Entries Tagged "fraud"

Page 31 of 33

Stupid People Purchase Fake Concert Tickets

From the Boston Herald

Instead of rocking with Bono and The Edge, hundreds of U2 fans were forced to “walk away, walk away” from the sold-out FleetCenter show Tuesday night when their scalped tickets proved bogus.

Some heartbroken fans broke down in tears as they were turned away clutching worthless pieces of paper they shelled out as much as $2,000 for.

You might think this was some fancy counterfeiting scheme, but no.

It took Whelan and his staff a while to figure out what was going on, but a pattern soon emerged. The counterfeit tickets mostly were computer printouts bought online from cyberscalpers.

Online tickets are a great convenience. They contain a unique barcode. You can print as many as you like, but the barcode scanners at the concert door will only accept each barcode once.

Only an idiot would buy a printout from a scalper, because there’s no way to verify that he will only sell it once. This is probably obvious to anyone reading this, but it tuns out that it’s not obvious to everyone.

“On an average concert night we have zero, zilch, zip problems with counterfeit tickets,” Delaney said. “Apparently, U2 has whipped this city into such a frenzy that people are willing to take a risk.”

I find this fascinating. Online verification of authorization tokens is supposed to make counterfeiting more difficult, because it assumes the physical token can be copied. But it won’t work if people believe that the physical token is unique.

Note: Another write-up of the same story is here.

Posted on June 2, 2005 at 2:10 PMView Comments

Spelling Errors as a Counterfeiting Defense

This is a weird rumor.

ID cards in Belgium are being printed with intentional misspellings in an attempt to thwart potential fraudsters.

Four circular arcs on the ID cards show the country’s name in different languages—French, Dutch, German and English. According to the article, the German and English arcs will be spelled incorrectly, and misspellings will also appear elsewhere on the cards. The idea is that people making counterfeit cards won’t notice the misspellings on the originals and will print the fraudulent cards with the names spelled properly.

More information is here:

To trick fraudsters, the Home Office has introduced three circular arcs on the card—just beneath the identity photos—where you will find the name of the country in the official languages spoken in Belgium—French, Dutch and German, as well as in English. But instead of ‘Belgien’ in German, the ID card incorrectly uses the name ‘Belgine’ and instead of ‘Belgium’ in English, the card reads ‘Belguim’. Vanneste has promised other errors will be printed on the card to “further confuse fraudsters”. With any luck, these will not be revealed.

I’m not impressed with this as a countermeasure. It’s certainly true that poor counterfeits will have all sorts of noticeable errors—and correct spelling might certainly be one of them. But the more people that know about the misspellings, the less likely a counterfeiter will get it wrong. And the more likely a counterfeiter will get it wrong, the less likely anyone will notice.

I’m all for hard-to-counterfeit features in ID cards. But why make them grammatical?

Posted on June 1, 2005 at 7:58 AMView Comments

Phishing and Identity Theft

I’ve already written about identity theft, and have said that the real problem is fraudulent transactions. This essay says much the same thing:

So, say your bank uses a username and password to login to your account. Conventional wisdom (?) says that you need to prevent the bad guys from stealing your username and password, right? WRONG! What you are trying to prevent is the bad guys STEALING YOUR MONEY. This distinction is very important. If you have an account with $0 dollars in it, which you never use, what does it matter if someone knows the access details? Your username and password are only valuable insofar as the bank allows anyone who knows them to take your money. And therein lies the REAL problem. The bank is too lazy (or incompetent) to do what Bruce Schneier describes as “authenticate the transaction, not the person”. While it is incredibly difficult to prevent the bad guys from stealing access credentials (especially with browsers like Internet Explorer around), it is actually much simpler to prevent your money disappearing off to some foreign country….

When something goes wrong, the bank will tell you that you “authorised” the transaction, where in fact the party who ultimately “authorised” it is the bank, based on the information they chose to take as evidence that this transaction is the genuine desire of a legitimate customer.

The essay provides some recommendations as well.

