“The Internet will not reach its full potential until users and consumers feel more secure and confident than they do today when they go online.” That blunt assessment is from Commerce Secretary Gary Locke.
The Commerce Department is currently working with the White House Cybersecurity Coordinator to develop a program that will allow businesses and consumers to make sensitive online transactions with greater levels of trust and privacy.
We know the bad guys are out there, working around the clock to snag our personal information and to steal our money. The Internet Crime Complaint Center reports that in 2009, U.S. consumers lost $560 million to cybercrime. Because of this threat, many of us worry that something bad will happen when we shop or do financial transactions online. I know people who are afraid to do online banking.
The Commerce Department estimates e-commerce for the third quarter of 2010 at $41 billion, up 13.6 percent from the same period last year. But for sales to continue to grow, online transactions must be more secure.
Recently, I had a lengthy conversation with White House Cybersecurity Coordinator Howard Schmidt about the Trusted Identities initiative and how it might work.
ConsumerMan: When I’m buying something online, I need to be sure the company I’m about to do business with is legitimate. And to be successful, e-tailers need to know they’re not being taken by a cyber-crook. How does the Trusted Identities initiative accomplish that?
Schmidt: Trust has always been a challenge, because as we know, someone can put up a website in a relatively short period of time that looks very, very legitimate and can be used to harvest credit card numbers from consumers. By the same token, small businesses don’t always know exactly who they’re dealing with and they become the victims of fraud.
So what we’ve done is to work with the private sector to create what we now call the National Strategies for Trusted Identities in Cyberspace.
ConsumerMan: Under this plan, the Commerce Department would coordinate federal activities to implement the Trusted Identities program with the private sector. Who does the heavy-lifting here?
Schmidt: The private sector will lead the building of multiple ways that people can identify themselves depending on their interactions online, and to also make sure these trusted identities are indeed privacy-enhancing as well as helping businesses to be more successful.
ConsumerMan: Do you have any initial ideas as to how this might be done?
Schmidt: We do have some thoughts. Say for example, if I regularly do business with a particular bank. The bank can then give me some sort of device. Let’s say for the sake of our discussion, it’s an application I can put on my mobile device. Instead of using a credit card number every time I do a transaction or a password every time I do something, I have a one-time password or PIN number that I can use that’s generated locally on my mobile device.
So I’m not putting all this personally identifying information out on the Internet. A third-party verifier — not the government, by the way — can effectively complete that transaction with the business to make sure that they get the ability to sell what they want to sell to me, but I also get the benefit of ensuring that the business is valid. That’s one easy example of a way to do trusted identities.
The other thing that I want to make sure that we’re very clear on: This is not an attempt to create any sort of national identity card. It’s quite the opposite. It’s a matter of letting the private sector, through the normal course of doing business, give people choices, including multiple choices. If I want an identity to deal with my bank, that is something that requires a higher level of validation. But if I want nothing at all, so I can blog about things on the Internet, I also have the ability to do that.
ConsumerMan: What we’re doing now is using passwords that are easy to steal or crack. And for verification we pick things like our mother’s maiden name, where we went to school, a pet’s name. You’re saying this system of identification and authentication just doesn’t cut it anymore?
Schmidt: It doesn’t. And as we’ve seen the evolution of cyber-criminals, they know those things that we depend on. They know there are other ways to get that information so they can impersonate you or someone else online. So moving to the next generation of identities in cyberspace is what we’re hoping the private sector will take a lead on.
ConsumerMan: Do you expect this will get a positive response from the business community and have you had any reaction so far?
Schmidt: We’ve had tremendous response and it’s very, very positive. We’ve had privacy and civil liberties organizations that have taken a look at this. And while we’ve not released the final strategy yet, we’ve been engaging with all of these key groups to make sure they understand the principles we’re operating by. We’ve had tremendous support for that.
We’re also working with key lawmakers to make sure Congress has full visibility of the way we’re doing this. And the bottom line is: The more we get positive feedback, the easier it is to have the private sector lead the way on this.
ConsumerMan: So am I getting this right? I’m envisioning some sort of little device that I keep with me that generates spontaneous passwords and the site, such as the bank or brokerage firm or retailer, knows it’s me. Is that where we’re headed?
Schmidt: Well that’s one of the options. You can have a fob, you can have a smart card or you could have an application on a mobile device. Some people only use one computer at home all the time to do things online. So for them, it may be as easy as having a certificate on their system that allows that system to talk reliably with the e-commerce sites they’re going to.
When we look at the National Strategies for Trusted Identities in Cyberspace, the whole issue is not only to provide privacy enhancing technologies led by the private sector, but also options. Because not everybody wants to have a fob, not everybody wants to have a smart card, not everyone wants to use a smartphone. As the industry develops options, this helps us move away from an environment where you’ve got to remember all of these passwords.
The other issue, which is really positive, is that nobody is looking to create a sort of central password that gets you everywhere you want to go. It’s having multiple identities for different circumstances that are easy for you to use and also using devices that you get to choose.
ConsumerMan: Do you envision that this would help reduce the use of the Social Security number as a personal identifier as it’s so often used today?
Schmidt: That’s one of the things we’re looking at. Not only what information, such as Social Security number, is used, but what information is being collected by anyone, including companies and governments. How long do they keep that information? What is it really being used for? And to give the user more choice over what they share, how long they share it and who they share it with.
ConsumerMan: Because you’d be able to turn this trusted identifier off if you wanted to, right?
Schmidt: That’s part of the idea, to give the person a choice. I no longer want to have a relationship with this particular company, so I have the ability to very proactively, with some level of assurance, purge the fact that they’ve got any of my information, and I can just go someplace else. It’s going to take some building of the infrastructure. This will become an ecosystem, and we have the opportunity now to build for the future when it comes to the way we operate, from anonymity to full-trusted abilities online.
ConsumerMan: Are you concerned from a security perspective about how many online transactions are now moving to smartphones that are so vulnerable to hackers and cybercriminals?
Schmidt: We are, and that’s one of the things we’ve talked about for the past few years now. As the use of mobile devices becomes more ubiquitous and we have more Internet-enabled devices, we need to make sure we’re taking some proactive steps now to make sure those things are protected from malware or keystroke loggers and things of this nature. And we’ve actually seen some of the security companies building anti-malware, anti-virus software for various mobile platforms.
Resources to stay secure
The specific proposals for the “National Strategy for Trusted Identities in Cyberspace” are due to be released in the next few months. I’ll let you know what’s in it as soon as it comes out. In the meantime, there are some things you can do right now to increase your security when you go online. These resources can help both businesses and consumers: StopThinkConnect, OnGuardOnline, StaySafeOnline, iLookBothWays.