A British man has been arrested and cautioned for stealing accounts for online game Runescape… A statement from the Police National e-crime unit said: “A 23-year-old man was arrested in Avon and Somerset… on suspicion of a number of computer misuse offences.”… Once hi-tech thieves have these credentials they plunder the accounts, strip characters of their items and sell off the rare virtual goods for Runescape gold.[From BBC News – Runescape creator pursues ‘phishing thieves’]
This is real identity theft. If criminals somehow get into my bank account and spirit the money away, I don’t really care because it’s the bank’s problem and they will give me the money back. But if the criminals take over my Runescape character, that’s a real personal violation. As I said before
a bank can easily restore my money, but it’s much harder for Facebook to restore my reputation (apart from anything else, a reputation takes time to build). Which is the worse crime?[From Digital Identity Forum: What identity is important?]
It’s the latter, clearly. So perhaps the “standard” use case for strong authentication should be switched from logging on for home banking to logging on to Facebook, which takes us into the world of OAuth and OpenID instead of EMV and OTP. In this world, there’s already plenty of work going on around authentication, credentials and federation that could provide key portions of the infrastructure that we know that we are going to need in the mass market.
When I was at the EURIM E-Crime meeting at the House of Commons the other day, I did expect to hear more discussion of this kind of thing rather than (basically) spam and phishing. (As an aside, we at least got through the first hour and a half before anyone asked what was actually meant by e-crime.) The chairman, Alun Michael (he’s an M.P.) — who of course said early on in his introduction “I’m not a techie” but would never have dreamed of telling an education meeting “I can’t read” or a transport meeting “I’ve never been on a bus” — said that good policing is based on intelligence. I’m sure he’s right, but I’m not sure what that means. I saw a letter in The Telegraph recently from someone complaining that Abbey had been sending them e-mails about online banking security even though they didn’t have an Abbey account. You or I would simply ignore this sort of obvious spam (even if it did make it through my spam filters) and I imagine that in time members of the public can be taught to recognise this sort of thing as spam or, as my own teenagers have done, simply stop using e-mail in favour of Facebook, Instant Messaging and Twitter because of their albeit rudimentary authentication. Intelligence can tell you that this is spam and where it was from and what it was for. But would it stop it? No.
What about the law in general? As I was typing the first part of this post, I was listening to the BBC report on the multi-million dollar fine on some NZ spammers by an American court. The essence of the story was that this is completely pointless as the fine will never be collected and the spammers will continue making an estimated $250K per month from people buying herbal viagra and such like. I hate to be negative, but I can’t see either Intelligence or Law as practical ways of stopping this kind of abuse. I want to be able to set my Facebook preferences to the equivalent of “ignore anyone who hasn’t been strongly authenticated by one of these identity providers: Citibank etc etc” and I want those preferences enforced by code, not ombudsmen.
Incidentally, the purpose of the EURIM meeting was to discuss an “Internet Crime and Disorder Partnership”, but the truth is that this sort of thing has no chance of getting anywhere without some form of identity infrastructure, and it must be some sort of infrastructure that distributes liabilities accordingly, which is something that requires considerably more thought. It may, however, make more sense than trying to legislate or regulate for minimum standards or particular technologies. For example: suppose you changed the law so that it was no longer considered fraud to log in to someone else’s bank account using only a password? Then all of the banks would have to compete to provide (and bear the cost of) two-factor authentication. This is very different to (for example) the record industry approach of expecting the rest of society to bear the cost of supporting your business model in the face of technological change. Choosing one model over the other is about politics, not technology.
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.