More laws, collaboration required for online safety

At Authentication and Online Trust Summit, security experts discuss ways businesses, law enforcement, and policy makers must work together to solve cybercrime

Washington state's attorney general is only half joking when he suggests that perhaps sites like Facebook and MySpace should require members to use a credit card to sign up for access as a way to prove their identity.

"We need good age and identity verification technology so that it's much harder for an individual to get online and pretend to be 15 when really it's a 45-year-old man," said Attorney General Rob McKenna at the Authentication and Online Trust Summit in Seattle on Thursday. "There is a way to accomplish this quickly. It's wildly unpopular," he said, before suggesting that social-networking sites require users to have credit cards.

In addition to online identity verification techniques, McKenna and other security experts discussed ways that businesses, law enforcement, and policy makers must work together to solve cybercrime.

"We need to figure out what we can do not just with law enforcement but with each other," said Hemanshu Nigam, chief security officer at Fox Interactive Media and MySpace. "If there are bad guys in MySpace or eBay or Facebook, are they the same people?"

He pointed to MySpace's lawsuit against Scott Richter, a notorious spammer who was also sued by Microsoft, settling with the software giant for $7 million. The industry might have better success shutting down such people if they work together to pursue single actions, he said.

In addition, the entire legitimate online community should be on the same page in terms of strict safety and security policies, said Mozelle Thompson, a former commissioner on the U.S. Federal Trade Commission and currently a consultant. Sites like MySpace and Facebook represent implementations of the best security policies, he said. "There are a lot of sites out there doing nothing," he said. "You're only as good as where the bottom is."

Some of the speakers pushed for new laws that might help companies shut down some cybercrime. MySpace would like to have laws that ensure education for law-enforcement agents, who need training, as well as consumers. States should require schools to teach online safety every year to students, Nigam said.

That kind of education could very easily prevent some of the most common online fraud, he said, including one technique described by Chris Siouris, a cyberinvestigator at the U.S. Postal Inspector. His office pursues schemes where people unwittingly sign up for a job advertised online that they think simply involves receiving items in the mail, repackaging them, and sending them to a new address. However, they usually don't know that the items are purchased with stolen credit cards.

When Siouris and his colleagues discover someone has begun engaging in this type of job, they serve the person with a cease-and-desist letter and require them to sign an agreement not to do such work in the future or they'll be arrested. Rarely if ever has anyone engaged in the activity again, usually because they didn't realize that they were doing anything illegal, he said.

In addition to laws that would ensure education so that people realize that such jobs are illegal, every state should have antispyware laws, said McKenna. He also said that there should be federal data-loss notification requirements and legislation regarding spyware.

Washington state is seen as a leader in the country in its efforts to pursue cybercrime. In 2005, McKenna was instrumental in expanding the state's high-tech unit, which investigates cybercrime. His department now trains other states on how to bring spyware and other online crime cases to court.

Online privacy should also be addressed from a broader perspective, McKenna said. There is far more identity theft in the United States than in Europe or other regions that have stronger privacy protections, such as requirements for opt-in, rather than opt-out, data collection, he said. "I think as a society we need to discuss more fully the affects on our privacy and the impacts on issues like ID theft from the extensive commercialization of private information that we've seen in this country," he said.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Join the discussion
Be the first to comment on this article. Our Commenting Policies