Title: TECHNICAL ASPECTS

Technical Aspects

Introduction

As discussed in the previous chapter, authentication and authorisation are crucial processes for ID fraudsters as they play a key role in establishing trust that can consequently be misused for criminal purposes. Chapter four focussed on the social aspects of authentication and authorisation. Technical authentication and authorisation procedures thus are the Achilles heels of information and communication systems. 

In general, identity theft is likely to be feared in cases where powerful authorisations are used together with weak authentications. For example, identity theft becomes more attractive to the thief if a stolen identifier has multiple purposes. One example of this is the social security number, or the driving license number, that is used as the de facto ID standard in the US. These numbers are particularly valuable for prospective culprits. The same rule applies to integration of authentication and authorisation procedures in technical systems by using single sign on (SSO). 

Further problems arise from the use of internal verification patterns in authentication procedures. One example was the verification procedure of credit card numbers which was used until 2001 by an algorithm that takes name as additional inputs. When the credit card was used to pay via the Internet the internal verification of the submitted credit card number in these days was often done automatically by the online shop system against the submitted name. Once the verification algorithm was known, anyone could generate faked credit card numbers (identity creation) and got them verified easily when using them via the Internet. As described above, the fraudulent creation and use of a credit card number that already exists turns into identity theft. The verification procedure has been changed since and now relies on additional random verification numbers, such as the three digit SVC number on the back of MasterCards.

A principal cause for the increase in ID-related crimes in the online world is the fact that authentication procedures here are intrinsically less secure than those in the offline world. When moving a system from offline to online, often the technical authentication procedures is adapted to the online capabilities, frequently without adapting the security measures. For instance, instead of relying on a “physical credit card”, which requires possession, the online process relies on “submitting a number”. The offline procedure allows for more security checks to be performed than the online procedure that it replaces. Another problem is that the explicit procedures usually are transformed to the online world, but the implicit procedures and contextual cues are not. Security and trustworthiness therefore often decrease. The frequent phishing cases involving online banking sites reported in the media are an example here. The authentication of the actual site may be adequate, but if people are incapable of establishing the trustworthiness of the site they are lured to, this does not help. 

Another major problem often seen is unrealistic trust in technology and security of complex systems. In many cases, a user, from his perspective, trusts one component used for a special purpose, but does not oversee the complex nature of the system and the multiple purposes it has or could be used for. As a result, the security of the system is constantly under threat, for example because users do not install updates or patches which are necessary for the system as a whole, but not for the user’s limited view on the system. Such weaknesses can then be used to steal authentication data and thus to prepare identity theft. Possible targets are: 

• Hardware and operating systems including drivers (PCs, PDAs, ID cards etc.)

• Applications such as mail clients, browsers etc. 

• Electronic communication (Chat, eMail, www) 

The current chapter addresses ID-related crimes from a technical perspective. It first describes common methods of (technical) attacks against authentication procedures and analyses the associated vulnerabilities, both with respect to the identity of persons and with respect to the identity of IT systems. Next, two scenarios are sketched more in detail focusing on attacks against biometrics. 

Authentication of a person by an IT system

Authentication of persons is primarily related to the verification of the identity of an individual for the purpose of controlling access to restricted resources or areas. This process is regarded to be the gatekeeper, as well as the “Achilles heel” of the security of a system. Authentication is mainly based on something someone possesses, such as an identity card, a passport, a smart card, something one knows, for instance a password, a PIN, an answer to a question, or something one is, their human characteristics (physiological or behavioural). The main advantage of the first two ways of authentication is the fact that they are inexpensive, simple to set up, and user-friendly. Moreover, both a password and a smart card can be easily replaced in case they are lost. Most systems using these methods of authentication will also “lock” the associated accounts in the case of loss of the key, which will also happen in the case a password or PIN is incorrectly entered several times. Nevertheless, smart cards or passwords can be easily lost, stolen or shared, and thus a high level of security is not offered. As pure knowledge-based or pure possession-based authentication processes are not very strong, usually the two methods are combined. An example is the all familiar ATM, which uses a two-factor authentication requiring not only a user PIN (something you know), but also a physical card (something you possess).

From a technical viewpoint, an identity is just a digital pseudonym that represents a person. So, there must be measures to prove that the digital pseudonym actually belongs to the person who claims it does. 

Such a technology should ensure the following properties: 

• A person can use its own digital pseudonym without restriction; 

• Another person cannot use this digital pseudonym. 

