Topic

Identity theft

About: Identity theft is a research topic. Over the lifetime, 2284 publications have been published within this topic receiving 31700 citations.


Papers
Book Chapter
27 Aug 2014
TL;DR: Many privacy enhancing technologies (PETs) have been available for some time, but are not effective enough to prevent re-identification and identity theft.
Abstract: Being on the Internet implies constantly sharing information, personal or not. Nowadays, preserving privacy is not an easy feat: technology is growing too fast, leaving legislation far behind and the level of security awareness is insufficient. Websites and Internet services are collecting personal data with or without the knowledge or consent of users. Not only does new technology readily provide an abundance of methods for organizations to gather and store information, people are also willingly sharing data with increasing frequency, exposing their intimate lives on social media websites. Online data brokers, search engines, data aggregators, geolocation services and many other actors on the web are monetizing our online presence for their own various purposes. Similarly, current technologies including digital devices such as smartphones, tablets, cloud computing/SaaS, big data, BYOD are posing serious problems for individuals and businesses alike. Data loss is now a common event and the consequences are exceedingly damaging. Although there are means at our disposal to limit or at least acknowledge how and what we’re sharing, most do not avail themselves of these tools and so the current situation remains unacceptable. Many privacy enhancing technologies (PETs) have been available for some time, but are not effective enough to prevent re-identification and identity theft.

3 citations

Journal Article
TL;DR: Enterprise systems have witnessed breaches and malicious intrusions into network systems, which has raised the standard for security compliance by system engineers as they struggle to protect network vulnerabilities and meet regulatory compliance.
Abstract: INTRODUCTION
Enhancement in information access has necessitated new challenges to users for the fortification of susceptible data and systems resources against an emergent number of security risks and theft-related issues. Enterprise systems have witnessed breaches and malicious intrusions into network systems. This has raised the standard for security compliance by system engineers as they struggle to protect network vulnerabilities and meet regulatory compliance. With the rising number of data security breaches and the increasing sophistication of cybercrime, protecting access to organization critical data and systems becomes a major necessity. System gurus comprehend the potential threats posed to their networks and are devising means to cope with those threats and implement sustainable solutions. As businesses strive for transparency, interoperability and mobility, respective corporate networks become susceptible to threats from a third party whose security apparatus is not subject to audits and control mechanism by the system (Altman, 2006). Systems employees are given administrative privileges to enable such individuals to perform their administrative duties. Such rights could be compromised by disgruntled employees, contractors, vendors, or temporary workers, thereby allowing critical security services to be inoperable. Several enterprise systems use Internet filtering tools such as intrusion detection software and firewalls to protect valuable data on their systems, but additional security measures are needed to safeguard the loss of intellectual properties and other valuable data on a system. Most of these companies do not have enforcement apparatus to enforce compliance or to report on suspicious activities (Resencrance, 2004). Phishers are constantly circumventing the two-multi factor authentication scheme by implementing man-in-the-middle attacks.
Due to this loophole in the enterprise policy security infrastructure, corrective measures to detect and prevent threats from malware, hackers, malicious users, become paramount. According to Andress (2006), the Federal Trade Commission (FTC) reported that identity theft affected nearly 90 million Americans and cost approximately $173 billion in 2005. Also, Skoudis (2005) found evidence that worldwide identity theft and related crimes could cost businesses about $532 billion in losses by the end of 2010. Since most end-users and various enterprise clients perform a fraction of their business transactions at their respective local offices, the need for a reliable and secured authentication mechanism cannot be overstated. End-users, who engage extensively on electronic services, complain that passwords have become difficult to remember (Andress, 2006). Most of the systems require password changes every 90 days and this makes it cumbersome to remember which password was used within a given period. Logon functionalities of user name and password algorithm have been used to grant authentication and authorization into enterprise systems network resources. Although authentication provides system administrators with valuable information about who is accessing the application, users get frustrated remembering user name and logon IDs. Since passwords can be compromised, the urgency for a stronger authentication process becomes paramount. Solutions to these problems could include the fortification of the Enterprise Network Security platform and the addition of more security layers for a stronger multifactor authentication process. A strong authentication process should include, but not be limited to, a device or information that the user possesses. These could include a hardware token or a barometric characteristic or some information or code that the user knows. An example would be a Personal Identification Number (PIN). Other examples might include smart cards or badges.
REVIEW OF THE LITERATURE
Ofir (2005), Lu, Liu, Yu, and Yao (2005), Ryker and Bhutta (2005), Opara (2004), Pescatore, Nicolett, and Orans (2004), and Krim (2003) among others have noted that in the past few years, systems security administrators have seen a decline in recreational hacking, and an increase in commercial hacking. …

