Privacy watchdog raises concerns
The Toronto Star
Canada's privacy commissioner has advice for banks and other organizations that require customers to log on and prove their identity, and one recommendation is not to use personal facts such as mother's maiden name or place of birth.

"In the information age, the threats to personal information are constantly changing and new threats are emerging," said a report from commissioner Jennifer Stoddart's office, called Guidelines for Identification and Authentication.

"As the threats evolve and are better understood, organizations should adapt their policies and practices to manage these new risks."

Ideally, facts such as date of birth and identifiers such as social insurance and driver's licence numbers should not be used to prove customers' identities, the report said.

"These identity facts and numbers are likely to be known to others, they can be relatively easy to obtain and after they have been compromised they are difficult or impossible to change," it said.

The federal privacy commissioner's report came as Ontario information and privacy commissioner Ann Cavoukian prepared for a speech in which she will call for the development of a universal identity system.

The exponential growth of online fraud means the existing identity infrastructure of the Internet is no longer sustainable, Cavoukian says. "As online fraud is growing, it is threatening to cripple e-commerce," said a press release announcing her speech tomorrow at the International Association of Privacy Professionals' conference in Toronto. It's the first time the group has held this conference outside the United States.

Two senior American Microsoft executives will attend Cavoukian's press conference. Microsoft has developed a new "digital wallet" technology that creates a more secure method of information exchange, allowing consumers to minimize their information exposure and retailers to better protect customers' data, according to Cavoukian's press release.

"The next generation of intelligent and interactive Web services will require more, not fewer, verifiable identity credentials, and much greater mutual trust to succeed," Cavoukian said.

Stoddart's report, meanwhile, said organizations can mitigate the risk from "phishing" by never using email to request authentication information. Phishing is when someone is tricked into giving personal information after receiving an email pretending to be from a company they do business with.

"Given that it is relatively easy to spoof email addresses and caller ID, organizations should be very cautious about using email, email addresses and originating telephone numbers to authenticate individuals," Stoddart's report said.

At the same time, "organizations should not overlook more conventional 'low-tech' threats. For example, a significant amount of identity theft is perpetrated by someone who knows the victim," it said.

It's easier for family members or colleagues with access to a victim's wallet to take advantage of authentication processes that use personal facts, it said.

Organizations are walking a tightrope, it noted. While authentication processes can help protect customers' privacy by reducing the risk of unauthorized disclosures, overly rigorous processes can intrude on privacy. Identities should only be authenticated when it's necessary based on the nature of the transaction, the report said.

More stringent authentication might be needed to allow customers to log in to carry out banking transactions than to check their points balance on a loyalty program, it said.

"Individuals should be provided with choices and identification/authentication options in order to manage their personal identity and privacy risks."

For example, customers should be allowed to choose their own nicknames, passwords and questions and answers when those are used for authentication. They should also pick when to change their authenticators.

And all authentication processes should keep audit records that show the time and outcome of each transaction. Even if a company outsources a customer service function, it remains responsible for ensuring the authentication process protects its customers' information and assets.

This article was copied from the Toronto Star.
 
Copyright © 2006 iT Works Corporation. All Rights Reserved.
