Identity crisis in cyberspace
June 7, 2007
By Patrick Metzger, CBC News
Way back in the early '90s when the internet was in its infancy, identity was rarely an issue. First, early web users were a friendly group of a few thousand technologists who mostly knew each other, and second, nobody was doing business there. That changed as the web grew more popular and went mainstream, making anonymity a selling point – the opinionated could vent freely without fear of personal repercussion, and timid suburbanites could buy pornography without risking awkward encounters with neighbours at the local adult video store.
Today's internet is no longer just the playground of a geek in-group or a platform for the opinionated, but a genuine worldwide web. It's fundamental to commerce, to news, to many aspects of daily life in the industrialized world.
And it's often very important indeed that we know who the people on the other side of the keyboard actually are.
At the relatively low-risk end of the anonymity spectrum, there are the nuisances — spammers who clog up the comments sections of blogs and inboxes with ads for prescription medicines, replica watches and, of course, pornography. The problem grew so quickly that it threatened to overwhelm some people entirely until tools became available to manage the flood of spam.
Software as a gatekeeper
One tool that has emerged to deal with the problem is OpenID. It's an open source (meaning the code can be used and modified freely by anyone) identification system developed by Six Apart, the company responsible for the widely used blogging software Movable Type.
"The big issue here was accountability," said Anil Dash, vice-president and chief evangelist (a technology evangelist is someone who promotes technology) for Six Apart. "You could leave spam links, because there was no authentication at all needed to leave comments."
With OpenID software, participating websites can require visitors to be registered with OpenID and to sign in before a comment can be left. The advantage to the user is that a single consistent login can be used across different social networks or platforms. OpenID has already been put to use by AOL, and Bill Gates has been talking about adopting it for Microsoft sites.
The downside to OpenID is that it's not designed to verify who's really on the other side of the keyboard. It simply assigns them an online identity that remains consistent and can't be used by anyone else.
"It's not implying trust or anything beyond an identity," Dash said. "Users might be using a synonym, so you don't necessarily know their real name, but at least you know it's not software or a robot leaving the spam comments."
As a result, the system isn't useful for sensitive commercial or business applications, for which a higher level of security and a specific personal ID are required.
One common crime involving the use of false identities is online auction fraud, which Detective Constable Mark Fenton of the Vancouver Police Computer Crime Unit said is his department's most frequently received complaint. "The bad guys get a hold of an eBay ID, set up a bank account with another fake ID, and start selling things they don't have."
These criminals typically use public internet terminals in libraries or airports to conduct their transactions without being tracked down.
Ron Jackson, a security researcher with Atlanta security services provider SecureWorks, discovered and, with the FBI, monitored a server that was being used by criminals to store stolen personal information. He said that of 5,200 sets of stolen personal information, about 30 per cent or 1,800 had unique eBay IDs associated with them, which were themselves being sold online to other cyber crooks.
So how can you or the auction company know the person selling you that espresso machine or autographed hockey card is who he says he is?
The days when a simple password and ID were sufficient to identify a user are long gone, relics of an age before Trojan horse software — software that installs malicious programs on computers — could log keystrokes and report them back to gangs of identity thieves. But Ron O'Brien, senior security analyst at information technology security firm Sophos, said auction companies are responding to the threat.
"EBay has recently implemented significant improvements in their security, including banning the sale of some virtual tools [from online games such as Warcraft] because they're so frequently stolen," he said.
He also pointed to new ID verification software that some institutions are putting in place. It requires users to click on a picture after typing their password, a move designed to outwit key logging software. However, malware has already been created to circumvent this measure, as well, he said.
Some financial institutions now provide customers with handheld devices that generate a constantly changing PIN, but even those can be defeated. "They're trying to protect the gateway from the fraudsters being able to get in, but [the criminals] can just put a Trojan horse on that computer. Then they wait for you to type up that little number that comes up, and after that they can take over your browser just as if they were you," said Joe Stewart, senior researcher at SecureWorks.
One company working to defeat the cybercrooks with innovative identification solutions is Seattle-based Cogneto. It is developing biometric systems that identify users through far more subtle methods than passwords.
"We look at how [users] are moving their hands, how they interact with their computer, and we look at behavioural characteristics," explained Patrick Audley, chief technology officer of Cogneto. "Are you doing something you would normally do, from a computer you've used before, a network we've seen you at before, in a city we've seen you in?"
Cogneto's systems even work to stymie the crooks who hijack transactions after the user is logged in — one version of the system continually analyses and reassesses risk during the course of the online operation.
Sophos's O'Brien said that he expects to see many more biometrics-based identification systems in the future, as part of the ongoing arms race between the crooks and the security firms.
Still, SecureWorks's Stewart said that technology will never be the whole answer to the problem, and that prevention and law enforcement must go hand in hand. "A fundamental problem with computers is that there is really no way you can ever tie a computer transaction with the person at the keyboard. You can try to use biometrics and authenticate the person before they can do a transaction, but that stuff can be recorded and replayed. There are all kinds of subtle ways that somebody can get a Trojan horse on your computer, and for all intents and purposes, they can become you.
"There's no end solution that you can deploy technically that would stop it entirely," he said. "You have to also counter these efforts with law enforcement actually going out and putting [criminals] behind bars."