2.1 Identity Theft − Attacks on Digital Identity

Це відео відноситься до openHPI курсу Digital Identities. Бажаєте побачити більше?

2.1 Identity Theft − Attacks on Digital Identity

Часове навантаження: прибл. 23 хвилини

An error occurred while loading the video player, or it takes a long time to initialize. You can try clearing your browser cache. Please try again later and contact the helpdesk if the problem persists.

Прокрутити до поточної позиції

00:01Welcome to the second week of our openHPI course about digital identities.
00:06Digital Identities - Who am I on the Internet?
00:09And the topic of the second week is identity theft.
00:14So the theft of digital identities is really serious and we want to start
00:21to discuss what kind of attacks are possible
00:24and how we can protect us.
00:30When we speak about identities, you remember,
00:34on the internet we can use internet services and its resources
00:39by means of our digital identity. Digital identities is a set of data
00:44which helps to connect a physical person
00:49or an object with a digital acting
00:54person with a digital identity. So this is the way how the service provider
01:00can connect resources and usages of the data or its services to
01:09a physical person by means of the digital identity.
01:13If we are authenticated, that means, if the service
01:17or its ID provider is convinced that the digital identity belongs to us
01:24then we can use the service.
01:28But it's a very big problem if a third party comes into possession
01:32of a user's digital identity.
01:34Then this third party, the attacker can use all services,
01:40can use all the resources that are provided by the services in
01:45the users name for which the user is authenticated. For example
01:50in case of an online shopping service, a bank transfer or
01:55to watch videos.
01:58In the physical world it's much more difficult.
02:01Unlike physical identities it's relatively easy to steal and to abuse
02:10digital identities. Digital identities, you remember, this was a set
02:15of data that characterize a person.
02:19Due to a high potential of abuse, identity theft is very
02:24attractive to cyber criminals.
02:27With stolen digital identity, cybercriminals get all rights,
02:33all authorisation of the rightful owner.
02:38Since internet service is authorised on the basis of the digital identity alone,
02:45only on the basis of the digital identity,
02:48thieves can use the service at the expense of the rightful owner.
02:55And this could be very important services. So it could be a
03:00real problem if the digital identity of a user which is characterized
03:06but such type of data, if this
03:09comes into the hand of an attacker. How
03:14attacker get access to such identity data?
03:20There are different ways. For example the attacker can steal
03:25the account database or the customer database of an internet service.
03:31In this database there is
03:34the digital identities stored of a user, of all the users,
03:39and some information that's important for the service to serve the users
03:44in a personally liked way.
03:48So cyber criminals can get access to
03:52this database when they are able to get access to the system
03:57of an online service provider. For example by break in or by misusing malware.
04:04So if they have the chance to get access to the provider system
04:10then they can simply copy the database from the provider's authentication system
04:16and then the attacker gets all the identity data of the user
04:22of the service in their hand.
04:25Often these attacks are executed by so called SQL injections.
04:32It's not the place here to go into more detail.
04:36The data theft it can be done by means of malware.
04:41Malware is malicious software.
04:44There are different ways to smuggle malware
04:48to the website of a user. For example the malware informs of so called spyware.
04:55Spyware, this is malicious software that collects data directly
05:01from the user's computer,
05:03of particular interest, identity data. So when the user puts in
05:09its username password combination, then by means of such spyware the attacker
05:16can get access to this information. For example by means of keyloggers.
05:22Keyloggers, these are small malicious software system that read data,
05:29and in particular the thefts are interested
05:33in passwords, directly when entering and transmitting them to the cybercriminals.
05:40So when the data are typed in
05:44to the keyboard, then this software records this data and transmits
05:51it to the cybercriminals. This is the second way how it is possible for
05:56cybercriminals to get access to identity data
06:02from services or from user. Another way to get access to identity data
06:10is phishing, are phishing attacks.
06:15In the case of phishing users are lured in good faith to a malicious website
06:20that falsify claims to be a legitimate site. For example the
06:26user gets an email
06:29from the service of his bank, the service
06:34claims that a log-in is needed to do
06:39some update or some other
06:41technical activities and then there is a link presented to the
06:47user. The iser is not thinking and not looking carefully,
06:52push this link and got to a website that looks very very similar to the
