Experts look to digital IDs to boost Net security

Rampant identity theft threatens the progress of e-commerce, but providing more security also creates issues, experts said at a Cebit panel.

Rampant identity theft is eroding users' trust in the Internet, and could threaten to erase some of the progress companies have made in doing business online, according to security experts.

A possible solution was to create digital identities to curtail the incidents of ID theft, but this also had some liabilities, the experts said while speaking on a panel at the Cebit trade show in Hanover, Germany.

"We actually run the risk of taking a step back on the Internet," president and chief executive officer of RSA Security, said. "We are starting to see a lack of confidence and even worse companies are scaling back what they are doing on the Web,"

Head of IT security architecture at Credit Suisse, Beat Perjes,, said that the customers at his bank were still doing online transactions but were also asking a lot more questions about whether it was secure.

This was a concern because what banks actually sell customers was trust, Perjes said.

Cases of online identity theft have ramped up in recent months, and the US Federal Trade Commission has labeled such theft as one of the fastest growing types of consumer fraud. Internet users are reporting cases of unauthorized access to their online bank accounts due to phishing scams and the increased prevalence of spyware, which can record users' passwords and log-ins.

Digital identities, which provided two measures of authentication, could help improve Internet security, as well as having various other uses, such as digital passports, the experts said.

Dual authentication often involved something a user knows or possesses, such as a smart card, and something that he or she was, which could be represented by biometric information, Coviello explained.

"Password-only IDs should be a thing of the past," Microsoft's chief security adviser for Europe, the Middle East and Europe, Detlef Eckert, said.

In addition to improving online security, digital identities would also allow users to reduce the number of credit cards, loyalty cards and other proofs of ID that they carry, the experts said.

Smart cards, digital passports and national ID cards could carry information for multiple purposes, as long as the authenticating body is trustworthy. So, if multiple credit cards were stored on a smart card, each credit card company would have to trust the other company's means of identifying and authenticating users, the experts said.

Authentication done by one body and then trusted by another was called federated identity, chief technology officer at Sun Microsystems, Hellmuth Broda, said.

Broda is also the spokesman for the Liberty Alliance Project, a consortium of more than 150 companies working to develop a standard for network identity. For a federated ID system to work, specifications needed to be open and interoperable, he said, and Liberty and other industry groups were working toward this.

"After the dot-com crash vendors realised how interdependent they are," Coviello said. "We really must all stand together because we won't make advances on the Internet otherwise."

While digital identities done right would improve online security and bring user convenience, they brought with them certain liabilities and levels of complexity, the experts said. How to safely store, share and authenticate data were just some of the issues that needed to be resolved.

All the experts agreed that data should not be stored in one central repository, which could be compromised. And while they also agreed that certain agencies and businesses should control data relevant to their relationship with customers, sharing information is a bit trickier.

One way to share data without allowing one organisation to have too much information about a person would be to separate the person's identity from the data by giving it another identifier. One company could identify a person as "customer 51" while another could identify the same person as "customer 254," for example, Coviello said. That way, they could share buying trends and other information without revealing who bought what, for example.

While there were some difficulties in implementing digital IDs, the challenges could be overcome with technological and regulatory solutions, the experts said.

For making further progress on the Internet, making digital IDs work was crucial, Broda said.

"We will never make a system that's impossible for thieves to break, but we can make it very, very hard," he said.

Join the newsletter!

Error: Please check your email address.

More about CeBITCredit SuisseFederal Trade CommissionHISINSLiberty AllianceMicrosoftRSARSA, The Security Division of EMCSun MicrosystemsUS Federal Trade Commission

Show Comments