TMCnet News

Beat cybercrime, switch to a virtual wallet
[March 31, 2006]

(New Scientist Via Thomson Dialog NewsEdge) You are bidding for a product at an auction website. Instead of typing in a username and password followed by your credit card number, you simply click on an icon on your computer resembling a virtual ID card, and the site lets you start bidding. You then go to a gambling site and prove your age by clicking on a different icon.



If Microsoft has its way, soon all of us will have a virtual wallet of these icons, known as InfoCards, stored on a secure section of our computers. Acting as the digital equivalent of the bulging collection of credit cards, driver's licence and social security cards that we carry around with us today, the company hopes InfoCards will become universally accepted by websites as a proof of our identity. For the first time this will also allow you to verify personal details such as age or gender online.

The system should also make everyday internet transactions vastly more secure, by subjecting them to cryptographic protocols that are currently reserved for banking and government dealings, and by doing away with passwords, which are easily stolen or guessed. "From the user standpoint, it's really simple, it's fast and it's much more secure," says Drummond Reed, a digital identity expert based in Seattle, Washington.


In February at the annual RSA security conference in San Jose, California, Microsoft announced that the necessary software will be bundled with the next version of Windows, scheduled to go on sale early next year. XP users will also be able to download it for free.

Easy target

Apple and Linux users will have their own version. An open-source project called Higgins, run by the non-profit Eclipse Foundation and with contributors including IBM, is working on an alternative virtual wallet for those operating systems that could be ready by June.

The need for such systems arises from the fact that when the internet was created, its developers did not consider that surfers and websites would need to be able to prove their identities to each other. "The internet was built without a way of knowing who you are connecting to," says InfoCard creator Kim Cameron. This has helped cybercrime to flourish, particularly phishing, spam and identity theft attacks that exploit how easy it is to impersonate someone online.

It has also led to unsatisfactory solutions such as passwords, which create more problems than they solve. "People have multiple passwords or logins and as a result they pick ones that are easy to remember and therefore easy to guess," says Phil Windley, a computer scientist at Brigham Young University in Provo, Utah, and author of Digital Identity. Malicious hackers can write programs that work their way through dictionaries and then guess passwords by trying combinations of different words.

There have been several previous attempts to create a universal online authentication system. In 2001 Microsoft launched a system called Passport that collected information such as names and credit card numbers and passed them to accredited websites to verify a user's ID. However, this involved storing information in a central database, putting Microsoft in charge of guarding every consumer's data and creating a privacy nightmare. It was never widely adopted. Now at last, many identity experts are cautiously optimistic that Microsoft has hit the magic formula. "I think that they have finally got it right," says Reed.

The new system dodges privacy concerns as all personal information will be guarded by third parties such as credit card companies, which do this already.

So how does InfoCard work? All users and websites first register with third-party certification authorities. These provide the websites with a digital certificate to display, and issue web users with a virtual card that allows them to request their own digitally signed certificate to present as proof of ID whenever they need it. The system also generates public and private encryption keys for verifying transactions. The private key is stored on the user's computer, while the public key is shared only between the user and the card issuer.

When you want to buy a product online, you first access the InfoCard wallet on your computer by entering a password. This "master" password is not transmitted over the internet but stays on a secure section of your machine, making it virtually impossible for a hacker to steal it. The InfoCard software then automatically verifies that the vendor's website really is what it purports to be by checking its digital signature.

No phishing

If the site does not have a valid certificate, meaning it could be a phishing site, the system will not allow you to hand over any personal details. If the site is valid, it requests the necessary details for the transaction, such as your card number, name and address, and this prompts InfoCard to show you all the digital cards stored on your desktop. Then you click on the relevant ones and InfoCard passes the request for details to the card issuer.

The card issuer can instantly verify the request has come from the correct person by asking your computer to use its private key to decrypt a string of bits encrypted with the issuer's public key. Your card company then creates a certificate containing the relevant information, signs it with a digital signature, and sends it to you. Clicking on the certificate transmits it to the site and lets the sale go through.

Although this may sound laborious, it will only take a few seconds, and will save you having to manually type in all your personal details. Plus you can choose different cards containing only selected information, to limit the amount of personal data you give to any one website. There will also be cards for website accounts that need to know who you are but do not require third-party verification, such as email and free online newspapers. These will store a private/public key pair for each website that can be used instead of a password.

Adding cryptographic keys will vastly improve online security, says Stefan Brands, a cryptographer at McGill University in Montreal, Canada. "If it is done in the way they say it will be, it could practically eliminate the big problems we have today." Security firm Verisign has already indicated it will provide digital certificates for InfoCard. What's more, Verisign will be legally liable if it issues an InfoCard certificate to a scam site, according to Kerry Loftus, director of product management at the company. However, some remain unhappy about the idea, simply because it is the brainchild of Microsoft, says Paul Trevithick, whose Boston-based company Parity Communications is sponsoring the Higgins project. "They worry that since it all flows through Windows, doesn't this give Microsoft enormous power?"

Windley says these fears are "largely unfounded". After the Passport disaster, Cameron created a blog where experts from inside and outside Microsoft discussed how to solve the online identity problem. The result of these discussions formed the basis for InfoCard. "These things were discussed all over the internet," says Windley. "A lot of people were involved in shaping them. It gives people a reason to trust the system."

There's no one quite like you

Celeste Biever

Biometric technologies could be used to prove your identity over the internet, just as they are increasingly being used in the real world.

The trouble with most traditional biometrics, such as fingerprint, face and iris recognition, is that using them over the internet would mean fitting computers with expensive dedicated scanners. No wonder the technology has not made its mark in internet applications.

However, this may be about to change thanks to the growing field of behavioural biometrics, in which a person's voice, writing or typing is used to identify them. Various companies are developing systems that don't require the user's computer to be fitted with any additional hardware.

BioPassword of Issaquah, Washington, has developed a system that identifies people by the way in which they type a password. It uses parameters such as the time it takes them to move from one key to the next, and how long they dwell on each key, to match them with their stored profile. The company's clients already include credit unions and banks, including the World Bank.
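The two parameters named above, dwell time on each key and the time taken to move to the next key, can be turned into a simple profile check. The following is an added example, not BioPassword's algorithm or code from the original article; the function names, the distance measure, the threshold and the sample timings are all assumptions made for illustration.

```python
from statistics import mean, stdev

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.
    Returns the dwell time per key, then the flight time between keys."""
    dwell = [rel - prs for _, prs, rel in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples, min_spread=5.0):
    """Build a profile (per-feature mean and spread) from repeated typings."""
    vectors = [features(s) for s in samples]
    if len(vectors) < 2 or len({len(v) for v in vectors}) != 1:
        raise ValueError("need at least two typings of the same password")
    # Floor the spread so a very consistent typist is not rejected
    # over a few milliseconds of jitter.
    return [(mean(c), max(stdev(c), min_spread)) for c in zip(*vectors)]

def score(profile, events):
    """Mean absolute deviation from the profile, in units of spread."""
    vec = features(events)
    if len(vec) != len(profile):
        return float("inf")
    return mean(abs(x - m) / s for x, (m, s) in zip(vec, profile))

def verify(profile, events, password, threshold=2.0):
    """Accept only if the keys match AND the rhythm fits the profile.
    threshold is an assumed value; a real system tunes it on test data."""
    typed = "".join(key for key, _, _ in events)
    return typed == password and score(profile, events) <= threshold

def make_events(text, dwells, flights):
    """Turn constructed dwell/flight times (ms) into key events."""
    events, t = [], 0
    for i, ch in enumerate(text):
        events.append((ch, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events

# Constructed sample data: three enrolment typings of the password "s3cr".
PROFILE = enroll([
    make_events("s3cr", [90, 100, 85, 95], [120, 140, 110]),
    make_events("s3cr", [95, 105, 80, 100], [125, 135, 115]),
    make_events("s3cr", [85, 95, 90, 90], [115, 145, 105]),
])
OWNER = make_events("s3cr", [92, 98, 88, 93], [118, 143, 112])
IMPOSTOR = make_events("s3cr", [150, 60, 140, 70], [300, 60, 250])

if __name__ == "__main__":
    print(verify(PROFILE, OWNER, "s3cr"), verify(PROFILE, IMPOSTOR, "s3cr"))
```

The impostor types the correct password and is still rejected, because the check scores the typing rhythm against the enrolled profile as well as comparing the characters.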

Voice recognition is another promising biometric, as most computers already have built-in microphones. Unlike keystroke logging it could also be used as a convenient method of authentication for internet-enabled cellphones. Vance Harris, head of technology for voice-recognition firm VoiceVault based in Dublin, Ireland, says recent developments in the technology have improved its ability to authenticate people, and mean systems are no longer fooled by criminals making an illicit recording of the phone owner's previous logins and playing it back. The systems compare the voice sample with recordings of recent logins, and if they find them to be identical (something that would be virtually impossible if the voice was real) they ask the user to try again. If the sample proves identical a second time, access is denied.

Duncan Graham-Rowe
