From bob at bobpinheiro.com Tue May 13 10:04:29 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 13 May 2008 13:04:29 -0400
Subject: [SIG-IDtheft] Next ID Theft SIG Call: Wednesday, May 21
Message-ID: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>

Since assuming the chairmanship of the ID Theft SIG last year, it's been my belief that the primary purpose of this SIG should be to support a Liberty strategy or goal for defining best practices or other specifications that would be applicable directly to preventing identity theft. Although there may be more than one strategy or goal for doing this, I believe the work that Liberty is now doing regarding the Identity Assurance Framework could play an important role.

With that in mind, I presented to the Technology Expert Group last week one possible approach that combines high assurance electronic trust services that could be enabled by the IAF, and provided to consumers, with a Discovery capability enabled by the Liberty Web Services Framework. This could potentially allow, for instance, electronic credentials issued by Liberty-accredited Identity Providers for specific consumer applications (i.e., online banking or other financial services, electronic payment services, access to government services, access to online medical records, etc.) to be leveraged for authentication of anyone claiming the identity of holders of such credentials. FYI, further details of this approach can be found here and here.

While it is tempting to propose that Liberty ought to pursue such an approach if indeed Liberty is going to adopt any strategy or position on identity theft prevention, this assumes that (1) there is business value to potential Identity Providers and Relying Parties in high assurance electronic trust services for consumers, and (2) consumers will choose to use these electronic credentials for such purposes. While we are now witnessing the beginnings of a market for low assurance identity services in the form of OpenID and self-issued Infocards, is there a consumer market for high assurance services? Of course, the government could mandate the use of stronger authentication capabilities for some of these applications, such as occurred in the US for online banking. However, it's not clear that such capabilities would necessarily satisfy the accreditation criteria set forth in the Liberty IAF, or that the providers of such capabilities would be interested in acting as Identity Providers for other purposes.

So I propose we hold the next ID Theft SIG call to discuss the following question: If a Liberty strategy/position on prevention of identity theft depends on the existence of a consumer market for high assurance electronic trust services, is it necessary to understand these market issues in more detail before Liberty adopts any position on identity theft prevention? Or do we take the approach that "if we build it, they will come", and put aside these market issues?

More specifically, it might be interesting for someone to pull together some sort of future discussion or seminar on some of these market issues, to help clarify what a viable strategy might be for Liberty to adopt (should it decide to adopt any strategy at all). For instance, PayPal offers OTP tokens to their users. What has been their experience with user adoption? Is PayPal a potential Identity Provider in the consumer space? What about the banks and financial services companies that must provide stronger authentication for online access to their services? Who are other potential Identity Providers in the consumer space? These are just a few possible ideas.

It's also been suggested that further discussions related to Identity Theft take place in some other group, such as the Identity Assurance Expert Group, the Public Policy Expert Group, or the Identity Assurance SIG. That might make sense if identity theft efforts revolve around identity assurance. On the other hand, these groups may be more focused on the technical and operational issues involving identity assurance. In addition, there may be other identity theft topics that people may want to raise that don't concern identity assurance. Any thoughts on this? In my view, it would make sense to maintain the Identity Theft SIG, provided we can focus it on specific topics that would help to support a Liberty strategy on identity theft, and that there is sufficient interest among people to contribute their thoughts.

I am distributing this announcement to the IAEG, as well as the IA-SIG. If anyone interested in these topics can't attend next week's call, please Reply All and post your thoughts and comments to the list(s). Also, if there are other identity theft prevention strategies or approaches that anyone believes Liberty ought to pursue, including no strategy at all, please bring these up as well, either by posting to the list or during the call.

Wednesday, May 21, 2008
9:00 AM PT / 12 Noon ET / 1600 UTC
US/Canada toll-free number: 866-469-3239
US toll number: 650-429-3300
Attendee Code: 00119954 #

International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum

Bob

---------------------------------------------
Robert Pinheiro Consulting LLC
bp at bobpinheiro.com
(908) 654-1939
www.bobpinheiro.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080513/cccb010a/attachment.html

From bob at bobpinheiro.com Tue May 20 05:04:29 2008
From: bob at bobpinheiro.com (Bob Pinheiro)
Date: Tue, 20 May 2008 08:04:29 -0400
Subject: [SIG-IDtheft] REMINDER: Next ID Theft SIG Call: Wednesday, May 21
In-Reply-To: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
References: <0K0T00JVQGZOXPB4@vms173001.mailsrvcs.net>
Message-ID:

At 01:04 PM 5/13/2008, Bob Pinheiro wrote:
> Since assuming the chairmanship of the ID Theft SIG last year, it's been my belief that the primary purpose of this SIG should be to support a Liberty strategy or goal for defining best practices or other specifications that would be applicable directly to preventing identity theft. Although there may be more than one strategy or goal for doing this, I believe the work that Liberty is now doing regarding the Identity Assurance Framework could play an important role.
>
> With that in mind, I presented to the Technology Expert Group last week one possible approach that combines high assurance electronic trust services that could be enabled by the IAF, and provided to consumers, with a Discovery capability enabled by the Liberty Web Services Framework. This could potentially allow, for instance, electronic credentials issued by Liberty-accredited Identity Providers for specific consumer applications (i.e., online banking or other financial services, electronic payment services, access to government services, access to online medical records, etc.) to be leveraged for authentication of anyone claiming the identity of holders of such credentials. FYI, further details of this approach can be found here and here.
>
> While it is tempting to propose that Liberty ought to pursue such an approach if indeed Liberty is going to adopt any strategy or position on identity theft prevention, this assumes that (1) there is business value to potential Identity Providers and Relying Parties in high assurance electronic trust services for consumers, and (2) consumers will choose to use these electronic credentials for such purposes. While we are now witnessing the beginnings of a market for low assurance identity services in the form of OpenID and self-issued Infocards, is there a consumer market for high assurance services? Of course, the government could mandate the use of stronger authentication capabilities for some of these applications, such as occurred in the US for online banking. However, it's not clear that such capabilities would necessarily satisfy the accreditation criteria set forth in the Liberty IAF, or that the providers of such capabilities would be interested in acting as Identity Providers for other purposes.
>
> So I propose we hold the next ID Theft SIG call to discuss the following question: If a Liberty strategy/position on prevention of identity theft depends on the existence of a consumer market for high assurance electronic trust services, is it necessary to understand these market issues in more detail before Liberty adopts any position on identity theft prevention? Or do we take the approach that "if we build it, they will come", and put aside these market issues?
>
> More specifically, it might be interesting for someone to pull together some sort of future discussion or seminar on some of these market issues, to help clarify what a viable strategy might be for Liberty to adopt (should it decide to adopt any strategy at all). For instance, PayPal offers OTP tokens to their users. What has been their experience with user adoption? Is PayPal a potential Identity Provider in the consumer space? What about the banks and financial services companies that must provide stronger authentication for online access to their services? Who are other potential Identity Providers in the consumer space? These are just a few possible ideas.
>
> It's also been suggested that further discussions related to Identity Theft take place in some other group, such as the Identity Assurance Expert Group, the Public Policy Expert Group, or the Identity Assurance SIG. That might make sense if identity theft efforts revolve around identity assurance. On the other hand, these groups may be more focused on the technical and operational issues involving identity assurance. In addition, there may be other identity theft topics that people may want to raise that don't concern identity assurance. Any thoughts on this? In my view, it would make sense to maintain the Identity Theft SIG, provided we can focus it on specific topics that would help to support a Liberty strategy on identity theft, and that there is sufficient interest among people to contribute their thoughts.
>
> I am distributing this announcement to the IAEG, as well as the IA-SIG. If anyone interested in these topics can't attend next week's call, please Reply All and post your thoughts and comments to the list(s). Also, if there are other identity theft prevention strategies or approaches that anyone believes Liberty ought to pursue, including no strategy at all, please bring these up as well, either by posting to the list or during the call.
>
> Wednesday, May 21, 2008
> 9:00 AM PT / 12 Noon ET / 1600 UTC
> US/Canada toll-free number: 866-469-3239
> US toll number: 650-429-3300
> Attendee Code: 00119954 #
>
> International numbers can be found at wiki.projectliberty.org/index.php/IntlDialInNum
>
> Bob
>
> ---------------------------------------------
> Robert Pinheiro Consulting LLC
> bp at bobpinheiro.com
> (908) 654-1939
> www.bobpinheiro.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.projectliberty.org/pipermail/sig-idtheft_lists.projectliberty.org/attachments/20080520/f7fa2093/attachment.html

From Peter.Davis at neustar.biz Fri May 30 06:29:34 2008
From: Peter.Davis at neustar.biz (Peter Davis)
Date: Fri, 30 May 2008 09:29:34 -0400
Subject: [SIG-IDtheft] Fwd: [ipf] Nearly worst case scenario for registrar phishing may have happened already
References: <4E66E874113BAA4794D35495F650307201504D31@STNTEXCH12.cis.neustar.com>
Message-ID:

An interesting ID-Theft vector not talked about much in the ID Theft SIG... and a compelling use case for Strong Authentication as well. The derivative consequences of this breach are pretty hard to completely comprehend. But there are hints that customer records could have been accessed as well.

=peterd

> To: ipf at antiphishing.kavi.com
> Subject: [ipf] Nearly worst case scenario for registrar phishing may have happened already
> Importance: High
>
> This is almost unbelievable. Comcast's primary domain was taken over by hackers, by using their Netsol user account:
>
> http://www.networkworld.com/news/2008/052908-domain-name-record-altered-to.html
>
> They seem to think it might have been phished from them somehow - my guess is that it was just as likely a simple brute-force attack. The good news for Comcast is it only lasted an hour and a half, and it looks like it was a lark. However, ALL comcast.net e-mail could have been compromised as well - they don't mention that in the article. I guess Network Solutions wasn't quite as prepared as they thought on protecting critical domains from take-over - hopefully they'll get this tightened up asap. This is likely to engender copycats, and is exactly the kind of scenario (albeit a different vector) we've been talking about since the GoDaddy phish last year.
>
> I hadn't listed ISPs as likely phishing take-over candidates, much less one of the very largest in the world, as you would hope they'd have a good plan for protecting their entire existence when it came to things like DNS and domain registrations which they themselves manage (unlike a bank that doesn't necessarily have the know-how). This is a serious data breach given the nature of DNS and e-mail - the bad guys could have gotten ahold of all Comcast users' e-mail, including communications from FIs, confidential company correspondence, or even sensitive government information. I would argue that Comcast should probably be reporting this as a data breach under California and other states' data breach laws. The ramifications here are really far-reaching. Hopefully this high-profile attack will spur serious action to address this gaping security hole in the Internet infrastructure.
>
> Rod
>
> Rod Rasmussen
> President and CTO
> Internet Identity
> 1 (253) 590-4088
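The point Rod makes about comcast.net mail is that a registrar-account takeover shows up as changed NS and MX records long before anyone notices a phishing page. An added example (not code from this list, from Comcast, Network Solutions or any registrar) of the detection control a domain owner would want: pin a baseline of the domain's NS, MX and A records and alert when a fresh snapshot drifts from it. The domain `example.com`, the `rogue-dns.example.net` hosts and all record values are constructed placeholders; the zone-file style parser and the `critical`/`review`/`ok` verdicts are this example's own design.

```python
# Added example for this thread (not code from the list, Comcast, Network
# Solutions or any registrar): a baseline check that flags drift in a
# domain's delegation (NS), mail routing (MX) and address (A) records,
# which is the observable signature of the registrar-account takeover
# described above. All records and names below are constructed; in
# practice the "observed" snapshot would come from a resolver query.
from collections import defaultdict

MONITORED_TYPES = ("NS", "MX", "A")


def normalize(value: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so that
    'NS1.Example.COM.' and 'ns1.example.com' compare equal."""
    return value.strip().lower().rstrip(".")


def parse_records(zone_text: str) -> dict:
    """Parse zone-file style lines ('owner TTL IN TYPE RDATA') into
    {type: set(normalized rdata)}. Blank lines and ';' comments are
    skipped; record types outside MONITORED_TYPES are ignored. MX rdata
    keeps its preference, so a priority change is also reported."""
    records = defaultdict(set)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unparseable record: {raw!r}")
        rtype = fields[3].upper()
        if rtype not in MONITORED_TYPES:
            continue
        if rtype == "MX":
            if len(fields) < 6:
                raise ValueError(f"MX record without host: {raw!r}")
            rdata = f"{int(fields[4])} {normalize(fields[5])}"
        else:
            rdata = normalize(fields[4])
        records[rtype].add(rdata)
    return dict(records)


def diff_records(baseline: dict, observed: dict) -> list:
    """Return sorted (rtype, 'added'|'removed', rdata) tuples for every
    record that differs between the pinned baseline and the snapshot."""
    findings = []
    for rtype in MONITORED_TYPES:
        before = baseline.get(rtype, set())
        after = observed.get(rtype, set())
        findings += [(rtype, "removed", r) for r in before - after]
        findings += [(rtype, "added", r) for r in after - before]
    return sorted(findings)


def assess(findings: list) -> str:
    """NS or MX drift means a different party now answers for the zone
    or receives its mail: 'critical'. A-only drift gets 'review', since
    address changes are routine but still worth a human look."""
    if not findings:
        return "ok"
    if any(rtype in ("NS", "MX") for rtype, _, _ in findings):
        return "critical"
    return "review"


def check(baseline_text: str, observed_text: str):
    """Parse both snapshots, diff them, and return (verdict, findings)
    so a scheduled job can page on 'critical'."""
    findings = diff_records(parse_records(baseline_text),
                            parse_records(observed_text))
    return assess(findings), findings


# Constructed baseline, pinned when the registrar account was last audited.
BASELINE = """
example.com.   3600 IN NS  ns1.example.com.
example.com.   3600 IN NS  ns2.example.com.
example.com.   3600 IN MX  10 mail.example.com.
example.com.    300 IN A   192.0.2.10
"""

# Constructed snapshot resembling a post-takeover state: delegation and
# mail now point at hosts the domain owner does not control.
OBSERVED = """
example.com.   3600 IN NS  ns1.rogue-dns.example.net.
example.com.   3600 IN NS  ns2.rogue-dns.example.net.
example.com.   3600 IN MX  10 mail.rogue-dns.example.net.
example.com.    300 IN A   198.51.100.7
"""

if __name__ == "__main__":
    verdict, findings = check(BASELINE, OBSERVED)
    print(verdict)  # critical
    for rtype, change, rdata in findings:
        print(f"{rtype:3} {change:8} {rdata}")
```

In use, the observed text is what `dig +noall +answer example.com NS MX A` prints, which is already in the owner/TTL/IN/TYPE/RDATA shape the parser expects; querying from more than one resolver guards against a poisoned cache masking the change. Pair the monitor with registrar-side controls the thread itself calls for (strong authentication on the registrar account, registry lock where offered) so that the alert is a backstop rather than the only line of defence.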