DIMACS Workshop on Theft in E-Commerce
DIMACS Center, Rutgers, Piscataway, NJ

Identity Theft and Legitimately-Minted Fraudulent Credentials
Paul C. Van Oorschot
Carleton University, Ottawa, Canada
April 14, 2005

“Identity-theft case costs taxpayers $540,400”
The Globe and Mail, April 12 2004
• 89-year-old owns $1 million Calgary property
• “buyer”, “seller” in a lawyer’s office use false DL, SIN
• property transfer is registered
• “new owner” gets $500K mortgage
• money moves through several accounts . . . disappears

The Telus Cell Phone
• “but we don’t have a Telus cell phone”

Identity Theft – Variations on a Theme
• unauthorized exploitation of another’s ID-corroborating info
  – name, addr, phone#, SSN, DL, CC, bank info
A. borrow privileges (parallel account access)
B. expropriate privileges (take over existing accounts)
C. fraudulently obtain new privileges***
  – falsely use existing credentials to get new ones
D. full impersonation (may include A, B and C)
  – less attractive to attacker? (scalability)

Leveraging Stolen Credentials
... to get new ones from credential issuers: better than forging
– e.g. consider case of credit cards:
  • new credentials are “authentic” (created by legit issuer)
  • and “owned” by the thief (never otherwise possessed)
  • harder for legitimate party to track down

Identity Theft – Fundamental Enablers
credentials: (digital, physical) “things” verifiers corroborate ID with
Fundamental underlying problems:
1. ease of duplicating personal data and credentials
2. difficulty of detecting when a copy of a credential or credential info is made, or exists
3. if existing credential info mis-used to get new creds, no info typically flows back to legitimate owner quickly
Implies ID theft cannot be solved by any single credential-granting organization in isolation

Identity Theft – More Enabling Factors
• availability of personal data on Internet (e.g. at servers)
• lack of relying party due diligence (earlier examples)
• poor custodianship (regardless of diligence by individual)
  – ChoicePoint: 145,000 consumer records ‘bought’ (2005)
  – B of A: 1.2 million records on stolen backup tapes (2005)
  – CIBC faxes: 3+ years mis-faxing of personal data (2004)
  – LexisNexis (WSJ, Apr. 13, 2005)
    - unauthorized access to 310,000 customer records
    - 59 security breaches over 2 years (SSN, DL)
Note: data brokers are currently unregulated (U.S.)

Who “owns” the ID theft problem?
• system-level problem, no real “owner”
  – unclear whose responsibility to solve
  – unclear how it can be solved
• individual citizens poorly positioned to protect themselves
  – although primary victims (2003: avg 60 hrs to resolve)
Identity theft vs. phishing
• phishing: ranges from access to one account, to open-ended social engineering
• suppose all phishing stopped; ID theft still a big problem!
• assume: info theft will occur; can we stop ID theft?

Consumer Credit Reporting Agencies
Best positioned to address ID theft: national credit bureaus?
• do their business models motivate them to address it?
  – do some prevention measures hurt their business?
• can post alerts on individuals’ credit files
• credit-check freeze solution (many U.S. states)
  – individual can put ‘fraud alert’ on their own report
  – blocks access to it by others for fixed period, or until individual contacts with pre-agreed info
• bureaus themselves are a target: (Feb. 2004) 1,400 Equifax Canada credit records criminally accessed

Banks and CC companies [current mechanisms]
• CC activity profiling (anomaly detection in CC usage)
  – addresses stolen / fraud card use, but not “ID theft”
    • e.g. stolen CC could be leveraged for new credentials
• U.S. major banks: when one “alerts” on a name, common clearinghouse shares warning with all others
  – limited notice (sector / within sector)

Proposal: Credential Minting involves Minting-Bit Check
[Diagram: Credential Issuer, Customer Record DB]
• Before minting do ID-based lookup
• Check minting_bit on customer record
• Return minting_bit (T/F) or require explicit customer action/OK
• Mint credential if allowed

Proposal: “Centralized Minting Bits”
• could be new offering by national credit bureaus (CB)
  - complements freezing access to credit records
• requires co-ordination (of CBs or similar parties), or centralized / unified system
• some such proposal needed to fully address ID theft
• why might credential-minting orgs join in on this check:
  - voluntary, to show leadership?
  - reduce liability?
  - regulations?
  - consumers might demand use of such scheme (opt-in?)

Players and their Motives
Players in the Identity Theft Game
• private citizens (subjects)
• credential minters (CA’s!)
• credential verifiers (“relying” parties)
• authorized data holders (e.g. employers, banks, gov’t)
• credit bureaus (semi-authorized?)
• data brokers (quasi-authorized?)
• attackers
Primary (secondary) motives of each player are subset of:
1. to protect and use data
2. to share/sell data
3. to provide score using data
4. to properly verify credentials

Concluding Remarks
• phishing is a small part of identity theft
• still in the initial stages of growth of ID theft
• Q: What technical solutions to ID theft are possible? (for broad definition of ID theft)

Are there two of you?
http://findaperson.canada411.ca/
What is answer to query “P. Van Oorschot”?
P Van Oorschot
2343 Orchard Ave
Sidney, BC V8L 1T8
(250) 656-2505

Thank you
Paul C. Van Oorschot
Digital Security Group
School of Computer Science
Carleton University, Ottawa, Canada
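
The minting-bit check from the “Credential Minting involves Minting-Bit Check” slide, sketched as an added example (not code from the talk or from any deployed system). MintingRegistry, mint_credential, the verdict strings, the per-attempt notice log and the sample subject and issuer names are all hypothetical; treating an unenrolled subject as NOT_ENROLLED follows the slide’s “opt-in?” remark and is an assumption.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _kdf(secret, salt):
    # Store only a salted derivation of the pre-agreed info, never the info itself.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

@dataclass
class CustomerRecord:
    minting_bit: bool            # True: minting allowed without asking the subject
    salt: bytes
    secret_hash: bytes           # derived from the subject's pre-agreed info
    notices: list = field(default_factory=list)

class MintingRegistry:
    """Hypothetical central registry of minting bits, keyed by subject ID."""
    def __init__(self):
        self._db = {}

    def enroll(self, subject_id, pre_agreed, minting_bit=False):
        salt = os.urandom(16)
        self._db[subject_id] = CustomerRecord(minting_bit, salt, _kdf(pre_agreed, salt))

    def check(self, subject_id, issuer, customer_ok=None):
        rec = self._db.get(subject_id)
        if rec is None:
            return "NOT_ENROLLED"          # assumption: opt-in scheme, issuer falls back
        rec.notices.append(issuer)         # assumption: every attempt is reported back
        if rec.minting_bit:
            return "ALLOW"
        if customer_ok is not None and hmac.compare_digest(
                _kdf(customer_ok, rec.salt), rec.secret_hash):
            return "ALLOW"                 # explicit customer action/OK for this request
        return "DENY"

    def notices(self, subject_id):
        return list(self._db[subject_id].notices)

def mint_credential(registry, issuer, subject_id, customer_ok=None):
    """Issuer side: ID-based lookup first, mint only if the registry allows it."""
    verdict = registry.check(subject_id, issuer, customer_ok)
    if verdict == "DENY":
        return None
    return {"issuer": issuer, "subject": subject_id, "checked": verdict}

if __name__ == "__main__":
    reg = MintingRegistry()
    reg.enroll("subject-001", "constructed pre-agreed phrase")   # constructed sample data
    print(mint_credential(reg, "ExampleCard", "subject-001"))    # stolen ID data alone
    print(mint_credential(reg, "ExampleBank", "subject-001",
                          "constructed pre-agreed phrase"))      # subject approves
    print(reg.notices("subject-001"))                            # what flows back to the owner
```

The denied attempt still appears in the notice log, which is the flow of information back to the legitimate owner that the “Fundamental Enablers” slide says is normally missing.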