  • Restrict IP addresses outside Australia
  • Restrict odd times of day (or at least be more vigilant)
  • Set cookies to identify machines
  • Record IP usually used
  • Record times of day usually accessed
  • Record days of week/month
  • Send emails when suspicious activity is detected
  • Lock accounts when fraud is suspected
  • Introduce a delay in transfers out—for suspicious amounts, longer
  • Make care proportional to risk
  • Define risk relative to customer, not bank

These are good ideas, but need more refinement in the specifics. But they’re a great start, and banks would do well to pay attention to them.

Posted on May 10, 2005 at 4:24 PMView Comments

REAL ID

The United States is getting a national ID card. The REAL ID Act (text of the bill and the Congressional Research Services analysis of the bill) establishes uniform standards for state driver’s licenses, effectively creating a national ID card. It’s a bad idea, and is going to make us all less safe. It’s also very expensive. And it’s all happening without any serious debate in Congress.

I’ve already written about national IDs. I’ve written about the fallacies of identification as a security tool. I’m not going to repeat myself here, and I urge everyone who is interested to read those two essays (and even this older essay). A national ID is a lousy security trade-off, and everyone needs to understand why.

Aside from those generalities, there are specifics about REAL ID that make for bad security.

The REAL ID Act requires driver’s licenses to include a “common machine-readable technology.” This will, of course, make identity theft easier. Assume that this information will be collected by bars and other businesses, and that it will be resold to companies like ChoicePoint and Acxiom. It actually doesn’t matter how well the states and federal government protect the data on driver’s licenses, as there will be parallel commercial databases with the same information.

Even worse, the same specification for RFID chips embedded in passports includes details about embedding RFID chips in driver’s licenses. I expect the federal government will require states to do this, with all of the associated security problems (e.g., surreptitious access).

REAL ID requires that driver’s licenses contain actual addresses, and no post office boxes. There are no exceptions made for judges or police—even undercover police officers. This seems like a major unnecessary security risk.

REAL ID also prohibits states from issuing driver’s licenses to illegal aliens. This makes no sense, and will only result in these illegal aliens driving without licenses—which isn’t going to help anyone’s security. (This is an interesting insecurity, and is a direct result of trying to take a document that is a specific permission to drive an automobile, and turning it into a general identification device.)

REAL ID is expensive. It’s an unfunded mandate: the federal government is forcing the states to spend their own money to comply with the act. I’ve seen estimates that the cost to the states of complying with REAL ID will be $120 million. That’s $120 million that can’t be spent on actual security.

And the wackiest thing is that none of this is required. In October 2004, the Intelligence Reform and Terrorism Prevention Act of 2004 was signed into law. That law included stronger security measures for driver’s licenses, the security measures recommended by the 9/11 Commission Report. That’s already done. It’s already law.

REAL ID goes way beyond that. It’s a huge power-grab by the federal government over the states’ systems for issuing driver’s licenses.

REAL ID doesn’t go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver’s license will bring a new level of “show me your papers” checks by the government. Already you can’t fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I’ve already heard rumblings about requiring states to check identities against “government databases” before issuing driver’s licenses. I’m sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?

Americans overwhelmingly reject national IDs in general, and there’s an enormous amount of opposition to the REAL ID Act. This is from the EPIC page on REAL ID and National IDs:

More than 600 organizations have expressed opposition to the Real ID Act. Only two groups—Coalition for a Secure Driver’s License and Numbers USA—support the controversial national ID plan. Organizations such as the American Association of Motor Vehicle Administrators, National Association of Evangelicals, American Library Association, Association for Computing Machinery (pdf), National Council of State Legislatures, American Immigration Lawyers Association (pdf), and National Governors Association are among those against the legislation.

And this site is trying to coordinate individual action against the REAL ID Act, although time is running short. It’s already passed in the House, and the Senate votes tomorrow.

If you haven’t heard much about REAL ID in the newspapers, that’s not an accident. The politics of REAL ID is almost surreal. It was voted down last fall, but has been reintroduced and attached to legislation that funds military actions in Iraq. This is a “must-pass” piece of legislation, which means that there has been no debate on REAL ID. No hearings, no debates in committees, no debates on the floor. Nothing.

