NOTE: This is a draft article intended for a sophisticated, non-security audience. Comments are encouraged.
Identity theft is a term used to describe a variety of forms of impersonation and fraud. Here we will concentrate on financial fraud done to obtain money from bank accounts and/or to commit credit card, loan, and mortgage fraud. In a strict sense, someone’s identity cannot really be stolen, but their money can be and their reputation and credit worthiness can be damaged so that making repairs can be costly, time-consuming, and frustrating.
The purpose of this essay is to review the relationship between authentication and identify theft, with a focus on current and proposed electronic authentication methods. Because of the high rate and cost of identity theft and the rapid development of new authentication methods and services, there has been a lot of attention in this area. My goal is to examine what upcoming authentication solutions may improve things in the short-term, to examine what would be necessary for long term authentication solutions, and to consider identity theft in the broader context. The focus will be on financial services conducted electronically both on and off the Internet, such as online banking and automated teller machines (ATMs).
A key step in identity theft is impersonation, which involves obtaining and presenting some personal identifiers or credentials that will convince another person or institution of the false identity being claimed. Such identifiers traditionally include Social Insurance Numbers (Social Security Numbers in the US), birth certificates, passports, bank cards, etc. Using false, or falsely obtained, documents for identity theft is not a new crime, and the authentication and protection of these documents has been a long-standing problem.
Identity theft costs US$56 billion/year
Most recently, however, the growth of electronic transactions and the popularity of financial services offered over the Internet have broadened the types of identifiers that can be used for impersonation and fraud. Moreover, because of the nature of electronic information, it is now possible to fraudulently obtain and use identifying information on a large, cost-effective scale. As a result, identity theft is a very large personal and financial problem (2006 estimates are $56 billion per year in the USA).
Since impersonation is the foundation for identity theft, attempts at solutions have focused on the methods used to claim another identity. Authentication refers to the process of confirming something, or someone, as authentic. For authenticating a personal identity, we rely on a number of authentication factors, most commonly categorized into something you have, something you know, and something you are. Identification documents and credit cards are something you have, passwords and Personal Identification Numbers (PINs) are something you know, while biometrics (fingerprints, faces) are something you are.
Historically, we have used a variety of authentication factors. Most common was personal recognition and introductions among a network of people. When communicating at a distance, signatures and wax seals have been used to leave a mark or impression on documents so that they can be recognized as being authentic or not. The term indentured refers to an ancient practice where contracts could be cut into two pieces using a jagged (or toothed) pattern so that the two parts could be refitted to confirm authenticity. Secret passwords have also been used to confirm identity of individuals or groups, such as by sentries guarding a location. Today, the types of information and the forms of authentication have changed, but the fundamental issues remain.
Authentication and Identity Theft in Financial Transactions
The primary method for authentication for online banking is a username and password. The username may be a person’s given name, their bank account number, or the number on a bank card. The password is usually a string of characters (letters, numbers, and perhaps punctuation and symbols) assigned by the institution or, more commonly, chosen by the customer. So, online authentication uses a single authentication factor based on something you know. For authentication at ATM machines, the most common form of authentication is a bank or credit card and a PIN, where the PIN is again assigned or chosen by the customer. Thus, ATM banking involves two-factor authentication based on something you have (the card) and something you know (the PIN).
Identity theft related to online banking and ATMs is well known. For online banking, customers may record their passwords in insecure places, choose easily guessable passwords, or be tricked into revealing their passwords. Malicious software running on their computer may also record their username and password and relay that information to fraudsters. Using the identity information, an impersonator can access the online account and perform fraudulent transactions. These transactions include money transfers, money laundering, and the purchasing of goods to be shipped to different addresses.
There are a variety of ATM and point-of-sale frauds
For ATM banking, there are various forms of fraud that have been encountered. Fake or doctored ATMs and point-of-sale terminals can be installed and, when a customer attempts to use the machine, the cards themselves or information stored on the cards (on the magnetic strip on the back of the card) can be obtained. The false machines can also record the PINs that are entered by the customers, and these can later be used to withdraw funds. ATM cards can also be cloned by obtained the card number or information from the magnetic strip. If the PIN can also be obtained, either by covert observation (shoulder surfing or hidden cameras), or by tricking the user into revealing it, then the false card can be used. Using fraudulent, or fraudulently obtained, ATM cards and PINs to withdraw cash from bank accounts is commonly called “cashing” and, as we will see, it is an important step in many of today’s successful identity thefts.
