Saturday, March 11, 2006

An interesting article followed by a respective blog on the Citibank PIN id theft

A big FYI...

Can globalization and free travel around the world continue without an effective, interoperable, strong authentication system? The key solution Citibank gives to its customer is to return to the US. The reason why? They cannot certainly authenticate the person - since there are no interoperable systems out there that can strongly authenticate the person, only the authentication device/system. Work such as that being done presently by the Liberty Alliance Project and others will definitely help change this for the better through trusted interoperability of strong authentication devices. Moreover, what is truly needed are access control systems that are portable trusted devices that can digitize the user's inputs to authenticate the actual user and not the device, like most systems today do. Our authentication systems must represent as closely as possible the actual person along four main factors: token possession, knowledge challenge/responses, biometrics, and geolocation/time. Of course not all factors are needed at every point of authentication. Rather, based upon the policies of the asset being requested for access by the user, a unique challenge combination of these factors can be issued... (btw this is what Falkin Systems delivers...)

This is another example of how fragile and weak the current security technologies are. They were excellent when the system was first deployed - late 1970s. However, with the always advancing technology innovation track this becomes a cat-n-mouse game; the criminals have access to the same technologies and rate of technological change as those designing and putting these systems in. My beliefs are firm that within the next 2-5 years every business dealing with money, trust, and intellectual information property, will be in the business of strong authentication and access control - that is - identity service provider.


What impact will this PIN theft have on the economy within the next month? year? This news is just getting out...

hth,
/rob

--
Rob Marano
CTO & SVP R&D
Falkin Systems
rob@falkin.com
(skype) robmarano
(I-Name) http://public.xdi.org/=Rob.Marano
***
** Get your I-Name at http://2idi.com/grs/index.php?referral_code=falkinsystems
***
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++
Thomas J. Watson - "The way to succeed is to double your error rate."
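
The policy-driven challenge selection described in the post above, sketched as an added example (not code from the post or from Falkin Systems). The false-accept rates, friction costs, policy thresholds, asset names and the assumption that factors fail independently are all constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Factor:
    name: str
    category: str        # token | knowledge | biometric | geo_time (the post's four factors)
    false_accept: float  # assumed chance an impostor passes this factor (constructed value)
    friction: int        # assumed user effort; lower is better (constructed value)


@dataclass(frozen=True)
class AssetPolicy:
    asset: str
    max_false_accept: float            # tolerated chance that an impostor passes every challenge
    min_categories: int = 1            # how many distinct factor categories must be used
    required: frozenset = frozenset()  # categories that must always be part of the challenge


# Constructed sample enrolment and policies.
ENROLLED = (
    Factor("card", "token", 0.05, 1),
    Factor("pin", "knowledge", 0.02, 2),
    Factor("fingerprint", "biometric", 0.001, 4),
)
GEO_TIME = Factor("geo_time", "geo_time", 0.30, 0)  # passive: costs the user nothing

POLICIES = {
    "balance_inquiry": AssetPolicy("balance_inquiry", 0.06),
    "atm_withdrawal": AssetPolicy("atm_withdrawal", 0.0005, min_categories=2),
    "wire_transfer": AssetPolicy("wire_transfer", 2e-6, min_categories=3,
                                 required=frozenset({"biometric"})),
}


def available_factors(enrolled, country, hour,
                      usual_countries=frozenset({"US"}), usual_hours=range(6, 23)):
    """Geolocation/time only counts as evidence when the request fits the user's usual pattern."""
    factors = list(enrolled)
    if country in usual_countries and hour in usual_hours:
        factors.append(GEO_TIME)
    return factors


def select_challenge(policy, available):
    """Return the lowest-friction factor names that satisfy the policy, or None to deny."""
    best = None
    for size in range(1, len(available) + 1):
        for combo in combinations(available, size):
            categories = {f.category for f in combo}
            if len(categories) != len(combo):          # at most one factor per category
                continue
            if len(categories) < policy.min_categories:
                continue
            if not policy.required <= categories:
                continue
            # Independence assumption: an impostor must defeat every factor.
            if prod(f.false_accept for f in combo) > policy.max_false_accept:
                continue
            names = tuple(sorted(f.name for f in combo))
            key = (sum(f.friction for f in combo), size, names)
            if best is None or key < best:
                best = key
    return None if best is None else best[2]


def challenge_for(asset, country, hour, enrolled=ENROLLED):
    """Pick the challenge combination for one access request."""
    return select_challenge(POLICIES[asset], available_factors(enrolled, country, hour))


if __name__ == "__main__":
    for asset in POLICIES:
        print(asset, "home:", challenge_for(asset, "US", 12),
              "| abroad:", challenge_for(asset, "CA", 12))
```

With these sample values, a withdrawal from an unusual country steps up to a biometric challenge instead of being refused, and a request is denied only when no enrolled combination can meet the asset's policy.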

PIN Scandal "Worst Hack Ever;" Citibank Only The Start

By Gregg Keizer, TechWeb News
March 09, 2006 (4:35 PM EST)
URL: http://techweb.com/wire/181502468

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."

Litan's sources in the financial industry have told her that thieves hacked into an as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."

The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what's a consumer to do?

"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."




BLOG reference

http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

Sunday, March 5, 2006

Citibank under fraud attack, customers locked out of accounts
BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He initiated his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:
To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt "INELIGIBLE ACCOUNT."
Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis -- by no means the only data security issue at Citibank in recent months. Jake continues:
The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud.

Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break [ Ed. note: definition here] of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed.

She informed me that I would have to return to the United States to change my pin number before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem.

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now -- at ANY network, not just Citibank's -- you may find yourself totally fuxx0red. The call-and-response goes like this:

Citibank customer:
I'm stranded in a foreign country, I need cash, and I can't withdraw cash from my account.

Citibank drone:
d00d omfg we wuz 0wnz0red, it is teh suck!!!1!1 Go home and we'll re-issue a new card. Then be prepared to go through this all over again, and again, and again.

Citibank customer:
So even if I fly all the way back to the USA so you can issue me a new ATM card, you can't promise I won't be locked out the very next day?

Citibank drone:
yup! kthxbi!

Citibank didn't handle Jake's problem in a customer-friendly way at all, and this appears to be standard procedure.

Also, it seems this incident is receiving little media attention, which begs the question: for each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness?

This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave thousands of customers stranded overseas without cash would get more notice. WTF?

Link to the full text of Jake's account.

Reader comment: Anonymous says,

Just wanted to mention that it's not just ATM cards that have been hacked with Citi. I was forced to close my Citi Mastercard by Citibank earlier this week "because one of their 'affiliates' was hacked and my card was affected". I knew it had to be a bad hack since when that _same card_ was involved in the DSW member information theft, they didn't make me close the card then (they never even contacted me). Forcing me to close it now made me suspect it was Citi that had been hacked, and the article about the ATM hack pretty much confirms it.

Reader comment: "Byte" in Poland says,

Not only US customers of CitiBank have problems, Polish have also, but the nature of problems is different.

According to a short article, "CitiBank Handlowy S.A was hiding information that it has been robbed" by Rafał Pawlak on hacking.pl (Link, unfortunately in Polish only), the accounts of several hundred customers of CitiBank Handlowy S.A have been robbed with use of Internet access to their accounts. Translation of a fragment of the above article:

Robbed bank has not informed its customers that their accounts have been cleaned from money. Today (2003/03/02), bank has been identified to be CitiBank, and it has been determined that stolen money has been transferred through agency in Szczecin.

Robbers have cleaned Internet accounts of several hundred customers of CitiBank Handlowy S.A. In virtual robbery citizens of Szczecin have been involved and money has been withdrawn from bank accounts through agency in Szczecin. (...)

Few minutes earlier, the same author has posted article (also linked from above text): "Virtual bank robbery" ( Link ) with more details about the robbery, but the name of the bank was not known at that time. According to that article twenty citizens of Szczecin have stolen 3 million zlotys (approximately 950 thousand dollars.) Hackers have installed software on bank's customers computers, and used it to collect data, that was later used to transfer money. There were only two hackers, and other eighteen involved people provided their private accounts for transferring stolen money.

Hackers have been collecting and analyzing data about customers for a longer time. When they finally decided that they had enough data, they started the action of robbery, which took them about seven days to conduct. Fortunately for bank customers, all of the robbers have already been arrested.

Since data used in robbery has been collected from computers belonging to bank customers, blaming bank may not be appropriate. Still the bank can be accused of hiding information that it is being robbed (robbery took 7 days!!!), until the sum of money stolen reached 3 million zlotys.

I should also mention that there is bigger article in "Głos szczeciński" ("Szczecin Voice"), unfortunately I have no access to that article which is only available in printed form.



Monday, March 6, 2006

http://www.boingboing.net/2006/03/06/citibank_security_br.html

Citibank security breach: undisclosed *internally*, let alone publicly?
Following up on yesterday's Boing Boing post about an alleged class break affecting Citibank networks in the US, UK, and Russia, an anonymous Citibank employee says (via Consumerist):
Apparently [us] employees have no details either. A client came into the branch late last week, she was travelling in Canada, and her card stopped working for no reason. She called up Citiphone (the consumer help line - they're terrible), and they gave her no reason as to why the card was blocked, and had a new card sent to our branch. Since she was in Canada, this really didn't help her out one bit.

Your article was the first that I heard of this. When she came into the branch to pick up her new card, there were no notes on her account stating why her card was blocked in the first place. There was no internal memo or email sent out regarding this fraud issue.

Link. What is a "class break?" In network security jargon, that's what happens when one breach leads to a whole new "class" of attacks on various systems, using similar methods. When it happens on a global banking network, it's also known as "really bad news." Update: Ben Popken at Consumerist reports that Citibank is now claiming that the breach was not a class break -- but acknowledges they've known about it for a month.

Wednesday, January 25, 2006

Cross post to Paul Madsen's post " What does user-centric identity mean?"

Hi Paul,

Great post. This is an increasingly important discussion the industry and the public need to have in an open forum. I have been researching digital identity and privacy for the past several years and have started to "compile" my thoughts into a clear vision for my latest startup, Falkin Systems LLC, an "incubated" company from The Cooper Union for the Advancement of Science and Art in NYC, where I also lecture graduate and undergraduate studies in electrical/computer engineering. Please find a recent post I put on my blog robmarano.blogspot.com called "Names, Traits, and Trails." I have not updated it for a while since we are in "stealth" mode for our product, but I plan on blogging on our efforts in the SAEG... I'd look forward to "merging" our thoughts on digital identity and privacy, starting first with interoperability and ease of use for users to "control" their personal, sensitive information. Have a look at my excerpt below and pay attention to my clear distinction to static and dynamic identities and how privacy and control may pertain. The latter I am still working on....

I hope that this and future blog entries of mine help in our LAP initiatives. I have several interns at The Cooper Union that have been working with me on this very issue; I started the NY Digital Identity Meetup, having them lead some of the discussions. My "team" is ready, willing and able to assist and share our work...

Warmest regards,
/rob --
Rob Marano
CTO, Falkin Systems
(founding member of Liberty Alliance's Strong Authentication Experts Group)
robmarano@gmail.com
www.falkin.com
(I-Name) http://public.xdi.org/=Rob.Marano
***
** Get your I-Name at http://2idi.com/grs/index.php?referral_code=falkinsystems
***
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++
Jacob Bronowski - "The world can only be grasped by action, not by contemplation."

Friday, October 28, 2005

Cross post to Phil Windley's DAY 2 IIW2005

Phil,

Btw, great IIW2005 event! On Day 2 I was thrust to the front in organizing the PodCast for IIW2005 that focused on this very issue. Identity imho is what defines who you are, statically with an id issued to provide services by claims and dynamically with the use of these static ids to gain products/services through barter or other commerce... Back when I did my minor in Modern Germany from the Weimar Republic, I referenced heavily a work by a Harvard fellow, Dov Ronen, entitled __The Quest for Self-Determination__. In this book he discusses how groups form, first to assist one another to survive and secondarily then and more primarily now to satisfy the sense of belonging. This first type of group is called "functional aggregates." When a resource is constrained between two or more functional aggregates, these groups begin to conflict, resulting in a transformation to a "conscious aggregate." His study imho brings further clarity into the concept of identity - individuals and groups both have identity and are mutually inclusive and require one another for their respective definitions. The groups take over and begin issuing static ids of which the constituents use to "run" their life - basics, entertainment, religious, etc... Again, the "dynamics" define the "real" individual, which results in a pool or trail of privacy data... I have begun to develop these thoughts on my blog http://robmarano.blogspot.com

Joaquin Miller, Scot Lemon, Paul Trevithink, Bob Morgan, Alain Bloch, Jair, Gabe Walker, and Scott Mace were present at the IIW2005 podcast on "defining identity..."

let's keep this great dialog going, for without a common agreed-upon lexicon on digital identity, we'll find it difficult to actually communicate as engineers in developing the collaborative pieces of this difficult but all-too-important puzzle / conundrum - digital identity to help fuel the Internet as THE channel of people's life!

/rob

Wednesday, October 26, 2005

Internet Identity Workshop 2005 (iiw2005) DAY 1 - 26 October 2005

Hi all,

[in vivo thoughts....from speaker to my brain to you..]

So having completed my journey to Berkeley, CA, I am now sitting and participating in the IIW2005. Thanks to Phil, Kaliya, Drummond, and Doc for arranging for this. I'm honored and happy to participate...

Till now, I have sat through 6 presentations and thoroughly enjoyed the topics, especially the Q&A - even the IRC channel! However, one "gaping" hole I see so far is a lack of deep discussions on authentication - proving/validating/verifying the actual identity. As Art Coviello, CEO of RSA, stated, his company's solutions authenticate the possession / knowledge rather than the actual person. Biometrically-enabled authentication is the only way to prove irrefutable positive identity. I understand the vastly important need for infrastructure, standard data and message transports, et al, for identity management. However, the discussions have been sparse about strong authentication. As important as the former, we need to discuss how biometric data will be (a) integrated into these thought-leading identity infrastructures, (b) protected from attack vectors, (c) remediated against compromised identities, and (d) audited by authorities if required. I'll stay tuned and see if we begin to detail these important concepts...

Another key thought on identity is the access to critical, sensitive information. Today's transaction systems and processes require "regurgitated" critical and sensitive information, e.g., full name, SSN, address, driver's license number, etc. I wonder why cybercriminals are trawling the net (using SabaSearch.com et al) and targeting identity aggregators (credit report agencies, large retailers, CC companies, etc)? Simply because that's where the pointer to money is! ;-) Leveraging the Internet's network effect, cybercriminals can use millions of records to attempt fraud... More numbers, more chances to hit a gold bar. Their ally remains the use of static identifiers "regurgitated" to service providers to convert to an account then pilfer the account in another's name without positive identification. Therefore, if the critical, sensitive information for consumers is made impotent without positive, biometrically-enabled authentication, we "remove the sting" or value of that information, possibly curbing id theft...

Just something to think about...

More to come after I complete today's sessions...

/rob

Thursday, August 25, 2005

Maturity models for privacy and identity

Greetings and salutations to you all! ;-)

I just read an awesome post to Toby Stevens' blog on his maturity model for privacy. Check it out at http://www.highwest.com/. I thought that I'd share my comment I posted to his blog. Kim Cameron's cross-post was equally enlightening: http://www.identityblog.com/2005/08/19.html

Let me know what you think? I will take a stab at developing a maturity model for identity and cross-reference it to Toby's model. I'll post it to this blog for public comments, especially the likes of Toby, Kim, Doc, Kaliya, et al. Imho, the industry needs to have these two strands of DNA (identity and privacy) laid out in a map that is digestible and realizable by society, business and governments, without having any individual give up the right to own his/her respective identity and privacy to sensitive information - either dynamic or static, as described in my earlier post......

So on to my comment to Toby's post at http://radio.weblogs.com/0146815/2005/08/22.html

Toby,

Great work on putting together the maturity scale. I believe calling it a maturity model for privacy is important. Privacy translates into protecting against access (authorized or not) to critical, sensitive information, either owned by a person or a company that describes either a person or a company. In thinking about identity and privacy over the last 6 years, I have concluded that privacy follows from authorization which in turn follows from authentication. Knowing that privacy has been compromised results from monitoring access and reporting against unauthorized viewing by anyone, either authenticated or not. Authentication relies upon the proper verification of alleged identity - prove to the privacy guard who you are so that your profile can be assessed as to whether or not you have the appropriate rights to access that critical, sensitive information.

Therefore, with my understanding of how to convert identity into access to privacy, I would suggest an addendum to your maturity model:

1. Data Protection
Place the data under the strongest, state of the art lock and key, coupled to an authorization engine that converts identity to a profile and policies to access the data.

2. Authentication
This is the complete process of proving identity. Using a set of identifier acquisition systems, the alleged user steps through a number of challenges to prove his/her identity which requires a percentage of accuracy that matches the level of protection required for the information to remain private, i.e., for certain eyes only for a certain amount of time. This process requires tight coupling to the authorization and reporting/auditing in order for the information owners to know who is accessing what, when, where, why, and how. Once identity is assured (to a certain sigma - from six sigma vernacular), the authentication approval leads to the next section, data sharing. Effective authentication requires a federated identity management ecosystem to exist, where "trust" can be shared among organizations. In turn, federated authentication follows from the trust among these organizations, first from the point of view of culture, working processes, and finally technology. However, where in federation does the concept of fail-safe lie wrt authentication? How deep does that trust go, and how deep is it "programmed" into an organization's policies?


3. Data Sharing
This process actions the authentication approval or credential to a set of policies that govern the privacy. Now that the system knows exactly who is requesting access, data sharing leverages the authorization policies to see exactly what portion, if any, of the privacy the authenticated user can access, for how long, on what display/device, during which time intervals, and at what location. These are equivalent to the concept of considerations in traditional digital rights management. Moreover, the policies should have a section that assesses whether the authenticated user and/or their role have the "right" to retain a copy, for how long, on what device/display/format, where to store, etc. An important aspect of data sharing is this retention policy. For example, the biggest problem today in consumer privacy issues is that the consumer is not aware who or what organization has what portion of their critical and sensitive information, how accurate are those copies, etc. More importantly, there is no mechanism for the consumer to automatically delete the information from these distributed datastores. Data sharing is about control and storage, and aging of critical, sensitive information by and to authenticated users.

4. Data Rejection
Imho, data rejection is a sub-process of data sharing since it is one of the "commands" that result from assessing the access profile of the authenticated user against the sought after privacy information. Anonymity is truly impossible if authentication of users to access privacy is effective. There is no room for anonymity in privacy data access; however, there are some uses in data sharing, not necessarily privacy, that do not require any or some identity verification and validation, e.g., accessing news sites, accessing free-websites that are offering free access to some product or service, etc. The real question is, "Can anonymity be realized in an all-digital organization, society, government? What place does anonymity have on the Internet?"


Toby, I do hope this helps. I am quite interested in your feedback. I am posting my thoughts on digital identity and privacy on my blog entitled, "Names, traits, and trails" at http://robmarano.blogspot.com. I welcome an open discussion on this.

Best wishes on the EPG. Please let me know how I can be of assistance. I know quite a number of people that would be interested in this both in the UK and the US! I spent almost 8 years in the UK working in infrastructure management in the City...

I totally support your efforts in the need and public definition of a maturity model for privacy and identity. You have my support! I'll start to disseminate this at my monthly meetings on the topics in NYC. I run the NY Digital Identity MeetUp. More info at http://digitalid.meetup.com/3

I'd love to hear your feedback...

Thanks for the opportunity to post to your blog...

Warmest regards,
Rob
--
(I-Name) http://public.xdi.org/=Rob.Marano
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++

Tuesday, August 16, 2005

Solutions to the Digital Identity and Privacy Conundrum

Part 1 - Introduction to Static and Dynamic Identities

Since I began researching digital identity and the concept of digital privacy in 1999, I have always envisioned a flexible authentication system to be at the heart of every point of interaction online and offline; between people, between people and business, between people and government, and between business and government. The explosive growth of the personal computer and the Internet and, subsequently, Internet culture and commerce, has not allowed society to transpose normal human behavior and practices to the new, all pervasive medium.


During my tenure at PricewaterhouseCoopers (PwC), I ended each conference presentation on emerging technologies with the statement, "With technology there is neither a replacement for a smile nor a frown." What I was getting across to the audience had more to do to help transform technology into a viable replacement for physical human interaction than it did to temper the use of technology. Processes within a business or through a value network require humans to interact with one another to make critical decisions for continued success. Since the first barter many millennia ago, good and continuing business has always included physical recognition, eye-to-eye communication and a bond to complete the transaction. Without recognition, the entire process would never proceed. Therefore, recognition of and the subsequent authenticity of the person with whom you conduct business or any type of valued transaction or interaction becomes the cornerstone of the relationship. It establishes trustworthiness between the participants, and trust is built on continued successful interaction for both parties.

Standing in front of a person fulfills the recognition process, otherwise known in IT terms as "authentication." It is a necessary but not always sufficient requirement for interaction. As the value of interaction rises, so too do the methods of recognition, which becomes both a physical (biometric) and a knowledge challenge/response test. Authentication answers the question, "Is this person truly who they claim to be?" Name, physical presence and traits, distinguishing physical features, e.g., clothes, shoes, eyeglasses, jewelry, etc, serve as cursory markers as proof of identity. Society considers these traits as sufficient in informal, casual interaction.

However, other forms of identity are required to conduct more formal, value-based transactions, such as citizenship, commerce (buy/sell/invest), travel, entertainment, healthcare, and participation in government programs, for example. Value translates into money, social order, or safety and security of life. In order to standardize these forms of identity, governments, organizations, and businesses have issued their own identity cards, which simply connect a signature and photograph or a uniquely distinguishing identifier (bar code) to the organization's branded token, or card; for example, birth certificate, marriage certificate, credit and debit cards, drivers license, passport, loyalty card, stadium ticket, health insurance cards, and Social Security card, respectively. Such identity cards can be defined as static, since they do not change in appearance. New ones are issued based upon a change in status of the service guaranteed by the card issuer. Moreover, these static identity cards almost always have a time value associated with them, giving an expiration date, since the user's unique distinguishing trait may change over time.

As an aside, citizenship by birth is a tough identity to prove with the lack of standardized birth certificates, which is due to the varying formats and policies of each hospital in each county in each state across the country. Moreover, marriage certificates are an important source of identity in several areas, financial records, property ownership, benefactor association, drivers license, and passports. For example, if a woman changes her name legally before using her older passport during international travel, national borders have been known to accept the marriage certificate as a proof of name change. Is there any way the border agent can verify and validate the authenticity of the marriage certificate, especially when there are no standards among the thousands of municipalities in the country? The US Congress is poised to pass the REAL-ID Act of 2005, which requires states to surrender their regulatory rights over driver's licenses and birth certificates with no mention of marriage certificates and excludes applicability to illegal aliens.

Returning to the concept of static identities, it's important to stress that this type of identity is given to a person upon entering or joining a group, organization, business, or state privilege like driving or marriage. Information on the actual use of services, what and when people buy, what they listen to, watch, eat, and where they go and how frequently forms the second type of identity, called dynamic identity. As taken from the Merriam-Webster entry for privacy, "Freedom from unauthorized intrusion" or access defines privacy of one's own critical, sensitive, and personal information. It is common for people to share their static identity markers with credit card companies, government agencies, insurance companies, etc, in return for service. However, it becomes an issue of privacy to guard any sensitive information that defines their dynamic identity. This will be addressed in detail in an upcoming installment on this blog, for privacy and identity are two strands that make up the DNA which defines a person - names, traits, and trails (of dynamic information). Both static and dynamic identities serve as access keys to any type of value for every individual. The value can either be represented as goods or as services, both of which are bought, sold, or bartered.

The next installment will focus on how modern IT systems can be transformed to ensure trustworthy identity transaction across business to business, business to government, business to consumer, and consumer to government. I'll begin to detail how these technologies will help solve the problems and reduce costs to fraud and insecurity, extend trust over the Internet between people, and help to establish and solidify trust across the spectrum of merchants, consumers, and financial service providers, helping to unleash the next generation of Internet-based commerce. It is important to note that a recent Gartner report states online banking and ecommerce has taken a slight dip due to fears of identity theft and credit fraud.

In the new Internet order, consumers will be able to transpose their purchased content across any device of their choosing, for example, from watching a movie on the bus on a mobile device/cell phone to then transposing the movie directly to their TV upon arriving at home, with ease. With technologies that deliver and assure digital identity authentication, mobile service providers can assure Hollywood that piracy would be a thing of the past because every copy of digital content will be associated to a valid, paying consumer. Moreover, consumers will be assured that their critical, sensitive information cannot be used in any type of fraud against them, since the power to control how, when, why to use their information will rest with them...

Thursday, June 09, 2005

Names, traits, and trails

Greetings and salutations to all on the Internet!

This post is a placeholder for my upcoming blog on digital identity and privacy. I plan on having my first post here by the end of this month, with my "treatise" on the topic. ;-)

In the meantime, come join our growing MeetUp at http://digitalid.meetup.com/3/

Thank you, and I look forward to discussing this seminal topic.

Warmest regards,
Rob