Information Security News mailing list archives

Electronic Identity Fraud Newsletter - No 14


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Mon, 27 Dec 1999 17:49:31 -0700

Forwarded From: Edentifica () aol com

ELECTRONIC
IDENTITY FRAUD
NEWSLETTER

Volume 2, Issue 10
December 24, 1999

From:        e-DENTIFICATION, Inc.
Voice:       (717) 859-2430
Fax:          (717) 627-5454
Email:       Headquarters () e-dentification com
Web Site: www.e-dentification.com

John F. Ellingson, Madison, WI - editor
President of e-DENTIFICATION, Inc.
Email Address: ellingson () e-dentification com
___________________________________________________________

This newsletter is only sent to subscribers. If you would like to receive or
terminate this newsletter email: Subscribe () e-dentification com and say
"Subscribe" or "Unsubscribe". Past issues of this newsletter are archived on
our web site: www.e-dentification.com
____________________________________________________________

DEVICES DON'T PERPETRATE FRAUD, USERS DO!

Until security is provided at the user interface, there will be no security
on the Internet. Users lie and information is unreliable. Without absolute
user identity and the ability to identify and deal with false information
there can be no real security.

As the two articles in this issue and the link to the discussion of the major
flaws in PKI abundantly point out, the Internet is not secure. No one's
identity and personal information is safe in the digital world. A little over
a year ago, the National Academy of Science published its wonderful report on
Trust in Cyberspace. The conclusion of that report was that cyberspace is not
trustworthy.

Because of the reliance on systems such as PKI, Secure Sockets, encryption,
certificating authorities, etc., we have a false sense of security about
cyberspace.  All of our approaches have been based on a flawed premise. That
flawed premise is that end-to-end security ends at the CPU. Securing
information and transmissions from device to device is a good thing to do,
but it does not provide much security.  The key element in the information
infrastructure is the user. To be meaningful, security must be end-to-end and
the "ends" must be the users.  We have finessed this issue by saying it is
the user's problem to address, not the system designers'. I had an
engineer dismiss user security as a "wet brained" problem, beyond an
engineering solution.

The approach that does not include the users has demonstrated its
vulnerability, and that vulnerability will only increase as the Internet and
electronic commerce grow and become a more attractive target for fraud and
abuse.

The maturation of biometric technology can provide a partial solution to the
user problem. However, as currently conceived, the approach to the use of
biometrics also finesses the same problem of user identity in the same way.

There isn't a single biometric technology that can identify anyone. Even the
best biometric, DNA, cannot by itself identify anyone. What biometrics can do
is provide a valid means of comparing one identity with another with a high
level of certainty.

The essential element that is missing from our system design criteria is
providing a trusted means of enrolling users in the system for biometric
verification. This is the point where we still fudge the solution. We
currently push the responsibility for secure enrollment off on to the users,
whom we don't know can be trusted and have no way of knowing if they are
trustworthy. Without this, biometrics may be more dangerous than what is
currently in place.

What is required to provide a user-to-user/end-to-end solution is a means of
providing absolutely reliable enrollment in the system without having to rely
on those enrolling being trustworthy. This trusted enrollment process is just
around the corner. Those interested in pursuing this concept are invited to
contact me.

The warmest of holiday wishes and best wishes for the new year.

John Ellingson - Editor
Email: ellingson () e-dentification com


NEWS ITEM

CREDIT CARD SCAM TARGETS MILITARY

WASHINGTON (AP) - 12/8/99 Pentagon officials said Wednesday that the Secret
Service has jurisdiction and has taken the lead in an investigation regarding
hundreds of military officers who have become victims of credit card fraud.

"It's something the Defense Department has been concerned about for some
time," Pentagon spokesman Bryan Whitman said after reports that one Web site
listed the names and Social Security numbers of 4,500 military officers. The
information was culled from the pages of the Congressional Record.

"Criminals posing as the officers have used the SSNs (Social Security
numbers) to obtain credit cards in the officers' names," according to a
Marine Corps internal memo on Dec. 2. "Then criminals use the cards to make
fraudulent purchases and to receive cash advances," mostly in amounts lower
than $1,000. Pentagon officials said most of the credit cards and monthly
statements were sent to postal boxes.

Two of the high ranking officers whose identities were stolen for purposes of
credit card fraud were retired Army Gen. John Shalikashvili, former chairman
of the Joint Chiefs of Staff, and Army Gen. John Tilelli, commander of U.S.
forces in Korea, according to Pentagon officials.

The Marine Corps memo alerts its officers to the possibility that their
identities may have been stolen and urges them to contact the fraud units of
the three major credit bureaus. The memo states that the First USA Bank in
Wilmington, Del., "has been the principal bank defrauded in this scheme due
to its issuance of credit cards and is keenly aware of the problem,'' and has
waived the $50 limit on fraudulent charges, set by federal law, for victims
of these crimes.

NEWS ITEM

NOVELL'S CHAIRMAN/CEO, VICTIM OF INTERNET IDENTITY THEFT

12/2/99 - Novell's Chairman and CEO Eric Schmidt has firsthand experience
with the problem of Internet identity fraud. Speaking at San Francisco's
Digital Economy conference, Schmidt informed the crowd that in the past his
credit card number had been stolen over the Internet.

Although he isn't sure exactly how his card number was lifted, Schmidt says
he believes it was through a mechanism that reads the cookie files sitting
on a user's desktop and storing personal information, such as passwords and
preferences.

"Cookies are one of the biggest disasters for computers in the past [several]
years," says Schmidt, citing the lack of security and the blatant breach of
consumer privacy.

"Cookies are a great idea, [but] they are just stored in the wrong place,"
says Schmidt. Schmidt is trying to rectify this problem with his company's
new "digitalme" online identification-management service. Based on Novell
Directory Services technology, "digitalme" is aiming to store and consolidate
a user's multiple passwords, address books, favorite lists and purchasing
preferences.

NEWS ITEM

I highly recommend that you read the following news item:

TEN RISKS OF PKI: WHAT YOU'RE NOT BEING TOLD ABOUT PUBLIC KEY INFRASTRUCTURE

by Carl M. Ellison, Senior Security Architect for Intel Corporation, and Bruce
Schneier, author of the Blowfish and Twofish encryption algorithms.

You may find this paper at the Counterpane web site:
http://www.counterpane.com/pki-risks-ft.txt

ISN is sponsored by Security-Focus.COM