A.M.Marshall BSc CEng FRSA MBCS CITP
Centre for Internet Computing
University of Hull
Scarborough Campus
Filey Road
Scarborough YO43 3DX, UK
(a.marshall@hull.ac.uk)
and
Eur.Ing. B.C.Tompsett BSc MSc CEng MBCS CITP,
Dept. of Computer Science,
University of Hull
Cottingham Road
Hull HU6 7RX, UK
(b.c.tompsett@dcs.hull.ac.uk)
June 9, 2004
Abstract
With the aid of an example case of identity-theft used to perpetrate an apparent benefits fraud & consideration of other undesirable online activities, the authors examine the motives and methods of Internet-based identity theft. Consideration is given to how such cases may be detected, investigated and prevented in the future.
The problem of trust relationships and validation of identity tokens is discussed and recommendations for the prevention of identity theft are given.
Keywords: Internet, crime, trust, identity, identity theft, fraud, trustworthiness, impersonation
Acknowledgements
The authors are grateful to Mike Andrews, of the Digital Evidence Recovery and Internet Crime (DERIC) Unit of North Yorkshire County Council, and
Karen Watson, an undergraduate of the Centre for Internet Computing, for their assistance with background for this paper.
Thanks also go to John Rayner and Mike Brayshaw for their invaluable proof-reading.
1 Introduction
Services available on the Internet offer many opportunities for the acquisition of personal data, and some provide significant quantities of personal information for even casual users to see. Although much of this information is quite innocuous, aggregation of data from several sources can allow criminals to build up a large enough corpus that they can successfully impersonate another individual. Frequently such identity-theft is used to obtain financial benefit through credit-card fraud, but other types of fraudulent activity are possible.
2 Context
Theft of identity is a concept which has been in existence for many years but, for the purposes of this exercise, we define it as “The acquisition of sufficient data for one individual to successfully impersonate another”. This does not, per se, constitute a theft, but certainly defines the concept in such a way that most instances of what is commonly described as identity theft are encompassed.
In this document, we propose to examine a range of identity types existing in an online environment, the relationships between them, and the mechanisms of identity-acquisition available.
3 Identity tokens
Conventionally, an identity theft exercise requires the acquisition or fabrication of sufficient information to be able to establish that the individual presenting that information as credentials is, beyond reasonable doubt, the subject of that information, and hence that the information verifies that the presenter is the owner of the claimed identity.
The quantity and quality of information required to establish ownership of an identity, and hence gain access to an identity verification token, vary greatly and affect the acceptability of the token. Consider two common tokens - an e-mail address and a passport.
In order to register for an e-mail address, an applicant may have to provide no information other than the name they wish to be known by, a preferred username and a password. To obtain a passport, a considerable amount of personal data, ranging from date of birth to a photograph, is required. In the case of the passport, most claims about information must be corroborated through the production of official forms (e.g. birth certificate) or verification by a trustworthy third party (e.g. having a GP, lawyer, academic or other trusted person attest that the photograph is a true likeness).
As a weak token, an e-mail address should have little use other than for the sending and receiving of e-mail which, although it may be financially rewarding (consider the spam problem), should have no particularly strong legal standing. Pervasiveness of Internet services and the need for a lightweight identity-verification system (primarily because of end-user resistance to strong authentication) has led to the use of the e-mail address as a primary authentication token. In spite of this, most users still seem to consider that their e-mail address has little intrinsic value.
It has been shown [1], in the past, that even an apparently rigorous identity establishment process, such as the passport issuing mechanism, can be subverted by a determined individual who can bypass or override the chain of trust upon which it depends. Furthermore, it is known that identity verification tokens can be created without going through the verification process at all.
In spite of this, passports are still internationally-recognised, standardised, official government-produced documents with a high perceived value.
The critical element in determining the acceptability and perceived worth of an identity verification token is thus the effort required to complete the process used to create that token, which relates to the cost (financial and/or time) required.
4 Online Identity
4.1 Types of Identity Online
In online interactions identity can be associated with differing aspects of an entity or transaction between entities. The interaction may be between two individuals who identify themselves using some form of online identity token.
E-mail messaging or real time chats are examples of such online one-to-one transactions between individuals.
The transaction may be between an individual and a Corporate identity, such as is the case of a purchase from a major online bookstore.
In addition to these examples, which have analogues in the world of face-to-face interactions, there is also the identity associated with the network which is facilitating these other interactions. The network devices and the traffic flow itself have associated identity tokens.
4.2 Personal Identity Online
Individuals, when they “go online”, or interact in an online context, need to create for themselves, or have created for them, an artificial representation of their identity. This artificially created version of identity is often primarily used to establish the person’s rights as a user of the online and computerised systems they are connected to and with. Its use establishes and controls their access to resources and limits or enables the actions they wish to take over the network.
These identities, as already established, are primarily token based in nature, often characterised by a simple username, password pair, but can also involve cryptographic keys, physical devices such as dongles, swipe cards, or even biometric recognition.
4.3 Corporate Identity Online
A corporate identity, in an online environment, is established by the presence of websites, e-mail addresses, the registration of domain names and so forth.
Much like the identity of a corporation in the physical world, where the physical presence of documents and, perhaps, of buildings and their human occupants establishes the company, the same is true in the online world, where the establishment of equally significant online constructions and their population with services, individuals and information can be seen as the online corporate identity. As in the real world, the recognition of one body by another further establishes corporate identity, such as the registration of a company name or the establishment of trading or partnership agreements. Similar recognitions and links serve to reinforce corporate identity in an online world.
The established use of recognised names and trademarks which have the support and protection of the law confers various degrees of authority on different corporate identities when online. These are further confirmed by their association with individual personal online identity credentials.
4.4 Network Identity Online
The components of the network that facilitate the interactions between individuals and corporate entities also have a network identity established for them.
These are often the addresses of the devices themselves so that they can be uniquely distinguished from other similar devices and to permit the operation of the network. The identities can be associated with the actual hardware devices themselves (such as MAC addresses of network cards) or with the software being used for communication over the network (such as the IP address, or the Fully Qualified Domain Name [FQDN]).
The names associated with network identity, such as the domain name, are usually the creations of humans and are primarily a means for people to exchange online identity information. The network itself usually uses the more low-level addresses in the operation of the communication infrastructure.
4.5 Identity vs. Identifier
In fact, although we discuss identities in the preceding paragraphs, it must be remembered that the identities are properties of the entities themselves. Online, an identity association with a particular resource or activity is determined by the presence of one or more identifiers normally linked to that identity.
Identifiers have a range of “trustability”, dependent on their intended usage.
Often this “trustability” is a composite value, based on relationships between identifiers for several different online identities.
4.6 Inter-relationships between Identity/Identifier Types
The three forms of online identifier are inextricably bound together. Their combination or juxtaposition can, in itself, provide further information that qualifies aspects of the identity of each of them. For example, an e-mail address contains elements that relate to the person and a domain that receives the message. The domain part of the address can contain components that further identify aspects of the identity of the person’s organisational membership, and indeed can further show aspects of inherited trust relationships from which other information regarding the identity can be inferred. In addition, the network domain information will link to computer based addresses, and registration records that in turn can illustrate aspects of relationships between the e-mail address, individuals and the trust framework that bears the addresses. These can help someone decide if the identity is to be trusted, or not.
This is more easily seen in the form of an example. If an individual is identified by the e-mail address manager@sales.corporationname.com, we might infer that they have a job function that is related, in an official capacity, to sales for the named organisation. The registration records for the corporate domain name could be examined to determine if the e-mail address is likely to be a bona-fide one for the company. The computer names, and their associated addresses and their registration details could be further examined to establish the credentials of that address. In this example, the domain name service might show that the IP address associated with this name is 2.3.4.5 and this, in turn, will lead to further registration records that could be examined [2].
Conversely an example address such as windows patch@sun.scampage.biz might instill an element of suspicion, both with the nature of the personal name used, and the fact that the corporation name is used in a context that might also imply it is not authentic. Someone else could be impersonating the corporate domain and further examination of associated computer addresses and registration records may confirm this. If, as in the last example, the domain name system was used to obtain an associated IP address, such as 68.54.192.211, it might be ascertained that this is used by a dynamically connected machine (such as a dial-up) in Florida through one of the largest US public Internet Service Providers. This would give further indications that the address is, probably, less than authentic.
With smaller organisations the issue is less clear. They may use other bodies to provide their e-mail and web presence on the Internet, and the auditable and trustworthy chain of associations that link the network identity with the bona-fide usage may be harder to establish and easier to replicate fraudulently (e.g. conferences@forensic-science-society.fsbusiness.co.uk). In this example, the address is provided by a reputable UK ISP, but accounts such as this can be created in a few minutes with no form of right-of-usage verification. Thus an apparently reputable organisation may become tainted by association with other users of the same low-cost service, through an implicit association created through the domain name. (For several years the “A” in AOL was often said, apocryphally, to stand for something other than “America” because of the unacceptable behaviour of some users of the system.)
A further process of identity tainting arises where shared hosting is enabled. It is perfectly possible for a single server to host several domains at a single IP address. In this case a complete DNS examination, using both forward and reverse lookups to reveal all IP addresses and domain names, could reveal that an apparently reputable organisation shares its online location with several disreputable organisations (e.g. www.iamanhonesttrader.com could resolve to 1.2.3.4, which might reverse to www.ripemoffandselltheirfamilies.com; see footnote 1).
In addition to this, examination of IP block allocation would reveal network neighbours, whose presence may be considered undesirable. Conversely, careful choice of domain and/or IP neighbours may lend an additional air of trustworthiness to an untrustworthy domain.
Footnote 1: At the time of writing these domains were unregistered and considered to be fictitious.
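The forward-then-reverse DNS examination described in section 4.6, carried out offline against a constructed lookup table, as an added example (this is not code from the paper or its authors). The names FORWARD, REVERSE, DYNAMIC_PREFIXES, BRAND_LABELS and assess_address are this example's own; the addresses 1.2.3.4, 2.3.4.5, 68.54.192.211 and the fictitious host names come from the paper, and the scam address's local part is written with an underscore here so that it is a parseable mailbox.

```python
"""Offline version of the section 4.6 DNS cross-check: forward-resolve the
mail domain, reverse-resolve the address, and list every other name that
shares it (the shared-hosting "identity tainting" the text describes)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed forward zone: host name -> IP address.  The values are the
# paper's own illustrations; no real DNS is consulted.
FORWARD = {
    "sales.corporationname.com": "2.3.4.5",
    "sun.scampage.biz": "68.54.192.211",
    "www.iamanhonesttrader.com": "1.2.3.4",
    "www.ripemoffandselltheirfamilies.com": "1.2.3.4",
}

# Constructed reverse zone, derived from the forward zone: IP -> all names.
REVERSE = {}
for _host, _ip in FORWARD.items():
    REVERSE.setdefault(_ip, []).append(_host)

# Constructed: address prefixes known to be dial-up / dynamic pools.
DYNAMIC_PREFIXES = ("68.54.",)

# Constructed: well-known organisation labels that a scam domain may borrow
# as a *sub*domain of some unrelated registrable name (sun.scampage.biz).
BRAND_LABELS = {"corporationname", "sun"}


@dataclass
class Assessment:
    local_part: str
    domain: str
    resolved_host: Optional[str] = None
    ip: Optional[str] = None
    neighbours: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def forward_lookup(domain, zone=FORWARD):
    """Resolve the mail domain, falling back to its parent labels (a mail
    domain is often served by a host in its parent zone). (host, ip) or None."""
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in zone:
            return candidate, zone[candidate]
    return None


def assess_address(address, forward=FORWARD, reverse=REVERSE):
    local, sep, domain = address.rpartition("@")
    a = Assessment(local, domain)
    if not sep or not local or not domain:
        a.warnings.append("malformed address")
        return a

    labels = domain.split(".")
    # A brand name used below the registrable label means someone else's
    # identity is being borrowed rather than owned.
    for label in labels[:-2]:
        if label in BRAND_LABELS:
            a.warnings.append(
                f"brand label '{label}' is a subdomain of {'.'.join(labels[-2:])}")

    hit = forward_lookup(domain, forward)
    if hit is None:
        a.warnings.append(f"{domain} does not resolve")
        return a
    a.resolved_host, a.ip = hit

    if a.ip.startswith(DYNAMIC_PREFIXES):
        a.warnings.append(f"{a.ip} lies in a dynamic (dial-up) address pool")

    # Reverse lookup: every other name on the same address is a hosting
    # neighbour whose reputation rubs off on this one.
    a.neighbours = [h for h in reverse.get(a.ip, []) if h != a.resolved_host]
    if a.neighbours:
        a.warnings.append(
            f"{a.ip} is shared with {len(a.neighbours)} other name(s): "
            + ", ".join(a.neighbours))
    return a


if __name__ == "__main__":
    for addr in ("manager@sales.corporationname.com",
                 "windows_patch@sun.scampage.biz",
                 "enquiries@www.iamanhonesttrader.com"):
        result = assess_address(addr)
        print(addr, "->", result.ip, result.warnings or "no warnings")
```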
5 Motives for Identity Theft
There are, perhaps, as many reasons for Identity Theft as the persons who attempt it, but several clear and common elements underpin most of the cases.
Given the forms of online identity described above, however, we can group motives under the same three categories.
5.1 Personal
Motivation for theft of personal identity is, perhaps, the biggest category, ranging from simple impersonation of a different person for recreational purposes, through revenge, to outright financial fraud.
5.2 Corporate
Corporate identities are often stolen, or perhaps more accurately, forged, to create for the criminal a vehicle for crime that appears to provide an air of authority or legitimacy. In the same way as in non-networked fraud, where a letter on headed notepaper can be more effective in fooling a victim, the corporate online forgery provides a similar vehicle. These false, stolen or facsimile corporate identities can also be used to play a role in further identity theft, by a means commonly known as phishing [3]. In phishing the victim receives a letter (e-mail) from a finance transactor requesting that the recipient confirm some information through a web site which purports to be bona fide, but only serves to obtain the user's identity accreditation tokens.
Other forms of corporate identity theft in an online scenario can involve the taking over of the domain name and other network assets, such as IP addresses for a defunct (or bankrupt) corporate entity. These Corporate names may have established branding and other positive attributes that may be useful in the conduct of some other further crime, such as the sale of forged products or some elaborate fraud or scam.
Fraudsters have become adept at using the technology to fool the victim in ever more elaborate ways. One of the modern variants involves using code that exploits flaws in a victim's application to display the network identity of a proper corporate entity, while the traffic interaction is with some other place entirely. This can be achieved with web browsers and e-mail readers using appropriate forgery techniques. Here, then, no actual corporate identity theft has been conducted; only personation or misrepresentation of the corporate entity has been performed.
5.3 Network
It has been established that the network identity is associated with a corporate or personal identifier, and thus, in order to more fully establish a fraudulent identity, the network identity itself must be stolen or forged.
6 Methods of Identity Theft
Classically, investigation of criminal activity revolves around a 3-element model of the activity: Motive, Method and Opportunity. If all 3 can be established, then a suspect has been found.
Having considered, above, the motives for identity theft we now turn to methods of identity theft in an online environment.
6.1 Protocol Weakness
Perhaps the simplest form of identity theft revolves around the inherent weaknesses present in a range of Internet standard protocols. It is clear that many of these protocols are designed with ease-of-use more in mind than security and verification of identity. This, perhaps, reflects the fact that they were originally created with a much smaller Internet in mind than that which exists today.
Consider SMTP [4] as an example. This protocol is designed to allow a rapid, lightweight dialogue between two hosts for the exchange of e-mail. Examination of the protocol itself reveals that the sending host is supposed to provide “From:”, “To:” and various other headers. The receiving host is under no obligation to check the validity of these fields, particularly the “From:” fields, unless it is the final destination of the message. Indeed, from the point of view of the designer, attempting to validate these headers would, most likely, have been seen as impossible, or at least impractical, as it would have required a degree of network reliability which cannot be guaranteed even today.
Equally, at the time the protocol was designed, the trust levels between networks were considerably stronger than those that exist in the modern Internet. The total number of hosts was small, dynamic address allocation was not performed, and connections tended to be fixed leased-lines or virtual circuits, rather than ad-hoc dial-up connections. Provision of Internet connectivity was, in effect, restricted to a technological elite club, whose members were known to each other. In such an environment, it was not necessary to introduce elements of distrust into protocols designed to effect the rapid exchange of information between technological peers.
However, the growth of the Internet has been exponential [5], initially driven by technologists who wished to use work resources from home. The protocols have propagated beyond the confines of the elite club-members and are now in use by anyone who wishes to connect to an Internet service provider. The membership of the club has grown to the point where the trusted elite are outnumbered by “the great unwashed” and the strong trust relationships which allowed the use of insecure protocols have been overwhelmed.
The protocols have not changed, but the users have. Whereas, when the Internet was small, it was largely unthinkable that anyone would lie in their SMTP headers (except perhaps to play a prank on another member of the club), less “honourable” users now use the weaknesses regularly to fake “From:”, “Reply-to:” and other headers for various purposes.
6.2 Naïve Users
At another level, the naïvety of end-users is also a method of identity theft. By exploiting protocol weaknesses, a miscreant may manage to create an Internet object (e-mail, web-page, application etc.) which appears to come from a trustworthy source (e.g. banks, online auction sites, software vendors). Naïve users, unaware of protocol weaknesses, unfamiliar with online security issues, and further compromised by certain software which may hide the full audit-trail information about the object (e.g. by suppressing all SMTP headers other than “From:” and “To:”), may take the object at face value and be lured into participation in activity such as the many “Phishing” scams [3] which currently circulate. These forms of attack are successful, not because users are particularly ignorant, but more because they assume that everyone else on the Internet operates within the same boundaries of acceptable behaviour as they themselves do.
This is perhaps, most clearly demonstrated by cases of “grooming” involving paedophiles and children.
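Sections 6.1 and 6.2 make the point that SMTP lets a sender write any “From:” and “Reply-to:” it likes while mail clients hide the rest of the trail. The audit below, added here and not part of the paper, reads that hidden trail: each relay prepends its own Received: header, so the oldest one records where the message really entered the mail system and can be compared with what the “From:” claims. The message, the regular expression and the function names (RAW_MESSAGE, parse_received, audit_message) are this example's own constructions, using RFC 5737 documentation addresses and .test domains.

```python
"""Header audit for a forged-sender e-mail: compares the claimed From: /
Reply-To: domains against the origin hop recorded in the Received: trail."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed message.  The From: claims a bank, the Reply-To: points at a
# free-mail domain, and the oldest Received: line shows the message entering
# the mail system from a dial-up host that merely *announced* itself (HELO)
# as the bank's mail server.
RAW_MESSAGE = """\
Received: from relay.isp.test (relay.isp.test [198.51.100.9])
    by mx.recipient.test with ESMTP id abc123
    for <victim@recipient.test>; Wed, 09 Jun 2004 10:12:01 +0100
Received: from mail.example-bank.test (dialup-17.isp.test [203.0.113.45])
    by relay.isp.test with SMTP id def456; Wed, 09 Jun 2004 10:11:58 +0100
From: "Example Bank Security" <security@example-bank.test>
Reply-To: example-bank-support@freemail.test
To: victim@recipient.test
Subject: Please confirm your account details

Dear customer, please confirm your details at the link below.
"""

# "from <helo> (<reverse-dns> [<ip>])" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[^\]]+)\]\)",
    re.IGNORECASE)


def domain_of(address):
    """Domain part of an address header value, lower-cased ('' if none)."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def parse_received(value):
    """Pick HELO name, reverse-DNS name and IP out of one Received: header."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold the header
    if not m:
        return None
    return {"helo": m["helo"].lower(), "rdns": (m["rdns"] or "").lower(),
            "ip": m["ip"]}


def audit_message(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg["From"] or "")
    reply_domain = domain_of(msg["Reply-To"] or "")
    # Relays prepend Received: lines, so the last one is the origin hop.
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from "
                        f"From domain {from_domain}")
    origin = hops[-1] if hops else None
    if origin is None:
        findings.append("no parsable Received: trail; origin unknown")
    elif (origin["helo"].endswith(from_domain)
          and not origin["rdns"].endswith(from_domain)):
        # The sender claimed the From: domain in HELO, but the relay's own
        # reverse lookup of the connecting IP says otherwise.
        findings.append(
            f"origin announced itself as {origin['helo']} but reverse DNS of "
            f"{origin['ip']} is {origin['rdns'] or 'absent'}")
    elif not origin["rdns"]:
        findings.append(f"origin {origin['ip']} has no reverse DNS")
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "origin": origin, "findings": findings}


if __name__ == "__main__":
    report = audit_message(RAW_MESSAGE)
    print("claimed sender domain:", report["from_domain"])
    print("origin hop:", report["origin"])
    for finding in report["findings"]:
        print(" -", finding)
```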
6.3 Malicious Software
Even where the users are not naïve and have taken basic steps to protect themselves, the problem of malicious software or “malware” still presents itself.
No matter how good the anti-virus program and/or firewall, it must be remembered that these technologies are reactive and, by definition, tend to lag behind the attack modes of malware. Thus the user who considers him/herself protected against attack may take risks on the grounds that “it can’t hurt me - I have protection!” and open untrustworthy objects (e.g. e-mail attachments, untrusted web pages) or accidentally allow network-probing malware to infect their machine (perhaps by leaving a broadband node live, connected and unmonitored when it is not in use). This malware can then either turn their machine into a node in a virtual network used to propagate unwanted material (performing a network identity theft) or survey the contents of their system, gathering data (e.g. names, addresses, passwords, e-mail addresses, credit-card and bank account numbers) which can be sent back to the originator of the malware, to allow personal or corporate identity theft to be conducted.
6.4 Data Acquisition
In many cases, we have to consider the issue of data acquisition. In most cultures, there is a need for some personal data to be held by central and/or local authorities for governmental and legal purposes. In a non-networked environment, this information can only be accessed through the physical effort of actually contacting or visiting the offices where it is held and requesting specific documents. In a networked world, however, data is being made available online in a desire, on the part of data controllers, to appear more open and provide better services. However, by design, it has become possible to request not only specific records, but groups of similar records (e.g. not just the details for “Anthony Hancock of Railway Cuttings, East Cheam” but details of ALL “Hancocks” anywhere in the UK, and everyone at the same addresses, and all previous occupants of those addresses, and ....). The root cause of this added functionality lies, most probably, in the requirements capture process where an over-zealous software engineer has identified an opportunity to add extra functionality at low cost and the customer has expressed a desire for such functionality, in spite of the fact that it does not exist in the current system, without considering the opportunities for misuse that it can create.
Because the systems fulfilling the requests are automated, little checking of the purposes of such requests is made, and even less notice is taken of unusual requests or successive requests for different information from the same enquirer.
Unlike the previous methods of identity theft, data acquisition does not involve any misuse or abuse of equipment or resources. It succeeds by making the process of acquiring data easy to perform remotely and almost anonymously, by reducing the costs (physical effort and monetary) to the data acquirer.
Indeed, it can be argued that, by placing such services online, the data controllers have created a new opportunity (the final component of the classical model) for identity theft to be perpetrated.
6.5 Network Impersonation
As noted above, to successfully impersonate an entity online, it may be necessary to steal the identity of a network component associated with that entity.
Often, this can be as simple as “spoofing” the IP address of a legitimate machine on the network in order to gain access to, or impersonate, a legitimate node on a network. Given access to a network, it is relatively simple, using any one of the multitude of traffic “sniffers” available, to determine the exact range of addresses in use and to detect when a known good address ceases to be used, perhaps because the node to which it is allocated has been switched off. If appropriate lower-level security is not enabled, all the miscreant has to do is configure their machine to have the same IP address as the legitimate machine, and they thus gain the same level of access to the network as the original machine. Indeed, it is not necessary for them to configure their machine to use the same IP address.
A common form of attack on a network involves sending IP packets in which the sender or return address, or both, have been forged to make it look like the packet is associated with a legitimate node on the network under attack.
However, acquiring a legitimate, but allocated, IP address may allow for early detection of unwanted activity, as the ARP system should record the change in lower-level addresses associated with this IP address. The legitimate node is also likely to complain that its IP address is in use.
A more effective form of identity acquisition at the network level is to identify unused, but allocated, addresses within the same block as the network under attack. Again, this can be achieved by use of network monitors, but often it is sufficient to examine public records of IP block allocation to identify blocks which have not yet been used.
At a lower level, where security based on the hardware identity (e.g. MAC address) is in use, it is still possible to acquire a network identity by spoofing the hardware address of the device being used to attach to the network.
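The paragraph above notes that ARP should record the change in lower-level address when an allocated IP address is taken over. The monitor below, added here and not part of the paper, shows that detection in code: it tracks the IP-to-hardware-address binding seen in ARP replies and reports a binding that changes, one that flips back to an earlier value when the legitimate node returns, and one hardware address that starts answering for several IP addresses. The names Observation, OBSERVATIONS, ArpMonitor and detect_changes, and the replies themselves, are this example's constructions (documentation IP addresses and locally administered MAC addresses).

```python
"""Passive ARP monitor: flags changed, flip-flopping and multiply-claimed
IP-to-hardware-address bindings, the trace an IP takeover leaves behind."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    time: int   # seconds since the monitor started
    ip: str
    mac: str


# Constructed ARP replies as a monitor on the segment would see them.
OBSERVATIONS = [
    Observation(0, "192.0.2.10", "02:00:00:00:00:0a"),
    Observation(5, "192.0.2.11", "02:00:00:00:00:0b"),
    Observation(60, "192.0.2.10", "02:00:00:00:00:0a"),
    Observation(300, "192.0.2.10", "02:00:00:00:00:ff"),  # .10 answered by another NIC
    Observation(330, "192.0.2.10", "02:00:00:00:00:ff"),
    Observation(600, "192.0.2.10", "02:00:00:00:00:0a"),  # original host is back
    Observation(610, "192.0.2.12", "02:00:00:00:00:ff"),  # same NIC now claims .12 too
]


class ArpMonitor:
    """Tracks IP -> hardware address bindings and reports changes."""

    def __init__(self):
        self.current = {}                    # ip -> mac currently answering
        self.seen_macs = defaultdict(set)    # ip -> every mac ever seen for it
        self.claimed_ips = defaultdict(set)  # mac -> every ip it has answered for

    def observe(self, obs):
        events = []
        previous = self.current.get(obs.ip)
        if previous is None:
            events.append(self._event("new station", obs, None))
        elif previous != obs.mac:
            # A binding that changes is what the text says ARP should reveal;
            # a return to an earlier binding is the flip-flop left behind when
            # the legitimate node comes back on line.
            kind = ("flip flop" if obs.mac in self.seen_macs[obs.ip]
                    else "changed hardware address")
            events.append(self._event(kind, obs, previous))
        self.current[obs.ip] = obs.mac
        self.seen_macs[obs.ip].add(obs.mac)
        # One hardware address answering for several IP addresses is worth a
        # look: a single machine may be answering for its neighbours.
        if self.claimed_ips[obs.mac] and obs.ip not in self.claimed_ips[obs.mac]:
            events.append(self._event("multiple ips on one hardware address",
                                      obs, None))
        self.claimed_ips[obs.mac].add(obs.ip)
        return events

    @staticmethod
    def _event(kind, obs, previous):
        return {"kind": kind, "time": obs.time, "ip": obs.ip,
                "mac": obs.mac, "previous": previous}


def detect_changes(observations):
    """Replay observations in time order and collect every reported event."""
    monitor = ArpMonitor()
    events = []
    for obs in sorted(observations, key=lambda o: o.time):
        events.extend(monitor.observe(obs))
    return events


if __name__ == "__main__":
    for e in detect_changes(OBSERVATIONS):
        was = f" (was {e['previous']})" if e["previous"] else ""
        print(f"t={e['time']:>4} {e['kind']:<36} {e['ip']} {e['mac']}{was}")
```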
7 Case Studies
7.1 Network Assisted Credit Card
7.1.1 Introduction
Here we present a record of the investigative process for a case of identity-theft, used to perpetrate a benefits fraud, commencing with the initial complaint in 2001 and terminating in 2003 with the discovery of further identity-theft related activities. The case has not yet gone to trial so some details have been modified or anonymised to avoid tainting the judicial process.
7.1.2 Background
In early 2003 information was received that a group of individuals, resident in a large, lavish country house might be perpetrating a benefit fraud or similar.
Suspicions had been aroused as the persons in question appeared to be unemployed and were not known to be independently wealthy enough to support their lifestyle.
In addition to the large house, they owned several high-specification BMW cars, were known to take regular, expensive, foreign holidays and even managed to afford riding and stabling fees.
7.1.3 Surveillance
Accordingly, a surveillance programme was commenced, including the installation and use of CCTV cameras in post offices. This confirmed that the suspects were regularly using benefit books and also suggested that some form of pension scheme fraud might be taking place.
Following a year of in-depth surveillance and investigation, it was decided that it would be appropriate to seek warrants for searches of the suspects’ premises and also premises of possible accomplices. Warrants were duly obtained and the premises entered.
During searches of the premises, a number of computers were recovered, following standard procedures, and these were removed to DERIC in Northallerton for further examination.
It was apparent, at this stage, that a “traditional” benefit fraud would not provide enough income to support the lifestyles of the suspects. It later became apparent that the frauds in question contained elements of identity theft in order to allow the suspects to use multiple identities to claim more benefits.
7.1.4 Investigative process
Investigation of the computer followed conventional methods, with disks being securely copied as checksummed images and the images examined using standard tools. “Live” and deleted files were recovered showing e-mails, web pages and documents produced and used by the users of the computers.
It is worth noting here that this is in line with the majority of “minor” offences committed using online systems. Generally speaking, where web or e-mail is involved, Locard’s oft-misquoted principle of “every contact leaves a trace” [6] holds. This is due to the way in which most Internet client software is designed to operate to minimise the amount of Internet connection time required to complete a task. Standard practice is thus to retrieve data as quickly as possible from the online source and store a copy on the user’s computer’s local storage (typically a hard-disk) for later re-use. Thus, during a typical online session, several dozen or hundred temporary cache files will be created. Even when the user elects to clear the cache, the data in these files will remain in the store, although it will no longer be accessible to normal applications.
In addition to this, modern operating systems also generally use a “swap” space on the local hard disk to extend available memory, and it is quite common for portions of application memory to be swapped to this space. Thus fragments of data from previous sessions can sometimes be recovered from this space.
7.1.5 Evidence
Of particular significance, to the investigation, were a considerable number of cached WWW pages from the “192.com” site. This site acts as an information aggregator, drawing together a number of publicly available information sources such as electoral register, telephone directory, aerial photographs, etc. to produce a comprehensive database of names and addresses for the whole of the UK. For some time, the information on this site was made available for free in return for registration by the user. Registration information provided another opportunity for the content of the database to be updated and registration was the only way for details to be excluded from searches. This process has now been changed to require registration and a fee for searching. Changes to the rules governing publication and sale of the electoral register also affect the completeness of the database.
Examination of the recovered web pages suggested that the suspects had been using 192.com to locate persons with names similar to those of the suspects themselves or their aliases. Given this information, it would be possible for the suspects to create a false credit history for themselves which could be used to make applications for credit cards, bank accounts and other financial products.
Closer examination of the suspects’ bank accounts revealed some evidence of such, apparently fraudulent, transactions taking place and went some way to explaining the anomalies in their income. A figure of around £300000 was thought to be the income generated through fraudulent activity.
At the time of writing, the investigation had not yet been fully completed, but was expected to go to trial in late 2004.
7.1.6 Analysis
The primary lesson learnt from this case appears to be that vigilance is required on the part of all individuals to safeguard their own private data, especially where such data is freely available. The appearance of aggregative databases, such as 192.com, which are not deliberately mischievous, presents opportunities for criminal elements to gain easy access to data required for identity theft from the comfort of their own homes, a far cry from the mechanisms outlined in works of fiction such as “The Day of the Jackal” [1].
Changes in the way statutory bodies make data available, in compliance with legal requirements [7, 8], go some way towards making the aggregation of data and its use for identity fraud more difficult, but such data remains, quite correctly (in the authors’ opinions), available to any member of the public in other forms.
It also appears to have been relatively easy for the suspects to make successful fraudulent applications for credit etc., suggesting that checking procedure on the part of the financial institutions involved were somewhat lax. This may have arisen because they are dependent on the same corpus of personal data that the suspects were using to create their forged histories.
Recent changes to the land registry system [9] offer an additional cause for concern because, although the service is charged for, it is now possible to obtain a considerable amount of data about ownership of properties and the mortgages on those properties through another public online service. Again, public access to this information is a legal requirement, but previously it required a visit to a land registry office. The fee involved for the online service is trivial and is unlikely to act as a deterrent to those with criminal intent.
Given current trends towards integrated “e-government” and increased provision of services and statutory information online, we fear that opportunities for identity theft are increasing and that little can be done to reduce them.
7.2 Superzonda
One method used by senders of spam [10] to avoid detection is to utilise compromised machines elsewhere on the Internet to operate as proxies [11] on their behalf. A large number of proxies are used to provide vehicles for the delivery of e-mail, as well as to support the delivery of web pages in an indirect manner, which effectively hides the true origin of the material.
One of these techniques has become known as Superzonda. In this method, an Internet domain is utilised for the distribution of web pages. A number of insecure relay (or proxy) machines are selected to act as blind servers for those web pages, and a domain name server is implemented to answer requests for the Internet addresses (IP addresses) of the web servers in the domain. The machines that act as a proxy can be standard PCs installed with, perhaps, an unpatched version of the vendor's software that permits them to be exploited, or they could be infected by an agent (such as a Trojan Horse [12]) that explicitly facilitates the relaying. The creation of Trojan Horse infection agents for this purpose has been seen as a response to improved system security by PC owners patching the previously untrustworthy software.
The victim (or viewer of the web pages) clicks on a link (or types a URL) in their browser. The browser issues a request to the domain name server, which responds with the IP address of a compromised machine. This machine is then asked for the web page, but it does not know about the web pages. It will make a further domain name request to find the server (as it knows it does not have the pages). The domain name server knows the request is coming from the compromised machine and issues a different IP address (that of the real page server). The compromised machine requests the page and then sends it (by relay) to the original browser. By this means someone has been able to visit a web page without being able to determine the true origin of the page, and in fact has been hoodwinked into believing the compromised machine is the true origin. This basic method can be further elaborated by adding several levels of relay through a series of compromised hosts, adding greater distance between the criminal and the crime, and protecting against possible interceptions that may point back to the true origin. The method also has a weakness: one system that is controlled by the perpetrator is known, that is, the domain name server. There are elaborations of the technique that further hide this element.
One method of hiding the domain name server is to also place this on compromised machines, and perhaps to have a cluster of compromised machines that act as servers, so that in the event that one is cleansed of the infection, the others will continue to supply responses. This is enabled by domain registrars who permit their clients to make automated updates to their master domain records on a frequent basis. The domain name servers for such a domain could then be updated as frequently as every minute (or even every second). No one could then know who controlled them, or where the real source of data was.
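A runnable model of the exchange described above, added here as an example and not part of the original paper. Every address, host and the in-process "network" is constructed, and the two defender checks (answer churn as seen from outside, and the lookups a suspected relay makes itself) are assumptions of this example, not checks the paper describes.

```python
# Constructed simulation of the Superzonda relay: all addresses, hosts and
# the in-process "network" are invented; this is not the authors' code.
ORIGIN = "10.9.9.9"                            # real page server (hidden)
RELAYS = ["10.1.1.1", "10.1.1.2", "10.1.1.3"]  # compromised blind proxies
VIEWER = "10.5.5.5"                            # the victim's browser
PAGE = "<html>constructed page</html>"

class SplitHorizonDNS:
    """The perpetrator's name server: the answer depends on who is asking."""

    def __init__(self, relays):
        self.relays, self.turn, self.queries = relays, 0, []

    def resolve(self, name, source_ip):
        self.queries.append((source_ip, name))
        if source_ip in self.relays:       # a relay asking: reveal the origin
            return ORIGIN
        answer = self.relays[self.turn % len(self.relays)]  # anyone else: a relay
        self.turn += 1
        return answer

class Network:
    """Maps IP addresses to HTTP handlers so the exchange runs offline."""

    def __init__(self, dns):
        self.dns, self.hosts = dns, {ORIGIN: lambda name: PAGE}
        for ip in dns.relays:
            self.hosts[ip] = self._relay(ip)

    def _relay(self, relay_ip):
        def serve(name):                   # the relay holds no pages, so it
            upstream = self.dns.resolve(name, relay_ip)   # looks the name up again
            return self.http_get(upstream, name)          # and passes the page on
        return serve

    def http_get(self, ip, name):
        return self.hosts[ip](name)

def browse(net, name, viewer_ip=VIEWER):
    """Victim's view: one lookup, one fetch; returns (apparent server, page)."""
    ip = net.dns.resolve(name, viewer_ip)
    return ip, net.http_get(ip, name)

def churn_check(net, name, probes=6, limit=2):
    """Defender check from outside: a name whose answer keeps changing over a
    few lookups (the rotating relay set) deserves a closer look."""
    seen = {net.dns.resolve(name, VIEWER) for _ in range(probes)}
    return len(seen) > limit, sorted(seen)

def relay_side_check(dns, relay_ip):
    """Defender check on a suspected relay: the names that host itself looked
    up while being asked to serve them mark it as a blind proxy."""
    return [n for src, n in dns.queries if src == relay_ip]
```

The viewer only ever sees a relay address, while the name server's own query log shows the second lookup made by that relay.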
These techniques can be, and are, used by those who attempt to steal identity information, both to mask their own identity and to appear more genuine.
8 Conclusion
We can see that the wide variety of identity information available, and the ability for anyone, with basic facilities, to exploit this information, is becoming a vehicle for identity theft. The Internet, in effect, acts as a provider of both method and opportunity. The human beings provide motive.
The ease with which this can be done, and the difficulty the authorities face in enforcing the law, are promoting and encouraging this form of crime. Identity theft is the modern equivalent of the outlaw bank robbers of the Wild West. We have yet to recruit the town sheriff, although some small local vigilante groups are making fruitless attempts to “clean up” their locality.
One of the contributors to the epidemic in modern identity theft crimes is the ease, and the low cost, of the activity. The cost is low because those that grant identity tokens, such as domain names and Internet addresses, for example, take identity information themselves from automated mechanisms, with little or no checking and verification. This has its origins in the historical background to Internet registrations, which were originally a free service within an elite community and have evolved into a commercially competitive, least-cost service. The level of trust is, at present, not perceived to be a marketable commodity or requirement.
The Internet provides technical means for establishing secure methods of data transfer, such as encryption, and also digital certificates [13] which purport to strengthen identity establishment. However, most of these mechanisms rely on key exchange between a client and server, using asymmetric encryption, at the commencement of a secure session. The keys used for the encryption are provided by the two ends of the channel, without reference to any other sources.
The strongest trust verification in such a session is typically the question “Do you wish to accept the certificate?” asked of the user.
Identity, therefore, is established by chains of trust, which in these cases are very weak. To make these identity thefts more difficult, the chains of trust by which an identity is established or confirmed need to be made stronger and more trustworthy, through being open to scrutiny.
This argument also has resonance with the Identity Card debate where, similarly to the Internet arguments, there might be an apparently strongly authenticated token which is used with a weak chain of trust, and so permits identity fraud to take place. An example is that if the biometrics associated with such a card are not authenticated each time the card token is presented, then the strength and validity of the card as identity can easily be subverted, and yet the identity would be trusted implicitly without check, as the card itself might be trusted.
8.1 Recommendations
These cases indicate that chains of trust are important to the establishment of trust in an identity. On the Internet in particular, those involved in these chains, such as those registering domains, assigning Internet addresses, and issuing e-mail addresses or web page services, should take more care in capturing and recording identity information, and should also have recognised mechanisms available to them for evaluating the chain of trust of credentials presented to them.
The wide variety of information sources available on the net, and the aggregation of this data for easy use and selection (such as by search engines), also needs some form of protection. There are three categories of identity information that relate to our ability to trust credentials based on the data. The first relates to the originality of the data; that is, how probable it is that it could be found in a data search. The second relates to the likelihood that the information has already been obtained or discovered, and the third relates to the cost of locating and replicating the information acceptably.
This is expressed in figure 1:

$$U = \frac{P N}{C}$$

where:
U = Unreliability or “Untrustworthiness” of an ID Token.
P = Pervasiveness of the token, i.e. the number of occurrences of the token that can be easily discovered (e.g. an e-mail address used in Usenet postings may be easily found through Internet searches).
N = Number of “hits”, i.e. the number of times a copy of the token has been accessed (e.g. how many times a credit-card holder has disclosed the “secret” number on the signature strip).
C = Cost of obtaining and/or replicating the token in terms of money, time and/or effort.
Figure 1: A Metric for ID Token Untrustworthiness
Identity theft should therefore be made more expensive to conduct, which in turn would ensure that it is only used for more significant crimes. These will in turn have greater resources put to their detection because of their lower incident rate. The increase in the signal-to-noise ratio also means that incidents are more obvious, and can therefore be tackled more promptly.
References
[1] Forsyth, F. The Day of the Jackal, 1970.
[2] Marshall, A.M. An improved protocol for the examination of rogue WWW sites, Science & Justice, 2003; 43: 237-248.
[3] Crocker, D.H. Definition of Joe Job and Phishing, http://www.imc.org/ietf-mxcomp/mail-archive/msg00481.html, 2004.
[4] Crocker, D.H. Standard for ARPA Internet Text Messages, 1982.
[5] Zakon, R.H. Hobbes’ Internet Timeline, http://www.zakon.org/robert/internet/timeline/, 2004.
[6] Locard, E. L’Enquete Criminelle et les Methodes Scientifique, Ernest Flammarion, Paris, 1920.
[7] Data Protection Act 1998, HMSO, 1998.
[8] Representation of the People Act 2000, HMSO, 2000.
[9] Land Registry Online System, http://www.landregistry.gov.uk/, 2004.
[10] Marshall, A.M. and Tompsett, B.C. Spam ’n’ Chips - a discussion of internet crime, Science & Justice, 2002; 42: 117-122.
[11] Tompsett, B.C. The Role of Insecured Proxies in Internet Abuse, Asia Pacific Advanced Networking Conference, Busan, Korea, 2003.
[12] Marshall, A.M. and Tompsett, B.C. Silicon Pathology, Science & Justice, 2004; 44: 43-50.
[13] Dierks, T. and Allen, C. The TLS Protocol version 1.0, RFC2246, 1999.