
ID Theft: Methods and Agenda

ID Theft: Methods and Agenda. John Black, University of Colorado, Boulder. April 15th, 2005, DIMACS. Security in the Real World: reality is complex, messy and hard to model. Therefore I do cryptography. Recently interested in what is broadly called “Identity Theft”.





Presentation Transcript


  1. ID Theft: Methods and Agenda
  • John Black, University of Colorado, Boulder
  • April 15th, 2005, DIMACS

  2. Security in the Real World
  • Reality is complex, messy and hard to model.
  • Therefore I do cryptography.
  • Recently interested in what is broadly called “Identity Theft”
  • WRFIS workshop in DC last month
    • Workshop on Resilient Financial Information System
    • https://www.cs.columbia.edu/wrfis/idtheft
  • If I learned anything, it was how complex and messy the problem is

  3. “Identity??”
  • Back to definitions in an attempt to understand the problem
  • Identities are associated with each (human) entity
  • In the old days we had
    • Physical (eg, face, stature)
    • Abstract (eg, name)
    • Hybrid (eg, smell… works better if you’re a dog)
  • Small communities, lack of technology, little incentive for crime

  4. Modernity
  • New ways of tracking an entity
  • Population explosion, increased technology, transportation and communication necessitate new identification techniques
    • Physical (eg, fingerprints, retinal scans)
    • Abstract (eg, SSNs, CC#s, MMN, National IDs)
    • Hybrid (eg, gait)
    • Scary (eg, RFIDs)
  • Note how few of these were invented with the intent to identify the individual
  • Analogous to the usual “security as an afterthought” complaint

  5. Stealing an Identity: An Old Idea
  • Impersonation
    • Fake login screen
    • I did this too… sigh…
    • Fake ATM machine
  • Official-seeming people
    • Lawyers from the 4th floor
    • Taxi guy at EWR

  6. Modern ID Theft
  • 310,000 DL#s, SSNs compromised in 2004 (WSJ)
  • Along with Nigerian 419s, biggest Internet scams of recent times
  • Compelling stories by victims
  • News organizations love this stuff
  • Everything is ID theft now
    • UC Berkeley example
    • CA law kicks in

  7. The Good News
  • FTC and credit agencies (Equifax, Experian, TransUnion) all have fraud divisions
    • Very used to dealing with this type of thing
  • Standardized process for flagging compromised accounts
    • Fraud Alert tag
  • Still a pain but (anecdotally) doesn’t ruin your life like it once did

  8. Human Silliness (In My Opinion)

  9. IDs—Not that Easy
  • NRC report
    • Implementing a national ID card has a lot of drawbacks as far as privacy is concerned
  • Legit assignments of identities
    • Undercover gov officials, Witness Protection, etc
  • Willing “lending” of IDs
    • Gaming

  10. Phishing Survey
  • Some sources claim phishing losses are somewhat overstated
  • Ah well, at least it’s something we can address technically

  11. Phishing Stats
  • Number of active phishing sites reported in February 2005: 2625
  • Average monthly growth rate in phishing sites, July through February: 26%
  • Number of brands hijacked by phishing campaigns in February: 64
    • Top 6 brands accounted for 80% of sites
  • Country hosting the most phishing websites in February: United States
    • Though I might conjecture not authored in the United States
  • Average time online for site: 5.7 days
  • Longest time online for site: 30 days

  12. Hard to Believe But…
  • Most people (>60% of the American public) have inadvertently visited a fake or spoofed site.
  • Over 15% of respondents admit to having provided personal data to a spoofed site.
  • Small number of people (slightly more than 2%) affected, with an average cost of $115/victim.
  • Extrapolating to the entire U.S. population, economic impact of fraud close to $500M.

  13. Monetization
  > 20-30k always online SOCKs4, url is de-duped and updated every
  > 10 minutes. 900/weekly, Samples will be sent on request.
  > Monthly payments arranged at discount prices.
  > $350.00/weekly - $1,000/monthly (USD)
  > Type of service: Exclusive (One slot only)
  > Always Online: 5,000 - 6,000
  > Updated every: 10 minutes
  > $220.00/weekly - $800.00/monthly (USD)
  > Type of service: Shared (4 slots)
  > Always Online: 9,000 - 10,000
  > Updated every: 5 minutes
  Source: September 2004 postings to SpecialHam.com, Spamforum.biz

  14. Organized Crime and Spammers
  • Estimated 65% of spam now originates from bots
  • Commonly used in DDoS for years
  • Useful for distributed phishing
  • Some zombies log keystrokes, redirect URLs, and skim CC#s and passwords
  • Moral: once you’re 0wned there is really no point in talking about countermeasures

  15. Buy This Identity!!
  • Your name is: Sally S. Davidson
  • You live at: 9216 Avenida Del Ladrón, San Jose, CA, 95131
  • You are a computer programmer
  • You make $57K per year
  • You have two children
  • You have a M.S. degree in Computer Science from University of Idaho
  • Your Visa credit card number is: 9012-881-1313-100
  • Your Phone credit card number is: 781-982-3172-1192
  • Your Social Security Number is: 078-05-1120
  • You have a California Driver's License, number 4439-1917421
  • Your mother's maiden name is Friedman
  • Your checking account with West Coast Civil Savings is 43-91-90321
  • Your telephone number is 202-224-3121
  • Your Fidelity investment account number is 451-910934, and the password is "fidelis".
  • You were born on Feb 13, 1961, in Fresno, California
  • You have an AOL account with username SSD9143 and password "fidelis"
  • This identity is available for a payment of only $79.95, payable in cash (do you think we would take a check or credit card from someone using this service?).

  16. Phishing Countermeasures
  • Uhh, use common sense?
    • Aaron argued that even we might fall victim to “contextual phishing”
  • SpoofGuard and PhishHook and others…
  • PwdHash
    • If only it worked…
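The PwdHash idea the slide names is worth seeing in code: the password the user types is replaced, before it leaves the browser, by a hash bound to the site's domain, so whatever a phishing page captures is a per-domain value that the real site will not accept. The block below is an added illustration written for this transcript, not the PwdHash project's own code; the `registrable_domain` rule (keep the last two host labels) and the 16-character truncation are simplifying assumptions, and all URLs and passwords are constructed.

```python
"""Domain-bound password derivation in the style of PwdHash (added example,
not the PwdHash extension's own code).

The defender-side property demonstrated: a master password typed into a
look-alike phishing domain derives a different site password, so the captured
value cannot be replayed at the real site."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def registrable_domain(url: str) -> str:
    """Reduce a URL to the domain the hash is bound to.

    Assumption for this example: the last two host labels. Real deployments
    need a public-suffix-aware rule (e.g. for co.uk), otherwise every
    subdomain of a shared suffix would collapse to one key."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_bound_password(master_password: str, url: str, length: int = 16) -> str:
    """HMAC-SHA256 keyed with the master password over the domain, encoded to a
    printable string the site can store like any other password."""
    domain = registrable_domain(url)
    digest = hmac.new(master_password.encode("utf-8"),
                      domain.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")[:length]


def site_accepts(stored_password: str, submitted_password: str) -> bool:
    """Constant-time comparison, standing in for the real site's password check."""
    return hmac.compare_digest(stored_password, submitted_password)


def phishing_demo(master: str = "correct horse battery staple") -> dict:
    """Walk through the scenario on constructed URLs and report what each side sees."""
    real_login = "https://www.bank.example/login"
    real_other_page = "https://bank.example/account"
    phish = "https://bank.example.evil-phish.test/login"  # constructed look-alike

    registered = domain_bound_password(master, real_login)   # what the bank stored
    later_visit = domain_bound_password(master, real_other_page)
    captured = domain_bound_password(master, phish)          # what the phisher gets

    return {
        "same_domain_consistent": site_accepts(registered, later_visit),
        "replay_at_real_site": site_accepts(registered, captured),
        "master_exposed": master in captured or captured == master,
    }


if __name__ == "__main__":
    for k, v in phishing_demo().items():
        print(f"{k}: {v}")
```

The derived value only exists where the tool runs; from a machine without it, the user cannot reproduce the site password by hand, which is the usability cost the next slide raises under "remote users and PwdHash". Note also that the scheme protects against a phisher replaying the captured value, not against a site that itself stores passwords badly.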

  17. Fundamental Issues
  • Current course is reactive and incremental
  • Technology is hard to use
    • Eg, remote users and PwdHash
  • Research is fun, but unless tools can be used with little sophistication…
    • Getting people to run a virus checker, firewall, and Windows Update is already way too much
  • Yeah, I know it’s easy to stand up here and say all of this

  18. Security: State of the Practice
  • ARP
    • No authentication
    • Cache poisoning (local)
  • DNS
    • No authentication (DNSSEC, where are you?)
    • Cache poisoning (local and remote)
  • ICMP
    • No authentication
    • DoS attacks via spoofed hard errors, MTU discovery, source quench
  • SSL
    • Spoofing, MITM
  • HTTP
    • JavaScript (ugh), PHP/etc scripting vulnerabilities
  • DIY protocols
    • Netscape RNG, Diebold, WEP, Poker, ICC, DST RFIDs
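The ARP entry on this slide is the simplest case of "no authentication": any host on the segment can answer "IP X is at MAC Y" and the others will believe it. A defender cannot add authentication to ARP, but can watch for the symptom. The following is an added detection example written for this transcript (not from the talk); the reply records are constructed, and the conflict window and the `expected_bindings` allowlist are assumptions a real deployment would tune.

```python
"""Detecting ARP cache poisoning from observed ARP replies (added example).

Two signals are checked over a stream of (timestamp, sender_ip, sender_mac)
replies such as a sniffer export would give:
  1. the same IP claimed by two different MACs within a short window;
  2. one MAC answering for several IPs (the classic man-in-the-middle pattern
     where the attacker claims both the gateway and the victim)."""
from collections import defaultdict

# Constructed sample: a gateway, two workstations, and one host that starts
# answering for addresses it does not own.
SAMPLE_REPLIES = [
    (0.0, "10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    (1.5, "10.0.0.20", "aa:bb:cc:00:00:20"),
    (2.0, "10.0.0.1", "aa:bb:cc:00:00:01"),
    (3.2, "10.0.0.1", "de:ad:be:ef:00:99"),   # another MAC now claims the gateway IP
    (3.4, "10.0.0.20", "de:ad:be:ef:00:99"),  # ...and the workstation too
    (9.0, "10.0.0.30", "aa:bb:cc:00:00:30"),
]


def parse_reply(line: str):
    """Parse a 'ts ip mac' text line (constructed format) into a tuple."""
    ts, ip, mac = line.split()
    return float(ts), ip, mac.lower()


def detect_ip_mac_conflicts(replies, window_s=60.0, expected_bindings=None):
    """Alert when an IP's claimed MAC changes within window_s seconds.

    expected_bindings maps ip -> mac for addresses with a known, static owner
    (gateways, servers); any reply contradicting it is flagged regardless of
    timing. Without such a table a DHCP lease change can look like a conflict,
    which is why the window is there at all."""
    expected_bindings = expected_bindings or {}
    last_claim = {}  # ip -> (ts, mac) from the most recent reply
    alerts = []
    for ts, ip, mac in sorted(replies):
        known = expected_bindings.get(ip)
        if known and known != mac:
            alerts.append({"ip": ip, "expected": known, "seen": mac, "ts": ts,
                           "reason": "contradicts static binding"})
        prev = last_claim.get(ip)
        if prev and prev[1] != mac and ts - prev[0] <= window_s:
            alerts.append({"ip": ip, "expected": prev[1], "seen": mac, "ts": ts,
                           "reason": "mac changed within window"})
        last_claim[ip] = (ts, mac)
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for MACs that answered for more than one IP.

    Legitimate multi-homed hosts and routers with aliases will appear here too,
    so this is a triage list, not a verdict."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_ip_mac_conflicts(SAMPLE_REPLIES, expected_bindings={"10.0.0.1": "aa:bb:cc:00:00:01"}):
        print("ALERT", alert)
    print("multi-IP MACs:", macs_claiming_multiple_ips(SAMPLE_REPLIES))
```

On the constructed sample, the gateway alert fires twice at t=3.2 (once against the static table, once because the MAC changed inside the window) and the workstation once at t=3.4; the multi-IP check singles out the one MAC that answered for both. DNS cache poisoning, the next item on the slide, has the same root cause but no segment-local observer, which is why the slide's answer there is DNSSEC rather than monitoring.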

  19. Education: It CAN Have an Impact
  • 150 million people use Windows Update
    • That’s not all Windows users, but it’s a significant fraction
  • People are buying shredders in record numbers
  • Fewer people leave mail in their unsecured curbside boxes
  • But (for example) very few people know that “erasing” their hard disk doesn’t really do much
