Schneier on Security
A blog covering security and security technology.
April 28, 2009
How to Spot a Fake Census Worker
This apparently non-ironic video warns that people might impersonate census workers in an effort to rob you. But while you shouldn't trust the ID of a stranger, you should trust that same stranger to give you a phone number where you can verify that ID. This, of course, makes no sense.
Preventing impersonation is hard.
Posted on April 28, 2009 at 9:06 AM
• 42 Comments
If an attacker is advanced enough to generate fake ID, would they not also be able to have an accomplice purchase a disposable pre-paid cell phone to act as an identity validator?
This is where a trusted third party would come in handy. Are there CAs for people? :)
Maybe there should be a central number you could call for confirmation whether a person with a given badge ID (from a given company) is working in your area. A text message or internet service could probably even send a photo back, so you can be certain the badge wasn't stolen (because you really want to validate the owner, not the badge).
This reminds me of a scam I saw about a year ago. Some people with clipboards in suits showed up at the store where I work claiming to be from the 'Audit Board'. There is no such thing. The liquor board does do audits but does not have a separate 'Audit Board'. These people tried to gain access to the storage areas (presumably to steal liquor). The manager on duty was not fooled. However, it was kind of funny just how unprepared these people were. They showed up at about 7:00pm on a Sunday night to do their 'audit', didn't know the names of any liquor board employees, and didn't even have a fake phone number. They left when we called the police.
I agree that there are still attacks possible against the 'check that the badge looks authentic, call the provided number to verify, etc.' protocol, but by the time the attacker has gone to the effort to forge all of that and get an accomplice to answer the phone, I think we're entering movie plot threat territory. The cost of the attack (time, materials, & complexity leading to risk of getting caught) exceeds the expected payoff.
However, if the otherwise authentic-seeming census worker tells you that they really need you to say the word 'passport', I might get suspicious.
> The cost of the attack (time, materials, & complexity leading to risk of getting caught) exceeds the expected payoff.
This is a notoriously difficult thing for the victim to assess adequately. There are scams in India, where a taxi driver will tell you that the hotel you are being taken to is closed. They'll offer to wait while you check at a 'tourist agency' that is actually run by an accomplice. The tourist information employee will even offer to phone the hotel for you, putting you through to a fake receptionist who will confirm that the hotel is closed at the moment for work.
All this, just to skim the referral fee from the hotel that the taxi driver then recommends to you.
Anybody here with experience in detecting impersonators have any suggestions? For example, if you call the number to confirm the identity of the worker, what questions could you ask to try and "break out of the script", so to speak? Purposely give them the wrong # from the badge to see if they detect the error? Ask a procedural question of the person who visits you, then ask the same procedural question of the person on the phone? (e.g., what is the earliest time you are allowed to visit people?)
On the other hand, if the phony census worker is trying to case the joint, they only need a quick look around to see if they want to come back later.
The recent Lance Armstrong controversy was a case in point.
WADA recognize their own drug tests, those of sport ruling bodies and nominated national agencies - so in every country in the world, there are several different bodies that may be able to test you under the WADA code. As an athlete you tell WADA where you'll be, and recognized agencies can ask them for that information.
The next thing that happens is a tester from the agency turns up, with photographic ID from their agency, and the athlete is supposed to accept this.
Armstrong had not seen AFLD ID before - they became the delegated testers in 2006, after his last Tour - and decided to check with the UCI (cycling's governing body). The controversy arose over what happened during the 20 minutes it took to verify the ID, in part because there is no procedure for doing so.
Somehow, I think you'd want to verify ID before inviting some random bloke in to watch you take a leak.
The company I used to work for was almost a victim of a scam. The scammer had somehow gotten a hold of one of our checks, and had made a copy with a cell phone number on it. When the check cashing place called to verify the scammer's identity as an employee, the call went to an accomplice. The check cashing place gave the guy his money.
The bank caught the phony check, refused to honor it, leaving the check cashing place holding the bag.
It was unnerving to know that someone had done this - our bookkeeper was quite diligent about security.
"Preventing impersonation is hard"
No it's not you just pass a law that says that everybody has to have all their Bio-info stored in a huge DB and give everybody invasive Bio-readers...
And back to the real world where politicians' fantasies are not exploited by junk technologist start-ups...
Yup, a hard problem it is, and sadly not recognised as such by those who should know better...
As most know, it's not exactly difficult to get "official" uniforms from any number of legitimate establishments (otherwise the costumes in TV dramas are going to look oh so phoney).
Further, hands up those who know what a local LEO ID looks like, let alone are able to tell if it's phoney.
So why on earth do the judges and other members of the national legislature think so little of those that attempt to verify a supposed LEO's ID?
Fortunately it doesn't matter if someone is an impersonator or not. If they ask anything other than "how many people live here," they've exceeded the Constitutional authority of the Census Bureau and are invading your privacy. Which criminal gang they're doing so on behalf of is irrelevant.
How about if you ask them for a phone number, then google that phone number before you call it? Finding your local census bureau's phone number might be hard, but verifying their number may be significantly easier.
Of course I assume this video is not that smart.
I worked as a census worker in 1990 and 2000.
1) A worker will only come to a home if that residence has not submitted a census form. So one way to deter is if you fill out the census form.
2) I NEVER went further into the home than the threshold and I only asked the questions listed on the official form. Any worker who does any more or venture through the home should be reported/fired.
As always, the best defense is being well informed.
@Clive "Preventing impersonation is hard"
No it's not you just pass a law that says that everybody has to have all their Bio-info stored in a huge DB and give everybody invasive Bio-readers...
...hmmm, maybe that's what all those aliens are doing to abductees with their uh-oh probes.
> if you call the number to confirm the identity of the worker
Don't even bother calling that number. Look up the phone number for their organization yourself, and if possible, take care of whatever business with whoever answers the official phone number.
"Authorities have obtained a warrant accusing Caskey of impersonating a public servant, a third-degree felony punishable by up to 10 years in prison and a $10,000 fine," police said.
Posted by itwasnoti
It should have been obvious when he didn't beat up the suspects and acted intelligent and polite in any way. How could they miss this?
Posted by dragn1
If the cops don't even know who other cops are, how am I supposed to trust any of them?
Check the phone number at http://whocalled.us/ where you may find out if other people have complained about the same number.
@ Clive Robinson
Now imagine if someone cracks in to that Bio-database.
I remember there is an old movie entitled "Hackers". If I remember correctly, in it, an evil cracker modifies a computer database so that a good cracker's mother is listed as a drug dealer who escaped from prison. He says since she's listed as a fugitive, she'll be sent to prison without a trial, and because she's listed as a drug dealer, she'll be strip-searched.
I would be wary of any electronic database that does not have a paper trail to confirm its contents.
Yes, there are CAs for people, but the problem is bigger and more complex than it looks.
As an example think about how authority n should establish the 'quality' of a certificate issued by authority m. If they need to contact organization m (securely) ... who is the contact and what is the channel, how much should they be trusted. Realize this may have to be done roughly m * (n-1) times. This trust problem exists at every level...
As a result, people give up on the above and decide to start from scratch and create a bridge with a single subset of rules that will apply to everybody. (lowest common denominator)
If you got this far ... there is still the problem of bootstrapping trust to the new person. How do you set the standard for whether a new person gets an ID from you? If you set it too high ... you will have some people that will do more activities without any authentication. If you set it too low, well, people understand that risk.
Remember, IDs can generally be obtained with forged utility bills or with an accomplice who is willing to lie on an affidavit saying you are someone you are not.
Estonia has a smartcard based national ID system, btw and the certificate on the smartcard is usable for electronic signatures. It is a great example of what is possible.
I have not used it, but after all those problems are solved ... there are still lots of annoying real-world impersonation / MitM attacks that are possible ... like how do you know what you are signing? The smart card doesn't have a display... Whose keypad gets used for an exchange? What if the card is 'broken'?
Trust is established through contact and experience .. brokering trust is fundamentally difficult.
@Or not: "an evil cracker modifies a computer database so that a good cracker's mother is listed as a drug dealer who escaped from prison. He says since she's listed as listed as a fugitive, she'll be sent to prison without a trial"
Actually that wouldn't be complicated to refute. If she supposedly escaped from prison on April 10, there would likely be a trail of transactions, work appearances, etc., from before then when she was supposedly locked up. It would be unlikely she clocked into work the day before her big escape. Not to mention, it is likely that the prison that she supposedly escaped from would have no recollection of the escape, no records of the prisoner, and no one would recognize the "fugitive."
I'm not saying that data security in these instances is not important; of course it is. What I am saying is that decentralization of information is quite important to our liberty and security (i.e., we can't have all our eggs in one basket).
A person claiming to be an investigator for the U.S. Office of Personnel Management called me last year, saying she was investigating a friend that had listed me as a reference on his government security clearance application. She asked if she could ask me some questions about my friend. I told her "certainly, give me your name and office phone number. I'll call you back."
She then explained to me that she doesn't have an office and her phone is a government-issued cell phone. I asked for her supervisor's name and his office phone number. She said he also doesn't work out of an office and also uses a cell phone. Explaining my need to verify her identity, I asked if I could call any government agency found in the phone book that would vouch for her. "How about the local FBI office?", I suggested. She said it was her job to investigate all the FBI agents' security clearances, but none of them would probably know her.
The only public office this agency has is in Washington D.C. (I live in Texas.) All others have unlisted phone numbers. The investigator offered to drive the two hours to visit me and show me her badge and credentials. Since I don't know what a valid credential looks like, that really wouldn't help.
I ended up calling my friend (who had the security clearance being renewed) and had him confirm her identity, since there was no other easy method of doing so here in the U.S.
Just ask the Census worker if you can see their official ID, driver's license, and if you can take a photograph of them. The odds of the first two matching (if they'll even show the license), and letting you take a photo of them, I would bet, are very slim.
I agree with the poster above: the risk/reward of doing something like this isn't worth it.
@the other Alan: "I agree with the poster above: the risk/reward of doing something like this isn't worth it."
I would agree. The odds of being targeted at random are slim; there would probably be some other factor involved. Specific target, known fool, etc.
This is a rough transcript, from memory, of a recent phone conversation:
Ring ring (number withheld)..
Her: Hello, this is the Co-operative Bank. Is that Mr Brown?
Her: We'd like to talk to you about some possible fraudulent activity on your account.
Her: First, I need to take you through security. Can I have letters one and three of your password, please.
Me: How do I know you are really who you say you are?
Her: You can call 08453550305 and they can take you through security.
Me: OK. Thank you. Bye.
/me checks number given on the Cooperative Bank's web-site. Not listed.
This is a common and typical pattern for several UK banks. They don't appear to understand that this behaviour is setting a precedent that will enable fraudsters to obtain information from their customers. What's more trying to explain this problem to them seems to be beyond their intelligence level.
Bruce, please help!
For example, my Swedish National ID card has a phone number on the reverse side of the card. The instruction says in Swedish and English "To proof the validity of this card call 114 14".
Then it strikes you -- if I'm going to fake this card, might as well fake the number.
It depends on who you want to fool though; in some cases, having the wrong number there might be noticed!
@ Or not,
"I would be wary of any electronic database that does not have a paper trail to confirm its contents."
As they say,
"You and me both brother"
Hence my comment about it being exploitable.
On a side note, the UK Gov has very recently announced (quite quietly) that they are not going to have a "mega database" to store every internet transaction and the data involved.
The reason they cite is "the people don't trust us", which is oh so true.
But what they go on to say is that the job will fall to ISPs and employers...
So you have a Government that has bankrupted the country in every way but name, deciding that they are going to force all organisations to store vast amounts of data at their own expense and risk, on fear of putting executives in prison if they either don't store the right data or inadvertently lose it or allow (publicly known) unauthorised access...
Hmm... "like I trust them" not "to put the screws on" company executives via overt or otherwise threats etc. to gain access to the data as and when they see fit with absolutely no judicial oversight...
I suspect the real reason they are not building the DB themselves is they have neither the money nor the expertise to do it, and if they try to get the latter it will (as with all things Gov-mandated ICT) be leaked to the press fairly rapidly.
As a side note as to just how bad it gets, the UK has the world's largest IT project/contract, called amongst other names the "NHS Spine". Put simply, it is a central database where every person who has a medical record within the NHS (that includes overseas visitors who have had emergency treatment as well) has it stored centrally. Also every action for treatment including diagnosis is added in. Satellite DBs include "Choose and Book", "Cerna", "RiO" and many others, which are part and parcel of this lunacy.
The security of these highly confidential records is virtually non-existent.
"Choose and Book" has patient passwords that are stored in plain text that anyone with provider-side access can see with effectively no audit. Apparently this is OK as it does not give access to "medical records", but it does to names, addresses, whether you live alone and other identifying information such as phone numbers etc., as well as where, when and what you are going to be treated for... (so if you are a burglar or ID thief it's spot on). Oh, and provider-side staff includes bored students doing summer jobs for various "associated organisations" as call centre staff etc. who are unlikely to have been vetted in any way. Further, I know from personal experience that some of these organisations copy the data across to spreadsheet programs on the hard drives of insecure MS PCs that have had the HDs misplaced, but as the medical records were not lost (just all the person's other details) that's alright...
Likewise some hospitals in the London area use RiO, which stores similar personal details as Choose and Book but related medical information as well (including clinicians' notes), and one major trust (St George's) copied all of the data onto a number of laptops whilst upgrading facilities, and five of these laptops went walkies and have not been seen again. And no, the records were not protected in any way, as several staff needed to access each laptop...
And again I know from personal experience that the data held in at least one NHS trust's RiO database is dangerously inaccurate (they still have the wrong blood type for me even though they have been told several times). Another trust has the wrong phone number and several other details like my name incorrect, oh, and that I have surgical appliances that I need to return or pay for...).
Then there is Cerna, which the Gov has been trying to roll out to "favoured status" hospitals. It is a complete and utter disaster, from an unusable human interface to providing incorrect figures for accounting and other purposes, and it has been found that it is possible to have one patient's records on screen and the updates go to another patient's records that might still be held open invisibly on the same machine...
One quite famous hospital in a leafy suburb of North London has had to write off tens of millions of pounds due to the useless system as they cannot bill for work carried out. Further, they have had to take on significant numbers of new staff to try and keep the system in step with what is happening within the hospital. The Chief Executive, who was once the "darling of New Labour", has come out publicly to say what a disaster the system is, and knowing that he is going to be permanently "re-organised" into oblivion by the politicos has jumped the gun and taken a job on the other side of the world.
And the closer you get to the backbone of this mammoth the worse it gets. Records are lost or badly updated, the supposedly "secure system" has infected a number of hospitals with trojans and viruses and lost many thousands of man-hours of NHS staff time.
Not only is it a complete and utter disaster for the patients and hospitals, it has virtually bankrupted quite major organisations.
One of which is Bruce's employer BT, who appear to have played fast and loose with company financial records to cover it up, and still pay the senior directors huge bonuses (i.e. they are claiming that work done has earned money for BT whereas in fact no money has been paid to them, effectively the same as calling "cold dead eggs laying hens" and saying that egg production is therefore increased...).
Oh, and to add to BT's misery, the EU is currently investigating (and apparently starting to take action against) them over their "personalised Internet advertising" system.
(Sorry Bruce, it is not as though I and others did not warn you about BT's sorry state and slow tail spin when you announced you had sold your company to them).
To most telecoms-savvy people in the UK the only real asset BT can claim to have is "the copper in the ground", and unfortunately "it would cost more to dig it up than it would fetch as scrap", and as it has to be maintained at quite high cost you could easily view it not as an asset but a significant liability. Not that BT accountants have not tried to write it up as an asset worth what it would cost to replace...
I was at a meeting when John Lindsay said this to a bunch of their senior executives back in the early 90's as an invited speaker; to say you could cut the air with a knife was an understatement...
I received a call on my personal cell phone on a weekend. The caller indicated she was from the IRS and was following up on unfiled taxes. She then proceeded to ask me several "security" questions to ensure she was in fact talking to me.
Now I did indeed know that I was not up to snuff on my taxes, but I refused to give my personal details (e.g. SSN, bank details, etc) without verifying her identity.
She was very nice and seemed to enjoy the fact that it was actually a hard problem.
We talked for a while and it was very difficult to verify her identity to me either without giving out any of my personal info. I think we settled on reading off alternate numbers in my SSN in sequence to authenticate each other (kind of a shared secret).
You would think we/they would have a process, however half assed, for this.
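The exchange above improvises mutual authentication from a shared secret. As an added example (not part of the original post or of any commenter's code), here is the same idea written out as a challenge-response protocol: each side proves knowledge of a pre-agreed key by answering a fresh random challenge with a short code, and no part of the key is ever read aloud. The key, the party names and the six-digit code length are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6  # short enough to read out over a phone (assumption)


def response_code(key: bytes, role: str, nonce: bytes) -> str:
    """Six-digit code derived from the shared key, the responder's role and
    the challenger's nonce. Binding the role stops an impostor from simply
    reflecting a code they just received back at the party who computed it."""
    mac = hmac.new(key, role.encode() + b"|" + nonce, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"


class Party:
    """One end of the phone call. The key is agreed beforehand (assumption:
    a random secret, not something guessable such as an account number)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key

    def challenge(self) -> bytes:
        # Fresh nonce per call, so a code overheard today is useless tomorrow.
        return secrets.token_bytes(16)

    def respond(self, role: str, nonce: bytes) -> str:
        return response_code(self.key, role, nonce)

    def check(self, role: str, nonce: bytes, code: str) -> bool:
        expected = response_code(self.key, role, nonce)
        return hmac.compare_digest(expected, code)


def mutual_authenticate(callee: Party, caller: Party) -> tuple:
    """Run both halves of the protocol; returns (caller_ok, callee_ok)."""
    # 1. Callee challenges the caller: "read me the code for this number".
    n1 = callee.challenge()
    caller_ok = callee.check("caller", n1, caller.respond("caller", n1))
    # 2. Caller challenges the callee with a different nonce and role.
    n2 = caller.challenge()
    callee_ok = caller.check("callee", n2, callee.respond("callee", n2))
    return caller_ok, callee_ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed shared key
    me, agent = Party("taxpayer", key), Party("agent", key)
    impostor = Party("impostor", secrets.token_bytes(32))
    print(mutual_authenticate(me, agent))     # genuine agent: (True, True)
    print(mutual_authenticate(me, impostor))  # wrong key: (False, False)
```

A six-digit code gives a guesser one chance in a million per attempt, which is only acceptable if the verifier hangs up after a failed answer. The protocol says nothing about how the key was agreed; if the "secret" is something both a caller and a stranger could already know, the challenge proves nothing.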
Huh. so do you US census workers stand at the door asking questions? It must take an enormous number of person hours!
When fake census workers crawled out of the woodwork for the last Australian census in 2006, the Australian Bureau of Statistics issued several pieces of advice on spotting fakes. None of them were foolproof (e.g. will be wearing photo ID) but the strongest was quite simple: census collectors are not allowed to ask questions, they are only there to collect the official form.
(Of course I would be uneasy about handing over the form to a fake census collector, but none of the official questions are actually of much interest to a thief.)
They also distributed pictures of the special bag they would use to collect the form. It would not be very hard to make a fake bag -- but fairly challenging to do it in the ~24 hours available.
I had an almost identical conversation with HSBC, and I had a workmate who used to receive similar calls from his bank almost daily.
The worst thing about HSBC was that they were completely flummoxed when I asked them to prove who they were. They had no idea how to do that, presumably because no one had ever challenged them before. I suggested that I ring the number on their website but once I made it through the phone tree and asked why they had called me, no one knew.
This sort of thing happened to me once, though I was the one in a position of questionable identity, not the one trying to verify it.
Once upon a time, I was working late and a police officer arrived because someone called in an open door. (Hey, it was warm!) To verify I was supposed to work there, the officer checked my ID and called a number I gave him.
Maybe next time I'll offer my own number just to make a point.
I was recently cold called by a Fed Investigative Agency to help resolve a case.
The agent left a personal office and cell number.
I called the agency out of the phone book and offered the name as left and the phone numbers,
and asked if there was any cause to have suspicion of the contact request.
They confirmed the agent's identity, and said that the numbers raised no suspicion.
I have done this recently.
I bought something with my credit card which was out of the ordinary (a Windows XP license, as it happens!). My CC phoned me the next day, asked me to confirm my identity.
I refused, asked them for a number I could call them on, so that I know who I am talking to before I give them any personal details.
They replied that the phone number on my card could be used, told me how to get to their department (#1#3#7 or whatever!), and the caller's name. I phoned them back, got to the department, asked for the person who called me, and continued to identify myself and okay the transaction.
In this case, I had the number on my card; if I don't trust that, there's not much more I can do! In other similar scenarios, I would simply google the number I had been asked to call. That can provide useful information about the company. If a search for an alleged HSBC phone number turns up on hsbc.com, it's likely to be legit. Check the details of the URL to be sure; if it's hbos.com/peoplewhoscamus.html then it's not legit ;-)
Roger wrote: "Huh. so do you US census workers stand at the door asking questions? It must take an enormous number of person hours!"
The survey is sent by mail and the response is sent by mail. As far as I know, workers do not go door to door.
>The worst thing about HSBC was that they were completely flummoxed when
>I asked them to prove who they were. They had no idea how to do that,
>presumably because no one had ever challenged them before.
The people working the call centres may not know, but I'm sure the security teams at these organisations understand the problem - they just choose to ignore it.
What they don't seem to understand, though, is that they are conditioning their customers to accept this as normal behaviour. Even if they stop this practice, fraudsters will still be able to use it.
A similar thing happened with email in the early days of Internet banking and the banks are still suffering from that one.
Bruce, you assert the problem is limited to strangers:
"No one could successfully impersonate your brother, your best friend, or your boss, because you know them intimately."
The term "intimately" is misleading as even these can be impersonated. It is a question of secrets and biometrics.
Check out the movie called "The Reunion Impersonator" where a woman hires a stripper to pose as her during a ten-year reunion.
Note the biometric reference towards the end.
@ i need a name
The US Census survey is sent out by mail, but many people do not complete the forms.
After the mail-in deadline (I think it's the start of the summer/end of April) Census workers are sent to gather the information in person from those who did not return their form.
There is a form with a list of questions that need to be asked. Some of the forms are longer than others - predetermined by the agency (Dept. of Commerce).
If a worker cannot reach the family listed for the address, they try to gather the basic information from neighbors.
Sometimes several visits are required in order to get the replies.
This process can last for several months. Workers are told not to enter the house/home.
In 2000, workers had badges with no picture and a write-in space for the name that was filled in by hand.
"If you're not certain someone is who they are"
"Bruce Please Help"
Oh my .. I thought this was technical blog -- let's make sure Bruce doesn't have a keg of kool-aid in the front yard.
Come on Mr. Brown -- you can handle it yourself; you aren't robbed yet, are you?
For US Government employees (Federal/state/local) there should be a single nation-wide 800 number doing nothing but confirming badges etc. Their computers should have a limited protocol access (input badge, return confirmation facts/off-duty/stolen/bogus) to the various federal/state/local databases. This would cost some tax dollars as it cannot be staffed with prisoners or minimum wage staff for security reasons. The call center computers should also call-trace/GPS locate callers to make sure callers are at least physically close to the real badge holder (scam-to-prevent: Bad guy calls from phonebooth/disposable cell to get info on soon-to-be victimized officer) Also calls should be randomly assigned to workers so no single or small group of staff can be bribed / pressured to mishandle certain calls.
For banks and credit companies: The call center that handles reporting of stolen credit cards and phone-in credit card checks should also verify bank staff and facility IDs at the same well-published phone number. The infrastructure and staff training is mostly in place; just add a new class of data to be confirmed.
Typical conversation 1: "Please give me the call-back number for Smallville S&L worker Joan." Reply: "Sorry, Joan has not been calling your number lately from her work phone" OR "Yes, she just called you at the number you are calling from; call her back at 555-555-5555 extension 5555."
Typical conversation 2: "Hi, is the ATM at the corner of 55th avenue and 55th street in Metropolis real?" Answer: "Yes, there should be 3 green ATMs in a row there and 2 red ones round the corner" / "No" / "It is out of service, try the one at 54th and 56th."
Typical conversation 3: "Does the website www.citibanknewcampaign.org really belong to CitiBank?" Answer: "Yes" / "No, it is a known scam" / "It is not on their list, let me double check with Citibank security, please hold."
Actually I completely disagree with all the suggestions here that this wouldn't be an effective way for *YOU* to avoid being scammed. It's just not a strategy that would be effective if applied generally.
I mean having a prepared number for you to call and a person ready to answer it is an added expense/annoyance/risk (what if they forget and answer the phone incorrectly). It's far easier on the part of the con man to simply target the majority of the population who won't ask and if he is feeling paranoid pick a permanently busy number to offer up if asked.
So no, it's not a good way to be sure it's really a census agent but it's probably a way to reduce your risk of being scammed.
As a US Census lister/enumerator this year, I can vouch that IDs do not have pictures, and a hand written name is on the hanging ID as in previous Census years.
I think we are becoming far too paranoid as a society. A professional crook does not need for you to answer your door to size you up as a potential target. And an addled crack-head would not even bother showing an ID badge.
@ Or Not & HJohn
I recall a case (names forgotten, though Angela Davis pops to mind just now) where a flight attendant was mistakenly identified as the perp (through a passing resemblance), and was immediately jailed, even though she was certifiably out of the country at the time. Her airline, who could have provided corroboration, effectively disavowed all knowledge of her "extra-curricular" activities.
I regret I don't remember the final outcome, except that she was eventually freed.
The point being, refutation may happen, but may also take a considerable toll on one's life and reputation, even if it were a 'false alarm', like in the case of the flight attendant.
(PS timeframe from my faulty memory c. late 1970s-early 1980s)
Well, it's worse than the matter of merely printing the number on the ID. To some extent, authentication relies upon trusting the person asking for authentication. Just as you trust the clerk that you hand your credit card to not to skim the number and rack up charges, this implies that you trust the person that the census worker is handing ID to. Because once they have the information off of the ID, they have sufficient information to impersonate a census worker. Even if you were convicted of a home invasion robbery, once you're out on parole, you can ensure that a census worker will drop by with the simple expedient of not returning your form. Then you know what the ID looks like, and have enough CORRECT information that you can make an ID that can withstand a blind call ID check.
You'd need the census workers to have a set of single use authentication numbers to hand out to people.
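The single-use numbers proposed here, together with the badge-confirmation line sketched a few comments earlier, can be put together as a small verification service. This is an added example, not code from the post or from any census bureau: a stand-in service mints a per-visit token bound to the worker's badge number and the address to be visited, the householder reads the token back to a number they looked up themselves (not one printed on the ID), and the service accepts it exactly once. The service key, the badge and address formats, and the token layout are assumptions.

```python
import hashlib
import hmac
import secrets


class VisitTokenService:
    """Stand-in for a verification line run by the issuing agency (assumption).
    A token is 'serial-tag': a random serial plus a MAC over the serial, the
    worker's badge and the address, so a token copied from one visit cannot be
    reused at another door, by another badge, or a second time at the same door."""

    def __init__(self, key: bytes):
        self.key = key   # service-side secret; nothing derived from it appears on an ID
        self.used = set()

    def _tag(self, serial: str, badge: str, address: str) -> str:
        msg = f"{serial}|{badge}|{address}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:8]

    def issue(self, badge: str, address: str) -> str:
        """Called by the worker before the visit (e.g. from the field office)."""
        serial = f"{secrets.randbelow(10**6):06d}"
        return f"{serial}-{self._tag(serial, badge, address)}"

    def verify(self, token: str, badge: str, address: str) -> str:
        """Called by the householder. Returns 'OK', 'REPLAY' or 'INVALID'."""
        parts = token.split("-", 1)
        if len(parts) != 2:
            return "INVALID"
        serial, tag = parts
        expected = self._tag(serial, badge, address)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "INVALID"   # forged, or bound to a different badge or address
        if token in self.used:
            return "REPLAY"    # genuine token, but already spent
        self.used.add(token)
        return "OK"


def householder_check(service: VisitTokenService, token: str, badge: str, my_address: str) -> bool:
    """The householder's side: the service object stands in for the phone
    number you looked up yourself, and you supply your own address."""
    return service.verify(token, badge, my_address) == "OK"


if __name__ == "__main__":
    svc = VisitTokenService(secrets.token_bytes(32))   # constructed service key
    token = svc.issue("B-1234", "10 Main St")           # constructed badge and address
    print(householder_check(svc, token, "B-1234", "10 Main St"))   # True
    print(householder_check(svc, token, "B-1234", "10 Main St"))   # False: already used
    print(householder_check(svc, token, "B-1234", "12 Main St"))   # False: wrong address
```

The ID shown at the door carries nothing the householder needs to trust: the token is worthless without the matching badge and address, and worthless again after one successful check, so copying a worker's credentials during a visit no longer yields a reusable identity.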
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.