Schneier on Security
A blog covering security and security technology.
« Hacking Mifare Transport Cards |
| UK Electronic Passport Cloned »
August 7, 2008
Indictments Against Largest ID Theft Ring Ever
It was really big news yesterday, but I don't think it's that much of a big deal. These crimes are still easy to commit and it's still too hard to catch the criminals. Catching one gang, even a large one, isn't going to make us any safer.
If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:
The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what's been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don't want made public. The posting of Paris Hilton's phone book on the Internet is a celebrity example of this.
The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn't take much personal information to apply for a credit card in someone else's name. It doesn't take much to submit fraudulent bank transactions in someone else's name. It's surprisingly easy to get an identification card in someone else's name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.
Proposed fixes tend to concentrate on the first issue -- making personal data harder to steal -- whereas the real problem is the second. If we're ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.
I am, however, impressed that we managed to pull together the police forces from several countries to prosecute this case.
Posted on August 7, 2008 at 12:45 PM
• 23 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
"If we want to mitigate identity theft, we have to make it harder for people to get credit, make transactions, and generally do financial business remotely:"
Agreed. Again, as I've said before and in reference to liability concerns, the major effectiveness of combating this type of theft is going to come in the form of lowering the incentive (or return on investment) for the crime in the first place.
I've read on this blog before: National ID cards with an official citizen registry system and a fair amount of anti-forgery in its design are evil. But in e.g. Germany this system leads to the necessety to prove your ID with it in person at your bank before you can request a credit card. No one accepts just _some id_ (unless it's trivial) but only the official ID Card. That's effective.
"But in e.g. Germany this system leads to the necessety to prove your ID with it in person at your bank before you can request a credit card. No one accepts just _some id_ (unless it's trivial) but only the official ID Card. That's effective."
So what happens when someone in the government starts selling falsified official ID Cards?
That will happen. The market is just too valuable.
And once it becomes "official", it's even more difficult to remedy because everyone "knows" that the official ID card is "good".
Your described system has two aspects, and I believe you are focusing on the wrong one. The issue isn't the type of ID card. Much ID theft occurs without any ID card involved in the transaction at any point.
If people were required to present themselves in person in order to open financial accounts, ID theft in the U.S. would be much reduced.
Shane, I think your argument is tough in practice. For example, how do I lower the ROI on a stolen credit card? Assuming the criminal is able to prevent any fraud detection from kicking in, they can charge up to credit limit. Credit card companies only have incentive to increase rather than reduce the limit, and the owner will watch their FICO score go down if they ask for it to be lowered. Reducing the incentive for the criminal does not seem practical.
I would argue that the liability is the real crux of the issue. If credit card companies were liable for the losses on a stolen credit cards we would see the security improve tremendously. Apply this same economic model in other areas and security will likewise increase.
That is seriously the problem with today's society. It takes liability for anyone to do anything. Nobody does anything because it is right - it's all about money. It's sad.
People always ask "Why aren't things made like they used to be?". Because everyone accepts good enough and just deals with the fall out.
A major problem with us today is that we give out/publish too much personal information to anyone. Many ID theifs have used FaceBook, MySpace and other social websites to build profiles from little information, maybe just a name. They can even get this information by simply asking for it.
Our personal information is no longer personal.
What I dont understand is the whole 'pull' architecture of credit/debit card proccessing systems.
Better to use 'push' architecture like direct deposit, webmoney or such stuff in my opinion.
Computer insecurity works both ways. Hackers are now on the run, too easy to be hacked back, caught, tracked. Radar with signatures.
What Bruce is suggesting in a way is that the financial-processing sector considers identity fraud to be an acceptable part of keeping up the volume of transactions that have until recently kept the economy from sliding into recession. Make it harder, even a little harder, for people to buy stuff, and they won't buy it, and the economy goes into the tank. (As opposed to going into the tank because people bought stuff they couldn't afford.)
It's also possible, of course, that the issue isn't so much that people won't buy stuff as that -- if doing remote financial transactions is takes more steps, especially for bigger transactions -- people will spend more time actually looking at the terms and conditions rather than just signing two places and initialling five more.