06:58bank's website but it isn't. And the user sees the log in site
07:04of his bank, so he gives in his user data, he gives in his user name and
07:09his password and then
07:12enters it but the data are not sent and collected by his bank.
07:17The data are on this malicious website and collected by the cybercriminals.
07:23So the phishing attack is to
07:27lure users in good faith that they believe, yes it's the right website
07:35from the bankers.
07:39And then social networks and forums provide a lot of information,
07:48also identity data from the user.
07:51So the users often pose all data about themself, including identity data,
07:58including name of very personal sensitive data in such social networks
08:05like facebook or twitter or others.
08:08And anyone registered at those platforms can then view all those
08:14identity data and can steal it.
08:19Another way how attackers can get access to identity
08:27data and can steal identity data is the theft or the loss of data media.
08:33So for example the storages of personal data are not correctly
08:38protected against physical attacks. So someone is able to steal
08:43the USB stick or to get access to the
08:47to the laptop or to the tablet of a user and can take out
08:52personal identity data from that.
08:54Also people lose their smartphone with all the
09:00personal data or a laptop gets stolen or others.
09:05So all this provide ways.
09:09I also have to mention social engineering. Social engineering is
09:13manipulation of individuals to disclose sensitive data like identity data.
09:20So all this helps to get attackers,
09:26the attackers can get such digital identities
09:30in their hand and later misuse these identities.
09:35And it's a real problem. And this is shown by some security incidents,
09:41analysis reports which are published in the internet.
09:45So there are numbers available from different sources. One
09:50says that in two thousand nineteen, thirty thousand
09:54security breaks
09:58were registered. About four thousand confirmed that
10:06during these data breaks,
10:09identity data are stolen.
10:12The most common attacks which are used by attackers to attack the system
10:19of users or to attack systems of the service provider is
10:24Denial-of-Service. So that is
10:27only to disturb the real work of the service or the people.
10:32But second is phishing. Phishing, so it's
10:36already mentioned social engineering attack which brings users to,
10:44brings the user that they present their identity data
10:49to people they trust but people that misuse that trust.
10:54And social engineering. Here is
10:57another statistic which tells that the most common hacking attacks
11:01are the usage of stolen access data. And this is exactly the
11:08this is exactly the misuse of stolen identity data.
11:13There are other attacks which are very popular. So there is advantage of software vulnerabilities,
11:21exploiting some failures in protocols or in software systems
11:26and the use of actors which give attackers a possibility to access
11:32a system on an irregular way. But the most important is,
11:37the most common hacking attack is
11:40to steal digital identities.
11:44Most common malware attacks are e-mailing direct installation
11:48of malware or download by malware. This is to prepare,
11:55such kind of attacks are misused, are used by the attackers
11:59to prepare such an identity theft in many cases. And the most common
12:05social engineering attacks or attacks which
12:09attacks a human in a way to force him to do something
12:15for several reason is phishing, is a fake pretext and others.
12:22If you want to know whether your identity data
12:26got stolen then we can provide a service to you from HPI.
12:32It is free, this is the link - https://sec.hpi.de.
12:38Then you come to such a website which helps you to check whether your
12:48digital identity is published in the internet.
12:52Because often the attacker publish their leaks, the identity leaks
12:58to start, to trade it with other people or to claim they are
13:05the best and powerful. So there
13:08are several motivation. And over the years it is terrible what we found out.
13:13We found that there are twelve billion, more than twelve billion identity data that
13:21got stolen and are published in the open internet. We are not
13:26speaking about the dark internet, we are speaking about the internet.
13:30These data are available there,
13:33identity remember is the name, is the address, is the bank account, insurance number,
13:40is the password, the email address. So all what's needed to use the service.
13:45And coming back to our identity leak checker service, here one can type in
13:52an email address. Because each of these digital identities
13:56contains an email address, because this is a way a service communicates with the people.
14:02So we ask you or we offer you the possibility to type in your
14:07email address and then we will check in
14:12this twelve billion leaked identity data we will check whether there
14:18are, or your identity belongs to this.
14:23So the service collects
14:26such leaked user and identity databases which are published in the internet
14:31and we provide a search service. So we have to normalize the data
14:37so that the search service can work and you simply have to
