A group including Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community announced on Monday the creation of the Information Card Foundation (ICF) with the goal of increasing awareness of the use of electronic ID cards on the Internet, and encouraging interoperability in business around new standards.
"We need to come together in a neutral body to continue to promote the adoption of this technology," said Paul Trevithick, CEO of Parity and chairman of the ICF.
Information cards are online equivalents of physical ID cards, such as a driver's license. The basic idea is that customers would have an electronic wallet with various information cards. This would allow customers to bypass typing in user names and passwords. One example for how it could work is a student accessing a university network would simply present his or her electronic student information card.
That basic concept isn't new. Various vendors have introduced variations on this before. Microsoft recently introduced its own CardSpace concept with the Windows Vista operating system.
However, there are "still too many user names, too many passwords," said Kim Cameron, an architect of Identity and Access at Microsoft. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."
What ICF hopes to introduce instead is a tripartite system. In real time, a user would sync via encrypted connection with an ID provider (say a bank or credit card issuer), and also with a reliant party (a university network, a financial site, or an e-commerce site). Unlike having a credit card number, which anyone on the Internet can use anytime, the ID card model proposed by the ICF requires that all three players (user, provider, reliant party) be synced in real time before the transaction could proceed. The addition of a trusted third party in real time should make the new proposal more secure.
Trevithick said that nearly 50 companies participated in discussions at the RSA 2008 conference in February. Additional discussions are planned for upcoming security conferences through the end of 2008. The idea is to bring together as many players in the identification card space as possible. Currently, the ICF steering currently includes Trevithick, Cameron, Drummond Reed (VP of infrastructure at Parity), Mary Ruddy (founder of Meristic), Axel Nennker (consultant at T-Systems Enterprise Services), Pamela Dingle (consultant for Nulli Secundus), Ben Laurie (of OpenSSL and The Bunker), Andrew Hodgkinson (embedded software engineering consultant and contractor), and Patrick Harding (CTO at Ping Identity).
The foundation's site with more information will be live on Tuesday.
A new attack on PayPal could have allowed users who thought they were on a trusted page to access a fraudulent page and possibly expose personal information. On Friday, Finnish researcher Harry Sintonen reported the vulnerability on an IRC chat room.
In an interview with Netcraft, Sintonen said the issue was critical. "You could easily steal credentials." He added that in this case you can't trust the URL http://www.paypal.com.
A few weeks ago PayPal announced it would block users whose browsers did not support EV SSL. Sintonen, who is credited with finding an XSS attack on Barack Obama's Web site in April, said his vulnerability also affected EV SSL pages.
In response, a PayPal representative said: "At PayPal, we take safety and security very seriously. As soon as we were informed of this exploit, we began working very quickly to shut it down. To our knowledge, this exploit was not used in any phishing attacks.
"However, as in any phishing incident, we encourage our customers to contact us immediately if they believe they have given out any personal or financial information that would jeopardize the security of their accounts or lead to unauthorized account access. If an unauthorized withdrawal or purchase is made on a PayPal account, PayPal will reimburse that customer 100 percent. We encourage all of our customers to frequently check the status of their accounts to ensure security."
PayPal is seriously considering blocking some browsers from accessing its site, according to a paper (PDF) available to shareholders.
Titled "A Practical Approach to Managing Phishing," the paper admits that there's no one silver bullet to prevent fraudsters from making money on the Internet. However, authors Michael Barrett, PayPal's chief information security officer, and Dan Levy, the company's senior director of risk management for Europe, say companies could and should start addressing five specific areas:
Prevent fraudulent e-mail from getting into users' in-boxes
Prevent phishing sites by shutting them down
Authenticate users so that stolen credentials can't be used on PayPal
Prosecute fraudsters to the full extent of the law
Focus on brand and consumer recovery
Of these, the paper focuses mainly on e-mail prevention and phishing-site blocking. For e-mail prevention, the authors cite Yahoo Mail as an example and point to its use of domain keys to identify legitimate and illegitimate mail marked as coming from PayPal.
Most controversial is the idea of blocking "unsafe" browsers, or browsers that do not currently include antiphishing tools. PayPal says it would first notify users when they log in if they are using an unsafe browser. Later, PayPal would simply block the use of the browser entirely.
PayPal is interested in enforcing new Extended Verification SSL certificates used by Internet Explorer 7 and the upcoming Mozilla Firefox 3. EV SSL highlights the address bar in green when the site has been certified. Other browsers, such as Apple Safari and Opera, do not currently include these protections.
Browsers not on the desktop could also be barred. On Monday, researchers cited the Apple Safari browser on the iPhone and Nintendo's use of the Opera on its DS and Wii gaming systems as lacking adequate antiphishing protection.
- prev
- 1
- next
