December 17th, 2008
Last week VeriSign released results of a survey it commissioned regarding Internet security. The findings show that 85% of consumers think trusting a site is most important when interacting on a Web site and sharing confidential information. And only 9% said competitive pricing was more important.
Also interesting is that 76% of consumers claim identity theft is a “major” concern for them with more than 56% saying they felt distrustful of brands that did not protect their online identity.
When so many e-commerce companies are fighting for their share of the consumer’s dollar, it’s imperative that you build trust with your consumers and protect their identity if you want to increase your business. If you’re wondering how to do this, here are some whitepapers that cover several of these topics.
October 28th, 2008
One of my favorite places in Atlanta to visit is the square in Downtown Decatur, which has lots of unique places to eat and shop. However, one of my least favorite things sometimes about visiting the City of Decatur is parking. Inevitably when I find an open spot on the street, I never have enough coins to fill the meter! But thanks to the emerging mobile payments industry, this is about to change.
Over on the City of Decatur’s blog is a recent post about new parking meters being installed that will allow people to pay using their cell phone. Coincidentally, IDology spoke (along with our friends at Obopay) about keeping mobile payments secure at a NACHA conference earlier this month, so when I saw this news, I was struck by how close to home mobile payments is hitting. I think it’s a brilliant way to get people more comfortable with making mobile payments because it involves small $$ increments that won’t frighten consumers away from trying it and there is a great deal of practicality in the application.
The City of Decatur is known for being a progressive municipality so it doesn’t surprise me that it’s the first municipality to test the Pay-by-Cell service. And I’m certain it won’t be the last.
October 22nd, 2008
Well, the credit industry finally has some good news. The new ID Theft Red Flag Regulations, which were slated to take effect on November 1, have been pushed back by the FTC and won’t be enforced until May 1, 2009. I guess the FTC figures banks and creditors have bigger fish to fry right now than scrambling to meet new compliance regulations for identity theft. Based on personal observation, this delay is a good thing because many companies are still unaware that Red Flag even applies to their business, so getting compliant by Halloween might be tricky indeed.
I suppose now is a good time to remind you about our Guide for FACTA Compliance and How to Spot ID Theft Red Flags whitepaper. Go on…register to get it, I promise it’s a real treat.
September 19th, 2008
The news about Governor Palin’s Yahoo account being hacked presents an interesting use-case for a dynamic KBA solution and gives me the opportunity to clear up a big misunderstanding people have about what [IDology's] KBA really is.
First, let’s examine how the hacker accessed her email. According to this Wired article:
As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
You probably are already familiar with the type of security questions Yahoo uses to reset passwords - what is your mother’s maiden name? What is the name of your favorite pet? etc. etc. And yes, these questions are technically called “knowledge-based” because they are based on something that you know. But the biggest difference is that these questions are static.
When companies use a static KBA solution, they require us as consumers to pick 1 or 2 “security” questions and provide them with the answers. We’ve seen one of the dangers of this scenario already. And quite frankly Palin is somewhat lucky. Since people tend to select the same type of security questions for their other accounts, I hope that she has gone and changed her questions/answers at other higher risk places like her bank account. The other danger here is that all these questions and answers are being stored by the company. Given the likelihood that people choose the same type of security questions for their bank account, email account, Amazon account, etc., a breach of this data could have enormous repercussions.
However, if Yahoo were using a dynamic KBA solution before allowing a password reset then the hacker would not have been able to trick the system. Why? Well, because the questions that would have been presented are created on-the-fly using information found in Palin’s personal and protected data records. She doesn’t pick the questions to present, and she either knows the right answer or she doesn’t. These questions are much more robust and are specifically designed to verify someone is who they claim to be. And there are deep analytics involved with dynamic KBA solutions to spot and stop suspicious activity.
As a founding member of the Information Card Foundation, I’d also like to point out how this scenario makes the advent of Information Cards even more imminent. Had Palin been using a verified Trusted Identity to sign into her account then the hacker would not have been able to gain access and reset her password.
August 7th, 2008
If you recall, I blogged about the government’s crackdown on employers hiring illegal immigrants and how identity theft and the fake document industry are booming in some places as a result. Today’s Wall Street Journal article, “How To Make Identity Theft Worse, IRS Audit Launches Emerita de Jesus into Fight To Get Her Name Back,” shows the problems of the system both for consumers and businesses.
