Microsoft Privacy & Safety : Identity Theft

Phishing – what is is, and how it relates to your webmail credentials

Microsoft Privacy Team — Fri, 13 Nov 2009 23:52:00 GMT

The Windows Live team blogs writes : Thanks to coordinated efforts across the tech industry, and partnerships between industry players who are a part of the Anti-Phishing working group , over the years most web services, users and other applications have...(read more)

Phishing scheme affecting some Hotmail customers

Microsoft Privacy Team — Wed, 07 Oct 2009 18:51:00 GMT

The Windows Live Team Blog writes : Over the weekend Microsoft learned that several thousand Windows Live Hotmail customers’ credentials were exposed on a third-party site due to a likely phishing scheme. Upon learning of the issue, we immediately requested...(read more)

IE 8 SmartScreen Protects Against Identity-Stealing Malware

Microsoft Privacy Team — Fri, 27 Mar 2009 03:04:00 GMT

From the IE8 team : Over the last year, we’ve published two posts about how the IE8 SmartScreen ® filter helps to prevent phishing and malware attacks. In this post, I’d like to share some real-world data on the protection provided to IE8 pre-release...(read more)

Kim Cameron on Information Cards as a solution to site redirection

Microsoft Privacy Team — Mon, 27 Oct 2008 21:25:00 GMT

Kim Cameron, Chief Architect of Identity in the Connected Systems Division at Microsoft has an interesting post up about at his Laws of Identity blog on the vulnerability of passwords to "site redirection", a problem that Information Cards don't have:

The UK's Register has been running a a series of articles by John Leyden  (here, here and here) about Verified By Visa. (VByV)  Verified By Visa uses the same kind of "site redirection" I've written about many times with respect to OpenID and other password-based federation technologies - but in this case it is a banking password that can be stolen.

The phishing scenario is simple enough. If you happen onto an "evil" site and are tricked into purchasing something, it can "misdirect" your browser to a counterfeit VByV signon page. As John explains, you have little chance, as a user, of knowing you are being duped, but once you enter your password it is available to the evil site for both instant use an future reuse. Those familiar with this site will understand that this is yet another example of an attack that cannot be made against Information Card users.

Beyond focusing attention on the phishing problems inherent in "site redirection" approaches, John argues that the system - though claiming to be more secure - is actually just as vulnerable as non-VByV mechanisms.  He then argues - and I have know knowledge as to whether this is the case - that the false claims about increased security are being used to reject complaints by end-users about irregularities and fraudulent purchases made in their name. If that were true, it would be scandalous.

Friends, this is a case of "The Writing on the Wall". I think people in the industry should see John's work as a sign of what's to come. He is the guy in the fable who is shouting out that "the Emperor has no clothes!"  And he's doing it cogently to the wide readership of the Register.

If I were an advisor to the emperor at this point I would insist on two things:

1.      admit the vulnerability of all systems based on "site redirection"; and

2.      start getting into phishing-resistant technologies like Information Cards while one's modesty can still be protected.

There's more...

Title: Online Identity Theft: Changing the Game

Microsoft Privacy Team — Tue, 16 Sep 2008 23:26:00 GMT

As many of you know, Microsoft has been at the forefront in fighting the scourge of identity theft. We've improved our products and created tools to help fight identity theft -- the Internet Explorer Phishing Filter; Windows Defender; Windows Live OneCare; and Windows CardSpace.

Today we are releasing, "Online Identity Theft: Changing the Game Protecting Personal Information on the Internet," a new white paper that for the first time describes in detail Microsoft's comprehensive strategy for curbing online identity theft. In addition to describing current Microsoft initiatives, the paper outlines long-term solutions for "changing the game" by ending reliance on "shared secrets" for authentication.

Relying on "shared secrets," such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online, creates security problems because they are relatively easy to steal and can be difficult to remember, update and manage. We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse, and that's where Information Cards come in, as the paper describes:

Information Cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone. They are analogous to tangible cards in a person's wallet. In much the same way that a person might use a student ID card to get free admission to a museum or a frequent-shopper card to get a discount on groceries, a digital Information Card issued by one entity can be used to verify the card owner's identity with another entity, as long as the card includes the necessary data. How does this work? The creation and use of Information Cards involves three parties. The first party is the entity that issues the card. In the case of a card for use in sensitive interactions, the issuer might be a government, business or nonprofit organization. For less sensitive uses, individuals might issue themselves a card. The second party, or relying party, is whoever needs to accept the card during a transaction. The third party is the cardholder, who decides which card to present in a given transaction. How does the use of Information Cards reduce the risk of identity theft? For starters, the person's username and password aren't transmitted when an Information Card is presented to a Web site, so they can't be stolen. Information Card technology also supports a range of robust encryption methods that help prevent tampering with the data on the card or snooping to intercept it in transit. Information Cards also allow relying parties to request the minimum amount of personal information needed to authenticate an identity in a given transaction.

