As many of you know, Microsoft has been at the forefront in fighting the scourge of identity theft. We've improved our products and created tools to help fight identity theft -- the Internet Explorer Phishing Filter; Windows Defender; Windows Live OneCare; and Windows CardSpace.
Today we are releasing, "Online Identity Theft: Changing the Game Protecting Personal Information on the Internet," a new white paper that for the first time describes in detail Microsoft's comprehensive strategy for curbing online identity theft. In addition to describing current Microsoft initiatives, the paper outlines long-term solutions for "changing the game" by ending reliance on "shared secrets" for authentication.
Relying on "shared secrets," such as usernames, passwords, birthdates and government ID numbers to establish the right to do something online, creates security problems because they are relatively easy to steal and can be difficult to remember, update and manage. We need to employ new identity practices online that are just as reliable but better protect against fraud and abuse, and that's where Information Cards come in, as the paper describes:
Information Cards are not physical cards; rather, they are sets of data pointers that sit on a PC or a mobile phone. They are analogous to tangible cards in a person's wallet. In much the same way that a person might use a student ID card to get free admission to a museum or a frequent-shopper card to get a discount on groceries, a digital Information Card issued by one entity can be used to verify the card owner's identity with another entity, as long as the card includes the necessary data. How does this work? The creation and use of Information Cards involves three parties. The first party is the entity that issues the card. In the case of a card for use in sensitive interactions, the issuer might be a government, business or nonprofit organization. For less sensitive uses, individuals might issue themselves a card. The second party, or relying party, is whoever needs to accept the card during a transaction. The third party is the cardholder, who decides which card to present in a given transaction. How does the use of Information Cards reduce the risk of identity theft? For starters, the person's username and password aren't transmitted when an Information Card is presented to a Web site, so they can't be stolen. Information Card technology also supports a range of robust encryption methods that help prevent tampering with the data on the card or snooping to intercept it in transit. Information Cards also allow relying parties to request the minimum amount of personal information needed to authenticate an identity in a given transaction.
-- David Burt