According to the article:
About eight million illegal immigrants are in the US work force. Lacking documents the workers traditionally used phony names and Social Security Numbers to gain employment. But in recent years, technology has made it increasingly difficult for counterfeit documents to pass muster. The use of an electronic system that checks a person’s work eligibility, e-Verify, is now mandatory for employers in several states, and President Bush signed an order recently making it obligatory for companies that do business with the government.
Coincidentally, there are new billboards for e-Verify around Atlanta that I happened to notice this week. A quick look at the e-Verify website describes the program as:
E-Verify is a free Internet-based system that allows employers to confirm the legal working status of new hires in seconds. With one click, E-Verify can match your new hire’s Social Security Number and other Form I-9 information.
E-Verify reduces unauthorized employment, minimizes verification-related discrimination, is quick and non-burdensome to employers, and protects civil liberties and employee privacy.
Do you see how this system is flawed? e-Verify only determines the work eligibility of a SSN. It is lacking a way to determine that the applicant or employee is the rightful owner of the SSN being used.
An easy way for employers to overcome this and protect themselves while still following the antidiscrimination laws and protecting consumer privacy is to ask their job applicants or employees a set of knowledge based authentication (KBA) questions. Even though KBA is used mostly in consumer-not-present situations, it is also beneficial for in-person situations such as this.
Believe me, KBA is quick and easy and costs less than conducting full background checks on labor workers – and a lot less than the $232,100 the House of Raeford paid Emerita de Jesus for negligent damages.
August 6th, 2008
If you read the NY Times today you probably saw this story: 11 Charged in Theft of 41 Million Card Numbers.
And if you shop at major retail chains like OfficeMax, Barnes & Noble, and BJ’s Wholesale Club you could be one of those affected.
Interestingly, the fraud ring is connected to the TJ Maxx breach announced in early 2007. And after reading the article and seeing the sophisticated schemes the fraudsters have – it is clear to me that retailers and ecommerce businesses need to really step it up in their data protection and network security both online and in their bricks and mortar stores.
Just as importantly, ecommerce businesses need to focus on building consumer confidence. Consumers want to feel safe and know that their identity and data are protected before choosing to spend their money. Here is a short list of some ways to do this:
- Don’t ask for more information than you need from consumers and eliminate using, capturing or storing full SSNs
- Keep a minimal amount of consumer data for the shortest period of time possible
- Take compliance initiatives seriously — don’t take shortcuts by meeting the minimum requirements, go the extra mile to protect consumers
- Use solutions that validate identities to protect your customers
August 5th, 2008
I’m still amazed by stories such as this about how ticketed drivers from Virginia and D.C. could find their Social Security number posted on a Maryland State Web site if that information is on their driver’s license.
Does your driver’s license have your SSN on it? Federal law banned using SSNs as a driver’s license number in ‘04, but if your State followed this practice and you have a license issued prior to this, then you could be at a higher risk for identity theft. I urge you to take the steps necessary to change your license number and get a new ID!
It costs $20 or so to renew your license. That’s much cheaper than the $6278 mean fraud amount per victim Javelin and the BBB reported on in 2006.
July 7th, 2008
If you have a technology solution that can be used to address child Internet safety you should check out the call for review entries the Berkman Center announced last week to present to the Technical Advisory Board Committee, which is a sub-committee of the Internet Safety Technical Task Force. The Technical Advisory Board members are going to evaluate technologies and the ways they address issues children face on social networks such as sexual predators, cyber-bullying, inappropriate content access, and more.
July 2nd, 2008
I mentioned in an earlier post that I was at the Burton Catalyst Conference last week. For those of you that didn’t make it, this blog post by Mark Dixon is a great recap of some of the identity related sessions.
July 1st, 2008
One of the great things about CardSpace and the work the Information Card Foundation will be doing is developing how managed cards are going to work in commerce. A good use case is to show an age verified card for situations where you only need to show proof of age — thus limiting the amount of personal data (name, address, email, etc.) required to access a website. Because of our involvement with the Internet Safety Technical Task Force, we felt this was an easy and applicable way to show the future of identity verification which could help address some of the issues the Task Force is exploring this year.
As part of a presentation IDology did to the Task Force last month, we worked with Mike Jones at Microsoft to develop a prototype for using managed “age” cards. Mike does an excellent job of walking through the process in his recent blog post. If you are curious as to how Information Cards are going to work, this is a must read. I think you will quickly see how simple and easy using Managed Cards can be.
Certainly there is still a lot of work to be done in the area. We picked a social network just as an example but there are numerous places a trusted identity can be used online. Trusted Identity applies across the Internet, not just in age situations, and we are excited to be a part of helping to bring this to the market.