identity fraud in cyberspace - politiestudies luc beirens your identity in... · identity fraud in...


Post on 31-Mar-2020


TRANSCRIPT

Page 1: Identity fraud in cyberspace - Politiestudies Luc Beirens Your identity in... · Identity fraud in cyberspace A virtual battle to be who you pretend to be Chief commissioner Luc Beirens

Identity fraud in cyberspace

A virtual battle to be who you pretend to be

Chief commissioner Luc Beirens
Head of Federal Computer Crime Unit
Belgian Federal Judicial Police
Direction for economical and financial crime

© Luc Beirens DJF - FCCU

Topics

• Dogs in the real world - cyberspace frontier
• Identity in cyberspace ?
• Link between cyber identity and e-security
• Weak links in the authentication process
• So who did it ? Cyber traces
• Why do they steal your cyber identity ?
• Cyber identity fraud cases
• Evidence of cyber identity in court
• Ending remarks

Page 2

But first in the real world ...

How do we identify man's best friend ?

Transponder chip
Tattoo
Pet passport

Dog identification database

[Diagram: Dog DB, number 121132132123 -> Mickey, German shepherd, ...]

Page 3

But ...

• Humans don't like to have transponder chips implanted ...
• Fear for Big Brother situations

Identity in cyberspace ?

• Identification : recognition and acceptance as a unique person authorised to take actions when using cyberspace infrastructure ...
• Cyber identity is built upon :
    • the telecom services one uses in cyberspace
    • subjects about which one communicates
    • the way in which one communicates, his language
    • the way in which one acts, the names he uses
• Recognised by humans but not by ICT infrastructure

Page 4

Different processes in cyberspace

• Identification
    • Getting a user's "official" identity information
• Authentication
    • Verify & certify that the user is who he pretends to be (under any given identity)
• Authorisation
    • Granting access to the system and allowing use of the system according to user rights

Identity in cyberspace ?

• Legal dispositions ? "State Registry"
    • name, gender, nat, date of birth, address, ...
    • existence of identity & signature certificate ?
• No physical information to compare
• Combinations of name, firstname, ... are not unique
• Unique number : State registry number

Page 5

Dog identification database

[Diagram: Dog DB, number 121132132123 -> Mickey, German shepherd, ...]

Natural Persons State Registry database

[Diagram: RRN DB, number 620423 888 54 -> Hercule Poirot, Male, ...; separate Firm DB and Pers DB databases]

Page 6

Intermediate conclusion

• Because of :
    • Limited access to referential database (State Registry of Natural Persons)
    • Restricted use of State Registry number
• Non authorised services have to create their own
    • databases
    • unique identifying number (different in each db)
• Which leads to
    • difficulty on authentication
    • accuracy of data in database

So, how is a user authenticated ?

WHO ARE YOU ?

Page 7

Cyber identity & e-security

• Three basic principles
    • What do I know ?
        • Passwords - User ID
    • What do I have ?
        • cards, certificates, eID
    • What I am ?
        • retina scan, fingerprint
    • Combinations

What do I know ?

WHO ARE YOU ?
My username is IAMSOVIP
My password is ABCDEFG
OK Welcome IAMSOVIP

Page 8

What do I know ?

WHO ARE YOU ?
My username is IAMSOVIP but I FORGOT my password
!!!??? Mmmm... What's the name of your dog ?
My dog's name is Mickey
OK Welcome IAMSOVIP
Change password

Problems with what I know

• Did I change the standard settings ?
• Do I always remember my password ?
    • Too easy / too short
    • Can they know/guess/crack it with trial & error ?
• How do I remember my password ?
    • Post-it / automatic memory function on PC
• Do I share my password ?
    • With colleagues ? Your wife ? Your boss ?
• Fall back procedures for forgetful people

Page 9

Problems with what I have

• It gets lost => no more access
• It gets stolen or copied => abuse of your access
• Solution : combination of
    • what I have
    • what I know

Problems with what I am

• Fingerprints
• Retina scan
• What if I have an accident ?
• Doesn't it cause damage ?
• Is Big Brother watching ?

Page 10

Some weak links in the authentication process

• Location of the authentication device
    • not tamperproof / under control => replaced
• Transmission lines
    • not encrypted => interception / modification
• Location/format of the reference database
    • not encrypted => hacking / copy / modified
• Creation of a new identity in the database
    • not stringently => very often fake ID data in ref database (subscriber information, domain name registration, mail, ...)

Page 11

Weak links in the authentication process

[Diagram: "My identification" checked against a DB record "Hercule Poirot, Male, ..."; creation of account & referential data in the database]

Cyberspace = anonymity ?

• Very common
    • Nicknames
    • False identities
• Other users "recognise" the user but
    • cannot always identify
    • cannot always authenticate

Page 12

So ... who did it ?

• Use of identification certificates (eID)
• Traces left by financial transactions
    • accounts
    • use of accountless money transfers
• Telecommunications traces : 3 levels
    • physical connection level
    • internet (network) access level
    • internet service level

[Diagram: End user - Telecom operator - Internet access provider - Internet - Internet service provider, with the three trace levels: physical connection (02 / 123 12 12), Internet access (123.132.213.231), use of Internet services ([email protected])]

Page 13

Why do they steal your identity ?

• Why do we want it ?
    • certainty about our communication/business partners
    • if transactions fail, find the other party to indemnify you
• Why do the criminals want it ?
    • Be recognised as trustworthy party and get services, favours, deliveries for which you pay
    • Get access to your private information / spying
    • Commit crime under cover of your identity
    • Blackmail you
    • Cause you damage by acting in a malicious way

Page 14

Cyber identity fraud tools

• Phishing web site publishing
    • with copy of your company site
    • routing to website by spam / pharming / search engine
• Most important tool for criminal : trojan
    • infection at large scale of PCs of individuals / firms
    • administration via intermediate Command&Control Svr
    • thus forming botnets
• Used for
    • information collection and transmission to servers
    • informing of ongoing transaction => man in the middle

[Diagram: authentication systems between eService user and eService website, each followed by Authentication, then Consultation & Transfers]

• user : u123 / password : secret123 => intercepted userid + pw
• Give token 15 : Word15 => intercepting 36 sessions, phishing website 3 x 12
• New authentication systems : one time passwords
    • Time based - Give OT password : time dependent code => waiting the authentication, afterwards perform transaction
    • Challenge based - Calculate OTP with challenge 12345678 : calculated OTP => waiting the authentication, need for user cooperation ????
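Added example (not part of the original slides): the difference between the time based and the challenge based one time password on this slide, seen from the bank's side. The key, the payee names and the amounts are constructed, and mixing the transfer details into the challenge response is an assumption of this example, not something the slide states.

```python
import hashlib
import hmac
import struct

KEY = b"12345678901234567890"  # constructed shared secret between token and bank


def _decimal_code(mac: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: turn an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def time_based_otp(key: bytes, unix_time: int, step: int = 30) -> str:
    """Time dependent code (RFC 6238): depends only on the key and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    return _decimal_code(hmac.new(key, counter, hashlib.sha1).digest())


def challenge_otp(key: bytes, challenge: str, transfer: dict) -> str:
    """Challenge based code; including the transfer details is this example's assumption."""
    msg = f"{challenge}|{transfer['to']}|{transfer['cents']}".encode()
    return _decimal_code(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts_time_otp(code: str, unix_time: int, transfer: dict) -> bool:
    # The transfer plays no part in the check: a valid login code says nothing
    # about which transaction is performed after authentication.
    return hmac.compare_digest(code, time_based_otp(KEY, unix_time))


def bank_accepts_challenge_otp(code: str, challenge: str, transfer: dict) -> bool:
    # The bank recomputes the code over the transfer it actually received.
    return hmac.compare_digest(code, challenge_otp(KEY, challenge, transfer))


# Constructed sample data: what the user intended and what reaches the bank
# when the session content is changed on the way.
INTENDED = {"to": "PAYEE-A", "cents": 5000}
RECEIVED = {"to": "PAYEE-B", "cents": 950000}

if __name__ == "__main__":
    login_code = time_based_otp(KEY, 59)
    print("time based, altered transfer accepted:",
          bank_accepts_time_otp(login_code, 59, RECEIVED))
    response = challenge_otp(KEY, "12345678", INTENDED)
    print("challenge based, intended transfer accepted:",
          bank_accepts_challenge_otp(response, "12345678", INTENDED))
    print("challenge based, altered transfer accepted:",
          bank_accepts_challenge_otp(response, "12345678", RECEIVED))
```

The challenge based check only helps when the user sees and confirms the transfer details that go into the code, which is the "user cooperation" the slide asks about.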

Page 15

If technical security is ok ...

Page 16

False criminal DNS server reroutes critical domain names to servers under control of the criminals to get the victim's ID credentials and identity

Getting proof of cyber identity

• Authentication need depends on situation
    • private chat
    • business transactions
    • sending a cyber criminal to jail
• Cyber identity in a criminal case
    • subscriber information
    • telecommunication traffic data
• Identification => device ! Who's behind it ?
    • well protected device / environment ?
    • what if infected with trojan horses ?

Page 17

Ending remarks

• Cyberspace :
    • allows for a reasonable level of anonymity
    • but needs also identification / authentication
• Old authentication concepts still used - too weak
• Need for strong authentication
    • move towards digital certificates / biometrics
• Risk for more "aggressive" authentication

Stay vigilant ...

Page 18

Contact information

Belgian Federal Judicial Police
Direction for economical and financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels - Belgium

Tel office : +32 2 743 74 74
Fax : +32 2 743 74 19
Head of Unit : [email protected]
Twitter : @LucBeirens