ID Theft: Methods and Agenda
John Black
University of Colorado, Boulder
April 15th, 2005
DIMACS
Security in the Real World

• Reality is complex, messy and hard to model.
  – Therefore I do cryptography.
• Recently interested in what is broadly called “Identity Theft”
  – WRFIS workshop in DC last month
    – Workshop on Resilient Financial Information System
    – https://www.cs.columbia.edu/wrfis/idtheft
  – If I learned anything, it was how complex and messy the problem is
“Identity??”

• Back to definitions in an attempt to understand the problem
  – Identities are associated to each (human) entity
    – Physical (eg, face, stature)
    – Abstract (eg, name)
    – Hybrid (eg, smell… works better if you’re a dog)
  – In the old days we had
    – Small communities, lack of technology, little incentive to crime
Modernity

• New ways of tracking an entity
  – Population explosion, increased technology, transportation and communication necessitate new identification techniques
  – Physical (eg, fingerprints, retinal scans)
  – Abstract (eg, SSNs, CC#s, MMN, National IDs)
  – Hybrid (eg, gait)
  – Scary (eg, RFIDs)
• Note how few of these were invented with the intent to identify the individual
  – Analogs with the usual “security as an afterthought” complaint
Stealing an Identity: An Old Idea

• Impersonation
• Fake Login Screen
  – I did this too… sigh…
• Fake ATM Machine
• Official-seeming people
  – Lawyers from the 4th floor
  – Taxi guy at EWR
Modern ID Theft

• 310,000 DL#s, SSNs compromised in 2004 (WSJ)
• Along with Nigerian 419s, biggest Internet scams of recent times
• Compelling stories by victims
• News organizations love this stuff
  – Everything is ID theft now
  – UC Berkeley Example
    – CA Law kicks in
The Good News

• FTC and Credit Agencies (Equifax, Experian, TransUnion) all have fraud divisions
  – Very used to dealing with this type of thing
  – Standardized process for flagging compromised accounts
    – Fraud Alert Tag
• Still a pain but (anecdotally) doesn’t ruin your life like it once did
Human Silliness (In My Opinion)
IDs—Not that Easy

• NRC Report
  – Implementing a national ID card has a lot of drawbacks as far as privacy is concerned
• Legit Assignments of Identities
  – Undercover gov officials, Witness Protection, etc
• Willing “lending” of IDs
  – Gaming
Phishing Survey

• Some sources claim Phishing losses somewhat overstated
  – Ah well, at least it’s something we can address technically
Phishing Stats

• Number of active phishing sites reported in February 2005: 2625
• Average monthly growth rate in phishing sites, July through February: 26%
• Number of brands hijacked by phishing campaigns in February: 64
  – Top 6 brands accounted for 80% of sites
• Country hosting the most phishing websites in February: United States
  – Though I might conjecture not authored in the United States
• Average time online for site: 5.7 days
• Longest time online for site: 30 days
Hard to Believe But…

• Most people (>60% of the American public) have inadvertently visited a fake or spoofed site.
• Over 15% of respondents admit to having provided personal data to a spoofed site.
• Small number of people (slightly more than 2%) affected, with an average cost of $115 dollars/victim.
• Extrapolating to the entire U.S. population, economic impact of fraud close to $500M.
Monetization
>20-30k always online SOCKs4, url is de-duped and updated every
>10 minutes. 900/weekly, Samples will be sent on request.
>Monthly payments arranged at discount prices.
>$350.00/weekly - $1,000/monthly (USD)
>Type of service: Exclusive (One slot only)
>Always Online: 5,000 - 6,000
>Updated every: 10 minutes
>$220.00/weekly - $800.00/monthly (USD)
>Type of service: Shared (4 slots)
>Always Online: 9,000 - 10,000
>Updated every: 5 minutes
September 2004 postings to SpecialHam.com, Spamforum.biz
Organized Crime and Spammers

• Estimated 65% of spam now originates from bots
• Commonly used in DDoS for years
• Useful for Distributed Phishing
• Some zombies log keystrokes, redirect URLs, and skim CC#s and passwords
  – Moral: Once you’re 0wned there is really no point in talking about countermeasures
Buy This Identity!!
• Your name is: Sally S. Davidson
• You live at: 9216 Avenida Del Ladrón, San Jose, CA, 95131
• You are a computer programmer
• You make $57K per year
• You have two children
• You have a M.S. degree in Computer Science from University of Idaho
• Your Visa credit card number is: 9012-881-1313-100
• Your Phone credit card number is: 781-982-3172-1192
• Your Social Security Number is: 078-05-1120
• You have a California Driver's License, number 4439-1917421
• Your mother‘s maiden name is Friedman
• Your checking account with West Coast Civil Savings is 43-91-90321
• Your telephone number is 202-224-3121
• Your Fidelity investment account number is 451-910934, and the password is "fidelis".
• You were born on Feb 13, 1961, in Fresno, California
• You have an AOL account with username SSD9143 and password "fidelis"
This identity is available for a payment of only $79.95, payable in cash (do you think we would take a check or credit card from someone using this service?).
Phishing Countermeasures

• Uhh, use common sense?
  – Aaron argued that even we might fall victim to “contextual phishing”
• SpoofGuard and PhishHook and Others…
• PwdHash
  – If only it worked…
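The idea behind PwdHash is that the password actually sent to a site is derived from the user's master password and the site's domain, so a look-alike phishing domain receives a value that is useless at the real site. The following is an added illustration of that idea, not the deck's code and not the PwdHash implementation itself (it uses HMAC-SHA256 here; the domain canonicalisation that keeps only the last two labels is an assumption, and the domains bank.example and bank-example.evil are constructed):

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def canonical_domain(site: str) -> str:
    """Reduce a URL or hostname to the part that keys the derivation.

    Assumption: the last two labels identify the site, so
    www.bank.example and bank.example map to the same key. A real
    deployment would consult the public-suffix list (co.uk-style names).
    """
    if "://" not in site:
        site = "//" + site  # let urlsplit treat a bare hostname as a netloc
    host = (urlsplit(site).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive the password sent to a site from the master password.

    HMAC-SHA256 keyed with the master password over the canonical domain:
    the same master password yields unrelated outputs on different domains.
    This is only the PwdHash idea, not its actual algorithm.
    """
    domain = canonical_domain(site)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def phishing_exposure(master: str, real_site: str, lookalike: str) -> dict:
    """Compare what a look-alike page captures with what the real site expects."""
    captured = site_password(master, lookalike)
    real = site_password(master, real_site)
    return {
        "captured_by_lookalike": captured,
        "valid_at_real_site": real,
        "captured_value_works_at_real_site": captured == real,
    }


if __name__ == "__main__":
    # Constructed scenario: one master password, the real bank domain and a
    # look-alike domain that a phishing mail might point at.
    master = "correct horse battery"
    print(site_password(master, "https://www.bank.example/login"))
    print(phishing_exposure(master, "https://www.bank.example/login",
                            "https://bank-example.evil/login"))
```

Two caveats matter for the "if only it worked" point. The look-alike site still learns an HMAC keyed by the master password, so a weak master password can be guessed offline from that value. And the derivation only helps when it runs in the browser itself: if the user types the master password into a form that page scripts can read, or is on a machine without the extension (the "remote users" problem), the raw master password is exposed.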
Fundamental Issues

• Current course is reactive and incremental
• Technology is hard to use
  – Eg, remote users and PwdHash
• Research is fun, but unless tools can be used with little sophistication…
  – Getting people to run a virus checker, firewall, and windows update is already way too much
  – Yeah, I know it’s easy to stand up here and say all of this
Security: State of the Practice

• ARP
  – No authentication
  – Cache poisoning (local)
• DNS
  – No authentication (DNSSEC where are you?)
  – Cache poisoning (local and remote)
• ICMP
  – No authentication
  – DoS attacks via spoofed hard errors, MTU discovery, source quench
• http
  – Javascript (ugh), PHP/etc scripting vulnerabilities
• SSL
  – Spoofing, MITM
• DIY protocols
  – Netscape NRG, Diebold, WEP, Poker, ICC, DST RFIDs
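Because ARP carries no authentication, the practical defence on a local segment is detective: watch the IP-to-MAC bindings announced in replies and alert when they change, or when one station starts answering for several addresses. The following monitor is an added example, not part of the deck; the log format and the 192.0.2.x addresses and 02:00:00:00:00:xx MACs are constructed for the demonstration and are not output of any particular tool:

```python
import re
from collections import defaultdict

# Constructed sample of ARP replies as a passive monitor on the segment
# might record them (not real traffic). 192.0.2.1 plays the gateway; the
# fourth and fifth lines show a second MAC suddenly answering for the
# gateway and for a host, which is what a local cache-poisoning MITM looks like.
CONSTRUCTED_ARP_LOG = """\
2005-04-15T10:00:01 arp reply 192.0.2.1 is-at 02:00:00:00:00:01
2005-04-15T10:00:02 arp reply 192.0.2.20 is-at 02:00:00:00:00:20
2005-04-15T10:00:05 arp reply 192.0.2.1 is-at 02:00:00:00:00:01
2005-04-15T10:00:09 arp reply 192.0.2.1 is-at 02:00:00:00:00:99
2005-04-15T10:00:10 arp reply 192.0.2.20 is-at 02:00:00:00:00:99
2005-04-15T10:00:12 arp reply 192.0.2.30 is-at 02:00:00:00:00:30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) arp reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_log(log: str):
    """Yield (timestamp, ip, mac) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_mac_changes(log: str) -> list:
    """Flag every reply that changes the MAC previously seen for an IP.

    This arpwatch-style "changed ethernet address" check is the usual
    detective control for a protocol with no authentication. It also fires
    on legitimate NIC swaps and DHCP churn, so alerts need triage.
    """
    seen = {}
    alerts = []
    for ts, ip, mac in parse_arp_log(log):
        if ip in seen and seen[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old": seen[ip], "new": mac})
        seen[ip] = mac
    return alerts


def macs_claiming_multiple_ips(log: str) -> dict:
    """Map each MAC that answered for more than one IP to the set of IPs.

    One station answering for the gateway and for other hosts is the
    signature of a local man-in-the-middle; a router or NAT box looks the
    same, so pair this with an allow-list of known multi-homed MACs.
    """
    claims = defaultdict(set)
    for _, ip, mac in parse_arp_log(log):
        claims[mac].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for a in detect_mac_changes(CONSTRUCTED_ARP_LOG):
        print(f"{a['time']} {a['ip']} changed {a['old']} -> {a['new']}")
    print(macs_claiming_multiple_ips(CONSTRUCTED_ARP_LOG))
```

The same "no authentication, so monitor the bindings" pattern applies to the DNS entry on the slide: a resolver-side check that compares answers against a known-good set for the domains you care about is the detective analogue, while DNSSEC (and, for the ARP case, static entries or switch-port inspection) is the preventive one.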
Education: It CAN Have an Impact

• 150 million people use Windows Update
  – That’s not all windows users, but it’s a significant fraction
• People are buying shredders in record numbers
• Fewer people leave mail in their unsecured curbside boxes
• But (for example) very few people know that “erasing” their hard disk doesn’t really do much