ID Theft: Methods and Agenda
John Black, University of Colorado, Boulder
April 15th, 2005, DIMACS

Security in the Real World
- Reality is complex, messy and hard to model.
  – Therefore I do cryptography.
- Recently interested in what is broadly called "Identity Theft"
  – WRFIS workshop in DC last month (Workshop on Resilient Financial Information Systems, https://www.cs.columbia.edu/wrfis/idtheft)
- If I learned anything, it was how complex and messy the problem is

"Identity??"
- Back to definitions in an attempt to understand the problem
  – Identities are associated to each (human) entity
  – In the old days we had:
    Physical (eg, face, stature)
    Abstract (eg, name)
    Hybrid (eg, smell... works better if you're a dog)
- Small communities, lack of technology, little incentive to crime

Modernity
- Population explosion, increased technology, transportation and communication necessitate new identification techniques
- New ways of tracking an entity
  – Physical (eg, fingerprints, retinal scans)
  – Abstract (eg, SSNs, CC#s, MMN, National IDs)
  – Hybrid (eg, gait)
  – Scary (eg, RFIDs)
- Note how few of these were invented with the intent to identify the individual
  – Analogs with the usual "security as an afterthought" complaint

Stealing an Identity: An Old Idea
- Impersonation
- Fake Login Screen
  – I did this too... sigh...
- Fake ATM Machine
- Official-seeming people
  – Lawyers from the 4th floor
  – Taxi guy at EWR

Modern ID Theft
- 310,000 DL#s, SSNs compromised in 2004 (WSJ)
- Along with Nigerian 419s, biggest Internet scams of recent times
- Compelling stories by victims
- News organizations love this stuff
  – Everything is ID theft now
  – UC Berkeley Example: CA Law kicks in

The Good News
- FTC and Credit Agencies (Equifax, Experian, TransUnion) all have fraud divisions
  – Very used to dealing with this type of thing
  – Standardized process for flagging compromised accounts (Fraud Alert Tag)
- Still a pain but (anecdotally) doesn't ruin your life like it once did

Human Silliness (In My Opinion)

IDs: Not that Easy
- NRC Report
  – Legit Assignments of Identities: Undercover gov officials, Witness Protection, etc
  – Willing "lending" of IDs
  – Gaming
- Implementing a national ID card has a lot of drawbacks as far as privacy is concerned

Phishing Survey
- Some sources claim Phishing losses somewhat overstated
  – Ah well, at least it's something we can address technically

Phishing Stats
- Number of active phishing sites reported in February 2005: 2625
- Average monthly growth rate in phishing sites, July through February: 26%
- Number of brands hijacked by phishing campaigns in February: 64
  – Top 6 brands accounted for 80% of sites
- Country hosting the most phishing websites in February: United States
  – Though I might conjecture not authored in the United States
- Average time online for site: 5.7 days
- Longest time online for site: 30 days

Hard to Believe But...
- Most people (>60% of the American public) have inadvertently visited a fake or spoofed site.
- Over 15% of respondents admit to having provided personal data to a spoofed site.
- Small number of people (slightly more than 2%) affected, with an average cost of $115/victim.
- Extrapolating to the entire U.S. population, economic impact of fraud close to $500M.

Monetization
> 20-30k always online SOCKs4, url is de-duped and updated every
> 10 minutes. 900/weekly, Samples will be sent on request.
> Monthly payments arranged at discount prices.

> $350.00/weekly - $1,000/monthly (USD)
> Type of service: Exclusive (One slot only)
> Always Online: 5,000 - 6,000
> Updated every: 10 minutes

> $220.00/weekly - $800.00/monthly (USD)
> Type of service: Shared (4 slots)
> Always Online: 9,000 - 10,000
> Updated every: 5 minutes

(September 2004 postings to SpecialHam.com, Spamforum.biz)

Organized Crime and Spammers
- Estimated 65% of spam now originates from bots
- Commonly used in DDoS for years
- Useful for Distributed Phishing
- Some zombies log keystrokes, redirect URLs, and skim CC#s and passwords
  – Moral: Once you're 0wned there is really no point in talking about countermeasures

Buy This Identity!!
• Your name is: Sally S. Davidson
• You live at: 9216 Avenida Del Ladrón, San Jose, CA, 95131
• You are a computer programmer
• You make $57K per year
• You have two children
• You have a M.S. degree in Computer Science from University of Idaho
• Your Visa credit card number is: 9012-881-1313-100
• Your Phone credit card number is: 781-982-3172-1192
• Your Social Security Number is: 078-05-1120
• You have a California Driver's License, number 4439-1917421
• Your mother's maiden name is Friedman
• Your checking account with West Coast Civil Savings is 43-91-90321
• Your telephone number is 202-224-3121
• Your Fidelity investment account number is 451-910934, and the password is "fidelis".
• You were born on Feb 13, 1961, in Fresno, California
• You have an AOL account with username SSD9143 and password "fidelis"
This identity is available for a payment of only $79.95, payable in cash (do you think we would take a check or credit card from someone using this service?).

Phishing Countermeasures
- Uhh, use common sense?
  – Aaron argued that even we might fall victim to "contextual phishing"
- SpoofGuard and PhishHook and Others...
- PwdHash
  – If only it worked...

Fundamental Issues
- Current course is reactive and incremental
- Technology is hard to use
  – Research is fun, but unless tools can be used with little sophistication...
  – Eg, remote users and PwdHash
  – Getting people to run a virus checker, firewall, and Windows Update is already way too much
- Yeah, I know it's easy to stand up here and say all of this

Security: State of the Practice
- ARP
  – No authentication
  – Cache poisoning (local)
- DNS
  – No authentication (DNSSEC where are you?)
  – Spoofing, MITM
  – Cache poisoning (local and remote)
- ICMP
  – DoS attacks via spoofed hard errors, MTU discovery, source quench
- http
  – No authentication
- SSL
- Javascript (ugh), PHP/etc scripting vulnerabilities
- DIY protocols
  – Netscape RNG, Diebold, WEP, Poker, ICC, DST RFIDs

Education: It CAN Have an Impact
- 150 million people use Windows Update
  – That's not all Windows users, but it's a significant fraction
- People are buying shredders in record numbers
- Fewer people leave mail in their unsecured curbside boxes
- But (for example) very few people know that "erasing" their hard disk doesn't really do much
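As an added illustration of the PwdHash idea named on the "Phishing Countermeasures" and "Fundamental Issues" slides (my own simplified analogue, not PwdHash's actual code, hash construction or domain rule): the password typed by the user is keyed to the host the browser is really talking to, so a look-alike phishing host receives a derived password that is useless at the genuine site. The host names and master password below are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Salt the derivation with the host the browser is actually connected to.

    Simplification (assumption of this example): lowercase the host and strip
    one leading 'www.'. The real PwdHash extension applies a more careful
    domain-reduction rule; this toy version only shows the principle.
    """
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master: str, url: str, length: int = 12) -> str:
    """Site-specific password = base64(HMAC-SHA256(master, host)), truncated.

    The master password is never sent anywhere; every host gets its own
    derivative, so capturing one of them reveals nothing about the others.
    """
    key = site_key(url)
    digest = hmac.new(master.encode("utf-8"), key.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


def captured_password_works(master: str, real_url: str, phish_url: str) -> bool:
    """Would a password typed into phish_url log the attacker in at real_url?"""
    return derive_password(master, phish_url) == derive_password(master, real_url)


if __name__ == "__main__":
    # Constructed sample hosts (not real sites) and a constructed master password.
    real = "https://www.example-bank.com/login"
    phish = "http://example-bank.com.login-verify.example/login"
    master = "correct horse"
    print("real site :", derive_password(master, real))
    print("phish site:", derive_password(master, phish))
    print("usable by phisher:", captured_password_works(master, real, phish))
    # The usability catch raised on the "Fundamental Issues" slide: from a
    # machine without the tool (the "remote user"), the user cannot reproduce
    # the derived password by hand, so the scheme only helps where it is installed.
```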