Identity Theft Online

Angus M. Marshall BSc CEng MBCS FRSA, University of Hull Centre for Internet Computing, with assistance from Mike Andrews (DERIC), Brian Tompsett (University of Hull), Karen Watson (DERIC & University of Hull).

Identity Theft Online
• Examination of
  • Nature of online identity
  • Reasons for identity theft
  • Methods of identity theft

Identity Theft
• Acquisition and use of credentials to which the (ab)user has no legitimate claim.
• Process of acquiring and using sufficient information to convince a 3rd party that someone or something is someone or something else.

Types of Identity Online
• Personal
• Corporate
• Network

Personal Identity Online
• Artificial
• Created to:
  • Verify the rights of a system user.
  • Control access to resources/actions.
• Generally token-based
  • Username & password
  • Cryptographic keys
  • Swipe cards, dongles etc.

Corporate Identity
• Corporate presence
  • Web site
  • e-mail address(es)
  • Domain Name(s)
• Relationships to other bodies
• Logos
• Names
• Trademarks
• + “personal” identity credentials

Network Identity
• Unique within network
• Equipment address
  • MAC (hardware)
  • IP (software)
• Name
  • Usually mapped to address
  • Primarily for humans' benefit

Why steal an identity?
• Personal
  • Financial gain
  • Revenge
• Corporate
  • To create an air of authority/legitimacy
  • Assist in theft of more identities
• Network
  • To disguise real origin of data/traffic

Methods of identity theft
• Protocol weaknesses
• Gullible users
• Malicious software
• Data Acquisition

Protocol Weaknesses
• Origins of communications protocols
  • Little security built-in
  • Minimal verification
  • Based on trust
• e.g. SMTP
  • reliably relays the “From” field as presented by the sending machine. Many mail clients believe it, though it is not checked.

Gullible users
• Users are targeted by forged e-mail
  • (requiring corporate ID theft)
• e-mail contains an obfuscated link to a WWW page
• Page appears to be legitimate (corporate ID theft)
• User re-enters verification tokens
• Criminal empties bank account.
• “Phishing”
  • PayPal, NatWest, Halifax, Nationwide

Malicious Software
• Viruses, Trojans, Worms
• Attack insecure machines
  • Servers & home systems
• Implant proxies, relays, servers
  • Become distribution nodes for illegal material
  • Hide the true source of the material
• Make it difficult to trace
  • Distributed
  • Layered

Data acquisition
• And there's more

Data acquisition – case study
• Benefits agency informed of a suspected case of benefits fraud
• Initial inspection
  • Family living well beyond their visible income
  • Large house
  • expensive cars
  • several expensive holidays per year
  • Ponies & stabling
• Surveillance authorised

Surveillance
• Cameras & observations at post offices etc.
• Claimants seem to be claiming in several names
• Receiving more than legitimate entitlement
• Authorisation granted to search house.

Search & Seizure
• In addition to benefits-related material
  • Benefit books etc.
• Several Personal Computers
  • Internet enabled
• Forensic Computing applied to recover data

Forensic Computing
• Non-invasive data recovery and examination revealed:
  • Regular access to sites such as 192.com
    • Data aggregator
    • Phone books
    • Electoral Register
  • All for names similar to those of the suspects

Further computer-based evidence
• Multiple accesses to online loan application sites
  • Unsecured loans
  • £25000 maximum

What had been happening?
• In addition to the fraudulent benefits claims (mainly for deceased relatives), the suspects seem to have been creating names similar to theirs
• Searching for these names on 192.com
• Applying for loans in these names
  • Giving current address
  • Giving 192.com results as previous address
• Receiving loans

How did they get away with it?
• Banks, credit reference agencies have well-known process for verifying ID.
  • Check electoral register etc.
• Information freely available, but made easier by aggregators such as 192.com
• Fraudsters had access to the same data & understood the process
  • Virtual guarantee of success
• Inadequate cross-referencing and checking of historical material by lenders

Fraud becoming easier
• More personal data (already available through govt. agencies) is being put online
  • Land Registry (name, address, size of mortgage etc.)
  • Companies House (name, address of directors)
  • ...
• More opportunities for aggregation
• More opportunities for complete “ID History” to be built.

Solutions?
• ID verifiers need to take more active role
  • Better anomaly checking
  • Better use of historical data
  • Be more suspicious generally
• ID holders need to take more care
  • Disclosure of secret info
    • (PINs, passwords, Credit Card check numbers)

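Added example (not part of the original slides): one form the "better anomaly checking" above could take for a lender, flagging the case-study pattern of near-identical but distinct applicant names sharing one current address while citing different previous addresses. The record layout, the 0.85 similarity threshold and all sample applications are assumptions constructed for this illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample applications:
# (application id, applicant name, current address, previous address)
APPLICATIONS = [
    ("A1", "John Carter",  "1 Mill Lane, Anytown", "14 High St, Otherton"),
    ("A2", "Jon Carter",   "1 Mill Lane, Anytown", "9 Park Rd, Elsewhere"),
    ("A3", "John Cartar",  "1 Mill Lane, Anytown", "3 Quay St, Farville"),
    ("A4", "Priya Shah",   "22 Elm Ave, Anytown",  "22 Elm Ave, Anytown"),
    ("A5", "Maria Lopez",  "5 Oak Close, Anytown", "8 Hill Rd, Otherton"),
    ("A6", "Daniel Okoye", "5 Oak Close, Anytown", "2 Bay St, Elsewhere"),
]

def norm(text):
    """Lower-case, drop commas and collapse whitespace before comparing."""
    return " ".join(text.lower().replace(",", " ").split())

def similar(a, b, threshold=0.85):
    """True when two names are close enough to be variants of each other."""
    return SequenceMatcher(None, norm(a), norm(b)).ratio() >= threshold

def flag_clusters(applications):
    """Return {current address: sorted application ids} for addresses where
    distinct but near-identical names cite different previous addresses."""
    by_address = defaultdict(list)
    for app in applications:
        by_address[norm(app[2])].append(app)
    flagged = {}
    for address, apps in by_address.items():
        hits = set()
        for x, y in combinations(apps, 2):
            distinct = norm(x[1]) != norm(y[1])
            if distinct and similar(x[1], y[1]) and norm(x[3]) != norm(y[3]):
                hits.update((x[0], y[0]))
        if hits:
            flagged[address] = sorted(hits)
    return flagged
```

Unrelated people sharing an address (A5 and A6 in the sample) are not flagged, because the check requires the names themselves to be near-duplicates.
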
What about ID cards?
• ID cards are token-based verification
• They are NOT the identity, just a way of attempting to verify it.
• They don't work at a distance – can't examine the presenter directly
• Once information has been disclosed to the challenging party – what happens to it?
  • Stored, modified, re-used without permission?