Title: Privacy Issues with Identity Credentials: Identity Cards, Access Cards, and Account Tokens
1Privacy Issues with Identity Credentials
Identity Cards, Access Cards, and Account Tokens
- Daniel J. Theunissen, CISSP
- The MITRE Corporation
The author's affiliation with The MITRE
Corporation is provided for identification
purposes only, and is not intended to convey or
imply MITRE's concurrence with, or support for,
the positions, opinions or viewpoints expressed
by the author.
2Agenda
- Three Authentication Methods
- Privacy Concerns with IDs
- Identity Documents
- Access Cards
- Account Tokens
- Contactless Technologies
- The RealID Act
- Future trends?
- Privacy impacts discussion
- - multiple slides
3Three Authentication Methods
- Something you are/do (fingerprint)
- Something you know (password)
- Something you have (ID)
- Identity credential (universal use)
- Access card (specific to one use)
- Account token authorization to perform a
transaction against an account (check card,
pre-paid phone card, signed check)
4Privacy Concerns With Tokens
- Impersonation
- Theft and misuse of valid token
- Altering of valid ID called ID tampering
- Creation of falsified ID/token
- Activity tracking
- May be a tokens intended purpose
- May be acceptable (for example, credit card fraud
protection) - Re-purposing data through data mining (predict
interests behavior) - Tracking through updating information on card and
in database - Issuer retention of private data in database
- Some collections more valuable than others
- My identity information is important wherever it
is stored - Scope creep use of token for another purpose
5Identity Document Types
- Passports
- National IDs
- Driver's Licenses and State IDs
- HSPD-12 PIV Card (Fed. Govt. ID)
- Other IDs
6Passports
- Top-of-the-line, the primary identity document
- Highest impact if successfully forged
- Most difficult to forge
- Electronic passports improve resistance to
forging, especially by enabling automated checks
to back-end systems - Privacy issue with electronic passport
- Electronic passport always on even if hidden
- Only wealthy nations have implemented
- Recommended to keep e-passport in
electromagnetically opaque sleeve
7National IDs
- Needed for national health care plan ID
- Combines personal identity with health
information and some activities (residences,
phone numbers) - Useful for social welfare programs (unemployment,
social security) - Concern with state-sponsored prejudice
- Concern with scope-creep
- European laws prevent use for other than
specified purpose
8Drivers Licenses and State IDs
- Considered a primary identity document
- Inconsistent requirements to acquire. Examples
- MD birth certificate, utility bill, and canceled
check with imprinted name and address - DC Certified copy of high school records with
name and birthday, unexpired health insurance
card with name, SSN, and birthday, utility bill,
payroll statement with SSN - VA birth certificate and unexpired gun permit
(need birth certificate, residency proofs, and
take a safety course) - Stolen/forged birth certificate money time
DL - CA driver license forgeries readily available for
150 on the street, 300 on the Internet - Target customers are illegal immigrants and
underage drinkers - Customers may include identity thieves
9HSPD-12 PIV Card
- Intended to be a single standard for all U.S.
federal government workers for access to all
facilities and all systems - Expanding to emergency responders
- Expandable to state government employees who need
federal access - Privacy issues with undercover agent identities
- Value to organized crime of a database of all FBI
agents or customs inspectors? - FIXs PIV Card for commercial companies
10Other IDs (I-9)
- Form I-9 required to be completed for employment
- Must prove identity and employment eligibility
- Valid identity proven with
- State drivers license or ID
- School ID with a photograph
- Voters registration card
- Proof of employment eligibility with
- Native American tribal document
- Birth certificate
- US social security card (forgeries readily
available for 150)
11Agenda
- Three Authentication Methods
- Privacy Concerns with IDs
- Identity Documents
- Access Cards
- Account Tokens
- Contactless Technologies
- The RealID Act
- Future trends?
- Privacy impacts discussion
- - multiple slides
12Access Cards/Tokens
- Typically for building room access
- Electronic equivalent of physical key
- Can be contactless card, contact fob
- Usually combined with ID Card
- Sometimes not directly tied to identity (blank
access card/fob with lookup table) - Can track rest breaks, smoke breaks, time in
office - Can be configured to not record this info or
severely limit access to it
13Account Tokens
- Checks
- Credit cards
- Check card / Debit card
- On-line payment services
- Customer loyalty cards
14Checks
- Easy to print forged checks, easier to steal
- Can pre-cancel numbers on stolen checks
- Account number in electronic ink
- Some stores check that electronic ink exists
- Account number and check number usually only
verified when depositing check when it is too
late - Signature validation easy to forge
- Accounting practice is to expect 15 losses with
checks (compare to
15Credit Cards
- Store checks number validity with CC company
- Many reports of CC numbers stolen in bulk
- Infeasible to determine if your CC is affected
- Criminals cannot use many of them quickly, highly
unlikely your CC will be used - Logical response is recovery, not prevention
- One-time-use credit card numbers
- Annual report of all spending
16Check Card / Debit Card
- Often act like credit card
- Sometimes use PIN not physical signature, but PIN
is easy to capture via shoulder surfing - No authentication for low dollar amounts
- Transactions against bank account may not be
examined as extensively as CC - Compare to electronic purse cards (gift cards)
- Dollar value stored on card
- Less money, less tracking
- Possession is permission to use, possible to
steal and use
17On-line payment services
- Paypal fraud rampant
- Establish bank account
- Compromise Paypal accounts
- Transfer money
- Empty bank account
- Protect Paypal account always type address or
use Favorite, never click on e-mail links
18Customer Loyalty Cards
- Many grocery stores offer discount cards
- Extensive data mining for targeting customers
- Valid if geared towards the stores business
- Repeat business (savings this trip)
- Future up-sell (printed coupon at cashier)
- Item grouping (store layout)
- Customer trends (encourage future big spenders)
- Could be repurposed
- Are soda buyers likely to donate to charity?
