Microsoft, Experian service targets ID fraud

• Article
• Gallery

gallery

Experian and Microsoft have developed a proof-of-concept identity management service to streamline identity management and authentication process for e-commerce companies and their customers.

The first commercial offering based on Windows CardSpace technology, the service is designed to take advantage of the industry standards development of single sign-on ID authentication tokens. CardSpace is designed to run on the Windows operating system (OS), Bandit is for the Linux OS and DigitalMe is the Mac OS X equivalent.

Jim Lound, Experian product director of transfer services told IT PRO that, as ID fraud activity intensifies, this service would streamline identity authentication and provide a safer and simpler way to pay online.

Experian verifies both individuals and organisations using a registration and ID authentication process. Once complete, the Windows CardSpace card runs on the consumer's desktop and prompts them to use it when they are attempting to authenticate their identity or a transaction.

Steve Plank, an identity architect at Microsoft said: "Cryptographic code and digitally signatures mean the request to use the card to authenticate the user can only go to Experian, avoiding the chance of man-in-the-middle attacks [duping customers into divulging information through a bogus website] or phishing," he said.

For example, if an individual wants to renew their car insurance, they select their 'Experian Card,' which would contain confirmation of identity details and age plus, in this instance, other facts that form part of money laundering legislation. Windows CardSpace then sends a request to Experian, as the identity provider, to validate the identity of the website.

Once the requesting website is identified, Experian then forms and returns a signed and encrypted token, which contains a confidence level as to whether that person exists and is who they say they are to Windows CardSpace and from their to the website.

While Lound said the first, 'information card' would hold identity details - to replace the need to fulfil multiple, registration, username and password requests - other cards could be launched including credit card details.

Retailers are charged a fee based on the type of transaction, and have to develop the integration to the service on their websites and back-end systems, while also potentially replacing existing card authentication schemes, like MasterCard SecureCode and Verified by Visa.

Lound said the identity management service will enable organisations to reduce the customer support resources needed for web-based activity, such as resetting forgotten passwords, while users will have more consistent, secure customer experience.

Email to a friend

Print this page