The most common method of identity theft related to online banking today is phishing. In phishing, a customer is tricked into revealing their identification information, which is then used for fraudulent transactions. Typically, phishing is done by sending email messages that claim to be from a financial institution. For some reason, usually related to protecting the customers’ security, the message instructs the recipient to verify their identification information. The messages provide a convenient link for the user to follow when updating their information. The problem is that the link is not to the authentic financial institution, but instead to a forged website. Here the identification information is collected and later used to commit impersonation and fraud. Various techniques have been used to create authentic-looking forgeries of financial web sites, and the authentication-related information provided within web browsers (such as the padlock icon) can also be forged.
Phishing and ATM fraud can be related
Frequently, there is a relationship between phishing and ATM fraud. If a phishing attack can obtain bank card information and PINs, then false bank cards can be created and withdrawals can be made from ATM machines. It is common for the forged websites creating for phishing to request bank card numbers and PINs, even for financial services that don’t normally require such information, such as Paypal. Bank card numbers and PINs are frequently the target of phishing attacks because of the ease of the cashing phase of the fraud, where the identity information is converted to real cash.
Identity information can also be fraudulently obtained from financial institutions and processors. Infiltrations, equipment theft, and other forms of data breaches can allow criminals to obtain identity information that can be used in fraud. There have been a number of cases recently where personal information and credit card numbers have been lost or stolen, and later used for fraudulent financial transactions. Large scale thefts of thousands, or even millions, of records with account information are becoming far too common.
Improving Authentication for Finance
Given the current situation, there are a number of things that can be done to improve the identity theft problem in the financial industry. Educating users about password secrecy and phishing attacks will help prevent some fraud. Improving authentication methods, including using multi-factor authentication, will be better than today’s simple systems. Such changes, however, do not represent a long-term solution to all forms of fraud, and in some cases, they may even lead to more problems in the future. Moreover, it is not clear if purely technical solutions, such as enhanced authentication methods, will provide a complete solution. Instead, it is necessary to examine identity theft in the broader contexts of economics and liability.
There have been a number of recent attempts to increase the authentication factors used for electronic banking. Much of this is driven by new requirements by the US Federal Financial Institutes Examination Council (FFIEC), who stated that single-factor authentication is no longer considered adequate for Internet banking. As a result, US banks have been introducing a variety of methods to improve the authentication of customers. For examples, some banks are distributing special cards to their customers that resemble bingo cards (e.g., Circle Bank; see Figure below). During authentication, users are prompted with column and row numbers, and they have to provide the secret number contained in the corresponding cell. This provides a second form of authentication, something you have, along with the traditional username and password. Since an imposter does not have the security card, they are not able to look-up the correct information in each cell when they attempt to fraudulently access the bank account.
Security matrix used by Circle Bank.
Other financial institutions are turning to security tokens that provide one-time passwords that update every minute or so (e.g., ETrade). The RSA SecurID (see below) has a digital display that the user would read and then copy the number to a login form. Since an imposter does not have the device, they are not able to copy the correct number when they attempt to fraudulently access the bank account.
RSA SecurID two-factor token. (www.rsa.com)
Another method for improving customer authentication is to request more secret information beyond a username and password. So, a bank site might establish a series of questions and answers related to the customers’ personal history and preferences, such as their mother’s maiden name or favorite color. When the bank site is accessed later, these challenge questions can be presented to aid in the confirmation of identity. Some banks are combining these additional questions with methods to keep track of the computers used to access customer accounts. If a login is attempted from a computer not used in the past (established using web cookies), the bank may present one or more challenge questions in an attempt to increase security.
Finally, some banks are starting to use biometrics as an additional authentication factor. In a Bank of America pilot, customers are provided with a smart card and a fingerprint reader to attach to their personal computer. During authentication, the customer inserts the smart card into a reader and places a finger on a scanning device. If the fingerprint matches the one stored on the card, the customer is considered authentic and they are given access to the account.
