160 likes | 284 Vues
Identity Theft and Legitimately-Minted Fraudulent Credentials Paul C. Van Oorschot Carleton University, Ottawa, Canada. DIMACS Workshop on Theft in E-Commerce DIMACS Center, Rutgers, Piscataway, NJ. April 14, 2005. “Identity-theft case costs taxpayers $540,400”.
Identity Theft and Legitimately-Minted Fraudulent CredentialsPaul C. Van OorschotCarleton University, Ottawa, Canada DIMACS Workshop on Theft in E-Commerce DIMACS Center, Rutgers, Piscataway, NJ April 14, 2005
“Identity-theft case costs taxpayers $540,400” The Globe and Mail, April 12 2004 • 89-year-old owns $1 million Calgary property • “buyer”, “seller” in a lawyer’s office use false DL, SIN • property transfer is registered • “new owner” gets $500K mortgage • money moves through several accounts . . . disappears
The Telus Cell Phone • “but we don’t have a Telus cell phone”
Identity Theft – Variations on a Theme • unauthorized exploitation of another’s ID-corroborating info • name, addr, phone#, SSN, DL, CC, bank info A. borrow privileges (parallel account access) B. expropriate privileges (take over existing accounts) C. fraudulently obtain new privileges*** • falsely use existing credentials to get new ones D. full impersonation (may include A, B and C) • less attractive to attacker? (scalability)
Leveraging Stolen Credentials ... to get new ones from credential issuers: better than forging – e.g. consider case of credit cards: • new credentials are “authentic” (created by legit issuer) • and “owned” by the thief (never otherwise possessed) • harder for legitimate party to track down
Identity Theft – Fundamental Enablers credentials: (digital, physical) “things” verifiers corroborate ID with Fundamental underlying problems: • ease of duplicating personal data and credentials • difficulty of detecting when a copy of a credential or credential info is made, or exists • if existing credential info mis-used to get new creds, no info typically flows back to legitimate owner quickly Implies ID theft cannot be solved by any single credential-granting organization in isolation
Identity Theft – More Enabling Factors • availability of personal data on Internet (e.g. at servers) • lack of relying party due diligence (earlier examples) • poor custodianship (regardless of diligence by individual) – ChoicePoint: 145,000 consumer records `bought’ (2005) – B of A: 1.2million records on stolen backup tapes (2005) – CIBC faxes: 3+ years mis-faxing of personal data (2004) – LexisNexis (WSJ, Apr.13, 2005)- unauthorized access to 310,000 customer records - 59 security breaches over 2 years (SSN, DL) Note: data brokers are currently unregulated (U.S.)
Who “owns” the ID theft problem? • system-level problem, no real “owner” • unclear whose responsibility to solve • unclear how it can be solved • individual citizens poorly positioned to protect themselves • although primary victims (2003: avg 60 hrs to resolve) Identity theft vs. phishing • phishing: ranges from access to one account, to open-ended social engineering • suppose all phishing stopped; ID theft still a big problem! • assume: info theft will occur; can we stop ID theft?
Consumer Credit Reporting Agencies Best positioned to address ID theft: national credit bureaus? • do their business models motivate them to address it? • do some prevention measures hurt their business? • can post alerts on individuals’ credit files • credit-check freeze solution (many U.S. states) • individual can put ‘fraud alert’ on their own report • blocks access to it by others for fixed period, or until individual contacts with pre-agreed info • bureaus themselves are a target: (Feb.2004) 1,400 Equifax Canada credit records criminally accessed
Banks and CC companies[current mechanisms] • CC activity profiling (anomaly detection in CC usage) • addresses stolen / fraud card use, but not “ID theft” • e.g. stolen CC could be leveraged for new credentials • U.S. major banks: when one “alerts” on a name, common clearinghouse shares warning with all others • limited notice (sector / within sector)
Before minting do ID-based lookup Return minting_bit (T/F)or require explicit customer action/OK Proposal: Credential Minting involves Minting-Bit Check Credential Issuer Customer Record DB Check minting_bit on customer record Mint credential if allowed
Proposal: “Centralized Minting Bits” • could be new offering by national credit bureaus (CB)- complements freezing access to credit records • requires co-ordination (of CBs or similar parties), or centralized / unified system • some such proposal needed to fully address ID theft • why might credential-minting orgs join in on this check: - voluntary, to show leadership? - reduce liability? - regulations?- consumers might demand use of such scheme (opt-in?)
Players and their Motives Players in the Identity Theft Game • private citizens (subjects) • credential minters (CA’s!) • credential verifiers (“relying” parties) • authorized data holders (e.g. employers, banks, gov’t) • credit bureaus (semi-authorized?) • data brokers (quasi-authorized?) • attackers Primary (secondary) motives of each player are subset of: 1. to protect and use data 2. to share/sell data 3. to provide score using data 4. to properly verify credentials
Concluding Remarks • phishing is a small part of identity theft • still in the initial stages of growth of ID theft • Q: What technical solutions to ID theft are possible? (for broad definition of ID theft)
Are there two of you? http://findaperson.canada411.ca/ What is answer to query “P. Van Oorschot”? P Van Oorschot2343 Orchard AveSidney, BC V8L 1T8(250) 656-2505
Thank you Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University, Ottawa, Canada