Electronic Surveillance And Identity Theft by alicejenny


									Electronic Surveillance
    Identity Crimes
         Kjell Jørgen Hole

      NoWires Research Group
     Department of Informatics
       University of Bergen

           Last updated October 4, 2012

   PART I: electronic surveillance

     examples of electronic traces

     are we safer with CCTV?

   PART II: data retention

     EU Directive 2006/24/EF

     how to avoid data retention


    PART III: identity crimes

      identity theft crimes

      how is it done?

      guarding against identity theft


        PART I:
Electronic surveillance

  Picture from Newman
  street (near Oxford
  Circus) in London

 Electronic traces
People leave behind many electronic
traces every day at

  airports, banks, ATMs, credit card
  companies, stores, tollgates, taxies,
  buses, web sites, parking garages,
  and Internet providers

These entities can collect information
about people’s habits and whereabouts


Examples of tracing
A mobile phone that is turned on can be
traced using the mobile phone company’s
base stations

CCTV (Closed Circuit TV) cameras film
citizens in


  buses and taxies

  city streets

  train, bus, and underground stations
      More examples
Electronic cards are read at tollgates to
register the time, date, and direction of
each passing car (AutoPASS)

  possible to install card readers all
  along freeways to monitor traffic

Credit card companies record the time,
date, and location of each card use

  possible to determine shopping and
  traveling habits

Web sites record buying habits (Amazon)

 Even more examples
 Phone companies record the phone
 numbers their customers are calling,
 as well as the time, date, and
 duration of the calls

 Some employers record when employees
 log on and log off their computers

 Automatic speed cameras register all
 cars passing through certain control
 points and then calculate the average
   Privacy discussion
 If only a few identifiers are used during
 identification and authentication of
 individuals, then it is possible to link
 information gathered by different systems

   the current authentication technology is
   not generally designed to mitigate this
   privacy risk

 Large commercial and governmental systems
 utilizing authentication constitute
 privacy risks little understood by the

Are we safer with CCTV?

 Numbers of CCTV
cameras in the UK

There are 1.85 million CCTV cameras
in the UK

  not 4.2 million as commonly claimed


Arguments for CCTV
                     It is argued that CCTV
                     reduces vandalism,
                     violence, and theft

                     Furthermore, CCTV is
                     also supposed to make
                     it easier to arrest
                     criminals and terrorists

                     What are the facts?

     Crime discussion

   There is no research showing that
   CCTV systems lead to a significant
   reduction in violent crime

   Partial explanation? Drug addicts,
   intoxicated or seriously disturbed
   people do not care whether cameras
   are installed


    Terror discussion
The London bombings on July 7
and 21, 2005 showed that CCTV
can help identify terrorists
after bombings have taken place

However, CCTV did not stop the    The four bombers
suicide bombers                   at Luton station,
                                    July 7, 2005

  a large staff is needed to
  watch all TV footage in real

  must have prior information
  on terror suspects
    Subway terrorists
The only technology known to stop subway
terrorists is the screening technology
used at airports

Impossible to screen all passengers
   London Underground has 270 stations and 3.6 million
   passengers on a weekday (http://en.wikipedia.org/wiki/

   New York subway has 468 stations and 5.3 million passengers
   on a weekday (http://en.wikipedia.org/wiki/New_York_City_Subway)

Best defense is to encourage transit
riders to become more vigilant, and to
use more police and bomb-sniffing dogs

    Fear of terrorism
    Let us consider some hypothetical
    terror attacks on the London

        2 weekday attacks during a year

        100 people die in each attack

        person X uses the Underground
        every weekday during a year

Fear of terrorism ...
  p = Prob(X is killed in one attack)
    = 100/3 600 000

  Prob(X is not killed) = (1-p)2

  Prob(X is killed) = 1 - (1-p)2
  ≈ 0.00006

 People respond to fear, not the real risk


 CCTV reduces fear?

  Terrorism is a means of spreading

  Terrorists introduce a small risk of
  violent death to create fear among
  the general population

  Anecdotal evidence indicates that
  CCTV may help reduce this fear

  Home Office CCTV
reports 2002 and 2005
   CCTV is not as useful in the fight
   against crime as originally thought

   CCTV is more useful for preventing
   property crime, including car theft
   and burglary

   The cameras may be more effective as
   a detection tool than as a deterrent

   More street lights may be a better
   and cheaper alternative in many cases

 CCTV in London 2007
 According to an article in Evening
 Standard (19.09.07)

     London has 10 524 CCTV cameras
     funded with Home Office grants
     totaling about £200 million

     Police are no more likely to catch
     offenders in areas with many cameras

       CCTV in UK 2008
 According to an article in the Guardian

    Massive investment in CCTV cameras
    to prevent crime has failed to have
    a significant impact

    Only 3% of street robberies in
    London were solved using CCTV


Internal Metropolitan
Police report (2009)
  One crime per year in London is
  solved for every 1 000 cameras

  More than one million cameras in

  The cost is more than £500 million

      CCTV misuse?

