1 / 23

Identity Theft Online

Angus M. Marshall BSc Ceng MBCS FRSA University of Hull Centre for Internet Computing with assistance from Mike Andrews (DERIC), Brian Tompsett (University of Hull), Karen Watson (DERIC & University of Hull). Identity Theft Online. Identity Theft Online. Examination of

ulema
Télécharger la présentation

Identity Theft Online

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Angus M. MarshallBSc Ceng MBCS FRSA University of Hull Centre for Internet Computing with assistance from Mike Andrews (DERIC), Brian Tompsett (University of Hull), Karen Watson (DERIC & University of Hull) Identity Theft Online

  2. Identity Theft Online • Examination of • Nature of online identity • Reasons for identity theft • Methods of identity theft

  3. Acquisition and use of credentials to which the (ab)user has no legitimate claim. Process of acquiring and using sufficient information to convince a 3rd party that someone or something is someone or something else. Identity Theft

  4. Types of Identity Online • Personal • Corporate • Network

  5. Personal Identity Online • Artificial • Created to : • Verify the rights of a system user. • Control access to resources/actions. • Generally token-based • Username & password • Cryptographic keys • Swipe cards, dongles etc.

  6. Corporate Identity • Corporate presence • Web site • e-mail address(es) • Domain Name(s) • Relationships to other bodies • Logos • Names • Trademarks • + “personal” identity credentials

  7. Network Identity • Unique within network • Equipment address • MAC (hardware) • IP (software) • Name • Usually mapped to address • Primarily for humans' benefit

  8. Why steal an identity ? • Personal • Financial gain • Revenge • Corporate • To create an air of authority/legitimacy • Assist in theft of more identities • Network • To disguise real origin of data/traffic

  9. Methods of identity theft • Protocol weaknesses • Gullible users • Malicious software • Data Acquisition

  10. Protocol Weaknesses • Origins of communications protocols • Little security built-int • Minimal verification • Based on trust • e.g. SMTP • reliably relays the “From” field as presented by the sending machine. Many mail clients believe it, though it is not checked.

  11. Gullible users • Users are targetted by forged e-mail • (requiring corporate ID theft) • e-mail contains an obfuscated link to a WWW page • Page appear to be legitimate (corporate ID theft) • User re-enters verification tokens • Criminal empties bank account. • “Phishing” • PayPal, NatWest, Halifax, Nationwide

  12. Malicious Software • Viruses, Trojans, Worms • Attack insecure machines • Servers & home systems • Implant proxies, relays, servers • Become distribution nodes for illegal material • Hide the true source of the material • Make it difficult to trace • Distributed • Layered

  13. Data acquisition And there's more

  14. Data acquisition – case study • Benefits agency informed of a suspected case of benefits fraud • Initial inspection • Family living well beyond their visible income • Large house • expensive cars • several expensive holidays per year • Ponies & stabling • Surveillance authorised

  15. Surveillance • Cameras & observations at post offices etc. • Claimants seem to be claiming in several names • Receving more than legitimate entitlement • Authorisation granted to search house.

  16. Search & Seizure • In addition to benefits-related material • Benefit books etc. • Several Personal Computers • Internet enabled • Forensic Computing applied to recover data

  17. Forensic Computing • Non-invasive data recovery and examination revealed : • Regular access to sites such as 192.com • Data aggregator • Phone books • Electoral Register • All for names similar to those of the suspects

  18. Further computer-based evidence • Multiple accesses to online loan application sites • Unsecured loans • £25000 maximum

  19. What had been happening ? • In addition to the fraudulent benefits claims (mainly for deceased relatives), the suspects seem to have been creating names similar to theirs • Searching for these names on 192.com • Applying for loans in these names • Giving current address • Giving 192.com results as previous address • Receiving loans

  20. How did they get away with it ? • Banks, credit reference agencies have well-known process for verifying ID. • Check electoral register etc. • Information freely available, but made easier by aggregators such as 192.com • Fraudsters had access to the same data & understood the process • Virtual guarantee of success • Inadequate cross-referencing and checking of historical material by lenders

  21. Fraud becoming easier • More personal data (already available through govt. agencies) is being put online • Land Registry (name, address, size of mortgage etc.) • Companies House (name, address of directors) • ... • More opportunities for aggregation • More opportunities for complete “ID History” to be built.

  22. Solutions ? • ID verifiers need to take more active role • Better anomaly checking • Better use of historical data • Be more suspicious generally • ID holders need to take more care • Disclosure of secret info • (PINs, passwords, Credit Card check numbers)

  23. What about ID cards ? • ID cards are token-based verification • They are NOT the identity, just a way of attempting to verify it. • They don't work at a distance – can't examine the presenter directly • Once information has been disclosed to the challenging party – what happens to it? • Stored, modified, re-used without permission ?

More Related