Identity Theft Online

BAHID, Sheffield, 2nd Nov. 2003. Identity Theft Online. Angus M. Marshall BSc CEng MBCS FRSA, University of Hull Centre for Internet Computing, with assistance from Mike Andrews (DERIC), Brian Tompsett (University of Hull), Karen Watson (DERIC & University of Hull)

Transcript of Identity Theft Online

Page 1: Identity Theft Online

BAHID, Sheffield, 2nd Nov. 2003

Identity Theft Online

Angus M. Marshall BSc CEng MBCS FRSA

University of Hull Centre for Internet Computing

with assistance from

Mike Andrews (DERIC), Brian Tompsett (University of Hull),

Karen Watson (DERIC & University of Hull)

Page 2: Identity Theft Online

Identity Theft Online

Examination of

Nature of online identity

Reasons for identity theft

Methods of identity theft

Page 3: Identity Theft Online

Identity Theft

Acquisition and use of credentials to which the (ab)user has no legitimate claim.

Process of acquiring and using sufficient information to convince a 3rd party that someone or something is someone or something else.

Page 4: Identity Theft Online

Types of Identity Online

Personal

Corporate

Network

Page 5: Identity Theft Online

Personal Identity Online

Artificial

Created to:

Verify the rights of a system user.

Control access to resources/actions.

Generally token-based

Username & password

Cryptographic keys

Swipe cards, dongles etc.

Page 6: Identity Theft Online

Corporate Identity

Corporate presence

Web site

e-mail address(es)

Domain Name(s)

Relationships to other bodies

Logos

Names

Trademarks

+ “personal” identity credentials

Page 7: Identity Theft Online

Network Identity

Unique within network

Equipment address

● MAC (hardware)

● IP (software)

Name

● Usually mapped to address

● Primarily for humans' benefit

Page 8: Identity Theft Online

Why steal an identity?

Personal

Financial gain

Revenge

Corporate

To create an air of authority/legitimacy

● Assist in theft of more identities

Network

To disguise real origin of data/traffic

Page 9: Identity Theft Online

Methods of identity theft

Protocol weaknesses

Gullible users

Malicious software

Data Acquisition

Page 10: Identity Theft Online

Protocol Weaknesses

Origins of communications protocols

Little security built-in

Minimal verification

Based on trust

e.g. SMTP

● Reliably relays the “From” field as presented by the sending machine. Many mail clients believe it, though it is not checked.
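Added example (not part of the original slides): a consistency check a receiving system can run, since SMTP itself does not verify the “From” field. The sample messages, domains and function names are constructed for illustration; the envelope sender is also supplied by the sending machine, so a match proves nothing and a mismatch is only a triage signal.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail); all domains are reserved example names.
FORGED = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank Security" <security@bank.example.com>
Reply-To: accounts@collector.example.org
Subject: Please verify your account

Body text.
"""

CONSISTENT = """\
Return-Path: <alice@bank.example.com>
From: Alice <alice@bank.example.com>
Subject: Meeting

Body text.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def from_header_findings(raw_message):
    """List the ways the displayed From disagrees with other sender headers."""
    msg = message_from_string(raw_message)
    shown = domain_of(msg["From"])
    if not shown:
        return ["missing or unparseable From"]
    findings = []
    envelope = domain_of(msg["Return-Path"])
    if envelope and envelope != shown:
        findings.append(f"From domain {shown} != envelope sender domain {envelope}")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != shown:
        findings.append(f"Reply-To domain {reply_to} != From domain {shown}")
    return findings

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("consistent", CONSISTENT)):
        print(label, from_header_findings(raw))
```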

Page 11: Identity Theft Online

Gullible users

Users are targeted by forged e-mail

(requiring corporate ID theft)

e-mail contains an obfuscated link to a WWW page

Page appears to be legitimate (corporate ID theft)

User re-enters verification tokens

Criminal empties bank account.

“Phishing”

● PayPal, NatWest, Halifax, Nationwide

Page 12: Identity Theft Online

Malicious Software

Viruses, Trojans, Worms

Attack insecure machines

● Servers & home systems

Implant proxies, relays, servers

Become distribution nodes for illegal material

Hide the true source of the material

Make it difficult to trace

Distributed

Layered

Page 13: Identity Theft Online

And there's more

Data acquisition

Page 14: Identity Theft Online

Data acquisition – case study

Benefits agency informed of a suspected case of benefits fraud

Initial inspection

Family living well beyond their visible income

● Large house

● Expensive cars

● Several expensive holidays per year

● Ponies & stabling

Surveillance authorised

Page 15: Identity Theft Online

Surveillance

Cameras & observations at post offices etc.

Claimants seem to be claiming in several names

Receiving more than legitimate entitlement

Authorisation granted to search house.

Page 16: Identity Theft Online

Search & Seizure

In addition to benefits-related material

Benefit books etc.

Several Personal Computers

Internet enabled

Forensic Computing applied to recover data

Page 17: Identity Theft Online

Forensic Computing

Non-invasive data recovery and examination revealed:

Regular access to sites such as 192.com

Data aggregator

● Phone books

● Electoral Register

All for names similar to those of the suspects

Page 18: Identity Theft Online

Further computer-based evidence

Multiple accesses to online loan application sites

Unsecured loans

£25000 maximum

Page 19: Identity Theft Online

What had been happening?

In addition to the fraudulent benefits claims (mainly for deceased relatives), the suspects seem to have been creating names similar to theirs

Searching for these names on 192.com

Applying for loans in these names

Giving current address

Giving 192.com results as previous address

Receiving loans

Page 20: Identity Theft Online

How did they get away with it?

Banks and credit reference agencies have a well-known process for verifying ID.

Check electoral register etc.

Information freely available, but made easier by aggregators such as 192.com

Fraudsters had access to the same data & understood the process

Virtual guarantee of success

Inadequate cross-referencing and checking of historical material by lenders

Page 21: Identity Theft Online

Fraud becoming easier

More personal data (already available through govt. agencies) is being put online

Land Registry (name, address, size of mortgage etc.)

Companies House (name, address of directors)

...

More opportunities for aggregation

More opportunities for complete “ID History” to be built.

Page 22: Identity Theft Online

Solutions?

ID verifiers need to take more active role

Better anomaly checking

Better use of historical data

Be more suspicious generally

ID holders need to take more care

Disclosure of secret info (PINs, passwords, Credit Card check numbers)
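Added example (not part of the original slides): one form the “better anomaly checking” above could take for the pattern in the case study, where lenders did not cross-reference applications in near-identical names that all gave the same current address but different previous addresses. The records, field names and the 0.8 similarity threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed loan applications (all names and addresses are invented).
APPLICATIONS = [
    {"id": 1, "name": "John A. Smithson", "current": "12 Mill Lane, Anytown", "previous": "3 High St, Othertown"},
    {"id": 2, "name": "Jon Smithson", "current": "12 Mill Lane,  Anytown", "previous": "40 Park Rd, Farville"},
    {"id": 3, "name": "John Smithsen", "current": "12 MILL LANE, ANYTOWN", "previous": "9 Quay Row, Portside"},
    {"id": 4, "name": "Mary Jones", "current": "7 Oak Close, Anytown", "previous": "1 Elm Way, Anytown"},
    {"id": 5, "name": "Priya Patel", "current": "12 Mill Lane, Anytown", "previous": "12 Mill Lane, Anytown"},
]

def normalise(text):
    """Lower-case and collapse punctuation/whitespace so trivial variants compare equal."""
    return " ".join("".join(c if c.isalnum() else " " for c in text.lower()).split())

def similar_name_pairs(applications, threshold=0.8):
    """Flag pairs of applications from one current address whose applicant names
    are near-duplicates (not identical) and whose previous addresses differ."""
    by_address = defaultdict(list)
    for app in applications:
        by_address[normalise(app["current"])].append(app)
    flagged = []
    for address, group in by_address.items():
        for a, b in combinations(group, 2):
            name_a, name_b = normalise(a["name"]), normalise(b["name"])
            score = SequenceMatcher(None, name_a, name_b).ratio()
            different_history = normalise(a["previous"]) != normalise(b["previous"])
            if name_a != name_b and score >= threshold and different_history:
                flagged.append((a["id"], b["id"], address, round(score, 2)))
    return flagged

if __name__ == "__main__":
    for first, second, address, score in similar_name_pairs(APPLICATIONS):
        print(f"applications {first} and {second} at '{address}': name similarity {score}")
```

An unrelated applicant at the same address (id 5) is not flagged, which keeps shared households from drowning the signal.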

Page 23: Identity Theft Online

What about ID cards?

ID cards are token-based verification

They are NOT the identity, just a way of attempting to verify it.

They don't work at a distance – can't examine the presenter directly

Once information has been disclosed to the challenging party – what happens to it?

Stored, modified, re-used without permission?