Though I more or less come here for your cynical dissent, I think you're going a little overboard. I'm not sure there's much point in making the arrest of criminals seem useless as if such laws should not be enforced. Clearly companies/other orgs should be more cautious but that's now law enforcements job.
Bruce: Careful reading of the indictments show that the media, card issuers and Federal Trade Commission over-reacted to the TJX incident. TJX was not as bad as we were led to believe. It is easier to steal card data than it is to actually turn the data into money, property or services. --Ben http://legal-beagle.typepad.com/...
Bruce, I'm somewhat surprised that you didn't comment on the cryptographic aspects of this case. Sure, this ring installed software that stole authorization messages from these retailers. What's more interesting is that they decrypted the PIN blocks, which they used to make ATM withdrawals. (See the indictment for Gonzales (http://searchjustice.usdoj.gov/search?q=cache:QMq7E294obgJ:www.usdoj.gov/usao/ma/Press%2520Office%2520-%2520Press%2520Release%2520Files/IDTheft/Gonzalez%2520Indictment%2520S-.pdf+segvec&access=p&output=xml_no_dtd&ie=UTF-8&lr=&client=default_frontend&num=10&site=default_collection&proxystylesheet=default_frontend&oe=UTF-8), count 1, section 3.f where they "Obtained technical assistance from criminal associates in decrypting encrypted PIN numbers"
These blocks are encrypted using a key "management" system called DUKPT - Derived Unique Key Per Transaction. A secret key (the Base Derivation Key) held by an authorizing network is injected into the PIN pads by a trusted third party. For each unique transaction an intermediate key is derived from that secret key plus some transaction specific data. The thieves must have first decrypted a PIN block, then cracked the protocol to recover the BDK, which they then used to decrypt the rest of the PINs.
If the PIN pads in question are older, the chances are good they used DES as their encryption algorithm. Newer PIN pads use 3DES.
@Brandioch: "So what happens when someone in the government starts selling falsified official ID Cards?"
This is practically unheard of - though it doesn't mean that it would be impossible.
Privacy data for the purpose of identification is just another kind of shared secret. A secret that needs to be shared between all the parties that wants to identify someone. If one party in some way shares the secret to an unauthorised party, the identity is at risk.
Just like countfebo said, a national id card solves the problem of identification in a lot of cases. Sure it can be stolen by someone that looks a bit like you, forged, someone can be bribed to create false, official id-cards etc, but it is harder to get access to thousends of identities that way.
With revocation lists one can even catch the people trying to use a id-card that one has detected to be stolen.
It will be interesting to compare the treatment these alleged criminals receive from the US legal system compared with the treatment to be received by Gary McKinnon.
Identification is a very poor proxy of intent, no matter how effective the method.
The 'credit crunch' provides the opportunity to test the hypothesis that restricting credit decreases fraud; the problem however is the context of an economic downturn which i would expect increases fraud. D'oh, back to the drawing board.
"Identity theft"? What's that? Nobody can steal my identity. I thought you were opposed to the use of such sloppy terminology!
data mines and credit companies are accessories before the fact in "identity theft" and should be held liable in appropriate degree. meaning courts should hold them liable for some of the loss and order changes. Read about how Wachovia bank has recently been aiding and abetting frauds. And would someone in the government sell identity information, like the looking at passport files that amused state department officials, this is as likely as bushchenty buying a fake memo from general habbush. If someone is using your hard drive to store their cookies for their purposes, they are tresspassing on your property and should be at least charged rent.
The only way law enforcement is ever going to increase its effectiveness against these kinds of crimes is by pulling together law enforcement internationally -- including in countries that seem to have a vested interest in not cracking down on hackers.
There are some good related posts on this topic of ID theft here:
Who Is In Charge of Your Identity?
What Are Strangers Doing With All of Your Information?
The naivete of several posters above me is amusing (if not sad). You really think national ID cards will make identity theft harder, and not easier? You honestly believe that *every* official who participates in the issuing of passports and other valuable ID documents is a scrupulous, honest, incorruptible person? As usual, Bruce is right on target. I think his detractors are deluded, or at least refusing to see the world as it actually is.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..