3 citations

Journal Article
TL;DR: In this paper, Rubin et al. pointed out that the issue of whether an Internet Service Provider should be vicariously liable for defamatory comments posted in online discussion areas over which they assert virtually no control was not addressed.
Abstract: =669023.
154 992 F. Supp. 44 (D.C. Cir. 1998).
155 Id. at 52-53; see also Communications Decency Act of 1996, 47 U.S.C. § 230(c)(2)(B) (2000).
156 See Blumenthal, 992 F. Supp. at 51.
157 RESTATEMENT (SECOND) OF TORTS § 580B (1965).
158 See Blumenthal, 992 F. Supp. at 51 (“If it were writing on a clean slate, this Court would agree with plaintiffs.”).
2007] PROPERTY RULES, LIABILITY RULES, AND IMMUNITY 37
Internet Service Provider’s general activity, including the provision of the online bulletin board, is beneficial to society – like the provision of water in Rickards. The principle reflected in Rickards suggests that Internet Service Providers should not be vicariously liable for defamatory comments posted in online discussion areas over which they assert virtually no control.159 But this is different from the Blumenthal case, where the Internet Service Provider did control the content. To reconcile Blumenthal with Rickards, we would have to change the facts of Rickards so that the defendant (the building lessee) actually stuffed the sink himself. And if the defendant had stuffed the sink in Rickards, he would clearly be liable for the damage done to the second-floor tenant. The CDA was a reaction to the failure of at least one court to draw the distinction just drawn between appropriate and inappropriate cases for vicarious liability.160 The statute itself was an overreaction that has led to a far broader immunity shield than would be implied by common law tort doctrine. The last real-world problem to consider is liability for theft of information. The issues here are in some instances academic since cases of information theft do not always lead immediately to a substantial and quantifiable harm to the victim.161 If someone steals your medical records, what is the harm to you?
Obviously, if someone steals your “medical identity” and uses it to obtain fraudulent prescriptions, there is a potential harm: you might be required to pay for the prescriptions, or the identity thief’s conduct might prevent you from obtaining your medicine. But if someone takes your information and never reveals it to anyone, have you suffered a harm? Given the imprecise and inchoate nature of the injury to victims, firms that hold information electronically may take inadequate steps to prevent its theft.162 After all, if the information is stolen, it may take some time for the victim to realize the nature or existence of a resulting harm.
159 This principle was initially followed in Cubby, Inc. v. CompuServe, Inc., 776 F. Supp. 135, 140 (S.D.N.Y. 1991). For a more recent case consistent with the principle but decided on the basis of the CDA, see Carafano v. Metrosplash.com, Inc., 339 F.3d 1119, 1125 (9th Cir. 2003).
160 The failure to draw this distinction occurred in Stratton Oakmont, Inc. v. Prodigy Servs. Co., 23 Media L. Rep. 1794, 1797 (N.Y. Sup. Ct. 1995), available at 1995 WL 323710. The House Conference Report on the CDA stated that one of the “specific purposes” of Section 230 was “to overrule Stratton-Oakmont v. Prodigy.” H.R. REP. NO. 104-458, at 194 (1996) (Conf. Rep.), as reprinted in 1996 U.S.C.C.A.N. 124, 208; see also Jay M. Zitter, Annotation, Liability of Internet Service Provider for Internet or E-Mail Defamation, 84 A.L.R.5th 169, 178 (2000) (describing Section 230 of the CDA as “a specific response to Stratton-Oakmont”).
161 See generally Thomas M. Lenard & Paul H. Rubin, Much Ado About Notification, REGULATION, Spring 2006, at 44 (assessing the costs of identity theft).
162 As Bruce Kobayashi suggests, firms that store information are likely to have inadequate incentives to identify hackers. See supra note 147. In addition to this problem, if the harm to victims is difficult to predict and unlikely to appear for years, firms may choose to ignore the risk of liability for data security breaches.
38 BOSTON UNIVERSITY LAW REVIEW [Vol. 87:1
Despite the imprecise and inchoate nature of the injury, tort law should be sufficient to regulate the incentives of data holders.163 Cases of information theft would appear to be ideal for class actions. They involve small losses spread across large numbers of victims. There is nothing to prevent courts from estimating the potential losses to victims and forcing the negligent data holder to set up a fund to compensate those losses.164 Where the information holder has been negligent, the penalty generated by class action litigants should be large enough to deter future negligence. Moreover, this is theoretically superior on deterrence grounds to a scheme involving statutory penalties, because the damage judgments awarded in class actions will have a closer fit to the actual harm suffered by victims than would statutorily set penalties. Another approach, potentially superior to class actions seeking compensatory damages, would be restitution-based claims against corporations that failed to protect personal information. If, for example, a corporation profits by permitting the personal information of customers to be stolen,165 plaintiffs should be able to bring a claim for disgorgement of the corporation’s gains from the theft. In addition, if the corporation’s conduct can be characterized as intentional, a punitive award should be added to the restitution-based judgment. Specifically, the punitive award should be a multiple of the disgorgement remedy, with the multiple set in order to offset the prospect that the defendant might have escaped liability because of the low probability of detection.166
163 An alternative to tort law is to permit the reputation market to pressure firms to protect personal data. In order for the reputation market to work, data breaches would have to be disclosed in a way that signaled the importance of the breach. See Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. (forthcoming Mar. 2007) (manuscript at 34-36), available at http://ssrn.com/abstract=908709.
164 Obviously, the courts must be vigilant against fraud. Losses should be estimated by competent analysts and supported by credible evidence. The widespread fraud observed recently in the silicosis litigation should not be permitted to occur in this area. On the silicosis fraud, see Wade Goodwyn, Silicosis Ruling Could Revamp Legal Landscape, NPR, Mar. 6, 2006, http://www.npr.org/templates/story/story.php?storyId=5244935.
165 Suppose, for example, a retailer encourages customers to apply for gift cards, and an identity thief applies for several thousand dollars worth of gift cards using stolen financial information. The identity thief then spends the gift cards quickly. If the store’s security system is so weak that these events occur frequently, a plaintiff’s lawyer could take the frequency of occurrence as evidence that the retailer either recklessly or intentionally permitted identity theft to occur. For a journalistic account of various identity theft scams and recent case law, see generally Jason Krause, Stolen Lives, A.B.A. J., Mar. 2006, at 36.
166 Hylton, supra note 102, at 439-44 (setting out an algorithm for punitive awards).

