On Line Opinion - Australia's e-journal of social and political debate

Be alert, be alarmed!

By Mohammed Alzomai - posted Tuesday, 11 December 2007

The fast growth in the number of online services means that each user has an increasing number of digital identities to manage. As a result, many people feel overloaded with identities, which negatively impacts their ability to manage those identities securely. Users and organisations need a secure and convenient system for controlling digital identities.

Identity Management Systems are built to protect users' personal information against attacks. The typical scenario is an attacker trying to illegally obtain confidential information about a user.

Privacy is a major concern in any identity management system. Users should have control over their identities and personal information, so that they can decide whom to communicate with and whom to give their personal information to.


A general privacy principle is that personal information should be disclosed only to the minimum extent necessary, and should not be shared with parties who have no direct involvement in the interaction between the user and the service provider.

In fact, privacy violation is considered a major threat to identity management systems. One example of a privacy violation is using a user's personal information for purposes other than those agreed. Others are correlating a user's personal information in ways that reveal his or her identity, impersonating users for malicious purposes, and disclosing personal information that the user would not be willing to reveal.

To ensure privacy, all involved parties should follow a well-defined security policy. The Australian Government's Office of the Privacy Commissioner aims to protect privacy in Australia under the federal Privacy Act 1988. Two important privacy standards are used for that purpose: the Information Privacy Principles and the National Privacy Principles.

The Information Privacy Principles are intended to be followed by federal and ACT government agencies when handling personal information. Private sector organisations, on the other hand, need to comply with the National Privacy Principles when handling personal information.

The two main and most common identity theft attacks that identity management systems try to protect against are keyboard logging and spoofing. Both attacks aim to collect personal information about the victim, such as credentials, so that the attacker can use those credentials to authenticate to the service provider as the legitimate user and then perform illegal operations.

A keyboard logger is a malicious program that runs on the victim's infected personal computer and collects personal information by recording the user's keystrokes without his or her knowledge. This information is then sent to the attacker, who, with some analysis, can extract the credentials needed to access online services.


A spoofing attack is a situation in which the attacker successfully masquerades as another identity to illegally gain an advantage.

Whereas keyboard logging requires the victim's machine to be infected with a malicious program (the keyboard logger), a spoofing attack can work without this requirement. Phishing and pharming are the best-known spoofing attacks.

A phishing attack is one in which the attacker sends a spam email containing a URL that leads to the attacker's (fake) server, which masquerades as the service provider's legitimate site in order to fraudulently acquire sensitive information (such as passwords) from the victim.
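The spoofed-URL trick described above can be caught on the receiving side by comparing where a link says it goes with where it actually goes. The following is an added defender-side example, not code from the article or its author; the email body, the legitimate hostname and the link targets are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample: three anchor tags as they might appear in an HTML email.
# The second one shows the provider's URL as text but points elsewhere.
SAMPLE_EMAIL_HTML = """
<p>Verify: <a href="https://login.example-bank.com/verify">https://login.example-bank.com/verify</a></p>
<p>Or: <a href="http://example-bank.com.login-check.test/verify">https://login.example-bank.com/verify</a></p>
<p>Help: <a href="https://support.example-bank.com/">contact support</a></p>
"""

# Domain the service provider really uses (assumed for this example).
LEGITIMATE_HOSTS = {"example-bank.com"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
LOOKS_LIKE_URL_RE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL (scheme added if missing)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def is_legitimate(host: str) -> bool:
    """True only if host is the legitimate domain or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_HOSTS)


def check_links(html: str) -> list:
    """Flag anchors whose visible URL text and real target disagree, or whose
    target merely embeds the legitimate name inside an unrelated domain."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = host_of(href)
        shown = host_of(text.strip()) if LOOKS_LIKE_URL_RE.match(text.strip()) else ""
        reasons = []
        if shown and shown != target:
            reasons.append(f"link text shows {shown} but points to {target}")
        if not is_legitimate(target) and any(d in target for d in LEGITIMATE_HOSTS):
            reasons.append(f"{target} embeds a legitimate name in an unrelated domain")
        findings.append({"href": href, "target": target,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["href"], f["reasons"])
```

The check is deliberately conservative: it compares hostnames only, so it says nothing about links whose visible text is plain words, as in the third sample anchor.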

About the Author

Mohammed Alzomai is a PhD Candidate at the Queensland University of Technology, Information Security Institute.

This work is licensed under a Creative Commons License.
