Way back in the early '90s when the internet was in its infancy, identity was rarely an issue. First, early web users were a friendly group of a few thousand technologists who mostly knew each other, and second, nobody was doing business there. That changed as the web grew more popular and went mainstream, making anonymity a selling point – the opinionated could vent freely without fear of personal repercussion, and timid suburbanites could buy pornography without risking awkward encounters with neighbours at the local adult video store.

Today's internet is no longer just the playground of a geek in-group or a platform for the opinionated, but a genuine worldwide web. It's fundamental to commerce, to news, to many aspects of daily life in the industrialized world.

And it's often very important indeed that we know who the people on the other side of the keyboard actually are.

At the relatively low-risk end of the anonymity spectrum, there are the nuisances — spammers who clog up the comments sections of blogs and inboxes with ads for prescription medicines, replica watches and, of course, pornography. The problem grew so quickly that it threatened to overwhelm some people entirely until tools became available to manage the flood of spam.

Software as a gatekeeper

One tool that has emerged to deal with the problem is OpenID. It's an open source (meaning the code can be used and modified freely by anyone) identification system developed by Six Apart, the company responsible for the widely used blogging software Movable Type.

"The big issue here was accountability," said Anil Dash, vice-president and chief evangelist (a technology evangelist is someone who promotes technology) for Six Apart. "You could leave spam links, because there was no authentication at all needed to leave comments."

With OpenID software, participating websites can require visitors to be registered with OpenID and to sign in before a comment can be left. The advantage to the user is that a single consistent login can be used across different social networks or platforms. OpenID has already been put to use by AOL, and Bill Gates has been talking about adopting it for Microsoft sites.

The downside to OpenID is that it's not designed to verify who's really on the other side of the keyboard. It simply assigns them an online identity that remains consistent and can't be used by anyone else.

"It's not implying trust or anything beyond an identity," Dash said. "Users might be using a synonym, so you don't necessarily know their real name, but at least you know it's not software or a robot leaving the spam comments."

As a result, the system isn't useful for sensitive commercial or business applications, for which a higher level of security and a specific personal ID are required.

Financial problems

One common crime involving the use of false identities is online auction fraud, which Detective Constable Mark Fenton of the Vancouver Police Computer Crime Unit said is his department's most frequently received complaint. "The bad guys get a hold of an eBay ID, set up a bank account with another fake ID, and start selling things they don't have."

These criminals typically use public internet terminals in libraries or airports to conduct their transactions without being tracked down.

Ron Jackson, a security researcher with Atlanta security services provider SecureWorks, discovered and, with the FBI, monitored a server that was being used by criminals to store stolen personal information. He said that of 5,200 sets of stolen personal information, about 30 per cent or 1,800 had unique eBay IDs associated with them, which were themselves being sold online to other cyber crooks.

So how can you or the auction company know the person selling you that espresso machine or autographed hockey card is who he says he is?

The days when a simple password and ID were sufficient to identify a user are long gone, relics of an age before Trojan horse software — software that installs malicious programs on computers — could log keystrokes and report them back to gangs of identity thieves. But Ron O'Brien, senior security analyst at information technology security firm Sophos, said auction companies are responding to the threat.

"EBay has recently implemented significant improvements in their security, including banning the sale of some virtual tools [from online games such as Warcraft] because they're so frequently stolen," he said.

He also pointed to new ID verification software that some institutions are putting in place. It requires users to click on a picture after typing their password, a move designed to outwit key logging software. However, malware has already been created to circumvent this measure, as well, he said.

Some financial institutions now provide customers with handheld devices that generate a constantly changing PIN, but even those can be defeated. "They're trying to protect the gateway from the fraudsters being able to get in, but [the criminals] can just put a Trojan horse on that computer. Then they wait for you to type up that little number that comes up, and after that they can take over your browser just as if they were you," said Joe Stewart, senior researcher at SecureWorks.

Cutting-edge biometrics

One company working to defeat the cybercrooks with innovative identification solutions is Seattle-based Cogneto. It is developing biometric systems that identify users through far more subtle methods than passwords.

"We look at how [users] are moving their hands, how they interact with their computer, and we look at behavioural characteristics," explained Patrick Audley, chief technology officer of Cogneto. "Are you doing something you would normally do, from a computer you've used before, a network we've seen you at before, in a city we've seen you in?"

Cogneto's systems even work to stymie the crooks who hijack transactions after the user is logged in — one version of the system continually analyses and reassesses risk during the course of the online operation.

Sophos's O'Brien said that he expects to see many more biometrics-based identification systems in the future, as part of the ongoing arms race between the crooks and the security firms.

Phonebusters info

Phonebusters.com

1-800-495-8501

(Note: CBC does not endorse and is not responsible for the content of external sites - links will open in new window)

Still, SecureWorks's Stewart said that technology will never be the whole answer to the problem, and that prevention and law enforcement must go hand in hand. "A fundamental problem with computers is that there is really no way you can ever tie a computer transaction with the person at the keyboard. You can try to use biometrics and authenticate the person before they can do a transaction, but that stuff can be recorded and replayed. There are all kinds of subtle ways that somebody can get a Trojan horse on your computer, and for all intents and purposes, they can become you.

"There's no end solution that you can deploy technically that would stop it entirely," he said. "You have to also counter these efforts with law enforcement actually going out and putting [criminals] behind bars."

[an error occurred while processing this directive] [an error occurred while processing this directive]