Online and Offline Attacks
These forms of enhanced authentication do provide improvements over today’s solutions. In particular, they can successfully prevent offline attacks where the identity information is collected and used at another time and place for a fraudulent transaction. So, phishing attacks that collect identity information to be used later to access accounts will not be successful. Data breaches that resulted in identifying information falling into the wrong hands would not work without the multi-factor authentication. Even malicious hardware or software that recorded authentication information as it was typed on a computer (e.g., key loggers) would not be successful because the identification information would not be valid when it was used later.
Multi-factor authentication does not prevent online attacks
These forms of authentication to not protect against online attacks, however. In an online attack, the fraud takes place at the same time as the customers’ legitimate transactions. Here the imposter relies on the customer to do whatever forms of authentication are necessary, and then hijacks the session to perform their fraud. The most common form of online attack is the man-in-the-middle attack. Here an imposter inserts themselves in the middle of a transaction by acting as a relay or proxy between the customer and the authentic financial site. The imposter relays information from the customer to the institution, such as any authentication information needed to login, and information from the institution to the customer, such as any prompts or challenges. Once the customer is authenticated, the imposter either disconnects the customer and uses the session to make fraudulent transactions, or conducts the fraud at the same time that the customer performs their legitimate transactions. Imposters can insert themselves into transactions between customers and financial institutions using a number of methods, including phishing attacks and malicious software installed on a customer’s computer. In both cases, customers would believe that they are interacting directly with their bank, when in fact they are interacting indirectly through the imposter.
Long term solutions require not only reliable authentication of the customer, but also reliable authentication of the bank website. If the customer is able to verify that they are interacting directly with a bank’s authentic website and not an imposter, than online risks can be reduced. This is the role that is supposed to be filled by the https web scheme, where Internet traffic is encrypted and transported using Secure Sockets Layer (SSL) or Transport Layer Security (TLS). A key component of SSL/TLS is authentication using security certificates. A certificate authority (CA) verifies that an organization is authentic, using traditional authentication documents and methods, and then creates an electronic certificate that is tied to a particular Internet name (e.g., bankofamerica.com). When a user makes a connection to the bank, they (or their browser software) can consult the certificate to confirm that the website is authentic. If there is any doubt about the authenticity of the certificate, the user (or their browser) can consult the CA to verify that they did issue the certificate and that it is still valid.
HTTPS and SSL can fail in a variety of ways
In theory, https and SSL/TLS can be quite effective in authenticating a banking site. In practice, however, there are a number of ways that the scheme can fail. First, the CA must reliably authenticate an application for a certificate, and there have been notable failures where certificates for well-known organizations were issued to imposters. Also, a verified SSL/TLS certificate only verifies that the user is connected to a registered web site, not the proper web site. Imposters have been known to obtain certificates for sound-alike names (e.g., visa-secure.com) and then to lure people to the false site to collect financial information. In addition, there have been attacks where malicious web code is inserted or combined on a legitimate site (e.g., cross-site scripting), so the certificate is valid even though an imposter is collecting the financial data.
There have been some recent efforts to improve this situation. Extended Validation (EV) certificates represent an effort to improve the authentication of the certificate application. This authentication includes established the legal identity and physical location of the requester, as well as confirming that the request is made by someone in authority. EV certificates are currently only supported in Internet Explorer 7, although other browsers may include support soon. There has been some criticism of the scheme because the certificates are not available to small businesses and organizations, perhaps giving them a disadvantage when competing with large businesses.
User behavior can also be the cause of https failures. The https scheme relies on the user to notice features and warnings displayed in the web browser when they connect to a banking site. To confirm that a site is authentic, users are supposed to check for the https scheme in the address bar and the presence of a padlock icon somewhere in the browser frame. If these features are not present, the user is not supposed to proceed.
Not only do users often not check for these features, but imposters have developed techniques to falsify these features so that the site appears authentic. Recent versions of web browsers (and special security add-ons) have added more salient features, such as turning the address bar yellow for https connections, but authentication still relies on the correct user behavior. The problem is made worse by sites that use the https scheme to only protect form submissions while not securing and authenticating the login page. These sites are using the encryption features of SSL/TLS but not the visible authentication features.