3 citations

Proceedings Article
Zhijie Wang, Dijiang Huang, Huijun Wu, Bing Li, Yuli Deng
09 Feb 2014
TL;DR: A novel Distributed Privacy-preserving Mobile Access Control (DP-MAC) framework that leverages a dual-root trust model to prevent identity theft in case of mobile device loss and can be implemented in the Cloud Computing platform and android smartphones based on jPBC in real-world settings.
Abstract: The mobile marketing is growing exponentially worldwide due to the emerging high speed wireless Internet and the proliferation of smartphones with powerful processors. Consequently, the management of the massive volume of mobile identities has sparked a lot of interest in both industry and academia, as they turn out to be a heavy burden for many mobile application startups. The conventional federated identity management technologies have been developed to delegate the users' identity tasks across different security domains to reduce the burden over the identity service consumers (i.e., Relying Party). However, they also raise serious security and privacy issues, such as the vulnerability to Single Point of Failure (SPOF) and the privacy leakage with respect to users' historical access information. To address these issues, we architect a novel Distributed Privacy-preserving Mobile Access Control (DP-MAC) framework. This framework also leverages a dual-root trust model to prevent identity theft in case of mobile device loss. In the end, we give performance evaluation and prove its applicability by implementing our system in the Cloud Computing platform and Android smartphones based on jPBC in real-world settings.

3 citations


Network Information
Related Topics (5)
The Internet: 213.2K papers, 3.8M citations, 76% related
Social network: 42.9K papers, 1.5M citations, 74% related
Service provider: 55.1K papers, 894.3K citations, 74% related
Authentication: 74.7K papers, 867.1K citations, 73% related
Information technology: 53.9K papers, 894.1K citations, 73% related
Performance
Metrics
No. of papers in the topic in previous years
Year  Papers
2023  84
2022  165
2021  78
2020  107
2019  108
2018  112