Identity Theft and Legitimately-Minted Fraudulent Credentials (PowerPoint presentation), Paul C. Van Oorschot, Carleton University, Ottawa, Canada

Presentation Transcript

Identity Theft and Legitimately-Minted Fraudulent Credentials

Paul C. Van Oorschot, Carleton University, Ottawa, Canada

DIMACS Workshop on Theft in E-Commerce

DIMACS Center, Rutgers, Piscataway, NJ

April 14, 2005

“Identity-theft case costs taxpayers $540,400”

The Globe and Mail, April 12, 2004

  • 89-year-old owns $1 million Calgary property

  • “buyer”, “seller” in a lawyer’s office use false DL, SIN

  • property transfer is registered

  • “new owner” gets $500K mortgage

  • money moves through several accounts . . . disappears

The Telus Cell Phone

  • “but we don’t have a Telus cell phone”

Identity Theft – Variations on a Theme

  • unauthorized exploitation of another’s ID-corroborating info

    • name, addr, phone#, SSN, DL, CC, bank info

      A. borrow privileges (parallel account access)

      B. expropriate privileges (take over existing accounts)

      C. fraudulently obtain new privileges***

    • falsely use existing credentials to get new ones

      D. full impersonation (may include A, B and C)

    • less attractive to attacker? (scalability)

Leveraging Stolen Credentials

... to get new ones from credential issuers:

better than forging – e.g. consider case of credit cards:

  • new credentials are “authentic” (created by legit issuer)

  • and “owned” by the thief (never otherwise possessed)

  • harder for legitimate party to track down

Identity Theft – Fundamental Enablers

credentials: (digital, physical) “things” verifiers corroborate ID with

Fundamental underlying problems:

  • ease of duplicating personal data and credentials

  • difficulty of detecting when a copy of a credential or credential info is made, or exists

  • if existing credential info mis-used to get new creds, no info typically flows back to legitimate owner quickly

    Implies ID theft cannot be solved by any single credential-granting organization in isolation

Identity Theft – More Enabling Factors

  • availability of personal data on Internet (e.g. at servers)

  • lack of relying party due diligence (earlier examples)

  • poor custodianship (regardless of diligence by individual)

    – ChoicePoint: 145,000 consumer records ‘bought’ (2005)

    – B of A: 1.2 million records on stolen backup tapes (2005)

    – CIBC faxes: 3+ years mis-faxing of personal data (2004)

    – LexisNexis (WSJ, Apr. 13, 2005): unauthorized access to 310,000 customer records; 59 security breaches over 2 years (SSN, DL)

    Note: data brokers are currently unregulated (U.S.)

Who “owns” the ID theft problem?

  • system-level problem, no real “owner”

    • unclear whose responsibility to solve

    • unclear how it can be solved

  • individual citizens poorly positioned to protect themselves

    • although primary victims (2003: avg 60 hrs to resolve)

Identity theft vs. phishing

  • phishing: ranges from access to one account, to open-ended social engineering

  • suppose all phishing stopped; ID theft still a big problem!

  • assume: info theft will occur; can we stop ID theft?

Consumer Credit Reporting Agencies

Best positioned to address ID theft: national credit bureaus?

  • do their business models motivate them to address it?

    • do some prevention measures hurt their business?

  • can post alerts on individuals’ credit files

  • credit-check freeze solution (many U.S. states)

    • individual can put ‘fraud alert’ on their own report

    • blocks access to it by others for fixed period, or until individual contacts with pre-agreed info

  • bureaus themselves are a target: (Feb. 2004) 1,400 Equifax Canada credit records criminally accessed

Banks and CC companies [current mechanisms]

  • CC activity profiling (anomaly detection in CC usage)

    • addresses stolen / fraud card use, but not “ID theft”

      • e.g. stolen CC could be leveraged for new credentials

  • U.S. major banks: when one “alerts” on a name, common clearinghouse shares warning with all others

    • limited notice (sector / within sector)

Proposal: Credential Minting involves Minting-Bit Check

[Slide diagram, flattened: Credential Issuer on one side, Customer Record DB on the other]

  • Credential Issuer: before minting, do ID-based lookup

  • Customer Record DB: check minting_bit on customer record

  • Return minting_bit (T/F) or require explicit customer action/OK

  • Mint credential if allowed
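The minting-bit check in the diagram above, and the centralized minting-bit service the next slide proposes, as an added Python sketch that is not part of the presentation: an issuer does an ID-based lookup before minting, the registry answers with the bit (or holds the request for explicit customer OK), and a notice flows back to the record owner. The registry class, its method names, the fixed-period freeze and the hashed pre-agreed info are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class MintingRecord:
    """Customer record at the central registry (a credit-bureau-like party); field names are assumptions."""
    minting_bit: bool                          # True: issuers may mint without customer action
    frozen_until: Optional[datetime] = None    # fixed-period freeze, like a credit-check freeze
    ok_secret_hash: Optional[bytes] = None     # hash of pre-agreed info the customer can present
    notices: List[str] = field(default_factory=list)  # what flows back to the legitimate owner


class MintingBitRegistry:
    """Central minting-bit service that credential issuers query before minting (assumed design)."""

    def __init__(self) -> None:
        self.records: Dict[str, MintingRecord] = {}

    def register(self, subject_id: str, minting_bit: bool, pre_agreed_info: str) -> None:
        digest = hashlib.sha256(pre_agreed_info.encode()).digest()
        self.records[subject_id] = MintingRecord(minting_bit, ok_secret_hash=digest)

    def freeze(self, subject_id: str, now: datetime, days: int) -> None:
        self.records[subject_id].frozen_until = now + timedelta(days=days)

    def check(self, subject_id: str, issuer: str, now: datetime,
              customer_ok: Optional[str] = None) -> str:
        """ID-based lookup done before minting; returns the decision and records a notice."""
        rec = self.records.get(subject_id)
        if rec is None:
            return "NO_RECORD"   # registry cannot vouch; issuer falls back on its own diligence
        stamp = f"{now:%Y-%m-%d} {issuer}"
        # Explicit customer action: presenting the pre-agreed info unblocks a clear bit or a freeze.
        if customer_ok is not None and rec.ok_secret_hash is not None:
            presented = hashlib.sha256(customer_ok.encode()).digest()
            if hmac.compare_digest(presented, rec.ok_secret_hash):
                rec.notices.append(f"{stamp}: credential minted with your explicit OK")
                return "ALLOW_CUSTOMER_OK"
        if rec.frozen_until is not None and now < rec.frozen_until:
            rec.notices.append(f"{stamp}: minting attempt blocked, record frozen")
            return "DENY_FROZEN"
        if rec.minting_bit:
            rec.notices.append(f"{stamp}: credential minted")
            return "ALLOW"
        rec.notices.append(f"{stamp}: minting attempt held, your OK required")
        return "REQUIRE_CUSTOMER_OK"
```

Every outcome except an unknown subject appends a notice to the record, which is the feedback channel the enablers slide says is missing today.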

Proposal: “Centralized Minting Bits”

  • could be new offering by national credit bureaus (CB)- complements freezing access to credit records

  • requires co-ordination (of CBs or similar parties), or centralized / unified system

  • some such proposal needed to fully address ID theft

  • why might credential-minting orgs join in on this check:

    - voluntary, to show leadership?

    - reduce liability?

    - regulations?

    - consumers might demand use of such scheme (opt-in?)

Players and their Motives

Players in the Identity Theft Game

  • private citizens (subjects)

  • credential minters (CA’s!)

  • credential verifiers (“relying” parties)

  • authorized data holders (e.g. employers, banks, gov’t)

  • credit bureaus (semi-authorized?)

  • data brokers (quasi-authorized?)

  • attackers

    Primary (secondary) motives of each player are subset of:

    1. to protect and use data

    2. to share/sell data

    3. to provide score using data

    4. to properly verify credentials

Concluding Remarks

  • phishing is a small part of identity theft

  • still in the initial stages of growth of ID theft

  • Q: What technical solutions to ID theft are possible?

    (for broad definition of ID theft)

Are there two of you?

What is answer to query “P. Van Oorschot”?

P Van Oorschot

2343 Orchard Ave

Sidney, BC V8L 1T8

(250) 656-2505

Thank you

Paul C. Van Oorschot

Digital Security Group

School of Computer Science

Carleton University, Ottawa, Canada
