Building a More Secure Internet

Last updated: 05 February 2015

The birth of the Internet opened the doors to e-commerce, and forever changed the way we shop, bank, trade stocks, file income tax returns, access government services, manage our health information, etc.

Unfortunately, the Internet also opened the doors to online fraud and identity theft, which created a multi-billion-dollar industry for criminals and adversely impacts the U.S. economy. An estimated 11.7 million Americans were victims of identity theft of some kind, including online identity theft, over a recent two-year period.

Phishing attacks affect thousands of consumers every year. Phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card information by masquerading as a trusted website, so that consumers unknowingly provide their information directly to the thieves. In the second half of 2010, there were at least 67,677 phishing attacks worldwide, and while it’s very hard to measure the impact of these attacks, we know that 3.6 million adults lost US $3.2 billion in the 12 months ending in August 2007.

Assuming the consumer visits a legitimate website, the overwhelming majority of website operators have no idea who is visiting their site. For many sites, that doesn’t matter. They may ask you to register on their site and create a username and password, but the person registering could easily provide false information and pose as another person or create a fictitious online identity.

For specific transactions or website visits like those mentioned above, it is critical that consumers are certain that the site they visit is the one they intended to access. It is also important for the website operator to have very high confidence that the person accessing the site is who they claim to be, in order to protect consumer privacy and security.

Today, trust is severely lacking on the Internet.

During the past year, the Obama Administration has been working with private sector industry leaders, think tanks, privacy groups and others to draft the National Strategy for Trusted Identities in Cyberspace (NSTIC). NSTIC will change the way we as consumers do business on the Internet by providing what is referred to as strong authentication to certain websites to combat online fraud and identity theft.

Strong or multi-factor authentication utilizes more than a username and password to verify your identity when logging into a specific website. Two-factor authentication is commonly defined as “Something you know” such as a PIN or password and “Something you have” such as a one-time password device.

You use two-factor authentication every time you use an ATM. You are in physical possession of your bank card (Something you have) and you enter your PIN (Something you know).

The purpose of NSTIC is to create an ecosystem where individuals and organizations can complete online transactions with confidence. More information is available at the NIST NSTIC website, and be sure to check out the animation video.

Instead of having to remember an ever-expanding and potentially insecure list of usernames and passwords to log in to various online services, the NSTIC enables a future where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential (e.g., a smart identity card, a digital certificate on their cell phone, etc.) from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions (e.g., online banking, accessing electronic health records, sending email, etc.).

Another key concept in the strategy is that the Identity Ecosystem is user-centric – that means you, as a user, will have more control over the private information you use to authenticate yourself online, and generally will not have to reveal more than is necessary to do so.

As Leslie Harris, President and CEO of the Center for Democracy & Technology, stated in a recent blog post,

“Importantly, the Administration has turned to the private sector to make this vision a reality. The Strategy is not a national ID program—in fact, it’s not an ID “program” at all. It is a call for leadership and innovation from private companies.”

I anticipate much progress in combating online fraud and identity theft now that President Obama has signed the National Strategy for Trusted Identities in Cyberspace.