Is OpenID the Solution to Online Identity Theft?

In March, Dubner and Levitt tackled the realities of identity theft. Now, with phishing scams getting ever cleverer, state government databases leaving sensitive private information accessible to the world, and identity thieves expanding their schemes into Web giants like Facebook, it’s worth asking: how will the problem of identity theft be solved?

Technology innovators have been plugging away, of course, to develop programs that safeguard sensitive information from prowling hackers. One product touted as a possible solution is OpenID, an online protocol that manages a user’s web identity by offering single sign-on for any participating Web site. Surfers never have to enter a username or password to access sites that demand registration, and can navigate between different sites without logging in or out — the equivalent of an online driver’s license. While the program has yet to hit the mainstream, reports estimate that it and similar products are “two to five years away from mainstream adoption.”

On its face, OpenID seems to offer solution-oriented options for managing identity, like allowing users to identify themselves as part of a demographic (i.e. “35-year-old single man in financial services”) instead of typing in birth dates or employment information during registration. Users can add plugins for extra protection like the “SeatBelt Extension,” which lets you know that you’re visiting phishing site like this one. Other benefits include an automatic age verification system for purchases (making online liquor stores a possibility in the U.S.) and the erection of additional spam barriers (though, as countless filters have found, the spammers find a way).

Fans of OpenID have leaped on its bandwagon, including online giants like AOL, Microsoft, and VeriSign, all of which publicly endorse the product. Dick Hardt, the CEO of the Internet security firm Sxip Identity, called it “the next generation of how we manage identity on the Internet.”

Still, the concept has one glaring weakness that even a non-computer science expert can figure out: reduce the number of names and passwords you use on the Internet, and you reduce the amount of information a thief needs to steal. This line of thinking led online security giant Ben Laurie to famously dub OpenID a “Phishing Heaven.” Mike Neuenschwander, vice president and research director of identity and privacy at the
Burton Group, explained Laurie’s logic as follows: “Today, phishers have to set up a site that mimics a legitimate site a user frequents, and then trick the user into offering credentials and other information. With OpenID, such mimicry isn’t even necessary — the user need only be motivated to log into a site using an OpenID.”

With pro and con arguments flying back and forth, the protocol has become a polarizing force in the technology community, as tech bloggers take sides and rarely miss an opportunity to sound off on the debate. Respected figures like Laurie are working with the OpenID community to help solve its problems, but in the short term, this supposed I.D. theft solution won’t be revolutionizing the Internet any time soon.

What does it all mean for the average consumer? As Dubner and Levitt pointed out in their column, almost three-quarters of identity theft victims incur no damages from the crime. Still, until the security community can reach a consensus, it’s worth triple-checking every time you enter your name and personal information into a “Sign In” box. Even if the site looks like CNN.


discordian

A fool and his ID are soon parted.
hail eris.

Drew

If someone with the name Dick Hardt tried to send me an e-mail, it would probably end up being deleted by my spam filter.

You had a recent column about Aptonyms. How about one for people whose name is glaringly inappropriate for the profession they are in. The CEO of an Internet security firm shouldn't have a name that looks like the purveyor of pornography or "herbal Viagra."

Michael Hessling

It's not so easily cracked, Melissa. My OpenID is the address of my web site. I can use it to sign in to any site that supports OpenID, and because I'm the only person with control over my homepage I'm the only person who can use that identity.

If someone else tries to use my web site address, they'll be redirected to a page which will ask them to log in. This page merely provides a URL, which you must copy and paste into the address bar, and does not actually let you sign in. This helps prevent, to a great degree, any phishing attempt.

Simon Willison has a ton of useful articles about OpenID on his blog: http://simonwillison.net/search/?q=openID

Bob

Didn't Microsoft already try this concept several years ago? I think it was called .NET Passport and it failed after a couple years of no one adopting it. Why is OpenID going to be any different?

David

The flaw of a common security login is the flaw of a digital fingerprint: if someone steals it once, they have access to everything.

Instinctively, I thought fingerprint scanning was a great idea. It was only after hearing the head of RSA security speak (in a B-school class) did I see the problem. Fingerprints are digitized and sent to the website in question. If someone is able to steal that digital combination of 1s and 0s, that person would be able to mimic one's unique fingerprint.

