

Number of slides: 19

ID Theft: Methods and Agenda
John Black
University of Colorado, Boulder
April 15th, 2005
DIMACS

Security in the Real World
- Reality is complex, messy and hard to model.
  - Therefore I do cryptography.
- Recently interested in what is broadly called "Identity Theft"
  - WRFIS workshop in DC last month
    - Workshop on Resilient Financial Information System
    - https://www.cs.columbia.edu/wrfis/idtheft
- If I learned anything, it was how complex and messy the problem is

"Identity??"
- Back to definitions in an attempt to understand the problem
  - Identities are associated to each (human) entity
  - In the old days we had
    - Physical (eg, face, stature)
    - Abstract (eg, name)
    - Hybrid (eg, smell... works better if you're a dog)
  - Small communities, lack of technology, little incentive to crime

Modernity
- New ways of tracking an entity
  - Population explosion, increased technology, transportation and communication necessitate new identification techniques
  - Physical (eg, fingerprints, retinal scans)
  - Abstract (eg, SSNs, CC#s, MMN, National IDs)
  - Hybrid (eg, gait)
  - Scary (eg, RFIDs)
- Note how few of these were invented with the intent to identify the individual
  - Analogs with the usual "security as an afterthought" complaint

Stealing an Identity: An Old Idea
- Impersonation
- Fake Login Screen
  - I did this too... sigh...
- Fake ATM Machine
- Official-seeming people
  - Lawyers from the 4th floor
  - Taxi guy at EWR

Modern ID Theft
- 310,000 DL#s, SSNs compromised in 2004 (WSJ)
- Along with Nigerian 419s, biggest Internet scams of recent times
- Compelling stories by victims
- News organizations love this stuff
  - Everything is ID theft now
  - UC Berkeley Example
    - CA Law kicks in

The Good News
- FTC and Credit Agencies (Equifax, Experian, TransUnion) all have fraud divisions
  - Very used to dealing with this type of thing
  - Standardized process for flagging compromised accounts
    - Fraud Alert Tag
    - Still a pain but (anecdotally) doesn't ruin your life like it once did

Human Silliness (In My Opinion)

IDs: Not that Easy
- NRC Report
  - Implementing a national ID card has a lot of drawbacks as far as privacy is concerned
- Legit Assignments of Identities
  - Undercover gov officials, Witness Protection, etc
- Willing "lending" of IDs
  - Gaming

Phishing Survey
- Some sources claim Phishing losses somewhat overstated
  - Ah well, at least it's something we can address technically

Phishing Stats
- Number of active phishing sites reported in February 2005: 2625
- Average monthly growth rate in phishing sites, July through February: 26%
- Number of brands hijacked by phishing campaigns in February: 64
  - Top 6 brands accounted for 80% of sites
- Country hosting the most phishing websites in February: United States
  - Though I might conjecture not authored in the United States
- Average time online for site: 5.7 days
- Longest time online for site: 30 days

Hard to Believe But...
- Most people (>60% of the American public) have inadvertently visited a fake or spoofed site.
- Over 15% of respondents admit to having provided personal data to a spoofed site.
- Small number of people (slightly more than 2%) affected, with an average cost of $115/victim.
- Extrapolating to the entire U.S. population, economic impact of fraud close to $500M.

Monetization
>20-30k always online SOCKs 4, url is de-duped and updated every
>10 minutes. 900/weekly, Samples will be sent on request.
>Monthly payments arranged at discount prices.
>$350.00/weekly - $1,000/monthly (USD)
>Type of service: Exclusive (One slot only)
>Always Online: 5,000 - 6,000
>Updated every: 10 minutes
>$220.00/weekly - $800.00/monthly (USD)
>Type of service: Shared (4 slots)
>Always Online: 9,000 - 10,000
>Updated every: 5 minutes
September 2004 postings to SpecialHam.com, Spamforum.biz

Organized Crime and Spammers
- Estimated 65% of spam now originates from bots
- Commonly used in DDoS for years
- Useful for Distributed Phishing
- Some zombies log keystrokes, redirect URLs, and skim CC#s and passwords
  - Moral: Once you're 0wned there is really no point in talking about countermeasures

Buy This Identity!!
• Your name is: Sally S. Davidson
• You live at: 9216 Avenida Del Ladrón, San Jose, CA, 95131
• You are a computer programmer
• You make $57K per year
• You have two children
• You have a M.S. degree in Computer Science from University of Idaho
• Your Visa credit card number is: 9012-881-1313-100
• Your Phone credit card number is: 781-982-3172-1192
• Your Social Security Number is: 078-05-1120
• You have a California Driver's License, number 4439-1917421
• Your mother's maiden name is Friedman
• Your checking account with West Coast Civil Savings is 43-91-90321
• Your telephone number is 202-224-3121
• Your Fidelity investment account number is 451-910934, and the password is "fidelis".
• You were born on Feb 13, 1961, in Fresno, California
• You have an AOL account with username SSD9143 and password "fidelis"
This identity is available for a payment of only $79.95, payable in cash (do you think we would take a check or credit card from someone using this service?).

Phishing Countermeasures
- Uhh, use common sense?
  - Aaron argued that even we might fall victim to "contextual phishing"
- SpoofGuard and PhishHook and Others...
- PwdHash
  - If only it worked...
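The PwdHash idea on this slide is simple enough to show in code. The block below is an added example written for this page, not the PwdHash extension's own code: the browser replaces what the user types with a keyed hash of the master password and the site's domain, so each site receives a different password and a phishing site only ever learns the hash for its own domain. The real extension (Ross et al., 2005) used HMAC-MD5, an "@@" prefix as the trigger and a different output encoding; the SHA-256 HMAC, alphabet, length, last-two-labels domain rule and the sample URLs and master password here are this example's own assumptions.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Added example, not PwdHash's own code: a minimal re-implementation of the
# PwdHash idea. The browser sends HMAC(master password, site domain) instead
# of the master password, so a phishing site captures a hash that is only
# valid for the phishing domain. Alphabet, length and domain rule are this
# example's simplifications (assumptions), not the original extension's.

ALPHABET = string.ascii_letters + string.digits


def site_domain(url):
    """Registrable domain the hash is keyed on.

    Simplification (assumption): use the last two host labels instead of a
    public-suffix list. It is enough to show that a look-alike host such as
    www.paypal.com.secure-login.example keys on secure-login.example,
    not on paypal.com."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def pwdhash(master_password, url, length=12):
    """Site-specific password derived from the master password and the domain."""
    digest = hmac.new(master_password.encode("utf-8"),
                      site_domain(url).encode("utf-8"),
                      hashlib.sha256).digest()
    # Map digest bytes onto a password alphabet. The small modulo bias is
    # irrelevant here: the secret is the master password, not the encoding.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


def demo():
    """Same master password, real site vs. look-alike phishing domain."""
    master = "correct horse battery staple"          # constructed, not real
    real = pwdhash(master, "https://www.paypal.com/signin")
    phish = pwdhash(master, "https://www.paypal.com.secure-login.example/signin")
    return real, phish


if __name__ == "__main__":
    real, phish = demo()
    print("sent to paypal.com:         ", real)
    print("captured by phishing domain:", phish)
```

The defensive property is visible in the two outputs: the phisher gets a 12-character string that logs into nothing. The slide's "if only it worked" and the later "remote users and PwdHash" point at the operational gap: the hash is only computed where the extension is installed, so a user at a borrowed machine cannot log in at all, and any site that rejects the generated alphabet needs a policy-specific encoding.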

Fundamental Issues
- Current course is reactive and incremental
- Technology is hard to use
  - Eg, remote users and PwdHash
- Research is fun, but unless tools can be used with little sophistication...
  - Getting people to run a virus checker, firewall, and windows update is already way too much
  - Yeah, I know it's easy to stand up here and say all of this

Security: State of the Practice
- ARP
  - No authentication
  - Cache poisoning (local)
- DNS
  - No authentication (DNSSEC where are you?)
  - Cache poisoning (local and remote)
- ICMP
  - DoS attacks via spoofed hard errors, MTU discovery, source quench
- SSL
  - Spoofing, MITM
- http
  - Javascript (ugh), PHP/etc scripting vulnerabilities
- DIY protocols
  - Netscape RNG, Diebold, WEP, Poker, ICC, DST RFIDs
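Because ARP has no authentication, a reply cannot be validated at receipt; the only defensive signal is history, which is what arpwatch-style monitoring uses. The block below is an added example written for this page, not code from the slides: it replays a constructed sequence of ARP replies and flags the two symptoms of local cache poisoning, a binding that changes (the "flip flop") and one MAC claiming several IPs. The line format, the addresses and the timing are all constructed for the example, not captured traffic.

```python
from collections import defaultdict

# Added example (not from the slides): an arpwatch-style check over ARP replies.
# ARP replies carry no proof of origin, so the detector can only compare each
# reply against what it has seen before.

# Constructed sample in a simplified "HH:MM:SS sender_ip sender_mac" format
# (assumption: not real tcpdump output). 192.168.1.1 is the gateway; the host
# with MAC de:ad:be:ef:00:77 starts poisoning at 10:00:30 and the real gateway
# answers again at 10:01:00, producing the classic flip-flop.
SAMPLE_ARP_REPLIES = """\
10:00:01 192.168.1.1  00:11:22:33:44:01
10:00:02 192.168.1.10 00:11:22:33:44:10
10:00:03 192.168.1.77 DE:AD:BE:EF:00:77
10:00:30 192.168.1.1  de:ad:be:ef:00:77
10:00:31 192.168.1.10 de:ad:be:ef:00:77
10:01:00 192.168.1.1  00:11:22:33:44:01
"""


class ArpWatch:
    """Tracks IP<->MAC bindings seen in ARP replies and records anomalies."""

    def __init__(self):
        self.ip_to_mac = {}                  # last MAC seen for each IP
        self.mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()                    # normalise case before comparing
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            # Flip-flop: the binding changed. Legitimate causes exist (DHCP
            # address reuse, NIC replacement, VRRP/HSRP failover), so this is
            # an alert to triage, not a verdict.
            self.alerts.append(f"{ts} CHANGED {ip}: {prev} -> {mac}")
        self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                # One interface answering for several addresses; a station
                # claiming the gateway is the man-in-the-middle signature.
                claimed = sorted(self.mac_to_ips[mac])
                self.alerts.append(f"{ts} MULTI-IP {mac} now claims {claimed}")

    def suspects(self):
        """MACs that have claimed more than one IP address."""
        return {m: sorted(ips) for m, ips in self.mac_to_ips.items() if len(ips) > 1}


def parse_line(line):
    ts, ip, mac = line.split()
    return ts, ip, mac


def analyze(text):
    """Feed every non-empty line of the log into a fresh ArpWatch."""
    watch = ArpWatch()
    for line in text.splitlines():
        if line.strip():
            watch.observe(*parse_line(line))
    return watch


if __name__ == "__main__":
    watch = analyze(SAMPLE_ARP_REPLIES)
    for alert in watch.alerts:
        print(alert)
    print("suspects:", watch.suspects())
```

On the sample the detector raises five alerts: the gateway and the .10 host both flip to the attacker's MAC, that MAC is flagged for claiming three addresses, and the gateway flips back when its real reply arrives. The same history-based check is what a switch's dynamic ARP inspection or static ARP entries replace with an actual binding source; without one of those, detection is all ARP allows.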

Education: It CAN Have an Impact
- 150 million people use Windows Update
  - That's not all windows users, but it's a significant fraction
- People are buying shredders in record numbers
- Fewer people leave mail in their unsecured curbside boxes
- But (for example) very few people know that "erasing" their hard disk doesn't really do much