If you’re not a Dickens or Dostoevsky scholar, you may have missed one of the most interesting cases of identity fraud in recent literary history. On October 24, 2011 The New York Times published a review of Claire Tomalin’s biography “Charles Dickens.” The review led with an extraordinary anecdote recounted in Tomalin’s book about a meeting in 1862 between Charles Dickens and Fyodor Dostoevsky. During this purported meeting, Dickens shared with Dostoevsky insights into his authorial mindset that have long been suspected by some scholars but never validated in his letters or other known conversations. But to Dostoevsky, Dickens apparently confessed: “All the good simple people in his novels . . . are what he wanted to have been, and his villains were what he was.”
After the review was published, some readers and academics started asking reasonable questions. Why had Dickens confided in a foreign author who was, at the time, relatively unknown and whom he had just met? How did the two even connect? What language did they use when speaking to one another? Dostoevsky did not speak English and Dickens did not speak Russian. And, perhaps most perplexing, how had such a juicy bit of Dickens lore been overlooked for so long?
The short answer to that last question was that it hadn’t. The anecdote was invented, as was the academic, Stephanie Harvey, who first introduced the anecdote in Volume 98 of the journal The Dickensian. Stephanie Harvey was a fraudulent academic identity created by “rejected scholar” AD Harvey as part of a much larger and convoluted scam of false identities created for publishing purposes, which has been researched and reported painstakingly by Eric Naiman in The Times Literary Supplement.
What’s interesting about the AD/Stephanie Harvey hoax is not simply that the editors of The Dickensian failed to authenticate Stephanie prior to publishing her work, but how this first broken link in the chain of trust created a cascading effect. The Dickensian is trusted by scholars so Claire Tomalin cited the original story and article without doing any additional validation.
We’ve got the same core issue in IT when managing digital identities for our own companies or interacting with federated identity solutions. And while we spend a lot of time talking about how to pass identity information and assertions securely (OAuth, SAML), not as much time is spent on the processes surrounding that first validation check, the one before the initial ID is issued. Yet the trust chain is only as strong as that first link.
All of this was going through my head the other day while reading the text of Gunnar Peterson’s excellent Cloud Identity Summit 2013 keynote “Identity is the New Currency.” Gunnar makes an excellent case for the increasing value of identity in the coming years and issues a call to action for upfront and back-end integration work, and ponders how newer technologies like cloud computing and mobile device use will impact the identity space.
But what Gunnar doesn’t really touch on is that very first link – the issuance of the initial identity credentials and how much havoc can be wreaked down the line if the process isn’t managed well enough to prevent first link fraud. If identity does in fact become the new currency, then identity fraud will become even more attractive in the future.
Attackers tend to go for the easiest pickings, the lowest hanging fruit. If it’s easier to fabricate false identities, like the legion of fake Twitter followers for sale to people desperate for Twitterverse cachet, than it is to steal real identities, that’s what the fraudsters will do. We’ve seen similar transitive trust attacks in the PKI space when the DigiNotar CAs were infiltrated: valid certificates were issued to attackers for high value domains like google.com and yahoo.com, and man-in-the-middle (MitM) attacks were launched against some Gmail users.
Building strong integrations and passing identity tokens and data securely is critical. But we have to start at the beginning and strengthen how identities are created in the first place to make sure the chain is really strong, or risk cascading fraud through trusted entities down the line.
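To make the "first link" argument concrete, here is an added illustration (constructed for this post, not code from any product or from the Cloud Identity Summit material) of a toy federated-identity flow. The issuer, the signing key, the `proofed` and `employee_id` claims and the "authoritative registry" are all assumptions of the example. It shows that a relying party's signature check passes just as happily for a credential minted for a fabricated name as for a real one, so the only place the fraud can be stopped is at issuance; it also shows how recording the proofing outcome in the credential lets downstream consumers refuse unproofed identities for sensitive actions.

```python
"""Toy federated-identity flow showing why signature checks cannot
compensate for weak identity proofing at enrollment.  Constructed
example; the issuer, claim names and the 'authoritative registry' are
stand-ins, not any real product's API."""
import base64
import hashlib
import hmac
import json

# Constructed issuer signing key (would be an HSM-held key in practice).
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed stand-in for the authoritative source the issuer consults
# before enrolling someone (HR system, government ID verification, etc.).
AUTHORITATIVE_REGISTRY = {"claire.tomalin": {"employee_id": 1001}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: dict) -> str:
    """Produce a compact 'body.signature' assertion (HMAC-SHA256)."""
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def issue_without_proofing(subject: str) -> str:
    """Weak enrollment: the issuer signs whatever name it is handed.
    'proofed' is a constructed claim recording that no check was done."""
    return _sign({"sub": subject, "proofed": False})


def issue_with_proofing(subject: str):
    """Stronger enrollment: refuse to issue unless the claimed subject
    exists in the authoritative registry; record that the check passed."""
    record = AUTHORITATIVE_REGISTRY.get(subject)
    if record is None:
        return None  # first-link check failed: no credential is minted
    return _sign({"sub": subject, "proofed": True,
                  "employee_id": record["employee_id"]})


def verify(assertion: str):
    """Relying-party check: valid signature from the trusted issuer.
    Returns the claims, or None.  A valid signature says nothing about
    whether the subject was ever a real person."""
    try:
        body, sig = assertion.split(".")
    except ValueError:
        return None
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def accept_for_sensitive_action(assertion: str) -> bool:
    """Policy layer: a downstream consumer that insists on a proofed
    credential for high-value operations, so an unproofed identity
    cannot ride the trust chain all the way through."""
    claims = verify(assertion)
    return bool(claims and claims.get("proofed") is True)


if __name__ == "__main__":
    fake = issue_without_proofing("stephanie.harvey")  # nobody checked
    print("fake assertion has a valid signature:", verify(fake) is not None)
    print("fake accepted for sensitive action:", accept_for_sensitive_action(fake))
    print("fabricated identity refused at issuance:",
          issue_with_proofing("stephanie.harvey") is None)
    real = issue_with_proofing("claire.tomalin")
    print("proofed identity accepted:", accept_for_sensitive_action(real))
```

The point of the two issuers is that `verify` is identical for both: once a credential exists, the cryptography downstream faithfully carries whatever the issuer vouched for. Real deployments express the same idea through assurance-level signals such as the OIDC `acr` claim or a SAML AuthnContextClassRef, but the enforcement still has to happen before the credential is minted.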
Another editor that was duped by AD Harvey offered to step down after the fraud was uncovered. His resignation wasn’t accepted, but losing your job and reputation is a high price to pay for failing to validate an identity. If identity is the new currency, then putting controls in place to prevent issuance of credentials for non-existent entities will be the gold standard against which it’s pegged.
Executive Security Advisor, IBM Security