It appears that OpenID poses the same problem. I can change a password easily enough (and diversify passwords across websites), but I can't change who I am.

George

OpenID (or anything similar) will never be the solution to identity theft... as the title of this blog assumes. It is a faulty assumption that all identity theft is driven by thieves who steal users' IDs and passwords via phishing sites or key-logging software. That is not the case. Not even close.

A lot of identity theft is caused when companies expose the sensitive personal data (name, birthdate, SS#, etc.) of their customers, employees, and former employees. So, you can do everything correctly to protect your personal data and your IDs, and STILL become an ID-theft victim when your employer, or a prior employer, loses your personal data. And we ALL have prior employers. Many people don't realize that companies archive our personal data for very long periods of time.

I mention this because a company I never worked for (IBM) lost my personal data. IBM got my data when it bought a company (Lotus) I used to work for. I left Lotus in 1991. IBM bought Lotus in 1995. IBM suffered its data breach in 2007. IBM chose to archive my data for at least 16 years and a lot longer... 20 or 30 years... for other former employees. I blog about my experience with identity theft, how I deal with the mess IBM created for me, and related issues about corporate responsibility:
http://ivebeenmugged.typepad.com

George

Read more...

Trey Tomeny

I believe there is a solution, but OpenID is not it.

I have come up with something called the Private Identity Network (read more at replacegoogle.com) that is based more on economic principles than technical ones.

The idea is to build another level of abstraction around the existing Internet. When you go to use any device, you log in with your Private Identity Provider. Your Private Identity Provider then provisions your real, artificial, or anonymous identity to sites visited based upon your preset parameters.

The economics comes in because the Private Identity Providers are peers in the Network. The way they get more users is to compete for them by offering the most trustworthy experience. But they also cooperate by having secure connections with one another to form the Network as a gated community where users can trust other Private Identity Network users.

The Private Identity Network is a network of people, not machines or non-personal entities. Each person can only have one active presence on the Network at any time. This one person-one presence is guaranteed by a Network Guardian. The Network Guardian is the regulatory entity and it keeps a copy of just the most essential identity data to make sure the one person- one presence is maintained. Non-personal entities may be represented on the Network by natural persons who are members and document their affiliation with the entity.

The Private Identity Providers should be very profitable because everything a user does on the Network will flow through them. They will monetize this by selling only access to their users- if they were ever to sell any user data they would likely face a "run" and lose their users.

This is a dynamic solution because the market competition between the Identity Providers will continuously lead to technical developments that will benefit all over time. This is a big picture structure, not a technical specification.

There are a lot of details to this, if you would like to learn more, please check out replacegoogle.com.

Read more...

Raffy

OpenID is not, nor was even intended, to mitigate identity theft. The purpose of OpenID is to eliminate the need for repetitively entering in the usual information when registering for a new site. It actually improves security by reducing the number of places a user's information is stored.

mind

"Identity theft" is a complete misnomer, you cannot steal an identity. In fact, I freely give away my identity upon meeting new people ('hi! i'm xxxx. nice to meet you')

My name, address, phone number, social security number, credit card numbers, and bank account number are not authentication mechanisms. In a modern security analysis, they are what you'd call 'public information'. The only way they could be more available is if they were printed in the Sunday paper.

If a credit issuer lends somebody money because that somebody has used my public information (as above), that's not really my fault or problem. If they expect me to pay them back, that's laughable, and if they say bad things about me on a credit report, thats simply libel. I've signed no agreement with them which lets them do such things.

Public key cryptography has been around for thirty years, but has still yet to be adopted by the credit card companies. By having a system which requires a simple number that is -printed on the card- to authenticate, they are being extremely negligent. They have not fixed this, because they force the merchants to eat the cost of fraudulent transactions, when in reality, it is in no way the merchants fault. For every credit card issuer, a fraudulent transaction is actually a sale, where they make the normal processing fees, plus that $25 chargeback fee. They will never fix a system if they actually make money from it being broken.

Framing the debate in terms of identity theft just obscures the real issue - Only I can enter into a contract on my behalf. If somebody represents themselves as me and enters into a contract, it is the other party to that contract whom has been defrauded, not I.

