Security Exploits Demonstrate Need for Red Flag Standardization

The Red Flags Rule, the Federal Trade Commission (FTC) regulation that requires covered businesses to run an identity theft prevention program, goes into effect on November 1. When that date arrives, all creditors and financial institutions that hold covered accounts must have compliant written procedures for identifying, detecting and responding to the "red flags" that signal possible identity fraud. Businesses nationwide are educating themselves and taking the necessary steps toward compliance.

An article from Government Computer News highlights demonstrations at last month's Black Hat Briefings in Las Vegas, NV that show why the Red Flags Rule is needed. Dan Kaminsky, Director of Penetration Testing at IOActive, and Moxie Marlinspike of Thoughtcrime.org demonstrated attacks on Secure Sockets Layer (SSL), the Web protocol widely used to secure client connections. According to both Kaminsky and Marlinspike, the problem is not a single bug but a lack of rigor in the standard: the X.509 certificate format is loosely specified, implementations interpret it differently, and those differences are the weaknesses an attacker can use to trick an SSL implementation into accepting a malicious digital certificate as valid:

“Pretty much every corner we looked at in X.509 we found ugliness,” Kaminsky said of the X.509 standard employed by SSL. “It is remarkably fragile. There are a lot of ambiguities in a technology that ought not to be ambiguous.”
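As an added illustration (this code is not from the article and not from either speaker's presentation), the following Python shows one kind of ambiguity the quote refers to, using a constructed certificate subject rather than a real certificate. An X.509 name is an ASN.1 string with an explicit length, so a NUL byte inside a Common Name is legal; a verifier that hands that name to C string routines stops at the NUL and compares a shorter, different name. The null-prefix certificates shown at that Black Hat rely on exactly this disagreement. The host name, the sample subjects and the two checking routines are assumptions made for the example.

```python
"""Added example (not from the article or the Black Hat talks it cites):
host name checks against constructed X.509 subject Common Names, showing
how a loosely handled string lets a certificate issued for attacker.example
pass as one for www.bank.example."""

# Constructed sample subjects (assumption for the example). A real CN is an
# ASN.1 string with its own length field, so the NUL in the second entry is
# a legal character of the name as the CA saw and signed it.
SAMPLE_CERTS = {
    "honest": "www.bank.example",
    "null_prefix": "www.bank.example\x00.attacker.example",
    "wildcard_ok": "*.bank.example",
    "wildcard_too_broad": "*",          # would match every host
}


def naive_matches(cert_name: str, host: str) -> bool:
    """Emulates a verifier that copies the CN into a C string: the name is
    cut at the first NUL, then compared case-insensitively, with a leftmost
    '*' allowed to stand for any prefix of the host."""
    name = cert_name.split("\x00", 1)[0].lower()
    host = host.lower()
    if name.startswith("*"):
        return host.endswith(name[1:])
    return name == host


def strict_matches(cert_name: str, host: str) -> bool:
    """Length-aware check: refuse control or non-ASCII bytes outright,
    require a wildcard to be the whole leftmost label with at least two
    fixed labels after it, and match it against exactly one host label."""
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in cert_name):
        return False        # embedded NUL or other non-printable: reject
    name_labels = cert_name.lower().split(".")
    host_labels = host.lower().split(".")
    if "*" in cert_name:
        if (name_labels[0] != "*" or len(name_labels) < 3
                or any("*" in label for label in name_labels[1:])):
            return False
        return (len(host_labels) == len(name_labels)
                and host_labels[1:] == name_labels[1:])
    return name_labels == host_labels


def evaluate(host: str = "www.bank.example") -> dict:
    """Run both checks over every sample subject.
    Returns {label: (naive_result, strict_result)}."""
    return {label: (naive_matches(cn, host), strict_matches(cn, host))
            for label, cn in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for label, (naive, strict) in evaluate().items():
        print(f"{label:20s} naive={naive!s:5s} strict={strict}")
```

The point of the two routines is that the signed bytes are identical in both cases; only the verifier's reading of them differs, which is what "ambiguity" means here. A verifier that treats the name as a counted string and rejects anything it cannot print is not cleverer, it simply refuses to guess.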

SSL acts as a form of identity authentication: the site certificate is what lets a consumer believe that the other end of an online interaction is who it claims to be. When that check can be defeated as readily as the Black Hat demonstrations showed, the certificate cannot be the only control, and another layer of authentication is necessary. Fixing the ambiguities in SSL and X.509 consistently across vendors may still be years away; the Red Flags Rule works at a different layer, requiring creditors to notice and respond to the signs of fraud in account activity itself, so compliance will help to stop identity fraud exploits before the end of the year.

Visit Electronic Verification Systems to learn more about the Red Flags Rule and find out how to make your current security measures compliant.