 Alleged voyeuristic surveillance
 reported by the UK press

   footage of couples having sex in
   cars turned into a DVD

   camera pointed into woman’s flat


CCTV countermeasures
Plastic bag over camera

Sticker or tape on lens

Spray lens with paint gun

Cut cable

Destroy camera

Destroy recording device

For a wireless network, jam signals
   CCTV conclusions
CCTV gives a false sense of security

  property crime is reduced, but there
  is no significant reduction in violent

CCTV does not stop suicide bombers, but
helps finding the terrorists involved

CCTV systems around the world have led
to more surveillance and less privacy

  e.g., there are 6 000 CCTV cameras on
  the London Underground alone

      What to learn
 A large security system that doesn’t
 work according to plan will not be

 Instead, the rationale for installing
 the system will be changed to show
 that the system works

 Mission creep. CCTV system in London
 reads license plates to collect
 congestion taxes

        PART II:
     Data retention

 Tape library with
 robot arm


Data retention defined
 Data retention refers to the storage of
 telephony and Internet traffic, both
 transaction data and contents, by
 governments and commercial organizations

 Examples of retained data:

   telephone calls made and received

   e-mails sent and received

   web sites visited

Directive 2006/24/EC

 EU’s data retention directive covers

   fixed and mobile telephony

   Internet telephony and access

   Internet email

 To be implemented in Norway towards
 the end of 2013 (?)


   Data collection
 EU member states must retain data to

   source and destination of

   the date, time, and duration,

   communication devices,

   type of communication, and

   location of mobile terminals
   Collection and
 No data revealing the content of
 the communication may be retained
 pursuant to the directive

 Collected data must be stored for
 periods of not less than six months
 and not more than two years from
 the date of communication


Availability of data
  Who. The data is required to be
  available to competent national
  authorities in specific cases

  Purpose. For the purpose of
  investigation, detection, and
  prosecution of serious crime,
  as defined by each Member State
  in its national law

 My personal view



Protection against
  data retention
Utilize a

  VPN (Virtual Private Network):
  only address to VPN server is

  anonymizing proxy service: only
  address to proxy server is kept

       PART III:
    Identity crimes


         Identity theft
Identity theft can be defined as the
assumption of another person’s financial
identity through the use of the person’s
identifying information:


  date of birth

  Social Security Number (SSN)

  credit card numbers

    Identity fraud

Identity fraud occurs when a thief uses
a stolen identity to commit crime, e.g.,
charge merchandise to a victim’s account

  According to the UK Fraud Prevention
  Service, there were 89 000 victims of
  identity fraud in 2010


   Identity crimes
Identity theft is the precursor for
identity fraud such as

  access to other people’s welfare and
  social security benefits

  ordering new checks to a new address

  obtaining new credit cards

  opening new bank accounts

  taking out loans in the victim’s name
    How is it done?
Dumpster diving and mail theft are used
to obtain credit card numbers and bank
account numbers

Theft of laptops and smartphones yield
personal information

Social engineering techniques are used by
thieves to fool victims into believing
they talk to legitimate account managers
for financial institutions


 Buying information
On-line data resellers and data brokers
provide background information on
individuals for a small fee

According to Gartner, 70% of credit
card related cases of identity theft
involve insiders

  many known cases of insiders selling
  SSNs and account numbers

 Using the Internet
 Identity thieves can:

   place spyware on people’s PCs

   create fake e-commerce sites with
   desirable and cheap products to lure
   customers into providing detailed
   personal information

   hack web servers running e-commerce
   applications and access personal


Using the Internet...
 Identity thieves can send phishing
 emails to people and trick them into
 accessing fake web sites

   victims believing they are accessing
   legitimate sites, e.g. online banking
   sites, enter personal information

   information is subsequently used by
   identity thieves

                    Example of phishing email
                         (in Norwegian)

          HTML mail containing link to
         proxy controlled by an attacker


Guarding against theft
 It is often recommended that people
 guard their personal information:


   maiden name (yours and your mother’s)

   date of birth

   past addresses

 This is almost impossible in practice

     Reducing risk
It is important to minimize the
opportunity for identity theft:

  shred old bank statements, credit card
  statements, and documents containing
  your SSN to avoid dumpster diving

  do not give out your SSN unless it is
  absolutely necessary

  report stolen credit cards immediately

  check bank statements and credit card
  statements carefully

 Further reduction
 Store passports, birth certificates,
 wedding certificates, and social
 security cards in locked vaults

 Only use web sites utilizing

 Use different passwords for different
 web sites

ID theft conclusions
There is not very much you can do to
protect yourself from identity theft

The main problems are weak authentication,
insufficient verification of transactions,
and insecure storage

There is a need for stronger and more user
friendly authentication techniques

Financial institutions should be made
liable for fraudulent transactions



To top