A Comprehensive Approach to Security

Responding to the growing threat of identity theft.


Identity theft is the fastest-growing crime in the world, and while it is commonly thought of as a mostly petty crime involving stolen personal credit cards or social security numbers, it is now becoming a larger threat to governments and corporations. Multiple Web sites offering fake driver’s licenses and social security cards for as little as $75, paired with identity theft’s increased ties to organized crime, have made it a vital homeland security issue. Ali M. AlKhouri is a final-year doctoral researcher at the University of Warwick and a senior government official in the United Arab Emirates. Jay Bal is an associate professor, principal research fellow in the International Manufacturing Centre and director of the InterLean Ebusiness Centre at the University of Warwick. According to the two, an increasing emphasis on e-commerce and e-government means that organizations face a major threat and must protect not only their customers but also their own sensitive and proprietary data.

In a 2007 working paper, "Digital Identities and the Promise of the Technology Trio: PKI, Smart Cards, and Biometrics," AlKhouri and Bal examine three existing technologies and introduce a framework for how they can be combined into a comprehensive security system. The first of these, biometrics, is the use of an iris scan or physical traits, such as fingerprints, voice, hand or face geometry, to identify an individual positively. The second, smart cards, features integrated chips that store and process data, and the cards can come with a variety of accessories, including magnetic strips, bar codes, optical strips and holograms. Finally, public key infrastructure (PKI) is a framework for creating a secure method of exchanging information through encryption. In a PKI environment, a pair of keys (a public key that is known by the user and a private key used only by the system itself) is employed so that data encrypted with one key can be decrypted only with the other, complementary key, and vice versa.

At least one of these three systems is in use in almost every major organization. Most studies have shown that PKI can be employed to handle most security and verification operations, but according to the authors, other requirements such as availability, performance, uncoercibility, untraceability and anonymity cannot be fulfilled without additional measures. PKI on its own will not provide maximum security for authentication unless it is combined with other security technologies such as smart cards and biometrics.

The technology trio of PKI, smart cards and biometrics, argue AlKhouri and Bal, will create a mechanism to identify and authenticate individuals accurately and create a secure communication and transactional environment. Smart cards, for instance, can securely and accurately verify the identity of the cardholder. PKI can next be used to encrypt the data stored in the database and in the smart card’s chip (such as personal information, digital photo, biometrics) to limit access to authorized personnel. Biometrics can then link the holder of the card to the person to whom it was issued, so the card cannot easily be used if it is lost or stolen.

Through the incorporation of these three technologies in an identity management system, individuals are not locked into one form of authentication, but rather three different forms of authentication: (1) knowledge factor — a password to ascertain what one knows, (2) possession factor — a token (smart card) one must possess and (3) biometric factor — biological traits (fingerprint, voice or other biological imprint) used to verify identity. If one factor has been compromised (a lost smart card, for example), identity thieves still need to pass through two more levels of authentication.

To institute e-commerce or e-government initiatives successfully, organizations need a strong online authentication infrastructure. It is important to remember that e-transactions occur between people who are represented by machines. The anonymity of these transactions makes it more difficult to identify the parties involved and to ensure a trusted business relationship. Given the recent growth in reports of companies that have accidentally revealed significant private customer information, such as credit card numbers and company data, because of errors in their internal systems, it is increasingly important that companies address their security issues. Otherwise, they may find themselves paying a significant portion of an estimated $40 billion in costs that corporations and governments in the United States alone are being forced to pay because of identity theft.

For more information, contact Ali M. AlKhouri and Jay Bal at alkhouri@emiratesid.ae.

Reprint #: 48406
