identity

Getting past security on planes

From Bruce Schneier’s Crypto-Gram of 15 August 2003:

It’s actually easy to fly on someone else’s ticket. Here’s how: First, have an upstanding citizen buy an e-ticket. (This also works if you steal someone’s identity or credit card.) Second, on the morning of the flight print the boarding pass at home. (Most airlines now offer this convenient feature.) Third, change the name on the e-ticket boarding pass you print out at home to your own. (You can do this with any half-way decent graphics software package.) Fourth, go to the airport, go through security, and get on the airplane.

You can even make a knife on board the plane. Buy some steel epoxy glue at a local hardware store. It comes in two tubes: a base with steel dust and a hardener. Make a knifelike mold by folding a piece of cardboard in half. Then mix equal parts from each tube and form into a knife shape, using a metal fork from your first-class dinner service (or a metal spoon you carry aboard) for the handle. Fifteen minutes later you’ve got a reasonably sharp, very pointy, black steel knife.

A nanny’s man-in-the-middle attack

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

Here’s a story of a woman who posts an ad requesting a nanny. When a potential nanny responds, she asks for references for a background check. Then she places another ad, using the reference material as a fake identity. She gets a job with the good references—they’re real, although for another person—and then robs the family who hires her. And then she repeats the process.

Look what’s going on here. She inserts herself in the middle of a communication between the real nanny and the real employer, pretending to be one to the other. The nanny sends her references to someone she assumes to be a potential employer, not realizing that it is a criminal. The employer receives the references and checks them, not realizing that they don’t actually belong to the person who is sending them.

Problems with ID cards

From Bruce Schneier’s Crypto-Gram of 15 April 2004:

My argument may not be obvious, but it’s not hard to follow, either. It centers around the notion that security must be evaluated not based on how it works, but on how it fails.

It doesn’t really matter how well an ID card works when used by the hundreds of millions of honest people that would carry it. What matters is how the system might fail when used by someone intent on subverting that system: how it fails naturally, how it can be made to fail, and how failures might be exploited.

The first problem is the card itself. No matter how unforgeable we make it, it will be forged. And even worse, people will get legitimate cards in fraudulent names. …

Not that there would ever be such a thing as a single ID card. Currently about 20 percent of all identity documents are lost per year. An entirely separate security system would have to be developed for people who lost their card, a system that itself is capable of abuse. …

But the main problem with any ID system is that it requires the existence of a database. In this case it would have to be an immense database of private and sensitive information on every American—one widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.

The security risks are enormous. Such a database would be a kludge of existing databases; databases that are incompatible, full of erroneous data, and unreliable. …

What good would it have been to know the names of Timothy McVeigh, the Unabomber, or the DC snipers before they were arrested? Palestinian suicide bombers generally have no history of terrorism. The goal here is to know someone’s intentions, and their identity has very little to do with that.

Refusing a technology defines you

From Sander Duivestein’s “Penny Thoughts on the Technium” (The Technium: 1 December 2009):

I’m interested in how people personally decide to refuse a technology. I’m interested in that process, because I think that will happen more and more as the number of technologies keeps increasing. The only way we can sort our identity is by not using technology. It used to be that you define yourself by what you use; now you define yourself by what you don’t use. So I’m interested in that process.

Social networking and “friendship”

From danah boyd’s “Friends, Friendsters, and MySpace Top 8: Writing Community Into Being on Social Network Sites” (First Monday: December 2006):

John’s reference to “gateway Friends” concerns a specific technological affordance unique to Friendster. Because the company felt it would make the site more intimate, Friendster limits users from surfing to Profiles beyond four degrees (Friends of Friends of Friends of Friends). When people log in, they can see how many Profiles are “in their network,” where the network is defined by the four degrees. For users seeking to meet new people, growing this number matters. For those who wanted it to be intimate, keeping the number smaller was more important. In either case, the number of people in one’s network was perceived as directly related to the number of friends one had.

“I am happy with the number of friends I have. I can access over 26,000 profiles, which is enough for me!” — Abby

The number of Friends one has definitely affects the size of one’s network but connecting to Collectors plays a much more significant role. Because these “gateway friends” (a.k.a. social network hubs) have lots of Friends who are not connected to each other, they expand the network pretty rapidly. Thus, connecting to Collectors or connecting to people who connect to Collectors opens you up to a large network rather quickly.

While Collectors could be anyone interested in amassing many Friends, fake Profiles were developed to aid in this process. These Fakesters included characters, celebrities, objects, icons, institutions, and ideas. For example, Homer Simpson had a Profile alongside Jesus and Brown University. By connecting people with shared interests or affiliations, Fakesters supported networking between like-minded individuals. Because play and connecting were primary incentives for many Fakesters, they welcomed any and all Friends. Likewise, people who wanted access to more people connected to Fakesters. Fakesters helped centralize the network and two Fakesters — Burning Man and Ali G — reached mass popularity with over 10,000 Friends each before the Web site’s creators put an end to their collecting and deleted both accounts. This began the deletion of all Fakesters in what was eventually termed the Fakester Genocide [8].

While Friendster was irritated by fake Profiles, MySpace embraced this practice. One of MySpace’s early strategies was to provide a place for everyone who was rejected from Friendster or who didn’t want to be on a dating site [9]. Bands who had been kicked off of Friendster were some of the earliest MySpace users. Over time, movie stars, politicians, porn divas, comedians, and other celebrities joined the fray. Often, the person behind these Profiles was not the celebrity but a manager. Corporations began creating Profiles for their products and brands. While Friendster eventually began allowing such fake Profiles for a fee, MySpace never charged people for their commercial uses.

Investigating Friendship in LiveJournal, Kate Raynes-Goldie and Fono (2005) found that there was tremendous inconsistency in why people Friended others. They primarily found that Friendship stood for: content, offline facilitator, online community, trust, courtesy, declaration, or nothing. When I asked participants about their practices on Friendster and MySpace, I found very similar incentives. The most common reasons for Friendship that I heard from users [11] were:

1. Actual friends
2. Acquaintances, family members, colleagues
3. It would be socially inappropriate to say no because you know them
4. Having lots of Friends makes you look popular
5. It’s a way of indicating that you are a fan (of that person, band, product, etc.)
6. Your list of Friends reveals who you are
7. Their Profile is cool so being Friends makes you look cool
8. Collecting Friends lets you see more people (Friendster)
9. It’s the only way to see a private Profile (MySpace)
10. Being Friends lets you see someone’s bulletins and their Friends-only blog posts (MySpace)
11. You want them to see your bulletins, private Profile, private blog (MySpace)
12. You can use your Friends list to find someone later
13. It’s easier to say yes than no

These incentives account for a variety of different connections. While the first three reasons all concern people that you know, the rest can explain why people connect to a lot of people that they do not know. Most reveal how technical affordances affect people’s incentives to connect.

Raynes-Goldie and Fono (2005) also found that there is a great deal of social anxiety and drama provoked by Friending in LiveJournal (LJ). In LJ, Friendship does not require reciprocity. Anyone can list anyone else as a Friend; this articulation is public but there is no notification. The value of Friendship on LJ is deeply connected to the privacy settings and subscription processes. The norm on LJ is to read others’ entries through a “Friends page.” This page is an aggregation of all of an individual’s Friends’ posts. When someone posts an LJ entry, they have a choice as to whether the post should be public, private, Friends-only, or available to subgroups of Friends. In this way, it is necessary to be someone’s Friend to have access to Friends-only posts. To locate how the multiple and conflicting views of Friendship cause tremendous conflict and misunderstanding on LJ, Raynes-Goldie and Fono speak of “hyperfriending.” This process is quite similar to what takes place on other social network sites, but there are some differences. Because Friends-only posts are commonplace, not being someone’s Friend is a huge limitation to information access. Furthermore, because reciprocity is not structurally required, there’s a much greater social weight to recognizing someone’s Friendship and reciprocating intentionally. On MySpace and Friendster, there is little to lose by being loose with Friendship and more to gain; the perception is that there is much more to lose on LJ.

While users can scroll through their list of Friends, not all Friends are displayed on the participant’s Profile. Most social network sites display Friends in the order in which their account was created or their last login date. By implementing a “Top 8” feature, MySpace changed the social dynamics around the ordering of Friends. Initially, “Top 8” allowed users to select eight Friends to display on their Profile. More recently, that feature was changed to “Top Friends” as users have more options in how many people they could list [12]. Many users will only list people that they know and celebrities that they admire in their Top Friends, often as a way to both demarcate their identity and signal meaningful relationships with others.

There are many advantages to the Top Friends feature. It allows people to show connections that really say something about who they are. It also serves as a bookmark to the people that matter. By choosing to list the people who one visits the most frequently, simply going to one’s Profile provides a set of valuable links.

“As a kid, you used your birthday party guest list as leverage on the playground. ‘If you let me play I’ll invite you to my birthday party.’ Then, as you grew up and got your own phone, it was all about someone being on your speed dial. Well today it’s the MySpace Top 8. It’s the new dangling carrot for gaining superficial acceptance. Taking someone off your Top 8 is your new passive aggressive power play when someone pisses you off.” — Nadine

There are a handful of social norms that pervade Top 8 culture. Often, the person in the upper left (“1st” position) is a significant other, dear friend, or close family member. Reciprocity is another salient component of Top Friends dynamics. If Susan lists Mary on her Top 8, she expects Mary to reciprocate. To acknowledge this, Mary adds a Comment to Susan’s page saying, “Thanx for puttin me on ur Top 8! I put you on mine 2.” By publicly acknowledging this addition, Mary is making certain Susan’s viewers recognize Mary’s status on Susan’s list. Of course, just being in someone’s list is not always enough. As Samantha explains, “Friends get into fights because they’re not 1st on someone’s Top 8, or somebody else is before them.” While some people are ecstatic to be added, there are many more that are frustrated because they are removed or simply not listed.

The Top Friends feature requires participants to actively signal their relationship with others. Such a system makes it difficult to be vague about who matters the most, although some tried by explaining on their bulletins what theme they are using to choose their Top 8 this week: “my Sagittarius friends,” “my basketball team,” and “people whose initials are BR.” Still others relied on fake Profiles for their Top 8.

The networked nature of impressions does not only affect the viewer — this is how newcomers decided what to present in the first place. When people first joined Friendster, they took cues from the people who invited them. Three specific subcultures dominated the early adopters — bloggers, attendees of the Burning Man [14] festival, and gay men mostly living in New York. If the invitee was a Burner, their Profile would probably be filled with references to the event with images full of half-naked, costumed people running around the desert. As such, newcomers would get the impression that it was a site for Burners and they would create a Profile that displayed that facet of their identity. In deciding whom to invite, newcomers would perpetuate the framing by only inviting people who are part of the Burning Man subculture.

Interestingly, because of this process, Burners believed that the site was for Burners, gay men thought it was a gay dating site, and bloggers were ecstatic to have a geek socializing tool. The reason each group got this impression had to do with the way in which context was created on these systems. Rather than having the context dictated by the environment itself, context emerged through Friends networks. As a result, being socialized into Friendster meant connecting to Friends that reinforced the contextual information of early adopters.

The growth of MySpace followed a similar curve. One of the key early adopter groups were hipsters living in the Silverlake neighborhood of Los Angeles. They were passionate about indie rock music and many were musicians, promoters, club goers, etc. As MySpace took hold, long before any press was covering the site, MySpace took off amongst 20/30-something urban socializers, musicians, and teenagers. The latter group may not appear obvious, but teenagers are some of the most active music consumers — they follow music culture avidly, even when they are unable to see the bands play live due to age restrictions. As the site grew, the teenagers and 20/30-somethings pretty much left each other alone, although bands bridged these groups. It was not until the site was sold to News Corp. for US$580 million in the summer of 2005 that the press began covering the phenomenon. The massive press helped it grow larger, penetrating those three demographics more deeply but also attracting new populations, namely adults who are interested in teenagers (parents, teachers, pedophiles, marketers).

When context is defined by whom one Friends, and addressing multiple audiences simultaneously complicates all relationships, people must make hard choices. Joshua Meyrowitz (1985) highlights this problem in reference to television. In the early 1960s, Stokely Carmichael regularly addressed segregated black and white audiences about the values of Black Power. Depending on his audience, he used very different rhetorical styles. As his popularity grew, he began to attract media attention and was invited to speak on TV and radio. Unfortunately, this was more of a curse than a blessing because the audiences he would reach through these mediums included both black and white communities. With no way to reconcile the two different rhetorical styles, he had to choose. In choosing to maintain his roots in front of white listeners, Carmichael permanently alienated white society from the messages of Black Power.

Notes

10. Friendster originally limited users to 150 Friends. It is no accident that they chose 150, as this is the “Dunbar number.” In his research on gossip and grooming, Robin Dunbar argues that there is a cognitive limit to the number of relations that one can maintain. People can only keep gossip with 150 people at any given time (Dunbar, 1998). By capping Friends at 150, Friendster either misunderstood Dunbar or did not realize that their users were actually connecting to friends from the past with whom they are not currently engaging.

12. Eight was the maximum number of Friends that the system initially let people have. Some users figured out how to hack the system to display more Friends; there are entire bulletin boards dedicated to teaching others how to hack this. Consistently, upping the limit was the number one request that the company received. In the spring of 2006, MySpace launched an ad campaign for X-Men. In return for Friending X-Men, users were given the option to have 12, 16, 20, or 24 Friends in their Top Friends section. Millions of users did exactly that. In late June, this feature was introduced to everyone, regardless of Friending X-Men. While eight is no longer the limit, people move between calling it Top 8 or Top Friends. I will use both terms interchangeably, even when the number of Friends might be greater than eight.

Bruce Schneier on identity theft

From Stephen J. Dubner’s interview with Bruce Schneier in “Bruce Schneier Blazes Through Your Questions” (The New York Times: 4 December 2007):

Identity theft is a problem for two reasons. One, personal identifying information is incredibly easy to get; and two, personal identifying information is incredibly easy to use. Most of our security measures have tried to solve the first problem. Instead, we need to solve the second problem. As long as it’s easy to impersonate someone if you have his data, this sort of fraud will continue to be a major problem.

The basic answer is to stop relying on authenticating the person, and instead authenticate the transaction. Credit cards are a good example of this. Credit card companies spend almost no effort authenticating the person — hardly anyone checks your signature, and you can use your card over the phone, where they can’t even check if you’re holding the card — and spend all their effort authenticating the transaction.

A woman who never forgets anything

From Samiha Shafy’s “An Infinite Loop in the Brain” (Der Spiegel: 21 November 2008):

Price can rattle off, without hesitation, what she saw and heard on almost any given date. She remembers many early childhood experiences and most of the days between the ages of 9 and 15. After that, there are virtually no gaps in her memory. “Starting on Feb. 5, 1980, I remember everything. That was a Tuesday.”

“People say to me: Oh, how fascinating, it must be a treat to have a perfect memory,” she says. Her lips twist into a thin smile. “But it’s also agonizing.”

In addition to good memories, every angry word, every mistake, every disappointment, every shock and every moment of pain goes unforgotten. Time heals no wounds for Price. “I don’t look back at the past with any distance. It’s more like experiencing everything over and over again, and those memories trigger exactly the same emotions in me. It’s like an endless, chaotic film that can completely overpower me. And there’s no stop button.”

She’s constantly bombarded with fragments of memories, exposed to an automatic and uncontrollable process that behaves like an infinite loop in a computer. Sometimes there are external triggers, like a certain smell, song or word. But often her memories return by themselves. Beautiful, horrific, important or banal scenes rush across her wildly chaotic “internal monitor,” sometimes displacing the present. “All of this is incredibly exhausting,” says Price.

The scientists were able to verify her autobiographical data because she has meticulously kept a diary since the age of 10. She has filled more than 50,000 pages with tiny writing, documenting every occurrence, no matter how insignificant. Writing things down helps Price organize the thoughts and images shimmering in her head.

In fact, she feels a strong need to document her life. This includes hoarding every possible memento from childhood, including dolls, stuffed animals, cassette tapes, books, a drawer from the dresser she had when she was five. “I have to be able to touch my memories,” Price explains.

[James McGaugh, founder of the Center for the Neurobiology of Learning and Memory at the University of California in Irvine,] and his colleagues concluded that Price’s episodic memory, her recollection of personal experiences and the emotions associated with them, is virtually perfect. A case like this has never been described in the history of memory research, according to McGaugh. He explains that Price differs substantially from other people with special powers of recall, such as autistic savants, because she uses no strategies to help her remember and even does a surprisingly poor job on some memory tests.

It’s difficult for her to memorize poems or series of numbers — which helps explain why she never stood out in school. Her semantic memory, the ability to remember facts not directly related to everyday life, is only average.

Two years ago, the scientists published their first conclusions in a professional journal without revealing the identity of their subject. Since then, more than 200 people have contacted McGaugh, all claiming to have an equally perfect episodic memory. Most of them were exposed as fakes. Three did appear to have similarly astonishing abilities. “Their personalities are very different. The others are not as anxious as Jill. But they achieve comparable results in the tests,” McGaugh reports.

The subjects do have certain compulsive traits in common, says McGaugh, especially compulsive hoarding. The three others are left-handed, and Price also showed a tendency toward left-handedness in tests.

In neurobiological terms, a memory is a stored pattern of links between nerve cells in the brain. It is created when synapses in a network of neurons are activated for a short time. The more often the memory is recalled afterwards, the more likely it is that permanent links develop between the nerve cells — and the pattern will be stored as a long-term memory. In theory there are so many possible links that an almost unlimited number of memories can be permanently stored.

So why don’t all people have the same powers of recollection as Jill Price? “If we could remember everything equally well, the brain would be hopelessly overburdened and would operate more slowly,” says McGaugh. He says forgetting is a necessary condition of having a viable memory — except in the case of Price and the other three memory superstars.

Debt collection business opens up huge security holes

From Mark Gibbs’ “Debt collectors mining your secrets” (Network World: 19 June 2008):

[Bud Hibbs, a consumer advocate] told me any debt collection company has access to an incredible amount of personal data from hundreds of possible sources and the motivation to mine it.

What intrigued me after talking with Hibbs was how the debt collection business works. It turns out pretty much anyone can set up a collections operation by buying a package of bad debts for around $40,000, hiring collectors who will work on commission, and applying for the appropriate city and state licenses. Once a company is set up it can buy access to Acxiom and Experian and other databases and start hunting down defaulters.

So, here we have an entire industry dedicated to buying, selling and mining your personal data that has been derived from who knows where. Even better, because the large credit reporting companies use a lot of outsourcing for data entry, much of this data has probably been processed in India or Pakistan where, of course, the data security and integrity are guaranteed.

Hibbs points out that, with no prohibitions on sending data abroad and with the likes of, say, the Russian mafia being interested in the personal information, the probability of identity theft from these foreign data centers is enormous.

The real solution to identity theft: bank liability

From Bruce Schneier’s “Mitigating Identity Theft” (Crypto-Gram: 15 April 2005):

The very term “identity theft” is an oxymoron. Identity is not a possession that can be acquired or lost; it’s not a thing at all. …

The real crime here is fraud; more specifically, impersonation leading to fraud. Impersonation is an ancient crime, but the rise of information-based credentials gives it a modern spin. A criminal impersonates a victim online and steals money from his account. He impersonates a victim in order to deceive financial institutions into granting credit to the criminal in the victim’s name. …

The crime involves two very separate issues. The first is the privacy of personal data. Personal privacy is important for many reasons, one of which is impersonation and fraud. As more information about us is collected, correlated, and sold, it becomes easier for criminals to get their hands on the data they need to commit fraud. …

The second issue is the ease with which a criminal can use personal data to commit fraud. …

Proposed fixes tend to concentrate on the first issue — making personal data harder to steal — whereas the real problem is the second. If we’re ever going to manage the risks and effects of electronic impersonation, we must concentrate on preventing and detecting fraudulent transactions.

… That leaves only one reasonable answer: financial institutions need to be liable for fraudulent transactions. They need to be liable for sending erroneous information to credit bureaus based on fraudulent transactions.

… The bank must be made responsible, regardless of what the user does.

If you think this won’t work, look at credit cards. Credit card companies are liable for all but the first $50 of fraudulent transactions. They’re not hurting for business; and they’re not drowning in fraud, either. They’ve developed and fielded an array of security technologies designed to detect and prevent fraudulent transactions.

Two-factor authentication: the good & the bad

From Bruce Schneier’s “More on Two-Factor Authentication” (Crypto-Gram: 15 April 2005):

Passwords just don’t work anymore. As computers have gotten faster, password guessing has gotten easier. Ever-more-complicated passwords are required to evade password-guessing software. At the same time, there’s an upper limit to how complex a password users can be expected to remember. About five years ago, these two lines crossed: It is no longer reasonable to expect users to have passwords that can’t be guessed. For anything that requires reasonable security, the era of passwords is over.

Two-factor authentication solves this problem. It works against passive attacks: eavesdropping and password guessing. It protects against users choosing weak passwords, telling their passwords to their colleagues or writing their passwords on pieces of paper taped to their monitors. For an organization trying to improve access control for its employees, two-factor authentication is a great idea. Microsoft is integrating two-factor authentication into its operating system, another great idea.

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

One way to think about this is that two-factor authentication solves security problems involving authentication. The current wave of attacks against financial systems are not exploiting vulnerabilities in the authentication system, so two-factor authentication doesn’t help.
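The two Schneier passages above (authenticate the transaction rather than the person, and two-factor authentication solving authentication problems but not transaction fraud) can be shown side by side in code. The following is an added example written for this page, not code from Schneier or from any bank: a standards-based one-time-code check (TOTP per RFC 6238, HMAC-SHA1, 30-second step, six digits) followed by a separate transaction-risk check. The customer profile, the risk rules and the sample transactions are constructed for illustration; the key and time instant in the usage section are the published RFC 6238 test vector.

```python
"""Added example, not code from the page or from Schneier: a second-factor
check placed next to a transaction-risk check, to make concrete the point
that a correct login code authenticates the person while fraud detection
has to look at the transaction itself. The TOTP arithmetic follows RFC 6238
(HMAC-SHA1, 30-second step, 6 digits); the risk rules, the customer
profile and the transactions are constructed for illustration only."""
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, unix_time // STEP, digits)


def verify_second_factor(secret: bytes, submitted: str, unix_time: int,
                         skew: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift),
    comparing in constant time so timing does not leak matching digits."""
    for drift in range(-skew, skew + 1):
        expected = totp(secret, unix_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed customer profile and transactions (illustrative values).
PROFILE = {"home_country": "US", "typical_amount": 80.0}
LOW_RISK_TX = {"ts": 1000, "amount": 64.0, "country": "US",
               "card_not_present": False}
HIGH_RISK_TX = {"ts": 1000, "amount": 2400.0, "country": "RO",
                "card_not_present": True}
RECENT_BURST = [{"ts": 700}, {"ts": 800}, {"ts": 900}]  # three in 10 min


def transaction_risk(tx: dict, profile: dict, recent: list) -> list:
    """Return the constructed risk rules a transaction trips. A real issuer
    would use far richer features; the shape of the check is the point."""
    flags = []
    if tx["country"] != profile["home_country"]:
        flags.append("foreign_country")
    if tx["amount"] > 10 * profile["typical_amount"]:
        flags.append("amount_outlier")
    if len([r for r in recent if 0 <= tx["ts"] - r["ts"] <= 600]) >= 3:
        flags.append("velocity")
    if tx["card_not_present"] and "foreign_country" in flags:
        flags.append("cnp_abroad")
    return flags


def authorize(secret: bytes, code: str, tx: dict, profile: dict,
              recent: list, unix_time: int) -> tuple:
    """Two separate gates. The second factor answers 'is this the account
    holder's token?'; the risk rules answer 'does this transaction look
    like the holder's behaviour?'. A valid code does not bypass the second
    gate, which is where the fraud Schneier describes has to be caught."""
    if not verify_second_factor(secret, code, unix_time):
        return ("deny", ["bad_second_factor"])
    flags = transaction_risk(tx, profile, recent)
    if len(flags) >= 2:
        return ("step_up", flags)   # e.g. call-back or out-of-band confirm
    return ("approve", flags)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test-vector key (SHA-1)
    now = 59                           # RFC 6238 test instant
    code = totp(secret, now)
    print(authorize(secret, code, LOW_RISK_TX, PROFILE, [], now))
    print(authorize(secret, code, HIGH_RISK_TX, PROFILE, [], now))
    print(authorize(secret, "000000", LOW_RISK_TX, PROFILE, [], now))
```

Run as a script, the first call approves a normal domestic purchase, the second sends a foreign card-not-present outlier to step-up even though the one-time code was correct, and the third denies on the bad code before any transaction rule runs. Two-factor authentication decides only the first gate; the second gate is the transaction authentication Schneier argues banks must invest in.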

Why disclosure laws are good

From Bruce Schneier’s “Identity-Theft Disclosure Laws” (Crypto-Gram Newsletter: 15 May 2006):

Disclosure laws force companies to make these security breaches public. This is a good idea for three reasons. One, it is good security practice to notify potential identity theft victims that their personal information has been lost or stolen. Two, statistics on actual data thefts are valuable for research purposes. And three, the potential cost of the notification and the associated bad publicity naturally leads companies to spend more money on protecting personal information — or to refrain from collecting it in the first place.

Offshoring danger: identity theft

From “Indian call centre ‘fraud’ probe” (BBC News: 23 June 2005):

Police are investigating reports that the bank account details of 1,000 UK customers, held by Indian call centres, were sold to an undercover reporter.

The Sun claims one of its journalists bought personal details including passwords, addresses and passport data from a Delhi IT worker for £4.25 each. …

The Sun alleged the computer expert told the reporter he could sell up to 200,000 account details, obtained from fraudulent call centre workers, each month.

Details handed to the reporter had been examined by a security expert who had indicated they were genuine, the paper said.

Identity theft method: file false unemployment claims

From Michael Alter’s “States fiddle while defrauders steal” (CNET News.com: 21 June 2005):

More than 9 million American consumers fall victim to identity theft each year. But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims.

It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve made a quick $1.04 million. It’s tough to make crime pay much better than that.

The victims in this crime–the state work force agencies that tirelessly oversee our unemployment insurance programs and the U.S. Department of Labor–are reluctant to discuss this topic for obvious reasons. …

The slow response of state and federal agencies is quickly threatening the integrity of the unemployment insurance system. It turns out that crime is a very efficient market and word spreads quickly. Got a stolen Social Security number? You can more easily turn it into money by defrauding the government than by defrauding the credit card companies.

The net result of this fraud is that unemployment taxes are going up, and that makes it that much harder for small businesses and big businesses to do business. Even more, higher payroll taxes slow down economic growth because they make it more expensive to hire new employees.

Credit cards sold in the Underground

From David Kirkpatrick’s “The Net’s not-so-secret economy of crime” (Fortune: 15 May 2006):

Raze Software offers a product called CC2Bank 1.3, available in freeware form – if you like it, please pay for it. …

But CC2Bank’s purpose is the management of stolen credit cards. Release 1.3 enables you to type in any credit card number and learn the type of card, name of the issuing bank, the bank’s phone number and the country where the card was issued, among other info. …

Says Marc Gaffan, a marketer at RSA: “There’s an organized industry out there with defined roles and specialties. There are means of communications, rules of engagement, and even ethics. It’s a whole value chain of facilitating fraud, and only the last steps of the chain are actually dedicated to translating activity into money.”

This ecosystem of support for crime includes services and tools to make theft simpler, harder to detect, and more lucrative. …

… a site called TalkCash.net. It’s a members-only forum, for both verified and non-verified members. To verify a new member, the administrators of the site must do due diligence, for example by requiring the applicant to turn over a few credit card numbers to demonstrate that they work.

It’s an honorable exchange for dishonorable information. “I’m proud to be a vendor here,” writes one seller.

“Have a good carding day and good luck,” writes another seller …

These sleazeballs don’t just deal in card numbers, but also in so-called “CVV” numbers. That’s the Creditcard Validation Value – an extra three- or four-digit number on the front or back of a card that’s supposed to prove the user has physical possession of the card.

On TalkCash.net you can buy CVVs for card numbers you already have, or you can buy card numbers with CVVs included. (That costs more, of course.)

“All CVV are guaranteed: fresh and valid,” writes one dealer, who charges $3 per CVV, or $20 for a card number with CVV and the user’s date of birth. “Meet me at ICQ: 264535650,” he writes, referring to the instant message service (owned by AOL) where he conducts business. …

Gaffan says these credit card numbers and data are almost never obtained by criminals as a result of legitimate online card use. More often the fraudsters get them through offline credit card number thefts in places like restaurants, when computer tapes are stolen or lost, or using “pharming” sites, which mimic a genuine bank site and dupe cardholders into entering precious private information. Another source of credit card data are the very common “phishing” scams, in which an e-mail that looks like it’s from a bank prompts someone to hand over personal data.

Also available on TalkCash is access to hijacked home broadband computers – many of them in the United States – which can be used to host various kinds of criminal exploits, including phishing e-mails and pharming sites.


The difficulty of recovering from identity theft

From TechWeb News’s “One In Four Identity-Theft Victims Never Fully Recover”:

Making things right after a stolen identity can take months and cost thousands, a survey of identity theft victims released Tuesday said. Worse, in more than one in four cases, victims haven’t been able to completely restore their good name.

The survey, conducted by Nationwide Mutual Insurance Co., found that 28 percent of identity thieves’ marks aren’t able to reconstruct their identities even after more than a year of work. On average, victims spent 81 hours trying to resolve their case.

According to the poll, the average amount of total charges made using a victim’s identity was $3,968. Fortunately, most were not held responsible for the fraudulent charges; 16 percent, however, reported that they had to pay for some or all of the bogus purchases.

Other results posted by the survey were just as dispiriting. More than half of the victims discovered the theft on their own by noticing unusual charges on credit cards or depleted bank accounts, but that took time: on average, five and a half months passed between when the theft occurred and when it was spotted.

Only 17 percent were notified by a creditor or financial institution of suspicious activity, a figure that’s certain to fuel federal lawmakers pondering legislation that would require public disclosure of large data breaches.


Familiar strangers

From danah boyd’s “G/localization: When Global Information and Local Interaction Collide”:

In the early 1970s, Stanley Milgram was intrigued by what he called “familiar strangers” – people who recognized each other in public life but never interacted. Through experiments, he found that people are most likely to interact with people when removed from the situation in which they are familiarly strangers. In other words, two people who take the same bus every day for years may never interact, but if they were to run into each other in a different environment across town, they would say hello and talk about the bus. If they run into each other in a foreign country, they will immediately be close friends.


Culture, values, & designing technology systems

From danah boyd’s “G/localization: When Global Information and Local Interaction Collide”:

Culture is the set of values, norms and artifacts that influence people’s lives and worldview. Culture is embedded in material objects and in conceptual frameworks about how the world works. …

People are a part of multiple cultures – the most obvious of which are constructed by religion and nationality, but there are all sorts of cultures that form from identities and communities of practice. … Identification and participation in that culture means sharing a certain set of cultural values and ideas about how the world should work. …

Cultural norms evolve over time, influenced by people, their practices, and their environment. Culture is written into law and laws influence the evolution of culture. Cultures develop their own symbols as a way of conveying information. Often, these symbols make sense to those within a culture but are not parsable to those outside. Part of becoming indoctrinated into a culture is learning the symbols of that culture. …

… there are numerous cultural forces affecting your life at all times. How you see the world and how you design or build technology is greatly influenced by the various cultural concepts you hold onto. …

… algorithms are simply the computer manifestation of a coder’s cultural norms.


How much does stolen identity info cost?

From The New York Times’ “Countless Dens of Uncatchable Thieves”:

In the online world, he operates under the pseudonym Zo0mer, according to American investigators, and he smugly hawks all manner of stolen consumer information alongside dozens of other peddlers at a Web site he helps manage.

“My prices are lowers then most of other vendors have and I will deliver them in real time,” reads a typically fractured Zo0mer post.

At the same forum, another user, “tabbot,” offers “any U.S. bank accounts” for sale.

“Balance from 3K and above: $40,” he writes. “Regular brokerage accounts from 3K and above: $70.”

Tabbot also offers full access to hacked accounts from credit unions. One, with a $31,000 balance, is being sold for $400. “I can try search specific info such as signature, ssn, dob, email access,” tabbot writes. “Account with an extra info will be more expensive.”


Identity production & sharing during adolescence

From danah boyd’s “Friendster lost steam. Is MySpace just a fad?”:

No, it is not just a moral panic that could make MySpace a fad. The primary value right now has to do with identity production and sharing, practices that are more critical to certain populations at certain times in their lives and it is possible that “growing up” will be marked by leaving MySpace (both for the teens and the 20-somethings).


SSL in depth

I host Web sites, but we’ve only recently [2004] had to start implementing SSL, the Secure Sockets Layer, which turns http into https. I’ve been on the lookout for a good overview of SSL that explains why it is implemented as it is, and I think I’ve finally found one: Chris Shiflett: HTTP Developer’s Handbook: 18. Secure Sockets Layer is a chapter from Shiflett’s book posted on his web site, and boy it is good.

SSL has dramatically changed the way people use the Web, and it provides a very good solution to many of the Web’s shortcomings, most importantly:

  • Data integrity – SSL can help ensure that data (HTTP messages) cannot be changed while in transit.
  • Data confidentiality – SSL provides strong cryptographic techniques used to encrypt HTTP messages.
  • Identification – SSL can offer reasonable assurance as to the identity of a Web server. It can also be used to validate the identity of a client, but this is less common.

Shiflett is a clear technical writer, and if this chapter is any indication, the rest of his book may be worth buying.
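The three assurances in Shiflett’s list are not independent, and the point is easiest to see in a client configuration. The following is an added example, not code from Shiflett’s chapter or from this site: it uses Python’s standard `ssl` module to build a client context that skips server identification next to one that enforces it, and reports which of the three properties each context can really deliver. `inspect_peer` is an assumed helper that needs network access and a hostname you supply; everything else runs offline.

```python
import ssl
import socket

# Added example (not from Shiflett's chapter or this blog): contrast a client
# TLS context that skips identification with one that enforces it, and report
# which of the three assurances listed above each one can actually deliver.


def insecure_context() -> ssl.SSLContext:
    """The weak setting: encrypt, but accept whatever certificate the peer sends."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE     # no certificate chain validation at all
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected setting: system CA store, chain + hostname check, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, CAs loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def assurances(ctx: ssl.SSLContext) -> dict:
    """Map a context's settings onto the three properties Shiflett lists.

    Integrity and confidentiality come from the record layer on any TLS
    connection, but without identification they only hold against a passive
    eavesdropper: whoever answers the handshake, legitimate server or not,
    gets a perfectly good encrypted channel to the client.
    """
    identified = (ctx.verify_mode == ssl.CERT_REQUIRED) and ctx.check_hostname
    return {
        "integrity": True,
        "confidentiality_vs_passive_eavesdropper": True,
        "identification": identified,
        "confidentiality_vs_active_attacker": identified,
        "modern_protocol_floor": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def inspect_peer(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and return what the server proved.

    Assumed helper, needs network access. `host` is whatever site you want to
    check; if its certificate does not chain to a CA in the local trust store
    the handshake raises ssl.SSLCertVerificationError, which is the whole point
    of the identification property.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # parsed only because verification succeeded
            subject = dict(rdn[0] for rdn in cert["subject"])
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject_cn": subject.get("commonName"),
                "issuer_cn": issuer.get("commonName"),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, assurances(ctx))
```

The practical reading of the output is that `verify_mode = CERT_NONE` does not merely weaken the third bullet; it turns the second one into confidentiality against eavesdroppers only, which is why a client that disables verification "to make the error go away" has given up most of what https was bought for.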
