ID providers: Working together against Internet fraud


Last month the personal email account of James Clapper, the head of the American Intelligence Agency, was hacked and information leaked, amounting to a very serious issue. Does this prove we are powerless against cyber criminals? Of course not! Now is the time that ID providers join together to share information which may indicate fraudulent activity. This concept already exists: Shared Signaling which is now being tested in Great Britain.

According to last month's edition of Vice Magazine not only was the email account of James Clapper hacked, but also his telephone and Internet accounts, which mostly likely gave him many sleepless nights. Additionally, Mr. Clapper's wife also endured the same concern and sleepless nights since it was evident that her own Yahoo account was as risk as well.

Thousands of users are victims

ID Providers may need to deal with fraud at some point. The Netherlands are investing substantially into security and protection of data and are taking proactive steps, e.g. the services of DigiD, eHerkenning and the successor Idensys, to make it as difficult as possible for cyber criminals to hack accounts, where Government services have shown to be successful.

But …

Suppose a married couple decide to split up, where disagreements, quarrels and eventually a really messy divorce takes place. To take revenge on his wife, the husband takes his wife's passwords, logins to DigiD, modifies bank details and makes fraudulent gains.

An Account Take Over (ATO) is any Internet user's worst nightmare. Before you know it someone is pretending to be you, using your credentials, making accounts and manipulating your details and possibly finances. No ID provider is solving this at the moment.

Andrew Nash however, has ideas!

Andrew Nash' solution: Shared Signaling

The former director of Paypal and Google has set up a way to collectively combat Internet fraud. While Andrew Nash was working at Google he saw abnormal amounts of traffic around Yahoo accounts and suspected they were hacked, this is when he came up with the idea. Since Andrew was not working for Yahoo, but still noticed this abnormal traffic, the idea to collaborate with others against Internet fraud was formed.

Andrew has now set up the system: Shared Signaling. This system can be compared to the banking system which works with black lists, where banks alert each other about possible fraudsters. ID providers should be doing the same. Online identification is under constant threat from illegal accounts and hacker attacks, the consequences of such events can be enormous; customer data destroyed, ID providers losing their reputation and financial losses of incalculable amounts.

How does Shared Signaling work?

To fight fraud Nash is making a plea that companies start working together, by sharing information when they have noticed something is wrong via a secure environment and central point of information: the signal manager. Nash's plea is to work together by sharing information on fraud together. It goes like this. An ID provider notices that something is wrong with a user account. The provider gives this within a secure environment through a central point of information: the Signal Manager.

The Signal Manager provides a warning to the other ID providers. Is the fraudster to request an account or change? Then they can change their mind on the basis of the information of the Signal Manager. Thus the scope for the fraudster has become a lot smaller.

Nash's plea is to work together to share information on fraud. When an identity provider suspects something is wrong with a user account, the provider notifies the Signal Manager by means of a secure connection.

The Signal Manager issues warnings to other ID providers. When the fraudster tries to register or update an account, the ID provider can take the Signal Manager warning into consideration. This lowers the chance that the fraudster will succeed in his attempt to commit fraud.

Are there any objections?

This kind of warning system sounds nice, but I can hear you think: what about the privacy of the users? The information that the Signal Manager receives and sends is specific enough to recognise a fraudster without it actually using any privacy sensitive data.

What if the ID provider ignores the warnings? Of course, an ID provider is free to make its own risk assessment based on the information of the Signal Manager. When the ID provider decides to ignore the warning, the fraudster can perform the action that would have been blocked otherwise. However an ID provider can never take this information for granted, because they would create a safe haven for cyber crime. As an ID provider you are always careful about your reputation and you handle your accounts with care.

Embrace Shared Signaling

Shared Signaling is more than just a theory. Nash's model is currently being trialed in the United Kingdom. The lessons we can learn from this trial are also of interest in the Netherlands. Especially now and especially for us.

We are at the verge of replacing DigiD with Idensys. The DigiD platform is monitored by a special fraud team from Logius, but with Idensys this becomes the responsibility of the ID providers. Let's accept this role and embrace Shared Signaling to prevent minister Plasterk and his wife from having sleepless nights.

Additional information:

The Shared Signals Model Protecting the Identity Ecosystem Reducing Fraud and Improving Online Safety through IdP Signal Sharing