Friday, November 09, 2007

Fraud technologies use persona cloning to attack social networks

Successful frauds have always exploited social connections. New age fraud now leverages social networks to the same end (emphases mine) ...

E-Mail Scammers Ask Your Friends for Money - Bits - Technology - New York Times Blog

... The scammer somehow breaks into a victim’s Web-based e-mail account. He then impersonates the victim and sends an emergency plea for help to everyone in the account’s address book, asking them to wire money to Nigeria. The e-mail includes some variation on a story about getting mugged or losing a wallet while on a trip to Nigeria.

This happened recently to Drew Biondo of Port Jefferson, N.Y. He said he was at home early one morning when his wife alerted him to an e-mail she had received from his Yahoo address about his Nigerian money troubles. He scrambled to try to regain control over his account, but trying to find a phone number for an actual human at Yahoo was “ridiculously difficult,” he said.

Mr. Biondo, a public relations executive, used the Yahoo account for work e-mail and had about 600 people in his contact list, many of them journalists. He said he soon experienced “an influx of phone calls from every reporter I’ve ever spoken to,” including some he had not heard from in years. “I credit this Nigerian scammer with one thing: he made me feel good inside because these people cared enough to drop me a phone call.”

Yahoo asked Mr. Biondo for various proofs of his identity, including the long-forgotten answer to a security question he had set up ten years earlier. Two and a half days after it all began, he successfully logged into his account and sent out a mass mailing: “The long Nigerian nightmare is over.”

The NYT blog post has many other examples. This method is pretty primitive, of course; the next generation will use Google OpenSocial APIs or Facebook APIs to exploit social network technologies further.

In all cases the fundamental ploy is identity assumption, followed by exploitation of the entities that "trust" that identity. A Yahoo email account is a form of identity, just like your Google/Gmail persona, LinkedIn account, Facebook and Amazon profiles, checking account, credit card accounts, federal Social Security account, driver's license, passport and biometric account holder, not to mention the various overt standards for identity management.
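The pattern in the quoted excerpt is detectable from the provider's side: a single account that normally mails a handful of people suddenly addresses most of its address book with an urgent story about a lost wallet and a wire transfer. The following heuristic triage is an added example, not code from the original post or from Yahoo; the address book, the three sample messages, the per-day volume figure and the scoring thresholds are all constructed assumptions that a real mail operator would tune against live traffic.

```python
"""
Heuristic triage for the "stranded traveler" account-takeover mass-mailing.

Added example (not from the original post). Address book, messages and
thresholds below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str


# Lure vocabulary modelled on the story in the NYT excerpt (constructed lists).
URGENCY_TERMS = ("urgent", "emergency", "asap", "immediately", "please help")
MONEY_TERMS = ("wire", "western union", "moneygram", "send money", "transfer")
MISFORTUNE_TERMS = ("mugged", "robbed", "lost my wallet", "stranded", "stuck")


def _hits(text, terms):
    """Return the terms from `terms` that occur in `text` (case-insensitive)."""
    t = text.lower()
    return [term for term in terms if term in t]


def score_message(msg, address_book, avg_recipients_per_day):
    """Score one outbound message; higher means more like a takeover mass-mailing.

    Returns (score, reasons). Fan-out and volume anomalies are scored separately
    from lure content so that a plain newsletter to all contacts does not trip
    the review threshold on its own.
    """
    score, reasons = 0, []
    book = {a.lower() for a in address_book}
    rcpts = {r.lower() for r in msg.recipients}

    # Fan-out: what fraction of the whole address book is addressed at once?
    in_book = len(rcpts & book)
    fanout = in_book / len(book) if book else 0.0
    if fanout >= 0.5:
        score += 3
        reasons.append(f"fan-out: {in_book} of {len(book)} address-book contacts in one message")

    # Volume: recipient count far above this account's own history (assumed baseline).
    if len(rcpts) > 10 * avg_recipients_per_day:
        score += 2
        reasons.append(f"volume: {len(rcpts)} recipients vs. ~{avg_recipients_per_day}/day baseline")

    # Lure content: urgency + money transfer + misfortune story.
    text = f"{msg.subject} {msg.body}"
    for weight, label, terms in ((1, "urgency", URGENCY_TERMS),
                                 (2, "money transfer", MONEY_TERMS),
                                 (1, "misfortune story", MISFORTUNE_TERMS)):
        found = _hits(text, terms)
        if found:
            score += weight
            reasons.append(f"{label} terms: {', '.join(found)}")
    return score, reasons


def triage(msg, address_book, avg_recipients_per_day, threshold=6):
    """Decide whether to deliver or hold the message for review (threshold is assumed)."""
    score, reasons = score_message(msg, address_book, avg_recipients_per_day)
    decision = "hold_for_review" if score >= threshold else "deliver"
    return decision, score, reasons


# Constructed sample data: an eight-contact address book and a quiet account.
ADDRESS_BOOK = [f"{n}@example.com" for n in
                ("alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi")]
AVG_PER_DAY = 0.5  # assumed: this account normally reaches about one person every two days

SAMPLES = {
    "scam": OutboundMessage("victim@example.com", ADDRESS_BOOK, "URGENT please help",
                            "I'm stuck in Lagos after being mugged and lost my wallet. "
                            "Please wire $1,200 via Western Union immediately."),
    "newsletter": OutboundMessage("victim@example.com", ADDRESS_BOOK, "Holiday hours",
                                  "The office is closed from Dec 24 to Jan 1. Happy holidays!"),
    "routine": OutboundMessage("victim@example.com", ADDRESS_BOOK[:2], "Draft release",
                               "Attached is the draft press release for Friday. Edits by Thursday please."),
}


def run_samples():
    """Triage every constructed sample; returns {name: (decision, score, reasons)}."""
    return {name: triage(m, ADDRESS_BOOK, AVG_PER_DAY) for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (decision, score, reasons) in run_samples().items():
        print(f"{name:<10} {decision:<16} score={score}")
        for r in reasons:
            print(f"    - {r}")
```

Only the scam message crosses the review threshold: the all-contacts newsletter scores on fan-out and volume alone and is still delivered, which is the point of keeping the behavioural signals and the lure vocabulary in separate buckets. In practice a provider would also hold or rate-limit the account itself, since the message is the symptom and the takeover is the problem.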

Identity theft is a misleading term. It implies the identity is gone completely, and it implies a singular identity. Perhaps persona cloning is a better term.

We all have dozens of identities (personas) with varying degrees of power, authority, attachment, control and manageability. Each identity has a set of transaction-specific reputations.

Loss of control of any of these identities will expose one's reputation circle to exploits - as well as one's own life.

It would be nice if we would start thinking a bit about this topic.

Nice, but unlikely.

PS. I really, really don't like "security questions". Dumbest idea ever. Note how well it worked here.
