Sanjay Bahl
INDIA: Personally identifying information (PII) in digital form is the lifeblood of the Internet age. Because individuals, organizations, businesses and governments have been willing to trust service providers with such PII, the past decade has seen a tremendous variety of new uses for the Internet.
Access to PII has helped fuel explosive growth in e-commerce and e-gov applications as well as various online communities. Online banking and investing services, travel and shopping websites, electronic filing of tax returns and license renewals are all examples of how the Internet is enabling economic opportunity, efficiency and personal convenience in addition to offering countless other benefits.
How would one define the word identity? In the case of work or business, it may be the employee number or date of birth, online user name, MAC address, IP address, IMEI number, etc. In the case of government, it may be the passport number, income tax permanent account number, driving license number, etc. This is our identity, and it is unique when a single attribute is enough to identify us in a given situation. It is personal to us. Impersonating someone's personal identity/PII in the online digital world is a crime commonly known as online identity theft. Identity theft is not only a threat faced by consumers but also a significant concern for organizations as they handle growing volumes of PII and use it in more diverse ways.
Broadly, tackling identity theft more effectively will require a concerted investment in what Microsoft calls End to End Trust, giving people more usable information about whom and what to trust online by building the infrastructure required to help evaluate the people, devices, software and data that make up the Internet. So you need to look at near-term tactics for mitigating online identity theft. A longer-range strategic vision is also needed for fundamentally addressing the issue with regard to how people assert their identity on the Internet, and how such identity claims are verified by other parties during an online interaction or transaction.
Mitigating the Theft
In addition to building anti-phishing, anti-spyware and anti-malware features and other security tools into its products, Microsoft works collaboratively with governments, the IT industry, business partners and customers to help reduce identity theft. Based on this work, we have identified some core principles for helping consumers safeguard their identity from being misused, helping organizations protect PII entrusted to them and discouraging potential criminals from attempting identity thefts.
In order to authenticate users, online merchants and financial institutions typically use a challenge, such as asking for a username and password, to make sure that the user is allowed to access an account or conclude a transaction. However, the reverse is typically not true: consumers do not have a means to ask website providers to prove their identity. While it is possible for a website to prove its authenticity by obtaining an Extended Validation (EV) certificate, which requires investigation of the site by a reputed certificate authority, these certificates are still in the gradual process of being adopted broadly. Typically, the most that consumers can do is visually inspect the site to see if it looks genuine. But increasingly sophisticated thieves are creating spoofed pages that appear virtually identical to those of an authentic website. In the short term, consumers need better tools to identify signs of possible fraud.
Most websites that manage access to private information use the shared secret technique to protect that access. A shared secret is something that only the user and the website know, such as a username and a password. It can also be private data the user chooses to share with the website, such as a credit card number. While this approach makes it convenient for merchants, banks and government agencies to identify users, it also creates incentives and opportunities for identity thieves. One of the most basic steps consumers can take is to avoid reusing passwords out of convenience and instead create different passwords or pass phrases to access each individual website or online system. Another helpful precaution is to create strong passwords that contain not just letters but also at least one numeral and one symbol (such as &, * or @). This approach is not effective for warding off phishing attacks but is useful in other situations.
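The two precautions above (a different password per site, and letters plus at least one numeral and one symbol) can be checked mechanically over a personal list of credentials. The following is an added example, not part of the original article; the site names, passwords and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
from collections import defaultdict


def composition_issues(password):
    """Return the composition requirements from the text that the password misses."""
    issues = []
    if not any(c.isalpha() for c in password):
        issues.append("no letter")
    if not any(c.isdigit() for c in password):
        issues.append("no numeral")
    if not any(c in string.punctuation for c in password):
        issues.append("no symbol")
    return issues


def audit(credentials):
    """credentials maps site -> password. Returns (reused_groups, weak_sites)."""
    # Group by a keyed digest so the lookup table built here never holds plaintext;
    # the key is random per run, so the digests are useless outside this process.
    key = os.urandom(32)
    by_digest = defaultdict(list)
    weak = {}
    for site, password in credentials.items():
        digest = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        by_digest[digest].append(site)
        issues = composition_issues(password)
        if issues:
            weak[site] = issues
    reused = sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)
    return reused, weak


# Constructed sample data: one password reused on two sites, one letters-only password.
SAMPLE = {
    "bank.example": "Monsoon&2009",
    "shop.example": "Monsoon&2009",
    "tax.example": "correcthorse",
    "mail.example": "blue*Kite7",
}

if __name__ == "__main__":
    reused, weak = audit(SAMPLE)
    for group in reused:
        print("same password used on:", ", ".join(group))
    for site, issues in weak.items():
        print(site, "->", ", ".join(issues))
```

A password that passes both checks is still a shared secret, so it gives no protection once it is typed into a spoofed page.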