Research: Tor marketplaces as a threat to national e-ID infrastructures
Electronic identification (e-ID) has been increasingly adopted by many states during the past few years. The past decade has witnessed large-scale initiatives in many European countries to develop their own e-ID infrastructures. These digital infrastructures vary in their frameworks, the institutional entities involved, and the types of services citizens can access with their issued digital identities. In some cases, e-IDs take the form of dedicated platforms that grant registered citizens access to online services provided by governmental entities as well as private companies. Such platforms rely on federated authentication frameworks in which certain certified companies serve as Identity Providers (IdPs) under the ongoing supervision of a federal entity.
Despite the massive market potential of electronic identification platforms, which involves a country’s entire population, governments face major challenges in establishing e-ID frameworks and attracting a large number of users. Privacy concerns are the most important obstacle to the development of such digital frameworks. Other challenges include insufficient inter-governmental coordination, lack of cooperation between governmental and private entities, and tensions in balancing usability against security.
The current pervasiveness of various forms of digital technologies in business activities, as well as individuals’ private lives, has extended the scope of security to involve safety and other basic human rights. Fraudulent digital transactions, data breaches of financial and healthcare information, compromise of critical infrastructures (e.g. power grids, transportation, etc.), and hacking of e-voting systems are examples of violations of human rights including privacy, freedom, safety, and ownership. As e-ID infrastructures act as gateways to a myriad of services, their vulnerabilities can be associated with disastrous consequences on both the government and society.
A recently published research paper analyzed the risk of a malicious actor obtaining unauthorized access to federal services by digitally impersonating another user. The study also explored the risks of identity theft, with special emphasis on the role of the Tor network and darknet markets, or cryptomarkets, in facilitating the trading of digital identities and the influence this has on the design of e-ID infrastructures. In this article, we overview the analysis presented in that paper.
Using Italian Identity as an example to study identity trading on the Tor network:
To develop the study’s dataset, six Tor marketplaces were crawled in December 2016. The investigated marketplaces were AlphaBay, Hansa, Dream Market, Outlaw, Leo, and Bloomfield. The analysis focused on product categories relevant to identity theft, e.g. “Digital goods/Fraud” on Dream Market, “Fraud Related/Documents and Data” on Hansa, and “Counterfeit items/Fake IDs” and “Fraud/Personal information and scans” on AlphaBay.
For each Tor marketplace, a custom spider was written using the Scrapy framework; spiders built to crawl Tor are able to parse anonymous marketplaces. Figure (1) shows the workflow of the study’s system for the collection, parsing and analysis of darknet marketplace data.
Figure (1): The system used to retrieve data from Tor marketplaces
The obtained dataset was analyzed per category and keyword. More specifically, only the categories presented in table (1) were crawled and analyzed. The final dataset comprised the following offers for each marketplace: Dream Market (18,506 offers), AlphaBay (9120 offers), Leo (382 offers), Hansa (13,068 offers), Bloomfield (111 offers), and Outlaw (1714 offers).
Table (1): Product listing categories with identity documents
Accordingly, AlphaBay, Dream Market and Hansa were selected as the three largest marketplaces in terms of the number of relevant offers. For each of these darknet marketplaces, every single offer was examined for data relevant to identity theft against the Italian Digital Identity Public Service (SPID). The key offers were therefore those listing Italian documents and their prices.
The collected data yielded 58 relevant product offers, which serve as the key inputs for threat detection and examination via the attack tree model, as we will show later.
The search for digital identity product listings on Tor marketplaces returned 42,901 offerings in the relevant categories shown in table (1) across the six most important Tor marketplaces, distributed as follows: 18,506 offerings on Dream Market; 9120 offerings on AlphaBay; 382 offerings on Leo; 13,068 offerings on Hansa; 111 offerings on Bloomfield; and 1714 offerings on Outlaw.
