Thursday, 27 September 2012

Identity Management and CRM

The use of digital identities for internet users has been discussed in many places, and plenty of solutions have been developed. There are lots of identity providers that offer (open-)standards-based digital identities that can be reused.
For companies, the use of digital identities is only part of the problem; the use of external identities is only just becoming a necessity.

Apart from offering access for external identities, organisations also have to cope with the internal identities of their customers. The more (legacy) back-office systems an organisation uses, the more difficulty it has in identifying the value of its customers. Nothing new here: this problem is solved in Customer Relationship Management (CRM) and Master Data Management (MDM): we create a 'Golden Record', a unique internal representation of a customer, that is linked to all connected internal backend systems.

Master Data Management is an area with specific problems. How do you connect customer accounts in different backend systems that use different identifiers? Backend1 customer A1 can be the same person as Backend2 customer R2D2, and may not be Backend3 customer A1 at all, but ASDFG9 instead. Master Data Management uses intelligent rules engines to connect IDs and knows some tricks, like deduplication. I will not go into detail (I don't know this kind of process well enough).
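As an added example (not part of the original post), the following Python script shows the kind of rules-based record linkage an MDM rules engine performs: it links accounts from three backends into golden records using normalised e-mail addresses and phone numbers as strong keys, deduplicates within a backend, and keeps names only as descriptive data. The backend names, identifiers and customer data are constructed for the example, and the phone normalisation (comparing the last nine digits so that "+31 6 ..." and "06-..." agree) is a simplifying assumption, not a production rule.

```python
"""Added example: building 'golden records' from customer accounts held in
several backend systems. All data below is constructed for the example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    backend: str      # which backend system holds the account
    local_id: str     # the identifier used inside that backend
    name: str
    email: str = ""
    phone: str = ""


def norm_email(email):
    """Lower-case and trim; an empty address is no key at all."""
    e = email.strip().lower()
    return e or None


def norm_phone(phone):
    """Keep digits only and compare the last nine, so that a leading '0'
    and a '+31' country code match (assumption: Dutch-style numbers)."""
    digits = re.sub(r"\D", "", phone)
    return digits[-9:] if len(digits) >= 9 else None


# Constructed sample: the Backend1/Backend2/Backend3 situation from the text.
SAMPLE_ACCOUNTS = [
    Account("Backend1", "A1", "Jan Jansen", "jan.jansen@example.com", "+31 6 1234 5678"),
    Account("Backend2", "R2D2", "J. Jansen", "Jan.Jansen@Example.com"),
    Account("Backend2", "X99", "Jan Jansen", "", "0612345678"),   # duplicate in Backend2
    Account("Backend3", "A1", "Anna Jansen", "anna@example.org"),  # same local id, other person
    Account("Backend3", "ASDFG9", "Jan Jansen", "", "06-12345678"),
]


def build_golden_records(accounts):
    """Union-find over accounts that share a strong key (e-mail or phone).
    Name alone is deliberately NOT a linking rule: it is too weak."""
    parent = list(range(len(accounts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    seen = {}  # (key kind, normalised value) -> first account index with it
    for i, acc in enumerate(accounts):
        for key in (("email", norm_email(acc.email)), ("phone", norm_phone(acc.phone))):
            if key[1] is None:
                continue
            if key in seen:
                union(i, seen[key])
            else:
                seen[key] = i

    groups = {}
    for i, acc in enumerate(accounts):
        groups.setdefault(find(i), []).append(acc)

    records = []
    for n, members in enumerate(groups.values(), start=1):
        rec = {"golden_id": f"G{n:04d}", "links": {}, "email": None, "phone": None, "name": ""}
        for m in members:
            rec["links"].setdefault(m.backend, []).append(m.local_id)
            rec["email"] = rec["email"] or norm_email(m.email)
            rec["phone"] = rec["phone"] or norm_phone(m.phone)
            if len(m.name) > len(rec["name"]):   # heuristic: keep the fullest name
                rec["name"] = m.name
        records.append(rec)
    return records


def golden_for(records, backend, local_id):
    """Look up which golden record a backend-local identifier belongs to."""
    for rec in records:
        if local_id in rec["links"].get(backend, []):
            return rec
    return None


if __name__ == "__main__":
    for rec in build_golden_records(SAMPLE_ACCOUNTS):
        print(rec["golden_id"], rec["name"], rec["links"])
```

Running it yields two golden records: one that links Backend1 A1, both Backend2 accounts and Backend3 ASDFG9, and a separate one for Backend3 A1. A real MDM engine adds fuzzy matching, survivorship rules and a manual review queue on top of this skeleton.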

In a sense both identity related problems look alike, although they are mirrored. Let me show it in a simple picture and await your reactions...:

Tuesday, 25 September 2012

Your Twitter ID as a source for Twitter spam

I'm getting more and more spam in my Twitter timeline or in my Twitter direct-message mailbox. And these tweets come from my own Twitter friends. And I'm not alone in this: many others mention this as well.
Tweets like “GET MORE FOLLOWERS MY BEST FRIENDS? I WILL FOLLOW YOU BACK IF YOU FOLLOW ME” or direct messages like “lol ur famous now [link]” will in most cases link to malware-infected sites.
And now and then a Twitter friend reports that his Twitter account was hacked.

I don't believe that this is the case. Accounts don't get hacked easily. Of course a PC could be infected with malware, with keyboard sniffers and password stealers, but apart from that, hacking an account is not that easy. Proof? Even security professionals became the source of Twitter spam messages.

If your account was not hacked, how can this spam flood happen?
The tweets definitely come from a trusted person. And since there is no way to create a tweet with a faked sender address, these spam messages really do come from your friends.
On his blog (http://nakedsecurity.sophos.com/2011/06/23/beware-shortcuts-for-getting-more-followers-on-twitter/) Graham Cluley from Sophos explains how these tweets happen. They come from services that you(!) allowed to access your Twitter account. And these services may well do other things than you wanted them to.
Twitter can be used as an identity provider. It uses the underlying OAuth protocol to authenticate Twitter users for different services on the internet. And this feature is not only available on PCs but also on mobile phones. Very practical: if you use your Twitter account you don't have to log in with a user name and a password. All that is required is that you tell Twitter to allow access for the external service. And in fact you allow the external service to post messages on your behalf.
Through this link ( https://twitter.com/settings/applications ) you can check which apps you trust to post on your behalf.

Do you really trust all these apps? My advice: you had better revoke all unknown or unused apps. And by the way: if I receive a strange tweet from your Twitter account, I will use a second channel (like LinkedIn, or mail) to advise you to clean up your list of trusted Twitter apps.
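To make the mechanism behind the post concrete, here is an added example (not from the post, and not Twitter's real implementation) of OAuth-style delegated access in miniature: a toy identity provider issues an app a scoped token, the app posts on the user's behalf with that token and never sees the password, and only revoking the app makes the posting stop. The provider, app names, scopes and token format are all constructed for this example.

```python
"""Added example: a toy model of delegated (OAuth-style) access, showing why
an app you once authorised keeps posting as you until you revoke it.
Everything here is constructed; it is not Twitter's API or token format."""
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: frozenset     # e.g. {"read"} or {"read", "write"}
    issued_at: float


class IdentityProvider:
    """Holds user grants; a token, not the user's password, is what an app uses."""

    def __init__(self):
        self.grants = {}     # access token -> (user, Grant)
        self.timeline = {}   # user -> list of (posting app, text)
        self.audit = []      # what a user would see on the trusted-apps page

    def authorize(self, user, app, scopes):
        """The step where the user clicks 'allow' for an external service."""
        token = secrets.token_urlsafe(24)
        self.grants[token] = (user, Grant(app, frozenset(scopes), time.time()))
        self.audit.append(("grant", user, app, tuple(sorted(scopes))))
        return token

    def list_apps(self, user):
        """What the settings/applications page shows: app name and its scopes."""
        return [(g.app, sorted(g.scopes)) for (u, g) in self.grants.values() if u == user]

    def revoke(self, user, app):
        """Remove every token issued to that app for this user; returns how many."""
        before = len(self.grants)
        self.grants = {t: (u, g) for t, (u, g) in self.grants.items()
                       if not (u == user and g.app == app)}
        self.audit.append(("revoke", user, app))
        return before - len(self.grants)

    def post_status(self, token, text):
        """The app's call: succeeds only for a live token with the 'write' scope."""
        entry = self.grants.get(token)
        if entry is None:
            raise PermissionError("token unknown or revoked")
        user, grant = entry
        if "write" not in grant.scopes:
            raise PermissionError(f"{grant.app} has read-only access for {user}")
        self.timeline.setdefault(user, []).append((grant.app, text))
        return True


def scenario():
    """Constructed walk-through: a 'get more followers' app is authorised,
    posts spam as the user, and is then revoked from the trusted-apps list."""
    idp = IdentityProvider()
    token = idp.authorize("alice", "GetMoreFollowersApp", {"read", "write"})
    idp.post_status(token, "GET MORE FOLLOWERS MY BEST FRIENDS?")   # posted as alice
    apps_before = [app for app, _ in idp.list_apps("alice")]
    removed = idp.revoke("alice", "GetMoreFollowersApp")
    try:
        idp.post_status(token, "lol ur famous now [link]")
        blocked = False
    except PermissionError:
        blocked = True                      # the old token is now dead
    return {
        "posted_as_alice": idp.timeline["alice"],
        "apps_before_revoke": apps_before,
        "apps_after_revoke": idp.list_apps("alice"),
        "revoked": removed,
        "blocked_after_revoke": blocked,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Two points the toy makes visible: the spam really is sent through the user's account, because the provider records the post under the user, not the app; and in this model changing the password would change nothing, since the app holds a token, so reviewing and revoking the trusted-app list is the control that actually stops it.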