A.M.Marshall BSc CEng FRSA MBCS CITP
Centre for Internet Computing
University of Hull
Scarborough YO43 3DX, UK
Eur.Ing. B.C.Tompsett BSc MSc CEng MBCS CITP,
Dept. of Computer Science,
University of Hull
Hull HU6 7RX, UK
June 9, 2004
With the aid of an example case of identity-theft used to perpetrate an apparent beneﬁts fraud & consideration of other undesirable online activities, the authors examine the motives and methods of Internet-based identity theft. Consideration is given to how such cases may be detected, investigated and prevented in the future.
The problem of trust relationships and validation of identity tokens is discussed and recommendations for the prevention of identity theft are given.
Internet, crime, trust, identity, identity theft, fraud,
The authors are grateful to Mike Andrews, of the Digital Evidence Recovery and Internet Crime (DERIC) Unit of North Yorkshire County Council, and Karen Watson, an undergraduate of the Centre for Internet Computing, for their assistance with background for this paper.
Thanks also go to John Rayner and Mike Brayshaw for their invaluable proof-reading.
Services available on the Internet oﬀer many opportunities for the acquisition of personal data, and some provide signiﬁcant quantities of personal information for even casual users to see. Although much of this information is quite innocuous, aggregation of data from several sources can allow criminals to build up a large enough corpus that they can successfully impersonate another individual. Frequently such identity-theft is used to obtain ﬁnancial beneﬁt through credit-card fraud, but other types of fraudulent activity are possible.
Theft of identity is a concept which has been in existence for many years but, for the purposes of this exercise, we deﬁne it as “The acquisition of suﬃcient data for one individual to successfully impersonate another” . This does not, per se, constitute a theft, but certainly deﬁnes the concept in such a way that most instances of what is commonly described as identity theft are encompassed. In this document, we propose to examine a range of identity types existing in an online environment, the relationships between them, and the mechanisms of identity-acquisition available.
Conventionally, an identity theft exercise requires the acquisition or fabrication of suﬃcient information to be able to establish that the individual presenting that information as credentials is, beyond reasonable doubt, the subject of that information, and hence that the information veriﬁes that the presenter is the owner of the claimed identity.
The quantity and quality of information required to establish ownership of an identity, and hence gain access to an identity veriﬁcation token, vary greatly and aﬀect the acceptability of the token. Consider two common tokens - an e-mail address and a passport.
In order to register for an e-mail address, an applicant may have to provide no information other than the name they wish to be known by, a preferred username and a password. To obtain a passport, a considerable amount of personal data, ranging from date of birth to a photograph are required. In the case of the passport, most claims about information must be corroborated through the production of oﬃcial forms (e.g. birth certiﬁcate) or veriﬁcation by a trustworthy third party (e.g. having a GP, lawyer, academic or other trusted person, attest that the photograph is a true likeness).
As a weak token, an e-mail address should have little use other than for the sending and receiving of e-mail which, although it may be ﬁnancially rewarding (consider the spam problem), should have no particularly strong legal standing....