NEW THREATS AND COUNTERMEASURES Identity Theft and Unauthorized Profiling vs Identity Management

Transcription

1 NEW THREATS AND COUNTERMEASURES Identity Theft and Unauthorized Profiling vs Identity Management, Ernesto Damiani (joint work with Marco Cremonini, Sabrina De Capitani di Vimercati, Pierangela Samarati) Università degli Studi di Milano Dipartimento di Tecnologie dell'informazione Crema (CR) Firenze, 19 Maggio 2005

2 Types of Cyber Crime Security Threats and Violations Access Control Violations Integrity/ Privacy Violations Fraud/ Identity Theft Sabotage Denial of Service/ Infrastructure Attacks Confidentiality Authentication Nonrepudiation Violations 2

3 Identity Theft Generic Definition Identity theft is a crime in which an impostor obtains key pieces of personal information in order to impersonate someone else. Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain. 3

4 Identity Theft Legal Definitions The Identity Theft and Assumption Deterrence Act of 1998 (Identity Theft Act) was passed to address the problem of Identity Theft. This act (codified at 18 U.S.C. 1028) makes it a federal crime when anyone. Knowingly transfers or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable state or local law European Union: the EU (European Union) Privacy Directive and EU Electronic Commerce Policy Safe Harbor Provisions 4

5 Identity Theft Statistics In 1995, 8806 financial crimes investigation cases were related to identity theft. In 1996 there were 8686 cases 1997 there were 9455 cases. In 2002, an estimated 500,000 to 700,000 people were victimized by identity theft U.S. statistics showing ID-theft losses are growing 20 percent a year Source: Janine Benner, Beth Givens, and Ed Mierzwinski, < The Federal Trade Commission says, 6 percent of the 86,168 people who reported identity theft to the agency said a family member was responsible. 5

6 Identity Theft Cost In 2002, The General Accounting Office (GAO) released the second edition of a report to Congressional requesters entitled, "Identity Fraud: Information on Prevalence, Cost, and Internet Impact is Limited." The report noted that the Secret Service quantified identity theft losses to individuals and financial institutions at $442 million in fiscal year 1995, $450 million in fiscal year 1996, and $745 million in fiscal year This involved only those cases of financial crime that the Secret Service itself had tracked. MasterCard stated that dollar losses related to identity theft fraud represent 96% of member banks' overall fraud losses of $407 million in Also in 2001, U.S. fraud losses of VISA member banks totaled $490 million or about 0.1% of billing transactions. 6

7 Interesting Scams In 2002, the FBI has arrested Philip Cummings, who is alleged to have started the scam while he worked on the help desk at Teledata Communications Inc. (TCI), a company in Bay Shore, N.Y., that provides banks and other entities with computerized access to consumer credit reports from the three commercial credit history bureaus -- Equifax Inc., Experian Information Solutions Inc. and Trans Union LLC. Federal investigators have charged three men they say were involved in a massive identity theft scheme that spanned three years, involved more than 30,000 victims and, so far, has resulted in more than $2.7 million in losses. 7

8 Interesting Scams - continued FTD.COM Leaks Credit Card Numbers to the Internet. Source: Gerald Quakenbush, BugTraq Identity Thieves Strike e-bay. Source: Paul Festa Staff Writer, CNET News.com November 22, 2002 Identity Theft Targeted H&R Block Customers Source: AP Newswire, November 4, 2002 Latest ID Theft Scam: Fake Job Listings Source: Saturday, March 1, 2003 TriWest Healthcare Alliance Corp Broke Into And Record Stolen Source: Dennis Wagner,The Arizona Republic, Jan. 1,

9 Id Theft Categories Account takeover identity theft The impostor uses personal information to gain access to the person's existing accounts Example: credit card fraud; cell phone fraud A real life story True name and account takeover True name identity theft means that the thief uses personal information to open new accounts. Example: opening new credit card account; opening a new checking account A real life nightmare 9

10 Identity Theft Management Need for secure identity management Ease the burden of managing numerous identities Prevent misuse of identity: preventing identity theft Techniques for preventing identity thefts include Access control, Encryption, Digital Signatures A merchant encrypts the data and signs with the public key of the recipient Recipient decrypts with his private key 10

