What We Do

We believe that "stronger" forms of identity authentication (i.e., better than just a password or Social Security Number) are needed to prevent many types of fraudulent, identity-related transactions that involve ordinary people. Many strong authentication products and procedures exist that are successfully being used to authenticate people in corporations and other businesses who seek to access the online resources of their employers. However, many of these are not necessarily applicable for use in the "consumer market" because very large-scale deployments would be too costly, or because they would otherwise require behaviors that many consumers may find burdensome or inconvenient. For these reasons, banks have generally not asked consumers to carry around hardware tokens or smartcards for authentication to their online banking services.

The ongoing problem of identity theft has generated a need for people to be able to prove who they are online, or over the telephone, especially when there is no prior relationship between the person and the entity needing to verify the person's identity.  In the physical world, we rely on government-issued photo IDs because we trust that the government has issued the ID to the right person. Something is needed in the online world that would serve a similar purpose.  

Our goal is to work with interested parties to study, evaluate, and propose better and stronger forms of privacy-preserving, consumer-centric, identity authentication for a range of consumer applications.   This includes exploring ways by which stronger authentication can help to prevent identity theft.


What's The Problem?

It's long been known that relying only on knowledge of "secret" personal information such as passwords and Social Security Numbers to protect a bank account, or to verify an identity, provides only weak security because the information is not truly secret and can be easily discovered by fraudsters. Social Security Numbers, driver's license numbers, and other personal information are widely used to identify individuals in numerous places where people conduct business, or have credit or other financial accounts. This information is contained in numerous databases that can be penetrated by thieves, and is often printed on paper documents that can be stolen or copied. Personal information may also be contained in public documents that governments make available over the Internet.

The link between stolen personal information and identity theft and other identity-related fraud is this: it is a common business practice to assume that the mere knowledge of certain items of personal information "proves" the identity of a person who knows the information. That is, items of sensitive personal information such as a Social Security Number are being used as authenticators, and not simply as identifiers. This practice is based on the flawed assumption that such information is somehow "secret", and is known only to the person actually identified by the information. How often have we been asked for "the last four digits of your Social" during some telephone interaction with a bank or other place that needs to verify our identity? But much of our personal information is not really secret, and using personal information as identity authenticators enables identity theft.

Personal information has been the target of sophisticated attacks that seek to trick people into revealing the information to fraudsters and identity thieves. Phishing emails with links to look-alike but phony banking websites that prompt unsuspecting victims to enter personal information are a good example of attempts by fraudsters and identity thieves to steal personal information.   Other methods for stealing personal information, such as pharming and the use of keystroke loggers, are becoming harder for people to avoid.  But no matter how the information is stolen, the result is the same:  identity thieves can use the information to impersonate others, causing harm to the victim in several ways: 

  • Thieves can use the information to gain access to another person's banking or other accounts ("Account Takeover"), potentially draining the account of the victim's money.
  • New credit accounts can be opened using someone else's identity information. When the thief doesn't pay the bill, the credit grantor goes after the victim to collect the unpaid bills. The victim's credit history and credit score are also damaged when the credit grantor provides erroneous information to the credit reporting agencies about the delinquent account.
  • Medical services can be obtained by an identity thief using someone else's identity information. As a result, victims may not only be billed for medical services they didn't receive, but the victim's medical history is likely to be contaminated by erroneous entries involving treatment or services provided to the imposter.
  • Earnings and tax information may be reported to the Internal Revenue Service using a Social Security Number that does not belong to the person whose earnings are being reported.  The victim whose Social Security Number is used may wind up being billed by the IRS for taxes actually owed by someone else.

  • Perhaps most disturbing of all, an innocent and unsuspecting person may be mistakenly arrested and detained because his or her identity information was provided to police by someone else during an arrest or other investigation. 

These examples of identity theft all point to the need for better ways to verify that someone is actually who they claim to be.  


Why Authentication?

Some may argue that identity theft can be addressed by devising better ways of keeping this information "secret". But personal information such as Social Security Numbers, birthdates, etc., is "out there" in one form or another, and knowledge of this information - by itself - should not enable identity theft. Although it may be difficult to keep this information from a determined identity thief, a "security freeze" on a consumer's credit file may help to prevent a would-be credit grantor from opening a new account using stolen information. However, security freezes require consumers to take conscious steps to lift the freeze before applying for credit, often at some cost and inconvenience, and then "refreeze" their credit files afterward.

Some may suggest that consumers can protect themselves by monitoring their credit reports and scores after being notified that their personal information has been lost or stolen.   Because of laws requiring businesses to notify people when their personal information has been breached, we have become increasingly aware of how easy it is for our personal information to become stolen or lost.  But rather than putting the burden on consumers to "watch their backs" to make sure no one is impersonating them by using stolen or lost identity information, wouldn't it be better to prevent the misuse of this information in the first place?  There needs to be a better way to make sure that identity thieves cannot use the personal information of others for fraudulent purposes.  One way is better authentication - making sure that people are who they claim to be.

