regina@cryptoid.com.br


Content

The purpose of this blog is to present this fantastic and important technology in a simple way, so that people who do not master the technical aspects can also follow the evolution of the adoption of Digital Certification and the universe that revolves around it:

Digital Certificates for Signature and Confidentiality, Attribute Certificates, Time Stamping, Electronic Documents, Electronic Processes, Electronic Invoices (Nota Fiscal Eletrônica), Digital TV, Smart Cards, Tokens, Document Signers, Identity Managers, etc.

This blog publishes news and articles taken from the media, which express the opinions of their respective authors, and articles written by me, which express exclusively my personal opinion, with no ties to any organization.


Monday, June 6, 2011

US plan seeks to allow authentication without passwords

Government created a digital identity strategy.
NSTIC enables secure identification of internet users.

By Altieres Rohr, Special to G1*
Imagine being able to visit the website of a hospital where a relative of yours was recently treated and obtain, without complication and without needing an access password, the medical report produced by the hospital, and that this could even be done securely from your mobile phone. This is a scenario contemplated in the United States' digital identity strategy (NSTIC), a plan that seeks to deploy, within ten years, a set of technologies that should enable the secure identification of internet users.
If you have any questions about information security (antivirus, intrusions, cybercrime, data theft, etc.), go to the end of the article and use the comments section. The column answers questions left by readers every Wednesday.

Official NSTIC website, at the US National Institute of Standards and Technology (Photo: Reproduction)

One of the problems that exist on the internet today is the question of identity. In the current model, every site that needs to identify the user requires a username and password. Yet certain connections, such as sending e-mail and authenticating to banks, among others, still lack stronger security.

To this day, sending e-mail is not always authenticated, meaning someone can send an e-mail that appears to come from you. In online banking, there is the possibility of fraud such as phishing, in which a criminal builds a page similar to the bank's to confuse account holders.

The use of a large number of passwords, in turn, encourages users to choose weak passwords or to reuse the same passwords many times, while also acting as a barrier for new sites. For example, a shopping site first needs to convince the user to create an account before completing the purchase of a product or service.

It is to solve these problems that the “National Strategy for Trusted Identities in Cyberspace” (NSTIC) was created.

The plan, written by the White House, calls for more action from the private sector than from the government. The identity-providing companies (“digital IDs”, so to speak) would be private institutions, such as communication service providers, banks, universities and others. The companies responsible for authorizing other organizations to take part in the “Identity Ecosystem” would also be private.

The government would be responsible for overseeing activities and for being the first to adopt the system in its internal and external operations, creating the incentives needed for the plan's adoption. The specifics of NSTIC are being discussed by NIST, the US standards body, equivalent to ABNT in Brazil.

User obtains an identity from a provider. Companies and individuals can authenticate users without needing a dedicated account (Photo: Reproduction)

How it would work
In the example that opened this column, the identity provider would be the mobile phone carrier. When accessing the hospital's secure environment, the person's identity is verified transparently. When the relative's medical history is requested, the hospital looks up an “attribute provider”, which will confirm your authorization to request that data on your relative's behalf. All of this is done in such a way that neither the attribute provider nor the phone company has details of the transaction, preserving privacy.

The “attribute provider” is able to supply information about an individual without revealing precise data. For example, someone who wants to enter a chat room for teenagers between 13 and 19 will have an attribute provider that guarantees the user meets that criterion, without having to reveal the exact date of birth and without needing all the data available at the identity provider.

Another example given by the US government is someone buying a product at a pharmacy. An identity provider confirms that the user is who they claim to be, while an attribute provider confirms that the user has the prescription to buy the medicine, and all of this happens without the suppliers of that information knowing at which pharmacy the patient bought the medicine.

The goal is to let users use the identities and information already registered in the databases of institutions they know in order to get into new systems, where they do not yet have an account, without having to create a login and password pair specific to that service. In some respects it would be similar to Facebook Connect, the Facebook service that lets other sites authenticate a user through their Facebook login. However, the information would carry a trust rating: information from the bank is more trustworthy than information supplied by the school, for example.

Digital certification
The spread of identity providers will allow a single user to have several of them and, should one suffer a failure that makes it untrustworthy, the others can be used without loss of functionality. This differs from the current digital certificate system, in which a user has only one certificate provider and those providers are so few that, if one fails, it is extremely difficult to remove it from the system without compromising its operation.


Identities based on “providers” could reduce or do away with passwords on the web (Photo: Divulgação)

At the same time, identity providers could supply the user with the equivalent of digital certificates. The plan mentions certifying digital files, smart cards and USB devices that could authenticate transactions and files.

Companies could use the same standardized system to authorize their own employees within their internal network, allowing them to access company services from other locations while also serving as an identity provider to third parties.

Running into reality
NSTIC wants to provide identity services without doing away with anonymity, a right in the United States that does not exist in Brazil (here, anonymity is prohibited). For that reason, joining the system would be voluntary. Users could still use usernames and passwords, with pseudonyms, without their identity being verified in any way.

The plan does not yet define any technology to be used. Nobody knows yet how it would all happen, only what the system's goals are. There are no defined incentives for companies to join the scheme. Even so, the US government wants everything to be developed with the goal of being used “internationally”.

Perhaps that is why the forecast for defining the technologies is ten years; only after that would the spread of the system to the population and internationally be assessed.

Even so, the American strategy, although not entirely innovative, shows that there is great interest in eliminating the current identity problems on the internet in a way somewhat different from what is usually considered, where there are few identity providers and each organization or individual has only one provider rather than several, as the proposal envisions.

Today's Segurança Digital column ends here, but returns on Wednesday. If you have questions, leave them in the comments area. Story suggestions, criticism or praise can also be written. All comments are read. Until next time!

*Altieres Rohr is a computer security specialist and, in this column, will answer questions, explain concepts and give tips and clarifications about antivirus, firewalls, cybercrime, data protection and more. He created and edits Linha Defensiva, a security site and forum that offers a free malware removal service, among other activities. In the “Segurança digital” column, the specialist will also answer questions left by readers in the comments section. Also follow the column's Twitter at http://twitter.com/g1seguranca

Source: G1 - Tecnologia e Games

Friday, June 3, 2011

Internet security becomes a diplomatic priority for the United States

The US State Department's coordinator for cyber issues, Christopher Painter, said the country faces a series of potential threats in cyberspace coming from individual hackers, militants and potential rival countries.

The country's diplomacy and policies are only beginning to catch up with the advance of technology, he said.

It is clear that internet security is now a policy imperative.

Source: Brasil Econômico - 03/06/2011



Friday, May 6, 2011

USA launches strategy to protect consumers online

The White House
Office of the Press Secretary

Administration Releases Strategy to Protect Online Consumers and Support Innovation and Fact Sheet on National Strategy for Trusted Identities in Cyberspace


WASHINGTON, DC – Today, the Obama Administration released the National Strategy for Trusted Identities in Cyberspace (NSTIC), which seeks to better protect consumers from fraud and identity theft, enhance individuals’ privacy, and foster economic growth by enabling industry both to move more services online and to create innovative new services.  The NSTIC aims to make online transactions more trustworthy, thereby giving businesses and consumers more confidence in conducting business online.

“The Internet has transformed how we communicate and do business, opening up markets, and connecting our society as never before.  But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year,” said President Obama.  “By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation.  That’s why this initiative is so important for our economy.”

“We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords,” said Commerce Secretary Gary Locke, speaking at the U.S. Chamber of Commerce.  “Working together, innovators, industry, consumer advocates, and the government can develop standards so that the marketplace can provide more secure online credentials, while protecting privacy, for consumers who want them.”

The goal of NSTIC is to create an “Identity Ecosystem” in which there will be interoperable, secure, and reliable credentials available to consumers who want them.  Consumers who want to participate will be able to obtain a single credential--such as a unique piece of software on a smart phone, a smart card, or a token that generates a one-time digital password.  Instead of having to remember dozens of passwords, the consumer can use their single credential to log into any website, with more security than passwords alone provide.  Since consumers will be able to choose among a diverse market of different providers of credentials, there will be no single, centralized database of information.  Consumers can use their credential to prove their identity when they're carrying out sensitive transactions, like banking, and can stay anonymous when they are not.

Once the Identity Ecosystem is developed, a small business, for example, would be able to avoid the cost of building its own login system and could more easily take its business online.  Consumers would be able to connect with the new business with a credential they already have, thereby avoiding the hassle of creating another username and password while also being more secure.  The small business can take advantage of this interoperability to focus on its product or service instead of on managing users’ accounts.  The small business has also expanded its ability to reach new customers across the nation and around the world.

Separately, there are many services for which consumers must go to a physical store--or sign a sheet of paper and fax it to a business.  In the Identity Ecosystem, consumers would have the option of proving their identity online, which would enable industry and government to both move brick-and-mortar services to the online world and to create innovative new services.

More secure credentials will also help consumers and businesses better protect themselves from identity theft and online fraud, which annually cost our economy billions of dollars and impose a significant cost in time and money to those who fall victim.  In the worst cases, it can take a consumer over 130 hours to recover from having their identity stolen.  According to industry surveys, a consumer will also suffer an average out-of-pocket cost of $631 when their identity is stolen--and millions of consumers suffer this experience each year.

The Identity Ecosystem will provide more security for consumers; it will also provide better privacy protections.  Today, a vast amount of information about consumers is collected as they surf the Internet and conduct transactions.  How organizations handle that information can vary greatly, and more often than not, it is difficult for consumers to understand how their privacy will (or will not) be protected.  The NSTIC seeks to drive the development of privacy-enhancing policies as well as innovative privacy-enhancing technologies to ensure that the ecosystem provides strong privacy protections for consumers.

The NSTIC outlines a private-sector led effort, facilitated by government, to develop the technologies, standards and policies necessary to create the Identity Ecosystem and to enable a self-sustaining market of many different credential providers.  The Identity Ecosystem will be built to provide more security and privacy to consumers, while also spurring economic growth by helping businesses move more services online.

For more details on the National Strategy for Trusted Identities in Cyberspace (NSTIC), click here, or read the full Strategy here.

Fact Sheet: National Strategy for Trusted Identities in Cyberspace

“The internet has transformed how we do business, opening up markets and connecting our economy as never before.  It has revolutionized the ways in which we communicate with one another, whether with a friend down the street or a colleague across the globe.  And as we have seen in recent weeks, it has empowered people all over the world with tools to share information and speak their minds.  In short, the growth of the internet has been one of the greatest forces for innovation and progress in history.”
—President Barack Obama

A PLATFORM FOR SECURITY, PRIVACY AND INNOVATION

The NSTIC’s vision statement is: “Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.”

For our nation to continue to drive economic growth over the Internet, we must provide individuals and organizations the ability and the option to more securely identify each other.  When individuals and organizations have greater trust in online identities, they can offer and use online services for more sophisticated and sensitive transactions than have been available to date. They will also be better protected against online fraud and identity theft.

The Strategy emphasizes choice for individuals, who can:
  • Choose whether or not to participate at all: participation is optional.
  • Choose one or more different identity providers: the Strategy envisions a vibrant marketplace that provides individuals with choices among multiple identity providers—both private and public.
  • Choose between different types of credentials: individuals will be able to choose credentials that meet their needs, including smart cards, cell phones, keychain “fobs,” one-time password generators, and, undoubtedly, secure solutions that have yet to be invented.
  • Choose when to use a credential: if people want to use cyberspace without a credential in ways that don’t require authentication, like browsing or blogging anonymously, they can do so at any time.
  • Choice drives competition and innovation —and will result in a thriving market of diverse solutions to fit different individuals’ needs.
EXAMPLES

Faster Online Errands—Mary is tired of memorizing dozens of password and username combinations to conduct her personal online errands.  She opts instead to get a smart card from her Internet service provider. She inserts the card into her computer and in a matter of seconds, with just clicks of her mouse, she is able to securely move between her online account with her bank, her mortgage company, and her doctor; next she sends an authenticated email to her friend and remotely checks her office calendar on her employer’s intranet.

Age Appropriate Access—Antonio, age 13, visits online chat rooms to talk to other students his age.  His parents give him permission to get an identity credential, stored on a keychain fob, from his school.  The credential verifies his age so that he can visit chat rooms for adolescents, but it does not reveal his birth date, name, or other information.  Nor does it inform the school about his online activities.  Antonio can speak anonymously but with confidence that the other participants are his age.

Smart Phone Transactions—Parvati does most of her online transactions using her smart phone.  She downloads a "digital certificate" from an ID provider that resides as an application on her phone.  Used in conjunction with a single, short PIN or password, the phone's application is used to prove her identity.  She can do all her sensitive transactions, even pay her taxes, through her smart phone whenever and wherever it is convenient for her – and without remembering complex passwords.

Efficient and Secure Business Operations—Juan owns a small business and is setting up a new online storefront.  Without making large investments in information technology, he wants customers to know that his small firm can provide the same safety and privacy for their transactions as sites for larger companies.  He installs standard software and agrees to follow the Identity Ecosystem privacy and security requirements, earning a "trustmark" logo for his Web site.  To reduce his risk of fraud, he needs to know that his customers' credit cards or other payment mechanisms are valid and where to ship his merchandise.

There are a number of different ID providers that can issue credentials that validate this information.  Millions of individuals can now use his Web site without having to share extra personal information or even set up accounts with Juan's company.  This saves his customers time, increases their privacy and confidence, and saves Juan money.

Enhanced Public Safety—Joel is a doctor.  A devastating hurricane occurs close to his home.  Using his interoperable credential located on a USB thumb drive and issued by his employer, he logs in to a Web portal maintained by a federal agency.  The site tells him that his medical specialty is urgently needed at a triage center nearby.
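The attribute-provider flow described in the column's “How it would work” section and in the Antonio chat-room example above, as an added example that is not code from the original page or from NIST/NSTIC: the provider answers one yes/no predicate (age between 13 and 19), signs it, and the relying party verifies it without ever seeing the birth date. The signing key, the school's records, the relying-party names and the fixed date are all constructed, and HMAC stands in for the public-key signature a real provider would use.

```python
"""Minimal-disclosure age assertion from an attribute provider.

Constructed illustration of the NSTIC attribute-provider idea: the
provider evaluates one predicate on its private record and releases
only the signed answer, bound to one relying party and one date.
Keys, records and site names below are constructed for this example.
"""
import hashlib
import hmac
import json
from datetime import date

# Constructed symmetric keys; a real provider would sign with a private
# key and publish the matching public key for relying parties.
ATTRIBUTE_PROVIDER_KEY = b"constructed-attribute-provider-signing-key"
PSEUDONYM_KEY = b"constructed-pairwise-pseudonym-key"

# Constructed records held only by the attribute provider (the school).
ATTRIBUTE_RECORDS = {
    "antonio": {"birth_date": date(1998, 3, 14)},
    "teacher": {"birth_date": date(1980, 1, 1)},
}

# Fixed "today" so the example is deterministic.
TODAY = date(2011, 6, 6)


def age_on(birth: date, today: date) -> int:
    """Whole years between birth and today."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def pairwise_pseudonym(subject: str, relying_party: str) -> str:
    """A different subject identifier per relying party, so two sites
    cannot join their logs on a shared identifier."""
    msg = f"{subject}|{relying_party}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:16]


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(payload: dict) -> str:
    return hmac.new(ATTRIBUTE_PROVIDER_KEY, canonical(payload),
                    hashlib.sha256).hexdigest()


def issue_age_assertion(subject: str, relying_party: str, lo: int, hi: int,
                        today: date = TODAY) -> dict:
    """Attribute provider side: evaluate the predicate on the private record
    and release only the yes/no result; the birth date stays here."""
    age = age_on(ATTRIBUTE_RECORDS[subject]["birth_date"], today)
    payload = {
        "sub": pairwise_pseudonym(subject, relying_party),
        "aud": relying_party,
        "claim": f"age_between:{lo}:{hi}",
        "value": lo <= age <= hi,
        "issued": today.isoformat(),
    }
    return {"payload": payload, "sig": sign(payload)}


def verify_age_assertion(assertion: dict, relying_party: str, lo: int, hi: int,
                         today: date = TODAY) -> bool:
    """Relying party side: accept only an untampered, fresh assertion that
    was issued for this site and answers the predicate it asked for."""
    payload = assertion["payload"]
    if not hmac.compare_digest(sign(payload), assertion["sig"]):
        return False                      # modified in transit
    if payload["aud"] != relying_party:
        return False                      # replayed to another site
    if payload["claim"] != f"age_between:{lo}:{hi}":
        return False                      # answers a different question
    if payload["issued"] != today.isoformat():
        return False                      # stale
    return payload["value"] is True


def assertion_reveals_birth_date(assertion: dict, subject: str) -> bool:
    """True if the exact birth date leaked into what the relying party sees."""
    birth = ATTRIBUTE_RECORDS[subject]["birth_date"]
    return birth.isoformat() in json.dumps(assertion)
```

The audience field that stops replay also means the attribute provider learns which site asked, which is exactly the linkage the strategy's privacy-enhancing technologies aim to remove; that gap is what blinded or anonymous credentials address.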

PRINCIPLES

PRIVACY ENHANCING AND VOLUNTARY
  • Participation in the Identity Ecosystem will be voluntary: there is no requirement that any individual obtain a credential.
  • The envisioned Identity Ecosystem will be grounded in the implementation of the full set of the Fair Information Practice Principles (FIPPs) in order to provide multi-faceted privacy protections.  The privacy rules must address not only the circumstances under which participants in the Identity Ecosystem may share information but also the kinds of information that they may collect and how that information is managed and used.
  • Although individuals will retain the right to exchange their personal information in return for services they value, these protections will provide a default level of privacy and will enable individuals to form consistent expectations about the treatment of their information within the ecosystem.
  • A FIPPs-based approach will also promote the adoption of privacy-enhancing technical standards. As envisioned by NSTIC, such standards will minimize the ability to link credential use among service providers, thereby preventing them from developing a complete picture of an individual’s activities online.
SECURE AND RESILIENT
  • Identity solutions will provide secure and reliable methods of electronic authentication.  Authentication credentials are secure when they are issued based on sound criteria for verifying the identity of individuals and devices; resistant to theft, tampering, counterfeiting, and exploitation; and issued only by providers who fulfill the necessary requirements.
  • Credentials are resilient when they can recover from loss, compromise, theft—and can be effectively revoked or suspended in instances of misuse.  Another contributor to resilience is the existence of a diverse environment of providers and methods of authentication.
INTEROPERABLE
  • Interoperability encourages service providers to accept a variety of credentials and identity media, similar to the way ATMs accept credit and debit cards from different banks.
  • Interoperability also supports identity portability: it enables individuals to use a variety of credentials in asserting their digital identities to service providers.  Finally, the interoperability of identity solutions envisioned in the Strategy will enable individuals to easily switch providers, thus aligning market incentives to meet individuals’ expectations.
COST-EFFECTIVE AND EASY TO USE
  • Individuals, businesses, organizations, and all levels of government will benefit from the reduced cost of online transactions: fewer redundant account procedures, a reduction in fraud, decreased help-desk costs, and a transition away from expensive paper-based processes.
BENEFITS
INDIVIDUALS
  • Convenience. Individuals will be able to conduct their personal business online with less time and effort.
  • Privacy. Individuals’ privacy will be enhanced.
  • Security. Individuals can work and play online with fewer concerns about identity theft.
PRIVATE SECTOR
  • Innovation. The Identity Ecosystem will provide a platform on which new and more efficient business models will be developed—just as the Internet itself has been a platform for innovation.  It will also enable organizations to put new services online, especially for sectors such as healthcare and banking. 
  • Efficiency. Online transactions will be practical in more situations.  The private sector will have lower barriers to customer enrollment, increased productivity, and decreased costs.  Cross-organizational trust will provide businesses with exposure to a large population of potential customers they might not otherwise reach.  Not only is there potential access to new customers, the traditional barriers associated with customer enrollment can be eliminated, reducing a friction that prevents potential customers from using a service.
  • Trust. Trusted digital identities will allow organizations to better display and protect their brands online.  Participants in the Identity Ecosystem will also be more trusted, because they will have agreed to the Identity Ecosystem’s minimum standards for privacy and security.
GOVERNMENT
  • Constituent Satisfaction. The Identity Ecosystem will enable government to expand its online services in order to serve its constituents more efficiently and transparently.
  • Economic Growth. Government support of the Identity Ecosystem will generate innovation in the marketplace that will create new business opportunities.
  • Public Safety. Increasing online security will reduce cyber crime, improve the integrity of networks and systems, and raise overall consumer safety levels.  Enhanced online trust will also provide a platform to support more effective and adaptable response to national emergencies.

President Obama’s New Role: Identity Protector in Chief

With $10 trillion of U.S. commerce conducted online every year, basic username and password “security” is just not strong enough – not strong enough to protect the amount of information people volunteer or are required to give to complete an ecommerce transaction.

While this is not a new revelation and none of you have suddenly been awakened to this reality, recent moves by the Obama administration to push stronger online identity protection helps bring to light a real human concern and we hope starts a process resulting in better identity protection for all internet users.

Last week in Washington D.C., top officials from the Commerce Dept., Department of Homeland Security (DHS) and others launched the National Strategy for Trusted Identities in Cyberspace (NSTIC), which President Obama has now signed.


“The Internet has transformed how we communicate and do business, opening up markets, and connecting our society as never before. But it has also led to new challenges, like online fraud and identity theft, that harm consumers and cost billions of dollars each year,” said President Obama. “By making online transactions more trustworthy and better protecting privacy, we will prevent costly crime, we will give businesses and consumers new confidence, and we will foster growth and untold innovation. That’s why this initiative is so important for our economy.”


“We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords,” said Commerce Secretary Gary Locke, speaking at the U.S. Chamber of Commerce. “Working together, innovators, industry, consumer advocates, and the government can develop standards so that the marketplace can provide more secure online credentials, while protecting privacy, for consumers who want them.”

It’s about time we got serious about this topic and with this statement the Obama administration has elevated protecting online digital identities to a national priority.

Is this just political positioning?  Far from it.

Identity is the very essence of who we are.

Yet ID theft has been the #1 consumer complaint to the Federal Trade Commission for the last ten years.  During that time the threat landscape has evolved from a labor intensive paper chase to super automated botnets and a global network of computers pushing out phishing, keyboard loggers and other attacks by the millions.

The threat is so pervasive that the Anti-Phishing Working Group (APWG) states that 25 percent of all PCs are infected with banking Trojans or downloaders aimed at stealing account credentials or hijacking online banking sessions.  Cyber criminals are particularly focused on businesses, municipalities and high net worth individuals where they can get a much bigger payout.

While NSTIC recognizes there is a place for anonymity and many low level password-protected personas online, there is a clear message that high value transactions, especially e-commerce and banking, need to move to a higher level of identity protection based on a smart card or secure USB token.

Speaking at the launch event, U.S. Commerce Secretary Gary Locke said, “We must do more to help consumers protect themselves, and we must make it more convenient than remembering dozens of passwords.  Working together, innovators, industry, consumer advocates, and the government can develop standards so that the marketplace can provide more secure online credentials, while protecting privacy, for consumers who want them.”

Protecting online identity is not a luxury – it is a mandate. As more of our world becomes connected, protecting online identity needs to be a top priority. As more people use (and in some ways implicitly trust) the internet for e-commerce, personal finance and social interaction, the amount of personal information placed online warrants a real identity protection solution. The NSTIC call for a strong identity credential is a great foundation to protect the individual identity with standardized industry proven technology. While it will take some time to see the true impact of NSTIC, it is certainly a move in the right direction.

Posted on 26th Apr 2011 by Ray Wizbowski