1 / 16

Identity Theft and Legitimately-Minted Fraudulent Credentials
Paul C. Van Oorschot, Carleton University, Ottawa, Canada

DIMACS Workshop on Theft in E-Commerce, DIMACS Center, Rutgers, Piscataway, NJ. April 14, 2005.


Presentation Transcript


  1. Identity Theft and Legitimately-Minted Fraudulent Credentials
     Paul C. Van Oorschot, Carleton University, Ottawa, Canada
     DIMACS Workshop on Theft in E-Commerce, DIMACS Center, Rutgers, Piscataway, NJ, April 14, 2005

  2. “Identity-theft case costs taxpayers $540,400” (The Globe and Mail, April 12, 2004)
     • 89-year-old owns $1 million Calgary property
     • “buyer” and “seller” in a lawyer’s office use false DL, SIN
     • property transfer is registered
     • “new owner” gets $500K mortgage
     • money moves through several accounts . . . disappears

  3. The Telus Cell Phone
     • “but we don’t have a Telus cell phone”

  4. Identity Theft – Variations on a Theme
     • unauthorized exploitation of another’s ID-corroborating info
       (name, address, phone number, SSN, driver’s licence (DL), credit card (CC), bank info)
     A. borrow privileges (parallel account access)
     B. expropriate privileges (take over existing accounts)
     C. fraudulently obtain new privileges*** – falsely use existing credentials to get new ones
     D. full impersonation (may include A, B and C) – less attractive to the attacker? (scalability)

  5. Leveraging Stolen Credentials
     ... to get new ones from credential issuers: better than forging – e.g. consider the case of credit cards:
     • new credentials are “authentic” (created by the legitimate issuer)
     • and “owned” by the thief (never otherwise possessed)
     • harder for the legitimate party to track down

  6. Identity Theft – Fundamental Enablers
     credentials: (digital, physical) “things” with which verifiers corroborate ID
     Fundamental underlying problems:
     • ease of duplicating personal data and credentials
     • difficulty of detecting when a copy of a credential or credential info is made, or exists
     • if existing credential info is mis-used to get new credentials, no info typically flows back to the legitimate owner quickly
     Implies ID theft cannot be solved by any single credential-granting organization in isolation

  7. Identity Theft – More Enabling Factors
     • availability of personal data on the Internet (e.g. at servers)
     • lack of relying-party due diligence (earlier examples)
     • poor custodianship (regardless of diligence by the individual)
       – ChoicePoint: 145,000 consumer records ‘bought’ (2005)
       – B of A (Bank of America): 1.2 million records on stolen backup tapes (2005)
       – CIBC faxes: 3+ years of mis-faxing personal data (2004)
       – LexisNexis (WSJ, Apr. 13, 2005): unauthorized access to 310,000 customer records; 59 security breaches over 2 years (SSN, DL)
     Note: data brokers are currently unregulated (U.S.)

  8. Who “owns” the ID theft problem?
     • system-level problem, no real “owner”
     • unclear whose responsibility it is to solve
     • unclear how it can be solved
     • individual citizens poorly positioned to protect themselves, although they are the primary victims (2003: avg. 60 hrs to resolve)
     Identity theft vs. phishing
     • phishing: ranges from access to one account, to open-ended social engineering
     • suppose all phishing stopped; ID theft would still be a big problem!
     • assume info theft will occur; can we still stop ID theft?

  9. Consumer Credit Reporting Agencies
     Best positioned to address ID theft: national credit bureaus?
     • do their business models motivate them to address it?
     • do some prevention measures hurt their business?
     • can post alerts on individuals’ credit files
     • credit-check freeze solution (many U.S. states)
       • individual can put a ‘fraud alert’ on their own report
       • blocks access to it by others for a fixed period, or until the individual makes contact with pre-agreed info
     • bureaus themselves are a target: (Feb. 2004) 1,400 Equifax Canada credit records criminally accessed

  10. Banks and CC companies [current mechanisms]
     • CC activity profiling (anomaly detection in CC usage)
       • addresses stolen-card / fraudulent card use, but not “ID theft”
       • e.g. a stolen CC could be leveraged for new credentials
     • U.S. major banks: when one “alerts” on a name, a common clearinghouse shares the warning with all others
       • limited notice (sector / within sector)

  11. Proposal: Credential Minting involves a Minting-Bit Check
     [diagram: Credential Issuer ↔ Customer Record DB]
     • before minting, do an ID-based lookup
     • check minting_bit on the customer record
     • return minting_bit (T/F), or require explicit customer action/OK
     • mint credential if allowed

  12. Proposal: “Centralized Minting Bits”
     • could be a new offering by national credit bureaus (CB); complements freezing access to credit records
     • requires co-ordination (of CBs or similar parties), or a centralized / unified system
     • some such proposal is needed to fully address ID theft
     • why might credential-minting orgs join in on this check?
       – voluntary, to show leadership?
       – reduce liability?
       – regulations?
       – consumers might demand use of such a scheme (opt-in?)
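The minting-bit check of slides 11 and 12, together with the fixed-period / pre-agreed-info freeze of slide 9 and the clearinghouse alert sharing of slide 10, worked through as an added Python example; it is not part of the original presentation and not any bureau's real interface. `MintingRegistry`, `CredentialIssuer`, `Decision`, the subject identifiers, the issuer names and the pre-agreed unlock phrase are all assumptions constructed for the illustration. It goes slightly beyond the slides in letting a subject choose "ask me for explicit OK" instead of an outright refusal, the alternative the slide 11 diagram mentions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Decision(Enum):
    MINT = "mint"                   # minting bit set: credential issued
    BLOCKED = "blocked"             # minting bit cleared: refuse and share an alert
    NEEDS_OK = "needs_customer_ok"  # bit cleared, subject chose "ask me": wait for explicit OK


@dataclass
class SubjectRecord:                          # one customer record in the hypothetical registry
    subject_id: str
    minting_allowed: bool = True              # the minting bit
    freeze_until: datetime | None = None      # fixed-period freeze; None = until unlocked by info
    unlock_hash: bytes | None = None          # salt || PBKDF2 of the pre-agreed unlock info
    explicit_ok: bool = False                 # subject wants each mint confirmed rather than refused


def _digest(salt: bytes, info: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", info.encode(), salt, 50_000)


class MintingRegistry:  # hypothetical central minting-bit registry (the credit-bureau role)
    def __init__(self) -> None:
        self.records: dict[str, SubjectRecord] = {}
        self.issuers: list[CredentialIssuer] = []

    def record(self, subject_id: str) -> SubjectRecord:
        return self.records.setdefault(subject_id, SubjectRecord(subject_id))

    def freeze(self, subject_id: str, *, days: int | None = None, pre_agreed_info: str | None = None,
               explicit_ok: bool = False, now: datetime | None = None) -> None:
        """Subject clears their own minting bit: for a fixed period and/or until pre-agreed info is shown."""
        rec = self.record(subject_id)
        rec.minting_allowed, rec.explicit_ok = False, explicit_ok
        rec.freeze_until = (now or datetime.now(timezone.utc)) + timedelta(days=days) if days else None
        if pre_agreed_info is not None:
            salt = secrets.token_bytes(16)
            rec.unlock_hash = salt + _digest(salt, pre_agreed_info)   # never store the phrase itself

    def unfreeze(self, subject_id: str, pre_agreed_info: str) -> bool:
        """Set the bit again only if the presented info matches (constant-time compare of the hash)."""
        rec = self.record(subject_id)
        if rec.unlock_hash is None:
            return False
        salt, stored = rec.unlock_hash[:16], rec.unlock_hash[16:]
        if not hmac.compare_digest(stored, _digest(salt, pre_agreed_info)):
            return False
        rec.minting_allowed, rec.freeze_until, rec.unlock_hash = True, None, None
        return True

    def minting_bit(self, subject_id: str, now: datetime | None = None) -> bool:
        """The ID-based lookup an issuer performs before minting; a fixed-period freeze expires lazily."""
        rec = self.record(subject_id)
        if not rec.minting_allowed and rec.freeze_until and (now or datetime.now(timezone.utc)) >= rec.freeze_until:
            rec.minting_allowed, rec.freeze_until = True, None
        return rec.minting_allowed

    def share_alert(self, origin: str, subject_id: str, reason: str) -> None:
        """Clearinghouse behaviour: one issuer's alert on a name reaches every other issuer."""
        for issuer in self.issuers:
            if issuer.name != origin:
                issuer.inbox.append((subject_id, origin, reason))


class CredentialIssuer:  # any minter (bank, telco, card issuer) that consults the registry first
    def __init__(self, name: str, registry: MintingRegistry) -> None:
        self.name, self.registry = name, registry
        self.inbox: list[tuple[str, str, str]] = []   # alerts shared by other issuers
        registry.issuers.append(self)

    def mint(self, subject_id: str, credential_type: str, *,
             customer_confirmed: bool = False, now: datetime | None = None) -> Decision:
        rec = self.registry.record(subject_id)
        if self.registry.minting_bit(subject_id, now) or (rec.explicit_ok and customer_confirmed):
            return Decision.MINT
        if rec.explicit_ok:
            return Decision.NEEDS_OK
        self.registry.share_alert(self.name, subject_id, f"{credential_type} requested while bit cleared")
        return Decision.BLOCKED


def demo() -> dict:
    """Constructed scenario: subject freezes, a fraudulent application is refused, other issuers are warned."""
    reg = MintingRegistry()
    bank, telco = CredentialIssuer("bank", reg), CredentialIssuer("telco", reg)
    t0 = datetime(2005, 4, 14, tzinfo=timezone.utc)
    out = {"before": telco.mint("subj-001", "cell-phone-account", now=t0)}
    reg.freeze("subj-001", days=90, pre_agreed_info="maple-2005", now=t0)
    out["fraud"] = bank.mint("subj-001", "mortgage", now=t0 + timedelta(days=1))
    out["telco_warned"] = len(telco.inbox)
    out["expired"] = bank.mint("subj-001", "credit-card", now=t0 + timedelta(days=91))
    reg.freeze("subj-001", pre_agreed_info="maple-2005", now=t0)   # indefinite: unlock by info only
    out["wrong_info"] = reg.unfreeze("subj-001", "guess")
    out["right_info"] = reg.unfreeze("subj-001", "maple-2005")
    reg.freeze("subj-002", explicit_ok=True, now=t0)                # "ask me" instead of refuse
    out["ask"] = bank.mint("subj-002", "credit-card", now=t0)
    out["ask_ok"] = bank.mint("subj-002", "credit-card", customer_confirmed=True, now=t0)
    return out
```

Calling `demo()` walks the scenario from slide 2 in miniature: the telco account is minted while the bit is set, the mortgage application is refused once the subject has cleared the bit, and the refusal is pushed to the other issuer the way the slide 10 clearinghouse does, which is the "info flowing back" that slide 6 says is missing today. The pre-agreed unlock phrase is stored only as a salted PBKDF2 hash and compared in constant time, so a registry compromise does not hand out the unlock secrets, and the registry itself is a target (slide 9) worth hardening in exactly that way.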

  13. Players and their Motives
     Players in the Identity Theft Game:
     • private citizens (subjects)
     • credential minters (CAs!)
     • credential verifiers (“relying” parties)
     • authorized data holders (e.g. employers, banks, gov’t)
     • credit bureaus (semi-authorized?)
     • data brokers (quasi-authorized?)
     • attackers
     Primary (secondary) motives of each player are a subset of:
     1. to protect and use data
     2. to share/sell data
     3. to provide a score using data
     4. to properly verify credentials

  14. Concluding Remarks
     • phishing is a small part of identity theft
     • we are still in the initial stages of the growth of ID theft
     • Q: What technical solutions to ID theft are possible? (for a broad definition of ID theft)

  15. Are there two of you?
     http://findaperson.canada411.ca/
     What is the answer to the query “P. Van Oorschot”?
     P Van Oorschot, 2343 Orchard Ave, Sidney, BC V8L 1T8, (250) 656-2505

  16. Thank you
     Paul C. Van Oorschot, Digital Security Group, School of Computer Science, Carleton University, Ottawa, Canada
