutzer, CTO Financial Services Technology Group, Division of the Financial Services Roundtable: 

The issue of identity impersonation and identity-related crimes has been a long-standing issue dating back before the dawn of the Internet. It has even been the subject of movies, books and articles. For example, in the movies Prince and the Pauper, two boys switch places, one impersonating the real Prince; in Double Trouble and its sequel Parent Trap, two twins separated at birth, each one living with a different parent, switch places. More recently Minority Report deals with a policeman in the future running from the law who actually replaces his iris to avoid detection in a world where people are uniquely identified by their iris patterns; and in Face-off a criminal and officer switch faces and identities. 

What has changed with the advent of the Internet? Why are we more focused on identity assurance today? I believe we are seeing a major shift in lifestyles that justifies this new sharpened focus. Our digital and physical lives have blurred and so has crime. We shop in stores and on-line. We get discount coupons via email. We visit physical bank branches, withdraw cash from Automated Teller Machines, and pay bills and transfer funds on-line. Similarly, criminals harvest sensitive information both from the physical (e.g. dumpster diving, stolen and skimmed credit cards, laptops and tapes) and the cyber world (ID’s, passwords and personal information are stolen). With the advent of the smart phone this trend will likely increase. 

In today’s world of the Internet and social networks there are fewer secrets.  Dates of birth, relatives, current and previous addresses, and passwords are often easily obtained. This is further aggravated by phishing, vishing and smishing social engineering attacks.  Identity credentials (e.g. driver’s license) and artifacts can be forged or spoofed.

The Internet and the greater accessibility of information and the improved technology for economically reproducing identity credentials, has made it easier for criminals to assume false identities or to impersonate other people 

The fight against account takeover and identity impersonation is a constant battle, where financial institutions need to continuously improve and strengthen their defenses at all stages of the life cycle:  

Identity proofing and issuance of an identity credential
Authentication of an individual using the issued identity credentials
Execution of a transaction, including changes to the individual’s identity attributes (such as change of address, or password reset) as well as financial transactions (such as transfer of funds)
Detecting and stopping or mitigating attempted fraud.
Investigating and prosecuting fraud after it has occurred.
Revocation of a credential or closing of an account. 

There are a number of BITS/FSTC initiatives launched in 2009 and continuing on to 2010 that addresses this issue. They include: 

  • Taking surveys of the state of Authentication amongst its members
  • Investigating Biometrics and their role in strengthening identity proofing and authentication
  • Taking steps to address and reduce fraud
  • Reviewing and commenting on regulations looking at providing authentication guidance
  • Establishment and operation of an industry Identity Assurance Theft Assistance Center
  • Running an Identity Assurance Special Interest Group to discuss issues and propose solutions in the Identity Assurance space
  • Running a secure web browsing initiative aimed at dealing with issues of strong mutual authentication aimed at preventing social engineering and man-in-the-middle/man-in-the-browser attacks
  • Working with the FSSCC on initiatives in the Identity management area, with initial focus in strengthening identity proofing through collaboration of identity credential providers. 

One topic of discussion revolves around the need for a unifying identity metasystem .

Why is this needed? The Internet was built without a way to know who and what you are connecting to. Since this essential capability is missing, everyone offering an Internet service that requires some form of identification has had to come up with a workaround. It is fair to say that today’s Internet, absent a native identity layer, is based on a patchwork of identity one-offs.

There is no consistent and comprehensible framework allowing users to evaluate the authenticity of the sites they visit, and they don’t have a reliable way of knowing when they are disclosing private information to illegitimate parties. At the same time they lack a framework for controlling or even remembering the many different aspects of their digital existence.

Creating an identity layer for the Internet is more than a technical issue. Especially when we are interested in high assurance (levels 3 and 4), it involves a number of legal and business issues as well as technical issues.

To succeed in evolving towards a high assurance trusted identity layer, we believe that, in addition to Kim Cameron’s Laws of Identity (e.g. User control and consent; Minimal disclosure for a constrained use; Justifiable parties; Directed identity; Pluralism of operators and technologies; Human integration; Consistent experience across contexts), we need to observe the following additional guidelines:

1. Provide secure and reliable identification and mutual authentication of all parties

2. Enable non-repudiation of financial transactions undertaken by authorized participants

3. Be open standards-based, easily interfaced to applications, and certifiable

4. Support public-private collaboration to strengthen identity-proofing and authentication, with a clear delineation of the accountability and liability associated with the issuance and verification of an identity credential

5. Capable of supporting continuous improvement across all phases of the Identity Management lifecycle

6. Include the necessary policies, rules and operation bodies to provide a stronger “trust” anchor in the US and internationally

7. Be easy and convenient to use (minimize the number of tokens and passwords required to carry and remember, without compromising security