19Agenda
- Three Authentication Methods
- Privacy Concerns with IDs
- Identity Documents
- Access Cards
- Account Tokens
- Contactless Technologies
- The RealID Act
- Future trends?
- Privacy impacts discussion
- - multiple slides
20Contactless Technologies
- Many standards for contactless technologies
- Cards respond to signal transmitted to them
- All have nominal ranges in inches based upon
standard transmission power - Bad guys build overpowered transmitters for
increased range (yards to miles) - RFID implantable contactless ID card
- Pro cant be lost or stolen
- Con cant be turned off, health questions,
extremely intrusive
21The Real-ID Act
- State IDs must comply for it to be used to enter
federal buildings or airplanes - If state does not comply, citizens would require
passport or undergo additional scrutiny - 17 states governments have rejected compliance
- Mandates address, 2D bar code
- Some states allow no address (stalker victims)
- If not softened, expect another huge spike in
passport applications
22Future trends?
- Need for "community" identity tokens
(intelligence, health care, law enforcement,
first responders) - Push for nationalized health care plans
- Political/Economic realities preventing
widespread identity tokens - Will biometrics make ID cards obsolete?
- Fingerprint and iris scans at 15ft
23Privacy Impact Discussion
- Collections of personal data
- Ease of forgery of identity credentials
- Difficulty verifying identity credentials
- Record of transactions used to develop
preferences and combinations - Misperceptions and a false sense of security
24Wrap-up
- Its a good thing there are very few criminals.
25References
26References
- General ID cards (privacy concerns as well)
- http//en.wikipedia.org/wiki/Id_card
- Privacy information breach of 6.2 million
customers of TD Ameritrade Holding Corp. - http//www.computerworld.com/action/article.do?com
mandviewArticleBasicarticleId9037083sourcerss
_ind130 - Fraud police buckling under mountains of data
- http//www.computerworld.com/action/article.do?com
mandviewArticleBasicarticleId9038978sourcerss
_ind130
27References
- Identity documents to obtain drivers license
- VA - http//www.dmv.state.va.us/webdoc/pdf/dmv141.
pdf - DC - http//dmv.dc.gov/serv/dlicense/get_DL.shtm
- MD - http//www.marylandmva.com/DriverServ/Apply/p
roof.htm - CA driver license forgeries readily available for
150-300 - http//www.sfgate.com/cgi-bin/article.cgi?f/n/a/2
006/06/02/state/n100321D11.DTLtypepolitics - Social Security Card forgeries readily available
for 150 - http//www.nytimes.com/2005/04/05/business/05immig
ration.html?ei5090en78c87ac4641dc383ex1270353
600adxnnl1partnerkmarxadxnnlx1151679977-5f7V
E0dNTtzts9n2va2LGA
28References
- Futility of protecting SSN
- http//www.freedom-to-tinker.com/?p1201
- Form I-9, last page List of Acceptable
Documents - http//www.uscis.gov/files/form/i-9.pdf
29References
- Visa payWave keyfob (25 or more requires PIN)
- http//usa.visa.com/personal/cards/paywave/index.h
tml - Paypal
- https//www.paypal.com/us/cgi-bin/webscr?cmd_secu
rity-center-outside
30References
- ReadID FAQ
- http//www.dhs.gov/xprevprot/laws/gc_1172767635686
.shtm - State Legislation against Real ID Act
- http//www.realnightmare.org/news/105/
31References
- DHS subcommittee report on The Use of RFID for
Human Identification - http//www.dhs.gov/xlibrary/assets/privacy/privacy
_advcom_rpt_rfid_draft.pdf - Biometric advances see last paragraph
- http//news.yahoo.com/s/nm/20070921/tc_nm/homeland
_technology_dc_2
32Blog References
- Threat Level (Ryan Singel and Kevin Poulsen)
http//blog.wired.com/27bstroke6/ - (Bruce) Schneier on Security http//www.schneier.c
om/blog/ - Freedom to Tinker (Ed Felton) http//www.freedom-t
o-tinker.com/ - Leadership Journal (Michael Chertoff)
http//www.dhs.gov/journal/leadership/