11 Platform for Privacy Preferences (P3P): What is it? P3P is an emerging industry standard that enables web sites t9o express their privacy practices in a standard format The format of the policies can be automatically retrieved and understood by user agents It is a product of W3C; World wide web consortium When a user enters a web site, the privacy policies of the web site is conveyed to the user If the privacy policies are different from user preferences, the user is notified User can then decide how to proceed 11

12 What To Do Social Engineering 12

13 Things To Look For At Work Information security procedures in your workplace. Process to screen employees who have access to personal information. Keep all personal information in locked files, and establish secure procedures for data services. Limit use of personal identifiers. Encrypt all personal and confidential information on computers. Secure methods for disposing of personal information 3rd party to carryout privacy audits/investigations that gauge how vulnerable records are to theft Supply employees with a yearly credit check as a benefit of employment 13

14 Risorse Web - U.S. government's central website for information about identity theft. - Official Website of the Social Security Administration - Privacy Rights Clearinghouse - Identity Theft Resource Center 14

15 What To Do Technological perspective 15

16 Digital Identity Management Digital identity is the identity that a user has to access an electronic resource A person could have multiple identities A physician could have an identity to access medical resources and another to access his bank accounts Digital identity management is about managing the multiple identities Manage databases that store and retrieve identities Resolve conflicts and heterogeneity Make associations Provide security 16

17 Digital Identity Management - II Federated Identity Management Corporations work with each other across organizational boundaries with the concept of federated identity Each corporation has its own identity and may belong to multiple federations Individual identity management within an organization and federated identity management across organizations Technologies for identity management Database management, data mining, ontology management, federated computing MORE LATER 17

18 RFID -- radio frequency identification RFID tags are miniscule microchips the size of grain of sand Retailers adore the concept: RFID tags in clothing and other products Networked RFID readers RFID can be tag with credit card you used to buy it and recognizes you by name Disabled at the cash register only if the consumer chooses to "opt out" and asks for the tags to be turned off. " 18

19 Biometrics Early Identication and Authentication (I&A) systems, were based on passwords Recently physical characteristics of a person are being sued for identification Fingerprinting Facial features Iris scans Blood circulation Facial expressions Biometrics techniques will provide access not only to computers but also to building and homes Other Applications 19

20 Biometric Technologies Pattern recognition Machine learning Statistical reasoning Multimedia/Image processing and management Managing biometric databases Information retrieval Pattern matching Searching Ontology management Data mining 20

21 Secure Biometrics Biometrics systems have to be secure Need to study the attacks for biometrics systems Facial features may be modified: E.g., One can access by inserting another person s features Attacks on biometric databases is a major concern Challenge is to develop a secure biometric systems Policy, Model, Architecture Need to maintain privacy of the individuals as appropriate 21

22 Negotiated Access Control-1 Negotiated AC differs from traditional identity-based access control in the following aspects: Trust between two strangers (requestor and service provider) is established based on parties properties Proven through negotiated disclosure of digital credentials or zero-knowledge proofs. Every party can define release policies to protect sensitive resources. Resources can include services accessible over the Internet, RBAC roles credentials, policies, and capabilities in capability-based systems. 22

23 Negotiated Access Control-2 Policies describe what properties each party must demonstrate (e.g., ownership of a driver s license issued by an EU country) in order to gain access to a resource. The parties negotiate directly without involving trusted third parties, other than credential issuers. Since both parties have policies, peer-to-peer negotiation is appropriate for Web Services on the Open Web. Instead of carrying out a one-shot authorization and authentication process, trust is established incrementally through a sequence of bilateral credential disclosure. 23

24 Negotiation protocol A negotiation process is triggered when one party requests to access a resource owned by another party. E.g., a remote requestor tries to access a Web-based service. The goal of a negotiation between a requestor and a service provider resp. holding policies P r and P s is: Finding a sequence of resources (C 1.x,...,C k.x,s s ) (C i.x : credential belonging to party x, S: service), such that when credential C i.x is disclosed, its release policy has been satisfied by credentials disclosed earlier in the sequence. E.g. C 2.s is released iff policy P s includes a rule like disclose C 2.s if C 1.r has been provided by requestor ). The use of release policies together with a negotiation process seems to be the most promising approach to providing privacy-aware access to services on the Open Web. 24

25 Privacy Issues Privacy issues PKI does not provide a comprehensive solution for avoiding unauthorized disclosure of personal information. Digital Identity Management System (privacy-aware) New solutions (management of partial identity) with support of privacy related features: privacy, minimal disclosure, anonymity support, legislation support. 25

