Month: October 2014

Swedish e-leg fiasco

by

30 October 2014

21:37

Leave a comment on Swedish e-leg fiasco

Sweden

, , ,

Since the rather public display of identity fraud via Telia’s e-leg a couple of weeks ago, it is interesting to do some more digging, and what a better place to start than with the Swedish e-leg? Apparently the architecture will be using SAML federation, i.e. they have a relationship that they trust each other. Every ticket includes an identity (a SAML assertion) it is digitally signed but the signing is not embedded in the SAML assertion.  The YouTube video below describes this specific inherent weaknesses in SAML, but clearly (and hopefully) these issues have now been fixed. However according to the speaker (questions at the end) the signature signing standard in SAML is very complex, and there are not many that really understand it fully enough to implement properly. The main problem seems to be the way the signature is separate from the SAML assertion. [youtube=http://youtu.be/RHIkb9yEV1k] If the vulnerabilities mentioned from 2012 have been fixed, there is in any case potentially integrity issues for customers with the Swedish e-leg implementation, namely: You can’t see what you are signing!

  • What you will see in the web-browser has a very weak connection to what you are signing. What this means is that your digital signature is not encapsulated with the text you are signing online, i.e. your signature and text are not married. I could leave the rest to your imagination, but I’ll give you one risk just to start with, and that is a Man-in-the-browser (MitB) trojan changes the content in the browser.

What you do maybe not be exactly what you expect!

  • This is exactly it, the customer… well that could be you, can potentially be ‘lured’ into signing something that you were not expecting to sign.  It is likely that the e-leg service works so that the identification of a user leads to a legitmate transaction. However this could be a logon to a service or digital signing of a transaction. There are other services available today that differentiate a signing transaction from a logon request. Swedish e-leg does not differentiate these two different transactions.

However, now the Myndigheten för samhällsskydd och beredskap (MSB) has published a summary report “Analys av informationssäkerheten i Svensk e-legitimation” (link broken, 2015-05-21). The detailed reports has been labelled as Secret.  However I guess that they are fixing all the potential security flaws, of just a couple I have named above. The thing that bothers me still is that even in the recommendations they are still fixated on using SAML for the infrastructure. Funny that this report came out though in the wake of the Telia e-leg identity fraud fiasco 😉 Have fun reading!

Identity and Trust in a digital world

by

28 October 2014

20:35

Leave a comment on Identity and Trust in a digital world

Sweden

14:00 Future Trends and Innovation at the Nordic IT Security Conference on 5th November in Stockholm. This is what I am going to talk about…

“I dare to challenge: that what you state as your digital identity today, is not a digital identity at all! This is why information security programs do not work. Your so called ‘digital identity’ is the weakest link in the chain; in a verbose, connected and dynamic digital society. What’s more is that your digital identity can be stolen. Identity fraud is on the rise, even in Sweden. So how did we get into such a mess and what is the future for our digital identities?”

Let’s talk about merino.se too…..

by

26 October 2014

18:35

Leave a comment on Let’s talk about merino.se too…..

Sweden

, ,

Following up my previous posts on identity theft/fraud is should give more credit to merinfo.se…….

Merinfo.se is probably one of the best websites for finding an all-round picture of an individual. In here you will find their first 6 digits of their personal number which is their date-of-birth…but what’s new? Also where they live, same as other websites. In addition if you are lucky there is a Google maps picture of their home, and list of where they are sitting in board positions in companies and a timeline for these relationships.

Surprise! 10 more years of PII exposure in Sweden….

by

26 October 2014

13:25

Leave a comment on Surprise! 10 more years of PII exposure in Sweden….

Legislation, Sweden

, , ,

It seems that many of the utgivningsbevis that were granted in 2004 are due to expire this year in 2014, and in 2014 it is still legal in Sweden for those holding this exemption certificate can share your personal information, if you are a Swedish resident, or/and Swedish citizen….here is information on this.

So how many companies have been granted an utgivningsbevis, and have the right to publish your personal information public? Well 917 is what I found, and you have not a legal leg to stand on to get your personal information removed.

This includes ratsit.se and birthday.se. Here you can type in the name of the target and search, bingo! Happy hunting!

ratsit

How much do you earn?

by

26 October 2014

12:06

Leave a comment on How much do you earn?

European Union, identity_quest, Information Privacy, Legislation, Sweden

,

I want to know how much you earn because you are applying for a job with my company and I want to check what your present employer thinks you are worth.

extrakollpng

This is easy to do in Sweden, and you as the data subject have no idea that this has happened. It is possible for any person to go online and request anonymously your earnings for 2 completed tax years in Sweden at http://www.extrakoll.se/, and the requester to get the information by SMS.

How do you do this is:

  1. Visit www.extrakoll.se and search for the name of the individual you are investigating;
  2. Then you will be requested to send an SMS to number 72323 with word INKOMST+code or/and STORKOLL+code;
  3. You are given choices of payment methods, 20kr or 40kr, depending on which option you choose;
  4. The earnings for the targeted person for 2 of the previously reported tax years will be sent to your mobile telephone!

