UAE authorities recently announced they had broken up an international Internet data-smuggling ring suspected of hacking into the credit network and stealing credit and debit card information and cash amounting to over 50 million USD. Officials billed the arrests as the ‘largest hacking and identity theft case ever prosecuted in the country’ and the multinational footprint of the operation brought home the global specter of cybercrime. The case also offers a stark reminder of the sheer volume of personal data now circulating online – and its vulnerability to security breaches by criminals with malicious intent.
The Internet has become indispensable to so many facets of our lives, from managing our finances and making purchases, to interacting with government agencies and keeping in touch with colleagues, friends and loved ones. Personally identifiable information (PII) is the lifeblood of such transactions, enabling online service providers to authenticate consumers’ identities. But to cybercriminals this data represents a digital skeleton key with which to unlock and plunder bank accounts, go on unauthorised online spending sprees and fraudulently open lines of credit – illicit activity that inflicts a considerable annual financial toll on consumers and businesses.
The rising tide of security threats and ever more sophisticated and devious scams graphically illustrate the need for urgent action that embraces bold, fresh thinking and overhauls the current haphazard system of managing online identities to protect consumers. Research suggests that fear of online fraud is eroding consumer confidence in the web and impacting online economic activity.
But what if PII could be made more difficult to steal and even less valuable in the first place to cybercriminals? In other words, what if it could be largely supplanted by more secure modes of online data transmission and identity authorisation? That’s the promise held out by new technology commanding a growing groundswell of industry support called Information Cards.
Think of Information Cards as virtual versions of the physical cards we carry around in our wallets for identification purposes and to facilitate transactions like making purchases. In the same way that the cards in a person’s wallet attest that they are who they say they are – often based on previous in-person verification – and establish their right to certain privileges like access to their bank account, Information Cards can corroborate a person’s identity online in a way that does not rely on easily-stolen usernames, passwords or pieces of PII that offer prospective points of entry for would-be identity thieves.
Instead of requiring manual entry of PII or usernames and passwords, digital Information Cards employ strong cryptography to ensure that only authorised parties can access the identity assertions they relay – helping prevent interception of data in transit.
Information Cards also reduce the volume of data consumers transmit by allowing online service providers to specify the minimum information they need to authenticate someone’s identity for their purposes. For a news site, for example, this might be confined to a subscriber’s name, limiting the person’s exposure to security risk from the sharing of more sensitive data.
Laying the groundwork necessary for adoption of Information Cards by a critical mass of consumers, businesses, and public agencies is a task in which government and industry have pivotal and complementary roles to play.
Government agencies already issue birth certificates, driving licenses, and other identification tokens, making them a natural choice for performing the in-person verification that should underpin Information Cards used for the most sensitive activities. Accredited businesses could also issue these types of cards. For less sensitive uses, online entities could issue cards, and for the least sensitive purposes, individuals could even issue their own Information Cards.
Government agencies can also lead by example by piloting the technology themselves to demonstrate its utility and by conducting educational outreach to inform citizens, businesses and law enforcement of the benefits.
The good news is that they can count on a powerful cross-section of industry support now building behind Information Cards. The non-profit Information Card Foundation, dedicated to promoting adoption of the technology, counts Microsoft, PayPal, Equifax, Novell and Oracle among its members. In fact, Information Cards are distinguished by their use of commonly-accepted Web protocols and compatibility with a wide range of software and hardware, offering an easy on-ramp to widespread adoption.
With the right application of political will and cooperation between government and industry, we believe that Information Card technology holds out the promise of significantly stacking the deck against cybercriminals and making landmark progress against the scourge of online fraud. In doing so, we can help secure the future vitality of the online economy.