The three darknet marketplaces with the largest number of offerings (AlphaBay, Dream Market, and Hansa) were chosen, and the number of vendors and the distribution of product offerings were used to calculate the CR10 (the concentration ratio of the ten largest vendors). Results are shown in table (2). They show that Dream Market and Hansa had more relevant offers than AlphaBay.
Table (2): Size and structure of the three biggest marketplaces
Among all the product offerings listed under the relevant categories, 58 offerings related to the identity of Italian citizens. They were distributed as follows: 19 on Dream Market, 28 on AlphaBay, and 11 on Hansa. The offerings were sold by 38 vendors, 4 of whom shipped the products directly from Italy. Table (3) shows the distribution of the product offerings across the different marketplaces in detail.
Table (3): Distribution of Italian ID offerings
Analysis of the relevant product offerings led to the identification of three types of product that can be purchased in order to obtain fake Italian identities:
1- Scan/PSD: offerings that include scans of real documents or a PSD (Adobe Photoshop) template used to produce a fake ID
2- Fake: offerings that include counterfeit IDs
3- Guide/Manual/Info: offerings that include guides or tutorials on how to produce a fake ID.
Scenario of attacks on e-ID infrastructures:
Twenty-one different generic e-ID attack subtrees were identified, including:
– e-Id credentials physical theft
– e-Id credentials purchase via Tor marketplaces
– e-Id credentials online purchase via Clearnet or darknet criminal closed groups
– e-Id credentials exfiltration via means of third parties attacks
– valid registration via various authentication factors (CNS, smartphones, e-ID card, SSN etc.).
For every main attack subtree, feasibility was analyzed with respect to the products offered for sale on Tor marketplaces. More specifically, the cost of the items needed for each attack scenario can be estimated by examining the resources the scenario requires. If the exploit requires a resource, the total requirement for that resource is derived from the metrics of the scenario’s leaf nodes for that resource (their combined cost). If the resource is reusable (such as ID Photoshop templates), the requirement is instead the maximum of those leaf-node metrics. This result is produced via the pruning technique, a simple means of evaluating whether an adversary can feasibly launch an attack scenario: it compares the adversary’s resources with the scenario’s behavioral indicator costs. Scenarios whose resource requirements exceed the adversary’s capabilities are eliminated from consideration (since that adversary cannot provide them). The remaining attacks are feasible and, depending on whether they are favorable to the threat agent, will yield some non-zero probability level.
The 21 attack scenarios, including those that require technical skills to succeed, mostly depend on the existence of a black market of identities that can be purchased over Tor marketplaces. More specifically, figure (2) illustrates an online registration weakness arising from the ease of acquiring fake identity documents via Tor marketplaces. Practically speaking, in the examined case, successfully completing registration of an e-ID requires:
(a) a physical SSN
(b) a physical ID card
(c) a de visu (face-to-face) identification completed by an employee of the e-ID provider
Authentication factors (a) and (b) can be purchased over Tor marketplaces for around EUR 500. As such, the entire burden of the identification and authentication processes falls on the employee, who should be trained to recognize counterfeit documents. Nevertheless, this is frequently not the case, because identification is performed as an ancillary task. For these reasons, figure (2) represents a practical vulnerability through which an illegitimate e-ID can be acquired.
Figure (2): Subtree of successful attacks
Furthermore, additional factors that can impact the risk of attack include:
– The cost is low and cannot be considered an obstacle to committing this crime
– The technical skills required are minimal: the ability to obtain bitcoin and purchase items on Tor marketplaces
– Time is not a relevant variable
– The potential noticeability is very low when the operator performing the identification is inexperienced, because fake documents are difficult to recognize.
The exploitation of this vulnerability represents a serious threat to all e-ID-based services. Practically speaking, it undermines the reliability and trust of the entire e-ID system, whose security is only as strong as its weakest provider. A secondary negative effect is the overall situational facilitation of occasional criminals successfully committing identity theft.