D5.2b: ID-related Crime: Towards a Common Ground for Interdisciplinary Research

Title: METHODS TO MANIPULATE AUTHENTICATION PROCEDURES

The processes of authentication of a person by a system and the authentication of a system by a person can be described schematically as in .

Figure . Authentication procedures between persons and IT Systems.

During the enrolment phase, which is not shown in the diagram, authentication of the subject is performed and reference data is generated. Link 1 describes the association of the subject with the authentication data that is either supplied by this subject (for instance a fingerprint in the case of biometrics). Additionally, other data may be collected to be used in later authentication processes. These data establishes links 1 and 2.  

In addition the person is made familiar with the use of the system, and the location where it is placed. In rare cases, further authentication information and reference data to authenticate the system to the user is generated and the appropriate links 3 and 4 are established. 

As introduced in section , identity changes and thus identity fraud base on rearrangements of identity linkage. So the links between a physical person and authentication data shown in is the target of an attacker, though the attack in some cases is not directly carried out against that link (indirect attack). Various currently discussed occurrences of identity fraud and identity theft can be categorised as follows:

• Identity Theft 

  • Direct attack on the Link between the person and the authentication data (link 1, see ) using one or more steps

    • Worms installing for example a key logger     
      Authentication data is directly taken from a person by manipulation of his input device (in most cases local computer). This attack is directed non selective to many input devices (1 : n attack); the person is not addressed directly.

    • Social engineering    
      Using communication for example via telephone authentication data is directly taken from the user by giving him a seemingly plausible reason for disclosing the requested data e.g. for testing purposes by administrative personal of the enterprise’s IT department. This type of attack is directed to a specific person.

    • Trojan Horses / Key logging etc. sent via e-mail attachment    
      In the first step a spam mail containing malicious code in an attachment is not specifically sent to various users (1 : n attack). By opening the attachment for example a key logger is installed that starts obtaining the authentication data in a second step.

    • Spoofing of (biometric) sensors without co-operation of the person to which they were originally linked    
      In the first step the needed biometric data such as a photo of the eyes is take from the person. In a second step, a printout of the photo is used to spoof for example an iris scanner. This type of attack is directed to a specific person.

  • Indirect attack on reference data or via other links 

    • Readout of Person related identifiers, authorisations and reference data
      In this case the attack is directed to the centrally stored reference data and related additional identifiers. This attack can either be carried out against the whole database (1 : n) or specific data records (1: 1).

    • Manipulation of reference data concerning a person    
      By manipulation of the reference data, the attacker is able to redirect link 1 to himself while the IT systems expects an authentication by the person the not manipulated reference data originally was linked.

    • Phishing (3 Steps, indirect attack, 1:n)    
      In the first step the attacker sends a spam mail that seems to originate from a trusted brand name (e.g. a bank) to many recipients (1 : n attack). This e-mail usually urges the recipients to click on an embedded link that leads them to a manipulated web site. This web site again has the layout of the trusted brand, so that the link between IT system and authentication data (link 3) is being attacked. On this site the user is duped to enter authentication data.

• “Man in the middle” attacks; they allow for both forms of attacks

  • • Identity theft by readout of authentication data not securely communicated by the user (direct attack on link 1, 1 : 1 attack). 

    • Replay Attacks     
      An IP-packet containing authentication data is manipulated concerning the sender address and resent to the receiving system. This type of attack is directed to a user of a specific input device (direct attack on link 1, 1 : 1 attack).

    • Identity theft by redirecting the communication to a manipulated web site e.g. by using DNS-spoofing, manipulated proxies or manipulation of rooting tables. On the manipulated web site the user is duped to enter authentication data. This type of attack is concerning some steps similar to phishing (2 steps, indirect attack on link 3, 1 : n attack). 

• Deceitful Identity delegation and deceitful identity exchange    
  In this case the person co-operates with the attacker giving his authentication data deliberately to him with the knowledge that this data will be abused. The attack is directed towards link 1 and is directed 1 : 1 (deceitful identity delegation) or more complex in cases of deceitful identity exchange.

• Identity Creation) so that the chain from him as the physical person to the authorisation breaks. Thus he probably can abuse the IT system for a certain (and probably long) time.