The digital age, and the low-cost sophisticated equipment that supports it, have provided the means and opportunity for criminals to copy and duplicate documents, and to pretend to be someone they are not. It's not a happy situation, particularly if it involves your bank account and the fraudulent means to drain it. A variation on the theme could be the obtaining of credit in your good name, leaving you with a mountain of debt that you have to explain away.
I have heard of a business person caught up in credit fraud which took two years to reverse. His credit rating suffered so badly that he was ultimately forced to close his business. Credit rating agencies are reluctant to remove any adverse information unless it is proven through another recognised agency, such as the police. This can take time.
Gartner Research, based in the US, reports that in the 12 months ending June 2003, 3.4% of US consumers were victims of identity theft. This represents seven million adults and is up from 1.9% of consumers in February 2002. The trend could be similar here in Australia.
Personally, my first line of defence has been to rent a post office box and collect my own mail. I have systematically trained all people and organisations who communicate with me to use my post office box number rather than my street address. This has had the added advantage that if I shift home, the redirection of mail is much simpler, and if I go on vacation, I know my mail is still secure.
To give some idea of the scale of this type of fraud, for the last financial year the ANZ Bank posted a loss of $51 million, and Westpac reported a loss of $19 million. There is a call world-wide for banks to tighten up their security systems, because they are being penetrated more frequently.
Most of the bank losses have been through the fraudulent use of credit cards.
The response to this avalanche of fraud has been to improve bank technology, e.g. the ANZ Bank has brought out the SmartCard, and Westpac is looking at a similar strategy. While the technology gets smarter, it seems to spur on high-tech criminals, who seemingly have an ability to work ahead of the legislation intended to contain this type of fraud, and to be as smart as the IT people working with banks to outsmart them. So where you see a secure system being advertised as being "equivalent to banks", you may need to have a second look.
In recent times we have seen a raft of legislation pertaining to privacy issues, and we will see more legislation relating to identity checks and what will be needed to substantiate them. It may get down to such things as taking DNA samples, fingerprinting or eye scanning for you to prove who you are.
E-mail is also a source of insecurity and identity stealing.
I don't know how other pharmacists are finding it, but I am now getting up to 50 e-mails per day which are nothing more than "spam" in its most puerile form.
I never object to receiving unsolicited e-mails if they pertain to my profession and have a ready "opt-out" system. However, when other people or organisations send me offers to enlarge parts of my anatomy, or build it all up with growth hormones, and then get me to try it all out with cheap Viagra, enough is enough! Unfortunately, using a spam filter very often filters out regular e-mail that is mistakenly identified as "spam", so I am looking at an alternate strategy, which I will share with readers later in this article.
More of a problem is the fact that "spammers" have begun to use the form mail component of my website. I have a "Contact Us" section, in line with most websites, which is being utilised by spammers to send their garbage to unfortunate recipients who happen to have advertised their e-mail addresses on the Internet in some form or another. This means that I will now have to disconnect this section to prevent garbage e-mails being inflicted on others in my name. This is another type of identity theft, and there are no laws in place to prevent its occurrence.
It is a relief to know that the Australian government is shortly to introduce legislation to outlaw "spam", which may stem some of the problem.
Another annoyance that has just occurred is the unauthorised use of the e-classified employment section of my site to advertise products and services I have never heard of and certainly do not endorse. They all seem to emanate from India and, if currently seen by readers, should be disregarded, as they cannot be trusted. This will have to be dealt with by disconnecting, or by creating a password entry, which further means that people will have to be able to identify themselves before being given a password.
It all adds to the cost of doing business on the Internet, and a convenience service is made more complex as a result.
To add insult to injury, I am now receiving viruses at the average rate of two to three each day. Fortunately, my virus checker is a good one.
Most people are unaware of how insecure e-mails really are. It is quite common for any e-mail received by you to reside on a number of fileservers located anywhere in the world. These "footprints" are completely accessible by staff attached to these fileservers, so your e-mail can be read by many unauthorised persons.
Even if e-mails are encrypted to improve security, there are programs available to "crunch" and break common codes. The security of encryption is measured by the number of "bits" used by the "key" that creates the encryption. The higher the number of "bits", the more difficult it is to crack the code.
The first encryption technology was built around a 40 bit PKI (Public Key Infrastructure) system, which was quickly broken. Some browsers (older versions) use a 40 bit PKI system and need to be upgraded. Recent advancements in cryptology are gradually replacing the 40 bit PKI with a 128 bit PKI system, which is a system utilised by banks and other establishments that require this level of security. PKI security systems are also measured in the estimated time it will take to crack the code. In a recently sighted article on cryptology, a 128 bit PKI system was reported as having a secure life of three years, a 512 bit PKI system was estimated at seven years, and a 1024 bit PKI system as having a life of ten years, i.e. dated from 2003 as a baseline. These are only subjective estimates and are based on the rate of introduction of computer processing speed and capacity that will be delivered in coming years.
With the increase in the "bit" size of encrypted documents comes more complexity in programming and use, and from a practical standpoint, a slowing down of document transmission. The more advanced the cryptology, the slower it is to encrypt and decrypt documents in a commercial environment.
So these identity stealers and privacy violators continue to escalate the cost of doing business on the Internet and rob people of rightful gains that would naturally accrue from an ethical use of the Internet. Music publishers and film production companies are losing billions through the theft of intellectual property on the Internet.
With the introduction of e-health there is an imperative to move away from "old technology", which includes items such as fax machines that are notoriously insecure. This movement is towards the use of document encryption and transmission by e-mail or by Internet document exchanges.
The security risk in a cryptology environment lies in who has access to your private "key", the electronic file that can be used to encrypt and decrypt documents. To be totally secure, the key should be generated on your own desktop and stored off the desktop on a floppy disk or CD-ROM, which in turn should be stored in a safe, with a copy in a safe deposit box (in case of incapacity or death).
Herein lies a security flaw that is not widely publicised in the e-health environment: the "keys" for the major government-promoted systems are, or will be, generated by the Health Insurance Commission (HIC) at a central point and then transported to each health practitioner by various means. Many people can have access to your key (within and outside of the HIC), or can hijack it during transport, including people working with you in your own environment.
It may take time for the criminals to penetrate the primary systems, but the system is wide open because of the way it is structured, particularly in its reliance on e-mail transmission, with the accumulating risk of "footprints" left with each transmission and the ability to crack the code of a 128 bit PKI system increasing with the passage of time.
A more secure method of document transmission lies in the use of a closed Internet document exchange. This is a method I advocate, and I have "put my money where my mouth is" and developed a system independent of government funding or other external ownership. I have called it HEALTH-Dx.
The system involves desktop software that can generate "keys" and can encrypt and decrypt documents. It currently utilises a 512 bit PKI system, with the ability to switch to 1024 bit PKI (or higher) at any given time. It connects to a secure Internet database that stores encrypted documents uploaded from the desktop, and dispatches encrypted documents from storage to another nominated recipient. In a PKI system there are two "keys": a public key and a private key. Recipients have access to the public key, but only the sender has access to the private key.
Because it is a closed system, all recipients have to be verified by a central administrator and have their keys "signed" before they can become operational. By this method, anyone receiving a document can be sure that it is from the person they believe is sending it. Because each member of the document exchange generates their own key using a system of two separate passwords, they are the only ones who can use it. Even if a key went astray, it would still need knowledge of the corresponding passwords to activate it. Only carelessness by a key owner would result in the theft of this type of identity.
Because it is not e-mail, it does not come with the baggage of spam or viruses. This does not mean that a member, if they became malicious, could not introduce an improper form of communication or virus, but they would be immediately identifiable and would be disconnected. Further, the communication is one-on-one, so global contamination could not occur. Given the calibre of the health personnel attached to a document exchange, the possibility of malicious behaviour is virtually nonexistent.
To ensure the quality of security, the keys are re-signed every twelve months.
A document exchange operates in an identical manner to a Virtual Private Network (VPN) without the high cost factor of hardware. Being a software solution it is much cheaper, and accessibility is worldwide, which gives it a convenience dimension over standard VPNs. Further, the system is being developed so that specific groups of recipients can be "tagged" to be visible to each other but invisible to all others, creating multiple VPNs.
If a member of HEALTH-Dx has another external interest, it will be possible to set up a second, wider network that is blind to the health network. It may be that a member has a network of advisers who need to be connected for secure communications (solicitor, accountant, management consultant, IT consultant etc.). This can be constructed, and further, existing members of the health network can be introduced to this private network if desired.
Another variation on the theme is that a member of the document exchange, while tapping into the mainstream of health communicators, can set up a substructure which is confined to members of one organisation, e.g. a large medical practice. In practice, this means that documents that may be confidential can be sent to the manager of a practice and can only be sighted by the manager. However, other staff may need access to some of these documents, and they can be given access by the issuing of a "shared key" that is unique for each individual. If they change employment, it is a simple process to cancel one key without having to dismantle the entire permission system. The permutations and combinations are endless.
Integrity of documents in the stored area is maintained through the generation of "message digests" that are 32 characters in length. When a document is originally encrypted, a numerical digest of that document is generated and encrypted with the document. When the document is received, the recipient decrypts it, and part of the process involves generating another message digest. The two message digests are then compared, and if they agree, the recipient knows that it has not been tampered with. This is not unlike the generation of a check digit for a product code, so that it is rejected as faulty if incorrectly input into a stock control system.
A message digest encrypted with the sender's private key creates a unique electronic signature, as the recipient can decrypt it using the sender's public key. Further, the HEALTH-Dx system will not allow a document to be changed once encrypted, and a registration of the document involving the document name, date and sender's details is permanently incorporated with the original encryption. It is believed that in the near future, all electronic documents will have to be registered to have any legal effect. This does not mean that a document cannot be decrypted, downloaded and changed on the desktop. But it has to be re-encrypted and re-registered, because it is a new document. By this method documents can be tracked, and no person can claim to have sent a particular document unless the registration details match at both ends of the transaction.
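The closed-exchange model described above (member keys signed by a central administrator, a digest bound to the document and its registration details, and that digest signed with the sender's private key) can be shown end to end in code. The following Go program is an added example written for this article, not HEALTH-Dx's own software: it assumes RSA signatures over SHA-256 digests in place of the 32-character digest mentioned above, a constructed registration layout, and 2048-bit keys, because current Go refuses to generate keys as small as the 512-bit keys the article mentions.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Registration: the name, date and sender details the exchange binds to a document (constructed layout).
type Registration struct{ Name, Date, Sender string }
func newKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // Go rejects < 1024 bits

// digest hashes the registration details together with the body, so a document cannot be re-labelled
// with a different name, date or sender without the digest changing.
func digest(doc []byte, reg Registration) []byte {
	h := sha256.New()
	h.Write([]byte(reg.Name + "\x00" + reg.Date + "\x00" + reg.Sender + "\x00"))
	h.Write(doc)
	return h.Sum(nil)
}

// sign is the "digest encrypted with the private key" the article describes: an RSA signature over it.
func sign(priv *rsa.PrivateKey, d []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d)
}

// enrol is the administrator signing a member's public key; the key is accepted only while this verifies.
func enrol(admin *rsa.PrivateKey, member *rsa.PublicKey) ([]byte, error) {
	d := sha256.Sum256(x509.MarshalPKCS1PublicKey(member))
	return sign(admin, d[:])
}

// verify is the recipient's check: the sender's key must carry the administrator's signature (a verified
// member), and the body plus registration details must match the sender's signature (no tampering).
func verify(admin, sender *rsa.PublicKey, enrolSig, doc []byte, reg Registration, docSig []byte) bool {
	kd := sha256.Sum256(x509.MarshalPKCS1PublicKey(sender))
	if rsa.VerifyPKCS1v15(admin, crypto.SHA256, kd[:], enrolSig) != nil {
		return false // key was never signed by the exchange administrator
	}
	return rsa.VerifyPKCS1v15(sender, crypto.SHA256, digest(doc, reg), docSig) == nil
}
func main() {
	admin, _ := newKey()
	member, _ := newKey()
	enrolSig, _ := enrol(admin, &member.PublicKey)
	reg, doc := Registration{"discharge-summary.txt", "2003-09-01", "Dr Example"}, []byte("Discharged; continue medication as charted.") // constructed sample
	docSig, _ := sign(member, digest(doc, reg))
	fmt.Println(verify(&admin.PublicKey, &member.PublicKey, enrolSig, doc, reg, docSig), // true
		verify(&admin.PublicKey, &member.PublicKey, enrolSig, []byte("altered"), reg, docSig)) // false
}
```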
As all the above processes are handled by the software automatically, the user is able to manage with a minimal number of keystrokes at a reasonably high speed.
HEALTH-Dx has many applications. It can transmit and store documents securely and safely between any two health professionals. Medication reviews can be transmitted to GPs, doctors can review and alter nursing home charts electronically from their own desktop (and sign them with an electronic signature), prescriptions can be sent from GP to pharmacist, discharge summaries can be sent from hospitals to GPs... the list is endless. It even has an application in medical detailing, where encrypted PowerPoint-type presentations can be sent to GPs and left within the Internet storage for future reference.
HEALTH-Dx is my choice of infrastructure to avoid theft of my identity, address privacy issues by ensuring only people authorised to view my confidential information can do so, plus register a document electronically so that it can be used in a court of law. In addition, I can use it for networking communications internally with staff, and externally with any other logical group of recipients, with only authorised recipients being able to see and identify each other on any given, completely separate, private network.
You will also note that I have basically duplicated my "snail mail" security with the creation of a virtual Internet post office box.
I am currently conducting a series of trials to ensure that the program is robust and free of "bugs".
If anyone is interested in participating in a trial, please contact the writer at neilj@computachem.com.au