14:42enter your email address because this is part of identity
14:47and then we can find the complete digital identity which is
14:51connected to this email address and we can warn you.
14:56So the idea is to send the report with the checked results.
15:02This is sent to the provider email address. So the address, the
15:08email that's put in here gets our report and the report says no,
15:14we could not find your data then you can be happy. Or the report says
15:19be careful we found your data for example with financial context or another context.
15:26We do not send exactly the information of the digital identity
15:32so that also hacker cannot misuse this, and then we advise you to
15:38change your passwords
15:41because when you change your password then your identity data
15:45can no more be misused.
15:48What's interesting is, on the basis of this
15:52service, we can also provide some password statistics.
15:58Because many of the passwords of these data services
16:03are not hashed, not encrypted and so we can check them and can make
16:11top lists and others.
16:15So here are some statistics
16:18on identity theft. We can
16:24do on the basis of the collected leaked identity data.
16:30We started the online service in May two thousand fourteen. At the
16:34beginning it was an activity to warn our students
16:39that their
16:42identities cannot be misused and then we become aware that
16:47this question is not only interesting and important for our students, but for
16:52everyone because typically one does not know whether the own identity data
17:00with one service got stolen from that service.
17:04Up to now, I mentioned already more than twelve billion stored identities
17:09we could find within more than a thousand leaks.
17:15Fifteen point three million requests we got in our service and
17:21we gave almost four million people's information.
17:26Be careful, your identity data is published on the internet.
17:32Everyone can access this and everyone can misuse this because in many cases
17:39the password is published in clear text and not encrypted as
17:46it should be if the service works in the correct way.
17:50So the leaked users, the leaked identity data published on the internet
17:54vary in size. Therefore we have to normalize them before we can start our
18:01search service. They vary in size and in type because
18:06for a financial service other data are collected
18:10inside a digital identity then for example with a shopping or
18:17teaching website. What we found is more than three thousand identity leaks
18:25with millions of credentials
18:29that have not been normalised yet. So we do this piece by piece,
18:35because every month there is a huge amount of such identity data
18:40which are newly published in the internet.
18:44Here are some motivations for the attacker
18:48to publish such a database, such identity
18:53data collections and such identity theft.
18:59That is the motivation to prove and to prove reputation. Cybercriminals want to show
19:07that they are able to steal such data,
19:11the captured data is publicly posed on the internet as evidence
19:16that a service has been hacked or that the attacker is such
19:21a professional to be able to get access to such data. And of
19:25course another important motivation is profit.
19:28So such identity data can be sold profitably
19:33on the black market and because everyone who has such data
19:38in hand can use or can use these data to
19:44misuse a service or to do other criminal activities, for example sending spam,
19:52debiting of financial services, the use of false identity in case
19:58of a service. Then hacktivism is motivation for such identity theft.
20:04Some people want to claim that they do it for political or for ideological goals
20:11and that they have to fight for it and then
20:16use the data to damage the reputation of the victim, of a service, of the company
20:24which they prove to have stolen their data. For example Anonymous
20:30is such a group which works in that way. And then revenge is the reason.
20:37So someone feels to be wrongly treated. So
20:42it wants to take back revenge by stealing and publishing personal details
20:48of this person he feels
20:52approached. So this are very different motivations which
21:00lead to the fact that stolen identity data are stolen and
21:06published in the internet.
21:09So let's summarize our sayings about identity theft.
21:14Identity theft means that an attacker takes over the digital
21:19identity of a user.
21:22And when he is able to do this, so he or she can use all the services or resources
21:29for which the user's identity is authorized.
21:34The more information attacker has about his victim,
21:39the easier is it for him to abuse his digital identity.
21:44So many of this information also can be guessed.
21:47So be careful, think twice before you publish something about you
21:54in the internet.
21:56Attackers have various possibilities to
22:00steal such access or to steal such identity data, for example by
22:07theft of a password database, by malware attacks, by phishing
22:12and other social engineering attacks, by analyzing social networks and
22:17by theft of data media.
22:21So identity theft is a real serious problem and we will consider
22:26in this week more details about it.