

									Identity Theft Online

  Angus M. Marshall BSc CEng MBCS FRSA
   University of Hull Centre for Internet Computing

                with assistance from

             Mike Andrews (DERIC),
        Brian Tompsett (University of Hull),
     Karen Watson (DERIC & University of Hull)

                                    BAHID, Sheffield, 2nd Nov. 2003
Identity Theft Online
 Examination of
   Nature of online identity
   Reasons for identity theft
   Methods of identity theft

Identity Theft

  Acquisition and use of credentials to which
     the (ab)user has no legitimate claim.

   Process of acquiring and using sufficient
     information to convince a 3rd party that
      someone or something is someone or
                something else.

Types of Identity Online



Personal Identity Online
 Created to :
    Verify the rights of a system user.
    Control access to resources/actions.

 Generally token-based
    Username & password
    Cryptographic keys
    Swipe cards, dongles etc.
Corporate Identity
 Corporate presence
   Web site
   e-mail address(es)
   Domain Name(s)
   Relationships to other bodies
   + “personal” identity credentials
Network Identity
 Unique within network
   Equipment address
    ●   MAC (hardware)
    ●   IP (software)
    ●   Usually mapped to address
    ●   Primarily for humans' benefit

Why steal an identity ?
   Financial gain
   To create an air of authority/legitimacy
    ●   Assist in theft of more identities
   To disguise real origin of data/traffic

Methods of identity theft
 Protocol weaknesses
 Gullible users
 Malicious software
 Data Acquisition

Protocol Weaknesses
 Origins of communications protocols
   Little security built-in
   Minimal verification
   Based on trust
   e.g. SMTP
    ●   reliably relays the “From” field as presented by the
        sending machine. Many mail clients believe it,
        though it is not checked.
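
A check a mail filter or analyst can apply to the unverified "From" field, as an added example that is not part of the original slides. The message is constructed, the function names are hypothetical, and a mismatch is a signal for review rather than proof of forgery (mailing lists also produce it).

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample. Return-Path is written by the receiving server from the
# SMTP envelope sender; From is whatever the sending machine chose to present.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
\tby mx.recipient.example with SMTP; Sun, 2 Nov 2003 10:00:00 +0000
From: "Example Bank Security" <security@bank.example>
Reply-To: accounts@webmail.example.org
To: user@recipient.example
Subject: Please verify your account

Body text.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def from_header_findings(raw):
    """List the sender fields whose domain disagrees with the From header."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    findings = []

    # Envelope sender recorded at delivery versus the displayed author.
    env_dom = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} != From domain {from_dom}")

    # Replies routed to a different domain than the one shown to the reader.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_dom = domain_of(reply)
        if reply_dom and reply_dom != from_dom:
            findings.append(f"Reply-To domain {reply_dom} != From domain {from_dom}")
    return findings


if __name__ == "__main__":
    for finding in from_header_findings(SAMPLE):
        print(finding)
```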

Gullible users
 Users are targeted by forged e-mail
   (requiring corporate ID theft)
   e-mail contains an obfuscated link to a WWW
   Page appears to be legitimate (corporate ID
   User re-enters verification tokens
   Criminal empties bank account.

Malicious Software
 Viruses, Trojans, Worms
   Attack insecure machines
     ●   Servers & home systems
   Implant proxies, relays, servers
   Become distribution nodes for illegal material
 Hide the true source of the material
 Make it difficult to trace
And there's more

         Data acquisition

Data acquisition – case study
 Benefits agency informed of a suspected
 case of benefits fraud
 Initial inspection
   Family living well beyond their visible income
     ●   Large house
     ●   expensive cars
     ●   several expensive holidays per year
     ●   Ponies & stabling

 Surveillance authorised
 Cameras & observations at post offices etc.
   Claimants seem to be claiming in several
   Receiving more than legitimate entitlement

 Authorisation granted to search house.

Search & Seizure
 In addition to benefits-related material
   Benefit books etc.
 Several Personal Computers
   Internet enabled

 Forensic Computing applied to recover data

Forensic Computing
 Non-invasive data recovery and examination
 revealed :

 Regular access to sites such as
   Data aggregator
    ●   Phone books
    ●   Electoral Register

 All for names similar to those of the
Further computer-based
 Multiple accesses to online loan application
   Unsecured loans
   £25000 maximum

What had been happening ?
 In addition to the fraudulent benefits claims
 (mainly for deceased relatives), the
 suspects seem to have been creating
 names similar to theirs
 Searching for these names on
 Applying for loans in these names
   Giving current address
   Giving results as previous address
 Receiving loans
How did they get away with it ?
 Banks, credit reference agencies have well-
 known process for verifying ID.
   Check electoral register etc.
   Information freely available, but made easier by
   aggregators such as
   Fraudsters had access to the same data &
   understood the process
   Virtual guarantee of success
 Inadequate cross-referencing and checking
 of historical material by lenders
Fraud becoming easier
 More personal data (already available
 through govt. agencies) is being put online
   Land Registry (name, address, size of
   mortgage etc.)
   Companies House (name, address of directors)

 More opportunities for aggregation
 More opportunities for complete “ID History”
 to be built.
Solutions ?
 ID verifiers need to take more active role
   Better anomaly checking
   Better use of historical data
   Be more suspicious generally

 ID holders need to take more care
   Disclosure of secret info
    ●   (PINs, passwords, Credit Card check numbers)
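
One form the "better anomaly checking" and cross-referencing above could take on the verifier's side, as an added example that is not part of the original slides: flag a current address shared by several near-identical applicant names with differing previous addresses, the pattern from the case study. The records, thresholds and function names are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed loan applications: (applicant name, current address, previous address)
APPLICATIONS = [
    ("John Smithson", "12 Example Lane", "3 North Road"),
    ("Jon Smithson", "12 Example Lane", "88 South Street"),
    ("John Smithsen", "12 example lane ", "41 West Avenue"),
    ("Mary Jones", "7 Test Street", "7 Test Street"),
    ("Tom Baker", "7 Test Street", "19 Hill View"),
    ("Priya Patel", "4 Sample Road", "60 Canal Side"),
]


def norm(text):
    """Case- and whitespace-insensitive form used for comparison."""
    return " ".join(text.lower().split())


def similar(a, b, threshold):
    """True for names that are close variants but not the same name."""
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold


def flag_address_clusters(applications, threshold=0.85, min_names=3):
    """Return {current address: [name variants]} for suspicious clusters."""
    by_address = defaultdict(list)
    for name, current, previous in applications:
        by_address[norm(current)].append((norm(name), norm(previous)))

    flagged = {}
    for address, rows in by_address.items():
        names = sorted({name for name, _ in rows})
        linked = set()
        for a, b in combinations(names, 2):
            if similar(a, b, threshold):
                linked.update((a, b))
        # Historical data: the variants claim different previous addresses.
        previous = {prev for name, prev in rows if name in linked}
        if len(linked) >= min_names and len(previous) > 1:
            flagged[address] = sorted(linked)
    return flagged


if __name__ == "__main__":
    for address, names in flag_address_clusters(APPLICATIONS).items():
        print(address, names)
```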

What about ID cards ?
 ID cards are token-based verification
 They are NOT the identity, just a way of
 attempting to verify it.
 They don't work at a distance – can't
 examine the presenter directly
 Once information has been disclosed to the
 challenging party – what happens to it?
   Stored, modified, re-used without permission ?
