Consider this scenario: You just bought a pair of $89 sneakers online. In order to complete the transaction, you had to type in your private identity information into the merchant
Morally, any online merchant should have a vested interest in protecting its customers’ online identity and information, but monetarily, there isn’t an incentive.
Sound familiar? In a time where the vast majority of goods, services, businesses and operations have been moved onto the World Wide Web, one would think any single person's online identity and sensitive information would be safe among billions of other consumers. Well, think again.
In today’s Internet economy, the consumer rarely, if ever, meets face-to-face with the merchant. Instead, customers are required to create an Internet identity and use it over and over again in order to buy goods and services. While this seems harmless enough, a dangerous problem frequently arises: unlike a flesh-and-blood person that can shop at a store and be physically recognized when using his or her credit card, customers shopping in the Internet marketplace are required to create an “electronic identity” in order to buy from their favorite online stores. If an experienced thief gets ahold of this delicate information, they can easily steal your identity with just a few clicks.
From the enterprise perspective, not only are attackers constantly trying to glean this sort of identity data (which is often linked to credit card and other valuable personal data), but also the ongoing challenge of securing online identity data increases the cost of doing business. In order to address this and the related consumer fraud issues, the U.S. Commerce Department began developing a project that aimed to create stronger Internet identities for its populous to reduce Internet identity theft and fraud. The outcome of these efforts is the establishment of a National Program Office at the National Institute of Standards and Technology (NIST) called the National Strategy for Trusted Identities in Cyberspace (NSTIC) project.
The NSTIC is composed of a mix of public and government personnel who are designing a standards framework that attempts to reduce identity fraud and allow consumers around the world to operate safely online without having to remember various passwords or carry multiple security tokens. In fact, the NSTIC is reinventing the way in which online identity verification will take place. The first major deliverable for NSTIC was to document recommendations for establishing an identity ecosystem governance structure. In February 2012, this document, entitled Recommendations for Establishing an Identity Ecosystem Governance (.pdf), was released to the general public for review and consideration.
The basic structure of the NSTIC identity proposal emphasizes the creation of an “identity broker,” which follows the general operations of today’s Internet financial brokers. For example, if a consumer has a PayPal account and the merchant site that the consumer is buying from has an agreement with PayPal, the consumer has the option of entering his or her payment information on the local merchant’s website, or more ideally, clicking the PayPal icon. If they choose the latter, the buyer is redirected to the PayPal website where he or she logs in, accepts the charges, and is redirected to the merchant’s checkout page where the payment is shown “paid in full.” This is all done without entering payment information on the merchant's site. But if the user wants to be recognized for future shopping upon returning to the merchant site, he or she must still provide private identity information directly to the merchant, even though the financial information is being retained by the third-party financial broker (PayPal).
NSTIC attempts to address this issue by recommending identity data go through a similar identity broker. Identity brokers, like PayPal, would allow each user to register, store and present their private identity information on their behalf when requested. With NSTIC, certified identity brokers would create relationships with Internet merchants and other identity brokers, so when a consumer is prompted to provide his or her online identity information, the merchant would redirect the consumer to the broker where the consumer would provide strong identity data to verify that he or she is in fact the person requesting identification; the broker would then share this data with the merchant.
This identity broker method technically occurs today with many vendors, but in a proprietary way. Some major merchants like Google, Amazon, Apple and Microsoft, among others, use centralized identity stores for authorizing transactions for themselves and their business partners. But while this minimizes the number of Internet identities a person has to maintain, their scope is limited and they still have to rely on standard usernames and passwords to authenticate someone's identity.
So what does NSTIC’s work mean to the average enterprise? While NSTIC is working hard on scoping the level of effort, standards, processes and agreements that will need to be in place in order to make the ideal of a trusted third-party protecting consumer identity possible, it will first require the buy-in of major merchants, e.g. enterprises. Morally, any online merchant should have a vested interest in protecting its customers’ online identity and information, but monetarily, there isn’t an incentive since allowing customers to easily reuse their accounts between storefronts would open their marketplaces to competition. In addition, while NSTIC is making an effort to reduce fraud on U.S.-based merchant sites, the Internet has opened up a worldwide marketplace that questions Internet brokers’ abilities to span geographic boundaries.
More Internet Identity Protection Resources
What does the NSTIC's identity project really need?
Security School: How to establish a data breach prevention strategy.
The Identity Ecosystem: what does it mean for IT shops?
There’s also the issue of how commercial enterprises would be able to use NSTIC’s work for their own purposes. Enterprises typically have to define a unique identity and issue separate credentials for their workforce. So far, NSTIC’s focus has been for consumer use, but there’s no reason why these same identities couldn’t be used to access corporate resources like business systems, email and benefits applications. Sharing a consumer’s identity information with his or her employer would allow individuals to be able to reduce the overall number of credentials the average person needs to maintain. In addition, by using NSTIC credentials, fraudulent access would likely be reduced in the workplace, allowing an enterprise to provide more external access for workers who wish to work remotely or travel as part of their job.
Scale could be a problem too. There are countless business and merchant sites that are not affiliated with other large Internet merchants. Many of the identities consumers continue to create are on these sites. The problem of getting small business and merchant sites into this architecture, while making it cheap enough for the companies to participate, will be a difficult issue. Additionally, how the consumer will “strongly” authenticate is yet to be determined. Will all consumers receive a hardware token in the mail? Strong credentials are still pricey to set up, distribute and maintain. Ideally, with NSTIC pushing for general acceptance of its identity model, economy of scale will reduce the cost of strong authentication.
The final point to consider, and probably the most important in most consumers’ minds, is how identity brokers will be able to protect customers’ identity data and what will happen if one of those brokers has a breach. At least with small sites, there’s a chance that the entire consumer’s identity won’t be compromised. But identity brokers will be required to maintain comprehensive identity data on the consumer. A breach of this data could cause far-reaching problems for the consumer and the identity broker, possibly beyond anything that we’ve encountered to date.
So, while NSTIC still has a long way to go in convincing both small and large merchants and businesses to get on board the online identity protection train, ideally the goal of reducing Internet identity theft and fraud will drive the marketplace towards acceptance in the near future.
About the author:
Randall Gamby is the information security officer for the Medicaid Information Service Center of New York (MISCNY). Randall has worked in the security industry for more than 20 years, specializing in security/identity management strategies, methodologies and architectures. He has recently rejoined SearchSecurity.com's Ask the Experts panel, and is ready to answer your questions!
This was first published in April 2012