Recently in Privacy Category

As discussed in one of my earlier blog posts, two months ago it was announced that Microsoft, Google, IBM, and Yahoo were on board with OpenID. If you're not familiar with the technology, here's a quick summary provided by the always helpful Wikipedia, followed by a video explanation presented by Dave:

OpenID is a shared identity service, which allows internet users to log on to many different web sites using a single digital identity, eliminating the need for a different username and password for each site. It is a decentralized, free and open standard that lets users control the amount of personal information they provide.



Essentially, OpenID is a system that facilitates a single universal login and profile for each user. There's a great deal to be said about the technology's benefits to users:

  • Only one set of credentials to be concerned with
  • No more registering for every other site on the Internet
  • Improved analytics, resulting in better recommendations, integration, and advertising
as well as some concerns over how our information is being tracked, exploited and sold to third parties.

Today, however, the topic of discussion is crime in technology. And the most prominent issue I'm foreseeing with the rise of OpenID is its vulnerability to identity theft, which is already a rising problem with current security practices.

According to IdentityTheftSecurity.com, there are four primary methods of "high-tech" identity theft:
  • Hacking - stealing users' information from website networks and databases
  • Phishing - imitating legitimate organizations and fooling users into sending private information
  • Trojans - computer programs hidden in software applications that give hackers access to users' computers
  • Spyware - inconspicuously logging users' internet activity and sending results to third parties
    (although I'm not sure I would classify spyware as identity theft)

There are plenty of well-known precautions to be taken in order to prevent identity theft, yet we frequently neglect them. And even if we do take the utmost care in following the safe-internet-use rules, there's still a very real chance that our identities can be stolen. This is true even for the computer-savvy 18-25 demographic that most of us fall into. For past generations, who, as a whole, know alarmingly little about modern technology, the odds are much worse. The most desirable victims (the older folk, who actually have money in their bank accounts and higher limits on their credit cards) tend to be the easiest targets...ridiculously easy. Let's take a moment to demonstrate how one might go about stealing an identity. We'll discuss phishing, as it's probably the simplest approach.

To elaborate a little on the previous definition, I've borrowed from F-Secure.com:

Phishing is an impersonation of a corporation or other trusted institution. The goal of the impersonation is to extract passwords or other sensitive information from the victim. It is a form of criminal activity that utilizes social engineering techniques. Phishing is typically done using e-mail or an instant messaging program. The attempt of the message is to appear to be from an authentic source so that victim will either directly respond, or will open a URL link to a fake web site run by the criminals.
Here's what we'll need to do in preparation:

  1. spend about $10/month on a domain (preferably one similar to the name of the institute we're trying to mimic - if we're going to be First National Bank, then we might try to get the domain 1stNational.org, which seems to be available),
  2. pull down the HTML files and images from the actual site we're going to replicate (File -> Save Page As and make sure the type is set to "Webpage, complete"),
  3. make a few minor tweaks (so any form information submitted will be stored in our database or sent to our e-mail),
  4. then upload these slightly modified files to our new domain.
And now we're ready to go. Here's a little snippet of PHP that allows us to send mass e-mails, probably to a large list of recipients that we've purchased from some third party who gets their information from spyware:

<?php

function sendEmail($name, $email) {
$to = $name . " <" . $email . ">";
$subject = "Account Confirmation";
$message = "Body of e-mail goes here.";
$headers = "From: First National Bank Customer Service <CustomerService@1stNational.org>\r\n
Reply-To: First National Bank Customer Service <CustomerService@1stNational.org>";
$mail_sent = @mail($to, $subject, $message, $headers);
echo $mail_sent ? "Mail sent.<br />" : "Mail failed.<br />";
}
?>

Replace the subject variable with a formal-sounding message, explaining that there has been some suspicious use of the individual's account (logging in from distant locations, perhaps), and in order to prevent identity theft, it is recommended that the individual follow a provided link, log in using existing credentials, confirm his/her account number, then change the password. To make the whole scheme seamless, you might want to then have your website send a confirmation that the user's password has been changed, and then you could actually modify the user's password on the legitimate site. And there you sit, with all the passwords and banking information of every individual that believed your e-mail was real.

I have never done, or even thought of doing, anything like this before. You shouldn't either - don't be an assbag. The reason I posted the process was because I was surprised/frightened by how simple the whole ordeal is. It's no rocket science, and anyone with a little bit of computer knowledge (who would actually be willing to do something like this) could easily put together a similar operation...and get away with it. The scary thing about OpenID is that they only need to get away with it once. One simple scam and they have the credentials to every site you visit on the internet and every piece of information you store in your profile. All the eggs will be in one basket, making for a very desirable target.
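
Seen from the receiving side, the message described above has two checkable tells: a display name that claims the bank, and a sender and link domain that only resembles the bank's. The following is an added example, not code from the original post; `firstnational.example` is a hypothetical stand-in for the bank's real domain, and both sample messages are constructed.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumption: brand -> domains it really sends from (hypothetical placeholder).
BRANDS = {"first national bank": {"firstnational.example"}}
SWAPS = [("1st", "first"), ("0", "o"), ("1", "l"), ("rn", "m")]  # lookalike swaps

def skeleton(domain):
    """Second-level label with lookalike swaps undone (ignores multi-part TLDs)."""
    label = domain.lower().rsplit(".", 1)[0].split(".")[-1].replace("-", "")
    for fake, real in SWAPS:
        label = label.replace(fake, real)
    return label

def is_lookalike(domain, good):
    ratio = SequenceMatcher(None, skeleton(domain), skeleton(good)).ratio()
    return domain != good and ratio >= 0.85

def check_message(raw):
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender = addr.rsplit("@", 1)[-1].lower()
    links = {h.lower() for h in re.findall(r"https?://([^/\s\"'>]+)", msg.get_payload())}
    findings = []
    for brand, domains in BRANDS.items():
        if sender in domains:
            continue  # genuinely sent from the brand's own domain
        if brand in name.lower():
            findings.append(f"display name claims '{brand}' but sender is {sender}")
        for host in sorted({sender} | links):
            if any(is_lookalike(host, good) for good in domains):
                findings.append(f"{host} is a lookalike of a {brand} domain")
    return findings

# Constructed samples: the first mirrors the headers in the post's snippet.
PHISH = """From: First National Bank Customer Service <CustomerService@1stNational.org>
Subject: Account Confirmation

Suspicious logins were detected. Confirm your account at http://1stNational.org/login
"""
GENUINE = """From: First National Bank <service@firstnational.example>
Subject: Your statement is ready

View it at https://firstnational.example/statements
"""
print(check_message(PHISH))
```

Because the sender in this scenario owns the domain it mails from, SPF, DKIM and DMARC can all pass for that domain; comparing the claimed brand against the actual domain catches what sender authentication alone does not.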

APRIL 4 - Pittsburgh Pair Claims Privacy Invaded By Posting of Home Photo -- A Pittsburgh couple is suing Google for invasion of privacy, claiming that the web giant's popular "Street View" mapping feature has made a photo of their home available to online searchers. Aaron and Christine Boring accuse Google of an "intentional and/or grossly reckless invasion" of their seclusion and privacy since they live on a street that is "clearly marked with a 'Private Road' sign," according to a lawsuit the couple filed this week in Allegheny County's Court of Common Pleas.

If you've never used Google's Street View feature on Maps, you can watch the short introductory video below and then (just a little bit farther down) try the functionality out for yourself with the embedded Street View map of Anchorage, Alaska.




I intentionally selected a not-so-heavily-trafficked residential area to demonstrate the more intrusive side of Google's Street View. As you can see, you have a front-row seat to just about any house in the neighborhood, and if you zoom in, you can walk right up the driveway and onto the porch of some of the homes. It's understandable that residents of Street View-able areas might be concerned. Millions of strangers can freely roam the streets and inspect the layout and landscape of any house near a road. For those with children, this is even more alarming. What a convenient tool for potential predators and burglars! Even more worrying, perhaps, is knowing that this is just the beginning of our home privacy concerns. Take a minute to watch the PhotoSynth demonstration below.


While Google's Street View might be too close for comfort to some, the potential of PhotoSynth digs deeper, reaching degrees of privacy invasion that even the more carefree individuals might consider threatening. According to an article on ReadWriteWeb,

The Street View maps are developed in partnership with Immersive Media, which, according to the O'Reilly Radar blog, is "a company that has an eleven lens camera capable of taking full, high-res video while driving along city streets." What that means is that these Street View maps, because they are extracted from video shot while driving, are not just static images at random points around the city. They can be advanced fluidly down the street.

In order to create the Street View experience, Google had to send out vehicles equipped with these super cameras to roam the city streets. I don't think we need to worry about them getting too much closer, because I doubt the day will come when cameramen are knocking on our doors, asking to be let in our homes to film for Google Maps.

PhotoSynth, on the other hand, isn't limited to the resources of a single organization. Because the technology utilizes the metadata associated with each image, it doesn't matter where the media is coming from. If it's available on the internet and properly tagged, it can be used to construct a three-dimensional representation of the real world. Pictures taken at parties, holidays, or during rainy afternoons lounging around the house, whatever the occasion, are fair game if they're posted online. And because of the nature of our photo-sharing (Facebook, WebShots, Flickr, blogs, personal webpages, etc.), it wouldn't be hard for friends, family and peers to tag any information that might be left out. Before long, anyone could take a full tour of your home or business from the comfort of their computer chair. Even one album of photos might be enough to reconstruct the interior of a building.

The end result? If the proper precautions aren't taken, then just about anybody might be able to take a virtual tour of the inside of your house. A cool technology in many respects, but with the benefits we'll need to take the privacy and security issues as well.

In a situation similar to the next-gen disc war, universal identification protocols have been at a standstill for quite some time. The technology has been available for ages, but until now, few have been willing to make a firm commitment to any one approach. This sort of behavior is completely understandable, of course. How willing were/are you to run out and drop a few hundred dollars on an HD or Blu-Ray player before knowing which brand will be triumphant in the great format battle? If you're like me, you probably weren't/aren't particularly eager to make such a purchase. If you're not like me, then I hope you either choose wisely or really enjoy movies made between 2005 and 2008, because that's about all you'll be able to watch on your fancy new multimedia device if it doesn't become the new standard. But anyhow, online identity management systems have been involved with the same dilemma. What company wants to invest in a technology that may very well become obsolete in a year or two? It's a catch-22. Nobody wants to sign up because there isn't a large user base, but in order to get a larger user base, people need to sign up. There's only one clear solution as far as I can see – the powerhouses need to take the reins and make a decision for the rest of us...

And finally, it's happened. Google, Microsoft, IBM, Yahoo and VeriSign seem to have come to an agreement, and the consensus is OpenID.

So what's this mean? It means that in the relatively near future (within the next two years?), we'll be done saving those text files with dozens of usernames and passwords, and registering for websites will start to become a thing of the past. Almost any time authentication is required on the Internet, our identity will be established by a single set of credentials. And even further down the road, our profiles (which I imagine to be like very extended Facebook profiles) will be utilized by several sites for personalized advertising and product recommendations, automatically customized news feeds, search suggestions, social networking and much, much more. The implementation of OpenID could be the beginning of a giant leap toward a fully “connected” Internet. Everything we do will feed into the always-expanding knowledge base about us. Finding what we want (whether we know exactly what that is or not) will be unbelievably efficient, because the online systems could quite possibly know us better than we know ourselves. While I'm personally optimistic about this whole movement, I do acknowledge that there's a price to pay for such openly available information. Below is a video that we watched in class the other day, which effectively communicates the fear many have about such smart systems.


Undoubtedly, we need to be careful about how we handle OpenIDs, but I do believe that with well-designed privacy controls, nearly all of the problems suggested by this video could be eliminated. This is a good thing.
