
DIGITAL IDENTITY VERIFICATION AND PROTECTION AGAINST FRAUD AND THEFT – EXPOSED VULNERABILITY

By Dr. Matthew YAP (Country Director (Singapore), IACSP)

Any views or opinions presented in this article are solely those of the author.

By the third quarter of 2018, the world faced the largest heist of identity and records in United States’ history. In September 2018, the social network Facebook forced 90 million people to log out and log back in again. According to Facebook, around 50 million victims, plus an additional 40 million, may have had their “access tokens” stolen. An access token is a digital key that the Facebook mobile app creates when a user logs in; it allows the same user to stay logged in when the Facebook mobile app wants to open another part of Facebook inside a browser. An access token does not include a user’s password, but because it lets the user (or a hacker) stay logged in, holding an access token means a malicious hacker can completely control the account.

This vulnerability was in a Facebook protocol known as “single sign-on”. Single sign-on creates a new access token and helps a Facebook user who is logged on to a mobile app or browser open another part of Facebook inside the same browser without logging in again. The hackers took advantage of this vulnerability to steal the tokens. Facebook later acknowledged that this vulnerability had existed since 2017 and was related to Facebook’s “View As” function. This “View As” function allows a user to view his or her own profile as if he or she were someone else. Take a Facebook user, Bob. Bob can change his Facebook privacy settings to allow, say, his girlfriend Gail to see only certain posts. Then, to check that the changes to Bob’s privacy settings actually worked, Bob can use the View As feature to look at his profile as if he were Gail. Bob is not actually Gail, and Bob does not have access to Gail’s actual account. It is just a pretence (view as). But this chain of bugs can allow a hacker to acquire Gail’s access token, and then log into Gail’s account using that token, therefore taking full control of Gail’s account.
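The invariant behind the two paragraphs above is easy to state and easy to get wrong: a token minted while a user is previewing someone else’s view of their profile must still be bound to the person who actually logged in. The following is an illustrative model added to this article; it is not Facebook’s code, and the `Session` type, the HMAC token format and the two `preview_token_*` functions are assumptions made here to show the defective pattern next to the hardened one and the server-side check that catches the defect.

```python
"""Illustrative model (not Facebook's code) of the access-token invariant:
a token minted during a "View As" preview stays bound to the logged-in user,
never to the identity being previewed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key; a real service would load it from a key store.
SIGNING_KEY = secrets.token_bytes(32)


class Session:
    """Server-side session of the real, authenticated user (hypothetical type)."""

    def __init__(self, user_id):
        self.user_id = user_id   # the principal who actually authenticated
        self.view_as = None      # identity whose *view* is being previewed, if any


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, ttl_seconds=3600, key=SIGNING_KEY):
    """HMAC-signed bearer token: the 'digital key' that keeps a user logged in."""
    claims = {"sub": subject, "exp": int(time.time()) + ttl_seconds}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, key=SIGNING_KEY):
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) < time.time():
        return None
    return claims


def preview_token_unsafe(session):
    """Defective pattern: the part of the site opened during the preview is
    handed a token minted for the *previewed* identity. Whoever ends up holding
    that token can act as the previewed user, which is the failure the article
    describes."""
    subject = session.view_as or session.user_id
    return mint_token(subject)


def preview_token_safe(session):
    """Hardened pattern: the token is always minted for the authenticated user.
    The previewed identity stays in server-side session state and only affects
    which posts are rendered; it never becomes a token subject."""
    return mint_token(session.user_id)


def token_bound_to_session(token, session):
    """Server-side check before honouring a token presented inside a session:
    the token must verify and its subject must be the session's real user."""
    claims = verify_token(token)
    return claims is not None and claims["sub"] == session.user_id


if __name__ == "__main__":
    bob = Session("bob")
    bob.view_as = "gail"   # Bob previews his profile as Gail would see it
    leaked = preview_token_unsafe(bob)
    safe = preview_token_safe(bob)
    print("unsafe token subject:", verify_token(leaked)["sub"])
    print("safe token subject:  ", verify_token(safe)["sub"])
    print("unsafe token bound to Bob's session?", token_bound_to_session(leaked, bob))
```

The check in `token_bound_to_session` is the cheap defensive layer: even if a preview code path mints a token for the wrong subject, a server that refuses to honour any token whose subject differs from the session’s authenticated user turns the defect into a logged failure rather than an account takeover.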

In July 2018, Singapore’s largest group of healthcare institutions, which includes Singapore General Hospital and KK Women’s and Children’s Hospital, was the target of a cyber-attack said to be the most serious breach of personal data in Singapore’s history. Prime Minister Lee Hsien Loong’s personal particulars, as well as information on his outpatient dispensed medicines, were stolen after specific and repeated efforts to obtain them. About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. According to blog sites and Facebook commentary, internet investigators shortlisted three countries as having state-level deliberate cyberattack capabilities: the United States, Russia, North Korea and China. Considering that Singapore hosted a Trump-Kim summit which was successfully completed on 15 June 2018, many cybersecurity experts have ruled out the US and North Korea. Internally, a committee of inquiry and investigations are under way, pointing to a failure to report by a senior IT manager who noticed unusual traffic and penetrations. This vulnerability is caused by a rogue access point.

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorisation from a local network administrator, whether added by a well-meaning employee or by a malicious attacker. Somewhat like a distributed denial of service, a large number of false requests can be submitted, resulting in denial of bona fide online services or shared services. Although it is technically easy for a well-meaning employee to install a “soft access point” or an inexpensive wireless router, perhaps to make access from mobile devices easier, it is likely that they will configure it as “open”, or with poor security, and potentially allow access to unauthorised parties.
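The practical counter to the rogue-access-point problem just described is a periodic wireless survey compared against the inventory of access points the network team actually deployed. The script below is an added example, not part of the article; the inventory, the survey lines, the comma-separated survey format and the -60 dBm “heard inside the building” threshold are all constructed assumptions. It flags unauthorised radios that advertise a corporate SSID, unknown radios heard at in-building strength, authorised radios advertising the wrong network, and any of those running open or WEP security.

```python
"""Added example: compare a wireless site survey against an inventory of
authorised access points and flag rogue or poorly secured radios."""
from collections import namedtuple

AccessPoint = namedtuple("AccessPoint", "ssid bssid security channel signal_dbm")

# Constructed inventory: BSSID (radio MAC) -> SSID it is authorised to advertise.
AUTHORISED_BSSIDS = {
    "00:11:22:aa:bb:01": "CORP-WIFI",
    "00:11:22:aa:bb:02": "CORP-WIFI",
    "00:11:22:aa:bb:03": "CORP-GUEST",
}
CORPORATE_SSIDS = set(AUTHORISED_BSSIDS.values())
WEAK_SECURITY = {"OPEN", "WEP"}

# Constructed survey output: "ssid,bssid,security,channel,signal_dbm" per radio.
SURVEY = """\
CORP-WIFI,00:11:22:aa:bb:01,WPA2-Enterprise,36,-45
CORP-WIFI,00:11:22:aa:bb:02,WPA2-Enterprise,44,-52
CORP-GUEST,00:11:22:aa:bb:03,WPA2-PSK,1,-50
CORP-WIFI,DE:AD:BE:EF:00:01,open,6,-40
TeamRouter,de:ad:be:ef:00:02,WEP,11,-38
NeighbourNet,c0:ff:ee:00:00:01,WPA2-PSK,1,-82
"""


def parse_survey(text):
    """Parse the constructed survey format into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, security, channel, signal = [f.strip() for f in line.split(",")]
        aps.append(AccessPoint(ssid, bssid.lower(), security.upper(),
                               int(channel), int(signal)))
    return aps


def classify(ap, authorised=AUTHORISED_BSSIDS, strong_signal_dbm=-60):
    """Return the findings for one radio; an empty list means it is expected."""
    findings = []
    expected_ssid = authorised.get(ap.bssid)
    if expected_ssid is None:
        if ap.ssid in CORPORATE_SSIDS:
            findings.append("rogue: unauthorised radio advertising a corporate SSID")
        elif ap.signal_dbm >= strong_signal_dbm:
            # Assumption: a strong signal means the radio is inside the building.
            findings.append("suspected rogue: unknown radio heard at in-building strength")
    elif ap.ssid != expected_ssid:
        findings.append(f"misconfigured: authorised radio should advertise {expected_ssid}")
    # Weak security is only our problem for radios that are ours or suspect;
    # a neighbour's open network is not a rogue on this network.
    if ap.security in WEAK_SECURITY and (expected_ssid is not None or findings):
        findings.append(f"poor security: {ap.security}")
    return findings


def survey_report(text, authorised=AUTHORISED_BSSIDS):
    """Map each BSSID with at least one finding to its list of findings."""
    report = {}
    for ap in parse_survey(text):
        findings = classify(ap, authorised)
        if findings:
            report[ap.bssid] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in survey_report(SURVEY).items():
        print(bssid)
        for f in findings:
            print("   ", f)
```

A radio-only survey cannot prove that an unknown access point is plugged into the wired network, which is why the second rule reports a suspicion rather than a conclusion; confirming it means looking for the radio’s MAC address on the wired side (switch port tables) before pulling the cable.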

According to the 2018 Child Identity Fraud study by Javelin Strategy & Research, more than 1 million children in the US were identity theft victims, resulting in losses of US$2.67 billion in 2017. Javelin found that two-thirds of the victims were under the age of eight. Another 20 percent were eight to 12 years old. Children are more likely to become fraud victims after a breach because their core identity elements, like Social Security Numbers (SSN), are more valuable to criminals. Criminals can have a field day with a child’s SSN because it has never been used before. When a bank or other financial institution pulls a credit report, they are not going to find anything, and so the criminal has a clean slate to work on.

Criminals can also buy a child’s SSN on the dark web for about two US dollars. A child’s SSN is typically used to create a “synthetic identity”. The criminal takes this legitimate (stolen) number, adds a different name, birthdate, address and phone number to start a new and bogus credit file. The criminal can build up the credit score on that synthetic identity in days and then apply for loans and credit cards, get medical treatment or file fraudulent tax returns.
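Each step of the synthetic-identity recipe in the two paragraphs above leaves a signal that a lender or credit bureau can screen for: a real number paired with a name and birthdate that differ from the number’s known holder, a number whose holder is a minor appearing on a credit application, and a burst of applications within days of each other. The screening below is an added example written for this article, not a description of any bureau’s system; the application records, the “known holder” reference data, the 18-year age cut-off and the 30-day velocity window are constructed assumptions.

```python
"""Added example: screen credit applications for the synthetic-identity
signals the article describes (conflicting identity on one SSN, a minor's
SSN used for credit, and a burst of applications in a short window)."""
from collections import defaultdict, namedtuple
from datetime import date

Application = namedtuple("Application", "app_id ssn name dob applied_on")

# Constructed reference data: SSN -> (name, date of birth) of its real holder,
# as an SSN verification service or earlier customer record would return it.
KNOWN_HOLDERS = {
    "900-00-0001": ("Tommy Sample", date(2011, 5, 6)),   # a child's number
    "900-00-0002": ("Dana Adult", date(1980, 7, 7)),
}

# Constructed applications. The first three reuse the child's SSN under a
# different adult identity, three times within a week.
APPLICATIONS = [
    Application("A1", "900-00-0001", "Rick Fake", date(1985, 1, 1), date(2018, 3, 1)),
    Application("A2", "900-00-0001", "Rick Fake", date(1985, 1, 1), date(2018, 3, 4)),
    Application("A3", "900-00-0001", "Rick Fake", date(1985, 1, 1), date(2018, 3, 6)),
    Application("A4", "900-00-0002", "Dana Adult", date(1980, 7, 7), date(2018, 3, 2)),
    Application("A5", "900-00-0003", "Pat Unknown", date(1990, 2, 2), date(2018, 3, 2)),
]


def age_on(dob, day):
    """Whole years between a birth date and a later date."""
    return day.year - dob.year - ((day.month, day.day) < (dob.month, dob.day))


def screen(applications, known_holders, adult_age=18,
           window_days=30, velocity_threshold=3):
    """Return {ssn: [signal, ...]} for every SSN that raised at least one signal."""
    by_ssn = defaultdict(list)
    for app in applications:
        by_ssn[app.ssn].append(app)

    report = {}
    for ssn, apps in by_ssn.items():
        signals = []
        # 1. Identity conflict: one number, more than one (name, birthdate),
        #    counting the known holder as one of the identities.
        identities = {(a.name, a.dob) for a in apps}
        if ssn in known_holders:
            identities.add(known_holders[ssn])
        if len(identities) > 1:
            signals.append(f"identity conflict: {len(identities)} identities on one SSN")
        # 2. The number's real holder is a minor on the day of any application.
        if ssn in known_holders:
            _, holder_dob = known_holders[ssn]
            if any(age_on(holder_dob, a.applied_on) < adult_age for a in apps):
                signals.append("minor holder: SSN belongs to a child")
        # 3. Velocity: velocity_threshold applications inside window_days.
        days = sorted(a.applied_on for a in apps)
        for i in range(len(days) - velocity_threshold + 1):
            span = (days[i + velocity_threshold - 1] - days[i]).days
            if span <= window_days:
                signals.append(f"velocity: {velocity_threshold} applications in {span} days")
                break
        if signals:
            report[ssn] = signals
    return report


if __name__ == "__main__":
    for ssn, signals in screen(APPLICATIONS, KNOWN_HOLDERS).items():
        print(ssn)
        for s in signals:
            print("   ", s)
```

The three checks are independent, so an SSN with no reference record (like the third applicant here) can still be caught by the conflict and velocity rules once a second identity or a burst of applications appears; the minor-holder check is the one that needs authoritative birthdate data for the number, which is exactly the data a bureau lacks for a number that “has never been used before”.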


© 2024 IACSP Southeast Asia Region