BAHID, Sheffield, 2nd Nov. 2003
Identity Theft Online
Angus M. Marshall BSc CEng MBCS FRSA
University of Hull Centre for Internet Computing
with assistance from Mike Andrews (DERIC), Brian Tompsett (University of Hull), Karen Watson (DERIC & University of Hull)
Identity Theft Online
- Examination of:
  - Nature of online identity
  - Reasons for identity theft
  - Methods of identity theft
Identity Theft
- Acquisition and use of credentials to which the (ab)user has no legitimate claim.
- Process of acquiring and using sufficient information to convince a 3rd party that someone or something is someone or something else.
Types of Identity Online
- Personal
- Corporate
- Network
Personal Identity Online
- Artificial
- Created to:
  - Verify the rights of a system user.
  - Control access to resources/actions.
- Generally token-based
  - Username & password
  - Cryptographic keys
  - Swipe cards, dongles etc.
Corporate Identity
- Corporate presence
- Web site address(es)
- Domain Name(s)
- Relationships to other bodies
- Logos
- Names
- Trademarks
- + personal identity credentials
Network Identity
- Unique within network
- Equipment address
  - MAC (hardware)
  - IP (software)
- Name
  - Usually mapped to address
  - Primarily for humans' benefit
Why steal an identity?
- Personal
  - Financial gain
  - Revenge
- Corporate
  - To create an air of authority/legitimacy
  - Assist in theft of more identities
- Network
  - To disguise real origin of data/traffic
Methods of identity theft
- Protocol weaknesses
- Gullible users
- Malicious software
- Data Acquisition
Protocol Weaknesses
- Origins of communications protocols
  - Little security built-in
  - Minimal verification
  - Based on trust
- e.g. SMTP reliably relays the From field as presented by the sending machine. Many mail clients believe it, though it is not checked.
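The SMTP point above can be checked on a received message. This is an added example, not part of the original slides: it compares the From header with the envelope sender recorded in Return-Path and with Reply-To. The function names and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_sender(raw_message):
    """List the ways the From header disagrees with other sender fields."""
    msg = message_from_string(raw_message)
    claimed = domain_of(msg.get("From"))
    if not claimed:
        return ["no usable From address"]
    findings = []
    # Return-Path is written by the receiving server from the SMTP envelope
    # (MAIL FROM). The From header is message content chosen by the sender.
    # Neither is verified by SMTP itself, so a match proves nothing; a
    # mismatch is only a signal worth a closer look.
    envelope = domain_of(msg.get("Return-Path"))
    if envelope and envelope != claimed:
        findings.append(f"From domain {claimed} != envelope sender domain {envelope}")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != claimed:
        findings.append(f"From domain {claimed} != Reply-To domain {reply_to}")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
From: "Example Bank" <security@bank.example>
Reply-To: verify@mailer.example.net
To: user@example.org
Subject: Please confirm your details

(constructed sample body)
"""

CLEAN = """\
Return-Path: <security@bank.example>
From: "Example Bank" <security@bank.example>
To: user@example.org
Subject: Monthly statement

(constructed sample body)
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("clean", CLEAN)):
        print(label, check_sender(raw))
```

Mailing lists and forwarding services produce the same mismatches legitimately, so the findings are a triage aid rather than a verdict.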
Gullible users
- Users are targeted by forged e-mail (requiring corporate ID theft)
- Contains an obfuscated link to a WWW page
- Page appears to be legitimate (corporate ID theft)
- User re-enters verification tokens
- Criminal empties bank account.
- Phishing: PayPal, NatWest, Halifax, Nationwide
Malicious Software
- Viruses, Trojans, Worms
- Attack insecure machines
  - Servers & home systems
- Implant proxies, relays, servers
- Become distribution nodes for illegal material
- Hide the true source of the material
- Make it difficult to trace
- Distributed
- Layered
And there's more
- Data acquisition
Data acquisition – case study
- Benefits agency informed of a suspected case of benefits fraud
- Initial inspection
  - Family living well beyond their visible income
    - Large house
    - Expensive cars
    - Several expensive holidays per year
    - Ponies & stabling
- Surveillance authorised
Surveillance
- Cameras & observations at post offices etc.
- Claimants seem to be claiming in several names
- Receiving more than legitimate entitlement
- Authorisation granted to search house.
Search & Seizure
- In addition to benefits-related material
  - Benefit books etc.
- Several Personal Computers
  - Internet enabled
- Forensic Computing applied to recover data
Forensic Computing
- Non-invasive data recovery and examination revealed:
  - Regular access to sites such as 192.com
    - Data aggregator
    - Phone books
    - Electoral Register
  - All for names similar to those of the suspects
Further computer-based evidence
- Multiple accesses to online loan application sites
  - Unsecured loans
  - £25000 maximum
What had been happening?
- In addition to the fraudulent benefits claims (mainly for deceased relatives), the suspects seem to have been:
  - Creating names similar to theirs
  - Searching for these names on 192.com
  - Applying for loans in these names
    - Giving current address
    - Giving 192.com results as previous address
  - Receiving loans
How did they get away with it?
- Banks, credit reference agencies have well-known process for verifying ID.
  - Check electoral register etc.
- Information freely available, but made easier by aggregators such as 192.com
- Fraudsters had access to the same data & understood the process
  - Virtual guarantee of success
- Inadequate cross-referencing and checking of historical material by lenders
Fraud becoming easier
- More personal data (already available through govt. agencies) is being put online
  - Land Registry (name, address, size of mortgage etc.)
  - Companies House (name, address of directors)
  - ...
- More opportunities for aggregation
- More opportunities for complete ID History to be built.
Solutions?
- ID verifiers need to take more active role
  - Better anomaly checking
  - Better use of historical data
  - Be more suspicious generally
- ID holders need to take more care
  - Disclosure of secret info (PINs, passwords, Credit Card check numbers)
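One form the "better anomaly checking" above could take on the lender side, given the pattern in the case study (similar names, one shared current address). This is an added example, not part of the original slides; the record layout, the 0.8 similarity threshold and all sample applications are assumptions constructed for illustration.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

def normalise(text):
    """Lower-case, drop commas and collapse whitespace for comparison."""
    return " ".join(text.lower().replace(",", " ").split())

def similar(name_a, name_b, threshold=0.8):
    """True when two names are close in spelling but not identical."""
    a, b = normalise(name_a), normalise(name_b)
    return a != b and SequenceMatcher(None, a, b).ratio() >= threshold

def flag_applications(applications, threshold=0.8):
    """Return (address, name, name) for near-duplicate names at one address."""
    by_address = defaultdict(list)
    for app in applications:
        by_address[normalise(app["current_address"])].append(app)
    alerts = []
    for address, apps in by_address.items():
        # Cross-reference every pair of applications from the same address.
        for first, second in combinations(apps, 2):
            if similar(first["name"], second["name"], threshold):
                alerts.append((address, first["name"], second["name"]))
    return alerts

# Constructed loan applications (hypothetical names and addresses).
APPLICATIONS = [
    {"name": "John Smith", "current_address": "12 Example Road, Hull",
     "previous_address": "4 Sample Street, Leeds"},
    {"name": "Jon Smyth", "current_address": "12 example road hull",
     "previous_address": "9 Test Lane, York"},
    {"name": "Priya Patel", "current_address": "12 Example Road, Hull",
     "previous_address": "2 Demo Court, Hull"},
    {"name": "Mary Jones", "current_address": "7 Other Avenue, Hull",
     "previous_address": "1 Old Close, Hull"},
]

if __name__ == "__main__":
    for alert in flag_applications(APPLICATIONS):
        print("review:", alert)
```

Relatives with similar names at one address will also match, so an alert is a prompt for manual review against historical records, not a rejection.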
What about ID cards?
- ID cards are token-based verification
- They are NOT the identity, just a way of attempting to verify it.
- They don't work at a distance – can't examine the presenter directly
- Once information has been disclosed to the challenging party – what happens to it?
  - Stored, modified, re-used without permission?