» Israeli’s don’t get security right all the time

September 22nd, 2005 by Chandler Howell

Saar Drimer details an interesting variation on Identity Theft Fraud-by-Impersonation involving selling stolen cars which I think illustrates nicely why this is really an Authentication problem.

He details the fraud and provides some nice analysis. I’ll borrow the bit I’m interested in but let you go read the rest on his site.

1. The “title” or “pink slip” is an easily forged piece of paper, there is one piece of silver impression that is more for style than protection (it included the VIN number, owner ID/address/name and car info.)
2. In order to sell a car the seller and the buyer need to appear _in person_ at the DMV (or equivalent), bank or post office to show their ID just for the purpose of showing they both actually exists. Clearly, those places have no access to any car registry database except the former and they don’t have the ability to examine the car. This step is to authenticate the people, not the car.
3. No authority ever looks at the car in any step of the transaction.
4. There is no Carfax in Israel (this is critical, although the thief could provide a fake report while the buyer is excited to get the car for cheap and never runs it on his own.)

This is the same core misunderstanding that enables Identity Theft Fraud-by-Impersonation here in the States.

When someone applies for credit or otherwise tries to make use of a “stolen” identity, the assumption by the credit issuer is that if they authenticate the person as having the expected credential (typically, SSN+Name+Date of Birth), then that person must be that person, when in fact there is no reason to assume at this time that the credentials being presented actually belong to the applicant.

What seems to be missed by many people is that the fraudulent transaction is not the one where goods are obtained, but rather the transaction where the criminal is granted access to the means to purchase the goods.

In this case, the Israeli DMV also assumed erroneously that if a person presented a Personal ID which matched the name on the car’s (forged) title, then they must be the owner of the vehicle being sold.

As a bit of an aside, this could also be seen as a variation on bypassing airport no-fly lists by printing your own boarding passes.

- Posted in Security and Risk Management, Risk Management

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.


« Fill your tanks
Surge Protectors, Part 2 »


Saar Drimer Says:

you forgot “emphasis mine” :)
Thanks for the mention,,,
cheers.

- September 22nd, 2005 at 8:27 am |

Chandler Howell Says:

funny…I could swear I had that in there at some point. Oh, well.

On the blockquote, everyone, emphasis mine!

Everyone is now picking up on it. I wrote my entry over the course of the past couple of days and published it this morning to try to keep to my goal of at least one post a day.

- September 22nd, 2005 at 11:55 am |

Saar Drimer Says:

One a day, huh? I often wondered if it would increase readership or cause the “regulars” to miss some… let us know how it worked out.

- September 23rd, 2005 at 3:45 am |

Saar Drimer Says:

Alright, now I got it fixed :)

- September 23rd, 2005 at 4:16 am |

Adam Says:

Yeah, I am for one post a day, too. I so rarely stay there.

- September 23rd, 2005 at 1:48 pm |

- Leave a Reply