Identity Theft: Who Are You Anyway?

I N F O R M A T I O N S Y S T E M S S E C U R I T Y RALPH SPENCER POORE, CISSP, CISA, CFE, is the Chief Technology Officer of Privacy Infrastructure, Inc. and a long-time contributor to the Journal. Please feel free to provide feedback to him at [email protected]. When farmer Jones walked into the general store in town, the storeowner — or one of his employees — would greet him personally. The storeowner knew whether farmer Jones’ credit was good, what his buying habits were, and how he would settle his account. If someone else came in pretending to be farmer Jones, he had to look and act like farmer Jones, and if he didn’t pull it off, he risked physical detention. Of course, there may be places today that are like the television show Cheers where everyone knows us. In cyberspace, however, our computer has a better chance to be known than we do. The degree to which I must convey who I am to others directly correlates with the requirements of the transaction I attempt. Many transactions do not require me to identify myself. When I walk into a convenience store to buy a gallon of milk and I pay cash, the clerk neither requests nor needs my identification. When I attempt a transaction for which personally identifiable information is required (e.g., one requiring that I be at least 21 years of age), then either the clerk must ask for identification sufficient for the transaction or the clerk must acquire sufficient validation by personal recognizance. The latter choice (e.g., recognizing that a man with a graying beard is probably older than 21) is, at least currently, not an available choice to online merchants. In cyberspace, the apparent identity (usually obtained from the hardware or software used) becomes your identity for purposes of an online transaction. From knowing the identity of the computer presented, you may correctly identify the person using the computer — or not. Many technologies purporting to identify and to authenticate a person (“end user”) rely on the assumed relationship the user has with the computer that the user appears to be using. Cellular telephones and similar handheld computers (e.g., PDA) usually authenticate as if they were the end users. Successfully cloning such computers equates to stealing the identities of the legitimate owners — if only for limited purposes. Files used to authenticate a user can usually be copied to other computers. In Windows systems, for example, these P R I V A C Y