Identify Theft

Criminals, terrorists, and others who wish to penetrate an airport’s business operations have gotten smarter about how to use the Internet to commit a host of cyber crimes. They have gotten more organized and sophisticated, using a diverse set of tactics to launch multi-pronged attacks aimed at specific targets. In response, airports are now considering a variety of technologies to help them to do a better job of screening travelers and personnel. The exact role of technology continues to be debated within the industry and at the federal level.

That said, if an airport business should choose to implement technology for additional security measures, and while it would certainly advance the security of the operations, there comes a hidden risk: identity theft.

In order to ensure security, the federal government and airports themselves are demanding more thorough background checks on employees. The Transportation Security Administration holds lists of banned or suspect travelers. All of this information is highly sensitive and subject to security risk. Determining who has access to this information and ensuring that only authorized personnel get access should be a priority.

One measure for airports to consider implementing is stronger authentication of employees. Passwords alone are no longer secure, no matter how complex or how often they’re changed. Password crackers (freely available on the Internet) have made it nearly impossible to choose a password that a user can remember but that cannot be quickly cracked. Forcing more complex passwords (and more changes), causes users to write down the password, which certainly does not improve security.

Strong Authentication

Today, many organizations are exploring the use of strong authentication, which allows access based on at least two parameters: something you have and something you know — like ATM cards for the Internet.

This differs from the most prevalent authentication technologies in use today, which require a “shared secret” between the user and the application — usually a password — that the user must send over the network. The problem with this method is that identity thieves and hackers can intercept passwords, or they can break in, to back end directories and steal blocks of hashed passwords.

Many of the mechanisms used today for strong authentication still have this vulnerability. For example, one-time password tokens, a widely deployed form of two-factor authentication, still require the user to send a secret (the one-time password) over the network and to store a secret (the seed) in a server at the back end.

Though solid technology, one-time passwords need additional protection to be completely secure — the channel over which they are sent needs to be secured, and the seed should be stored in a specialized piece of hardware.

Another common form of two-factor authentication is the smart card, which provides very strong protection but does require physical provisioning of the cards. The underlying PKI infrastructure can be expensive and difficult to manage.

5 Recommendations

In formulating and implementing a strategy to ensure for proper identity information protection, airports must be proactive and account for current and future threats. Staying ahead of the bad guys requires just a few things:

  1. Don’t run out and buy an expensive system just to feel like you’re doing something. Do research, and pick something that will last more than a few months in the field.

  2. Separate identity information theft from access theft and work on the two problems separately. The two have gotten mixed up in a lot of people’s minds, but they’re different. Protecting social security numbers, names, and addresses is a different problem than protecting against access theft. They’re related only in that access theft often allows an attacker to get personal information. Securing access helps protect data.

  3. Use solutions that are realistic for real-world customers to adopt. Not all employees are the same, and not all have the same risk. Staff members accessing social security numbers, salaries, and other information need stronger security than a receptionist looking up phone numbers for callers. You have a range of users, so look for something that can provide a range of solutions.

  4. Don’t get caught up in vendor hype. Phishing, identity theft, Sarbanes-Oxley — they’re all “hot” topics. But there is no silver bullet. Take vendor claims with a grain of salt; get solid security for the money.

  5. Deploy flexible solutions to protect against future attacks. Most systems out there are “one trick ponies” that do one type of authentication and do it for everything, all the time. With today’s Internet, attacks are changing constantly, and no one can predict what’s coming next. Find authentication solutions that allow you to migrate users to stronger credentials without ripping out the infrastructure. It takes too long, and you don’t have the money to do that every six months anyway.

Recognizing the increased risk that comes with holding more information on employees and potential criminals can maintain the trust of travelers, improve overall security, and protect their employees and customers.