Information Security News mailing list archives
Electronic Identity Fraud Newsletter - No 14
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 27 Dec 1999 17:49:31 -0700
Forwarded From: Edentifica () aol com

ELECTRONIC IDENTITY FRAUD NEWSLETTER
Volume 2, Issue 10
December 24, 1999

From: e-DENTIFICATION, Inc.
Voice: (717) 859-2430
Fax: (717) 627-5454
Email: Headquarters () e-dentification com
Web Site: www.e-dentification.com

John F. Ellingson, Madison, WI - editor
President of e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com
___________________________________________________________
This newsletter is only sent to subscribers. If you would like to receive or terminate this newsletter email: Subscribe () e-dentification com and say "Subscribe" or "Unsubscribe". Past issues of this newsletter are archived on our web site: www.e-dentification.com
____________________________________________________________

DEVICES DON'T PERPETRATE FRAUD, USERS DO!

Until security is provided at the user interface, there will be no security on the Internet. Users lie and information is unreliable. Without absolute user identity and the ability to identify and deal with false information there can be no real security. As the two articles in this issue and the link to the discussion of the major flaws in PKI abundantly point out, the Internet is not secure. No one's identity and personal information is safe in the digital world.

A little over a year ago, the National Academy of Science published its wonderful report on Trust in Cyberspace. The conclusion of that report was that cyberspace is not trustworthy. Because of the reliance on systems such as PKI, Secure Sockets, encryption, certificating authorities, etc., we have a false sense of security about cyberspace. All of our approaches have been based on a flawed premise. That flawed premise is that end-to-end security ends at the CPU. Securing information and transmissions from device to device is a good thing to do, but it does not provide much security. The key element in the information infrastructure is the user.

To be meaningful, security must be end-to-end and the "ends" must be the users. We have finessed this issue by saying it is the user's problem to address this issue, not the system designer's. I had an engineer dismiss user security as a "wet brained" problem, beyond an engineering solution. The approach that does not include the users has demonstrated its vulnerability, and that vulnerability will only increase as the Internet and electronic commerce grow and become a more attractive target for fraud and abuse.

The maturation of biometric technology can provide a partial solution to the user problem. However, as currently conceived, the approach to the use of biometrics also finesses the same problem of user identity in the same way. There isn't a single biometric technology that can identify anyone. Even the best biometric, DNA, cannot by itself identify anyone. What biometrics can do is provide a valid means of comparing one identity with another with a high level of certainty. The essential element that is missing from our system design criteria is providing a trusted means of enrolling users in the system for biometric verification. This is the point where we still fudge the solution. We currently push the responsibility for secure enrollment off on to the users, whom we don't know can be trusted and have no way of knowing if they are trustworthy. Without this, biometrics may be more dangerous than what is currently in place. What is required to provide a user-to-user/end-to-end solution is a means of providing absolutely reliable enrollment in the system without having to rely on those enrolling being trustworthy. This trusted enrollment process is just around the corner. Those interested in pursuing this concept are invited to contact me.

The warmest of holiday wishes and best wishes for the new year and.

John Ellingson - Editor
Email: ellingson () e-dentification com

NEWS ITEM

CREDIT CARD SCAM TARGETS MILITARY

WASHINGTON (AP) - 12/8/99

Pentagon officials said Wednesday that the Secret Service has jurisdiction and has taken the lead in an investigation regarding hundreds of military officers who have become victims of credit card fraud.

"It's something the Defense Department has been concerned about for some time," Pentagon spokesman Bryan Whitman said after reports that one Web site listed the names and Social Security numbers of 4,500 military officers. The information was culled from the pages of the Congressional Record.

"Criminals posing as the officers have used the SSNs (Social Security numbers) to obtain credit cards in the officers' names," according to a Marine Corps internal memo on Dec. 2. "Then criminals use the cards to make fraudulent purchases and to receive cash advances," mostly in amounts lower than $1,000. Pentagon officials said most of the credit cards and monthly statements were sent to postal boxes.

Two of the high ranking officers whose identities were stolen for purposes of credit card fraud were retired Army Gen. John Shalikashvili, former chairman of the Joint Chiefs of Staff, and Army Gen. John Tilelli, commander of U.S. forces in Korea, according to Pentagon officials.

The Marine Corps memo alerts its officers to the possibility that their identities may have been stolen and urges them to contact the fraud units of the three major credit bureaus. The memo states that the First USA Bank in Wilmington, Del., "has been the principal bank defrauded in this scheme due to its issuance of credit cards and is keenly aware of the problem," and has waived the $50 limit on fraudulent charges, set by federal law, for victims of these crimes.

NEWS ITEM

NOVELL'S CHAIRMAN/CEO, VICTIM OF INTERNET IDENTITY THEFT

12/2/99 - Novell's Chairman and CEO Eric Schmidt has firsthand experience regarding the problem of Internet identity fraud.

Speaking at San Francisco's Digital Economy conference, Schmidt informed the crowd that in the past, his credit card number had been stolen over the Internet. Although he isn't sure exactly how his card number was lifted, Schmidt says he believes it was through a mechanism that reads the cookie files sitting on a user's desktop and storing personal information, such as passwords and preferences.

"Cookies are one of the biggest disasters for computers in the past [several] years," says Schmidt, citing the lack of security and the blatant breach of consumer privacy. "Cookies are a great idea, [but] they are just stored in the wrong place," says Schmidt.

Schmidt is trying to rectify this problem with his company's new "digitalme" online identification-management service. Based on Novell Directory Services technology, "digitalme" is aiming to store and consolidate a user's multiple passwords, address books, favorite lists and purchasing preferences.

NEWS ITEM

I highly recommend that you read the following news item:

TEN RISKS OF PKI: WHAT YOU'RE NOT BEING TOLD ABOUT PUBLIC KEY INFRASTRUCTURE ~ by Carl M. Ellison, Senior Security Architect for Intel Corporation, and Bruce Schneier, author of the Blowfish and Twofish encryption algorithms.

You may find this news story at the Counterpane web site: http://www.counterpane.com/pki-risks-ft.txt

ISN is sponsored by Security-Focus.COM