Near as I can tell, this whole thing is being pushed by Wisconsin Rep. Sensenbrenner primarily as an anti-immigration measure. The huge insecurities this will cause to everyone else in the United States seem to be collateral damage.

Unfortunately, I think this is a done deal. The legislation REAL ID is attached to must pass, and it will pass. Which means REAL ID will become law. But it can be fought in other ways: via funding, in the courts, etc. Those seriously interested in this issue are invited to attend an EPIC-sponsored event in Washington, DC, on the topic on June 6th. I’ll be there.

Posted on May 9, 2005 at 9:06 AM

Biometric Passports in the UK

The UK government tried, and failed, to get a national ID. Now they’re adding biometrics to their passports.

Financing for the Passport Office is planned to rise from £182 million a year to £415 million a year by 2008 to cope with the introduction of biometric information such as fingerprints.

A Home Office spokesman said the aim was to cut out the 1,500 fraudulent applications found through the postal system last year alone.

Okay, let’s do the math. Eliminating 1,500 instances of fraud will cost £233 million a year. That comes to £155,000 per instance of fraud.

Does this kind of security trade-off make sense to anyone? Is there absolutely nothing better the UK government can do to ensure security and safety with £233 million a year?

Yes, adding additional biometrics to passports—there’s already a picture—will make them more secure. But I don’t think that the additional security is worth the money and the additional risks. It’s a bad security trade-off.

And I’m not a fan of national IDs.

Posted on April 21, 2005 at 1:18 PMView Comments

State-Sponsored Identity Theft

In an Ohio sting operation at a strip bar, a 22-year-old student intern with the United States Marshals Service was given a fake identity so she could work undercover at the club. But instead of giving her a fabricated identity, the police gave her the identity of another woman living in another Ohio city. And they didn’t tell the other woman.

Oddly enough, this is legal. According to Ohio’s identity theft law, the police are allowed to do it. More specifically, the crime cannot be prosecuted if:

The person or entity using the personal identifying information is a law enforcement agency, authorized fraud personnel, or a representative of or attorney for a law enforcement agency or authorized fraud personnel and is using the personal identifying information in a bona fide investigation, an information security evaluation, a pretext calling evaluation, or a similar matter.

I have to admit that I’m stunned. I naively assumed that the police would have a list of Social Security numbers that would never be given to real people, numbers that could be used for purposes such as this. Or at least that they would use identities of people from other parts of the country after asking for permission. (I’m sure people would volunteer to help out the police.) It never occurred to me that they would steal the identity of random citizens. What could they be thinking?

Posted on April 18, 2005 at 3:02 PMView Comments

Mitigating Identity Theft

Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions—credit card companies in particular—the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.

Unfortunately, the solutions being proposed in Congress won’t help. To see why, we need to start with the basics. The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. Someone’s identity is the one thing about a person that cannot be stolen.

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. He impersonates a victim to the Post Office and gets the victim’s address changed. He impersonates a victim in order to fool the police into arresting the wrong man. No one’s identity is stolen; identity information is being misused to commit fraud.

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. This is what’s been in the news recently: ChoicePoint, LexisNexis, Bank of America, and so on. But data privacy is more than just fraud. Whether it is the books we take out of the library, the websites we visit, or the contents of our text messages, most of us have personal data on third-party computers that we don’t want made public. The posting of Paris Hilton’s phone book on the Internet is a celebrity example of this.

The second issue is the ease with which a criminal can use personal data to commit fraud. It doesn’t take much personal information to apply for a credit card in someone else’s name. It doesn’t take much to submit fraudulent bank transactions in someone else’s name. It’s surprisingly easy to get an identification card in someone else’s name. Our current culture, where identity is verified simply and sloppily, makes it easier for a criminal to impersonate his victim.

Proposed fixes tend to concentrate on the first issue—making personal data harder to steal—whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

Fraudulent transactions have nothing to do with the legitimate account holders. Criminals impersonate legitimate users to financial intuitions. That means that any solution can’t involve the account holders. That leaves only one reasonable answer: financial intuitions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

They can’t claim that the user must keep his password secure or his machine virus free. They can’t require the user to monitor his accounts for fraudulent activity, or his credit reports for fraudulently obtained credit cards. Those aren’t reasonable requirements for most users. The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions. They’ve pushed most of the actual costs onto the merchants. And almost no security centers around trying to authenticate the cardholder.

