Category Archives: Identity Theft

New School: New Book by Adam Shostack

51jF+BW+JAL._SS500_.jpg Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.
We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new source of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven’t read the book yet, since it’s not published yet, but if it’s like the material he posts in his blog, it’s a good thing.

One of his commenters doesn’t get it: Continue reading

Publicity about Internal Fraud: Still an Issue after 30 Years

top_hansom_cab.gif Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn’t adequately protect taxpayers’ information and promises to do better. His quote that I like best, though is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

-jsq ~

Phishing Verified

jeremy_clarkson.jpg Or is it really phishing when the victim first broadcasts his bank account details?
BTop Gear presenter Jeremy Clarkson has admitted he was wrong to brand the scandal of lost CDs containing the personal data of millions of Britons a “storm in a teacup” after falling victim to an internet scam.

The outspoken star printed his bank details in a newspaper to try and make the point that his money would be safe and that the spectre of identity theft was a sham.

He also gave instructions on how to find his address on the electoral roll and details about the car he drives.

However, in a rare moment of humility Clarkson has now revealed the stunt backfired and his details were used to set up a £500 direct debit payable from his account to the British Diabetic Association.

The charity is one of many organisations that do not need a signature to set up a direct debit.

Clarkson stung by fraud stunt, Guardian Unlimited, Monday January 7 2008

He admits he was wrong, but nonetheless tries to pin the blame partly on a privacy law:
“The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again,” he said. “I was wrong and I have been punished for my mistake.”
At least he doesn’t call for revoking that Act; he does call for going after the perpetrators.


PS: Seen on BoingBoing.

Breached Party: Labour Loses Confidence Due to Lack of Breach Security

breachedwhale.jpg The U.K. Revenue ministry has been leaking massive amounts of personal information, and now it’s affected the ruling party:
The Government will face fresh questions over the loss of millions of voters’ personal data amid evidence the debacle has helped fuel a massive slump in public confidence.

One poll showed those backing Labour’s ability to handle economic problems had been more than halved to 28%, with just a quarter deeming Gordon Brown’s administration “competent and capable”.

And another gave the Tories a nine-point overall lead, its strongest position for 15 years, just weeks after Labour enjoyed an 11-point advantage in the same poll.

Confidence in Labour ‘plummets’, Press Association, Guardian Unlimited, Friday November 23, 2007 7:03 AM

A government in risk of falling due to lack of breach security and perceived lack of technical confidence might be what it takes to get governments and industry to take breach security seriously. For example by requiring breach reporting.


Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

figure4.gif How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.


eCrime Papers Posted

ecrimetitle.gif The APWG eCrime Researchers Summit has released its papers by linking them to its agenda. Lots of interesting stuff there about phishing and website takedown, capture and recapture, password reuse, behavorial reaction, etc.

There were also sessions on getting technology solutions adopted and user education, but those appeared to be panels, and don’t have papers posted.


APWG in Pittsburgh and Fraud in Japan

gm2007logo.jpg The Anti-Phishing Working Group is having one of its periodic member meetings, this time in Pittsburgh. Probably I shouldn’t report too much detail, but I’ll say that interesting things are going on worldwide that may spread to other countries. For example, in Japan it seems that fake programming sites are more popular than phishing. Also, if I heard correctly, most phishing in the Japanese language originates from phishers in Japan. This would make sense, since it’s very hard for foreigners to write well enough to pretend to be Japanese. So that one probably won’t spread too widely, but the fake programming scam could.

My favorite is the history attack. World War II ended on 15 August 1945 in Japan, so a timeline of that war can get a lot of hits on a war’s end link in August of any year. Who would have known history could be so popular?

Meanwhile, during Carnival in Brazil, nobody reports malware, so there’s a dip in measurements…. Then and the rest of the year, sophisticated personalized social engineering attacks seem to be popular in Brazil.


To Insure or Not to Insure?

firewallmovie.jpg Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.

He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.

Then he gets to the real quesion:

How viable is this model? The first thing would be to ask: can’t we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren’t too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight’s pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

If Insurance is the Answer to Identity, what’s the Question?, Iang, Financial Cryptography, September 11, 2007

This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.

I have several thoughts about this:

Continue reading

Identity Theft as Marketing Opportunity

Since identity thieves are making many people worried about losing control of their identities, of course somebody has found a way to cash in on all that free publicity:
By now you’ve heard the stories about Americans whose identities have been stolen. They’re not pretty…people working for hundreds of hours over many years to get their lives back in order, kids not getting student loans because someone has already ruined their credit, people losing homes because thieves placed mortgages they never knew existed, even innocent individuals ending up in jail.

LifeLock can keep this from happening to you and we guarantee our service up to $1,000,000.


I seem to recall reading that the typical identity theft is only worth $1,000, but nevermind that.

Look who recommends it:

You’ve heard Rush Limbaugh, Paul Harvey, Dr. Laura, Sean Hannity, Howard Stern, Dr. Joy and others endorse us.
Well! None of those people would ever sell pure fear, would they?

I have to give them credit for honesty, though: LifeLock admits right out that the main four preventive things they do you could do for yourself. Beyond that, the main substance they seem to offer is essentially an insurance package:

If your Identity is stolen while you are our client, we’re going to do whatever it takes to recover your good name. If you need lawyers, we’re going to hire the best we can find. If you need investigators, accountants, case managers, whatever, they’re yours. If you lose money as a result of the theft, we’re going to give it back to you.
For $110/year or $10/month, is such an insurance policy overpriced, underpriced, or what?


Are You Ready for Some Football Storm?

storm_nfltracker_2.jpg What do you do with the world’s fastest supercomputer? Use it to follow football, of course!
Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL) which is timely considering the 2007 NFL season started on the 6th of September. The website even has the correct score, statistics, and schedule information.

Storm and NFL, by Patrik, F-Secure Weblog, Sunday, September 9, 2007

It’s sort of like gambling on the game; gambling that some suckers will think the site is legit.


PS: Seen on Fergie’s Tech Blog.