Identify Theft

Criminals, terrorists, and others who wish to penetrate an airport’s business operations have gotten smarter about how to use the Internet to commit a host of cyber crimes.

Criminals, terrorists, and others who wish to penetrate an airport’s business operations have gotten smarter about how to use the Internet to commit a host of cyber crimes. They have gotten more organized and sophisticated, using a diverse set of tactics to launch multi-pronged attacks aimed at specific targets. In response, airports are now considering a variety of technologies to help them to do a better job of screening travelers and personnel. The exact role of technology continues to be debated within the industry and at the federal level.

That said, if an airport business should choose to implement technology for additional security measures, and while it would certainly advance the security of the operations, there comes a hidden risk: identity theft.

In order to ensure security, the federal government and airports themselves are demanding more thorough background checks on employees. The Transportation Security Administration holds lists of banned or suspect travelers. All of this information is highly sensitive and subject to security risk. Determining who has access to this information and ensuring that only authorized personnel get access should be a priority.

One measure for airports to consider implementing is stronger authentication of employees. Passwords alone are no longer secure, no matter how complex or how often they’re changed. Password crackers (freely available on the Internet) have made it nearly impossible to choose a password that a user can remember but that cannot be quickly cracked. Forcing more complex passwords (and more changes), causes users to write down the password, which certainly does not improve security.

Strong Authentication

Today, many organizations are exploring the use of strong authentication, which allows access based on at least two parameters: something you have and something you know — like ATM cards for the Internet.

This differs from the most prevalent authentication technologies in use today, which require a “shared secret” between the user and the application — usually a password — that the user must send over the network. The problem with this method is that identity thieves and hackers can intercept passwords, or they can break in, to back end directories and steal blocks of hashed passwords.

Many of the mechanisms used today for strong authentication still have this vulnerability. For example, one-time password tokens, a widely deployed form of two-factor authentication, still require the user to send a secret (the one-time password) over the network and to store a secret (the seed) in a server at the back end.

Though solid technology, one-time passwords need additional protection to be completely secure — the channel over which they are sent needs to be secured, and the seed should be stored in a specialized piece of hardware.

Another common form of two-factor authentication is the smart card, which provides very strong protection but does require physical provisioning of the cards. The underlying PKI infrastructure can be expensive and difficult to manage.

5 Recommendations

In formulating and implementing a strategy to ensure for proper identity information protection, airports must be proactive and account for current and future threats. Staying ahead of the bad guys requires just a few things:

This content continues onto the next page...

We Recommend