There’s an interesting article that was published a few days ago in the BBC business section on identity theft. It struck me as amusing that they focused on offline causes of identity theft in the same breath that they were talking about online fraud. In my mind they are really night and day.
Then I was gone over the weekend and there was something on the news about Al Queda hacking into non-profit organizations and routing charitable donations to their accounts to fund activities. Now wether that is all hype or not, it’s a scary statistic. If you think you are donating to the red cross it’s pretty inconcievable that you are funding international terrorism. But when I started thinking about it, it made a lot of sense.
As a peice of anecdotal evidence I fit their offline demographic as a tad nomadic. I’ve moved several dozen times in the last ten years and in every case I ended up getting mail from people who had lived there prior to me. Sometimes it’s something as stupid as a magazine, but other times it’s social security information, tax records or otherwise super sensitive healthcare information. Scary! Not that I would ever do anything with that information but it’s concievable that it would be.
The marriage of offline and online fraud is an interesting proposition. I was talking to a Pakistani phisher at one point who was telling me how he actually walked down to the local ATM to withdraw money from the fake credit cards he had made from user information. In fact, he was convinced that the physical security of the ATM was the biggest flaw in the whole part of the phishing scheme. I probably wouldn’t agree with that, but it’s an interesting point.
Because the physical infrastructure isn’t there, the ATMs in remote countries cannot make real-time decisions based on information presented them at the terminals. So therefore all the information they have must be delt with at the time of the transaction (or shortly thereafter, as bandwidth and time permit). Of course batch settlment at the end of the day is a requirement, and in some cases a dedicated phone line is availible, but certainly not in all cases.
The physical reality of security is an overlooked portion of the web application. Granted, the international terrorism is a leap but that is the physical manifestation of an online security flaw. When the homeland security office starts saying “Patch up to stop terrorism” I’ll be amazed, but it’s not that inconcievable. Especially if you consider how many machines are compromised and used for hosting phishing sites, or used as bot armies for spam which propogates identity theft. The secret service is the arm that monitors and goes after the 419 nigerian spam so the presidential arm realizes that identity theft is one of the greatest threats to national security, and if web application security flaws encourage identity theft, the government should have particular interest in patching application security flaws. Quod erat demonstrandum.