Invention Is Nothing If There's No Market For It

If Your Retailer Doesn't Get To See Your Data, Does It Stop Phishing?

from the we-shall-see dept

Thu, Oct 19th 2006 5:38pm — Mike Masnick

Phishing, obviously, has become a big problem online. While plenty of people have worked on temporary solutions, it seems like people are finally looking seriously at a more comprehensive way of fighting these types of scams. For a while, some folks have talked about identity management offerings, and one of the best explanations of the concept is the Identity 2.0 presentation done by Sxip CEO Dick Hardt. Beyond just being entertaining, the presentation really lays out the concept of separating your identity from the silo or walled garden of the site you're dealing with. While there are rumors (apparently denied) that Sxip is in trouble, apparently aspects of that Identity 2.0 idea are spreading. The Globe and Mail newspaper has an article about Ontario's privacy commissioner pushing for just such a system that separates out your confidential data from any particular site and simply just gives approval. So, for example, instead of giving your credit card info to a retailer, you would just have some method of confirming that you are you and then have your bank verify that you're legit and the payment will be good. That way, the retailer never actually has your credit card info, but knows that it will get your money. Of course, to some extent this could just open up a different area to attack, since it skips over the bit where you prove you're you. The article discusses Microsoft Vista "Infocards" as a way to do this, but doesn't make it clear how those infocards will actually prove you're you, or resist any kind of forgery. Also, it relies on people trusting Microsoft, which is a big if -- especially given the company's past failures in this area (anyone remember Passport?). It does seem like a step forward, but is hardly a complete solution to spam or even phishing, as the Globe and Mail article suggests.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

7 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

b_has_opinions (profile), 19 Oct 2006 @ 7:14pm

Anything Dick Hardt lays out is OK with me. Keep that 'silo' out of that 'walled garden'.

Is it April 1 already?
[ link to this | view in chronology ]
Anonymous Coward, 19 Oct 2006 @ 8:34pm

Borin..... Zzz...ZzZ..zZz..zZz..ZZz..zZZ..zzZ..
[ link to this | view in chronology ]
Anonymous Coward, 19 Oct 2006 @ 8:43pm

I received modifications to the Merchant Agreements I have with Discover and American Express this year, which make it impossible, or extremely difficult to process credit cards in any way where a clerk would re-key the information.

It doesn't solve the problem of proof (Yes, this is me, and this is my credit card, so I pay you), but it does elminate a possible leak in the system.

A bigger problem is that now the merchants have to trust shopping cart providers just that much more, even though shopping cart providers are not liable for any security breaches. With a merchant account, all of the expense of a security problem fall on the merchant.
[ link to this | view in chronology ]
STJ, 19 Oct 2006 @ 10:14pm

Isn't that what PayPal does? You sign on to your PP account, click on send money, and put in the reciepts email address, they get the money, no finational info
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2006 @ 8:00am

The best solution is where everyone has all their information in one centralized place, a place where others can go for money, but no information.

Problem is, who is that centralized place that has all of your information. The govt? Google?

Probably never happen. It would work if we could find someone that we would trust with all our information.
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2006 @ 9:27am

Bank issued ssl certs
SSL certificates may be an existing technology that could work here.

Your bank could issue you a certificate periodically (i.e. yearly, monthly) that you could use when making purchases. The bank's own certificate could be issued by a central authority (i.e. FDIC), so that merchants could be assured that it's a legitimate bank. When you close your account, or if your account is tapped out, the bank could add your cert to their public revocation list.
When you make a purchase, you send a message authorizing the payment of x dollars, timestamped and encrypted with your private key. The bank could verify that your message is timely and matches the amount requested by the merchant, and could then authorize the payment.

As long as you don't lose, or give out your private key, I think it would work.
[ link to this | view in chronology ]
Anonymous Coward, 20 Oct 2006 @ 1:10pm

it already exists and it is called Paypal
Too bad that Newegg just stopped accepting it.
[ link to this | view in chronology ]