In addition, if a certificate or a CA cannot be verified, browsers display a warning message to the customer. The intent is that the customer will heed the warning and not proceed with the transaction. Again, however, this protection relies on the correct customer behavior and many times the customer will proceed anyway. One reason for proceeding is that customers may have experienced times when legitimate sites have produced certificate warnings, perhaps if a certificate has recently expired or a new CA is not recognized by the browser. Thus, customers may have become accustomed to ignoring the certificate warnings.
Bank of America is using SiteKey for site authentication
Some bank sites are starting to implement other forms of site authentication. In the SiteKey method used by Bank of America, for example, the customer is asked to choose an image and piece of text at registration time. They are instructed to check for that image each time they access their bank account. Logging into the bank becomes a two-step process: in Step 1 the user submits their bank account number (the username), and in Step 2 they are shown their personalized image and text along with a prompt for their password. They are instructed to not enter their password if they do not recognize the image as their own. Since a false bank site won’t know the user’s personalized image and text, the false site will not show the right information and the user will not enter their password.
SiteKey again relies on the bank customers to do the right thing and not proceed when the authentication information is missing. We have already seen that the customers’ behavior cannot be relied upon, so it is likely that methods such as SiteKey will have limited success. SiteKey also does not protect against man-in-the-middle attacks because, if the https scheme fails, the imposter can relay the login information and personalized images between the customer and the bank before hijacking the connection.
Other forms of site authentication are possible. A pre-shared key could be generated by the bank and given to the customer, perhaps on a USB token. When the customer accesses the Internet bank site, they can check the authenticity of the site by checking that the pre-shared key is used properly. The bank could also authenticate the customer by checking the validity of their pre-shared key.
Another method of site authentication is out-of-band communication. Here another channel, such as text-message on a cellular telephone network, is used to authenticate an Internet banking service. When a customer connects to the site, the bank may send a text message to a pre-arranged telephone number. That message might even contain a one-time password, which can be used to enhance the authentication of the customer and reduce offline risks.
All of the authentication methods discussed above rely on the underlying security of the equipment being used. In the case of online banking, this means the customer’s personal computer and the bank’s web server. If the hardware and software is not secure, then the authenticity of any identification and transaction can never be assured.
Spyware can record passwords and banking information
Today, the biggest equipment risks come from malicious software installed on customer’s computers. Because of viruses, worms, and Trojan horse programs, customer’s computers can be infiltrated with a variety of programs, some of which provide methods for identity theft. Spyware is software designed to spy on the activities of the computer user. Often the purpose of spyware is to track Internet usage and display targeted advertising, but other spyware may record keystrokes, passwords, and financial information that can be used for identity theft.
Another common form of malicious software provides the ability for an attacker to remotely control the computer. Once the computer is taken over (often referred to as a zombie computer), it can be used for a variety of tasks including sending spam emails, hosting forged web sites for phishing attacks, and launching attacks on other computers. There is evidence that large groups of zombie computers, often called botnets, are responsible for most of the spam email and phishing attacks.
Keeping a customer’s computer equipment secure is a very difficult task. The customer may not know anything is wrong until their computer or Internet connection runs slower and slower as the computer is kept busy doing nefarious tasks. Anti-virus and anti-spyware programs do protect against known threats, but new attacks appear daily. Once a computer has been infiltrated, it is possible for malicious software to affect any of the processes that are run. This means that even the best authentication methods may be worthless if the customer’s computer has been compromised. Not only can passwords and bank numbers be stolen, but compromised computers can be made to transparently connect to forged web sites or man-in-the-middle proxies to facilitate identity theft.
As a result of these computer risks, there is some interest in developing secure hardware to be used with, or instead of, a personal computer. These devices have to be tamper-proof, and they must support authentication that is independent of the untrustworthy personal computer. One method is to provide the user with a smart card and a reader that is equipped with a small keypad and display. The customer begins a session by inserting their smart card into the reader and entering a PIN on the integrated keypad. During login, the bank site will present a challenge (e.g., a 9-digit number) that the customer enters using the keypad on the reader. The smart card will compute a response based on the customer’s personal key, and show it on the reader’s display. The customer would copy their response into a login form on the bank’s web site to complete the authentication. Since the smart card and reader are not connected to the customer’s computer in anyway, any malicious software on the computer cannot interfere with the authentication process. Of course, such a scheme is not completely effective against online attacks unless it is combined with some form of reliable site authentication.
