The web is deep in the throes of an identity crisis. Hacking has become a for-profit business, with a large and well-funded criminal element attacking legitimate online businesses on a number of fronts.
Despite dramatic security improvements, we are observing significant increases in fraudulent activities on the web. Phishing and pharming are on the rise, and have the potential to curb confidence in e-commerce.
On the Internet, users aren't always who they say they are. An enormous number of fraudulent sites can be staged at lightning speed to capture unsuspecting surfers who respond to catchy ads, or recipients of targeted email. The sites vanish in minutes or hours, only to reappear in new forms somewhere else.
You've seen the play: a well-formatted email from a major company warning you of some compromise or asking for a “security confirmation” of your accounts. The mail has real logos and real links to security pages and disclaimers. The link on the page leads to an official-looking site with more real logos and links. Haven't seen one recently? I captured one such instance in the “Scary Chase Online Phish” post on my personal blog just two weeks ago.
Unhappily, it's easier to fall into this trap than you might think, and the damage may not immediately manifest itself. Identity theft is on the rise, and the more data these bogus sites collect, the easier it is for the bad guys to refine an attack, sending highly-targeted emails to carefully-selected users with enough ‘real’ data to appear legitimate. This new attack is called “spear phishing”.
Technology can help prevent fraud, but the most significant advances will come when we solve the problems created by the lack of an identity layer on the Internet. Once we positively identify users to sites and sites to users, we can reduce these risks.
To meet this need, Microsoft developed InfoCard, an identity meta-system based on open standards. The system integrates deeply into Windows and provides a method of unifying the identity systems available today on the Internet. Any identification entity can be an identity provider, providing branding opportunities and significant enhancements for the end user.
Steven Woodward posted about InfoCard last week in “InfoCard : A standards-based approach to User Authentication”, and we have sessions planned for the conference.
Tag: MIX06