26 Nyms and Partial Identities Digital Identity Nyms Partial Identities Non-disjoint concepts. Nyms give users different identities to use when interacting with other parties in different environments. Behind a nym, strong authentication tools such as tokens, smart cards, digital certificates, or biometrics associate individuals with their true digital identities. 26

27 Partial Identities Partial identities are any subset of the properties associated with users (such as name, age, credit-card number, or employment) that the user can select for interacting with other parties. A partial identity can be named or unnamed, which means it might or might not be related to the user s true identity. 27

28 Partial Identities Examples of partial identities. Each dashed line delimits a subset of the user s attributes that can be used as a partial identity when interacting with a party such as an airline or a car rental company. 28

29 Multiple and Dependable Digital Identity (MDDI) : Requirements Reliability and dependability Protect users against forgery and related attacks while also guaranteeing to other parties (such as suppliers and brokers in an ebusiness transaction) that the users can meet transaction-related obligations. Controlled information disclosure Users must have control over which identity to use in specific circumstances, as well as over its secondary use and the possible replication of any identity information revealed in a transaction. Mobility support The mobile computing infrastructure must be able to take into account its own peculiarities (such as limited bandwidth and display size) to apply MDDI technology successfully. 29

30 MDDI System Design Issues Multiple and dependable digital identity (MDDI) system design issues.the shaded boxes represent the main categories of problems and the clear boxes the specific issues to be addressed. 30

31 Identities Life Cycle Management Open issues: Provisioning: users must be given the ability to efficiently obtain/create identities. Revocation: Identities may become obsolete and not applicable anymore. Profile management: users must be given the ability to manage their own identity information. Prevention of identity proliferation: impose soft/hard limit on the number of identities that can be associated with a single individual. 31

32 Digital Identities Representation Ontology: domain ontology, task ontology. Need to allow for sound reasoning about the identity equivalence and trust propagation. Identity interoperability and portability: Identity must be provided in a common interchange format. The identity management service must support extensible mapping between identities. Identity extensibility: Unlimited number of attributes that may be associated with an identity. 32

33 Cross-domain Identity Communication Federated identity management support: need to investigate techniques for identity composition and interchange. Challenge is to balance complete retrieval with privacy. Distributed profile management: retrieval of different chunks of identity information. Distributed update support: Distribution of profile information and update support. 33

34 Controlled Dissemination Privacy and secondary usage control: identity attributes should be enriched with privacy preferences. Current languages are still in their infancy. Negotiation protocols (e.g., avoid cases when identity is released and no service is given in return). Linkability control between transactions and different information releases. 34

35 Trust management Control on single sign-on identity disclosure: SSO approaches delegate to the infrastructure all decisions on identity communication. Solutions are needed enabling users to retain some control on such disclosure. Trust models to determine under which conditions a party can trust others for their security and privacy. E.g., reputation models. Support of trust levels for instance non-sensitive information can be provided directly by the user, while for others certificates may be needed. 35

36 The PRIME Project Objective of the project PRIME focuses on solutions for privacy-enhancing identity management that supports end-users sovereignty over their private sphere and enterprises privacy-compliant data. Main features: anonymity and end-user control flexible and expressive access control rules client side restrictions 36

37 Model and Format Privacy-aware access control model New privacy-aware access control model together with an access control protocol for the communication of policies and of identity information among parties. Profiles and Ontologies Profiles associated with subjects and objects define the name and value of some properties that characterize the subjects and objects. Ontologies (Subject and Object) contain terms that can be used to make generic assertions on subjects and objects. 37

38 Privacy Policies Access control policies. They govern access to data/services managed by the user/server-side party (as in traditional access control). Release policies. They govern release of properties/credentials/pii of the party and specify under which conditions they can be disclosed. Data handling policies. Specified by the user that decide how his/her personal information must be managed by the counterpart (also called Sticky policies). Sanitized policies. They provide filtering functionalities on the response to be returned to the counterpart to avoid release of sensitive information related to the policy itself. The first version of the language (Feb. 05), integrated in PRIME Prototype V1, deals with access control and release policies only. 38

39 Access Request Each request is characterized by: the Subject that makes the request, defined as a pair: User: identifier of the human entity (possible anonymous) that connected to the system and submitted the request. Purpose: reason for which data are being requested and will be used (e.g., Commercial, Teaching, Research, etc.). the Action that is being requested (e.g., read, write, download). the Object on which the subject wishes to perform the action. 39

