Pretexting and social engineering

Great summary from Kim Cameron of the NPR show on pretexting and the privacy issues brought forth by the HP spying scandal (originally from Craig Burton)… Pretexting is a problem that will be there as long as there is profit to be made by pretending to be somebody else. In real-world communities, short of DNA profiling or a chip planted into each human being, there is not much that can be done to eliminate it. And even then, enterprising social engineers/pretexters will find a way to pretend to be somebody else.

As with all new technologies that facilitate communication, there is a price to be paid in terms of an increase in pretexting. The advent of phones brought in a wave of new pretexting scams (Kevin Mitnick does a good job of documenting them in “The Art of Deception”) and the same is now true of the Internet. So what is the solution? How do on-line communities handle rampant pretexting?

I do not believe there are any silver bullets to deal with this issue. Technologies like info-cards help in providing ease of use for managing identities (it's a big problem) along with some good encryption mechanisms to make it harder for pretexters to steal identities. But anytime there is a fixed set of credentials (like name, SSN, credit card etc.) that is used to establish identity, pretexters will be able to deploy clever techniques (albeit with a bit more difficulty) to collect these credentials. Another approach is to rely on a more decentralized identity mechanism shared in a tight-knit community. Establishing identity in such communities will not only require a user to have the right credentials but also to have an understanding of all the old interactions, including the shared context with the community members. This will not stop pretexters but will make their job a whole lot harder.

Mystery of online community

John C. Dvorak, the often controversial and flamboyant columnist at PC Magazine, had an interesting post on the problems with virtual on-line communities.

The problem with on-line communities has been the lack of an identity infrastructure and of the other word-of-mouth mechanisms typically available in real-world communities. In real-world communities like a church group or a professional group, word-of-mouth mechanisms provide a strong incentive to all participants to contribute positively to the shared interest of the group. In virtual communities, where no physical presence is required and there are no costs of joining new communities, none of these identity or word-of-mouth mechanisms that provide incentives for positive participation exist. As a result, most web conversations degenerate into a series of venting or spamming entries. So is it impossible to have a workable virtual community?

One of the communities John looked at in the article is Slashdot. Slashdot is a very successful community (over 100K members) that a number of my techie friends swear by. Slashdot replaces the real-world word-of-mouth mechanisms with its Karma/reputation scores in order to give all members an incentive to contribute positively to the community. A lot of what Slashdot does is manual, member-driven management of the moderation and meta-moderation system, but the result is a vibrant community that provides a lot of value to its members. The takeaway, then, is that if one can provide the right incentives for positive participation along with a reliable identity mechanism, it is possible to have a vibrant on-line community. Now who is up to that challenge :-).

What is identity?

There are a number of problems with the identity systems available on the Internet:

  • Trying to keep track of all the usernames and passwords of all the different accounts is hard enough, but if you are like my wife, who likes to have a separate password for each of her accounts, the problem is ten times more vexing.
  • Trying to ascertain that you are indeed on the web page you think you are on is not easy for technically unsophisticated users. This leads to a number of phishing incidents.
  • Trying to ascertain who you are dealing with is hard on the Internet. This leads to a number of baiting scams.
  • Identity theft is a growing menace, with offenders able to easily complete a number of fraudulent transactions with the stolen identity data.
  • Email spam and comment spam on blogs is a growing problem.

Kim Cameron’s laws of identity provide an excellent roadmap for building solutions that can address the identity infrastructure needs. Based on some of the laws, there are a number of solutions in the market waiting to mature and address some of the problems listed above. A few of these solutions/approaches are SXIP identity, OpenID, InfoCard (Microsoft) etc. While these solutions and laws are important in addressing the glaring needs of identity infrastructure, they might not apply to all layers of identity.

Multiple Personas

Every individual has multiple personas. People have a persona as a professional (VP of engineering), a persona as a customer (buying a book from Amazon.com), a persona as a citizen (INS etc.), a persona as a member of social clubs (treasurer of TIE), a persona for friends (you don’t know him like I do!), a persona for parents (I am not intimidated by him as I have seen him in diapers), a persona as a spouse and a parent (remember that time in Hawaii) etc.

Some of these personas, like the customer or citizen personas, require explicit credential-based claim validation, but several others, like treasurer of a social club, are validated by other people based on shared experiences. Remember that famous scene from Ghost, when Oda Mae Brown (Whoopi) allows Sam to take over her body and touch Molly. Molly does not ask Sam for any social security number or password; a touch based on their shared past is all the identification she needs to feel Sam’s presence. These shared experiences are an important form of identification, especially in online social networks. In fact, companies are willing to pay money for some of these personas if they can be unambiguously identified.

What kind of infrastructure is needed to capture such shared experiences? Do all the laws of identity still apply? How does it fit with the first law, user control and consent?


Introducing KarmaWeb

BIO
Jitendra has over 15 years of experience in software technology. He started his career as a software engineer in the EDA industry. In 2000, after his MBA, Jitendra joined Siebel Systems as product manager for the Siebel web platform – the platform used to bring all Siebel applications to the web. When he left Siebel in April 2005, he was managing a team of 4 product managers and 3 product lines. In May 2005 Jitendra joined InQuira as director of product management. At InQuira, he managed the company’s flagship search product. In his role, Jitendra set the course of product development and participated in closing a number of sizable deals.

Jitendra obtained his MBA degree from the University of Chicago in 2000 and his B.Tech degree in EE from IIT Kanpur in 1993. At Chicago, he developed and marketed chibus.com, the on-line edition of the University of Chicago GSB school paper. He won the best PM award in the PM group at Siebel for his efforts on the initiative to make the Siebel architecture more flexible.

Update 5/20/2009: Jitendra started (late 2006) and sold (March 2009) SezWho – an online reputation service for social media participants. In the process Jitendra raised $1.3 M in VC money, built up massive distribution, met a lot of amazing people, did some innovative deals and all in all had a blast…