Privacy Issues with Identity Credentials: Identity Cards, Access Cards, and Account Tokens

1 / 32

About This Presentation

Title:

Privacy Issues with Identity Credentials: Identity Cards, Access Cards, and Account Tokens

Description:

Compromise Paypal accounts. Transfer money. Empty bank account. Protect Paypal account: always type address or use Favorite, never click on e-mail links ' ... – PowerPoint PPT presentation

Number of Views:163

Avg rating:3.0/5.0

Slides: 33

Provided by: mitreem

more less

Transcript and Presenter's Notes

Title: Privacy Issues with Identity Credentials: Identity Cards, Access Cards, and Account Tokens

1
Privacy Issues with Identity Credentials
Identity Cards, Access Cards, and Account Tokens

Daniel J. Theunissen, CISSP
The MITRE Corporation

The author's affiliation with The MITRE
Corporation is provided for identification
purposes only, and is not intended to convey or
imply MITRE's concurrence with, or support for,
the positions, opinions or viewpoints expressed
by the author.
2
Agenda

Three Authentication Methods
Privacy Concerns with IDs
Identity Documents
Access Cards
Account Tokens
Contactless Technologies
The RealID Act
Future trends?
Privacy impacts discussion
- multiple slides

3
Three Authentication Methods

Something you are/do (fingerprint)
Something you know (password)
Something you have (ID)
Identity credential (universal use)
Access card (specific to one use)
Account token authorization to perform a
transaction against an account (check card,
pre-paid phone card, signed check)

4
Privacy Concerns With Tokens

Impersonation
Theft and misuse of valid token
Altering of valid ID called ID tampering
Creation of falsified ID/token
Activity tracking
May be a tokens intended purpose
May be acceptable (for example, credit card fraud
protection)
Re-purposing data through data mining (predict
interests behavior)
Tracking through updating information on card and
in database
Issuer retention of private data in database
Some collections more valuable than others
My identity information is important wherever it
is stored
Scope creep use of token for another purpose

5
Identity Document Types

Passports
National IDs
Driver's Licenses and State IDs
HSPD-12 PIV Card (Fed. Govt. ID)
Other IDs

6
Passports

Top-of-the-line, the primary identity document
Highest impact if successfully forged
Most difficult to forge
Electronic passports improve resistance to
forging, especially by enabling automated checks
to back-end systems
Privacy issue with electronic passport
Electronic passport always on even if hidden
Only wealthy nations have implemented
Recommended to keep e-passport in
electromagnetically opaque sleeve

7
National IDs

Needed for national health care plan ID
Combines personal identity with health
information and some activities (residences,
phone numbers)
Useful for social welfare programs (unemployment,
social security)
Concern with state-sponsored prejudice
Concern with scope-creep
European laws prevent use for other than
specified purpose

8
Drivers Licenses and State IDs

Considered a primary identity document
Inconsistent requirements to acquire. Examples
MD birth certificate, utility bill, and canceled
check with imprinted name and address
DC Certified copy of high school records with
name and birthday, unexpired health insurance
card with name, SSN, and birthday, utility bill,
payroll statement with SSN
VA birth certificate and unexpired gun permit
(need birth certificate, residency proofs, and
take a safety course)
Stolen/forged birth certificate money time
DL
CA driver license forgeries readily available for
150 on the street, 300 on the Internet
Target customers are illegal immigrants and
underage drinkers
Customers may include identity thieves

9
HSPD-12 PIV Card

Intended to be a single standard for all U.S.
federal government workers for access to all
facilities and all systems
Expanding to emergency responders
Expandable to state government employees who need
federal access
Privacy issues with undercover agent identities
Value to organized crime of a database of all FBI
agents or customs inspectors?
FIXs PIV Card for commercial companies

10
Other IDs (I-9)

Form I-9 required to be completed for employment
Must prove identity and employment eligibility
Valid identity proven with
State drivers license or ID
School ID with a photograph
Voters registration card
Proof of employment eligibility with
Native American tribal document
Birth certificate
US social security card (forgeries readily
available for 150)

11
Agenda

Three Authentication Methods
Privacy Concerns with IDs
Identity Documents
Access Cards
Account Tokens
Contactless Technologies
The RealID Act
Future trends?
Privacy impacts discussion
- multiple slides

12
Access Cards/Tokens

Typically for building room access
Electronic equivalent of physical key
Can be contactless card, contact fob
Usually combined with ID Card
Sometimes not directly tied to identity (blank
access card/fob with lookup table)
Can track rest breaks, smoke breaks, time in
office
Can be configured to not record this info or
severely limit access to it

