If Your Retailer Doesn't Get To See Your Data, Does It Stop Phishing?
from the we-shall-see dept
Phishing, obviously, has become a big problem online. While plenty of people have worked on temporary solutions, it seems like people are finally looking seriously at a more comprehensive way of fighting these types of scams. For a while, some folks have talked about identity management offerings, and one of the best explanations of the concept is the Identity 2.0 presentation done by Sxip CEO Dick Hardt. Beyond just being entertaining, the presentation really lays out the concept of separating your identity from the silo or walled garden of the site you're dealing with. While there are rumors (apparently denied) that Sxip is in trouble, aspects of that Identity 2.0 idea appear to be spreading. The Globe and Mail newspaper has an article about Ontario's privacy commissioner pushing for just such a system, one that separates your confidential data from any particular site and simply gives the site an approval. So, for example, instead of giving your credit card info to a retailer, you would have some method of confirming that you are you, and then your bank would verify that you're legit and that the payment will be good. That way, the retailer never actually has your credit card info, but knows that it will get your money. Of course, to some extent this could just open up a different area to attack, since it skips over the bit where you prove you're you. The article discusses Microsoft Vista "Infocards" as a way to do this, but doesn't make it clear how those infocards will actually prove you're you, or resist any kind of forgery. Also, it relies on people trusting Microsoft, which is a big if -- especially given the company's past failures in this area (anyone remember Passport?). It does seem like a step forward, but it is hardly the complete solution to spam or even phishing that the Globe and Mail article suggests.
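The approval flow described above, as an added example that is not from the original post, the Globe and Mail article, or Infocards: the customer authenticates to the bank, the bank issues an approval bound to one merchant and one amount, and the retailer asks the bank to confirm it without ever seeing the card number. The `Bank` class, its method names and the HMAC token format are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

class Bank:
    """Hypothetical issuer: keeps the card data, vouches for single payments."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key, never leaves the bank
        self._accounts = {}                   # customer -> (card, salt, credential hash)
        self._spent = set()                   # nonces already redeemed

    @staticmethod
    def _kdf(credential, salt):
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000)

    def _mac(self, body):
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def enroll(self, customer, card_number, credential):
        salt = secrets.token_bytes(16)
        self._accounts[customer] = (card_number, salt, self._kdf(credential, salt))

    def approve(self, customer, credential, merchant, cents, ttl=300):
        """Customer-to-bank step: authenticate, then issue a one-sale approval."""
        account = self._accounts.get(customer)
        if account is None:
            return None
        if not hmac.compare_digest(account[2], self._kdf(credential, account[1])):
            return None                       # the "prove you're you" step failed
        claims = {"merchant": merchant, "cents": cents,
                  "nonce": secrets.token_hex(8), "exp": int(time.time()) + ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims).encode())
        return body.decode() + "." + self._mac(body).decode()

    def redeem(self, token, merchant, cents):
        """Retailer-to-bank step: is this approval good for this exact sale?"""
        body, _, tag = token.partition(".")
        if not hmac.compare_digest(self._mac(body.encode()), tag.encode()):
            return False                      # forged or altered
        claims = json.loads(base64.urlsafe_b64decode(body))
        if (claims["merchant"], claims["cents"]) != (merchant, cents):
            return False                      # issued for a different sale
        if claims["exp"] < time.time() or claims["nonce"] in self._spent:
            return False                      # expired or replayed
        self._spent.add(claims["nonce"])
        return True
```

Every check in `redeem()` protects the retailer, but all of it rests on the credential test in `approve()`: whoever can pass that step gets a valid approval, which is the attack surface the post says the scheme shifts to rather than removes.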