Liberty Alliance takes on ID theft

Group formed to set technology standards for online authentication branches out into combating ID theft.

Joris Evers
Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
4 min read
In the wake of several high-profile data breaches, the Liberty Alliance is branching out to take on identity theft.

The organization, formed to develop technology standards for online authentication, plans to launch its Identity Theft Protection Group on Tuesday. Headed by representatives from American Express and Fidelity Investments, the new effort plans to release an identity theft glossary next month and to subsequently come up with ways to prevent ID theft.

"I am concerned that unless we do something as an industry, this problem is going to get worse and worse, to the point that it is no longer a question if your identity gets stolen, but when," Michael Barrett, co-chairman of the Identity Theft Prevention Group and a security executive at American Express, said in an interview Monday.

Identity-related crime such as phishing threatens the growth of the Internet, Barrett said. The Identity Theft Prevention Group hopes to become a hub for efforts to combat the issue. It plans to first define and dissect the problem and then develop solutions, which could be technical specifications, policy best practices or business guidelines, Barrett said.

The launch comes in the wake of several high-profile data loss incidents that exposed American consumers to identity risk. Last week, CitiFinancial said tapes containing unencrypted information on 3.9 million customers were lost by the United Parcel Service while in transit to a credit bureau. CitiFinancial is the consumer finance subsidiary of Citigroup. In past months, data leaks have been reported by Bank of America and Wachovia, data brokers ChoicePoint and LexisNexis, and the University of California at Berkeley and Stanford University.

The alliance's Identity Theft Prevention Group claims to be the first to address the issue from a multiorganizational perspective. It includes technology vendors, financial services organizations, law enforcement and others, Barrett said. Non-Liberty members can participate through a liaison program.

Liberty is not alone in fighting the problem. Organizations such as the Better Business Bureau and the Federal Trade Commission have efforts to educate consumers and prevent identity theft. So have groups including the Anti-Phishing Working Group.

A larger, collaborative effort is welcome, said James Van Dyke, a principal analyst at Javelin Strategy & Research, which publishes an annual report on identity fraud. However, Liberty should start by renaming its working group the Identity Fraud Protection Group, he said. "The ultimate thing we are trying to stop is identity fraud," Van Dyke said.

Education is key to the push, Van Dyke said. He noted that the Internet is a double-edged sword, in that it can be abused to commit identity fraud, but consumers can also use it to monitor accounts and get rid of paper statements that could be used by Dumpster-diving ID fraudsters.

Also, contrary to popular belief, ID fraud in most cases is not committed by hackers far away in another country, Van Dyke said. In 54 percent of the ID theft cases, the perpetrator is somebody the victim knows, such as a relative, friend or domestic employee, he said.

Jonathan Penn, an analyst at Forrester Research, said the Liberty Alliance should not overreach. The group could be a clearinghouse for ID theft issues, but really its strength is in developing technical specifications, he said. "There should be some definition of Liberty's purpose and scope--for example, focusing on technical solutions that would be adopted across various industry sectors," he said.

Though public perception may be that identity fraud is rampant, the number of victims has actually decreased in the past years. A spring 2003 study by the FTC found that 10.1 million people, or 4.6 percent of the adult U.S. population, were the victims of ID fraud. In an identical study 18 months later, Javelin found that 9.3 million people, or 4.25 percent of the population, had been hit by such crime.

As the number of ID fraud incidents has decreased, the amount of money involved has risen. In 2003, victims' losses averaged $5,072 per incident, for a total of $51.4 billion. In the fall of 2004, Javelin found an average loss of $5,686, for a total of $52.6 billion, Van Dyke said. In both the FTC and Javelin surveys, about 4,000 people were interviewed by telephone.

The Liberty Alliance was established in 2001 to create an open authentication platform that would enable people to use a single sign-on for participating Web sites. The federated identification push was a response to Microsoft's closed Passport technology. The Liberty effort, originally sponsored by Sun Microsystems and about 30 other companies, has continued to expand. It currently counts more than 150 companies, nonprofit and government organizations as members. Specifications developed by the group are supported in several products.

Liberty has scheduled its first Identity Theft Workshop on July 20 in Chicago.