idtheft

Societal Context: Internet use has become extremely widespread, ranging from entertainment, to casual browsing, to information gathering, to Internet commerce of different sorts. In interactions between individuals with web browsers and commercial sites that manage money or process web-initiated transactions, the user must authenticate herself or himself to the commercial site. Although many authentication methods have been developed by researchers over past decades, the vast majority of web sites accessible to ordinary individuals use password-based authentication. Unfortunately, passwords are subject to various forms of subversion, including phishing attacks, keystroke logging, and related methods. These attacks have been carried out on a huge scale in recent years, with law enforcement and large private companies estimating annual losses over $1 billion. In addition, password theft and identity theft have pierced the public consciousness.

Since current attacks involve tricking human users by presenting replicas of trusted interfaces, there are substantial social science issues involved, including legal issues related to the responsibility of financial and other institutions that use web authentication, and human factors questions about how users are fooled into entering sensitive data into malicious web sites, or fooled into installing spyware that then carries out malicious activity on the users computing platform. Because this problem is highly visible and affects many users beyond the research community, this area presents an excellent opportunity for outreach, education, and technology transfer. We believe that practical methods, delivered directly to concerned individuals or concerned enterprises, will have broad societal impact and will reflect positively on the TRUST center and its sponsors.

Integrative Testbed: This collaborative TRUST project, involving faculty and students from computer science and law, will examine the social and legal context of identity theft, develop improved technology to combat phishing, spyware, botnets, and related threats, pursue technology transfer opportunities, and study the policy and legal implications of intrusive activities and possible defensive measures. Participation to date has come from computer science departments and law schools at Berkeley, CMU, and Stanford; additional participation from other universities or TRUST industrial partners will be welcomed. The identity theft thrust has four primary objectives.

1. Understand how users perceive their vulnerability to identity theft attacks and how well they understand the privacy threats associated with installed software.
2. Develop mechanisms for detecting potential and actual loss of personal data from computers.
3. Build and demonstrate active systems that prevent identity theft.
4. For each of our proposed mechanisms for detecting identity theft and preventing identity theft, understand the policy implications and legal implications

Research Collaboration: Berkeley participants Tygar and Dhamija have developed dynamic skins anti-phishing technology, have performed user studies of anti-phishing methods, and have analyzed other identity theft techniques such as acoustic emanations. Berkeley Law member Deidre Mulligan has experience with legal issues related to identity theft, as does Stanford Law member Jennifer Granick, co-leader of a recent study of spyware technology and legal issues at Stanford. CMU faculty Perrig and Song and their students have worked on botnet detection and enhanced web authentication methods. Stanford faculty Boneh and Mitchell, with their students, have developed a series of software browser extensions that combat identity theft and collaborated with Granick on spyware study. Stanford professor Rosenblum designed virtualization methods that are central to the planned SpyBlock effort.

External collaborators in the ID Theft project include:

• DHS/SRI Identity Theft Technology Council, a group that includes representatives from financial service companies, leading auction sites, and related organizations.
• RSA Securities has engaged with Stanford, under DHS sponsorship, to transition a password hashing method to their commercial identity management product.
• Google has hosted a Stanford intern who has helped incorporate Stanford SpoofGuard technology into a Google toolbar release in spring, 2006.

Activities: Our accomplishments to date are decentralized, although collaborative discussion began at the June TRUST kickoff meeting and has continued through the 2006-2007 planning process. We plan to compare methods from different campuses in our evaluative studies, and integrate compatible methods in future software distributions.

• SpoofGuard is a browser extension designed to help prevent phishing by detecting attacks in progress. The extension, which predates the TRUST center, is freely available at http://crypto.stanford.edu/SpoofGuard/. Integration into a Google toolbar was completed in the past year.
• Dynamic skins automatically customize secure windows and provide visual cues that help prevent phishing attacks.
• A "phoolproof phishing prevention" effort produced an authentication protocol that leverages Bluetooth-enabled cell phones to circumvent malicious code on a client station.
• PwdHash, developed in part before TRUST funding was received, produces a custom passwords for each site, in a manner that combats phishing and other password attacks. The software is freely available at http://crypto.stanford.edu/PwdHash/
• Initial progress on botnet detection has been completed, with planned conference submission for summer 2006.
• A spyware project studied commonly deployed spyware and developed technical foundation for legal action, in collaboration with Stanford Law School.
• A semantics-based malware detection method has been developed and tested (at CMU).
• Education and outreach efforts include course modules on identity theft (to be completed spring 2006) and interaction with law enforcement (Secret Service, FBI Infragard) and private companies concerned with identity theft (e.g. PassMark Security).

About Trust TRUST Overview TRUST Orgchart Our TRUST Partners TRUST Research Conferences Education FAQ Key Publications Trust Introduction (PPT) Annual Report 5 yr. Strategic Plan

Getting Involved with Trust Getting started with this web site How can I request a login account on this website? Who can get a login? How does a corporation become a partner? How do a set up a proxy account so I can register a VIP? How do I join a group? How do I reset my password Missing menus/Javascript disabled? Online Conference Registration How do I register for a conference? Contact Information and Directions How do I contact the Trust Center? Directions to Cory Hall

Recent Publications for idtheft

• Jason Franklin, Vern Paxson, Stefan Savage, Adrian Perrig. An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants, ACM Conference on Computer and Communications Security (CCS), ACM, November, 2007.
• John Mitchell, Doug Tygar. Online ID Theft, Phishing, and Malware, Talk or presentation, 19, March, 2007; Presented at the TRUST March 2007 NSF Site Visit/All Hands Meeting, Berkeley, CA. .
• Doug Tygar, John Mitchell. ID Theft Technology Transfer, Talk or presentation, 19, March, 2007.
• Doug Tygar, John Mitchell. Online Identity Theft Web Authentication and Threats, Talk or presentation, 9, October, 2006.

Faculty