[ISN] Assumptions Regarding Security of Any System

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 16 Nov 1998 - 13:47:52 CST
From: Edentifica@aol.com
Extract from: Electronic Identity Fraud Newsletter Volume 1, Issue 2

THE ASSUMPTIONS REGARDING THE SECURITY OF ANY ELECTRONIC COMMERCE OR
COMMUNICATION SYSTEM

CAN ANY SYSTEM BEING USED OR PROPOSED TODAY IN ELECTRONIC COMMERCE BE MADE
SECURE?

NO!!!  Absolutely secure encryption cannot provide security; perfect
firewalls can't provide security; perfect digital certification can't
provide security; and neither can the combination of all three.

I can hear everyone saying, "Wait a minute! Are you crazy?" 

No system, no matter how advanced the technology, can be secure if it has
an unsecured element. System security is a weakest link phenomenon. The
weakest link in this environment is Identity Certainty. All commerce today
relies almost exclusively on digital identities. These digital identities
may be in the form of credit cards, government identification cards, or
digital files in large or small databases, operated either locally or by
international information providers. 

The problem is that the focus has been placed on the physical security of
the system, and not the security of the information contained in the
digital identities. The primary source of the digital identification is
the individual. There is no imprimatur as to the truth of the information
provided, regarding the identity of the individual and no significant
attempt at verifying the truth of the information. 

These digital identifications are freely exchanged and ultimately
contained in innumerable databases. This is an open system. It takes no
sophistication for a criminal to insert an identity in the system or to
manipulate an identity within the system. 

Complicating and significantly weakening the security of the system is the
obsolete paradigm that there is a one-to-one relationship between a
digital identity and a real person. This assumption does not withstand
scrutiny.

There is no way of knowing with any certainty that a digital identity
actually is the surrogate for the person whose information is represented
by the digital identity. Most information that ends up as a digital
identity is collected remotely. In the rare instance where the information
is collected face-to-face, it is collected by a person not familiar with
the stranger offering the identity information. To the extent there is an
attempt at verification it is by comparing one set of digital information
collected in this manner with another set collected in the same manner. 

Furthermore, the input of identity information into the system happens in a
wide-open environment with no uniform controls. There is virtually no
security for this crucial piece of information in the system, whether by
encryption, firewalls or any other approach. Therefore, there is no
compensation for this breach of system security. The proof of this pudding
is the rapidly growing problem of identity fraud. (The use of biometrics,
and their strengths and weaknesses, will be the subject of a future
newsletter.)

CONCLUSIONS
~~~~~~~~~~~~
The origin of the problem of "Identity Certainty" is in the assumption
that the fraudster and digital identity are the same unique person. The
solutions to this problem will only be found when that assumption is
addressed. Those who are designing the electronic commerce system are
still using 19th century definitions when designing for the 21st Century.
These definitions no longer apply and their use will result in a weak and
vulnerable system.

By John F. Ellingson, Madison, WI, editor
Principal in e-DENTIFICATION, LLC
Personal Email Address: JohnE37179 @ aol.com


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Nov 18 14:57:09 1998