Identity proofing, what is it? Simply put, it is the process of verifying that a person is who they say they are. At a retail location this may be done by asking for your photo ID when you use your credit card. Most legacy utilities and businesses use your Social Security number, or the last 4 digits of it, to verify you. In the old world that was the best way to link a person to a defined identity, which was your SSN and, in theory, your tax profile with the U.S. government. The Internet has made that process antiquated, broken and vulnerable, and it is being exposed and used to defraud people daily.
As the world shifts to a global communication hub, a dangerous trend is picking up speed, and I see that there isn’t a proper security framework underneath to protect people. I am referring to companies having more and more applications that allow users to authenticate with their social network accounts. Facebook is the primary source of this, but there is a huge gap in the practice: even seemingly benign mobile applications that link up to your Facebook account are dangerous. There is no identity proofing in place and no service easily accessible to the regular customer to prove that the accounts you use belong to you. Neither the apps nor you can truly guarantee that an account is what it says it is.
Anyone can go to Facebook today and create an account under any name they choose, including yours. In a recent scam, scammers set up fake accounts that look like one of your friends and then send you a friend request. The victim assumes it’s the person they know and accepts it; then the scammer chats with the victim and eventually begins asking for help and money, which people do send. All along it’s some scammer who just ripped you off. Why? Because there is no way to tell Facebook, or be verified by them, that you are exactly who you say you are, so that others interacting with you can be assured you are legit.
Facebook, being the largest social website, has a great and profitable opportunity to step up and provide a service to verify Facebook profiles. I would pay for it to get that coveted badge of verification. Here’s how they could do it. First, Facebook already has tons of information about the user’s profile: timelines, photos, tags, history, status updates, etc. For the verification to be successful and as accurate as it could be, it must not be online only but must include physical contact with the person.
Here’s how it could work:
- You would complete an online form with phone numbers and addresses and, using your existing profile activity, begin to prove your ownership.
- To confirm a Facebook profile’s legitimacy, it must be at least 1 year old and have X number of posts, to avoid bots and quick scammers.
- An out-of-the-box validation: photo/tag identification would be sent to your friends, and they would have to confirm it.
- Facebook would mail confirmation codes to your home address and to a secondary address, and you would use them to finalize the validation.
- There would be regular and random re-validations to maintain your confirmed status.
- After validation, to protect the validated profile, users would be required to use multi-factor authentication and maximum security features.
With that in place, when John Smith authenticates into your application, both the business and the user can be far more secure and confident that the person behind the keyboard is in fact John Smith. With the movement toward social authentication, the industry, led by the leaders in the space, needs to begin to support this with improvements to overall security. There’s a huge push of social network validation to most web sites now, but not one of them is even talking about this for their users.
End of line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming and system administration to senior management and enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.