That’s an important lesson. Identity theft solutions focus much too much on authenticating the person. Whether it’s two-factor authentication, ID cards, biometrics, or whatever, there’s a widespread myth that authenticating the person is the way to prevent these crimes. But once you understand that the problem is fraudulent transactions, you quickly realize that authenticating the person isn’t the way to proceed.

Again, think about credit cards. Store clerks barely verify signatures when people use cards. People can use credit cards to buy things by mail, phone, or Internet, where no one verifies the signature or even that you have possession of the card. Even worse, no credit card company mandates secure storage requirements for credit cards. They don’t demand that cardholders secure their wallets in any particular way. Credit card companies simply don’t worry about verifying the cardholder or putting requirements on what he does. They concentrate on verifying the transaction.

This same sort of thinking needs to be applied to other areas where criminals use impersonation to commit fraud. I don’t know what the final solutions will look like, but I do know that once financial institutions are liable for losses due to these types of fraud, they will find solutions. Maybe there’ll be a daily withdrawal limit, like there is on ATMs. Maybe large transactions will be delayed for a period of time, or will require a call-back from the bank or brokerage company. Maybe people will no longer be able to open a credit card account by simply filling out a bunch of information on a form. Likely the solution will be a combination of solutions that reduces fraudulent transactions to a manageable level, but we’ll never know until the financial institutions have the financial incentive to put them in place.

Right now, the economic incentives result in financial institutions that are so eager to allow transactions—new credit cards, cash transfers, whatever—that they’re not paying enough attention to fraudulent transactions. They’ve pushed the costs for fraud onto the merchants. But if they’re liable for losses and damages to legitimate users, they’ll pay more attention. And they’ll mitigate the risks. Security can do all sorts of things, once the economic incentives to apply them are there.

By focusing on the fraudulent use of personal data, I do not mean to minimize the harm caused by third-party data and violations of privacy. I believe that the U.S. would be well-served by a comprehensive Data Protection Act like the European Union. However, I do not believe that a law of this type would significantly reduce the risk of fraudulent impersonation. To mitigate that risk, we need to concentrate on detecting and preventing fraudulent transactions. We need to make the entity that is in the best position to mitigate the risk to be responsible for that risk. And that means making the financial institutions liable for fraudulent transactions.

Doing anything less simply won’t work.

Posted on April 15, 2005 at 9:17 AMView Comments

More on Two-Factor Authentication

Recently I published an essay arguing that two-factor authentication is an ineffective defense against identity theft. For example, issuing tokens to online banking customers won’t reduce fraud, because new attack techniques simply ignore the countermeasure. Unfortunately, some took my essay as a condemnation of two-factor authentication in general. This is not true. It’s simply a matter of understanding the threats and the attacks.

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.

Credit cards are a perfect example. Notice how little attention is paid to cardholder authentication. Clerks barely check signatures. People use their cards over the phone and on the Internet, where the card’s existence isn’t even verified. The credit card companies spend their security dollar authenticating the transaction, not the cardholder.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they’ll stop advocating stronger authentication measures and the sooner security will actually improve.

This essay previously appeared in Network World as a “Face Off.” Joe Uniejewski of RSA Security wrote an opposing position. Another article on the subject was published at SearchSecurity.com.

One way to think about this—a phrasing I didn’t think about until after writing the above essay—is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.

Posted on April 12, 2005 at 11:02 AMView Comments

Insider Attack Against Citibank

Insiders are the biggest threat:

The Pune police have unearthed a major siphoning racket involving former and serving callcentre employees.

They allegedly transferred a total of [15 million rupees (US $350,000)] from a multinational bank into their own accounts, opened under fictitious names. The money was used to splurge on luxuries like cars and mobile phones.

The call center was in India. The victim was Citibank.

Posted on April 11, 2005 at 9:14 AMView Comments

Sidebar photo of Bruce Schneier by Joe MacInnis.