Identity fraud in cyberspace
A virtual battle to be who you pretend to be
Chief commissioner Luc Beirens
Head of Federal Computer Crime Unit
Belgian Federal Judicial Police
Direction for economical and financial crime
© Luc Beirens DJF - FCCU

Topics
• Dogs on the real world - cyberspace frontier
• Identity in cyberspace ?
• Link between cyber identity and e-security
• Weak links in the authentication process
• So who did it ? Cyber traces
• Why do they steal your cyber identity ?
• Cyber identity fraud cases
• Evidence of cyber identity in court
• Ending remarks

But first in the real world ...
How do we identify a man’s best friend ?
Transponder chip
Tattoo
Pet passport
Dog identification database
[Diagram: Dog DB, record 121132132123: Mickey, German shepherd, ...]

But ...
• Humans don’t like to have transponder chips implanted ...
• Fear of Big Brother situations

Identity in cyberspace ?
• Identification : recognition and acceptance as a unique person authorised to take actions when using cyberspace infrastructure ...
• Cyber identity is built upon :
  - the telecom services one uses in cyberspace
  - subjects about which one communicates
  - the way in which one communicates, his language
  - the way in which one acts, the names he uses
• Recognised by humans but not by ICT infrastructure

Different processes in cyberspace
• Identification
  - Getting a user’s “official” identity information
• Authentication
  - Verify & certify that the user is who he pretends to be (under any given identity)
• Authorisation
  - Granting access to the system and allow use of the system according to user rights

Identity in cyberspace ?
• Legal dispositions ? “State Registry”
  - name, gender, nationality, date of birth, address, ...
  - existence of identity & signature certificate ?
• No physical information to compare
• Combinations of name, firstname, ... are not unique
• Unique number : State registry number

Dog identification database
[Diagram: Dog DB, record 121132132123: Mickey, German shepherd, ...]

Natural Persons State Registry database
[Diagram: RRN DB, record 620423 888 54: Hercule Poirot, Male, ...; further databases shown: Firm DB, Pers DB]

Intermediate conclusion
• Because of :
  - Limited access to referential database (State Registry of Natural Persons)
  - Restricted use of State Registry number
• Non authorised services have to create their own
  - databases
  - unique identifying number (different in each db)
• Which leads to
  - difficulty with authentication
  - accuracy of data in database

So, how is a user authenticated ?
WHO ARE YOU ?

Cyber identity & e-security
• Three basic principles
  - What do I know ?
    Passwords - User ID
  - What do I have ?
    cards, certificates, eID
  - What I am ?
    retina scan, fingerprint
• Combinations

What do I know ?
WHO ARE YOU ?
My username is IAMSOVIP
My password is ABCDEFG
OK Welcome IAMSOVIP

What do I know ?
WHO ARE YOU ?
My username is IAMSOVIP but I FORGOT my password
!!!??? Mmmm... What’s the name of your dog ?
My dog’s name is Mickey
OK Welcome IAMSOVIP
Change password

Problems with what I know
• Did I change the standard settings ?
• Do I always remember my password ?
  - Too easy / too short
  - Can they know/guess/crack it with trial & error ?
• How do I remember my password ?
  - Post-it / automatic memory function on PC
• Do I share my password ?
  - With colleagues ? Your wife ? Your Boss ?
• Fall back procedures for forgetful people

Problems with what I have
• It gets lost => no more access
• It gets stolen or copied => abuse of your access
• Solution : combination of
  - what I have
  - what I know

Problems with what I am
• Fingerprints
• Retina scan
• What if I have an accident ?
• Doesn’t it cause damage ?
• Is Big Brother watching ?

Some weak links in the authentication process
• Location of the authentication device
  - not tamperproof / under control => replaced
• Transmission lines
  - not encrypted => interception / modification
• Location/format of the reference database
  - not encrypted => hacking / copy / modified
• Creation of a new identity in the database
  - not stringent => very often fake ID data in reference database (subscriber information, domain name registration, mail, ...)

Weak links in the authentication process
[Diagram: creation of account & referential data in the database; "My identification" stored in DB as record "Hercule Poirot, Male, ..."]

Cyberspace = anonymity ?
• Very common
  - Nicknames
  - False identities
• Other users “recognise” the user but
  - cannot always identify
  - cannot always authenticate

So ... who did it ?
• Use of identification certificates (eID)
• Traces left by financial transactions
  - accounts
  - use of accountless money transfers
• Telecommunications traces : 3 levels
  - physical connection level
  - internet (network) access level
  - internet service level
[Diagram: End user -> Telecom operator (physical connection, 02 / 123 12 12) -> Internet access provider (internet access, 123.132.213.231) -> Internet -> Internet service provider (use of internet services)]
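
The three trace levels above, worked through as an added Python example (not part of the original slides): a service-level log entry is mapped to an access session and then to a line. The log layout, subscriber names, timestamps and the second phone line are constructed; only the IP address and "02 / 123 12 12" come from the diagram.

```python
from datetime import datetime, timedelta

# Constructed sample records: subscribers, times and the second line are made up;
# the IP address and "02 / 123 12 12" are the values shown in the diagram.
SERVICE_LOG = [  # internet service level: what the service provider logged
    {"ts": "2011-03-01T10:15:30", "ip": "123.132.213.231", "action": "login"},
    {"ts": "2011-03-01T10:20:00", "ip": "123.132.213.99", "action": "login"},
]
ACCESS_SESSIONS = [  # internet access level: dynamic IP assignment per session
    {"ip": "123.132.213.231", "start": "2011-03-01T08:00:00",
     "end": "2011-03-01T09:59:59", "line": "02 / 555 00 00"},
    {"ip": "123.132.213.231", "start": "2011-03-01T10:00:00",
     "end": "2011-03-01T11:30:00", "line": "02 / 123 12 12"},
]
LINE_SUBSCRIBERS = {  # physical connection level: line -> subscriber
    "02 / 123 12 12": "Subscriber A (constructed)",
    "02 / 555 00 00": "Subscriber B (constructed)",
}

def resolve(event, sessions=ACCESS_SESSIONS, subscribers=LINE_SUBSCRIBERS,
            clock_skew=timedelta(0)):
    """Map a service-level event to (line, subscriber); None if not unique.

    clock_skew is the known offset between the service's clock and the
    access provider's clock. The result names a connection, not a person.
    """
    when = datetime.fromisoformat(event["ts"]) + clock_skew
    hits = [s for s in sessions
            if s["ip"] == event["ip"]
            and datetime.fromisoformat(s["start"]) <= when
            <= datetime.fromisoformat(s["end"])]
    if len(hits) != 1:
        return None  # no session, or overlapping ones: do not attribute
    line = hits[0]["line"]
    return line, subscribers.get(line)

if __name__ == "__main__":
    for ev in SERVICE_LOG:
        print(ev["ts"], ev["ip"], "->", resolve(ev))
    # A 20-minute clock error points at a different subscriber:
    print(resolve(SERVICE_LOG[0], clock_skew=timedelta(minutes=-20)))
```

The same IP address belongs to two different lines on the same morning, so an uncorrected clock difference between the two logs attributes the event to the wrong subscriber.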

Why do they steal your identity ?
• Why do we want it ?
  - certainty about our communication/business partners
  - if transactions fail, find the other party to indemnify you
• Why do the criminals want it ?
  - Be recognised as trustworthy party and get services, favours, deliveries for which you pay
  - Get access to your private information / spying
  - Commit crime under cover of your identity
  - Blackmail you
  - Cause you damage by acting in a malicious way

Cyber identity fraud tools
• Phishing web site publishing
  - with copy of your company site
  - routing to website by spam / pharming / search engine
• Most important tool for criminal : trojan
  - infection at large scale of PCs of individuals / firms
  - administration via intermediate Command & Control server
  - thus forming botnets
• Used for
  - information collection and transmission to servers
  - informing of ongoing transaction => man in the middle

Authentication systems
[Diagram: eService user <-> eService website. Each exchange ends in: Authentication -> Consultation & Transfers]
Exchanges shown:
  - user : u123 / password : secret123
  - Give token 15 : Word15
  - New authentication systems: one time passwords
    - Time based: Give OT password : time dependent code
    - Challenge based: Calculate OTP with challenge 12345678 : calculated OTP
Attacker notes shown:
  - Intercepted userid + pw
  - Intercepting 36 sessions, phishing website 3 x 12
  - Waiting the authentication, afterwards perform transaction
  - Waiting the authentication, need for user cooperation ????
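
The time-based and challenge-based one-time passwords named in the diagram above, as an added Python example (not from the original slides). The key, the transfer strings, the `Verifier` helper and the simplified challenge construction are assumptions; the example goes one step beyond the slide by tying the challenge code to the transfer details, so a code given for one transfer does not validate a changed one.

```python
import hashlib
import hmac
import struct

def truncate(key: bytes, msg: bytes, digits: int = 6) -> str:
    """HMAC-SHA1 plus the dynamic truncation of RFC 4226."""
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def time_otp(key, now, step=30, digits=6):
    """Time-based code (RFC 6238): HMAC over the current 30-second counter."""
    return truncate(key, struct.pack(">Q", int(now) // step), digits)

def challenge_otp(key, challenge, txn=""):
    """Challenge-based code. Simplified construction (assumption): HMAC over
    the challenge, optionally joined with the transfer details in txn."""
    return truncate(key, f"{challenge}|{txn}".encode())

class Verifier:
    """Server side of the exchange (hypothetical helper)."""

    def __init__(self, key):
        self.key, self.last_counter = key, -1

    def check_time_otp(self, code, now, step=30):
        # Accept a code at most once per time step, so a captured code
        # cannot be presented a second time.
        counter = int(now) // step
        ok = counter > self.last_counter and hmac.compare_digest(
            code, time_otp(self.key, now, step))
        if ok:
            self.last_counter = counter
        return ok

    def check_transfer(self, code, challenge, txn):
        # The code must match the transfer the server is about to execute.
        return hmac.compare_digest(
            code, challenge_otp(self.key, challenge, txn))

if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test key, not a real secret
    v = Verifier(key)
    code = time_otp(key, 59)
    print(code, v.check_time_otp(code, 59), v.check_time_otp(code, 59))
```

A time-based code proves only that the key holder was present at login; it says nothing about which transfer follows, which is why the check on the transfer itself is separate.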

If technical security is ok ...

A false (criminal) DNS server reroutes critical domain names to servers under the control of the criminals, to get the victim’s ID credentials and identity

Getting proof of cyber identity
• Authentication need depends on situation
  - private chat
  - business transactions
  - sending a cyber criminal to jail
• Cyber identity in a criminal case
  - subscriber information
  - telecommunication traffic data
• Identification => device ! Who’s behind it ?
  - well protected device / environment ?
  - what if infected with trojan horses ?

Ending remarks
• Cyberspace :
  - allows for a reasonable level of anonymity
  - but needs also identification / authentication
• Old authentication concepts still used - too weak
• Need for strong authentication
  - move towards digital certificates / biometrics
• Risk for more “aggressive” authentication
Stay vigilant ...

Contact information
Belgian Federal Judicial Police
Direction for economical and financial crime
Federal Computer Crime Unit
Notelaarstraat 211 - 1000 Brussels - Belgium
Tel office : +32 2 743 74 74
Fax : +32 2 743 74 19
Head of Unit : [email protected]@fccu.be
Twitter : @LucBeirens