Published by Taylor Wells. Modified over 11 years ago.
2

Digital Identity is a set of attributes of a person or company in a specific domain. An entity has multiple Digital Identities.

Identity is a set of attributes related to an entity (individual or company) in a given domain. An entity can have multiple identities, such as:
- Email account (private and corporate)
- Social network accounts (e.g. Facebook, Twitter, LinkedIn, ...)
- E-Commerce identities (e.g. Amazon, eBay)
- Banking identity
- Account to purchase flights or train tickets
- Phone SIM
- E-Passport
- Health cards
- National service card

Examples of Digital Identities (figure labels): ID for online credit card services, ID to request certificates, ID to purchase flights, ID for online magazines, E-Commerce ID, ID for social networks.
3

The use of Digital Identities is subject to several risks.

Risks:
- Identity theft
- Impersonation
- Bank fraud (e.g. unauthorized transfers of money through mobile banking, ATM and POS)
- Credit card fraud (e.g. unauthorized withdrawals on the Internet, from ATM and POS)
- Mail identity theft
- Fraud against the State (e.g. taking advantage of special benefits without being entitled to them)

Consequences:
- Unauthorized withdrawal of money
- Reputation damage from misappropriation of identity
- Economic and reputation damage for the organization that manages the identity
- Defamation
- Attribution of responsibility
- Loss of confidential information
- Violation of electronic correspondence
- Computer intrusion
- Violation of privacy

Some cases and consequences:
- 2012: Hackers steal data of 1.5 million Visa and MasterCard customers in North America [1]
- 2011: Theft of credit card details of up to 77 million Sony users [2], with estimated damage of 172 mln $ [3]
- 2010: Bank tellers, retail workers, waiters and alleged criminals steal data from credit cards to a value of 13 mln $ [4]
- 2009: Data theft of more than 130 million credit and debit card numbers [5] from Hannaford Brothers, 7-Eleven and two other companies

Sources: 1) www.globalpaymentsinc.com; 2) www.stampa.it; 3) www.latimes.com; 4) www.lastampa.it; 5) www.csoonline.com
4

The assurance level of an identity is characterized by the registration process and by the authentication process.

Registration is the process that makes an entity known in a given domain [1]. Registration levels, from lower (-) to higher (+) trust:
- Self-assertion: the user makes a self-assertion of identity and there are no checks
- Third party verification: verification is left to a third party (e.g. a phone number)
- Direct verification: verification of identity is direct (e.g. background check of clients)
- Detailed direct verification: verification of identity is direct and detailed (e.g. for the e-passport)

Authentication is the verification process of the attributes associated with the identity [1]. Authentication levels, from lower (-) to higher (+) trust:
- 1-factor authentication: something you know or something you have (e.g. a password)
- 2-factor authentication: something you know and something you have (e.g. token and PIN)
- 3-factor authentication: something you know, something you are and something you have (e.g. token, PIN and biometric)

Strong Digital Identities are characterized by a registration and authentication process able to ensure the verification of the data provided by the individual and secure authentication to the user profile.

Soft Digital Identities, although sometimes used for commercial transactions (e.g. Amazon), do not require registration and authentication processes with high security levels.

1) ISO/IEC 24760
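The following is an added example, not code from the presentation: it verifies the "something you know" factor (a salted, iterated password hash) and the "something you have" factor (a TOTP code per RFC 6238, as produced by a token app) with Python's standard library, and then maps the number of distinct factor categories proven to the 1-, 2- and 3-factor levels on the slide. The "something you are" factor is represented by a flag assumed to come from a separate biometric subsystem; all function names, the 200,000 PBKDF2 iterations and the clock-skew window are the example's own choices.

```python
"""Added example (not from the slides): multi-factor verification and
classification of the result by distinct factor categories proven."""
import hashlib
import hmac
import os
import struct
import time

# --- Knowledge factor: salted, iterated password hash (PBKDF2-HMAC-SHA256) ---
def make_password_record(password: str) -> dict:
    """Store only salt + derived key, never the password itself."""
    salt = os.urandom(16)
    iterations = 200_000  # example choice; tune to the deployment's CPU budget
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}

def verify_password(record: dict, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(digest, record["digest"])

# --- Possession factor: RFC 4226 HOTP, driven by time as in RFC 6238 TOTP ---
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    return hotp(secret, now // step)

def verify_totp(secret: bytes, code: str, now: int,
                step: int = 30, window: int = 1) -> bool:
    # Accept the current step plus/minus `window` steps to tolerate clock skew;
    # a real deployment would also reject reuse of an already accepted code.
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, now // step + drift), code):
            return True
    return False

# --- Classify by distinct factor categories, as on the slide ---
LEVELS = {0: "not authenticated",
          1: "1-factor authentication",
          2: "2-factor authentication",
          3: "3-factor authentication"}

def authenticate(record: dict, totp_secret: bytes, password: str = None,
                 otp_code: str = None, biometric_matched: bool = False,
                 now: int = None):
    """Return (level, set of categories proven) for the presented evidence."""
    now = int(time.time()) if now is None else now
    proven = set()
    if password is not None and verify_password(record, password):
        proven.add("know")
    if otp_code is not None and verify_totp(totp_secret, otp_code, now):
        proven.add("have")
    if biometric_matched:  # assumption: matching done by a biometric subsystem
        proven.add("are")
    return LEVELS[len(proven)], proven

if __name__ == "__main__":
    rec = make_password_record("correct horse")          # constructed sample
    secret = b"12345678901234567890"                     # RFC 6238 test secret
    print(authenticate(rec, secret, "correct horse", totp(secret, 59), now=59))
```

Two passwords, or a password plus a security question, both fall in the "know" category and therefore still count as one factor here, which is exactly the distinction the slide draws between 1-factor and 2-factor authentication.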
5

There are different types of Digital Identities that, depending on their use and the level of security required, we can divide into two categories: soft and strong.

Soft Identity:
- Social networks (private and corporate)
- Email accounts
- Identities for eCommerce
- Online magazine subscriptions
- Accounts for blogs and forums
- ...

Strong Identity:
- National ID card
- Digital signature
- Electronic passport
- Secure payment card
- ...

Soft identities are used by online operators to give access, in a more or less secure way, to digital services that are not considered critical. These soft identities normally consist of a user name and a password plus several attributes needed to use the specific services.

Strong identities are issued with procedures that involve in-person (de visu) recognition of the user. Specific technologies are used to ensure a secure authentication process (e.g. smart cards, tokens, biometrics).

The attention of legislators is currently focused on strong identity.
6

There isn't a regulation about Digital Identity on the Internet. There are only some technical standards (ISO) and guidelines (US NIST or OECD).

There are no international legislations or policies dealing with Digital Identity topics. Regulations and legislations are concerned only with technical standards facing single aspects such as authentication, data management and privacy (e.g. ISO), principles and guidelines (NIST, OECD) or de facto standards (OpenID, Persona, OneID). The result of this heterogeneity in legislation and regulation is transferred to the heterogeneity of the implemented solutions and to the difficulty of creating interoperable systems between existing infrastructures.

Relevant standards and guidelines:
- ISO/IEC 24760, A framework for identity management
- ISO/IEC 29115, Entity authentication assurance framework
- ISO/IEC 9798, Entity authentication
- ISO/IEC 29100, Privacy framework
- OECD Recommendation on Electronic Authentication and OECD Guidance for Electronic Authentication
- NIST Recommendations for establishing an identity ecosystem governance structure
7

The Digital Identities related to financial systems (e.g. credit/debit cards) are ruled by operator consortia such as EMV and PCI.

Financial systems are strongly regulated by operator consortia or standardization bodies that have defined standards and technical procedures to guarantee interoperability and security. These standards differ in their application between traditional use (POS/ATM) and online use (Card Not Present).

The security countermeasures adopted for cards, such as EMV, are not useful for online services (no card reader is present); for that reason the PCI DSS standard has been defined by the credit card operators. Non-compliance leads to sanctions and to reimbursement duties toward end users in case of online fraud.

At European level, European Directives have been published (95/46/CE and 2002/58/CE). They define a legal framework for the treatment of personal data during a payment transaction; the directive on payment services (2007/64/CE) provides a legal framework on payment topics and has a strong impact on Digital Identity.

Relevant standards and regulations:
- EMV, interoperability standard (defined by Europay, Visa, MasterCard) between smart card, POS and ATM; it defines a secure authentication procedure for credit cards and Bancomat (debit) cards
- SecureCode / Verified by Visa, standards on online security
- PCI DSS, standard applied to any subject dealing with the PAN of cards issued by Visa, MasterCard, American Express, JCB or Discover
- SEPA, Single Euro Payments Area (EC)
- EU Directives (2007/64/CE, 95/46/CE, 2002/58/CE)
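Because PCI DSS applies to any subject that handles a PAN, the most common practical question for an online (Card Not Present) service is how to keep full card numbers out of logs, receipts and support tools. The example below is added here and is not part of the presentation: it validates a candidate PAN with the Luhn check digit, masks it the way PCI DSS permits for display (at most the first six and last four digits visible), and redacts PANs found in a constructed log line. The log line, the function names and the 13-19 digit search pattern are the example's own assumptions.

```python
"""Added example (not from the slides): Luhn validation, PCI DSS-style
masking and log redaction of primary account numbers (PANs)."""
import re

def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to show."""
    if len(pan) < 13:
        raise ValueError("too short to be a PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# PANs are 13 to 19 digits; anything shorter or longer is left untouched.
_PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")

def redact_log_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run; other numbers (order ids,
    timestamps, amounts) are left as they are."""
    def _repl(match: re.Match) -> str:
        digits = match.group(0)
        return mask_pan(digits) if luhn_valid(digits) else digits
    return _PAN_CANDIDATE.sub(_repl, line)

if __name__ == "__main__":
    # constructed sample line using the well-known Visa test number
    sample = "2012-03-30T10:15:02 order=1234 pan=4111111111111111 amount=19.90"
    print(redact_log_line(sample))
```

Redacting at the point where the line is written is the cheap option; a service that never needs the PAN after authorization should instead store the acquirer's token and drop the PAN entirely, which also shrinks the PCI DSS scope.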
8

At the moment, the major focus is on eGovernment for the adoption of "Electronic ID", although the use of soft identities for access and identification through the Internet is rising (e.g. INPS).

Current situation:
- presence in some countries of strategic guidelines to define standards and regulations of trusted digital identities for both public and private sectors
- presence of operational projects in some small countries, started as government initiatives but open to private services too (e.g. Estonia, Portugal)
- presence at European level of strategic guidelines where digital identity is a driver (e.g. Europe 2020 and the European Digital Agenda)
- presence at European level of regulatory initiatives on eSignature and eAuthentication

References:
- National Strategy for Trusted Identities in Cyberspace (USA)
- National Identity Security Strategy (AU)
- Digital Identity Management, OECD Report
9

Considering the current risk scenario and the fragmented approach of international institutions, Member States could adopt a short-term programme to guarantee the security and interoperability of Digital Identity.

(Table columns in the original: Identity providers | eCommerce | eGovernment | Description; the per-column marks are not preserved in this transcript.)

- Involvement policy for Identity Service Providers: Identity Service Providers must be involved in a working group together with the public institutions delivering online services, in order to regulate Digital Identity topics.
- Functioning and control regulations: it is strongly suggested that, at national level, a series of regulations be defined to manage Digital Identities. Moreover, control mechanisms should be defined in order to guarantee minimum operational parameters such as 24h access to the Digital Identity, minimum levels of security, ...
- Possibility of Digital Identity federation in international and commercial environments: the Identity Service Provider should give the possibility to federate the system at both national and international level. That means a starting architecture that allows trust and federation mechanisms with other platforms.
- Awareness of commercial providers on minimum security levels to protect personal data and to manage Digital Identity: it is necessary to make commercial providers aware that they must guarantee secure services and data protection to end users. For that reason a national information campaign should be targeted to them.
10

Some initiatives could be taken in order to improve the framework for Digital Identities.

Proposals for the EU:
- Define an EU common framework, standards and regulation on Digital Identity (soft and strong), mutually recognized in all Member States
- Define also a set of minimal security requirements that Identity Service Providers must comply with
- Create public awareness of the importance of securing Digital Identity, in order to mitigate threats and vulnerabilities