
Microsoft on ID theft watch

Authentication is a key part in the fight against ID theft and phishing, says Microsoft's chief privacy strategist, Peter Cullen.

Colin Barker Special to CNET News
As the chief privacy strategist for Microsoft, Peter Cullen has an onerous responsibility.

Microsoft software routinely collects information from millions of computers around the world, quietly, and often without the owner's explicit knowledge.

Harvesting this kind of private information may seem intrusive, but Microsoft claims it is done for a good reason--the more information the company has on users, the better it can protect them.

For example, the Sender ID system, backed by Microsoft, checks tags on an e-mail to make sure it really is coming from the purported sender. That technology can help people avoid phishing attacks, Microsoft says.
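The check described above (is the machine that handed over this message one the purported sender's domain actually authorizes?) can be illustrated with a small SPF-style evaluator. This is an added example, not Microsoft's Sender ID code or the CNET article's own material: the DNS TXT lookup is replaced by a constructed in-memory table with documentation-only addresses, only the `ip4`, `ip6`, `include` and `all` mechanisms are handled, and the result names follow SPF conventions.

```python
import ipaddress

# Constructed stand-in for DNS TXT records (example domains and
# documentation address ranges; nothing here is a real record).
FAKE_DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all"
    ],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 -all"],
    "nospf.example.org": ["some unrelated txt record"],
}

# How each qualifier prefix maps onto an evaluation result.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

MAX_INCLUDE_DEPTH = 10  # guard against include: loops


def lookup_policy(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF-style policy string, or None if it publishes none."""
    for txt in dns.get(domain, []):
        if txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_sender(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate whether `ip` is authorized to send mail for `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    policy = lookup_policy(domain, dns)
    if policy is None:
        return "none"          # domain publishes no policy: nothing to check against
    addr = ipaddress.ip_address(ip)
    for term in policy.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"                    # an unprefixed mechanism means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif term.startswith("include:"):
            # A referenced domain's policy counts only if it yields "pass".
            if check_sender(ip, term[len("include:"):], dns, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif term == "all":
            return QUALIFIER_RESULT[qualifier]
        # Mechanisms not modelled here (a, mx, exists, ...) are ignored.
    return "neutral"           # no mechanism matched and no "all" terminator


def sender_domain(address):
    """Extract the domain part of an e-mail address such as 'user@example.com'."""
    local, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def check_message(sender_address, connecting_ip, dns=FAKE_DNS_TXT):
    """Check a purported sender address against the IP that delivered the message."""
    domain = sender_domain(sender_address)
    if not domain:
        return "permerror"
    return check_sender(connecting_ip, domain, dns)


if __name__ == "__main__":
    # Constructed scenarios: a legitimate relay, an included relay, and a
    # forged sender delivered from an unrelated host.
    for addr, ip in [("alice@example.com", "192.0.2.55"),
                     ("alice@example.com", "198.51.100.10"),
                     ("alice@example.com", "203.0.113.9")]:
        print(addr, ip, "->", check_message(addr, ip))
```

A receiving mail server would feed this verdict into its filtering decision: a "fail" from the domain's own published policy is strong evidence the sender was forged, while "none" means the domain publishes no policy and the message simply cannot be verified this way. Sender ID proper derives the address to check from message headers (the purported responsible address) rather than only the envelope sender, and uses DNS for the lookup; both are simplified away here.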

Cullen spoke about what Microsoft is doing to help counteract identity theft, the increasing threat of phishing attacks and the ever-present menace of spam.

How do you differentiate your role from that of chief security officer or equivalent?
Cullen: At the core definition level, security is about how to keep information confidential, and privacy is about the use of information. But the two are very related. Look at a phishing event. What started off as a security event--something that caused the customer's information to be collected inappropriately--ended up with the customer's information being used, perhaps for identity theft, which is a privacy issue. Around the world, all privacy information has a security component to it.

On an issue like identity theft, what can Microsoft do to help people guard against that?
Cullen: We approach it from a number of angles. Look at the fight against spam as an example. There were really four buckets of things we had to look at. One was technology solutions. The second is education, and there are two strands: One is consumer education, so we help them by showing how to interact with online vendors and when not to.


The other area that we focus on is partnerships with industry. So if we think about spam, it is about working with other industry players on ways to combat spam.

And then there is government, and in particular, working with government on the law enforcement side of things. We have launched about 120 actions against spammers, phishers (and) spyware purveyors around the world.

Two years ago, (spam) was about marketing and offering us body parts we didn't need. Today, it is about a delivery mechanism for spyware and phishing. So we are really focusing on spyware as part of spam. Now we are focusing on phishing, but it is still part of the spam problem. As we block spam reaching the user's mailbox, it becomes one less way of launching a phishing attack, which can also lead to identity theft.

What is the single biggest issue facing privacy? Is it phishing?
Cullen: It is really tough to identify one big issue...A year ago, the term "phishing" didn't exist. Spyware, a year ago, was about tracking where users went for the purpose of feeding them ads. Now it is about keystroke-loggers being put on people's PCs.

Take spam. We block 3.2 billion pieces of spam per day across MSN and Outlook, but still 65 percent of the world's e-mail is spam. That's why we felt that the whole Sender ID framework was good, and now 25 percent of the mail that MSN receives has the Sender ID framework. So that means we can now focus on the 75 percent, as opposed to the whole 100 percent.

Collectively, all of these things allow us to really narrow the funnel down, so that we can really focus on the bad people.

Do you think that the chip and PIN initiative in the United Kingdom and elsewhere, which calls for a personal identification number to be entered with every card payment, is the way to go forward with privacy?
Cullen: Chip and PIN is great, but there are some operational issues with it. What happens if I lose it, for example? Does that mean that I am left stranded? I think that there are multiple different types of solutions.


In other parts of the world, they are looking at two-factor authentication. In places like the U.S. and Canada, Internet banking tends to be rolled out without the use of smart cards. They just use password and user ID.

It's not just about the financial institution knowing who they are dealing with. Are we, as users, telling them we are dealing with a financial institution? In our view, authentication needs to be very two-way.

From the authentication point of view, is there any particular method you favor?
Cullen: We've done an awful lot of thinking about this, and the system itself needs to be able to exist with multiple different kinds of technology solutions. It has to be very interoperable, as opposed to one single solution. We think that is the answer. So we have designed a set of principles, collaboratively. Even people from the open-source community helped to create this, and as a result of that, all of our technology solutions will actually meet those standards. They are called the seven laws of identity and were created over the past year. In our view, these are the laws a successful identity management framework needs to exist by.

Because we helped create them, these will be the standards that we meet in terms of identity solutions that we roll out for our customers.

Colin Barker of ZDNet UK reported from London.