HANOVER, GERMANY -- Rampant identity theft is eroding users' trust in the Internet, and could threaten to erase some of the progress companies have made in doing business online, security experts warn.
One possible solution is to create digital identities to curtail the incidents of ID theft, but this also comes with some liabilities, the experts say. They spoke on a panel at the CeBIT trade show here.
"We actually run the risk of taking a step back on the Internet. We're starting to see a lack of confidence and, even worse, companies are scaling back what they are doing on the Web," says Art Coviello, president and chief executive officer of RSA Security.
This is a concern because what banks actually sell customers is trust, Perj
Fraud on the Rise
Cases of online identity theft have ramped up in recent months, and the U.S. Federal Trade Commission has labeled such theft as one of the fastest growing types of consumer fraud. Internet users are reporting cases of unauthorized access to their online bank accounts due to phishing scams and the increased prevalence of spyware, which can record users' passwords and log-ins.
Digital identities, which provide two measures of authentication, could help improve Internet security as well as having various other uses, such as digital passports, the experts say. Dual authentication often involves something a user knows or possesses, such as a smart card, and something that he or she is, which can be represented by biometric information, Coviello explains.
"Password-only IDs should be a thing of the past," says Detlef Eckert, Microsoft's chief security adviser for Europe, the Middle East, and Europe.
In addition to improving online security, digital identities would also allow users to reduce the number of credit cards, loyalty cards, and other proofs of ID that they carry, the experts say.
Smart cards, digital passports, and national ID cards could carry information for multiple purposes, as long as the authenticating body is trustworthy. So if multiple credit cards were stored on a smart card, each credit card company would have to trust the other company's means of identifying and authenticating users, the experts say.
Authentication done by one body and then trusted by another is called federated identity, explains Hellmuth Broda, chief technology officer at Sun Microsystems. Broda is also the spokesperson for the Liberty Alliance Project, a consortium of more than 150 companies working to develop a standard for network identity. For a federated ID system to work, specifications need to be open and interoperable, he says, and Liberty and other industry groups are working toward this.
"After the dot-com crash, vendors realized how interdependent they are," Coviello says. "We really must all stand together because we won't make advances on the Internet otherwise."
While digital identities done right would improve online security and user convenience, they bring with them certain liabilities and levels of complexity, the experts say. How to safely store, share, and authenticate data are just some of the issues that need to be resolved.
All the experts agree that data should not be stored in one central repository, which could be compromised. And while they also agree that certain agencies and businesses should control data relevant to their relationship with customers, sharing information is a bit trickier.
One way to share data without allowing one organization to have too much information about a person would be to separate the person's identity from the data by giving it another identifier. One company could identify a person as "customer 51" while another could identify the same person as "customer 254," for example, Coviello says. That way, they could share buying trends and other information without revealing who bought what, for example.
While there are some difficulties in implementing digital IDs, the challenges can be overcome with technological and regulatory solutions, the experts say. For making further progress on the Internet, making digital IDs work is crucial, Broda adds.
"We will never make a system that's impossible for thieves to break, but we can make it very, very hard," Broda says.
CeBIT runs through Wednesday.