The Disadvantages and Vulnerabilities of the Identity Ecosystem

Zanita D. Robinson
East Carolina University

Author Note: Zanita D. Robinson, Department of Technology Systems, East Carolina University. Correspondence concerning this document should be addressed to Zanita D. Robinson, Department of Technology Systems, East Carolina University, Greenville, NC 27858.


ABSTRACT

In an effort to reduce online fraud and identity theft, the United States government has recently proposed the National Strategy for Trusted Identities in Cyberspace. With the purpose of protecting the nation's critical infrastructure in cyberspace, the Strategy explores ways to increase the level of trust associated with each party in certain types of online transactions. By establishing a trusted environment, the government hopes to reduce the instances of compromise and fraud associated with an untrustworthy computing environment. Specifically, the Strategy proposes the creation of the Identity Ecosystem, a trusted online environment where entities can conduct transactions safely and efficiently. This strategy for digital identities would ultimately eliminate the use of the username and password model and establish a nationwide federated identity structure. With a single digital credential, an entity could conduct a number of transactions, from purchasing to communications and social networking. The idea is similar to existing implementations of federated identity management, such as OpenID, Facebook Connect, Windows Live ID and 3D Secure, but on a national scale. Therefore, the implementation of the plan has the potential to affect every US citizen and the way that they interact online.

For this reason, it is prudent that we fully examine and consider the potential disadvantages and vulnerabilities that accompany the Identity Ecosystem. We must address the vulnerability that we accept in adopting the use of a single credential for authentication. We must be aware of the security concerns regarding data pooling of identities and attribute information. Finally, we must honestly examine the complexities surrounding such an interoperable environment and the costs and liabilities associated with making it work. The purpose of this study is to discuss each of these areas of concern and to evaluate the potential dangers in implementing the Identity Ecosystem.

Keywords: identity, digital identity, federated identity, Identity Ecosystem, digital credentials, personally identifiable information, trusted environment, authentication, data pooling, national security

INTRODUCTION

Over the past few decades, the evolution of the Internet and computer technologies has changed the ways that society interacts and conducts business throughout the world. Through global networks, companies are better equipped to understand and respond to market demands more quickly, service consumer needs, and interact with their partners. Governments are able to share information and provide services for their citizens in a more efficient manner. Education is enhanced through the use of virtual classrooms and an abundant supply of research materials available online. Even social connections and interactions are now enhanced through social networking sites and online shares.

Depending on the online resources being used, a person may have dozens of accounts to represent their digital identity when conducting transactions. For example, a person may have one username and password for online banking, another to manage and pay for a household utility, one to send email, and still another to make purchases through an online store. They may also use smart phones and/or tablets to conduct mobile transactions, each with its own digital identifier. In the workplace, the number of accounts increases, as smart cards, certificates and tokens are incorporated to represent that same person for authentication to the private network. With multiple authentication methods being used for a number of services, it becomes more difficult for an end user to keep up with the different accounts and credentials required to gain access.

Meanwhile, companies and institutions are constantly finding ways to make more information available online and more ways to conduct business in cyberspace. Brick and mortar institutions are now being replaced by online entities with lower operational costs and greater revenue potential, such as Amazon.com, eBay.com, INGDirect.com, and Overstock.com. To these companies, the only interaction with many of their customers is through a digital credential that represents that entity. As a result, the amount of information that represents each entity online has exponentially increased. Likewise, there has been an increase in the number of malicious actions online to intercept, steal and misuse that information. Despite a dramatic decrease in the level and seriousness of street crimes in the United States over the past few decades, there has been a tremendous increase in computer related crimes, indicating a shift from street crimes to computer crimes (Wellford, 2006). Online fraud, identity theft, and cyber-attacks have become major threats to the national security of our nation. Therefore, in an effort to protect our nation's citizens and industries, the United States government has introduced the National Strategy for Trusted Identities in Cyberspace (NSTIC).

The NSTIC was proposed under the Obama Administration in a draft in June of 2010. The purpose was to improve the security of online information by creating an identity ecosystem through the use of personal digital identities. Developed with input from business leaders, the digital identity would reduce the need for individuals to juggle multiple usernames and passwords for multiple online services and allow individuals to control how much private information they allow to be revealed when authenticating online (Metzger, 2010). The Strategy describes the Identity Ecosystem as an online environment where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate digital identities (Department of Homeland Security, 2010).

With the underlying goal of ensuring the safety and economic needs of US citizens in cyberspace, the guiding principles of the Strategy are to ensure solutions are secure and resilient, interoperable, privacy enhancing, voluntary for the public, cost effective and easy to use. Using a layered approach to establishing the rules for the Ecosystem, applying and enforcing those rules, and conducting transactions within the environment, the Strategy boasts potential benefits to individuals, the private sector and government. Some of those benefits include ensuring the security of data tied to a specific entity; efficiency in allowing transactions to be conducted, saving time and increasing productivity; confidence in conducting business in a safe environment; privacy for personally identifiable information; and innovation allowing for the expansion of new market opportunities (Department of Homeland Security, 2010).

When considering the benefits explained by the Department of Homeland Security, it would appear that the Identity Ecosystem could be the answer to all of our concerns in cyberspace. However, there are a number of disadvantages and vulnerabilities that must also be considered. With the use of a single credential for all transactions, we could make ourselves more vulnerable to loss and compromise. By pooling such large amounts of data in identity and attribute databases, hackers will be able to concentrate their efforts on obtaining greater amounts of information. Furthermore, the costs and liabilities involved in supporting an interoperable environment of such a large scale could be huge disadvantages that hinder the success of the Strategy. Each of these areas must be carefully considered and addressed before making the move towards an Identity Ecosystem.

SINGLE CREDENTIAL VULNERABILITY

The first area of concern is in using a single credential for authentication to so many different services. While such usage could be a benefit by reducing the number of credentials that an end user has to manage, it also could represent a single point of failure, allow for greater damage if compromised, and become a traceable source of information regarding the owner of the credential.

Single Point of Failure

To demonstrate a single point of failure, let us consider a person that uses a smart card to access all systems within a company. The smart card is used to gain access to the building, log in to the computer, access email, and perform job duties within the system. That same card could also hold emergency medical information for the employee and be linked to human resources data and travel orders. The Common Access Card (CAC) used by the United States Federal Government is an example of one type of smart card that is given to active duty/reserve armed forces and uniformed services members for access and use of computer systems and facilities (Smart Card Alliance, 2003).

Now imagine if a person were to lose their smart card or that it was damaged. That person would lose all access to systems until the card was replaced or repaired. Realistically, most companies with smart card implementations have a process to allow for temporary access in such instances. However, what would a person do in a situation such as this in the Identity Ecosystem? With a myriad of identity providers and processes, it could render that person helpless until a replacement is received. Instead of making that person more secure, opting into the Identity Ecosystem has made them more vulnerable.

Greater Damage if Compromised

In addition to creating a single point of failure, the Identity Ecosystem's single credential could also lead to greater damage in the event that the credential is intercepted. Although the Strategy vows to increase safety for trusted identities, it is impossible to say that there would be no instances of compromise. And with multiple accounts linked to a single ID, including financial, medical, professional and social accounts, an adversary would instantly have access to all of a person's information with one exploit.

Consider the example of a user of OpenID, an Identity Management solution allowing you to sign on to multiple websites using a single credential. Basically, OpenID-enabled websites trust OpenID providers and thus allow a user to log in to those systems with their OpenID credentials. Although there is a security benefit in that websites on which an entity uses their OpenID credential don't see the password entered to gain access, it does not reduce the phishing threat that exists (Miessler, 2009). So if a person uses their OpenID credentials for email, banking, and purchases on Amazon.com, then a compromise would allow access to all accounts. Instead of an attacker only using that person's email account to send out phony emails, they also have credit card information to make purchases and banking account information to transfer funds. By using the Identity Ecosystem for all transactions, the amount of damage is exponentially greater.

Traceability

One of the more troubling concerns regarding a single credential is the issue of traceability. By using the same credential for all online activities, a person leaves a trail of activities that could possibly be examined and analyzed by an interested party. Although the Strategy boasts of privacy benefits to limit data collection and distribution by organizations, government would have the ability to electronically link and trace all citizen actions in real time with a single credential. In addition, insider powers can be abused by computer hackers, viruses and malware to gain insider status (Credentica Inc., 2007).

Consider an example of a parent that wants to keep track of their child by installing GPS tracking software on the child's cell phone. Using the software, a parent could stay informed of where that child is at all times to ensure they are safe. However, if the data were to fall into the wrong hands, such as a child predator, the same information could be used to find the child and cause harm. A single digital credential in the Identity Ecosystem could have the same effect if in the wrong hands. A criminal, for example, with access to such data could determine from audit records where a person lives and their daily routine and use that information to plan a home invasion or personal attack. This factor alone makes the single credential vulnerability all the more frightening.

DATA POOLING VULNERABILITY

Another area of concern that must be addressed regarding the Identity Ecosystem solution is the vulnerability created by pooling large amounts of personal data in identity databases. According to the draft of the Strategy, Identity Providers would store logon credentials for participants of the system and Attribute Providers would be responsible for storing the data associated with those credentials (Department of Homeland Security, 2010). With a large number of participants, these companies could amass large database stores full of personally identifiable information. But as stated by one researcher, as the amount of personal information stored at remote service providers increases, so does the danger of data theft (Castellucia, De Cristofaro, & Perito, 2010). The reason, of course, is that a successful compromise would yield greater rewards on larger databases of information. In the same way that street thugs look for victims that have more to take in a robbery, hackers look for opportunities that can maximize their return of useful information.

Examples of Major Breaches

LexisNexis is one company that maintains a wealth of personally identifiable information in large data stores. Specializing in background checks and employee screenings, the company collects a type and amount of information that could be extremely valuable to hackers motivated by financial gain. In May of 2009, the company reported a breach that affected 32,000 personal records (Westfeldt, 2009). By amassing such a large data store of information, the company became a major target with a gold mine of information to be stolen.

TJX, parent company of a number of retail brands including T.J.Maxx, Marshalls and Bob's Stores, was compromised several times over a two year period from 2005-2007. Hackers illegally accessed one of its payment systems and absconded with over 45.6 million card numbers, making it one of the largest data breaches in history (Vijayan, 2007). Note that the company was infiltrated multiple times due to the nature of data that it stored.

Acxiom, a major marketing firm, has developed some of the largest and most sophisticated business intelligence and marketing databases in the world (Acxiom, 2011). It's no wonder the company was targeted in two separate breaches between 2003 and 2004 resulting in the exposure of as many as 1.6 billion records. In both cases, employees of third party companies with legitimate access to the servers were responsible for the theft (Fleischer). This example demonstrates that any company housing that much data is at risk of theft, not only from outside agitators, but from sources inside the organizations as well.

In this year alone, companies such as Epsilon and RSA were targeted because of the large amounts of information being stored at these companies. In the Epsilon data breach, millions of customer email addresses were exposed, prompting worries about the targeted spear phishing campaigns that may follow (Heussner, 2011). Just a few weeks prior, RSA released notifications regarding a breach of SecurID customers, as information related to the SecurID two-factor authentication products had been stolen (Rashid, 2011). Both cases show how companies are often targeted because of the types and large amounts of data stored.

Types of Attacks

When evaluating the security risk for large data stores, it is important to consider the types of attacks that might be successful and the amount of damage that can be inflicted. These factors will also be important to consider when choosing the type of Identity Provider that a person might select.

One type of attack targeted at large databases of information is the SQL injection attack. As web applications interact with databases of information, such as an attribute database, the SQL injection attack exploits the situation by attempting to send pieces of valid SQL queries as unexpected values of GET and POST data (Shiflett, 2004). Login pages, shopping carts, search pages, and any fields that allow user input to query a database are all exposed to SQL injection attacks. Because firewalls and intrusion detection mechanisms provide little defense against such attacks, the only real protection is in the development of database arguments to prevent such occurrences. Given the size of the databases that would house identity credentials and attribute information, the risk is great that they would be targeted for such attacks.

Another type of attack for large databases is the distributed denial of service (DDoS) attack. This type of attack is one in which a multitude of compromised systems join forces to attack a single target. By flooding the target with traffic, it overloads the victim's resources, causing a denial of service for legitimate users of the system (Wikipedia). This type of attack is common in situations of hacktivism where an attacker may be trying to silence a particular group. However, imagine a foreign adversary launching denial of service attacks against multiple identity providers. The consequences could be disastrous for those with credentials housed on that provider's network.

A final type of attack, although many fail to consider it, is the inside attack. What happens when a disgruntled employee with access to incredible amounts of customer data decides to steal or use that data for malicious purposes? According to a report by Verizon and the Secret Service, 48% of security breaches originated from within the organization that was attacked (ViaForensics, 2010). It is quite possible adversaries across the country are already employed at potential Identity Provider companies. With so much data available to employees, the companies themselves may be targeted by prospective employees with the sole purpose of stealing data.

Who is Liable?

With the threat so great on large data stores, the next question is obvious. Who would be liable for compromises of identity data? In the Identity Ecosystem, credentials are stored with an Identity Provider for all systems access. The attributes associated with the credential are stored with an Attribute Provider. So what happens if a person's credentials are compromised and used to access financial information? Would the Identity Provider be liable? Or would the Attribute Provider be held liable, since it was the attributes associated with the identity credential that were affected? Furthermore, who would the end user contact to report such a breach? And how could they be sure that the information stolen was the result of a breach at either provider? In our current environment, parties specifically limit liability. However, with the interdependencies of the Identity Ecosystem becoming substantial, inaccurate assertions of liability could be even more damaging. Accountability must be established within the Ecosystem (Durand & Norlin, 2003).

COSTS AND LIABILITIES OF SUPPORTING AN INTEROPERABLE ENVIRONMENT

A final concern to consider regarding the Identity Ecosystem is the costs and liabilities associated with the task of attaining interoperability between so many different identity providers and systems. As the goal is to enable interoperability that would allow for the linking together of user identities maintained by different service providers, a number of implementation issues might arise from technical complexities.

Costs of Standardization

In order to establish an interoperable environment, minimum standards must be identified to support the system. This includes standards to ensure safe transmission, hardware standards and even operating system requirements. With the exception of password mechanisms, the burden of standardization would likely fall to the end user. For example, a person may be interested in using a smart card for authentication, but unless they purchased a computer recently, they would have to purchase the necessary equipment to integrate smart card technology with their computer system. The equipment could be provided by the identity provider, of course. However, there would probably be a premium charged for use of the equipment. Some might wish to use their cell phones as their digital credential. This would require the purchase of a smart phone in order to comply with ecosystem requirements. In addition to hardware requirements, operating systems that do not have certain built in capabilities would need to be updated to handle integration with identity media. As stated by Henry Bagdasarian, a Los Angeles-based risk management specialist, it is challenging and costly to build relationships and connect various domain systems through technical standardization (Brenner, 2008).

Provider Security

With Identity Providers and Attribute Providers handling so much sensitive data, methods of security may vary between providers. While some companies may have strong physical security and encryption requirements, other companies have different philosophies about security. For example, while a bank may have strict regulations about the storage of customer account information, a provider responsible for maintaining multiple types of information may be less diligent in protecting that same information. Background screens may be absolutely necessary for all employees that work at the IRS, but an identity provider may only screen analysts for criminal history. That provider would then become the weak link that could ultimately violate the trust of the entire system. Thus, all parties must be required to adhere to a rigorous set of standards for both IT and physical security. As stated by David Hawkins, product manager of Software House, "This is one of the biggest reasons for making security systems interoperable: to extend physical security's capabilities into the IT world" (SecuritySolutions.com).
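Returning to the SQL injection attack described under Types of Attacks: the following is an added example, not part of the original paper, that runs the same request values through a lookup built by string concatenation and through one that binds the value as a query parameter. The attribute table, its column names, the sample rows and the function names are all hypothetical, and it assumes that parameter binding is the kind of code-level protection the paragraph refers to.

```python
import sqlite3

# Constructed sample rows for a hypothetical Attribute Provider table.
SAMPLE_ROWS = [
    ("cred-alice", "email", "alice@example.org"),
    ("cred-alice", "postal_code", "27858"),
    ("cred-bob", "email", "bob@example.org"),
    ("cred-bob", "bank_ref", "ACCT-0002"),
    ("cred-carol", "email", "carol@example.org"),
]


def build_store():
    """Create an in-memory attribute database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE attributes ("
        "credential_id TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO attributes VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, credential_id):
    """'Before' form: the request value is pasted into the SQL text, so any
    quote characters in it are parsed as part of the query itself."""
    query = (
        "SELECT credential_id, name, value FROM attributes "
        "WHERE credential_id = '" + credential_id + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, credential_id):
    """Hardened form: the value is bound as a parameter and is only ever
    compared as data, whatever characters it contains."""
    query = (
        "SELECT credential_id, name, value FROM attributes "
        "WHERE credential_id = ?"
    )
    return conn.execute(query, (credential_id,)).fetchall()


def subjects_exposed(rows):
    """Distinct credential holders whose attributes appear in a result set."""
    return sorted({row[0] for row in rows})


def compare(conn, request_value):
    """Run one request value through both lookups and summarise the outcome."""
    try:
        unsafe = subjects_exposed(lookup_vulnerable(conn, request_value))
    except sqlite3.Error as exc:
        # Input with an unbalanced quote breaks the concatenated query.
        unsafe = "query failed: " + type(exc).__name__
    safe = subjects_exposed(lookup_parameterized(conn, request_value))
    return {"vulnerable": unsafe, "parameterized": safe}


if __name__ == "__main__":
    store = build_store()
    # A normal request, a value carrying a piece of valid SQL, and a
    # harmless value that merely contains an apostrophe.
    for value in ("cred-alice", "nobody' OR '1'='1", "cred-o'neil"):
        print(repr(value), compare(store, value))
```

With the concatenated query, the second value returns the attributes of every credential holder in the table, which is the data pooling risk in miniature; the parameterized query returns nothing for it and also handles the apostrophe case without error.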

CONCLUSION

In summary, the National Strategy for Trusted Identities in Cyberspace represents a valiant effort by our government to secure our nation's technical assets. However, there are many points that must be addressed before moving forward with implementation. Vulnerabilities in using a single credential for all systems and pooling large amounts of sensitive data, combined with the costs and liabilities required to support such a large interoperable environment, must be evaluated. It is important to preserve an open Internet, where digital identities are protected. However, trust is essential. In order to achieve that trust, the concerns regarding the Identity Ecosystem must be adequately taken into consideration.

Works Cited

Acxiom. (2011). About Acxiom. Retrieved April 5, 2011, from Acxiom.com: http://www.acxiom.com/about_us/Pages/AboutAcxiom.aspx

Brenner, B. (2008, July 31). Federated ID: An Idea Whose Time Never Came? Retrieved April 15, 2011, from Csoonline.com: http://www.csoonline.com/article/print/440274

Castellucia, C., De Cristofaro, E., & Perito, D. (2010). Private Information Disclosure from Web Searches. Irvine, CA: Springer-Verlag Berlin Heidelberg.

Credentica Inc. (2007). Government Online: A Credentica White Paper. Credentica, Inc.

Department of Homeland Security. (2010, June 25). The National Strategy for Trusted Identities in Cyberspace. Retrieved April 10, 2011, from Homeland Security: www.dhs.gov/xlibrary/assets/ns_tic.pdf

Durand, A., & Norlin, E. (2003, October 10). Toward Federated Identity Management. Retrieved March 30, 2011, from Technewsworld.com: http://www.technewsworld.com/story/31809.html?wlc=1303082175

Fleischer, G. (n.d.). Acxiom Data Breaches. Retrieved April 3, 2011, from pseudo-flaw.net: http://pseudo-flaw.net/content/acxiom-data-breaches/

Heussner, K. M. (2011, April 4). Epsilon Email Breach: What You Should Know. Retrieved April 9, 2011, from ABCNews.com: http://abcnews.go.com/Technology/epsilon-email-breach/story?id=13291589

Metzger, T. (2010, June 28). U.S. proposes creating an 'identity ecosystem'. Retrieved April 12, 2011, from CreditCards.com: http://blogs.creditcards.com/2010/06/us-proposes-creating-an-identityecosystem.php

Miessler, D. (2009, August 24). From Password Reset Mechanisms to OpenID: A Brief Discussion of Online Password Security. Retrieved April 3, 2011, from DanielMiessler.com: http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-ofonline-password-security

Rashid, F. Y. (2011, March 18). RSA Warns SecurID Customers of Data Breach. Retrieved April 3, 2011, from eWeek.com: http://www.eweek.com/c/a/Security/RSA-Warns-SecurID-Customers-of-Data-Breach395221/

SecuritySolutions.com. (n.d.). Bridging the Gap. Retrieved April 17, 2011, from SecuritySolutions.com: http://securitysolutions.com/mag/security_bridging_gap_2/

Shiflett, C. (2004, April 15). SQL Injection. Retrieved April 2, 2011, from Shiflett.org: http://shiflett.org/articles/sql-injection

Smart Card Alliance. (2003). Smart Card Case Studies and Implementation Profiles. Princeton Junction, NJ: Smart Card Alliance.

US-CERT. (2009, October 22). Avoiding Social Engineering and Phishing Attacks. Retrieved April 17, 2011, from US-Cert.gov: http://www.us-cert.gov/cas/tips/ST04-014.html

ViaForensics. (2010, August 19). Study finds more data breaches are inside jobs SFGate. Retrieved April 5, 2011, from ViaForensics.com: http://viaforensics.com/computer-forensics/study-finds-more-databreaches-are-inside-jobs-sfgate.html

Vijayan, J. (2007, March 29). TJX data breach: At 45.6M card numbers, it's the biggest ever. Retrieved April 1, 2011, from Computerworld.com: http://www.computerworld.com/s/article/9014782/TJX_data_breach_At_45.6M_card_numbers_it_s_the_biggest_ever

Wellford, C. (2006). Foreword. In S. C. McQuade, Understanding and Managing Cybercrime (p. x). Pearson Education, Inc.

Westfeldt, A. (2009, May 1). LexisNexis warns 32,000 people about data breach. Retrieved April 15, 2011, from USAToday.com: http://www.usatoday.com/money/industries/technology/2009-05-01lexisnexis-warns-of-data-breach_N.htm

Wikipedia. (n.d.). Denial-of-service attack. Retrieved March 30, 2011, from Wikipedia.com: http://en.wikipedia.org/wiki/Denial-of-service_attack