Security by asking the drunk whether he's drunk

Peter Gutmann pgut001 at
Sun Dec 21 07:18:31 EST 2008

I recently had an opportunity to talk to someone who had had a family member
become a victim of identity fraud, not in the usual manner to target them
directly but as a springboard to target others by registering a phishing site
in their name.  Variations on this theme include using stolen identities to
buy code-signing certificates for malware and a variety of other end-runs
around identity-based accountability mechanisms.  The problem here is the fact
that the market is so awash with stolen identities that vendors have to sell
them in bulk lots just to turn a profit.  In other words a system designed to
defeat the problem of identity theft relies on the flawless functioning of a
global identity-based accountability infrastructure in order to work, a
classic catch-22 situation.  If it's possible to buy stolen identities with
almost arbitrary amounts of accompanying verification data to authenticate
them for purposes of financial fraud:

  We sell all you need to hack, shop & cashout.
  CardTipe / * CC Name / * CC Number / * CC Expiry / * CVV2 / * CC PIN
  First & Last Names / * Address & City / * State & Zip/Postal code / *
  Country (US) / * Phone #
  MMN [Mother's maiden name] / * SSN [Social security number] / * DOB
    [Date of birth]
  Bank Acc No / * Bank Routine [Routing] No

  On our forum you can buy:
  Active eBay accounts with as many positive feedbacks as you need
  Active and wealthy PayPal accounts
  PINs for prepaided AT&T and Sprint phone cards
  Carded Western Union accounts for safe and quick money transfers
  Carded UPS and FedEx accounts for quick and free worldwide shipping of
    your stuff
  Full info including Social Security Info, Driver Licence #, Mother'
    Maiden Name and much more
  Come and register today and get a bonus by your choice:
  One Citybank account with online access with 3k on board, or 5
    COB' cards with 5k credit line
    10 eBay active eBay accounts with 100+ positive feedbacks
    25 Credit Cards with PINs for online carding

then it's just as easy to turn those identities towards facilitating further
identity fraud, and indeed it's become pretty much standard practice to
register fraudulent domains and buy fraudulent X.509 certificates with stolen
credentials paid for with stolen financial information.  As a result, if the
putative owner of an Authenticode certificate used to sign a piece of malware
is ever tracked down then it's invariably some innocent victim somewhere,
possibly someone who doesn't even use a computer.  Even the argument that at
least the signed malware allows for the use of CRLs to disable it falls flat
when you consider the difference in speed between having the malware
identified and blocked by anti-virus software and the ponderous delays of the
CRL issue process, assuming that the end-user software even checks them.

Another online fraud technique that's seen use in some countries, although
it's not widespread because it's still much easier to do the same thing via
less labour-intensive means, is to use stolen credentials to establish an
online presence for an existing business with a good credit history, use it
for whatever fraud you want to perpetrate, and then vanish before anyone's the
wiser, for example before the end of the monthly billing cycle when the real
business either gets sent paperwork that it isn't expecting or doesn't get
sent paperwork that it is.  Since this is borrowing the identity of a bona
fide business rather than an individual, there's almost no way to catch such
problems because any (rational) amount of checking will simply confirm that
it's a long-established legitimate business.  This type of fraud could
probably even defeat the verification used for EV certificates (at least as
set out in the guidelines published by some CAs), although at the moment it's
entirely unnecessary since it's possible to achieve the same ends through far
less laborious means.

This is a classic case of asking the drunk whether he's drunk - a system
rampant with identity fraud is expected to function as the basis for an
identity-based accountability mechanism.  Or to put it another way, on the
remote chance that someone does finally figure out what it'll take to make PKI
work, it still won't actually work.
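The CRL point above is easy to reproduce on the command line. The following is an added example, not part of the original post and not Gutmann's code: it builds a throwaway CA with the `openssl` CLI (assumed to be installed), issues a code-signing certificate to an invented subject standing in for a stolen identity, and then checks that certificate three ways: with no revocation checking at all, against a CRL published before the CA revoked the certificate, and against the CRL published afterwards. OpenSSL's `verify` stands in for whatever end-user software would check the signature; the CA, names and files are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Everything below is a
# throwaway CA in a temp directory; no real CA, vendor or person is involved.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# --- throwaway CA: self-signed, CA:TRUE, allowed to sign certs and CRLs ---
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Throwaway CA" \
  -keyout ca.key -out ca.csr >/dev/null 2>&1
printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' \
  > ca_ext.cnf
openssl x509 -req -in ca.csr -signkey ca.key -days 30 -extfile ca_ext.cnf \
  -out ca.crt >/dev/null 2>&1

# Minimal "openssl ca" database so the CA can issue, revoke and publish CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = throwaway
[ throwaway ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
touch index.txt
echo 1000 > serial
echo 1000 > crlnumber

# --- code-signing cert for an invented subject (the "stolen identity") ---
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Invented Victim Name" \
  -keyout signer.key -out signer.csr >/dev/null 2>&1
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = codeSigning\n' > signer_ext.cnf
openssl ca -batch -notext -config ca.cnf -in signer.csr -extfile signer_ext.cnf \
  -out signer.crt >/dev/null 2>&1

# CRL as published while the malware is still unnoticed: the cert is not on it.
openssl ca -config ca.cnf -gencrl -out before.crl >/dev/null 2>&1

# Later the CA revokes the cert and publishes a fresh CRL.
openssl ca -config ca.cnf -revoke signer.crt >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out after.crl >/dev/null 2>&1

# Three verifier behaviours; each prints "accepted" or "rejected".
verify_no_crl_check() {
  # Signature and chain only; never looks at a CRL.
  openssl verify -CAfile ca.crt signer.crt >/dev/null 2>&1 \
    && echo accepted || echo rejected
}
verify_stale_crl() {
  # Checks the CRL, but only the one that was available before revocation.
  openssl verify -crl_check -CAfile ca.crt -CRLfile before.crl signer.crt >/dev/null 2>&1 \
    && echo accepted || echo rejected
}
verify_fresh_crl() {
  # Checks the CRL published after revocation: the only case that rejects.
  openssl verify -crl_check -CAfile ca.crt -CRLfile after.crl signer.crt >/dev/null 2>&1 \
    && echo accepted || echo rejected
}

echo "no CRL check:           $(verify_no_crl_check)"
echo "CRL from before revoke: $(verify_stale_crl)"
echo "CRL from after revoke:  $(verify_fresh_crl)"
```

The first two verifiers accept the certificate and only the third rejects it, which is the point of the argument: a signed binary stays "valid" for everyone who skips the CRL check, and for everyone who does check it until the CA actually issues a CRL listing it, however long that takes.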


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at
