Identity Theft and Legitimately-Minted Fraudulent Credentials. Paul C. Van Oorschot, Carleton University, Ottawa, Canada. DIMACS Workshop on Theft in E-Commerce, DIMACS Center, Rutgers, Piscataway, NJ, April 14, 2005.
Presentation Transcript
Identity Theft and Legitimately-Minted Fraudulent Credentials

Paul C. Van Oorschot

Carleton University, Ottawa, Canada

DIMACS Workshop on Theft in E-Commerce

DIMACS Center, Rutgers, Piscataway, NJ

April 14, 2005

“Identity-theft case costs taxpayers $540,400”

The Globe and Mail, April 12, 2004

  • 89-year-old owns $1 million Calgary property

  • “buyer” and “seller” in a lawyer’s office use a false driver’s licence (DL) and Social Insurance Number (SIN)

  • property transfer is registered

  • “new owner” gets $500K mortgage

  • money moves through several accounts . . . disappears

The Telus Cell Phone

  • “but we don’t have a Telus cell phone”

Identity Theft – Variations on a Theme

  • unauthorized exploitation of another’s ID-corroborating info (name, address, phone number, SSN, DL, credit card, bank info):

      A. borrow privileges (parallel account access)

      B. expropriate privileges (take over existing accounts)

      C. fraudulently obtain new privileges*** (falsely use existing credentials to get new ones)

      D. full impersonation (may include A, B and C); less attractive to the attacker? (scalability)

Leveraging Stolen Credentials

... to get new ones from credential issuers:

better (for the thief) than forging; e.g. consider the case of credit cards:

  • new credentials are “authentic” (created by the legitimate issuer)

  • and “owned” by the thief (the victim never possessed them, so cannot notice them missing)

  • harder for the legitimate party to track down

Identity Theft – Fundamental Enablers

credentials: the (digital or physical) “things” verifiers use to corroborate ID

Fundamental underlying problems:

  • ease of duplicating personal data and credentials

  • difficulty of detecting when a copy of a credential or credential info is made, or exists

  • if existing credential info mis-used to get new creds, no info typically flows back to legitimate owner quickly

    Implies ID theft cannot be solved by any single credential-granting organization in isolation

Identity Theft – More Enabling Factors

  • availability of personal data on Internet (e.g. at servers)

  • lack of relying party due diligence (earlier examples)

  • poor custodianship (regardless of diligence by the individual):

    – ChoicePoint: 145,000 consumer records ‘bought’ (2005)

    – B of A: 1.2 million records on stolen backup tapes (2005)

    – CIBC faxes: 3+ years of mis-faxing personal data (2004)

    – LexisNexis (WSJ, Apr. 13, 2005): unauthorized access to 310,000 customer records; 59 security breaches over 2 years (SSN, DL)

    Note: data brokers are currently unregulated (U.S.)

Who “owns” the ID theft problem?

  • system-level problem, no real “owner”

    • unclear whose responsibility to solve

    • unclear how it can be solved

  • individual citizens poorly positioned to protect themselves

    • although primary victims (2003: avg 60 hrs to resolve)

Identity Theft vs. Phishing

  • phishing: ranges from access to one account, to open-ended social engineering

  • suppose all phishing stopped; ID theft still a big problem!

  • assume: info theft will occur; can we stop ID theft?

Consumer Credit Reporting Agencies

Best positioned to address ID theft: national credit bureaus?

  • do their business models motivate them to address it?

    • do some prevention measures hurt their business?

  • can post alerts on individuals’ credit files

  • credit-check freeze solution (many U.S. states)

    • individual can put ‘fraud alert’ on their own report

    • blocks access to it by others for fixed period, or until individual contacts with pre-agreed info

  • bureaus themselves are a target: (Feb.2004) 1,400 Equifax Canada credit records criminally accessed

Banks and CC Companies [current mechanisms]

  • CC activity profiling (anomaly detection in CC usage)

    • addresses stolen / fraud card use, but not “ID theft”

      • e.g. stolen CC could be leveraged for new credentials

  • U.S. major banks: when one “alerts” on a name, common clearinghouse shares warning with all others

    • limited notice (sector / within sector)

Proposal: Credential Minting involves Minting-Bit Check

(diagram: Credential Issuer queries Customer Record DB)

  • before minting, do an ID-based lookup of the customer record

  • check minting_bit on the customer record: return minting_bit (T/F), or require explicit customer action/OK

  • mint the credential only if allowed

Proposal: “Centralized Minting Bits”

  • could be a new offering by national credit bureaus (CBs); complements freezing access to credit records

  • requires co-ordination (of CBs or similar parties), or a centralized / unified system

  • some such proposal is needed to fully address ID theft

  • why might credential-minting orgs join in on this check?

    - voluntary, to show leadership?

    - reduce liability?

    - regulations?

    - consumers might demand use of such a scheme (opt-in?)
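The minting-bit check on the two proposal slides, together with the credit-file freeze described earlier (blocked for a fixed period, or until the individual returns with pre-agreed info), can be made concrete as a small simulation. The following is an added example and is not code from the talk or from any credit bureau: the registry API, the hashed `SSN|DOB` subject key, the passphrase-based unfreeze, the fail-closed handling of unknown subjects, and the lookup notification sent back to the owner are all assumptions chosen to illustrate the idea, and the identifiers in `run_scenario` are constructed.

```python
# Added example (not from the talk): a toy "centralized minting bits" registry and a
# credential issuer that consults it before minting. All names and mechanisms are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class SubjectRecord:
    subject_id: str                            # opaque key (assumption: sha256 of "SSN|DOB")
    minting_allowed: bool = True
    frozen_until: Optional[datetime] = None    # None while frozen = indefinite freeze
    unlock_hash: bytes = b""                   # hash of pre-agreed info the owner uses to unfreeze
    notifications: list = field(default_factory=list)   # every lookup is reported back to the owner


class MintingBitRegistry:
    """Centralized registry of per-subject minting bits (e.g. operated by a credit bureau)."""

    def __init__(self) -> None:
        self._db: dict[str, SubjectRecord] = {}

    @staticmethod
    def subject_id(ssn: str, dob: str) -> str:
        # Issuer and registry derive the same opaque key; raw SSNs never travel to the registry.
        return hashlib.sha256(f"{ssn}|{dob}".encode()).hexdigest()

    def register(self, ssn: str, dob: str, unlock_info: str) -> str:
        sid = self.subject_id(ssn, dob)
        self._db[sid] = SubjectRecord(sid, unlock_hash=hashlib.sha256(unlock_info.encode()).digest())
        return sid

    def freeze(self, sid: str, now: datetime, days: Optional[int] = None) -> None:
        rec = self._db[sid]
        rec.minting_allowed = False
        rec.frozen_until = now + timedelta(days=days) if days is not None else None

    def unfreeze(self, sid: str, unlock_info: str) -> bool:
        rec = self._db[sid]
        if not hmac.compare_digest(rec.unlock_hash, hashlib.sha256(unlock_info.encode()).digest()):
            rec.notifications.append("failed unfreeze attempt")      # owner learns someone tried
            return False
        rec.minting_allowed, rec.frozen_until = True, None
        return True

    def check_minting_bit(self, sid: str, issuer: str, now: datetime) -> bool:
        rec = self._db.get(sid)
        if rec is None:
            return False                       # unknown subject: fail closed (assumption)
        if not rec.minting_allowed and rec.frozen_until is not None and now >= rec.frozen_until:
            rec.minting_allowed, rec.frozen_until = True, None       # fixed-period freeze expired
        # The lookup itself is reported, so information flows back to the owner even on denial.
        rec.notifications.append(f"{now:%Y-%m-%d}: {issuer} asked to mint; "
                                 f"{'allowed' if rec.minting_allowed else 'denied'}")
        return rec.minting_allowed


class CredentialIssuer:
    """A bank or card issuer that refuses to mint while the subject's minting bit is off."""

    def __init__(self, name: str, registry: MintingBitRegistry) -> None:
        self.name, self.registry = name, registry

    def mint(self, ssn: str, dob: str, applicant: str, now: datetime) -> Optional[dict]:
        sid = self.registry.subject_id(ssn, dob)
        if not self.registry.check_minting_bit(sid, self.name, now):
            return None                        # no new "authentic" credential for the applicant
        return {"issuer": self.name, "serial": secrets.token_hex(8), "holder": applicant}


def run_scenario() -> dict:
    """Constructed walk-through of the stolen-ID-info pattern with the check in place."""
    reg = MintingBitRegistry()
    t0 = datetime(2005, 4, 14)
    ssn, dob = "123-456-789", "1916-03-01"     # constructed sample identifiers
    sid = reg.register(ssn, dob, unlock_info="pre-agreed passphrase")
    bank = CredentialIssuer("ExampleBank", reg)

    reg.freeze(sid, now=t0)                    # owner freezes indefinitely
    stolen = bank.mint(ssn, dob, "new owner", t0 + timedelta(days=1))   # thief with copied SSN/DOB

    bad_unlock = reg.unfreeze(sid, "guessed passphrase")               # thief cannot lift the freeze
    good_unlock = reg.unfreeze(sid, "pre-agreed passphrase")           # owner can
    legit = bank.mint(ssn, dob, "owner", t0 + timedelta(days=2))

    reg.freeze(sid, now=t0 + timedelta(days=3), days=7)                # fixed-period freeze
    during = bank.mint(ssn, dob, "owner", t0 + timedelta(days=5))
    after = bank.mint(ssn, dob, "owner", t0 + timedelta(days=11))

    return {"stolen": stolen, "bad_unlock": bad_unlock, "good_unlock": good_unlock,
            "legit": legit, "during": during, "after": after,
            "notifications": reg._db[sid].notifications}


if __name__ == "__main__":
    print(run_scenario())
```

The design point is the one the slides make: the issuer still mints a fully legitimate credential, but only after a lookup the subject can veto, and the lookup leaves a trace the subject sees, which is exactly the feedback the "fundamental enablers" slide says is missing today.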

Players and their Motives

Players in the Identity Theft Game

  • private citizens (subjects)

  • credential minters (CAs!)

  • credential verifiers (“relying” parties)

  • authorized data holders (e.g. employers, banks, gov’t)

  • credit bureaus (semi-authorized?)

  • data brokers (quasi-authorized?)

  • attackers

    Primary (secondary) motives of each player are a subset of:

    1. to protect and use data

    2. to share/sell data

    3. to provide a score using data

    4. to properly verify credentials

Concluding Remarks

  • phishing is a small part of identity theft

  • still in the initial stages of growth of ID theft

  • Q: What technical solutions to ID theft are possible?

    (for broad definition of ID theft)

Are there two of you?

What is the answer to the query “P. Van Oorschot”?

P Van Oorschot, 2343 Orchard Ave, Sidney, BC V8L 1T8, (250) 656-2505

Thank you

Paul C. Van Oorschot

Digital Security Group

School of Computer Science

Carleton University, Ottawa, Canada