Thursday, August 20, 2015

Secure Global Digital Identity, for the Digital World

What's worse than paying your taxes? Having an identity thief steal your return payment. The IRS paid out $5.8 billion in fraudulent returns in 2015.

In Australia we don't have the same SSN issue (the failed Australia Card), which is the root cause of most of the above USA tax fraud, but the expanding use of TFNs and drivers licences (for ID, not for driving a vehicle, i.e. functionality creep) is creating the same fraud opportunities here in Australia; ask any of the 770,000 Australians who suffered from identity theft. The problem is real and no solution exists today.

Principles:
a) personal data shall be exclusively under the individual's control,
b) not held in any centralised system which does not hold a current certificate for a system evaluation to EAL3 at a minimum (this applies to all government as well as commercial systems),
c) be held in fewer and more secure places, and
d) be global and freely available for verification, subject to principle a.

Identity Theft is a Global problem; as such, this article proposes a Global Solution to protect individuals and organisations, while still allowing shared "community" objectives like AML etc. to remain in place. The current Government and private industry Identity protection practices belong to a world which no longer exists, have consistently failed the Individual and the community, and are simply not suitable for the current Digital World. A truly Global secure solution is required which is effective in both the bricks and mortar and Digital worlds, and should be publicly accessible and free. The same solution should empower "third world Individuals" to enable a truly global digital world in which everyone can participate.

One's identity is something we take for granted (after all, it is you), and we expect the various organisations we deal with, including governments, to protect our identity. Yet these same organisations are at the heart of the identity theft problem. All of these organisations tend to blame the "Individual" for any Identity Theft when in fact they are the root cause, and only the Individual is affected by theft of their Identity.

“Digital identity” is the sum of all digitally available information about an individual. It is becoming increasingly complete and traceable, driven by the exponential growth of available data and the big data capabilities to process it. The issue addressed within this article is the ability to link the Digital and physical worlds, and how a compromise within the digital world can affect the physical identity, i.e. Identity Theft.

The most widely used "personal" identifying data elements are birth dates, names and addresses, and drivers licence numbers. The aggregation of this data underpins our "identity" with regard to many Digital Transactions. Many organisations routinely collect this information; some, like banks, use birth date continuously.
Information collected for the purpose of AML should only be used for the specified purposes it was collected for, not for general bank operations. This is clearly defined in the Privacy Act (Section 6.1), yet banks and other organisations routinely violate this principle. This ongoing violation of the Privacy Act is one source of identity fraud, yet it continues without any checks or balances.

Today the collection of personal identifying data has become epidemic, and grows each and every day. Night clubs and hotels (with zero security protection or regulations in place) routinely photocopy an individual's drivers licence. Banks photocopy drivers licences and birth certificates, even though this is not required under any legislation. With a drivers licence, a birth date and data readily available from a postbox or even available on-line, almost anyone can open a bank account on-line as "you" today. On-line organisations like Google track and scan all of your on-line and digital activities, collecting any data which flows through your emails or any site you visit, while using systems that have zero security accreditation or any stated compliance with Privacy Principle APP8 (cross-border data transfers).

Once your Identity is lost, it can be impossible to participate within today's digital and physical world; many find it takes years to restore their Identity after it has been stolen, and there are cases where physical properties have been sold from under their owners.

"Identity crime is now one of Australia’s most common crimes, It’s estimated to cost at least $1.6 billion each year. ID crime is one of the key tools of organised crime groups. Yet Around 20 government agencies in Australia issue more than 50 million documents or credentials used as proof of identity" from DVS transcript.

In many cases, Government departments are the root cause of the problem, by forcing the Individual to provide identifying data when in fact only authentication is required. Additionally, "function creep" has become epidemic, as data is collected for a specific purpose and then used for a different purpose; in the case of DVS, an unrelated revenue generation purpose. Government departments are the source of almost all Identifying documents; these MUST NOT be outside of the Individual's "control", and must not be used for any purpose other than that for which they were collected. This simple requirement is explicitly covered in the Privacy Act Section 6.1, which also applies to Government departments.

A drivers licence is solely for the purpose of authorising an Individual to drive a nominated vehicle; it is NOT an identity card, and it is not an Australia Card by default. The whole DVS concept is bizarre. Check out the total absence of even the most basic security for these systems: the best you get is some waffle or links to policy documents, and there is not a single Certification available on any Government or Commercial Site. DVS has recently started selling verification of individuals to commercial entities; yes, using an Individual's data as a means to generate Government revenue, and selling this as enhanced digital security. Truly bizarre.

Identity theft is a by-product of the issuance and storage of these 50 million documents and credentials within a range of insecure centralised systems. This is just crazy.

Today there is a range of commercial providers of "Identity" systems, sometimes labelled as Green ID?, mainly to support AML requirements, and many private solutions such as those used by banks, and recently Governments via DVS? All of these have fundamental security flaws: they are centralised, and the Identifying data is not under the exclusive control of the individual but rather of the centralised authority. This is a fundamentally flawed concept, as the identifying data MUST be under the control of the Individual or Entity to whom the data belongs. This is so very basic, as only the Individual is affected by Identity Theft; none of these organisations are affected at all, and they take no responsibility for any Identity Theft relating to the data they collect and store.

The whole concept of storing multiple copies of one's identifying data all over the planet in insecure repositories is flawed (I could not find a single provider who has its systems accredited to ITSEC at even the most basic EAL2 or the more appropriate EAL3 level). Not a single operator has published its mandatory security policy, which should include as a minimum encryption in transit and in storage. See D&B Green ID, VEDA, and from 2015 the Australian Government via their DVS: all fail this basic test.

Seriously, does no one care about Individuals and the theft of their Identity?

In the security world, centralised systems are known as a "single point of compromise", which is the reason why one sees 100,000s of personal data records affected when one of these systems is compromised (credit card data is typically one such system). Centralised systems are not used for a single high assurance deployment anywhere in the world today, so why is Identity data being stored in such insecure systems?

When one's "identity" data is compromised, this data cannot be put "back into the bottle" or fixed. Once one's Identity is lost via compromise of identifying documents, one can be totally unable to participate in everyday functions, yet the same insecure, centralised solutions are still in use today, and the compromise of such systems is ongoing.

Finally, after 15 years of R&D and recent advances in cloud security, there is a solution to address both Identity Theft and Anti Money Laundering compliance in a single secure and publicly available framework. The end of hidden or secret data storages with no transparency.

As part of the Global Block Chain Ledger network, we have deployed the world's first totally Global Secure Identification system.

The system is based around an open standard for a Secure Identification Number (SIN), which is derived from Elliptic Curve cryptography and keys generated and stored within cloud-based Hardware Security Modules.

The solution to Identity Theft is not complicated.
STOP:
  • Collecting personal identifying data which is not required to perform the immediate activity, by the requesting entity.
  • Storing any personal identifying data in any centralised system.
  • Sharing or accessing any personal data without the explicit approval, on a per request basis, by the Individual.
  • Storing aggregated personal identifying data in any System.
  • Sharing personal data outside of the initial receiving entity and system.
  • Routinely requiring personal identifying data as a part of an authentication process.
In order to prevent Identity theft, in all cases the Customer should be able to provide the "authentication token" to be used by any organisation when requesting authentication. This is a very basic security and privacy requirement, and a part of the digital world today.

The fully decentralized, anonymous, secure identity.
Enter the Secure Identity Number (SIN). This is a totally digital identity that may be securely used for any type of transaction within the digital world, including replacement of the traditional username/password.
A SIN is the unique record identifier by which this identity will be known. The key concepts are:
  • there is no centralized infrastructure or entity required
  • the secure identity is under the total control of the Individual
  • can securely support the full range of Identity and authentication requirements

Attributes:
  • Ownership can be digitally proven with high assurance, and possible non-repudiation
  • Disposable
  • Optionally attach a sequence of key-value pairs (public proof) and hashes (private proof) to your SIN record.
  • Start out as an anonymous identity and, as required, opt out of anonymity on a per SIN basis by attaching identifying key-value pairs (real.name = "John Smith").
  • All key-value pair updates are digitally signed by the SIN owner (private key holder), e.g. abn=123456
  • Third parties may offer digital attestations:
    • Identity Verification, Inc. digitally signs a SIN as passing their 100 points check.
    • Auction Provider, digitally signs a SIN as having a certain reputation score, on their website.
    • Decentralized market users, digitally sign one another's SINs, building a decentralized reputation, social media.
Within the Public Block Chain Ledger, these signed "attributes" are stored within the industry standard DNS "TXT" records for the entity identified by the SIN. This provides a totally secure, yet publicly accessible resource that any agency can securely query for any AML related attributes, anywhere, at any time, at no cost.

Customer identification and verification play a critical role in meeting anti-money laundering regulations and for maintaining an accurate customer database.

Address your business’s know-your-customer compliance obligations and reduce the business costs associated with outdated and inconsistent data with our Global Secure Identification Number (SIN) solution.

The world-first Global Secure Identification Number is now publicly available.
Any AML attribute verification can be performed on-line, anywhere in the world, for free.


Also see
http://villagemall-ceo.blogspot.com.au/2015/06/identity-theft-and-digital-world.html
http://villagemall-ceo.blogspot.com.au/2015/06/bitauth-decentralized-authentication.html
http://villagemall-ceo.blogspot.com.au/2015/07/public-block-chain-ledger-navigation.html

The following SIN attributes are supported in Release 1.0:
public enum attributeType
{
    dob, // Date of birth
    adr, // Address
    bus, // Business number (abn)
    tax, // Tax number (tfn)
    drv, // Drivers licence
    pas, // Passport
    age, // Age card
    nam, // Individual name
    cpy, // Company, Trust etc. name
    act, // Account, value is free form ASCII. Meaning within context of signing entity.
    bic, // Swift Code/Bank Identification Code
    lmt, // Payment Limit, value in local currency of signing entity
    rev, // Social Review of this entity, value is review scale of 1 to 10 where 10 is highest
    rat, // Social Reputation, based upon eBay rating, converted to a scale of 1 to 12
    rvk  // SIN is revoked, value is date of revocation, this makes any SIN disposable.
}
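
How a relying party might check the signed attributes and honour the rvk marker before trusting a SIN, as an added C# example that is not the project's own code. The record layout "<sin>|<attr>=<value>", the P-256 curve, the yyyy-MM-dd date format and the sample SIN string are assumptions; how a SIN is bound to its signing key is not specified on this page and is taken as already established.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
// Assumption: a signature covers the UTF-8 bytes of "<sin>|<attr>=<value>".
public record SignedAttribute(string Sin, string Attr, string Value, byte[] Sig);

public static class SinCheck
{
    // Attribute codes from the Release 1.0 enum on this page.
    static readonly HashSet<string> Known = new() { "dob", "adr", "bus", "tax", "drv",
        "pas", "age", "nam", "cpy", "act", "bic", "lmt", "rev", "rat", "rvk" };
    static byte[] Msg(string sin, string attr, string value) =>
        Encoding.UTF8.GetBytes($"{sin}|{attr}={value}");
    public static SignedAttribute Sign(ECDsa key, string sin, string attr, string value) =>
        new(sin, attr, value, key.SignData(Msg(sin, attr, value), HashAlgorithmName.SHA256));
    static bool InScale(string v, int max) => int.TryParse(v, out var n) && n >= 1 && n <= max;
    // Returns the attributes a relying party may trust for 'sin' at time 'now'.
    public static Dictionary<string, string> Accept(ECDsa signer, string sin,
        IEnumerable<SignedAttribute> records, DateTime now)
    {
        var ok = new Dictionary<string, string>();
        foreach (var r in records)
        {
            if (r.Sin != sin || !Known.Contains(r.Attr)) continue;   // other SIN or unknown type
            if (!signer.VerifyData(Msg(r.Sin, r.Attr, r.Value), r.Sig, HashAlgorithmName.SHA256))
                continue;                                            // altered or forged record
            if (r.Attr == "rev" && !InScale(r.Value, 10)) continue;  // review scale is 1 to 10
            if (r.Attr == "rat" && !InScale(r.Value, 12)) continue;  // reputation scale is 1 to 12
            ok[r.Attr] = r.Value;
        }
        // rvk holds the revocation date: fail closed if it has passed or cannot be parsed.
        if (ok.TryGetValue("rvk", out var d) && (!DateTime.TryParseExact(d, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out var revokedOn) || revokedOn <= now))
            ok.Clear();
        return ok;
    }

    public static void Main()
    {
        using var key = ECDsa.Create(ECCurve.NamedCurves.nistP256);  // constructed demo key pair
        const string sin = "SIN-EXAMPLE-1";                          // constructed placeholder
        var nam = Sign(key, sin, "nam", "John Smith") with { Value = "J. Doe" }; // altered after signing
        var recs = new List<SignedAttribute> { Sign(key, sin, "bus", "123456"), Sign(key, sin, "rev", "8"), nam };
        Console.WriteLine(string.Join(",", Accept(key, sin, recs, DateTime.UtcNow).Keys));
        recs.Add(Sign(key, sin, "rvk", "2015-08-20"));
        Console.WriteLine(Accept(key, sin, recs, DateTime.UtcNow).Count);
    }
}
```

The altered nam record fails signature verification and is dropped, and once a validly signed rvk record with a past date is present nothing on the SIN is accepted. A real relying party would import only the signer's public key rather than hold the key pair as the demo does.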
