IBM Software Aims to Prevent Online Identity Theft

Researchers at IBM have created a new shield for personal information in an effort to prevent identity theft online.

Code named Identity Mixer, or Idemix for short, the software was crafted by IBM researchers at the company's laboratory in Zurich, Switzerland, and will let customers purchase goods and services online without revealing their personal information.

To Jan Camenisch, the lead researcher on the project, it all makes perfect sense: minimize the number of parties with personal information, and the threat of the data being compromised diminishes.

"I think that's the first step in safeguarding your data," he said. "If they have it encrypted, they can't lose it."

Idemix works by allowing the consumer using the software to get an anonymous digital credential, or voucher, from a trusted third party, such as a bank. Government agencies can also serve as third parties, Camenisch said.

To read more about online identity theft, click here.

The bank would provide a credential containing a credit card number and expiration date that would be digitally sealed by the Idemix software when an online purchase is made. As a result, the real credit card numbers are never revealed to the merchant. A new encrypted credential would be used every time a new purchase is made.

"When people don't have to disclose their personal information on the Web, the risk of identity theft is dramatically reduced," said John Clippinger, senior fellow at the Berkman Center for Internet and Society at Harvard Law School, in a prepared statement. "The ability to anonymize transactions using Idemix has the potential to bolster consumer confidence, opening digital floodgates to new forms of Internet commerce."

IBM will contribute its Idemix software to the Higgins project, an open-source effort led by the Eclipse Foundation aimed at developing user-centric software to manage and protect user identities.

A user-centric approach means individuals can actively and securely control who has access to their online personal information, such as bank accounts, credit card numbers and medical records rather than having institutions manage the information, IBM officials said.

Currently, the software's code is going through the Eclipse Foundation's IP review process, IBM officials said. Once that's completed, the code will be available on Eclipse through the Higgins Project.

The Idemix software will provide the required added layer of privacy to the Project Higgins framework for true user centric identity management, IBM officials said. IBM plans to incorporate the Idemix technology into its Tivoli software portfolio of federated identity management software, Camenisch said, adding that he thinks the software offers more protection than Microsoft's Cardspace.

Information security analyst Jon Oltsik said he is optimistic that the fact the software is open source would have a positive impact on the speed of its widespread adoption.

"In the identity space, we've seen a lot of progress with open standards for federated identity," said Oltsik, of Enterprise Strategy Group, headquartered in Milford, Mass. "There is no reason why open source wouldn't follow suit. Also, this is being managed by the Eclipse Foundation, which is getting a lot of enterprise and industry attention."

He added that the software has the potential to be effective in reducing the risk of personal data being compromised by businesses.

"Idemix lets a user control who has access to what data," Oltsik said. "In addition, it can work as a trusted response. Rather than asking my bank for an exact bank balance, a mortgage company could ask a yes-no question, like, 'Does this person have a balance in excess of $25,' and get a trusted yes-no response. In this way, we can pass the information necessary for transactions while protecting other private data."

Ron O'Brien, a senior security analyst with Sophos, said many people have become cautious online and are skeptical of e-commerce because of security concerns. This software, he said, can go a long way in giving online shoppers peace of mind.

"I think this is a huge first step in terms of keeping people using the Internet as it was intended," he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.