The New Explorers: Partha Dasgupta

August 24, 2006

Computer expert puts identity thieves on notice

The Internet offers a bountiful virtual bazaar, replete with the hottest trends, cutting-edge technology and obscure nostalgia.

Every day, millions of people punch in their names, addresses, credit card and Social Security numbers to make their purchases, unaware of the risk to their security. That information contains everything a skilled computer hacker needs to assume a person’s identity, run up thousands of dollars in purchases and make life very difficult for the victim.

ASU computer science professor Partha Dasgupta has been working in computer security for the past eight years. He is focusing on the problem of identity theft and researching possible ways of thwarting it.

The emerging frontier of computer security resembles an arms race, with hackers constantly pushing the boundaries and authorities responding by closing security loopholes and erecting ever more restrictive security policies. Dasgupta spends his working hours finding flaws in security protocols, and devising methods to make software and hardware safer by improving network security and authorization protocols.

Dasgupta’s work is becoming increasingly important, as identity theft is a growing problem in the United States. According to an annual Federal Trade Commission report, last year there were more than 250,000 victims of identity theft in the United States.

Metropolitan Phoenix led the nation in reports of identity theft, which makes the problem especially significant for Valley residents.

“Computers pose an enormous risk to consumers, but it’s a risk we live with,” Dasgupta says. “The problem is you can’t ever completely trust the software, because it, in turn, answers to higher levels of software. The levels keep piling up until you no longer know where your information is going. Without knowing the nature of those higher levels, you can’t have full trust in them.”

Despite his security skepticism, Dasgupta has an intimacy with electronic technology that began at an early age. When he was a young boy growing up in Calcutta, India, radio technology fascinated him. Eventually this interest led him to programming, which paved the way for his foray into computers.

Dasgupta and his family moved to New York in 1981 so he could pursue a doctorate in computer science from the State University of New York at Stony Brook. After receiving his degree in 1984, he worked as an assistant professor at Georgia Tech in Atlanta before coming to ASU in 1991.

In addition to his ASU title, Dasgupta has been a visiting faculty member at New York University.

When he began working at ASU, Dasgupta’s research interests spanned a broad spectrum of computer-related topics, including operating systems and networking. Over time, the allure of the budding technology of security software – and the new ideas in computer security – became his sole focus.

At first, Dasgupta looked for ways online consumers could avoid providing sensitive personal information, such as Social Security and credit card numbers, when making transactions.

He quickly discovered that, with the current system, this is nearly impossible.

“The whole infrastructure is built with inherent flaws,” Dasgupta says. “It relies upon personal information to authenticate computer users’ identities, but that represents a huge personal financial risk. By using supposedly private information for so many aspects of authentication, it makes it easy for hackers to steal your identity. The bottom line is that we should not be using Social Security numbers for authorization purposes.”

The problem, he says, is that the entire infrastructure became dependent upon sharing this type of personal authentication information long before anyone realized just how dangerous this practice was.

“Until around 1997 or 1998, most computer users did not think computer security was an issue,” Dasgupta says. “Now we know that the whole concept is wrong. When we tried to correct the problem, we found that a perfect operating system would not exist without redoing everything. That isn’t going to happen.”

Even if consumers do everything they can to prevent their identities from leaking out, the reliance on personal information still allows for mistakes to happen.

“It’s even risky to provide your Social Security number at the doctor’s office, because if everyone in the office is trustworthy, you still can’t be sure how secure their software is – or who else will have access to that information,” Dasgupta says.

As an alternative to using Social Security numbers and other personal information to validate identities online, Dasgupta is looking into a technique similar to one used by the U.S. Department of Defense. Known as public key infrastructure, or PKI, this technique essentially allows a user to prove his or her identity without having to reveal any private information. Instead of providing sensitive information to a vendor and then using that information to verify an identity, the two parties use “public keys,” usually in the form of online certificates.

With PKI, each user creates a private key, which stays secret and is used to identify the user and confirm ownership of the certificate. The certificate carries the matching public key, verifying the person’s identity to the vendor, and vice versa, without either party having access to any private information.

These certificates then can either be verified by a trusted third party or can use a complex mathematical algorithm to verify themselves to each other.
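The exchange described above, as an added example that is not part of the original article: a simplified certificate and challenge-response flow using the crypto module built into Node.js. The Ed25519 keys, the JSON certificate format (a stand-in for X.509) and the subject name are assumptions made for illustration.

```javascript
// Added illustration: simplified certificate + challenge-response, not real X.509.
const nodeCrypto = require('node:crypto');

// The trusted third party (CA) and the user each hold an Ed25519 key pair.
const ca = nodeCrypto.generateKeyPairSync('ed25519');
const user = nodeCrypto.generateKeyPairSync('ed25519');

// The CA binds a name to a public key by signing both together.
function issueCertificate(subject, publicKey, caPrivateKey) {
  const body = JSON.stringify({
    subject,
    publicKey: publicKey.export({ type: 'spki', format: 'pem' }),
  });
  return { body, caSignature: nodeCrypto.sign(null, Buffer.from(body), caPrivateKey) };
}

// User side: prove possession of the private key by signing the vendor's nonce.
// The private key itself never leaves the user.
function respond(challenge, privateKey) {
  return nodeCrypto.sign(null, challenge, privateKey);
}

// Vendor side: check the CA's signature first, then the response against the certified key.
function vendorVerify(cert, challenge, response, caPublicKey) {
  if (!nodeCrypto.verify(null, Buffer.from(cert.body), caPublicKey, cert.caSignature)) {
    return false; // certificate was not issued by the trusted party, or was altered
  }
  const certifiedKey = nodeCrypto.createPublicKey(JSON.parse(cert.body).publicKey);
  return nodeCrypto.verify(null, challenge, certifiedKey, response);
}

// Constructed sample data: the subject name is a placeholder.
const cert = issueCertificate('alice@example.test', user.publicKey, ca.privateKey);
const challenge = nodeCrypto.randomBytes(32); // fresh per login, so old responses are useless
const response = respond(challenge, user.privateKey);

// Someone who copied the public certificate but holds a different private key.
const impostor = nodeCrypto.generateKeyPairSync('ed25519');
const forged = respond(challenge, impostor.privateKey);

console.log('genuine user accepted:', vendorVerify(cert, challenge, response, ca.publicKey));
console.log('impostor accepted:', vendorVerify(cert, challenge, forged, ca.publicKey));
console.log('replayed response accepted:',
  vendorVerify(cert, nodeCrypto.randomBytes(32), response, ca.publicKey));
```

Unlike a Social Security number, nothing the vendor sees or stores here can be reused to impersonate the user. A production deployment would also check certificate expiry and revocation.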

“Deployment of PKI has been spotty and slow,” Dasgupta says. “The secure Web servers have always used PKI based on a standard certificate system called X.509.”

The Department of Defense has mandated the use of PKI-enabled smart cards for all personnel. These smart cards provide computer access authentication, building entry control and other security functions.

“PKI has not yet been deployed for consumer authentication,” Dasgupta says. “We still use user names and passwords, and not-so-secret Social Security numbers.”

Government pressures on the banking industry eventually could drive the deployment of PKI systems in commercial areas.

In the meantime, Dasgupta recommends using common sense to protect users’ identities online, such as:

• Don’t visit dubious or suspicious Web sites.

• Don’t download unknown programs.

• Don’t click on pop-up windows or follow the links in spam e-mails.

Safeguarding against hackers is a bit like survival of the fittest, where the best defense may be staying ahead of everyone else.

“Hackers will always go after the easiest target,” Dasgupta says. “The weakest users will get attacked. If you take simple precautions against identity theft, it reduces the chances of you becoming a victim.”