[Dave Birch] Well, depending on which particular definition of "identity" and "theft" you choose, the problem grows.  In the US, 15 million Americans were victimized in just a 12-month period.  The amount of money that is being stolen from them is on the rise, as well, more than doubling between 2005 and 2006, Gartner analysts report in a study. And more of what they’re losing is staying lost: people managed to recover 87 percent of what was stolen from them back in 2005, but in 2006 that number dropped to 61 percent.  And here’s a surprise from the UK: most identity fraud appears to take place in and around London with its concentration of wealthy people (eg, not me) and "upmarket" addresses.  So, basically, the fraudsters are targeting rich people who bank online.


The thieves are, rather predictably, getting smarter too. They’ve now successfully attacked several "token" (two-factor authentication, 2FA) schemes. This is why we need end-to-end 2FA (ie, PKI-based 2FA): until all of the messages between you and your bank (or the government, or anyone else) are encrypted and signed, the fraudsters can intercept the confidential details and exploit them.

Not going down this route leaves banks and their customers vulnerable to attack (as it would PayPal, for example, should it decide to go the same way). On the other hand, it is going to cost issuers more money, hence something will eventually get done. Look at the recent example from ABN Amro, where the bank had to compensate victims of just such an attack. Four ABN Amro customers activated a virus allowing a man-in-the-middle attack that overcame the bank’s two-factor authentication. After the attack, ABN Amro removed an ‘urgent payment’ option from its Web site as a precaution, compensated the customers and launched a campaign to remind users about internet banking safety. The bank says that its customers opened an email attachment that resulted in a virus being executed on their machines, which is undoubtedly true. The virus re-directed the customers’ web browsers away from the real ABN site to a fake ABN site run by fraudsters. The customers then typed in their passwords, which the fraudsters then used to access the bank’s real web site. The customers’ own transactions were passed along to the real site, so they didn’t notice anything wrong right away, while the attacker simultaneously made their own fraudulent transactions using the bank’s "urgent payment" feature. You’ve got to admit it’s clever, but the truth is that until there’s end-to-end security from the bank’s hardware security module to the customer’s smart card (whether in a mobile phone or not), this sort of attack is inevitable.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.