Read more...

Andrew

If you are technical at all, Stefan Brands has summarized why OpenID isn't the answer.

http://www.idcorner.org/?p=161

Luigi Montanez

@Bob: Passport failed because it was a proprietary system controlled by Microsoft. OpenID, as the name implies, is completely open and can be used by anyone. Anyone can accept an OpenID and any website URL can act as an OpenID (including one that you own).

@David: The beauty of OpenID is that it doesn't care what method you use for authentication. It's an open identity system, not an open authentication system. So I could run my own OpenID provider on my own domain that does a three phase check before it authenticates me. Or I could look for an OpenID provider that authenticates in a way that I feel is secure.

Also, a person can choose to have more than one OpenID, so switching OpenIDs or OpenID providers is trivial in case of password phishing. It's just an ID, not the single definer of your existence as a human on the Internet.

Romuald

The supposed weakness of OpenId (less information to steal) is illusive.
Most people (except for the security freaks) always use the same id and password for all their web accounts.
Why is that? Simply because it is simpler.
So it's better to have this single information well protected than the same single information (albeit potentially different) not secured appropriately.

david

What this kind of openID needs is a big red 'stop' button.
Think you've been hit by ID theft? trot on over to the openid site and hit the big red stop button, freezing your account until further verification has been carried out.
Wait, you say, what if the criminal changes your email/password? They should log that too, and require verification by the original email (not the one that was changed in the account 5 minutes ago) and wit ha code word you give them with the Stop button.

Gary

Speaking of Dick Hardt - his presentation a couple of years back on the concept of open identity (available at http://identity20.com/media/OSCON2005/) is just a great presentation - both in style and as an introduction to the conceptual problems of distributed id management, even if this implementation has its challenges.

L.Gabriel

Iceland has a pretty comprehensive national ID system that works pretty well. One's ID is completely out in the open (like one's name). There is no partial obscurity and complex combination of verification data which can be exploited. This is not an online ID, but just a “real” one without which you can do absolutely nothing. Article in this English language Reykjavík newspaperpaper makes a good case for it on how it helps prevent fraud.

http://grapevine.is/default.aspx?show=paper&part=fullstory&id=884

Gavin

OpenID is half of the answer.

The other half is multi-factor authentication-- for example, enter your password (something you know) into your cell phone (something you have) in response to a phone call or text message from a web site you're logging into.

The beauty is that one company can dedicate itself to making the OpenID signing process ultra-secure (supporting all the latest&greatest security techniques), and all the websites that support OpenID will get those security upgrades without doing any work at all. And since it's a truly open standard and free for anybody to implement, competition among OpenID providers will make the technology get better and better over time.

frankenduf

nice post mind- I agree that the credit card cos are negligent in their enabling of ID theft- I find it ironic that the internet, the ultimate anonymous media, has become the center of the modern concept of identity theft

Curtis

I would suggest you all take a look at Kim Cameron's blog to get a better idea of OpenID and the Identy MetaSystem that both OpenID and the co-operating system of Information Cards (Microsoft uses InfoCard) are all about. As well as taking a look at the Laws of Identity that are driving all of this.

And no OpenID and Information Cards are not the solution to online identity theft. But it does impact it. In that the merchants or sites you interact with will have only the information YOU agree to let them see. It allows a user to only disclose the minimal information required to undertake a transaction.

Steven Peisner ~ www.SellitSAFE.com

Steven Peisner your local Identity Theft Watch Dog here ~ As I have mentioned before why “victims” exist is because of something referred to as the “Point of Vulnerability” which is that split second that a Phish email is answered –

It will not be long before hackers target openID with new Phishing schemes - What will happen here is that unsuspecting new users will receive Phishes and reply to the Phish – What happens then? A New Identity Theft Victim will be born that's what -

The consumer's impression will be that it does not work and that openID sucks –

Preventing Identity Theft starts with education and then some type prevention tool like openID

Walter Mosley

They key to OpenID is SECURITY. I urge you all to check out www.myVidoop.com. They just came out of private beta last week and quite frankly, their OpenID is more secure than any online banking login, and possibly more so than ANY web login. Also offer a password manager Firefox plug-in. Definately the most innovative company I have come across in a while.