13
Account Tokens

Checks
Credit cards
Check card / Debit card
On-line payment services
Customer loyalty cards

14
Checks

Easy to print forged checks, easier to steal
Can pre-cancel numbers on stolen checks
Account number in electronic ink
Some stores check that electronic ink exists
Account number and check number usually only
verified when depositing check when it is too
late
Signature validation easy to forge
Accounting practice is to expect 15 losses with
checks (compare to

15
Credit Cards

Store checks number validity with CC company
Many reports of CC numbers stolen in bulk
Infeasible to determine if your CC is affected
Criminals cannot use many of them quickly, highly
unlikely your CC will be used
Logical response is recovery, not prevention
One-time-use credit card numbers
Annual report of all spending

16
Check Card / Debit Card

Often act like credit card
Sometimes use PIN not physical signature, but PIN
is easy to capture via shoulder surfing
No authentication for low dollar amounts
Transactions against bank account may not be
examined as extensively as CC
Compare to electronic purse cards (gift cards)
Dollar value stored on card
Less money, less tracking
Possession is permission to use, possible to
steal and use

17
On-line payment services

Paypal fraud rampant
Establish bank account
Compromise Paypal accounts
Transfer money
Empty bank account
Protect Paypal account always type address or
use Favorite, never click on e-mail links

18
Customer Loyalty Cards

Many grocery stores offer discount cards
Extensive data mining for targeting customers
Valid if geared towards the stores business
Repeat business (savings this trip)
Future up-sell (printed coupon at cashier)
Item grouping (store layout)
Customer trends (encourage future big spenders)
Could be repurposed
Are soda buyers likely to donate to charity?

19
Agenda

Three Authentication Methods
Privacy Concerns with IDs
Identity Documents
Access Cards
Account Tokens
Contactless Technologies
The RealID Act
Future trends?
Privacy impacts discussion
- multiple slides

20
Contactless Technologies

Many standards for contactless technologies
Cards respond to signal transmitted to them
All have nominal ranges in inches based upon
standard transmission power
Bad guys build overpowered transmitters for
increased range (yards to miles)
RFID implantable contactless ID card
Pro cant be lost or stolen
Con cant be turned off, health questions,
extremely intrusive

21
The Real-ID Act

State IDs must comply for it to be used to enter
federal buildings or airplanes
If state does not comply, citizens would require
passport or undergo additional scrutiny
17 states governments have rejected compliance
Mandates address, 2D bar code
Some states allow no address (stalker victims)
If not softened, expect another huge spike in
passport applications

22
Future trends?

Need for "community" identity tokens
(intelligence, health care, law enforcement,
first responders)
Push for nationalized health care plans
Political/Economic realities preventing
widespread identity tokens
Will biometrics make ID cards obsolete?
Fingerprint and iris scans at 15ft

23
Privacy Impact Discussion

Collections of personal data
Ease of forgery of identity credentials
Difficulty verifying identity credentials
Record of transactions used to develop
preferences and combinations
Misperceptions and a false sense of security

24
Wrap-up

Its a good thing there are very few criminals.

25
References
26
References

General ID cards (privacy concerns as well)
http//en.wikipedia.org/wiki/Id_card
Privacy information breach of 6.2 million
customers of TD Ameritrade Holding Corp.
http//www.computerworld.com/action/article.do?com
mandviewArticleBasicarticleId9037083sourcerss
_ind130
Fraud police buckling under mountains of data
http//www.computerworld.com/action/article.do?com
mandviewArticleBasicarticleId9038978sourcerss
_ind130

27
References

Identity documents to obtain drivers license
VA - http//www.dmv.state.va.us/webdoc/pdf/dmv141.
pdf
DC - http//dmv.dc.gov/serv/dlicense/get_DL.shtm
MD - http//www.marylandmva.com/DriverServ/Apply/p
roof.htm
CA driver license forgeries readily available for
150-300
http//www.sfgate.com/cgi-bin/article.cgi?f/n/a/2
006/06/02/state/n100321D11.DTLtypepolitics
Social Security Card forgeries readily available
for 150
http//www.nytimes.com/2005/04/05/business/05immig
ration.html?ei5090en78c87ac4641dc383ex1270353
600adxnnl1partnerkmarxadxnnlx1151679977-5f7V
E0dNTtzts9n2va2LGA