IdentityTheftSIG
Conference Call Information
Conference calls are generally held on Wednesdays at 9:00 am PT / 12 Noon ET / 1600 UTC.
Call-in information is as follows:
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #
List of corresponding International Dial In Numbers
The last call was on Wednesday, May 21, 2008.
Email Information
Go here to subscribe and follow the instructions provided.
Charter
The Identity Theft Prevention SIG exists for discussion of identity-based crime as a whole (e.g. identity theft, identity fraud, etc.), creating a forum for industry recommendations and action. Specific goals include:
- Generation of best practice guidelines/suggestions/technical recommendations to feed into appropriate Liberty Alliance expert groups and other interested community bodies
- Generation of a taxonomy for defining ID Theft and application of Liberty (current and potential futures) to various elements
- Defining opportunities in deploying appropriate technical and policy solutions to help mitigate identity theft
- Serving as a community body for discussion and raised awareness of solutions (existing and potential) for ID theft/fraud protection or mitigation
- Serving as experts on ID Theft with clearly articulated messages
- Providing education to businesses and the people they serve regarding ID theft (both members and non-members)
- Serving as a catalyst for responsible development, maintenance and implementation of identity infrastructure, from both a policy and a technical perspective
Read more in the Liberty Identity Theft SIG Charter
Meeting Minutes
Identity Theft and the Liberty Identity Assurance Framework
Liberty Alliance defines the Liberty Identity Assurance Framework (LIAF) as “the basis upon which identity assurance providers and their services can be certified as compliant to common policies, business rules and baseline commercial terms; avoiding redundant compliance efforts and market confusion about the substance of identity assurance value delivered.” Each service compliant with the LIAF provides assurance that an identity claim is valid at one of four Assurance Levels, ranging from little or no confidence in the asserted identity's validity, to very high confidence in the asserted identity's validity.
Because identity theft occurs when a fraudulent identity claim is not detected as being false, a reasonable approach to preventing identity theft is to implement more efficient and reliable authentication of identity claims. Public interest and concern about identity theft is due to the high risk of damage to individuals when new credit accounts are fraudulently established using someone else’s identity information, or when fraudulent medical claims and diagnoses are tied to someone else’s identity. For these reasons, such identity claims must be authenticated at high (rather than low) assurance levels.
The LIAF enables identity claims to be authenticated at high assurance levels by the use of electronic trust services that require an identity claimant to demonstrate possession and control of appropriate identity credentials/tokens issued by accredited Identity Providers. Issuance of these credentials/tokens to individuals by Identity Providers follows an appropriately rigorous initial identity verification process (“identity proofing”). Unlike low assurance trust services, there are much higher costs associated with high assurance trust services. These higher costs are due to several factors, including more rigorous identity proofing requirements, more stringent business and organizational constraints on the identity provider, and the higher costs of more reliable and secure authentication technologies.
Due to the higher costs of high assurance trust services, existing and potential Identity Providers have mainly geared these service offerings to their large business customers. The business model underlying such offerings relies on revenues generated from the sale of these high assurance trust services to these large customers. Although consumer applications such as online banking and bill-paying arguably require high assurance identity authentication, the higher costs associated with “stronger” authentication for these consumer applications have often meant that authentication technologies associated with low assurance trust services, such as Personal Identification Numbers (PINs) or passwords, were instead used exclusively.
With this in mind, the first obstacle that must be overcome in order for LIAF-enabled high assurance trust services to help fight identity theft is to make such services economically viable for large-scale use by consumers. Such services would be appropriate for consumer authentication to applications such as online banking, bill paying, and others requiring a high degree of identity assurance.
Although identity authentication by means of high assurance trust services requires possession and control of the appropriate credentials/tokens during the authentication process, identity theft typically doesn’t occur because such credentials or tokens have been lost or stolen. Instead, because of weak or non-existent authentication procedures, identity theft often results from the misuse of stolen personally identifiable information by an imposter to claim someone else’s identity. In order for LIAF-enabled high assurance trust services to be most useful in preventing identity theft, there needs to be a way to link personally identifiable information that describes a unique individual, with the credentials/tokens issued to the person. An identity thief using stolen personal information to claim the identity of someone using high assurance trust services could then be thwarted, because the thief would not be able to authenticate to the Identity Provider using the necessary credentials/tokens.
With the advent of the LIAF, Liberty Alliance stands poised to play a significant role in the evolution and specification of high assurance trust services for consumers. However, the use of such services by consumers requires not only the availability and adoption of authentication technologies that consumers will find easy and convenient to use. What is also needed are the business and economic drivers to motivate Identity Providers to offer such services for use by consumers, and to motivate Service Providers/Relying Parties to use them when a claim of identity must be authenticated.
Potential Liberty Work Related to Identity Theft
Whitepapers
To support the above goals, one approach may be to produce a series of Whitepapers that address issues involving LIAF-compliant high assurance trust services that could be geared to use by consumers, as well as specifications and best-practices to support specific functionality required to use these services for authentication when personally identifiable information is used to make claims of identity.
Specific Whitepapers could include:
- Whitepaper describing the concept of a large-scale identity network / authentication system consisting of Liberty-accredited Identity Providers, Relying Parties who agree to honor credentials/tokens issued by accredited Identity Providers, and individual Subjects who present these credentials/tokens to Relying Parties for authentication. This network could enable any Relying Party to authenticate the identity claim of anyone presenting credentials/tokens (at the appropriate Assurance Level) issued by any Liberty-accredited Identity Provider that is trusted by the Relying Party. This identity network / authentication system may result from the inter-federation of different identity federations, so that Relying Parties and Identity Providers belonging to different federations are able to trust each other.
- Whitepaper describing possible business models that would make high assurance trust services economically viable for use by individual consumers. One potential model might require Relying Parties to pay Identity Providers for identity assertions. This could be akin to credit grantors paying consumer credit bureaus for information about a consumer's credit history. Such a model may be viable in the context of allowing Relying Parties to satisfy the recently-issued Red Flag Rules in the US that require credit grantors to have written identity theft prevention programs. Another possible business model might focus on individual consumers themselves paying a fee to an Identity Provider for identity theft protection, similar to what people pay today for credit monitoring services and other identity theft prevention services (based on fraud alerts or credit freezes) that have emerged recently.
- Whitepaper describing how an identity network / authentication system can be extended so that identity claims made to Relying Parties on the basis of personally identifiable information can be authenticated, if the personal information is associated with the identity of someone who has been issued credentials/tokens as part of a high assurance trust service from an accredited Identity Provider. This extension may involve a Discovery Service enabled by the Liberty Web Services Framework that can discover the appropriate Identity Provider on the basis of personally identifiable information. Privacy concerns about the handling of personally identifiable information may be addressed by the Liberty Identity Governance Framework.
- Background: Even if a LIAF-enabled identity network / authentication system were to exist, it is assumed that a person whose identity is to be authenticated needs to present some sort of credentials or tokens to the service provider / relying party. But many cases of identity theft result when stolen personal information is used by an imposter to claim someone else's identity. In that situation, the stolen personal information itself acts as a "credential", and the service provider / relying party has no corresponding token to authenticate the claim of identity. It would be desirable if someone who possesses Liberty-accredited credentials/tokens can still be protected against identity theft, if the identity theft occurs by means of stolen personal information.
- Whitepaper that explores the usefulness and viability of a range of potential LIAF-enabled high assurance trust services for consumers.
- As one example, online banking and bill payment services pose high degrees of risk to consumers if unauthorized persons can gain access to these accounts, or are able to drain money from these accounts. Will Relying Parties such as financial institutions and others be willing to accept high assurance credentials for access to these accounts that have been issued by other, Liberty-accredited Identity Providers? Would financial institutions or other business entities be willing to act as Identity Providers for authentication of their consumer customers to other entities?
- Another example could involve the Identity Providers that issue "managed" Information Cards. These managed Information Cards, unlike self-issued cards, provide higher assurance identity services to Relying Parties on behalf of the "owners" of these Information Cards, many of whom may be individual consumers. The recently formed Information Card Foundation, which is concerned with digital identities on the Internet, is also a new Liberty Alliance member. Might the LIAF play a role in establishing the trust relationships between the Relying Party users of Information Cards, and the Information Providers that issue managed cards?
- Whitepaper that compares identity proofing methods used by financial institutions, motor vehicle bureaus, and REAL ID, to Liberty IAF identity proofing requirements at the appropriate assurance levels.
- Whitepaper that discusses the characteristics of authentication tokens most likely to be used in high assurance consumer authentication applications, and compares these characteristics to authentication token requirements defined by NIST 800-63 “Electronic Authentication Guideline”, at various assurance levels.
Specifications / Best-Practices
Some specifications and best-practices may be necessary to define some of the capabilities discussed in the White Papers:
- Specifications for a Discovery Service that identifies the specific accredited Identity Provider that is able to authenticate an identity claim using credentials/tokens issued by that Identity Provider, on the basis of personally identifiable information presented to the Discovery Service that is associated with the holder of those credentials/tokens. Such a Discovery Service is necessary to prevent identity theft when stolen personal information is used to make claims of identity.
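The flow argued for above (linking personally identifiable information to issued credentials/tokens, so that a claimant presenting only stolen PII cannot authenticate) and the Discovery Service just described, as an added illustration that is not part of this page or of any Liberty specification. It assumes a hypothetical IdP that checks token possession with a nonce challenge, a Discovery Service that indexes PII under a keyed hash, and constructed names, keys and PII.

```python
import hashlib, hmac, secrets
# Hypothetical model, not Liberty's specification: an accredited Identity Provider issues a
# token secret after identity proofing and checks possession of it with a nonce challenge;
# the Discovery Service maps PII to that IdP. All names, keys and PII here are constructed.
class IdentityProvider:
    def __init__(self, assurance_level):
        self.assurance_level = assurance_level
        self._tokens = {}  # subject id -> token secret (the same secret lives on the subject's token)
    def enroll(self, subject_id):  # identity proofing is assumed complete before enrolment
        self._tokens[subject_id] = secrets.token_bytes(32)
        return self._tokens[subject_id]
    def verify(self, subject_id, nonce, response):
        # Returns the assurance level of a successful token-backed authentication, else None.
        secret = self._tokens.get(subject_id)
        if secret is None: return None
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return self.assurance_level if hmac.compare_digest(expected, response) else None

class DiscoveryService:
    def __init__(self, index_key):
        self._key, self._index = index_key, {}
    def _blind(self, pii):  # keyed hash so the index never stores raw PII
        return hmac.new(self._key, pii.encode(), hashlib.sha256).hexdigest()
    def register(self, pii, idp, subject_id):
        self._index[self._blind(pii)] = (idp, subject_id)
    def lookup(self, pii):
        return self._index.get(self._blind(pii))

def make_responder(secret):  # what the claimant's token does with the IdP's nonce
    return lambda nonce: hmac.new(secret, nonce, hashlib.sha256).digest()

def relying_party_authenticate(discovery, pii, respond, required_level):
    # Resolve the PII to an IdP, then accept only a token-backed authentication
    # at or above the assurance level the transaction requires.
    found = discovery.lookup(pii)
    if found is None: return False
    idp, subject_id = found
    nonce = secrets.token_bytes(16)
    level = idp.verify(subject_id, nonce, respond(nonce))
    return level is not None and level >= required_level

def demo():
    idp, ds = IdentityProvider(assurance_level=3), DiscoveryService(b"constructed-key")
    pii = "Alice Example|1970-01-01"
    ds.register(pii, idp, "alice")
    holder = make_responder(idp.enroll("alice"))
    thief = make_responder(b"has the PII, not the issued token")
    return {"holder": relying_party_authenticate(ds, pii, holder, 3),
            "thief_with_pii": relying_party_authenticate(ds, pii, thief, 3),
            "holder_needs_level4": relying_party_authenticate(ds, pii, holder, 4)}
```

The claimant who holds only the stolen PII is resolved to the right IdP but cannot answer its challenge, and a level-3 credential is refused where level 4 is required.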
Identity Theft Technical Document
This document contains several references to possible technical solutions towards mitigating the threat of identity theft. Please feel free to add more links or provide comments!
2. How does Identity Theft Occur?
4. Desired Properties of a Federated Identity Management System
5. Technology Solutions and Tools for Identity Theft Prevention
- 5.1 Policy Languages
- 5.1.1 P3P
- 5.1.2 SAML Assertions
- 5.1.3 XACML Authorization Policy
- 5.2 Cryptographic Tools
- 5.2.1 Secret Splitting
- 5.2.2 Zero Knowledge Proofs
- 5.2.3 Anonymous Credentials
- 5.3 Trust Management
- 5.3.1 Anti Phishing Tools
- 5.4 Database Security
6. Phases of Identity and Corresponding Identity Theft Protection Mechanisms
- 6.1 Registration Procedure
- 6.2 Mechanism for Identity Information Storage
- 6.3 Access Control on Usage
- 6.4 Authentication
- 6.4.1 Cryptographic
- 6.4.2 Biometric
- 6.4.3 Mobile channel
- 6.4.4 Secure Hardware
- 6.5 Authorization
- 6.6 Audit and Accountability
- 6.6.1 Reverse Surveillance
- 6.6.2 Forensics
- 6.6.3 Accountability
- 6.6.4 Compliance
- 6.6.5 Notification
- 6.7 Usability
7. Conclusion and Best Practices
External References
Participants
- Steve Bramson (514) 909-2022
- Abhilasha Bhargav-Spantzel (home page)
- Britta Glade
- Paul Biciunas
- Kevin O'Neil
- David Weitzel
- Bob Pinheiro (Chair)
- Eric Nelson
License
Content that violates any copyright will be deleted. You agree to license your contributions under the Creative Commons Public License Attribution 2.5. When quoting, reproducing or re-using the entire documents or parts thereof, attribution shall include the name of the paper and a link to the location of the paper (where possible).