There are different technologies aiming at this goal, but with a certain probability of failure. When a pseudonym is used, it must always be in connection with proof that it was used by the person to whom it belongs. 

IT systems are able to recognize a human by (Pfitzmann 2005): 

• what he is (by using biometric techniques);  

• what he possesses, or; 

• what he knows. 

shows some examples of what can be used as proof for a particular pseudonym. Some of the proofs can also be applied to the process of recognition of humans by humans, for instance look, and voice. Hand geometry, retina patterns, magnet strip cards, chip cards and calculators do not play an important role here for obvious reasons. Of course, combinations are possible and useful, e.g. a passport combines “what you are” (appearance through a picture and partially unconscious actions through an autograph signature) with “What he has got” - the passport itself.  

Figure . Authentication of a Human by an IT System.

The methods of proof can be decomposed further. Biometric proof, for instance, can be decomposed in product checking and process checking. Checking the validity of an autograph signature, for instance, can be taken to mean to “check the results of the signing process” (product) by comparing two static line patterns, but also as meaning to “analyse the dynamics of the signing process” (process), for instance by comparing pressure and acceleration values of signatures. Process checks are very suitable for behavioural biometrics, such as vocal patterns, typing patterns, gait analysis and the style of writing for pen inputs.  

Within process checks, one furthermore has to decide whether the tests is to be performed just at the beginning of the process, at additional (fixed) time intervals or permanently. Some biometrics are suitable for permanent monitoring, for example key stroke monitoring that can run as a permanent background process thereby continuously confirming the presence of the authorised person, whereas other clearly only suitable for one-shot authentication: one cannot demand the subject to keep his hand permanently on the hand geometry scanner. 

One-shot versus permanent authentication also plays a role in the other types of authentication. A metal key, or a USB dongle can be required to be present permanently during an interaction, but also only to unlock an application or access door. 

Up to now, most authentication in the online world is carried out by means of the ‘what you have’ and ‘what you know’ methods. Both types of authentication means, as we have seen, are relatively easy to obtain which makes them relatively insecure. Biometrics are deemed more secure as they are more closely linked to the person. The iris never leaves the human body, for instance. Yet, also these methods of proof can be misused. We will turn to ways to spoof this kind of biometrics in section . In recent years, physiological biometrics have started to enter the marketplace in larger numbers. Fingerprint scanners are becoming affordable and already standard on some laptops, and also portable hard disks (such as the LaCie SAFE Mobile Hard Drive.

Experiments on human actions by psychologists and mathematicians have demonstrated that human behaviour can be predictable as far as it concerns repetitive tasks. In this way not only physiological but also behavioural human characteristics can provide valuable information for human authentication. The traits used by these methods are less susceptible to duplication or loss when compared to the traditional means of authentication, and even the physiological biometrics methods mentioned above. They are portable and may involve a non-contact authentication, yet use something integral to something the person is. The proper implementation of these systems prevents the sharing of secrets that could be used fraudulently. Therefore, we may expect to see more of authentication methods such as keystroke analysis and mouse gestures. 

Authentication of an IT System by a Person

Most cases of ID fraud will involve using one or more of the means of authentication in the previous section to mislead an IT system into believing the culprit is mentioned is who he claims, to be. Yet, ID theft may involve tricking a human into believing that an IT system is what it claims to be in order to misappropriate ID data from this person. We therefore have to look into how a person authenticates an IT system 

They can use: 

• what the IT system is

• what it knows

• where it is located

gives some examples of specific measures.

Figure . Authentication of an IT System by a Human.

Some of these are frequently used to establish the authenticity of the IT system. Consider, for instance the digital certificates used in SSH connections. The user can in principle verify the trust chain and establish that such a certificate is valid, notwithstanding the problems associated with the opaque CA system as mentioned in section .

An interesting proof for the authenticity of the IT system is the location. Usually we take it for granted that this indeed is a signal for the validity of the system. Yet, there are numerous cases where this assumption proves wrong. Dummy cash machines and magnetic swipe devices have been installed in front of a real ones, typically during weekends, covering them to the extend that users did not notice. The dummy machine initiates a transaction just like the valid machine would do, so it asks the personal identification number (PIN) for the inserted EC cash cards and stores it. Next, then system will display something along these lines: “Your faulty EC cash card will be impounded, please contact your bank on Monday for assistance.” Needless to say that the culprits then have both the physical EC card and the corresponding PIN, which can then be used to withdraw cash until the card is blocked by the bank on the victims request.