A similar enhancement to equipment security is happening with bank cards used in ATMs and point-of-sale terminals. Since the current cards provide little protection of the information stored on the magnetic strip, and it is easy to produce forged cards, banks are turning to smart cards that contain microchips. EMV cards, also called “chip and PIN” in the UK, contain a chip that is capable of encryption and authentication functions. The chips and associated cryptographic keys are difficult to reproduce, reducing the chances of forgery. The solution is not fool-proof, however, because if the card is stolen and the PIN fraudulently obtained, perhaps by observation or coercion, than fraud can still take place. Also, to ease the transition to the new equipment, most new cards contain both a chip and the magnetic strip. So, as long as some ATMs only use the magnetic strip, the risk of forged cards still remains.
Risks with Enhanced Authentication
All the enhancements to authentication methods discussed above are welcome because they have the potential to reduce identity theft. There are some risks, however, as the new methods are developed and deployed. Even the most sophisticated authentication methods are not perfect. Cryptographic keys can be broken, smart cards can be compromised, and biometrics can be spoofed. Also, the age-old methods of impersonation and confidence tricks will still allow fraudsters to obtain authentication credentials. And there will still be risks from inappropriate insider activities and institutional data breaches.
Enhanced authentication could lead to new risks
If banks come to trust the new authentication methods beyond appropriate levels, then they run the risk of assuming transactions are legitimate when they may not be. Moreover, they may place the onus on the customer to show that a transaction is fraudulent, rather than the bank showing that the transaction was legitimate. This is a common criticism of the Chip and PIN system in the UK, where there are fears of a liability shift from the banks to the customers when transactions are disputed.
Over reliance on imperfect authentication technology can also lead to less vigilance and increased opportunities for fraud. Imposters can present a new Chip and PIN card, but pretend to forget a PIN and convince a bank or store to fall back to the old system. Or an imposter who can spoof a biometric characteristic, perhaps by creating a false finger, might be authenticated at a bank without having the produce the supporting identity documents that would normally be required.
Biometric identification is also not perfect. There have been important cases of misidentification using biometrics, even in a forensic context where the accuracy is supposed to be higher than automatic biometric devices being introduced for banking. In 2004, for example, the FBI mistakenly arrested Brandon Mayfield in Oregon after his fingerprints were matched “100 percent positive” to prints found at the site of a Madrid bombing. Two weeks later, the FBI admitted their error after Spanish authorities denied that the fingerprints matched and identified another man.
Focus on the Fraud
It should now be clear that authentication has an important role in identity theft, not only as a source of problems but also an opportunity for solutions. Better methods for authenticating customers to their banks, beyond simple usernames and passwords, will reduce the use of fraudulent credentials. Better methods of authenticating banks to their customers will make it harder for imposters to trick customers into revealing their credentials.
It should also be clear, however, that better authentication is not a complete solution. Authentication methods will always be fallible, customer behavior will always be imperfect, and institutions will continue to leak private data. When considering a more complete solution to identity theft, one has to focus on the act of fraud. For this we can turn to a recent essay by Bruce Schneier.
The customer cannot always prevent fraud
Schneier teaches that fraud is an act of deception for personal gain. In identity theft, the fraud involves impersonation, where an imposter claims another identity in order to make some financial transaction. It is important to note the role of the legitimate customer at the time of the impersonation and fraud. By definition, the customer is not present and not involved at the exact time of the fraudulent transaction. The customer may have provided the credentials that were used for the impersonation (perhaps they were a victim of phishing), although the credentials may never have been in their hands (in the case of data breaches). They may have even established the initial connection that is used for the fraud (as in session hijacking during man-in-the-middle attacks), but they are not involved in the actual fraudulent activity. This means that attempts to prevent identity theft that rely on customer authentication technologies are going to have limited success. Customers are not in a position to prevent identity theft at the time it occurs.
