FIDIS Deliverable D5.3: A Multidisciplinary Article on Identity-related Crime

A technical categorisation of identity-related crime: identification attacks

In identity-related crime, an established authentication and/or authorisation procedure is either passed successfully when it should not have been (a false positive) or not passed when it should have been (a false negative); in both cases the link between the identifier and the right physical person is broken by a rearrangement of identity linkage. Criminals can exploit various points of attack to cause such a rearrangement, and they can do so in various ways, e.g., directed at a specific person, or undirected, aimed at many unselected persons. For an analysis of the various techniques, we refer to Leenes (2006, pp. 84-86).

A first basic distinction is that identity-related crime, at least in its most prevalent forms, those in the category of identity fraud, is essentially a two-stage process. The first stage involves – lawfully or unlawfully – gathering the identity data of others or creating new identity data. The second stage is using these data in some unlawful way. Sometimes more subdivisions are made in the literature, but these two stages are common to all analyses of identity fraud (Leenes 2006, p. 114).

Helpful as this two-stage distinction is, it gives little understanding of all the ways in which identity-related crime can be committed in practice. Since it only addresses the identity-fraud part of identity-related crime, and not identity deletion or identity restoration, we have opted for a different categorisation of identity-crime techniques. In order to better understand the diversity of attacks and their relation to our conceptual categorisation (section 4), we explore them in more detail by considering the following simplified picture of online interactions. This allows us to determine the various points of attack and hence to uncover vulnerabilities in identification mechanisms.

[Figure 3 is an image not reproduced here.]

Figure 3. General view of online interactions showing 17 points of attack

The threats are the following.  

T1    is a direct attack on the user, for instance by threatening her into disclosing identity data, by applying social engineering such as phishing, by stealing credit cards from a wallet, or even by replacing the individual with a look-alike.

T2    is ‘dumpster diving’: an attack on identity data people leave behind in the physical world, such as user names and passwords written on post-it notes, receipts with account details in the garbage can, or data recoverable by forensically scanning second-hand PCs.

T3    represents the creation of forged identity data or credentials, for instance by acquiring a credit card with self-generated identity data, or forging a medical diploma.

T4    is any attack on the communication between users and their IT systems, such as their PC. This includes malware phishing (Levy 2004), such as keystroke loggers; presenting faked biometric data, e.g., a Synthetic Biometric Feature Attack; and intercepting or interfering with the Bluetooth communication between keyboard and PC.

T5    is the manipulation of user applications such as web browsers, either to record data entered by the user, e.g., through Trojan horses, or to redirect the user to fake websites by means of a spoofing attack. Reading the cookies set in the user’s browser is another example of this kind of attack.

T6    relates to the interception and manipulation of data at the level of the operating system, for instance, by viruses, root-kits, and spyware.

T7    concerns attacks on the client’s PC itself, like intrusion by hackers or the installation of physical devices, such as modified hardware.

T8    comprises attacks on the link between the user’s PC and storage devices, both internal ones and external ones like USB sticks, with the goal of obtaining or redirecting identity data.

T9    comprises attacks on the communication channel between the user’s system and the internet, for instance interception of WiFi signals from a user’s home, or using the user’s WiFi installation to obtain a communication channel.

T10    comprises attacks on the Internet Service Providers involved in the communication, for instance by spoofing DNS entries, resulting in the redirection of the user’s communication to a rogue site.

T11    represents attacks on the network, for example man-in-the-middle attacks, wiretapping, node redirection, denial-of-service attacks, or cyberterrorism.

T12    is analogous to T9: the service provider’s internal network can likewise be attacked by snoopers and sniffers (network infiltration).

T13    comprises attacks on the service provider’s IT system, such as hacking into the service provider’s databases.

T14    is symmetrical to T4 and concerns any attack on the communication between the system administrator and the service provider’s IT system, for instance by installing key-loggers or root-kits.

T15    represents physical or logical attacks on or by the service provider’s staff; personnel leaking identity data to outsiders is an example.

T16    involves any attack on the service provider’s data storage, like the La Salle Bank backup tapes that went missing in December 2005.

T17    concerns attacks on the communication between service providers and their business partners, like a bank or accountant.

 

In principle, all possible cases of identity-related crime involve one or more of the threats outlined. The categorisation shows the wide variety of possible attacks and modi operandi in identity-related crime. This is important to bear in mind when devising countermeasures, since a chain is only as strong as its weakest link. This means that a risk assessment is necessary that covers all potential points of attack. It would be useful, in that respect, to have data available on the actual risks involved in the various attacks, i.e., the likelihood – or actual incidence in the past – of an attack and the associated expected – or actually suffered – loss. This is a topic for further research.
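The following is an added illustration of the risk assessment the paragraph above calls for; it is not part of the FIDIS deliverable. It models the 17 points of attack as a chain, computes the expected loss per point and the probability that at least one point is compromised, and shows why hardening 16 of 17 points still leaves the residual risk of the untreated one. Every likelihood and loss figure is a constructed placeholder (no incident data of this kind is given on the page), losses are in EUR, the points are assumed to succeed independently, and all function and class names are the example's own.

```python
"""Weakest-link risk assessment over the 17 points of attack T1..T17.

Added illustration, not part of the FIDIS deliverable. Every likelihood and
loss figure below is a constructed placeholder, not measured incident data;
the model also assumes the points of attack succeed independently of each other.
"""
from dataclasses import dataclass, replace
from math import prod


@dataclass(frozen=True)
class ThreatPoint:
    tid: str
    description: str
    likelihood: float  # constructed: probability of a successful attack per year
    loss: float        # constructed: loss (EUR) if the attack succeeds

    @property
    def expected_loss(self) -> float:
        # Expected annual loss for this point of attack alone.
        return self.likelihood * self.loss


# Constructed figures; the descriptions follow the T1..T17 list above.
THREATS = (
    ThreatPoint("T1", "direct attack on the user (social engineering)", 0.30, 2_000),
    ThreatPoint("T2", "dumpster diving", 0.05, 1_000),
    ThreatPoint("T3", "forged identity data or credentials", 0.10, 5_000),
    ThreatPoint("T4", "user-to-PC channel (keystroke loggers)", 0.20, 3_000),
    ThreatPoint("T5", "manipulated user applications / browser", 0.15, 3_000),
    ThreatPoint("T6", "operating-system level malware", 0.15, 4_000),
    ThreatPoint("T7", "client PC intrusion, modified hardware", 0.05, 4_000),
    ThreatPoint("T8", "PC-to-storage link", 0.02, 1_000),
    ThreatPoint("T9", "user system to internet channel (WiFi)", 0.10, 2_000),
    ThreatPoint("T10", "ISP attacks, e.g. DNS spoofing", 0.05, 5_000),
    ThreatPoint("T11", "network attacks (man-in-the-middle, DoS)", 0.05, 5_000),
    ThreatPoint("T12", "service provider internal network", 0.02, 50_000),
    ThreatPoint("T13", "service provider IT system / databases", 0.05, 200_000),
    ThreatPoint("T14", "administrator-to-system channel", 0.02, 100_000),
    ThreatPoint("T15", "service provider staff", 0.03, 100_000),
    ThreatPoint("T16", "service provider data storage (backups)", 0.01, 500_000),
    ThreatPoint("T17", "service provider to business partner link", 0.02, 50_000),
)


def total_expected_loss(threats=THREATS) -> float:
    """Sum of the expected annual losses over all points of attack."""
    return sum(t.expected_loss for t in threats)


def chain_compromise_probability(threats=THREATS) -> float:
    """Probability that at least one point of attack succeeds in a year."""
    return 1.0 - prod(1.0 - t.likelihood for t in threats)


def weakest_link(threats=THREATS) -> ThreatPoint:
    """The point of attack carrying the largest expected loss."""
    return max(threats, key=lambda t: t.expected_loss)


def harden(threats, tids, reduction=1.0):
    """Copy of `threats` with the likelihood of every point in `tids` scaled by (1 - reduction)."""
    return tuple(
        replace(t, likelihood=t.likelihood * (1.0 - reduction)) if t.tid in tids else t
        for t in threats
    )


def prioritise(threats=THREATS, reduction=0.5):
    """Rank single-point countermeasures by how much each lowers the chain compromise probability."""
    base = chain_compromise_probability(threats)
    gains = [(t.tid, base - chain_compromise_probability(harden(threats, {t.tid}, reduction)))
             for t in threats]
    return sorted(gains, key=lambda g: g[1], reverse=True)


if __name__ == "__main__":
    print(f"total expected loss: {total_expected_loss():.0f} EUR")
    print(f"P(at least one point compromised): {chain_compromise_probability():.3f}")
    w = weakest_link()
    print(f"largest expected loss: {w.tid} ({w.description}) {w.expected_loss:.0f} EUR")
    print("best single countermeasure by likelihood:", prioritise()[0][0])
    # Harden every point except T16: the residual risk is exactly T16's.
    residual = harden(THREATS, {t.tid for t in THREATS if t.tid != "T16"})
    print(f"residual expected loss with 16 of 17 points hardened: {total_expected_loss(residual):.0f} EUR")
```

With these constructed figures the two views of "weakest" disagree: ranked by expected loss the critical point is the service provider's databases (T13), while ranked by how much a countermeasure lowers the probability of any compromise the best single investment is the user-side point T1. That is exactly why the paragraph asks for both likelihood and loss data per point of attack rather than either alone.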

 

Source file: fidis-wp5-del5.3-identity_related_crime_def_01.sxw