Transcript Identity Theft Presentation

Identity Theft Online
Angus M. Marshall BSc Ceng MBCS FRSA
University of Hull Centre for Internet Computing
with assistance from
Mike Andrews (DERIC),
Brian Tompsett (University of Hull),
Karen Watson (DERIC & University of Hull)
BAHID, Sheffield, 2nd Nov. 2003
Identity Theft Online
Examination of
Nature of online identity
Reasons for identity theft
Methods of identity theft
BAHID, Sheffield, 2nd Nov. 2003
Identity Theft
Acquisition and use of credentials to which
the (ab)user has no legitimate claim.
Process of acquiring and using sufficient
information to convince a 3rd party that
someone or something is someone or
something else.
BAHID, Sheffield, 2nd Nov. 2003
Types of Identity Online
Personal
Corporate
Network
BAHID, Sheffield, 2nd Nov. 2003
Personal Identity Online
Artificial
Created to :
Verify the rights of a system user.
Control access to resources/actions.
Generally token-based
Username & password
Cryptographic keys
Swipe cards, dongles etc.
BAHID, Sheffield, 2nd Nov. 2003
Corporate Identity
Corporate presence
Web site
e-mail address(es)
Domain Name(s)
Relationships to other bodies
Logos
Names
Trademarks
+ “personal” identity credentials
BAHID, Sheffield, 2nd Nov. 2003
Network Identity
Unique within network
Equipment address
●
●
MAC (hardware)
IP (software)
Name
●
●
Usually mapped to address
Primarily for humans' benefit
BAHID, Sheffield, 2nd Nov. 2003
Why steal an identity ?
Personal
Financial gain
Revenge
Corporate
To create an air of authority/legitimacy
●
Assist in theft of more identities
Network
To disguise real origin of data/traffic
BAHID, Sheffield, 2nd Nov. 2003
Methods of identity theft
Protocol weaknesses
Gullible users
Malicious software
Data Acquisition
BAHID, Sheffield, 2nd Nov. 2003
Protocol Weaknesses
Origins of communications protocols
Little security built-int
Minimal verification
Based on trust
e.g. SMTP
●
reliably relays the “From” field as presented by the
sending machine. Many mail clients believe it,
though it is not checked.
BAHID, Sheffield, 2nd Nov. 2003
Gullible users
Users are targetted by forged e-mail
(requiring corporate ID theft)
e-mail contains an obfuscated link to a WWW
page
Page appear to be legitimate (corporate ID
theft)
User re-enters verification tokens
Criminal empties bank account.
“Phishing”
BAHID, Sheffield, 2nd Nov. 2003
Malicious Software
Viruses, Trojans, Worms
Attack insecure machines
●
Servers & home systems
Implant proxies, relays, servers
Become distribution nodes for illegal material
Hide the true source of the material
Make it difficult to trace
Distributed
Layered
BAHID, Sheffield, 2nd Nov. 2003
And there's more
Data acquisition
BAHID, Sheffield, 2nd Nov. 2003
Data acquisition – case study
Benefits agency informed of a suspected
case of benefits fraud
Initial inspection
Family living well beyond their visible income
●
●
●
●
Large house
expensive cars
several expensive holidays per year
Ponies & stabling
Surveillance authorised
BAHID, Sheffield, 2nd Nov. 2003
Surveillance
Cameras & observations at post offices etc.
Claimants seem to be claiming in several
names
Receving more than legitimate entitlement
Authorisation granted to search house.
BAHID, Sheffield, 2nd Nov. 2003
Search & Seizure
In addition to benefits-related material
Benefit books etc.
Several Personal Computers
Internet enabled
Forensic Computing applied to recover data
BAHID, Sheffield, 2nd Nov. 2003
Forensic Computing
Non-invasive data recovery and examination
revealed :
Regular access to sites such as 192.com
Data aggregator
●
●
Phone books
Electoral Register
All for names similar to those of the
suspects
BAHID, Sheffield, 2nd Nov. 2003
Further computer-based
evidence
Multiple accesses to online loan application
sites
Unsecured loans
£25000 maximum
BAHID, Sheffield, 2nd Nov. 2003
What had been happening ?
In addition to the fraudulent benefits claims
(mainly for deceased relatives), the
suspects seem to have been creating
names similar to theirs
Searching for these names on 192.com
Applying for loans in these names
Giving current address
Giving 192.com results as previous address
Receiving loans
BAHID, Sheffield, 2nd Nov. 2003
How did they get away with it ?
Banks, credit reference agencies have wellknown process for verifying ID.
Check electoral register etc.
Information freely available, but made easier by
aggregators such as 192.com
Fraudsters had access to the same data &
understood the process
Virtual guarantee of success
Inadequate cross-referencing and checking
of historical material by lenders
BAHID, Sheffield, 2nd Nov. 2003
Fraud becoming easier
More personal data (already available
through govt. agencies) is being put online
Land Registry (name, address, size of
mortgage etc.)
Companies House (name, address of directors)
...
More opportunities for aggregation
More opportunities for complete “ID History”
to be built.
BAHID, Sheffield, 2nd Nov. 2003
Solutions ?
ID verifiers need to take more active role
Better anomaly checking
Better use of historical data
Be more suspicious generally
ID holders need to take more care
Disclosure of secret info
●
(PINs, passwords, Credit Card check numbers)
BAHID, Sheffield, 2nd Nov. 2003
What about ID cards ?
ID cards are token-based verification
They are NOT the identity, just a way of
attempting to verify it.
They don't work at a distance – can't
examine the presenter directly
Once information has been disclosed to the
challenging party – what happens to it?
Stored, modified, re-used without permission ?
BAHID, Sheffield, 2nd Nov. 2003