Adam Shostack Identity, Economics, Security, and Terrorism

Video Link: https://www.youtube.com/watch?v=38xcQYkQIOo



Duration: 1:23:20


Victor Lopez-Florez
• An illegal immigrant from El Salvador was
paid $100 to help Ahmed Alghamdi get a
real Virginia ID card.
• Alghamdi was one of the hijackers on UA
flight 175.
• Lopez-Florez was convicted on November
19, 2001
Overview
• Terrorism and security and ID cards
• Economics of ID cards
• ID cards and privacy
Trust
• Trust, Trustworthy and Trusted
• Trust is the state of accepting a risk from, or
being vulnerable to, someone
• Trustworthy people behave to reward your
trust
• Trusted is someone who is able to violate
the security system
Terrorism
• Terrorism: Use of violence to intimidate and
advance a political purpose
• We would like to be free of such violence
• To fight terrorism, our security goals:
– Intelligence
– Prevention
– Response

National ID Card:
The Ultimate Security Measure
“Most of us already carry several
identification cards, including a driver's
license and a Social Security card, so why
not something that's a little more robust?...
A card that really proves you are you would
simplify transactions and prevent future
applications from being hindered by
suspicion...”

Economics of ID Cards
• Huge market for fake IDs (college students,
foreign workers)
• ID becoming harder to forge
• Transitioning to a huge market for
fraudulent ID
• Millions of Lopez-Florezes
New Jersey Press Release
April 21 2003
• “In 2002 ... the State Police arrested
members of two major document fraud
rings. Since the summer, approximately 200
individuals have been arrested for trying to
obtain fraudulent identification from the
DMV, 15 employees have been faced with
criminal charges, and dozens of others have
been fired.”
DHS Information Bulletin
July 23 2003
“DHS conducted a survey...”
“...from February to May, hundreds of official
identification cards, badges, decals,
uniforms, and government license plates
were reported stolen or lost.”
“No historical baseline data”
The American Identity
Infrastructure
• The national ID card has many uses
• Driving, working, flying, drinking, voting
• Drives
– Fake ID
– Fraudulent ID
• ID cards lead to people being trusted
Nash Equilibria
• Game theory
• Everyone makes rational choices
• Suboptimal results are locked-in
Nash Equilibria and ID
• Checking ID as CYA
– Entering buildings
– Flying
– Bars
• Hard to be the first skyscraper to stop
wasting people’s time
Privacy and the ID infrastructure
• National ID infrastructure is free to use
– No cost to view an ID
• Required to have an ID to live (in practice)
• Anyone can ask to see it, copy down data
• No cost to company
• ID theft costs to citizens
• ID is government subsidy for privacy
invasion
Consequences of ID Theft
“Malcolm Byrd was home with his two children on a
Saturday night when a knock came at the door.
Three Rock County, Wis., sheriff’s officers were
there with a warrant for Byrd’s arrest. Cocaine
possession, with intent to distribute, it said. Byrd
tried to tell them that they had the wrong man, that
it was a case of mistaken identity, that he was a
victim of identity theft. But they wouldn’t listen.
Instead they put him in handcuffs and drove him
away. Again.”
Future of ID Theft
• Economics ensure it's going to get much
worse
• Arrest records
– cost of arrests
• Mortgage theft
– cost of mortgages
• Virginia ID Theft passports
Advice to Businesses Designing
Systems
• Consider what an ID gets you
• Ask yourself about liabilities
– ID theft
– CA disclosure laws
– HIPAA, GLB, other laws
DHS encourages...
• “Check multiple forms of valid
identification for each facility visitor”
• “Improve ID card technology to eliminate
reuse or unauthorized duplication”
• (July 22, “Potential Terrorist Use of Official
Identification, Uniforms, or Vehicles”)
Challenge Your Executives
• Does this spending solve our security
problems?
• What problems does it create for our
employees?
• Can we talk to our industry association to
move to better measures?
Advice to Governments
Designing Systems
• Everyone checking IDs reduces the value of
ID systems where they really matter
• Identity infrastructures and “freeloading”
are a bad combination
• If their name is in a database, terrorists are
really motivated to get fraudulent ID
“Missing Computer Adds to
Airport Screeners’ Woes”
• “Federal officials are quietly scouring the
Washington DC area for a stolen laptop
with information on dozens of airport
baggage and passenger screeners that could
be used to forge IDs.”
• “We’ve let our screeners know they need to
safeguard their personal information”
– (TSA spokeswoman Chris Rhatigan)
Real Advice to Governments
• Legalize teen drinking
– Dry up the college student demand
• Legalize immigration
– Dry up the working demand
• Do it to save lives

Black Hat - USA - 2003