From: Edentificaat_private

Extract from: Electronic Identity Fraud Newsletter, Volume 1, Issue 2

THE ASSUMPTIONS REGARDING THE SECURITY OF ANY ELECTRONIC COMMERCE OR COMMUNICATION SYSTEM

CAN ANY SYSTEM BEING USED OR PROPOSED TODAY IN ELECTRONIC COMMERCE BE MADE SECURE? NO!!!

Absolutely secure encryption cannot provide security, perfect firewalls can't provide security, perfect digital certification can't provide security, and neither can the combination of all three. I can hear everyone saying, "Wait a minute! Are you crazy?"

No system, no matter how advanced the technology, can be secure if it has an unsecured element. System security is a weakest-link phenomenon. The weakest link in this environment is Identity Certainty.

All commerce today relies almost exclusively on digital identities. These digital identities may be in the form of credit cards, government identification cards, or digital files in large or small databases, operated either locally or by international information providers. The problem is that the focus has been placed on the physical security of the system, and not on the security of the information contained in the digital identities.

The primary source of the digital identification is the individual. There is no imprimatur as to the truth of the information provided regarding the identity of the individual, and no significant attempt at verifying the truth of the information. These digital identifications are freely exchanged and ultimately contained in innumerable databases. This is an open system. It takes no sophistication for a criminal to insert an identity into the system or to manipulate an identity within the system.

Complicating and significantly weakening the security of the system is the obsolete paradigm that there is a one-to-one relationship between a digital identity and a real person. This assumption does not withstand scrutiny.

There is no way of knowing with any certainty that a digital identity actually is the surrogate for the person whose information is represented by the digital identity. Most information that ends up as a digital identity is collected remotely. In the rare instance where the information is collected face-to-face, it is collected by a person not familiar with the stranger offering the identity information. To the extent there is an attempt at verification, it is by comparing one set of digital information collected in this manner with another set collected in the same manner.

Furthermore, the input of identity information into the system takes place in a wide-open environment with no uniform controls. There is virtually no security for this crucial piece of information in the system, whether by encryption, firewalls or any other approach. Therefore, there is no compensation for this breach of system security. The proof of this pudding is the rapidly growing problem of identity fraud.

(The use of biometrics, and their strengths and weaknesses, will be the subject of a future newsletter.)

CONCLUSIONS
~~~~~~~~~~~

The origin of the problem of "Identity Certainty" is in the assumption that the fraudster and the digital identity are the same unique person. The solutions to this problem will only be found when that assumption is addressed. Those who are designing the electronic commerce system are still using 19th century definitions when designing for the 21st century. These definitions no longer apply, and their use will result in a weak and vulnerable system.

By John F. Ellingson, Madison, WI - editor
Principal in e-DENTIFICATION, LLC
Personal Email Address: JohnE37179 @ aol.com

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:27 PDT