D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research
The processes of authentication of a person by a system and the authentication of a system by a person can be described schematically as in .
Figure . Authentication procedures between persons and IT Systems.
During the enrolment phase, which is not shown in the diagram, the subject is authenticated and reference data is generated. Link 1 describes the association of the subject with the authentication data that is either supplied by this subject (for instance a fingerprint in the case of biometrics). Additionally, other data may be collected for use in later authentication processes. These data establish links 1 and 2.
In addition, the person is made familiar with the use of the system and with the location where it is placed. In rare cases, further authentication information and reference data for authenticating the system to the user are generated, and the appropriate links 3 and 4 are established.
As introduced in section , identity changes, and thus identity fraud, are based on rearrangements of identity linkage. The links between a physical person and authentication data shown in are therefore the target of an attacker, although in some cases the attack is not carried out directly against that link (indirect attack). Various currently discussed occurrences of identity fraud and identity theft can be categorised as follows:
Identity Theft
Direct attack on the link between the person and the authentication data (link 1, see ), using one or more steps
Worms installing, for example, a key logger
Authentication data is taken directly from a person by manipulating his input device (in most cases a local computer). This attack is directed non-selectively at many input devices (1 : n attack); the person is not addressed directly.
Social engineering
Using communication, for example via telephone, authentication data is taken directly from the user by giving him a seemingly plausible reason for disclosing the requested data, e.g. for testing purposes by administrative personnel of the enterprise’s IT department. This type of attack is directed at a specific person.
Trojan horses / key logging etc. sent via e-mail attachment
In the first step, a spam mail containing malicious code in an attachment is sent non-specifically to many users (1 : n attack). By opening the attachment, for example, a key logger is installed that obtains the authentication data in a second step.
Spoofing of (biometric) sensors without co-operation of the person to whom they were originally linked
In the first step, the needed biometric data, such as a photo of the eyes, is taken from the person. In a second step, a printout of the photo is used to spoof, for example, an iris scanner. This type of attack is directed at a specific person.
Indirect attack on reference data or via other links
Readout of person-related identifiers, authorisations and reference data
In this case the attack is directed at the centrally stored reference data and related additional identifiers. It can be carried out either against the whole database (1 : n) or against specific data records (1 : 1).
Manipulation of reference data concerning a person
By manipulating the reference data, the attacker is able to redirect link 1 to himself, while the IT system expects an authentication by the person to whom the unmanipulated reference data was originally linked.
Phishing (3 steps, indirect attack, 1 : n)
In the first step, the attacker sends a spam mail that seems to originate from a trusted brand (e.g. a bank) to many recipients (1 : n attack). This e-mail usually urges the recipients to click on an embedded link that leads them to a manipulated web site. This web site in turn has the layout of the trusted brand, so that the link between IT system and authentication data (link 3) is attacked. On this site the user is duped into entering authentication data.
“Man in the middle” attacks; they allow for both forms of attack
Identity theft by readout of authentication data not securely communicated by the user (direct attack on link 1, 1 : 1 attack).
Replay Attacks
An IP packet containing authentication data is manipulated with respect to the sender address and resent to the receiving system. This type of attack is directed at the user of a specific input device (direct attack on link 1, 1 : 1 attack).
Identity theft by redirecting the communication to a manipulated web site, e.g. by using DNS spoofing, manipulated proxies or manipulation of routing tables. On the manipulated web site the user is duped into entering authentication data. In some of its steps this type of attack is similar to phishing (2 steps, indirect attack on link 3, 1 : n attack).
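The replay attack described above, and the single-use challenge that defeats it, as an added example that is not part of the deliverable: a credential resent verbatim (with a rewritten sender address) passes a static check, while a nonce-based challenge-response rejects the identical resent packet. The shared secret, password and addresses are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for the user's authentication data
# (the link-1 material an on-path attacker captures and resends).
SHARED_SECRET = b"constructed-demo-secret"


def static_credential_scenario():
    """Credential sent as-is: a resent copy with a rewritten sender address still passes."""
    stored_password = "constructed-pw"  # reference data held by the system
    packet = {"user": "alice", "password": "constructed-pw"}  # observed on the wire
    resent = dict(packet, src="198.51.100.7")  # same payload, new source address

    def accept(msg):
        return hmac.compare_digest(msg["password"], stored_password)

    return accept(packet), accept(resent)  # (True, True): the replay succeeds


def respond(secret, nonce):
    """User side: prove knowledge of the secret for this nonce only."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


class Verifier:
    """System side of a nonce-based challenge-response. A response is accepted only
    if its nonce was issued here and not yet consumed, so a captured (nonce, response)
    pair is worthless when resent, whatever its source address."""

    def __init__(self, secret):
        self._secret = secret
        self._outstanding = set()

    def challenge(self):
        nonce = secrets.token_hex(16)  # fresh, unpredictable per login attempt
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce, response):
        if nonce not in self._outstanding:
            return False  # never issued or already used: treat as replay
        self._outstanding.discard(nonce)  # single use, even if the response is wrong
        return hmac.compare_digest(respond(self._secret, nonce), response)


def challenge_response_scenario():
    verifier = Verifier(SHARED_SECRET)
    nonce = verifier.challenge()
    captured = (nonce, respond(SHARED_SECRET, nonce))  # what the attacker observes
    first = verifier.verify(*captured)  # genuine login
    replayed = verifier.verify(*captured)  # identical packet resent later
    return first, replayed  # (True, False)
```

Because the verifier keys acceptance on a nonce it issued rather than on the sender address, rewriting the address (the manipulation the text describes) gives the attacker nothing.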
Deceitful Identity delegation and deceitful identity exchange
In this case the person co-operates with the attacker, deliberately giving him his authentication data in the knowledge that these data will be abused. The attack is directed towards link 1 and is 1 : 1 (deceitful identity delegation), or more complex in cases of deceitful identity exchange.
Identity Creation) so that the chain from him as the physical person to the authorisation breaks. Thus he can probably abuse the IT system for a certain (and probably long) time.
Denis Royer | 29 / 44