					Identity Theft Online


  Angus M. Marshall BSc CEng MBCS FRSA
   University of Hull Centre for Internet Computing


                with assistance from

             Mike Andrews (DERIC),
        Brian Tompsett (University of Hull),
     Karen Watson (DERIC & University of Hull)


                                    BAHID, Sheffield, 2nd Nov. 2003
Identity Theft Online
 Examination of
   Nature of online identity
   Reasons for identity theft
   Methods of identity theft




Identity Theft

  Acquisition and use of credentials to which
     the (ab)user has no legitimate claim.



   Process of acquiring and using sufficient
     information to convince a 3rd party that
      someone or something is someone or
                something else.

Types of Identity Online
 Personal

 Corporate

 Network




Personal Identity Online
 Artificial
 Created to :
    Verify the rights of a system user.
    Control access to resources/actions.


 Generally token-based
    Username & password
    Cryptographic keys
    Swipe cards, dongles etc.
Corporate Identity
 Corporate presence
   Web site
   e-mail address(es)
   Domain Name(s)
   Relationships to other bodies
   Logos
   Names
   Trademarks
   + “personal” identity credentials
Network Identity
 Unique within network
   Equipment address
    ●   MAC (hardware)
    ●   IP (software)
   Name
    ●   Usually mapped to address
    ●   Primarily for humans' benefit




Why steal an identity ?
 Personal
   Financial gain
   Revenge
 Corporate
   To create an air of authority/legitimacy
    ●   Assist in theft of more identities
 Network
   To disguise real origin of data/traffic

Methods of identity theft
 Protocol weaknesses
 Gullible users
 Malicious software
 Data Acquisition




Protocol Weaknesses
 Origins of communications protocols
   Little security built-in
   Minimal verification
   Based on trust
   e.g. SMTP
    ●   reliably relays the “From” field as presented by the
        sending machine. Many mail clients believe it,
        though it is not checked.
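
The gap described above can be checked on the receiving side. This is an added example, not part of the original slides: it compares the domain shown in "From" with the domains the receiving server recorded. The function names, the sample messages and the exact-match comparison are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if there is none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_from(raw):
    """Compare the displayed From domain with what the receiving server recorded.

    Only Return-Path and Authentication-Results headers written by your own
    receiving server are trustworthy; this example assumes they were.
    """
    msg = message_from_string(raw)
    shown = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    auth = msg.get("Authentication-Results", "")
    spf_ok = re.search(r"\bspf=pass\b", auth, re.I) is not None
    dkim = re.search(r"dkim=pass[^;]*header\.d=([\w.-]+)", auth, re.I)
    signed = dkim.group(1).lower() if dkim else ""
    # The From domain counts as verified only if an authenticated domain matches it.
    aligned = bool(shown) and ((spf_ok and shown == envelope) or shown == signed)
    return {"shown": shown, "envelope": envelope, "signed": signed, "aligned": aligned}

# Constructed sample messages (not real traffic).
FORGED = "\n".join([
    "Return-Path: <bounce@mailer.example.net>",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=mailer.example.net; dkim=none",
    'From: "Example Bank" <security@bank.example>',
    "Subject: Please verify your account",
    "",
    "body",
])
GENUINE = "\n".join([
    "Return-Path: <bounce@bank.example>",
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example",
    'From: "Example Bank" <security@bank.example>',
    "Subject: Your statement",
    "",
    "body",
])

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, check_from(raw))
```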




Gullible users
 Users are targeted by forged e-mail
   (requiring corporate ID theft)
   e-mail contains an obfuscated link to a WWW
   page
   Page appears to be legitimate (corporate ID
   theft)
   User re-enters verification tokens
   Criminal empties bank account.


 “Phishing”
Malicious Software
 Viruses, Trojans, Worms
   Attack insecure machines
     ●   Servers & home systems
   Implant proxies, relays, servers
   Become distribution nodes for illegal material
 Hide the true source of the material
 Make it difficult to trace
   Distributed
   Layered
And there's more




         Data acquisition




Data acquisition – case study
 Benefits agency informed of a suspected
 case of benefits fraud
 Initial inspection
   Family living well beyond their visible income
     ●   Large house
     ●   expensive cars
     ●   several expensive holidays per year
     ●   Ponies & stabling

 Surveillance authorised
Surveillance
 Cameras & observations at post offices etc.
   Claimants seem to be claiming in several
   names
   Receiving more than legitimate entitlement

 Authorisation granted to search house.




Search & Seizure
 In addition to benefits-related material
   Benefit books etc.
 Several Personal Computers
   Internet enabled


 Forensic Computing applied to recover data



Forensic Computing
 Non-invasive data recovery and examination
 revealed :

 Regular access to sites such as 192.com
   Data aggregator
    ●   Phone books
    ●   Electoral Register

 All for names similar to those of the
 suspects
Further computer-based evidence
 Multiple accesses to online loan application
 sites
   Unsecured loans
   £25000 maximum




What had been happening ?
 In addition to the fraudulent benefits claims
 (mainly for deceased relatives), the
 suspects seem to have been creating
 names similar to theirs
 Searching for these names on 192.com
 Applying for loans in these names
   Giving current address
   Giving 192.com results as previous address
 Receiving loans
How did they get away with it ?
 Banks, credit reference agencies have well-
 known process for verifying ID.
   Check electoral register etc.
   Information freely available, but made easier by
   aggregators such as 192.com
   Fraudsters had access to the same data &
   understood the process
   Virtual guarantee of success
 Inadequate cross-referencing and checking
 of historical material by lenders
Fraud becoming easier
 More personal data (already available
 through govt. agencies) is being put online
   Land Registry (name, address, size of
   mortgage etc.)
   Companies House (name, address of directors)
   ...

 More opportunities for aggregation
 More opportunities for complete “ID History”
 to be built.
Solutions ?
 ID verifiers need to take more active role
   Better anomaly checking
   Better use of historical data
   Be more suspicious generally

 ID holders need to take more care
   Disclosure of secret info
    ●   (PINs, passwords, Credit Card check numbers)
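
One form the "better anomaly checking" above could take on the lender's side, addressing the cross-referencing gap from the case study. This is an added example, not part of the original slides: it flags a current address that appears on applications under several near-identical names. The field names, the 0.85 similarity threshold and the sample applications are assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

def normalise(text):
    """Lower-case, drop commas and collapse whitespace so trivial variants compare equal."""
    return " ".join(text.lower().replace(",", " ").split())

def flag_addresses(applications, threshold=0.85):
    """Return {current address: [(name_a, name_b), ...]} for near-duplicate names.

    The threshold is an assumption; a real deployment would tune it, since
    relatives sharing a surname also score fairly high.
    """
    names_at = defaultdict(set)
    for app in applications:
        names_at[normalise(app["current_address"])].add(normalise(app["name"]))
    flagged = {}
    for address, names in names_at.items():
        pairs = [(a, b) for a, b in combinations(sorted(names), 2)
                 if SequenceMatcher(None, a, b).ratio() >= threshold]
        if pairs:
            flagged[address] = pairs
    return flagged

# Constructed sample applications (not real data).
APPLICATIONS = [
    {"name": "John Smithson", "current_address": "12 Example Road, Hull",
     "previous_address": "4 Sample Lane, Leeds"},
    {"name": "Jon Smithson", "current_address": "12 Example Road,  Hull",
     "previous_address": "9 Test Close, York"},
    {"name": "John Smithsen", "current_address": "12 example road hull",
     "previous_address": "31 Demo Street, Derby"},
    {"name": "Mary Jones", "current_address": "3 Sample Street, Hull",
     "previous_address": "3 Sample Street, Hull"},
    {"name": "Peter Jones", "current_address": "3 Sample Street, Hull",
     "previous_address": "3 Sample Street, Hull"},
]

if __name__ == "__main__":
    for address, pairs in flag_addresses(APPLICATIONS).items():
        print(address, pairs)
```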



What about ID cards ?
 ID cards are token-based verification
 They are NOT the identity, just a way of
 attempting to verify it.
 They don't work at a distance – can't
 examine the presenter directly
 Once information has been disclosed to the
 challenging party – what happens to it?
   Stored, modified, re-used without permission ?