40 Access Request: Examples <tom.smith,research>, read, object1 user tom.smith requires to read object1 for research purposes. <john.doe, _>, read, object1 user john.doe with undeclared purpose requires to read object1. <_,_,>, browse, object5 an anonymous user with undeclared purpose requires to browse object5. 40

41 Subject and Object Information Each party's portfolio contains properties that the party can use to gain (or offer) services: data declarations: statements issued by the party. credentials: statements issued and signed (i.e., certified) by authorities trusted for making the statements. To refer to specific data in a credential we introduce the concept of credential term. A credential term is an expression of the form credential name(predicate list) Users and Objects can be grouped into groups. Ontologies represent relationships (part-of and is-a) among attributes and credentials to establish what credentials can be provided to fulfill a declaration or credential request. 41

42 Basic elements of the language-1 A predicate declaration where the argument is a list of predicates of the form predicate name(arguments); A binary predicate credential where the first argument is a credential term and the second argument is a public key term. Intuitively, a ground atom credential(c;k) is evaluated to true if and only if there exists a credential c verifiable with public key K. A set of standard built-in mathematic predicates, such as equal(), greater_than(), less_than(), and so on. 42

43 Basic elements of the language-2 A set of location-based predicates of the form predicate name(arguments); A set of trusted-based predicates of the form predicate name(arguments); A set of non predefined predicates that evaluate information stored at the site. 43

44 Obligation An obligation establishes how a released personal data must be managed by the counterpart. Obligations are associated to release policies and linked to released data. Types of obligations: Transactional Obligation: to be immediately enforced (e.g. delete PII data as soon as the transaction is over) Data Retention and Handling Obligation: driven by timebased or specific events (e.g. delete PII data after x days from the reception, or delete PII data after 3 accesses) 44

45 Access Control rules - 1 subject WITH subject-expression CAN action FOR purpose ON object WITH object-expression IF conditions FOLLOW obligations An access is granted if there is satisfaction of at least one of the AC rules that apply to the given request. Rule structure: subject identifies the subject to which the rule refers. subject-expression is an expression defining conditions on the subject that must be evaluated on the subject's portfolio (declarations and credentials); 45

46 Access Control rules - 2 subject WITH subject-expression CAN action FOR purpose ON object WITH object-expression IF conditions FOLLOW obligations action is the action to which the rule refers (e.g., read, write, etc.). purpose is the purpose to which the rule refers and represents how the data is going to be used by the recipient. object identifies the object to which the rule refers. object-expression is an expression defining conditions on the object that must be evaluated on object's data (stored in DB or other repositories). 46

47 Access Control rules - 3 subject WITH subject-expression CAN action FOR purpose ON object WITH object-expression IF conditions FOLLOW obligations conditions is a boolean expression of generic conditions that an access request to which the rule applies has to satisfy. For instance, trust properties, or the user's consent to disclose. obligations is a boolean expression of obligations that the server must follow when manage the information/data/pii. E.g., all accesses against a certain type of data for a given purpose must be logged. 47

48 Examples of rules - 1 A registered user who works as a doctor, can read for research the patientxxx-data with the agreement of the patient. registeredusers WITH declaration(equal(user.work, "doctor")) CAN read FOR research ON patientxxx-data with declaration(equal(object.patient_agreement, yes)) IF no-condition FOLLOW no-obligation 48

49 Examples of rules 2 Anybody with age>18 can book two seat for the movie "Full Metal Jacket" giving a credit card and accepting a contract. Server must delete credit card after the end of transaction. Anonymous WITH declaration(greater than(user.age,18)) CAN book FOR no-purpose ON movie with declaration(equal(object.title, "Full Metal Jacket")) IF sign_contract() and credential(credit_card, K) FOLLOW delete(credit_card) 49

50 Open problems Policy correctness Unfortunately, real-world policies tend to be very complex. Policy errors could allow outsiders to gain inappropriate access to services, possibly inflicting huge and costly damages. Leakage in automated negotiation Very specific policies may leak information about what we want to protect. Malicious services may try to get information which is not relevant to the resource the requestor needs to access. 50

51 Conclusions Identity: a central concept in the e- infrastructure Identity theft/misuse and unauthorized profiligs: two major security threats Identity management: a key technology for securing the global infrastructure 51