There is no way you can prevent others from requesting this information on yourself.

Nevertheless, it is against the EU Directive on Data Protection because you, the data subject are not informed that this information has been requested, and your Personal Identifying Information (PII) is public domain. I am sure identity thieves find extrakoll.se a useful tool to research their victims. I just hope it’s not you!

naughty naughty HQ-bank for falsification of financial statements

by

22 October 2014

16:42

Leave a comment on naughty naughty HQ-bank for falsification of financial statements

Sweden, TRACE

, , , , , , , ,

 

So information security in financial reporting is unnecessary? So you think… I guess you’re not following the HQ-Bank saga in Sweden? Well the stars of this saga are going to prison to pay for falsification of financial information. It seems that even the KPMG auditor (Johan Dyrefors) approved 2009 and 2010 accounts. Credit to KPMG that it didn’t get approved internally. Evidence of malpractice started in 2009. It seems that this was just the tip of the iceberg of accounting malpractices for HQ-Bank.

You know information security is not purely about protecting the confidentiality of financial information, it is about protecting its integrity; ensuring absolute traceability back to the originating source, which is the identity in whichever role they are acting within when financial records are submitted. The financial reports that are submitted should be digitally time-stamped and digitally signed to protect integrity.

It is XBRL that gives transparency. XBRL gives a single language for all financial information from creation through to consumption. However in order to enforce Accountability, Responsibility and Traceability (ART), i.e. quality and integrity in financial reporting, you need information security. You know those deep cryptographic magical stuff that tells you if the financial information has been tampered with.

Lars Berlöf is going to be talking about this at the Nordic IT Security Conference on 5th November, I may even keep him company on stage, for a short time 😉 Lars knows about the challenges of transparency in financial reporting and is driven to enforce traceability hence, legality in all financial reporting, in Sweden, and across the whole world!

Here is a taster of what we will be talking about……

[youtube=http://youtu.be/an1yIoby_pc]

How embarrassing for Sweden’s e-leg!

by

19 October 2014

21:40

1 Comment on How embarrassing for Sweden’s e-leg!

Sweden, TRACE

, , ,

law-legislationOr is it?  Not really, it was an id fraud just waiting to happen, so if it is no surprise than it is not embarrassing really….. except it was top Swedish profiles that had their e-leg used fraudulently. That was pretty awkward for Telia, SBAB, Avanza and the Swedish Tax Authority ….and the party poppers were out this weekend for Swedish press.

SBAB and Avanza immediately issued a statement saying that they had stopped using the Telia e-leg. However the Swedish Tax Authority are waiting to see how things develop…..

But why do I say it was an id fraud waiting to happen? The problem is pretty straightforward. All credentials pertaining to access to information that we as natural and legal persons need to access/process is organised with the information, what I call ‘information silos’, not with the natural person. An ‘information silo’ can be financial information, i.e. your money in the bank, it could be your tax returns, or it could be your health information, your children’s information held by government authorities. In fact every ‘information silo’ has your logon credentials, i.e. your so called ‘digital identity’ or as was the case in this rather embarrassing crime, your e-leg. If you were to add to this list your credentials on LinkedIn, Facebook, your store cards, and loyalty schemes… you have potentially 100s of ‘digital identities’ that are fair game to identity fraud. Although I said this wrong… you don’t have 100s of ‘digital identities’, because they don’t belong to you. You have no control over your so called ‘digital identities’ whether these are in the form of e-leg or not. Well e-leg is yours, right? No it is not, it’s not controlled by you. In this example of id fraud, your digital id is created by a third party, and they even send the secret codes for access to information through the post.

I don’t know anyone that knows exactly how many ‘digital identities’ they have, because all so called ‘digital identities’ are owned and managed by the owners of the ‘information silos’. Clearly if you trust the 100s of information owners to be doing their job right, and to care about you and your personal privacy, then I guess it’s not a problem, but I don’t. I am sure that I care more about my digital identity than anyone else out there controlling my access to their information silos.

I don’t know anyone that has complete control over their digital identity or their digital footprint. What is more is that if anything bad happened to any of these identities, you would have no idea… even if you check your bank account daily, it doesn’t matter, because this is only one of many opportunities for identity fraudsters to take over and cause temporary chaos (for just a year or two) in your, and your family’s life.

So what’s the future? What I visualise is a world whereby I own my digital identity. I control my digital identity. I have only a single digital identity that is a digital and legal representative of my natural self. The fact that I own my digital identity, all transactions pertaining to my digital self will be mine.   This means that if I have a 100 places that I conduct digital interactions, that regardless of which legal entity has been agreed to own the content of the interaction, both parties will receive details of all transactions pertaining to the digital interactions. This would give me, as the identity owner, absolute transparency, and legal traceability.

It is how it should work after all. One digital identity for each natural/legal person. It’s pretty obvious really, isan’t it?