It is the banks who are in a position to detect and prevent impersonation and fraud at the time it occurs. The banks are the only ones in a position to check the authenticity of an identity claim at the time the fraud takes place. Which brings us back to cashing, that crucial step in successful identity theft where authentication information is converted into real goods and cash. For online banking, cashing often involves using forged bank cards to withdraw money from ATMs. It might also involved receiving funds from a fraudulent loan, or picking up goods ordered and shipped using a compromised bank accounts. It is this final act of cashing that represents the actual fraud.
Since the final transaction is the ultimate act of fraud, it is also a crucial place for preventing identity theft. Authenticating the transaction might be more important than authenticating the customer or the bank. This is how banks deal with fraud associated with standard credit card transactions today. Instead of emphasizing customer authentication by collecting additional information, or attempting to keep the card number secret, banks usually emphasize protecting the transaction. Banks have developed a variety of predictive analytics to identify likely fraudulent transactions. These techniques involve monitoring credit histories, spending patterns, geographic locations, etc. Transactions can be accepted, declined, or flagged for investigation on the basis of this analysis. There is always a risk of misses and false alarms when attempting to predict and prevent fraud, but the accuracy and effectiveness can be very high.
Credit and debit(check) cards have different risks
The economic context is also such that it is in the bank’s best interest to protect credit card transactions. Most countries have regulations that limit a customer’s liability for credit card fraud to a small amount, often $50, and this amount is often waived in clear fraud cases. Any fraud beyond that amount has to be covered by the bank, so methods to reduce fraud are valuable to them. Banks can also set their interest rates high so they have a steady source of income to cover any fraud that does occur.
The same economic context is not in place, however, for ATM fraud. With debit cards (also called Checkcards and Electronic Fund Transfer cards), a customer’s liability in case of fraudulent use may be as low as $50 or as high as the total amount available in their accounts, including whatever overdraft line of credit is available. The actual liability is determined by the bank’s policies and any delay before the fraud is reported. There are many reports where customers have had a great deal of trouble recovering their money after debit card fraud. This is the same liability risk that has concerned people with the adoption of Chip and PIN cards.
The economic context does not encourage banks to prevent impersonation. If an imposter impersonates another person to establish a credit card, mortgage, or loan, the liability and risk is often borne by the legitimate customer and not the bank. At the least, it can take consumers hundreds of hours and thousands of dollars in legal fees to restore their credit. And a bank is generally not held liable for any of these costs. Without liability, it is in the bank’s interest to easily grant credit without due diligence.
Consider the dozens of pre-approved credit card applications that many of use receive each year. Each one is an opportunity for identity theft, and the banks are motivated by high interest rate returns and limited liability to continue the practice. Just how risky these credit applications are was dramatically demonstrated by Rob Cockerham. Rob took an application for a new MasterCard and tore it into small bits. He then haphazardly taped the pieces together and completed the form. He even chose the option of changing the mailing address for the new card to an address that was not his, and he provided a cell phone number as a contact point. He then sent the application to the bank in the postage-paid envelope they provided.
The torn, taped, and completed credit card application. (http://www.cockeyed.com/citizen/creditcard/application.shtml)
A few weeks later, a new card was delivered to the fraudulent address, and it was easily activated using the cell phone. Because of the authentication practices of this bank, identity theft can be that easy.
What are we to do?
So what are we to do about authentication and identity theft? The new methods being introduced for authenticating users and bank sites are useful and they will have some success. It is not clear how easy multi-factor authentication methods will be to use and whether they will be generally accepted by banking customers. Certainly any method that relies on a card or token runs the risk of high loss rates.
Identity thieves will turn to sophisticated methods
These new authentication methods will not prevent identity theft, even if they do make it harder for a while. Since identity theft is so lucrative, it is likely that fraudsters will quickly move to more sophisticated methods, such as online attacks and malicious software. It is important for adopters of new authentication methods to realize the limitations and not create unrealistic expectations or liabilities. It is also important for customers and regulators to pressure financial institutions to use all appropriate prevention and recovery measures, and this may mean changing the economic incentives.