There's lots more, read on...

-- David Burt

Identity Crisis? What Crisis?

Microsoft Privacy Team — Tue, 12 Jun 2007 21:44:00 GMT

Jerry Fishenden, National Technology Officer for the UK, here ...

If you think the current problems of online safety and Internet e-crime (or cybercrime if you prefer) appear challenging, what on earth is going to happen when the Internet pervades every aspect of our daily lives?

As the Internet beings to power and monitor health and energy saving devices in our homes, enabling us to live richer, fuller lives in our own communities, will problems of cybercrime and threats to identity, security and privacy scale at the same rate: and thwart our aspirations to use technology to improve society? Will we finally reach Internet meltdown?

Right now, it’s all too likely the answer would be – “Yes.” If we don’t get the foundations right – and address some of the most fundamental issues that currently plague Internet safety – anything else we might construct on top of its inadequate infrastructure is unlikely to be sustainable.

But the Internet is not some autonomous, sentient, self-evolving life form – even if at times it might feel that way. It’s a by-product of decisions technologists took in the past, are taking now and will take in the future. So the problems we see today are fallout from failures in design – failures in technology design and in human-computer interaction design. And cyber-crooks are of course always amongst the quickest to exploit such flaws. After all, the digital world is no different to the real one – and that includes the preponderance of criminal activities based on exploiting weaknesses in both systems and people.

One of the most obvious contributory causes to our existing Internet problems is the lack of an identity layer. I can’t prove it’s me when I’m online – and I can’t prove to a reasonable level of satisfaction whether the person or thing I’m communicating or transacting with online is who or what they claim to be. Which really isn’t a good place to be. Unless you’re a cyber-crook, in which case, hey, this is great news and highly lucrative with it since it makes online attacks such as phishing and spam email possible.

If we’re serious about realising the Internet’s true potential we need to act now to fix the identity issues we’re seeing. These issues need to be resolved before we can seriously contemplate letting the Internet move into far more important areas – such as technology-assisted healthcare at home and the whole idea of assisted-living. After all, how are we going to do that if none of the devices can be certain who or what they’re communicating with? In front of us lies a vision where everything and everyone is linked and joined through an all pervading system. Billions of devices and communications happening every second, a complex mesh of systems communicating within and between each other in real time.

Now try to convince me you can build that – and trust it – without first fixing the problem of identity.

Which raises the question: identity, what is it anyway? For the sake of the point I’m making here, identity is about people - and "things": the physical fabric of the Internet and everything in (on) it. And ultimately it’s about safeguarding our security and privacy.

If we're to avoid exponential growth of the issues that plague the current relatively simple Internet as we enter the pervasive, complex, grid age, what principles do we adhere to? How can we have a secure, trusted, privacy-aware Internet that will be able to fulfil its potential – and have our trust too?

The good news is that these problems are being addressed: have you heard of the "laws of identity"? The “laws” are a set of design principles evolved over the last few years by some of the most respected authorities on identity using the crucible of the blogosphere. Kim Cameron (father of meta-directories and now Chief Identity Architect at Microsoft) has gathered together these lessons into a set of powerful guidelines. They help ensure that digital systems exhibit better behaviours than today - particularly around digital identity and ensuring security and privacy. They encompass everything learned about the good and the bad of digital identity systems. Lessons learned the hard way over the last 30 years or so of real world experiences. And these “laws” are already beginning to gain recognition: the Information and Privacy Commissioner of Ontario for example has issued an independent public endorsement (see http://www.ipc.on.ca/docs/7laws-whitepaper.pdf).

Without the application of underlying principles such as these "laws of identity" the future Internet will suffer entropy, massive breaches of security and privacy – and probably make the scale of today’s cybercrimes look like a golden era of online law and order by comparison. But with the “laws”, we may finally be able to realise the truly transformational benefits of the Internet.

Digital identity - of people and "things" - is a fundamental requirement of the coming pervasive Internet age. Equally clearly, we need consensus on the identity framework required before we go much further. So go and read the “laws” and see what you think: you can find them online at http://www.identityblog.com/?page_id=354.

And then let’s get moving on fixing these issues – before the whole idea of the benefits of the next generation of Internet developments gets a bad name and our dreams end up as just that: dreams, rather than a reality.

- Jerry’s personal blog can be found at http://ntouk.com