Identity fraud isn’t only about people. It’s also about things. And there are some pretty big things out there (e.g., oil tankers) that are lying about their identity.
We tend to think about identity fraud as something involving human beings, but as “The Internet of Things” expands, identity fraud will increasingly affect stuff as much as people. In fact, it already does.
In July, almost 700 ships worldwide engaged in identity fraud, which has grown 30 percent in the past two years… To hide their crimes on the high-seas, these ships broadcast false identities by using transmitters taken from scrapped vessels on the black market and by typing in made-up ID numbers.
Who knew! There is maritime so-called “Internet of Things” (or “IoT”) fraud rampant even as I type. I had absolutely no idea that ships had identity devices on board, but I suppose the idea is to help the Somali pirates to work out which ships to attack and which ships to leave alone.
Fifteen percent of all ships transmitting fake identities are tankers, typically carrying oil or oil products.
Fascinating. There are tanker-loads of looted and expropriated oil pottering along the sea-lanes of the world masquerading as quinquiremes of Nineveh, illegal fishing boats masquerading as stately Spanish galleons and hulls laden with sanctions-busting weaponry masquerading as dirty British coasters. You really do learn something every day.
This Automatic Identification System (AIS) was designed to promote safety and avoid collisions by giving ships information on nearby vessels that might not be visible due to distance, bad weather conditions, or in crowded seas…. over the past year, there has been a 30% rise in AIS manipulation of IMO numbers (a ship’s identity number, which is not supposed to change throughout its ‘lifetime’), with over 1% of the AIS-transmitting ships now reporting false identification data.
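As an added illustration (not code from the original post or from any AIS product), the sketch below screens a batch of identity reports for the two problems the quoted passages describe: made-up ID numbers and IMO numbers that change. It assumes the standard IMO check-digit rule and a simplified record of (hour, MMSI, IMO), where the MMSI is the AIS transmitter's station identifier; all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample reports (not real vessels): (hour, mmsi, imo)
REPORTS = [
    (0, "111000001", "1234567"),
    (1, "111000001", "1234567"),
    (2, "111000002", "7654321"),  # check digit does not match
    (3, "111000003", "1000007"),
    (9, "111000003", "2000004"),  # same transmitter, different IMO later
    (4, "111000004", "1234567"),  # IMO already claimed by 111000001
]

def imo_is_valid(imo: str) -> bool:
    """IMO rule: first six digits weighted 7..2, last digit of the sum is digit 7."""
    if len(imo) != 7 or not (imo.isascii() and imo.isdigit()):
        return False
    total = sum(int(d) * w for d, w in zip(imo[:6], range(7, 1, -1)))
    return total % 10 == int(imo[6])

def find_anomalies(reports):
    """Return findings for review; a finding is a lead, not proof of fraud."""
    findings = []
    imos_by_mmsi = defaultdict(list)
    mmsis_by_imo = defaultdict(list)
    for _, mmsi, imo in sorted(reports):  # process in time order
        if not imo_is_valid(imo):
            findings.append(("bad_check_digit", mmsi, imo))
            continue
        if imo not in imos_by_mmsi[mmsi]:
            imos_by_mmsi[mmsi].append(imo)
        if mmsi not in mmsis_by_imo[imo]:
            mmsis_by_imo[imo].append(mmsi)
    # An IMO number should stay with a hull for life, so a change is suspect.
    for mmsi, imos in imos_by_mmsi.items():
        if len(imos) > 1:
            findings.append(("imo_changed", mmsi, tuple(imos)))
    # One IMO seen from several transmitters may be a cloned identity
    # (or a legitimate re-registration, hence review rather than block).
    for imo, mmsis in mmsis_by_imo.items():
        if len(mmsis) > 1:
            findings.append(("imo_shared", imo, tuple(mmsis)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(REPORTS):
        print(finding)
```

A check digit only catches carelessly invented numbers; an identity copied from a scrapped vessel passes it, which is why the cross-report consistency checks matter more.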
As far as I can tell, everywhere that the IoT pops up — from health to transport to home control to in-car — it pops up with no security infrastructure (and, by the way, a password isn’t security).
The Internet of Things (IoT), despite being decades old in concept, is a muddle of emerging technologies with unnerving social, legal and moral implications, set in motion as the Internet and wireless became pervasive and sensor chips affordable.
There are no standards, no authentication, no audit, no identity infrastructure at all. The IOEET is a Chernobyl, people, a Chernobyl. I said this recently when the good people at Imperial College invited me along to give a guest lecture in their Smart Cities series. It was originally going to be called “Privacy in the Digital City” but I came up with a much better title. I called it “The Internet of Everyone Else’s Things”, my comment on the rush to build the IoT without having a realistic plan for securing and managing this new infrastructure. It’s one thing to joke about smart fridges, and who can resist it, but it’s not about fridges, it’s about everything. And, a point I made eight years ago, it’s really not clear to me that IoT deployment is rational or, at the moment, useful.
In the UK, we’re already looking at using RFID in hospitals, but for tracking important things like equipment, not patients.
In the mass market, IoT deployment will, of course, have to be something that co-opts consumers to police it. When it’s something like wine labels, you can see why people will co-operate to make it work.
After all, who wants to be embarrassed serving a fake wine at dinner and, aside from that, who doesn’t want to learn more about a wine that they try and like?
But how can they trust it? How do you know if the ID of your wine is real or fake? What if you don’t want your guests to know which wine they are being served? Putting IDs into things, whether ships or bottles of wine or blood pressure monitors, is not, by itself, the solution. We are missing a whole layer that needs to sit on top of the “things”.
How do we turn tags on and off? How do we grant and revoke privileges? How do we allow or deny requests for product or provenance?
Now, as I have previously written, the way forward is to trust the provenance rather than the product. The ID of the wine bottle is only useful to me if I can go online and see whether that ID is real, where the bottle was bought from, where it was bottled and so on and so forth. When it comes to consumer products, in security terms this means only one thing.
The counterfeiters will inevitably shift their attention to attacking the database.
Is Bitcoin the solution here too then? Perhaps we might all be getting a little carried away with potential uses of the blockchain to make trustless infrastructure for the greater good, but I have a strong suspicion that there is going to be a relationship between blockchain technology and IoT technology, because we need a means to ensure that virtual representations of things in the mundane cannot be duplicated in the virtual. We can do this three ways as far as I know: a database, tamper-resistant hardware or blockchain. It’s for the market to determine which method will deliver the right balance of cost and functionality.
P.S. For those of a literary bent, the title and ship descriptions in this post come from the John Masefield poem “Cargoes”, which I (and a great many other British schoolchildren of the era) had to learn by heart when small.