The sharp card
Smart devices are called just that because they have a canny knack of knowing when to give precisely the right amount of information
By Stephen Wilson
December 11, 2009
A common thread runs through the most important cybercrimes: the vulnerability of digital identities to abuse.
Digital identities are machine-readable proxies for the actual identities of natural persons or legal entities with whom a service provider has a relationship. Digital identities are data items or data sets, each unique in a particular context. Examples include account numbers, customer reference numbers, employee numbers, government identifiers, online social networking profiles, avatars and biometric templates.
The vast majority of digital identities are mere strings of alphanumeric data. Ordinarily, it is impossible for a computer to tell the difference between original data and copies; it is this difficulty that enables most identity fraud and cybercrime.
Stolen digital identities are traded in enormous volumes in thriving black markets. Card Not Present (CNP) fraud on the Internet is the model identity crime, exemplifying the ease with which digital identities can be taken over and used without permission.
Many other cybercrimes are very similar to CNP fraud, including medical identity theft, social networking identity theft (such as James Packer's network profile being taken over and used to collect details about his contacts) and avatar theft (when an attacker takes control of a digital persona in an online game or virtual world).
Vote of confidence
Beyond the dollar value of cyber crime lies the deeper issue of confidence in participation in the digital economy. We are on the verge of brave new eBusiness and eGovernment programs like online account origination, electronic verification of identity, and eHealth records that promise to transform how we live and work. The success of these programs depends on the public not losing confidence in the safety of their identities online.
I urge a coordinated effort across business and government to treat all digital identities more seriously. I certainly do not advocate any single identity system but instead I'd like to see a uniform approach by business and government to how they handle and convey diverse digital identities.
The most important new technology for preventing digital identity theft and therefore cyber crime in general is to be found in smartcards, smart phones, advanced SIMs, USB crypto keys and the like. These devices are called "smart" because they can tell what's going on around them.
They don't just spit out ID data. Rather, they can act as intelligent proxies for their users, protecting them against misadventure and cybercrime. Smart devices can tell what context they're being used in, and control the release of the bare minimum ID data appropriate to the transaction at hand. Australian policy-makers can draw lessons from various current programs:
Chip-and-PIN
Payment card fraud is being redressed by Chip-and-PIN technology. Smartcards supersede magnetic stripe cards with vastly better protection of cardholder data against skimming, copying, cloning and counterfeiting. The advanced cryptography built into Chip-and-PIN cards can also be applied in web browsers to protect digital identities in e-business settings against theft and abuse.
US Government Personal Identity Verification (PIV)
First developed by the US Government to improve civil servant identification, the PIV standard (technically referred to as "FIPS 201") is now being co-opted across the private sector, because it provides an interoperable suite of powerful tools for managing digital identity. FIPS 201 has now come to Australia, being adopted by the Department of Defence for its personnel ID cards.
Fresh thinking about a smart Medicare card
From time to time, it has been suggested that the magnetic stripe Medicare card be upgraded to incorporate a chip. The headline benefit is often said to be prevention of Medicare fraud using fake cards, a proposition that fails to ignite public support for it casts aspersions on all Medicare recipients. Additional benefits are government services by joining them up through a single card, at which point the argument for a new card tends to be lost on privacy grounds. Recent press reports have introduced a more powerful rationale for a smart Medicare card: protection of the new Unique Health Identifier.
If a new Medicare smartcard did nothing other than protect Unique Health Identifiers against theft and misuse, then it might be a valuable development in the emerging eHealth records system. The possibilities for combating cybercrime using these smart ID technologies are many and varied, and should be studied further as part of the government's ongoing work on identity security and online safety.
I contend that business and government alike need to move beyond the current focus on user education, security policy and audit, and adopt a more blended approach to combat organised cyber criminals. The missing piece in the cybercrime puzzle is proper protection of digital identities. Government should look closely at smart authentication technologies that mitigate digital identity theft and render stolen IDs useless to criminals.
Stephen Wilson recently appeared before the House of Representatives' Cybercrime inquiry. This column is an edited version of Lockstep's submission. See also http://www.aph.gov.au/house/committee/coms/cybercrime.
