Creating a false identity is both easy and legal. But businesses are remarkably trusting when presented with ‘identifying’ documentation, despite the growth in identity fraud and intellectual property theft.
This blind faith must end now, and identity management must become a lot more sophisticated, Tony Collings, director of Electronic Commerce Associates and lead security advisor to the UK’s identity card programme, warned the Enterprise Security 2006 conference.
“If your organisation possesses information that is of any value, somebody will try to steal it,” said Collings. “And what’s more, they may be insiders – people placed within your company by organised criminals or by commercial competitors.”
This puts grave importance upon the process of checking potential employees’ backgrounds before they are appointed. And although new regulations require businesses to be security conscious, especially those who trade in the US, this process is often performed poorly by human resources departments.
“In order to meet their operational targets and get staff in quickly, human resources departments will fudge the security checks,” said Collings. “If they are working with the government, they will be ‘economic with the actualité’ on security clearances, or the clearance will be out of date.”
This lackadaisical approach is not helped by the outdated process which government organisations use to assure an individual’s identity. Birth certificates and driving licences are bureaucratic documents not designed to prove that the holder’s identity is true and valid, but that is how they are often used.
Although businesses frequently treat them as ‘gospel’, these documents are unreliable sources of identity assurance, said Collings. As much as 40% of the information held on the DVLA (Driver and Vehicle Licensing Agency) database is inaccurate, as individuals often fail to update old information. A birth certificate is as easy to forge as such a forgery is hard to spot.
Once a government department accepts unproven information as fact, that false assumption is replicated across many other departments – and by businesses. ‘Breeder documents’, as Collings describes them, can be simply exploited to establish a false identity.
Tony Collings is senior director of Electronic Commerce Associates, a consultancy firm specialising in resilience and security. He has many years’ experience in building, designing and operating secure data and control centres, and his current focus is on the ramifications of identity management. He is the lead security advisor to the Home Office on ID management.
For instance, if an individual were to forge a birth certificate and register a non-existent individual for council tax, the council would be most unlikely to refuse the money. Using the council tax information, that individual could then apply for a TV licence, a gas bill and a telephone line, each of which would provide that individual with a document ‘proving’ the identity of a wholly imaginary individual.
At the moment, none of this is illegal. It only becomes a crime when an individual uses a false identity for financial gain.
So businesses must abandon their faith in identity assurance processes that were established in a more trusting, if not a more honest, time, and get to grips with the fundamentals of identity management, Collings counselled.
This is no simple task. Technologies which confirm that an individual with an assured identity is who they say they are, such as biometrics, are abundant. But establishing that assured identity in the first place is a matter for well-trained people and security conscious processes.
“Taking the long route of physically investigating each candidate can be done,” said Collings. “But it is very time consuming and very expensive and often doesn’t lead you to the information you need.”
So what should businesses do to assure their employees’ or contractors’ identities? Collings makes one firm recommendation: make sure that someone is present at all stages of the interview process who can confirm that the person with the appropriate credentials who turns up at the first interview is the same person who attends later interviews and who eventually turns up for work.
Sending different people at different stages of the interview process is a simple but highly effective con, and one that is widely used in driving tests, said Collings.
Businesses can use system-generated ‘biographical footprint checks’ to get some insight into prospective employees’ backgrounds. Many of the companies that provide this service, though, began life as credit rating agencies, so the information they possess has a particular slant.
“The information from system-generated background checks relates to their ability to pay their bills,” he said. This, like having a utility bill, is not the same as an assurance of identity. So, as with all identity checks, ‘biographical footprint checks’ must be taken in context and used intelligently.
“Short of DNA testing, there is always going to be a risk involved in identity management, as there is always going to be identity fraud,” said Collings. It is up to businesses to understand the dangers to which they are exposed, how much identity assurance they require to contain that risk, and how to establish that assurance.
“The foolproof identity management scheme does not exist,” he added. “The only things that do exist are practical, pragmatic processes aligned with technology that deliver business benefits.”