July 25, 2013 By Diana Kelley 3 min read

If you’re not a Dickens or Dostoevsky scholar, you may have missed one of the most interesting cases of identity fraud in recent literary history.  On October 24, 2011 The New York Times published a review of Claire Tomalin’s biography “Charles Dickens.” The review led with an extraordinary anecdote recounted in Tomalin’s book about a meeting in 1862 between Charles Dickens and Fyodor Dostoevsky. During this purported meeting, Dickens shared with Dostoevsky insights into his authorial mindset that have long been suspected by some scholars but never validated in his letters or other known conversations. But to Dostoevsky, Dickens apparently confessed: “All the good simple people in his novels . . . are what he wanted to have been, and his villains were what he was.”

After the review was published, some readers and academics started asking reasonable questions. Why had Dickens confided in an, at the time, relatively unknown foreign author whom he had just met? How did the two even connect? What language did they use when speaking to one another? Dostoevsky did not speak English and Dickens did not speak Russian.  And, perhaps most perplexing, how had such a juicy bit of Dickens lore been overlooked for so long?

The short answer to that last question was that it hadn’t. The anecdote was invented, as was the academic, Stephanie Harvey, who first introduced the anecdote in Volume 98 of the journal The Dickensian. Stephanie Harvey was a fraudulent academic identity created by “rejected scholar” AD Harvey as part of a much larger and convoluted scam of false identities created for publishing purposes, which has been researched and reported painstakingly by Eric Naiman in The Times Literary Supplement.

What’s interesting about the AD/Stephanie Harvey hoax is not simply that the editors of The Dickensian failed to authenticate Stephanie prior to publishing her work, but how this first broken link in the chain of trust created a cascading effect. The Dickensian is trusted by scholars, so Claire Tomalin cited the original story and article without doing any additional validation.

We’ve got the same core issue in IT when we manage digital identities for our own companies or interact with federated identity solutions. And while we spend a lot of time talking about how to pass identity information and assertions securely (OAuth, SAML), not as much time is spent on the processes surrounding that first validation check, the one before the initial ID is issued. Yet the trust chain is only as strong as that first link.

All of this was going through my head the other day while reading the text of Gunnar Peterson’s excellent Cloud Identity Summit 2013 keynote “Identity is the New Currency.” Gunnar makes an excellent case for the increasing value of identity in the coming years and issues a call to action for upfront and back-end integration work, and ponders how newer technologies like cloud computing and mobile device use will impact the identity space.

But what Gunnar doesn’t really touch on is that very first link – the issuance of the initial identity credentials and how much havoc can be wreaked down the line if the process isn’t managed well enough to prevent first-link fraud. If identity does in fact become the new currency, then identity fraud will become even more attractive in the future.

Attackers tend to go for the easiest pickings, the lowest-hanging fruit. If it’s easier to fabricate false identities, like the legion of fake Twitter followers for sale to people desperate for Twitterverse cachet, than it is to steal real identities, that’s what the fraudsters will do. We’ve seen similar transitive trust attacks in the PKI space when the DigiNotar CAs were infiltrated: valid certificates were issued to attackers for high-value domains like google.com and yahoo.com, and man-in-the-middle (MitM) attacks were launched against some Gmail users.

Building strong integrations and passing identity tokens and data securely is critical. But we have to start at the beginning and strengthen how identities are created in the first place to make sure the chain is really strong or risk cascading fraud through trusted entities down the line.

Another editor that was duped by AD Harvey offered to step down after the fraud was uncovered. His resignation wasn’t accepted, but losing your job and reputation is a high price to pay for failing to validate an identity. If identity is the new currency, then putting controls in place to prevent issuance of credentials for non-existent entities will be the gold standard against which it’s pegged.
