HOW DIGITAL IDENTITY MANAGEMENT CAN REDUCE IDENTITY THEFT
Reports of identity theft and data loss are increasingly common, a trend that reflects both the growth of digital information and the rising number of online vulnerabilities. The impact of these security breaches is profound, burdening individuals and organizations in numerous ways and triggering general unease about the integrity of digital transactions.
The Institute for Information Infrastructure Protection's (I3P) Safeguarding Digital Identity project lays the groundwork for reducing identity theft by making digital identities, which are the sentinels of sensitive personal information, less vulnerable to exploitation. Although the vulnerabilities associated with digital identities vary, examples of exploitable identities include a simple user name combined with a weak password, or the unencrypted transmission of digital identity attributes.
Because identity theft regularly makes the news, I3P researchers are frequently asked the following questions:
What is digital identity management?
Digital identity management encompasses the administration and design of information that positively identifies a person, thereby authorizing them for digital transactions. Many websites, for example, ask for a user name and password combination in order to access the site or conduct a transaction such as modifying data or making an online purchase.
What is identity theft?
Identity theft (the fraudulent use of an individual's personal information to obtain money, goods, services or data) falls into several categories, including financial identity theft, as in the theft of credit card numbers; medical identity theft, which involves tampering with patients' medical records; and social identity theft, which can damage a person's reputation.
How does digital identity management protect against identity theft?
Digital identity management, when effectively executed, reduces the risk that an identity has been fraudulently created or usurped, and thus can dramatically reduce rates of identity theft.
Specifically, identity management solutions set standards of good practice in the areas of identification, authentication (the process by which individuals are recognized prior to being authorized to seek funds, goods, services or information online) and identity protection.
Should I be concerned about the vulnerability of my digital identity?
Yes, assuming you have, like millions of others, created one or more digital identities based on convenience rather than security. People who base user names and passwords on such publicly available information as, say, their initials or phone numbers, run the risk that a determined identity thief could eventually guess that information. Unfortunately, once the keys to the kingdom reach criminal hands, a person's information, assets and identity are already compromised.
What can I do to better manage and protect my online identity(ies)?
The strength of your digital identity should mirror the sensitivity of information and criticality of services you wish to use online. If you engage in online banking, for example, you should adopt the strongest digital identity and identity assurance mechanisms your bank offers. At a minimum, you should base your user name and password on a complex composition of letters, numbers and special characters. In addition, you should have one-time passcodes sent to your mobile phone to authorize especially sensitive transactions, and you should use identification tokens and smart cards if they are offered by your bank.
Is digital identity management more critical in some sectors than in others?
Yes, depending on the sensitivity of the information. Government agencies, especially those that provide healthcare services through e-Health initiatives, as well as other healthcare and financial services, are especially concerned with identity management. Overall, any organization that provides web-based access to sensitive information or critical services must have a secure and privacy-preserving digital identity management system in place.
Adding to the need for better identity management is the trend in some critical sectors toward the formation of partnerships or federations to share information, thus reducing service costs. Regional Health Information Organizations (RHIOs) are just one example from the healthcare sector. Identity management solutions in these environments, with their large numbers of users and heterogeneous legacy systems, are badly needed.
Does the work related to the I3P project directly counter identity theft?
Yes, I3P researchers are developing technologies that:
Why does digital identity management matter?
The amount of identity information collected and shared by organizations of all sizes, types and technical capabilities is growing, necessitating the creation of standards that ensure the privacy, confidentiality and interoperability of identities. When personal information is digitized (on the magnetic strip of a credit card, for example, or in the database of customer transactions kept by a large retailer, or in the patient database of a healthcare provider), it becomes easier to share - and to steal.[1] And unfortunately, once a person's digital identity is compromised, other digital information associated with that person's identity becomes vulnerable to unauthorized use, disclosure, modification, destruction, or theft.
The consequences of having one's digital identity compromised depend on several factors, including the identifiability, sensitivity and confidentiality of the information being transmitted, stored, managed or shared by organizations; the value of the records associated with that identity; as well as the organization's size, business objectives, technical sophistication, and security and privacy safeguarding standards. A security breach targeting an organization that provides and manages large volumes of digital identities, for example, could affect millions of individuals. In any case, the consequences for an individual may range from identity theft to financial loss; for the identity providers and their partner organizations, they may include both financial and legal penalties.
What makes the I3P Safeguarding Digital Identity project especially challenging?
Digital identity management is rife with complexity. Not only must a vast amount of identity data be safely collected, transmitted, used, stored and shared, but the data must be handled in ways that preserve privacy expectations and adhere to fair information practices that are not amenable to technological enforcement.
Other challenges include needing to balance ease of use against security, ensuring identity interoperability within large enterprises and federations, developing solutions within a legal, social and political context that spans, yet must satisfy, different cultural and regulatory regimes (states, nations), and establishing trust among the people and organizations that provide, use and share identity information.
About the I3P Safeguarding Digital Identity project
The I3P digital identity management team has embraced an ambitious mission: to research, analyze and develop prototype solutions that allow organizations to securely and efficiently share identity-related information, without any loss of accuracy or privacy, in cost-effective ways. More than 25 researchers from six academic and research institutions (Cornell, Georgia Tech, MITRE, Purdue, SRI International and the University of Illinois) are participating in a two-year research activity that culminates in a series of presentations at IDtrust2009 hosted by the National Institute of Standards and Technology (NIST) on April 14-16, 2009.
About the I3P
The Institute for Information Infrastructure Protection (I3P) is a 27-member consortium of universities, federally funded labs and research institutions, managed by Dartmouth College. In addition to guiding and supporting research, the I3P is committed to finding solutions to infrastructure vulnerabilities, facilitating technology transfer and forging collaborative alliances with key stakeholders.
Information about the Safeguarding Digital Identity project can be found at www.thei3p.org or by contacting Bruce J. Bakis, MITRE Principal Investigator, at bbakis@mitre.org or Shari Lawrence Pfleeger, I3P Director for Research at shari.lawrence.pfleeger@dartmouth.edu.
[1] On May 10, 2006, the White House established an Identity Theft Task Force by Executive Order 13402 to coordinate its response to the identity crime issue. http://www.idtheft.gov/