Over on the City of Decatur’s blog is a recent post about new parking meters being installed that will allow people to pay using their cell phone. Coincidentally, IDology spoke (along with our friends at Obopay) about keeping mobile payments secure at a NACHA conference earlier this month, so when I saw this news, I was struck by how close to home mobile payments is hitting. I think it’s a brilliant way to get people more comfortable with making mobile payments because it involves small $$ increments that won’t frighten consumers away from trying it and there is a great deal of practicality in the application.

The City of Decatur is known for being a progressive municipality so it doesn’t surprise me that it’s the first municipality to test the Pay-by-Cell service. And I’m certain it won’t be the last.

I suppose now is a good time to remind you about our Guide for FACTA Compliance and How to Spot ID Theft Red Flags whitepaper. Go on…register to get it, I promise it’s a real treat.

First, let’s examine how the hacker accessed her email.  According to this Wired article:

As detailed in the postings, the Palin hack didn’t require any real skill. Instead, the hacker simply reset Palin’s password using her birthdate, ZIP code and information about where she met her spouse — the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.

You probably are already familiar with the type of security questions Yahoo uses to reset passwords - what is your mother’s maiden name?  What is the name of your favorite pet? etc. etc. And yes, these questions are technically called “knowledge-based” because they are based on something that you know.  But the biggest difference is that these questions are static.

When companies use a static KBA solution, they require us as consumers to pick 1 or 2 “security” questions and provide them with the answers.  We’ve seen one of the dangers of this scenario already.  And quite frankly Palin is somewhat lucky.  Since human psychology is to select the same type of security questions in other accounts, I hope that she has gone and changed her questions/answers at other higher risk places like her bank account.  The other danger here is that all these questions and answers are being stored by the company.  Given the likelihood that people choose the same type of security questions for their bank account, email account, Amazon account, etc., a breach of this data could have enormous repercussions.

However, if Yahoo were using a dynamic KBA solution before allowing a password reset then the hacker would not have been able to trick the system.  Why?  Well, because the questions that would have been presented are created on-the-fly using information found in Palin’s personal and protected data records.  She doesn’t pick the questions to present, and she either knows the right answer or she doesn’t.  These questions are much more robust and are specifically designed to verify someone is who they claim to be.  And there are deep analytics involved with dynamic KBA solutions to spot and stop suspicious activity.

As a founding member of the Information Card Foundation, I’d also like to point how this scenario makes the advent of Information Cards even more eminent.  Had Palin been using a verified Trusted Identity to sign into her account then the hacker would not have been able to gain access and reset her password.

According to the article:

About eight million illegal immigrants are in the US work force. Lacking documents the workers traditionally used phony names and Social Security Numbers to gain employment. But in recent years, technology has made it increasingly difficult for counterfeit documents to pass muster. The use of an electronic system that checks a person’s work eligibility, e-Verify, is now mandatory for employers in several states, and President Bush signed an order recently making it obligatory for companies that do business with the government.

Coincidentally, there are new billboards for e-Verify around Atlanta that I happened to notice this week. A quick look at the e-Verify website describes the program as:

E-Verify is a free Internet-based system that allows employers to confirm the legal working status of new hires in seconds. With one click, E-Verify can match your new hire’s Social Security Number and other Form I-9 information.

E-Verify reduces unauthorized employment, minimizes verification-related discrimination, is quick and non-burdensome to employers, and protects civil liberties and employee privacy.

Do you see how this system is flawed? e-Verify only determines the work eligibility of a SSN. It is lacking a way to determine that the applicant or employee is the rightful owner of the SSN being used.

An easy way for employers to overcome this and protect themselves while still following the antidiscrimination laws and protecting consumer privacy is to ask their job applicants or employees a set of knowledge based authentication (KBA) questions. Even though KBA is used mostly in consumer-not-present situations, it is also beneficial for in-person situations such as this.

Believe me, KBA is quick and easy and costs less than conducting full background checks on labor workers – and a lot less than the $232,100 the House of Raeford paid Emerita de Jesus for negligent damages.

And if you shop at major retail chains like OfficeMax, Barnes & Noble, and BJ’s Wholesale Club you could be one of those affected.

Interestingly, the fraud ring is connected to the TJ Maxx breach announced in early 2007. And after reading the article and seeing the sophisticated schemes the fraudsters have – it is clear to me that retailers and ecommerce businesses need to really step it up in their data protection and network security both online and in their bricks and mortar stores.

Just as importantly, ecommerce businesses need to focus on building consumer confidence. Consumers want to feel safe and know that their identity and data is protected before choosing to spend their money. Here is a short list of some ways to do this:

• Don’t ask for more information than you need from consumers and eliminate using, capturing or storing full SSNs
• Keep a minimal amount of consumer data for the shortest period of time possible
• Take compliance initiatives seriously — don’t take shortcuts by meeting the minimum requirements, go the extra mile to protect consumers
• Use solutions that validate identities to protect your customers

Does your driver’s license have your SSN number on it?  Federal law banned using SSNs as a driver’s license number in ‘04, but if your State followed this practice and your have a license issued prior to this, then you could be at a higher risk for identity theft.  I urge you to take the steps necessary to change your license number and get a new ID!

It costs $20 or so to renew your license.  That’s much cheaper than the $6278 mean fraud amount per victim Javelin and the BBB reported on in 2006.

As part of a presentation IDology did to the Task Force last month, we worked with Mike Jones at Microsoft to develop a prototype for using managed “age” cards. Mike does an excellent job of walking through the process in his recent blog post. If you are curious as to how Information Cards are going to work, this is a must read. I think you will quickly see how simple and easy using Managed Cards can be.

Certainly there is still a lot of work to be done in the area. We picked a social network just as an example but there are numerous places a trusted identity can be used online. Trusted Identity applies across the Internet, not just in age situations, and we are excited to be a part of helping to bring this about to the market.

What exactly is the Information Card Foundation? You can definitely read more about it here, here, and here, but to sum it up this is a non-profit group comprised of technology leaders working together to bring about a simpler, easier and more secure way for consumers to control their digital identities.

This is a big deal as it means we are getting closer to developing an open framework for managing our identities that is standard for all ecommerce.