OpenID, a Sitting Target for Identity Theft

As discussed in one of my earlier blog posts, two months ago it was announced that Microsoft, Google, IBM, and Yahoo were on board with OpenID. If you're not familiar with the technology, here's a quick summary provided by the always helpful Wikipedia, followed by a video explanation presented by Dave:

OpenID is a shared identity service, which allows internet users to log on to many different web sites using a single digital identity, eliminating the need for a different username and password for each site. It is a decentralized, free and open standard that lets users control the amount of personal information they provide.



Essentially, OpenID is a system that facilitates a single universal login and profile for each user. There's a great deal to be said about the technology's benefits to users:

  • Only one set of credentials to be concerned with
  • No more registering for every other site on the Internet
  • Improved analytics, resulting in better recommendations, integration, and advertising
as well as some concerns over how our information is being tracked, exploited and sold to third parties.

Today, however, the topic of discussion is crime in technology. And the most prominent issue I'm foreseeing with the rise of OpenID is its vulnerability to identity theft, which is already a rising problem with current security practices.

According to IdentityTheftSecurity.com, there are four primary methods of "high-tech" identity theft:
  • Hacking - stealing users' information from website networks and databases
  • Phishing - imitating legitimate organizations and fooling users to send private information
  • Trojans - computer programs hidden in software applications that give hackers access to users' computers
  • Spyware - inconspicuously logging users' internet activity and sending results to third parties
    (although I'm not sure I would classify spyware as identity theft)
There are plenty of well-known precautions to be taken in order to prevent identity theft, yet we frequently neglect them. And even if we do take the utmost care in following the safe-internet-use rules, there's still a very real chance that our identities can be stolen. This is true even for the computer-savvy 18-25 demographic that most of us fall into. For past generations, who, as a whole, know alarmingly little about modern technology, the odds are much worse. The most desirable victims (the older folk, who actually have money in their bank accounts and higher limits on their credit cards) tend to be the easiest targets...ridiculously easy. Let's take a moment to demonstrate how one might go about stealing an identity. We'll discuss phishing, as it's probably the simplest approach.

To elaborate a little on the previous definition, I've borrowed from F-Secure.com:

Phishing is an impersonation of a corporation or other trusted institution. The goal of the impersonation is to extract passwords or other sensitive information from the victim. It is a form of criminal activity that utilizes social engineering techniques. Phishing is typically done using e-mail or an instant messaging program. The attempt of the message is to appear to be from an authentic source so that the victim will either directly respond, or will open a URL link to a fake web site run by the criminals.
Here's what we'll need to do in preparation:

  1. spend about $10/month on a domain (preferably one similar to the name of the institution we're trying to mimic - if we're going to be First National Bank, then we might try to get the domain 1stNational.org, which seems to be available),
  2. pull down the HTML files and images from the actual site we're going to replicate (File -> Save Page As and make sure the type is set to "Webpage, complete"),
  3. make a few minor tweaks (so any form information submitted will be stored in our database or sent to our e-mail),
  4. then upload these slightly modified files to our new domain.
And now we're ready to go. Here's a little snippet of PHP that allows us to send mass e-mails, probably to a large list of recipients that we've purchased from some third party who gets their information from spyware:

<?php

// Sends a single message; the From and Reply-To headers control what the recipient sees.
// Header lines are joined with CRLF inside the string rather than with a literal line break,
// which would otherwise leave a blank line and truncate the header block.
function sendEmail($name, $email) {
    $to = $name . " <" . $email . ">";
    $subject = "Account Confirmation";
    $message = "Body of e-mail goes here.";
    $headers = "From: First National Bank Customer Service <CustomerService@1stNational.org>\r\n" .
               "Reply-To: First National Bank Customer Service <CustomerService@1stNational.org>";
    $mail_sent = @mail($to, $subject, $message, $headers);
    echo $mail_sent ? "Mail sent.<br />" : "Mail failed.<br />";
}
?>
Replace the subject variable with a formal-sounding message, explaining that there has been some suspicious use of the individual's account (logging in from distant locations, perhaps), and in order to prevent identity theft, it is recommended that the individual follow a provided link, log in using existing credentials, confirm his/her account number, then change the password. To make the whole scheme seamless, you might want to then have your website send a confirmation that the user's password has been changed, and then you could actually modify the user's password on the legitimate site. And there you sit, with all the passwords and banking information of every individual that believed your e-mail was real.
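The message described above gives itself away in exactly the places a recipient (or a mail filter) can check: the sender domain and the links. The following is an added example, not code from this post: a small Python checker that parses a constructed message shaped like the one the PHP snippet would send, flags From and Reply-To domains that only imitate a real one through digit-for-letter swaps (1stNational.org standing in for an assumed legitimate firstnational.com), and flags links whose visible text names one host while the href points at another. The legitimate domain, both sample messages and the substitution table are assumptions made for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the institution's genuine domain (placeholder for this example).
LEGITIMATE_DOMAINS = {"firstnational.com"}

# Constructed sample with the same headers the PHP snippet sets, plus a body whose
# link text names the real bank while the href goes to the lookalike domain.
SUSPICIOUS_EML = """From: First National Bank Customer Service <CustomerService@1stNational.org>
Reply-To: First National Bank Customer Service <CustomerService@1stNational.org>
To: Jane Doe <jane@example.com>
Subject: Account Confirmation
Content-Type: text/html

<p>Suspicious logins were seen on your account. Please
<a href="http://1stnational.org/login">sign in at firstnational.com</a> to confirm.</p>
"""

# Constructed control sample: same wording, sent from and linking to the real domain.
LEGITIMATE_EML = """From: First National Bank <service@firstnational.com>
To: Jane Doe <jane@example.com>
Subject: Account Confirmation
Content-Type: text/html

<p>Please <a href="https://firstnational.com/login">sign in at firstnational.com</a>.</p>
"""

# Swaps that make a registered domain read like the real one. "1st" is handled
# before the single-character "1" rule so that "1stnational" becomes "firstnational".
SUBSTITUTIONS = (("1st", "first"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_label(domain):
    """Second-level label of a domain: '1stnational.org' -> '1stnational'."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Undo common digit/letter swaps so a lookalike collapses onto the real name."""
    label = label.lower()
    for old, new in SUBSTITUTIONS:
        label = label.replace(old, new)
    return label


def is_lookalike(domain, legitimate):
    """True when the domain is not legitimate but normalizes to a legitimate name."""
    domain = domain.lower()
    if domain in legitimate:
        return False
    target = normalize(registrable_label(domain))
    return any(target == normalize(registrable_label(real)) for real in legitimate)


def header_domain(msg, name):
    """Domain part of the address in the named header, or None if the header is absent."""
    _, addr = parseaddr(str(msg[name] or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else None


def link_mismatches(html):
    """(href_host, text_host) pairs where the visible link text names a different host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlparse(href).hostname or "").lower()
        for text_host in HOST_RE.findall(text):
            if text_host.lower() != href_host:
                found.append((href_host, text_host.lower()))
    return found


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for header in ("From", "Reply-To"):
        domain = header_domain(msg, header)
        if domain and is_lookalike(domain, LEGITIMATE_DOMAINS):
            findings.append(f"{header} domain {domain} imitates a legitimate domain")
    for href_host, text_host in link_mismatches(msg.get_payload()):
        findings.append(f"link text names {text_host} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EML), ("legitimate", LEGITIMATE_EML)):
        print(label, analyze(sample) or "no findings")
```

Run stand-alone, the script reports three findings for the constructed phishing message (From, Reply-To, and the mismatched link) and none for the control. The substitution table is deliberately short; a production filter would also compare against the institution's full list of registered domains and check that the sending server is authorized for the From domain, which header inspection alone cannot establish.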

I have never done, or even thought of doing, anything like this before. You shouldn't either - don't be an assbag. The reason I posted the process was because I was surprised/frightened by how simple the whole ordeal is. It's no rocket science, and anyone with a little bit of computer knowledge (who would actually be willing to do something like this) could easily put together a similar operation...and get away with it. The scary thing about OpenID is that they only need to get away with it once. One simple scam and they have the credentials to every site you visit on the internet and every piece of information you store in your profile. All the eggs will be in one basket, making for a very desirable target.

TrackBack URL for this entry: https://blogs.psu.edu/mt4/mt-tb.cgi/6882

4 Comments

Josh Hoch said:

Thanks for getting my hopes up, Mr. Cherry. Very interesting way to get the class stirred up, as I was very excited about the email until I checked the headers. It just goes to show you how easy it is to do something of this nature.

Marcus Redigan said:

Nice presentation, and your little scheme was quite ingenious. Cyber crime is something that everyone needs to grasp hold of. Just as you showed in class, anything can be manipulated a little easier than people think. Good stuff!

gaquay said:

Nice blog, keep it up.

Alex Thomas said:

Yeah, the OpenID system seems like it would make online passwords pretty convenient. However, as we should all know by now, convenience and security do not go hand in hand. Even though a "master password" like what you would get with OpenID seems like a security risk, I would be willing to try it out.
