… and it’s a great way to avoid running afoul of logo usage guidelines.

Currently in Development: eGov Profile 2.0

Identity Matters: eGovernment

Download MP3 | Episode Length: 0:15:10 | Filesize: 10 MB

NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.

From the UMA charter: The purpose of the UMA work at Kantara is to develop a set of draft specifications that enable an individual to control the authorization of data sharing and service access made between online services on the individual’s behalf, and to facilitate the development of interoperable implementations of these specifications by others.

Identity Matters: User Managed Access

Download MP3 | Episode Length: 0:27:41 | Filesize: 18.5 MB

NOTE: This podcast was produced in collaboration with the Kantara Initiative Identity Community Update Discussion Group.

About 8 years ago I took on the challenge of securing the digital borders around the e-commerce systems for the Kraft Group’s sports properties. At that time, I could see a storm cloud gathering on the networked horizon as we built a system to unify all of the current properties and set the foundation to build out a series of interconnected portal communities. Looking forward, I knew that it was only a matter of time before a major press-worthy event would raise everyone’s awareness regarding the protection of user privacy, in the form of personally identifiable information (PII), and associated payment information.

Our business strategy was to build a core commerce engine that could handle online transactions embedded within each separate portal. Key to our success was enabling users to have a persistent identity throughout their engagement with our products. In this way we could minimize the barriers to their interacting with our content, as well as streamlining the purchase pipeline. Essentially, once users logged into any of our portals (to access premium/personalized content, manage accounts, and purchase products), we were able to effectively cater to them by simplifying their experience.

The problem with this single-sign-on model was that if a user account was compromised, the intruder could have free reign over the victim’s PII and associated payment information. I had to make the case for going the extra mile(s) by designing strict access control procedures, knowing that something bad was going to happen to a company soon and that we should be ahead of any reactionary solutions imposed upon us. I had a feeling that after some bad press, the e-commerce industry would be pressured to lock down the porous borders that were relatively common at the time.

Just such a case occurred in 2004 when hackers were able to access an estimated 8 million credit card numbers from BJ’s Wholesale Club. It took a few years for details of the incident to emerge, but it was clear even then that there were two primary issues: insecure access points, and poor audit logging. Regardless of whether it was an inside job (as was initially assumed) or an outside hack (which it turned out to be), BJ’s (among other compromised companies) had poor access control and monitoring.

This, as well as other similar incidents, prompted the creation of the Payment Card Industry Security Standards Council, founded in 2006 by American Express, Discover, JCB, MasterCard, and Visa. The payment card industry thus began requiring strict practices and controls around systems that perform above a modest threshold of transactions. It was a strong move, in advance of looming legislation, that helped steer wayward companies toward better practices. Regardless of the critiques of their programs, it has succeeded in shining a light on many problems needing to be addressed.

Fortunately, by the time the PCI guidelines hit the market, we were able to breeze through their audits. The commerce engine we’d built was tighter than what they required. It’s rare that you can so easily point to a situation like this where the extra capital cost on the front end so clearly saved money that would’ve been required to retrofit a running system.

Now, here’s where the history lesson circles around to become informative for current events. We should learn from these cases of identity intrusion and address the core issues. The obvious lesson is not to be cavalier regarding the protection of your email accounts. After all, they are your core identity asset in today’s online world. Be careful when setting up your email account and follow common sense when selecting passwords and associated “remind me” features.

Beyond what you can do for yourself today, the industry needs to step up it’s game, too. Fortunately, there are a number of efforts currently under way to help protect your identity. They just need to be more whole-heartedly embraced and helped to mature by the major players in the market. What’s uniquely interesting about many of the emerging solutions is that they’re user-centric, rather than being centered around any one company’s digital security practices. This focus helps solve the root problems: privacy protection starts at home, and it’s not a simple matter of more/better cyber-security and encryption.

For more information, and to become involved, I highly recommend following the open standards development relating to user-managed identity:

• Kantara Initiative
• OpenID Foundation
• Information Card Foundation
• OAuth / IETF Working Group

And, of course, the Internet Society Trust & Identity Initiative. Tell them I sent you.

We’re all familiar with the airport security ceremony by now. You stand in line (fortunately they seem shorter these days) with your boarding pass and drivers license (or other government-issued identification card) in hand. From what I can tell, the TSA agent confirms that the ID appears to be valid and that the embedded photo resembles the person standing there.

While the agents use loupes and florescent lights on the IDs, very little validation of the boarding pass seems to take place. With the ability to print your own boarding pass at home, their vetting is definitely limited. Setting aside what they could do (e.g. each pass including a hashed string encoded as a barcode the TSA agent could scan), the boarding passes seem oddly useless.

Or that’s what I thought until I noticed the ceremony was taking just a beat longer than usual in this case. I don’t know how much longer it was taking, but for some reason I noticed the person wasn’t moving as quickly as I’d assume they should though the checkpoint. Glancing at the TSA agent, I saw that she was scrutinizing the boarding pass, then looking back at the passenger’s ID, into his face, then back to the boarding pass, her eyes darting all over it. All the while a slight frown of concentration was deepening on her face.

At this point, the passenger tried to lighten the mood by pointing to his ID and saying, “I know, the photo doesn’t look like me any more.” It’s obvious he was talking about how much he’d aged, but the TSA agent cocked her head to one side and immediately made a decision that there was something needing to be investigated before she’d let him pass.

She began asking the passenger questions about his flight, where he was going, and if he had a second ID. At this point the passenger started to sweat as he realized the situation seemed to be going pear shaped. He sputtered something about not having another ID and started patting his pockets (as if he’d find he’d accidentally slipped his passport into his jacket before leaving for the airport). Then the magic happened.

The passenger pulled a slip of paper from his pocket and stared at it for a second, smiled, and then chuckled. He’d found his real boarding pass for this flight. Apparently, the one he’d initially handed the TSA agent was for his return flight the next day. After handing over the correct boarding pass, the agent checked it and was visibly relieved, belying the fact that she was preparing herself for he worst (according, no doubt, to her training). She quickly performed the standard checks and let him pass, reaching out for my documents.

Oddly enough, during this particular trip I was reading the book “How We Decide” by Jonah Lehrer. There is a chapter in it about how a British radar operator accurately detected an incoming missile during the first Gulf War despite an apparent lack of hard evidence linking the incoming blip with a known threat.

This situation seemed similar in that the TSA agent couldn’t quite put her finger on the reason why she felt something was wrong with the passenger’s documents. She’d apparently seen enough boarding passes and IDs to have some type of ingrained sense of what patterns are right, and which are wrong. Since she had been given a valid boarding pass, with only a minor difference of a few characters, she wasn’t able to quickly home in on what specifically was wrong in this case. All she knew at that point was she had to slow things down and start probing until she was able to determine the correct course of action.

There are, of course, flaws to in the airport security system, but this experience was oddly reassuring. Until a more automated system is in place, this particular TSA agent was very good at what she does. Within what turned out to be less than a minute, she had detected a slight anomaly even though she couldn’t immediately identity what it was. She then escalated the situation smoothly and easily in a way that allowed her the time to work out what was wrong.