Amex, Fidelity Eye ID Theft Protections

IT execs from American Express, Fidelity Investments, and other F1000 firms plan on crafting Best Practices for protecting web-based applications against identity theft. We look at the planned "identity theft matrix," designed to map all possible identity theft vulnerabilities all the ways they can thwarted. Get a preview of the work, which will be done under the Liberty Alliance.

Tags: Identity Theft, Liberty Alliance, Identity Theft Protection, Security, Fidelity, Vice President, Consumers,

IT execs from American Express, Fidelity Investments, and others have begun a process aimed at developing cross-industry Best Practices for protection web-based applications against identity theft. The basis of the work will be the creation of an "identity theft matrix," which will map all possible identity theft vulnerabilities and ways to address them.

This work, which will be include input from some 40 groups, including commercial and government end users, and security vendors under a new working group at the Liberty Alliance.

Liberty noted that identity theft has become a "critical concern" to its members over the past year, and that the best way to attack the problem of online identity theft is in a collaborative environment. "Identity theft has scared away many businesses and consumers from conducting business on the Internet, and threatens to destroy many of the new lines of ecommerce," Liberty said in a statement.

In fact, a 2004 report from Forester Research backs up IT concerns, finding that 6 million households (or 9% of all U.S. households) have experienced identity theft, and than only 1-in-5 consumers think their credit card information is secure online.

While there are other groups and individual vendors looking to address identity theft, the Liberty Alliance noted: "[O]nline identity theft problem is too big and growing too quickly to be solved by only one vendor or by multiple organizations with limited scope and reach."

A Holistic Approach to
Securing IDs over the Internet

Liberty intends to take a "holistic" approach to online identity theft, defining what it calls an identity theft matrix," which would integrate "open" identity and security technology specs with privacy and business guidelines. The end result would be Identity Theft Protection case studies and Best Practices.

Liberty's Identity Theft Protection Group is co-chaired by Michael Barrett, president of the Liberty Alliance Management Board from 2002 to 2004 and Vice President Internet Strategy, American Express, and Alex Popowycz, member of the Liberty Alliance management board and Vice President, Fidelity Investments.

"You can't tackle what you don't understand," Barrett said, in outlining the ID theft agenda. "The first step in solving any difficult problem is defining and establishing the scope of the issue. Our team is working on this now, analyzing this problem from every angle and painting a clear picture of what we are up against. From this, we'll be able to provide a comprehensive view of the issues and threats, recognize behaviors that put organizations and consumers at risk, and present specific guidance on avoiding these actions."

Liberty will host its first Identity Theft Workshop on July 20 in Chicago.

Liberty noted that successful identity theft protections should be integrated with a federated security approach, the core of Liberty's initial work.

Liberty noted 4 basic tenets in a quality federation implementation:
  • Superior security and privacy inherent in interactions between the Principal, Identity Provider and Service Provider
  • No single point of failure, i.e. limited information in any one repository
  • Permission-based access to attributes
  • Coordinated response to incidents of fraud

    Liberty estimated that some 400 million Liberty-enabled identities (or clients) will be in use worldwide by the end of 2005. They are now is use at Amex, AOL, Fidelity, General Motors and Nokia, among others.