A new way to authenticate your identity?

"They're looking for accurate matches, but not exact matches, and that gray area is where fraudsters seek to perpetrate their crime," said Terrence DeFranco, chief of Edentify Inc. Edentify makes software that scans credit applications for signs of fraud.

To perform that check, Edentify examines information harvested by data brokers, companies like ChoicePoint Inc. or Reed Elsevier PLC's LexisNexis, which both had breaches that led to the current scrutiny.

Consequently, DeFranco has lobbied Congress to make sure Social Security numbers could still be sold for fraud-prevention services like his.

Since ChoicePoint discovered that it let identity thieves posing as legitimate customers get information on 145,000 Americans, the company has stopped printing Social Security numbers on background reports.

But James Lee, ChoicePoint's director of marketing, argues that preventing data brokers from harvesting Social Security numbers would be ill advised. The accuracy of background checks and other reports would suffer, he said, because the numbers remain the best way to differentiate people with similar names and to examine people's financial histories.

"You have to be very careful of the law of unintended consequences," he said.

What this all points out, many people in the information business argue, is the need for a new identifier.

One solution could be a "federated identity" system that relies on the mathematical principles of cryptography to ensure information can be transferred only among pre-arranged parties.

For several years, technologists with the Liberty Alliance, an industry consortium, have been developing a way for people to log in to one network and be automatically authenticated at another.

The idea is to avoid sharing a single password among multiple parties with which you transact business — the model followed when your bank and insurance carrier both ask for your Social Security number. Instead, one site sends another an encrypted numeric token that represents the user's identity — but only for that single Web session or transaction. The token is useless to anyone else or at another time.

The alliance's braintrust is now exploring ways its system can be applied more broadly in online systems where most identity thefts happen.

"We're not going to go from what we're standing in now to nirvana in a single step," said George Goodman, an Intel Corp. research executive who heads the alliance's management board. "But federated identity management is a step in the right direction. It puts a greater level of security and protection in place that currently exists."

MORE FROM SECURITY

Security Section Front

Internet activists push for greater democracy EU assembly adopts Internet, phone user rights 'Mr. Right' grifts widow's $50K in Web scam U.K. cops arrest people ‘just for the DNA’ Virus attacks ‘jail broken’ iPhones China attacks ‘biased’ U.S. cyber-spying report Chinese military Web site target of cyberattacks FBI: Hackers targeting law and PR firms House pushes ban on peer-to-peer software Facebook hit by ‘Control Your Info’ intruder Security Section Front   Add Security headlines to your news reader: