A.M.Marshall BSc CEng FRSA MBCS CITP
Centre for Internet Computing
University of Hull
Scarborough YO43 3DX, UK
Eur.Ing. B.C.Tompsett BSc MSc CEng MBCS CITP,
Dept. of Computer Science,
University of Hull
Hull HU6 7RX, UK
June 9, 2004
With the aid of an example case of identity-theft used to perpetrate an apparent benefits fraud & consideration of other undesirable online activities, the authors examine the motives and methods of Internet-based identity theft. Consideration is given to how such cases may be detected, investigated and prevented in the future.
The problem of trust relationships and validation of identity tokens is discussed and recommendations for the prevention of identity theft are given.
Internet, crime, trust, identity, identity theft, fraud,
The authors are grateful to Mike Andrews, of the Digital Evidence Recovery and Internet Crime (DERIC) Unit of North Yorkshire County Council, and Karen Watson, an undergraduate of the Centre for Internet Computing, for their assistance with background for this paper.
Thanks also go to John Rayner and Mike Brayshaw for their invaluable proof-reading.
Services available on the Internet offer many opportunities for the acquisition of personal data, and some provide significant quantities of personal information for even casual users to see. Although much of this information is quite innocuous, aggregation of data from several sources can allow criminals to build up a large enough corpus that they can successfully impersonate another individual. Frequently such identity theft is used to obtain financial benefit through credit-card fraud, but other types of fraudulent activity are possible.
Theft of identity is a concept which has been in existence for many years but, for the purposes of this exercise, we define it as “The acquisition of sufficient data for one individual to successfully impersonate another”. This does not, per se, constitute a theft, but it does define the concept in such a way that most instances of what is commonly described as identity theft are encompassed. In this document, we propose to examine a range of identity types existing in an online environment, the relationships between them, and the mechanisms of identity acquisition available.
Conventionally, an identity theft exercise requires the acquisition or fabrication of sufficient information to be able to establish that the individual presenting that information as credentials is, beyond reasonable doubt, the subject of that information, and hence that the information verifies that the presenter is the owner of the claimed identity.
The quantity and quality of information required to establish ownership of an identity, and hence gain access to an identity verification token, vary greatly and affect the acceptability of the token. Consider two common tokens: an e-mail address and a passport.
In order to register for an e-mail address, an applicant may have to provide no information other than the name they wish to be known by, a preferred username and a password. To obtain a passport, a considerable amount of personal data, ranging from date of birth to a photograph, is required. In the case of the passport, most claims about information must be corroborated through the production of official forms (e.g. a birth certificate) or verification by a trustworthy third party (e.g. having a GP, lawyer, academic or other trusted person attest that the photograph is a true likeness).
As a weak token, an e-mail address should have little use other than for the sending and receiving of e-mail which, although it may be financially rewarding (consider the spam problem), should have no particularly strong legal standing. The pervasiveness of Internet services and the need for a lightweight identity-verification system (primarily because of end-user resistance to strong authentication) have led to the use of the e-mail address as a primary authentication token. In spite of this, most users still seem to consider that their e-mail address has little intrinsic value.
It has been shown, in the past, that even an apparently rigorous identity establishment process, such as the passport issuing mechanism, can be subverted by a determined individual who can bypass or override the chain of trust upon which it depends. Furthermore, it is known that identity verification tokens can be created without going through the verification process. In spite of this, passports are still internationally recognised, standardised, official government-produced documents with a high perceived value. The critical element in determining the acceptability and perceived worth of an identity verification token is thus the effort required to complete the process used to create that token, which relates to the cost (financial and/or time) required.
Types of Identity Online
In online interactions, identity can be associated with differing aspects of an entity or of a transaction between entities. The interaction may be between two individuals who identify themselves using some form of online identity token. E-mail messaging or real-time chats are examples of such online one-to-one transactions between individuals. The transaction may be between an individual and a corporate identity, as is the case for a purchase from a major online bookstore. In addition to these examples, which have analogues in the world of face-to-face interactions, there is also the identity associated with the network which is facilitating these other interactions. The network devices and the traffic flow itself have associated identity tokens.
Personal Identity Online
Individuals, when they “go online”, or interact in an online context, need to create for themselves, or have created for them, an artificial representation of their identity. This artificially created version of identity is often primarily used to establish the person’s rights as a user of the online and computerised systems they are connected to and with. Its use establishes and controls their access to resources and limits or enables the actions they wish to take over the network. These identities, as already established, are primarily token based in nature, often characterised by a simple username, password pair, but can also involve cryptographic keys, physical devices such as dongles, swipe cards, or even biometric recognition.
Corporate Identity Online
A corporate identity, in an online environment, is established by the presence of websites, e-mail addresses, the registration of domain names and so forth. Much like the identity of a corporation in the physical world, where the physical presence of documents and, perhaps, of buildings and their human occupants establishes the company, the same is true in the online world, where the establishment of equally significant online constructions and their population with services, individuals and information can be seen as the online corporate identity.
As in the real world, the recognition of one body by another further establishes corporate identity, such as the registration of a company name or the establishment of trading or partnership agreements. Similar recognitions and links serve to reinforce corporate identity in an online world. The established use of recognised names and trademarks which have the support and protection of the law confers various degrees of authority on different corporate identities when online. These are further confirmed by their association with individual personal online identity credentials.
Network Identity Online
The components of the network that facilitate the interactions between individuals and corporate entities also have a network identity established for them. These are often the addresses of the devices themselves so that they can be uniquely distinguished from other similar devices and to permit the operation of the network. The identities can be associated with the actual hardware devices themselves (such as MAC addresses of network cards) or with the software being used for communication over the network (such as the IP address, or the Fully Qualified Domain Name [FQDN]).
The names associated with network identity, such as the domain name, are usually the creations of humans and are primarily a means for people to exchange online identity information. The network itself usually uses the lower-level addresses in the operation of the communication infrastructure.
Identity vs. Identifier
In fact, although we discuss identities in the preceding paragraphs, it must be remembered that the identities are properties of the entities themselves. Online, an identity’s association with a particular resource or activity is determined by the presence of one or more identifiers normally linked to that identity. Identifiers have a range of “trustability”, dependent on their intended usage. Often this “trustability” is a composite value, based on relationships between identifiers for several different online identities.
Inter-relationships between Identity/Identifier Types
The three forms of online identifier are inextricably bound together. Their combination or juxtaposition can, in itself, provide further information that qualifies aspects of the identity of each of them. For example, an e-mail address contains elements that relate to the person and a domain that receives the message. The domain part of the address can contain components that further identify aspects of the identity of the person’s organisational membership, and indeed can further show aspects of inherited trust relationships from which other information regarding the identity can be inferred. In addition, the network domain information will link to computer-based addresses and registration records that in turn can illustrate aspects of relationships between the e-mail address, individuals and the trust framework that bears the addresses. These can help someone decide if the identity is to be trusted, or not.
This is more easily seen in the form of an example. If an individual is identified by the e-mail address email@example.com, we might infer that they have a job function that is related, in an official capacity, to sales for the named organisation. The registration records for the corporate domain name could be examined to determine if the e-mail address is likely to be a bona-fide one for the company. The computer names, and their associated addresses and their registration details, could be further examined to establish the credentials of that address. In this example, the domain name service might show that the IP address associated with this name is 126.96.36.199 and this, in turn, will lead to further registration records that could be examined. Conversely an example address such as windows firstname.lastname@example.org might instill an element of suspicion, both with the nature of the personal name used, and the fact that the corporation name is used in a context that might also imply it is not authentic. Someone else could be impersonating the corporate domain and further examination of associated computer addresses and registration records may confirm this. If, as in the last example, the domain name system was used to obtain an associated IP address, such as 188.8.131.52, it might be ascertained that this is used by a dynamically connected machine (such as a dial-up) in Florida through one of the largest US public Internet Service Providers. This would give further indications that the address is, probably, less than authentic.
With smaller organisations the issue is less clear. They may use other bodies to provide their e-mail and web presence on the Internet, and the auditable and trustworthy chain of associations that link the network identity with the bona fide usage may be harder to establish and easier to replicate fraudulently (e.g. email@example.com).
In the example given above, the address is provided by a reputable UK ISP, but accounts such as this can be created in a few minutes with no form of right-of-usage verification. Thus an apparently reputable organisation may become tainted by association with other users of the same low-cost service, through an implicit association created through the domain name. (For several years the “A” in AOL was often said, apocryphally, to stand for something other than “America” because of the unacceptable behaviour of some users of the system.) A further process of identity tainting arises where shared hosting is enabled. It is perfectly possible for a single server to host several domains at a single IP address. In this case a complete DNS examination, using both forward and reverse lookups to reveal all IP addresses and domain names, could reveal that an apparently reputable organisation shares its online location with several disreputable organisations (e.g. www.iamanhonesttrader.com could resolve to 184.108.40.206 which might reverse to www.ripemoffandselltheirfamilies.com [1]). In addition to this, examination of IP block allocation would reveal network neighbours, whose presence may be considered undesirable. Conversely, careful choice of domain and/or IP neighbours may lend an additional air of trustworthiness to an untrustworthy domain.
[1] At the time of writing these domains were unregistered and considered to be fictitious.
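The checks described above (forward DNS, reverse DNS, co-hosted names and IP block allocation) carried out as one routine, as an added example that is not part of the original paper. The lookup tables standing in for DNS and RIR whois, and every name and address in them, are constructed so that the check runs offline; a deployment would replace them with live queries.

```python
"""Added example (not from the paper): an offline provenance check for the
domain part of an e-mail address, following the steps the text describes.
All names, addresses and allocation records below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed forward DNS table: host name -> IPv4 address.
FORWARD: Dict[str, str] = {
    "example-corp.com": "203.0.113.10",
    "mail.example-corp.com": "203.0.113.10",
    "iamanhonesttrader.com": "198.51.100.7",
    "www.iamanhonesttrader.com": "198.51.100.7",
    "www.ripemoffandselltheirfamilies.com": "198.51.100.7",
    "example-corp-sales.com": "192.0.2.55",
}

# Constructed reverse DNS table: IPv4 address -> names that point back at it.
REVERSE: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example-corp.com"],
    "198.51.100.7": ["www.iamanhonesttrader.com",
                     "www.ripemoffandselltheirfamilies.com"],
    "192.0.2.55": ["dialup-55.pool.example-isp.net"],
}

# Constructed block allocations, standing in for RIR whois records.
ALLOCATIONS: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("203.0.113.0/24"), "Example Corp, static corporate block"),
    (ipaddress.ip_network("198.51.100.0/24"), "Example Hosting, shared web servers"),
    (ipaddress.ip_network("192.0.2.0/24"), "Example ISP, dynamic dial-up pool"),
]


def organisation(name: str) -> str:
    """Approximate the registrable domain by its last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def allocation_for(ip: str, allocations=ALLOCATIONS) -> str:
    """Return the owner of the block containing ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for network, owner in allocations:
        if addr in network:
            return owner
    return "unknown"


def assess_address(address: str, forward=FORWARD, reverse=REVERSE,
                   allocations=ALLOCATIONS) -> dict:
    """Gather the evidence for an address and return it with a list of flags."""
    if address.count("@") != 1:
        raise ValueError("expected exactly one '@' in the address")
    domain = address.split("@")[1].lower()
    report = {"domain": domain, "ip": None, "reverse_names": [],
              "allocation": None, "flags": []}
    ip = forward.get(domain)
    if ip is None:
        report["flags"].append("domain does not resolve")
        return report
    report["ip"] = ip
    names = reverse.get(ip, [])
    report["reverse_names"] = names
    # Does the reverse name come back to the same organisation, and does the
    # address also serve names belonging to somebody else (shared hosting)?
    same_org = [n for n in names if organisation(n) == organisation(domain)]
    other_orgs = sorted({organisation(n) for n in names} - {organisation(domain)})
    if not names:
        report["flags"].append(f"no reverse DNS record for {ip}")
    elif not same_org:
        report["flags"].append("reverse name belongs to another organisation: "
                               + ", ".join(names))
    elif other_orgs:
        report["flags"].append("address is shared with: " + ", ".join(other_orgs))
    # Block allocation: a corporate address in a dial-up pool is suspicious.
    owner = allocation_for(ip, allocations)
    report["allocation"] = owner
    if any(word in owner.lower() for word in ("dial-up", "dynamic")):
        report["flags"].append("address is in a dynamically allocated pool")
    return report
```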
Motives for Identity Theft
There are, perhaps, as many reasons for Identity Theft as the persons who attempt it, but several clear and common elements underpin most of the cases. Given the forms of online identity described above, however, we can group motives under the same three categories.
Motivation for theft of personal identity is, perhaps, the biggest category, ranging from simple impersonation of a different person for recreational purposes, through revenge, to outright financial fraud.
Corporate identities are often stolen, or perhaps more accurately forged, to create for the criminal a vehicle for crime that appears to provide an air of authority or legitimacy. In the same way as in non-networked fraud, where a letter on headed notepaper can be more effective in fooling a victim, the corporate online forgery provides a similar vehicle. These false, stolen or facsimile corporate identities can also be used to play a role in further identity theft, by a means commonly known as phishing. In phishing the victim receives a letter (e-mail) from a finance transactor requesting that the recipient confirm some information through a web site which purports to be bona fide, but only serves to obtain the user’s identity accreditation tokens.
Other forms of corporate identity theft in an online scenario can involve the taking over of the domain name and other network assets, such as IP addresses, of a defunct (or bankrupt) corporate entity. These corporate names may have established branding and other positive attributes that may be useful in the conduct of some further crime, such as the sale of forged products or some elaborate fraud or scam.
Fraudsters have become adept at using the technology to fool the victim in ever more elaborate ways. One of the modern variants involves using code that exploits flaws in a victim’s application to show the network identity of a proper corporate entity, while the traffic interaction is with some other place entirely. This can be achieved with web browsers and e-mail readers using appropriate forgery techniques. Here, then, no actual corporate identity theft has been conducted; only personation or misrepresentation of the corporate entity has been performed.
It has been established that the network identity is associated with a corporate or personal identiﬁer, and thus, in order to more fully establish a fraudulent identity, the network identity itself must be stolen or forged.
Methods of Identity Theft
Classically, investigation of criminal activity revolves around a 3-element model of the activity: Motive, Method and Opportunity. If all 3 can be established, then a suspect has been found.
Having considered, above, the motives for identity theft we now turn to methods of identity theft in an online environment.
Perhaps the simplest form of identity theft revolves around the inherent weaknesses present in a range of Internet standard protocols. It is clear that many of these protocols are designed with ease of use more in mind than security and verification of identity. This, perhaps, reflects the fact that they were originally created with a much smaller Internet in mind than that which exists today. Consider SMTP as an example. This protocol is designed to allow a rapid, lightweight dialogue between two hosts for the exchange of e-mail. Examination of the protocol itself reveals that the sending host is supposed to provide “From:”, “To:” and various other headers. The receiving host is under no obligation to check the validity of these fields, particularly the “From:” fields, unless it is the final destination of the message. Indeed, from the point of view of the designer, attempting to validate these headers would, most likely, have been seen as impossible, or at least impractical, as it would have required a degree of network reliability which cannot be guaranteed even today. Equally, at the time the protocol was designed, the trust levels between networks were considerably stronger than those that exist in the modern Internet. The total number of hosts was small, dynamic address allocation was not performed, and connections tended to be fixed leased lines or virtual circuits, rather than ad-hoc dial-up connections. Provision of Internet connectivity was, in effect, restricted to a technological elite club, whose members were known to each other. In such an environment, it was not necessary to introduce elements of distrust into protocols designed to effect the rapid exchange of information between technological peers.
However, the growth of the Internet has been exponential, initially driven by technologists who wished to use work resources from home. The protocols have propagated beyond the confines of the elite club members and are now in use by anyone who wishes to connect to an Internet service provider. The membership of the club has grown to the point where the trusted elite are outnumbered by “the great unwashed” and the strong trust relationships which allowed the use of insecure protocols have been overwhelmed. The protocols have not changed, but the users have. Whereas, when the Internet was small, it was largely unthinkable that anyone would lie in their SMTP headers (except perhaps to play a prank on another member of the club), less “honourable” users now use the weaknesses regularly to fake “From:”, “Reply-to:” and other headers for various purposes.
At another level, the naïvety of end-users is also a method of identity theft.
By exploiting protocol weaknesses, a miscreant may manage to create an Internet object (e-mail, web page, application etc.) which appears to come from a trustworthy source (e.g. banks, online auction sites, software vendors). Naïve users, unaware of protocol weaknesses, and unfamiliar with online security issues, further compromised by certain software which may hide the full audit-trail information about the object (e.g. by suppressing all SMTP headers other than “From:” and “To:”), may take the object at face value and be lured into participation in activity such as the many “phishing” scams which currently circulate.
These forms of attack are successful, not because users are particularly ignorant, but more because they assume that everyone else on the Internet operates within the same boundaries of acceptable behaviour as they themselves do. This is, perhaps, most clearly demonstrated by cases of “grooming” involving paedophiles and children.
Even where the users are not naïve and have taken basic steps to protect themselves, the problem of malicious software or “malware” still presents itself. No matter how good the anti-virus program and/or firewall, it must be remembered that these technologies are reactive and, by definition, tend to lag behind the attack modes of malware. Thus the user who considers him/herself protected against attack may take risks on the grounds that “it can’t hurt me - I have protection!” and open untrustworthy objects (e.g. e-mail attachments, untrusted web pages) or accidentally allow network-probing malware to infect their machine (perhaps by leaving a broadband node live, connected and unmonitored when it is not in use). This malware can then either turn their machine into a node in a virtual network used to propagate unwanted material (performing a network identity theft) or survey the contents of their system, gathering data (e.g. names, addresses, passwords, e-mail addresses, credit-card and bank account numbers) which can be sent back to the originator of the malware, to allow personal or corporate identity theft to be conducted.
In many cases, we have to consider the issue of data acquisition. In most cultures, there is a need for some personal data to be held by central and/or local authorities for governmental and legal purposes. In a non-networked environment, this information can only be accessed through the physical effort of actually contacting or visiting the offices where it is held and requesting specific documents.
In a networked world, however, data is being made available online in a desire, on the part of data controllers, to appear more open and provide better services.
However, by design, it has become possible to request not only specific records, but groups of similar records (e.g. not just the details for “Anthony Hancock of Railway Cuttings, East Cheam” but details of ALL “Hancocks” anywhere in the UK, and everyone at the same addresses, and all previous occupants of those addresses, and ....). The root cause of this added functionality lies, most probably, in the requirements capture process, where an over-zealous software engineer has identified an opportunity to add extra functionality at low cost and the customer has expressed a desire for such functionality, in spite of the fact that it does not exist in the current system, without considering the opportunities for misuse that it can create.
Because the systems fulfilling the requests are automated, little checking of the purposes of such requests is made, and even less notice is taken of unusual requests or successive requests for different information from the same enquirer. Unlike the previous methods of identity theft, data acquisition does not involve any misuse or abuse of equipment or resources. It succeeds by making the process of acquiring data easy to perform remotely and almost anonymously, by reducing the costs (physical effort and monetary) to the data acquirer. Indeed, it can be argued that, by placing such services online, the data controllers have created a new opportunity (the final component of the classical model) for identity theft to be perpetrated.
As noted above, to successfully impersonate an entity online, it may be necessary to steal the identity of a network component associated with that entity. Often, this can be as simple as “spoofing” the IP address of a legitimate machine on the network in order to gain access to, or impersonate, a legitimate node on a network. Given access to a network it is relatively simple, using any one of the multitude of traffic “sniffers” available, to determine the exact range of addresses in use, and to detect when a known good address ceases to be used, perhaps because the node to which it is allocated has been switched off. If appropriate lower-level security is not enabled, all the miscreant has to do is configure their machine to have the same IP address as the legitimate machine, and they thus gain the same level of access to the network as the original machine. Indeed, it is not necessary for them to configure their machine to use the same IP address. A common form of attack on a network involves sending IP packets in which the sender or return address, or both, have been forged to make it look like the packet is associated with a legitimate node on the network under attack. However, acquiring a legitimate, but allocated, IP address may allow for early detection of unwanted activity, as the ARP system should record the change in lower-level addresses associated with this IP address. The legitimate node is also likely to complain that its IP address is in use. A more effective form of identity acquisition at the network level is to identify unused, but allocated, addresses within the same block as the network under attack. Again, this can be achieved by use of network monitors, but often it is sufficient to examine public records of IP block allocation to identify blocks which have not yet been used.
At a lower level, where security based on the hardware identity (e.g. MAC address) is in use, it is still possible to acquire a network identity by spoofing the hardware address of the device being used to attach to the network.
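The early-detection opportunity mentioned above, the ARP record of an IP address changing its lower-level address, and the quieter case of an allocated-but-unused address coming alive, written as detection logic over an ARP monitor's output: an added example, not from the paper. The log lines, the inventory of expected bindings and the line format “timestamp ip mac” are all constructed assumptions.

```python
"""Added example (not from the paper): detecting address takeover on a LAN by
watching IP-to-MAC bindings as an ARP monitor would. The expected-binding
inventory, the log lines and their "<timestamp> <ip> <mac>" format are
constructed for this example.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed inventory of the bindings the administrator expects to see.
EXPECTED_BINDINGS: Dict[str, str] = {
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.11": "00:11:22:33:44:66",
    "192.0.2.12": "00:11:22:33:44:77",
}

# Constructed observations: .10 goes quiet and later answers from a different
# card; .14 is allocated to the block but was never put into service.
SAMPLE_LOG = """\
2004-06-09T09:00:01 192.0.2.10 00:11:22:33:44:55
2004-06-09T09:00:02 192.0.2.11 00:11:22:33:44:66
2004-06-09T09:00:03 198.51.100.9 00:aa:bb:cc:dd:ee
2004-06-09T09:30:00 192.0.2.11 00:11:22:33:44:66
2004-06-09T10:15:42 192.0.2.10 00:DE:AD:BE:EF:01
2004-06-09T10:16:10 192.0.2.14 00:de:ad:be:ef:02
2004-06-09T10:16:11 192.0.2.14 00:de:ad:be:ef:02
"""


def parse_observation(line: str) -> Tuple[str, str, str]:
    """Split one monitor line into (timestamp, ip, mac); MACs are lower-cased
    so that the same card is never mistaken for a new one."""
    timestamp, ip, mac = line.split()
    return timestamp, ip, mac.lower()


def detect_arp_anomalies(log_text: str, expected: Dict[str, str],
                         monitored: str) -> List[dict]:
    """Raise an alert when an address in the monitored block is answered by a
    MAC other than the one last seen for it (the takeover of a switched-off
    node), or when an address that was never in service starts answering."""
    block = ipaddress.ip_network(monitored)
    current = dict(expected)   # ip -> mac as currently believed
    alerts: List[dict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, ip, mac = parse_observation(line)
        if ipaddress.ip_address(ip) not in block:
            continue   # outside the block: not this monitor's concern
        previous = current.get(ip)
        if previous is None:
            alerts.append({"kind": "unexpected-address", "time": timestamp,
                           "ip": ip, "old_mac": None, "new_mac": mac})
        elif previous != mac:
            alerts.append({"kind": "mac-change", "time": timestamp,
                           "ip": ip, "old_mac": previous, "new_mac": mac})
        current[ip] = mac   # remember the binding so repeats do not re-alert
    return alerts
```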
Network Assisted Credit Card
Here we present a record of the investigative process for a case of identity theft, used to perpetrate a benefits fraud, commencing with the initial complaint in 2001 and terminating in 2003 with the discovery of further identity-theft related activities. The case has not yet gone to trial, so some details have been modified or anonymised to avoid tainting the judicial process.
In early 2003 information was received that a group of individuals, resident in a large, lavish country house, might be perpetrating a benefit fraud or similar. Suspicions had been aroused as the persons in question appeared to be unemployed and were not known to be independently wealthy enough to support their lifestyle.
In addition to the large house, they owned several high-specification BMW cars, were known to take regular, expensive, foreign holidays and even managed to afford riding and stabling fees.
Accordingly, a surveillance programme was commenced, including the installation and use of CCTV cameras in post offices. This confirmed that the suspects were regularly using benefit books and also suggested that some form of pension scheme fraud might be taking place.
Following a year of in-depth surveillance and investigation, it was decided that it would be appropriate to seek warrants for searches of the suspects’ premises and also the premises of possible accomplices. Warrants were duly obtained and the premises entered. During searches of the premises, a number of computers were recovered, following standard procedures, and these were removed to DERIC in Northallerton for further examination.
It was apparent, at this stage, that a “traditional” benefit fraud would not provide enough income to support the lifestyles of the suspects. It later became apparent that the frauds in question contained elements of identity theft in order to allow the suspects to use multiple identities to claim more benefits.
Investigation of the computers followed conventional methods, with disks being securely copied as checksummed images and the images examined using standard tools. “Live” and deleted files were recovered showing e-mails, web pages and documents produced and used by the users of the computers. It is worth noting here that this is in line with the majority of “minor” offences committed using online systems. Generally speaking, where web or e-mail is involved, Locard’s oft-misquoted principle of “every contact leaves a trace” holds. This is due to the way in which most Internet client software is designed to operate to minimise the amount of Internet connection time required to complete a task. Standard practice is thus to retrieve data as quickly as possible from the online source and store a copy on the user’s computer’s local storage (typically a hard disk) for later re-use. Thus, during a typical online session, several dozen or hundred temporary cache files will be created. Even when the user elects to clear the cache, the data in these files will remain in the store, although it will no longer be accessible to normal applications. In addition to this, modern operating systems also generally use a “swap” space on the local hard disk to extend available memory, and it is quite common for portions of application memory to be swapped to this space. Thus fragments of data from previous sessions can sometimes be recovered from this space.
Of particular significance, to the investigation, were a considerable number of cached WWW pages from the “192.com” site. This site acts as an information aggregator, drawing together a number of publicly available information sources such as electoral register, telephone directory, aerial photographs, etc. to produce a comprehensive database of names and addresses for the whole of the UK. For some time, the information on this site was made available for free in return for registration by the user. Registration information provided another opportunity for the content of the database to be updated and registration was the only way for details to be excluded from searches. This process has now been changed to require registration and a fee for searching. Changes to the rules governing publication and sale of the electoral register also affect the completeness of the database.
Examination of the recovered web pages suggested that the suspects had been using 192.com to locate persons with names similar to those of the suspects themselves or their aliases. Given this information, it would be possible for the suspects to create a false credit history for themselves which could be used to make applications for credit cards, bank accounts and other financial products. Closer examination of the suspects’ bank accounts revealed some evidence of such, apparently fraudulent, transactions taking place and went some way to explaining the anomalies in their income. A figure of around £300,000 was thought to be the income generated through fraudulent activity. At the time of writing, the investigation had not yet been fully completed, but was expected to go to trial in late 2004.
The primary lesson learnt from this case appears to be that vigilance is required on the part of all individuals to safeguard their own private data, especially where such data is freely available. The appearance of aggregative databases, such as 192.com, which are not deliberately mischievous, presents opportunities for criminal elements to gain easy access to data required for identity theft from the comfort of their own homes, a far cry from the mechanisms outlined in works of fiction such as “The Day of the Jackal”.
Changes in the way statutory bodies make data available, in compliance with legal requirements [7, 8], go some way towards making the aggregation of data and its use for identity fraud more difficult, but such data remains, quite correctly (in the authors’ opinions), available to any member of the public in other forms.
It also appears to have been relatively easy for the suspects to make successful fraudulent applications for credit etc., suggesting that checking procedures on the part of the financial institutions involved were somewhat lax. This may have arisen because they are dependent on the same corpus of personal data that the suspects were using to create their forged histories. Recent changes to the land registry system offer an additional cause for concern because, although the service is charged for, it is now possible to obtain a considerable amount of data about ownership of properties and the mortgages on those properties through another public online service. Again, public access to this information is a legal requirement, but previously it required a visit to a land registry office. The fee involved for the online service is trivial and is unlikely to act as a deterrent to those with criminal intent. Given current trends towards integrated “e-government” and increased provision of services and statutory information online, we fear that opportunities for identity theft are increasing and that little can be done to reduce them.
One method used by senders of spam to avoid detection is to utilise compromised machines elsewhere on the Internet to operate as proxies on their behalf. A large number of proxies are used as vehicles for the delivery of e-mail, and also to support the delivery of web pages in an indirect manner, which effectively hides the true origin of the material.
One of these techniques has become known as Superzonda. In this method, an Internet domain is utilised for the distribution of web pages. A number of insecure relay (or proxy) machines are selected to act as blind servers for those web pages, and a domain name server is implemented to answer requests for the Internet addresses (IP addresses) of the web servers in the domain. The machines that act as proxies can be standard PCs installed with, perhaps, an unpatched version of the vendor's software that permits them to be exploited, or they could be infected by an agent (such as a Trojan Horse) that explicitly facilitates the relaying. The creation of Trojan Horse infection agents for this purpose has been seen as a response to improved system security by PC owners patching the previously untrustworthy software.
The victim (or viewer of the web pages) clicks on a link (or types a URL) in their browser. The browser issues a request to the domain name server, which responds with the IP address of a compromised machine. This machine is then asked for the web page, but it does not know about the web pages. It will make a further domain name request to find the server (as it knows it does not have the pages). The domain name server knows the request is coming from the compromised machine and issues a different IP address (that of the real page server). The compromised machine requests the page and then sends it (by relay) to the original browser. By this means someone has been able to visit a web page without being able to determine the true origin of the page, and in fact has been hoodwinked into believing the compromised machine is the true origin.
This basic method can be further elaborated by adding several levels of relay through a series of compromised hosts, adding greater distance between the criminal and the crime and protecting against possible interceptions that may point back to the true origin. The method also has a weakness: one system that is controlled by the perpetrator, the domain name server, is known. There are elaborations of the technique that further hide this element. One method of hiding the domain name server is to place it, too, on compromised machines, and perhaps to have a cluster of compromised machines that act as servers, so that in the event that one is cleansed of the infection the others will continue to supply responses. This is enabled by domain registrars who permit their clients to make automated updates to their master domain records on a frequent basis. The domain name servers for such a domain could then be updated as frequently as every minute (or even second). No one could then know who controlled them, or where the real source of data was. These techniques can be, and are, used to enable those that attempt to steal identity information to mask their own identity and also to appear more genuine.
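The relay described in the two preceding paragraphs, and the rotating name-server set that hides the remaining fixed point, can be modelled in a few dozen lines. The following Python is an added example written for this page, not code from the paper or from any real Superzonda implementation; every address, host and lookup timestamp in it is constructed (RFC 5737 documentation ranges) and nothing opens a network connection. It shows the source-dependent DNS answer that makes the scheme work, and two checks an investigator can apply: resolving the name from a clean vantage point and from a seized proxy (the answers differ, and the second one is the hidden origin), and scoring repeated lookups for the short-TTL churn that registrar-driven rotation of the NS set produces.

```python
"""Model of the Superzonda relay and the fast-flux name-server rotation
described above, with two checks an investigator can run on DNS
observations. Added example, not code from the paper; all host names,
addresses and timestamps are constructed and nothing touches the network.
"""
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges).
ORIGIN = "198.51.100.40"                                     # hidden real page server
PROXIES = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]   # compromised hosts
VIEWER = "192.0.2.9"                                         # an ordinary browser
INVESTIGATOR = "192.0.2.77"                                  # a clean vantage point

HOSTS = {ip: {"relay": True, "page": None} for ip in PROXIES}
HOSTS[ORIGIN] = {"relay": False, "page": "<html>spamvertised page</html>"}


class SuperzondaResolver:
    """Authoritative DNS for the abuser's domain.

    A query from an ordinary viewer is answered with a compromised proxy;
    a query arriving *from* a proxy (the relay's own second lookup in the
    text) is answered with the hidden origin.
    """

    def __init__(self, origin, proxies, ttl=60):
        self.origin = origin
        self.proxies = list(proxies)
        self.ttl = ttl
        self._next = 0

    def resolve(self, querier_ip):
        if querier_ip in self.proxies:
            return self.origin, self.ttl
        ip = self.proxies[self._next % len(self.proxies)]
        self._next += 1                # spread viewers across the proxy pool
        return ip, self.ttl


def fetch_via_relay(resolver, hosts, viewer_ip):
    """Follow the request as the viewer's browser experiences it.

    Returns (page, apparent_origin, true_origin): the viewer only ever
    talks to apparent_origin, yet the bytes come from true_origin.
    """
    first_hop, _ = resolver.resolve(viewer_ip)
    hop, seen = first_hop, {first_hop}
    while hosts[hop]["relay"]:         # each relay repeats the lookup itself
        hop, _ = resolver.resolve(hop)
        if hop in seen:                # a misconfigured pool could loop forever
            raise RuntimeError("relay loop")
        seen.add(hop)
    return hosts[hop]["page"], first_hop, hop


def split_horizon_check(resolver, outside_ip, seized_proxy_ip):
    """Check 1: resolve the name from a clean vantage point and from a
    seized proxy. Source-dependent answers are the fingerprint of this
    scheme, and the second answer is the origin the relay was hiding."""
    from_outside, _ = resolver.resolve(outside_ip)
    from_proxy, _ = resolver.resolve(seized_proxy_ip)
    return from_outside != from_proxy, from_proxy


def flux_indicators(observations, window_s=600, ttl_threshold=300, min_distinct=3):
    """Check 2: flag record types whose answers churn inside a short window.

    observations: (timestamp_s, rtype, answer, ttl) tuples from repeated
    lookups of one domain. A type showing min_distinct or more different
    answers within window_s, all with TTL <= ttl_threshold, is reported,
    which is what frequent registrar-driven updates of the NS set look like.
    """
    by_type = defaultdict(list)
    for ts, rtype, answer, ttl in observations:
        by_type[rtype].append((ts, answer, ttl))
    flagged = {}
    for rtype, rows in by_type.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            window = [r for r in rows[i:] if r[0] - start <= window_s]
            answers = {r[1] for r in window}
            if len(answers) >= min_distinct and all(r[2] <= ttl_threshold for r in window):
                flagged[rtype] = sorted(answers)
                break
    return flagged


# Constructed lookups: the NS set rotates every minute on a 60 s TTL while
# the A record stays put on a long TTL.
OBSERVATIONS = [
    (0, "NS", "203.0.113.10", 60), (60, "NS", "203.0.113.11", 60),
    (120, "NS", "203.0.113.12", 60), (180, "NS", "203.0.113.10", 60),
    (0, "A", "203.0.113.11", 3600), (120, "A", "203.0.113.11", 3600),
]


def run_demo():
    resolver = SuperzondaResolver(ORIGIN, PROXIES)
    page, apparent, real = fetch_via_relay(resolver, HOSTS, VIEWER)
    split, hidden = split_horizon_check(resolver, INVESTIGATOR, PROXIES[0])
    return {"apparent_origin": apparent, "true_origin": real, "page": page,
            "split_horizon": split, "origin_from_proxy": hidden,
            "fluxing": flux_indicators(OBSERVATIONS)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The first check depends on having a vantage point the resolver treats as a proxy, which in practice means resolving from a seized or cleaned-up relay (or from its address range); the second needs nothing but repeated lookups and the thresholds are tunable, since legitimate content-distribution networks also rotate answers on short TTLs and will need whitelisting.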
We can see that the wide variety of identity information available, and the ability of anyone with basic facilities to exploit this information, is becoming a vehicle for identity theft. The Internet, in effect, acts as a provider of both method and opportunity. The human beings provide motive.
The ease with which this can be done, and the difficulty the authorities have in enforcing the law, are promoting and encouraging this form of crime. Identity theft is the modern equivalent of the outlaw bank robbers of the wild west. We have yet to recruit the Town Sheriff, although some small local vigilante groups are making fruitless attempts to “clean up” their locality. One of the contributors to the epidemic in modern identity theft crimes is the ease, and the low cost, of the activity. The cost is low because those that grant identity tokens, such as domain names and Internet addresses, themselves take identity information from automated mechanisms, with little or no checking and verification. This has its origins in the historical background of Internet registrations, which were originally a free service within an elite community and have evolved into a commercially competitive least-cost service. The level of trust is, at present, not perceived to be a marketable commodity or requirement.
The Internet provides technical means for establishing secure methods of data transfer, such as encryption, and also digital certificates which purport to strengthen identity establishment. However, most of these mechanisms rely on key exchange between a client and server, using asymmetric encryption, at the commencement of a secure session. The keys used for the encryption are provided by the two ends of the channel and, where the server's certificate is self-signed or issued by an authority the client does not already recognise, without reference to any other source. The strongest trust verification in such a session is then typically the question “Do you wish to accept the certificate?” asked of the user.
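The two postures contrasted above can be made concrete with a modern TLS client library. The following Python is an added example for this page, not code from the paper, and uses only the standard `ssl` module. The first context automates the answer “yes” to “Do you wish to accept the certificate?”: the channel is encrypted, but nothing binds the key at the far end to a name anyone has vouched for. The second requires the presented certificate to chain to a root in a trust store and to carry the host name actually requested, so identity rests on a chain of trust rather than on the peer's own say-so. The optional `cafile` argument (an assumption of the example, not something the paper describes) lets a caller pin an explicit set of roots; nothing in the block opens a connection.

```python
"""Two TLS client trust postures: accept-anything versus chain-anchored.
Added example using Python's standard ssl module; not code from the paper.
"""
import ssl


def accept_anything_context():
    """Encrypt-only: no chain validation, no name check.

    The order matters: check_hostname must be cleared before verify_mode
    may be set to CERT_NONE, otherwise ssl raises ValueError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def anchored_context(cafile=None):
    """Identity anchored in a trust store.

    cafile: optional PEM bundle of roots to trust instead of the platform
    store (an assumption of this example; None means the system roots).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the 1999-era protocol
    ctx.check_hostname = True                    # presented name must match
    ctx.verify_mode = ssl.CERT_REQUIRED          # chain must reach a trusted root
    return ctx


def trust_posture(ctx):
    """Summarise what a context actually verifies about the peer's identity."""
    return {
        "validates_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_name": bool(ctx.check_hostname),
    }


def peer_identity(tls_sock):
    """Given an established ssl.SSLSocket, report whom the chain says we reached.

    Under CERT_NONE the library keeps no parsed certificate, so getpeercert()
    returns an empty dict: the peer's identity is simply unknown.
    """
    cert = tls_sock.getpeercert()
    if not cert:
        return None
    subject = dict(pair for rdn in cert.get("subject", ()) for pair in rdn)
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"subject": subject, "dns_names": dns_names}


if __name__ == "__main__":
    for label, ctx in (("accept-anything", accept_anything_context()),
                       ("anchored", anchored_context())):
        print(label, trust_posture(ctx))
```

To use the anchored context, wrap a connected socket with `anchored_context().wrap_socket(sock, server_hostname=host)`; a certificate that does not chain to the store, or that names a different host, is rejected before any application data flows, and `peer_identity()` on the resulting socket reports the verified subject. The same call on a socket wrapped by `accept_anything_context()` returns `None`, which is the programmatic form of the trust gap the paragraph above describes.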
Identity, therefore, is established by chains of trust, which in these cases are very weak. To make these identity thefts more difficult, the chains of trust by which an identity is established or confirmed need to be made stronger and more trustworthy, through being open to scrutiny.
This argument also has resonance with the Identity Card debate where, as with the Internet, an apparently strongly authenticated token may be used with a weak chain of trust and so permit identity fraud to take place. For example, if the biometrics associated with such a card are not authenticated each time the card is presented, then the strength and validity of the card as proof of identity can easily be subverted, yet the identity would be trusted implicitly and without check, because the card itself is trusted.
These cases indicate that chains of trust are important to the establishment of trust in an identity. On the Internet in particular, those involved in these chains, such as those registering domains, assigning Internet addresses, and issuing e-mail addresses or web page services, should take more care in capturing and recording identity information, and should also have recognised mechanisms available to them for evaluating the chain of trust behind credentials presented to them. The wide variety of information sources available on the net, and the aggregation of this data for easy use and selection (such as by search engines), also needs some form of protection. There are three properties of identity information that relate to our ability to trust credentials based on the data. The first relates to the originality of the data: is it probable that it could be found in a data search? The second relates to the likelihood that the information has already been obtained or discovered, and the third to the cost of locating and replicating the information acceptably.
This is expressed in figure 1.

U = Unreliability or “Untrustworthiness” of an ID token.
P = Pervasiveness of the token, i.e. the number of occurrences of the token that can be easily discovered (e.g. an e-mail address used in Usenet postings may be easily found through Internet searches).
N = Number of “hits”, i.e. the number of times a copy of the token has been accessed (e.g. how many times a credit-card holder has disclosed the “secret” number on the signature strip).
C = Cost of obtaining and/or replicating the token in terms of money, time and/or effort.

Figure 1: A Metric for ID Token Untrustworthiness
Identity theft should therefore be made more expensive to conduct, which in turn would ensure that it is only used for more significant crimes. These will in turn have greater resources put to their detection because of their lower incidence rate. The increase in the signal-to-noise ratio also means that incidents are more obvious and can therefore be tackled more promptly.
[1] Forsyth, F. Day of the Jackal, 1970.
[2] Marshall, A.M. An improved protocol for the examination of rogue WWW sites. Science & Justice. 2003; 43: 237-248.
[3] http://www.imc.org/ietf-mxcomp/mail-archive/msg00481.html, 2004.
[4] Crocker, D.H. Standard for ARPA Internet Text Messages, 1982.
[5] Zakon,
[6] Locard, E. L'Enquete Criminelle et les Methodes Scientifique. Ernest Flammarion, Paris, 1920.
[7] Data Protection Act 1998. HMSO, 1998.
[8] Representation of the People Act 2000. HMSO, 2000.
[9] Land Registry Online System, http://www.landregistry.gov.uk/, 2004.
[10] Marshall, A.M. and Tompsett, B.C. Spam 'n' Chips - a discussion of internet crime. Science & Justice. 2002; 42: 117-122.
[11] Tompsett, B.C. The Role of Insecured Proxies in Internet Abuse. Asia Pacific Advanced Networking Conference, Busan, Korea, 2003.
[12] Marshall, A.M. and Tompsett, B.C. Silicon Pathology. Science & Justice. 2004; 44: 43-50.
[13] Dierks, T. and Allen, C. The TLS Protocol Version 1.0, RFC 2246, 1999.