July 25, 2013 By Diana Kelley 3 min read

If you’re not a Dickens or Dostoevsky scholar, you may have missed one of the most interesting cases of identity fraud in recent literary history. On October 24, 2011, The New York Times published a review of Claire Tomalin’s biography “Charles Dickens.” The review led with an extraordinary anecdote recounted in Tomalin’s book about a meeting in 1862 between Charles Dickens and Fyodor Dostoevsky. During this purported meeting, Dickens shared with Dostoevsky insights into his authorial mindset that have long been suspected by some scholars but never validated in his letters or other known conversations. But to Dostoevsky, Dickens apparently confessed: “All the good simple people in his novels . . . are what he wanted to have been, and his villains were what he was.”

After the review was published, some readers and academics started asking reasonable questions. Why had Dickens confided in an, at the time, relatively unknown foreign author whom he had just met? How did the two even connect? What language did they use when speaking to one another? Dostoevsky did not speak English and Dickens did not speak Russian.  And, perhaps most perplexing, how had such a juicy bit of Dickens lore been overlooked for so long?

The short answer to that last question was that it hadn’t. The anecdote was invented, as was the academic, Stephanie Harvey, who first introduced the anecdote in Volume 98 of the journal The Dickensian. Stephanie Harvey was a fraudulent academic identity created by “rejected scholar” AD Harvey as part of a much larger and convoluted scam of false identities created for publishing purposes, which has been researched and reported painstakingly by Eric Naiman in The Times Literary Supplement.

What’s interesting about the AD/Stephanie Harvey hoax is not simply that the editors of The Dickensian failed to authenticate Stephanie prior to publishing her work, but how this first broken link in the chain of trust created a cascading effect. The Dickensian is trusted by scholars, so Claire Tomalin cited the original story and article without doing any additional validation.

We’ve got the same core issue in IT when we’re managing digital identities for our own companies or interacting with federated identity solutions. And while we spend a lot of time talking about how to pass identity information and assertions securely (OAuth, SAML), not as much time is spent on the processes surrounding that first validation check, the one before the initial ID is issued. Yet the trust chain is only as strong as that first link.

All of this was going through my head the other day while reading the text of Gunnar Peterson’s excellent Cloud Identity Summit 2013 keynote “Identity is the New Currency.” Gunnar makes an excellent case for the increasing value of identity in the coming years and issues a call to action for upfront and back-end integration work, and ponders how newer technologies like cloud computing and mobile device use will impact the identity space.

But what Gunnar doesn’t really touch on is that very first link – the issuance of the initial identity credentials and how much havoc can be wreaked down the line if the process isn’t managed well enough to prevent first link fraud. If identity does in fact become the new currency, then identity fraud will become even more attractive in the future.

Attackers tend to go for the easiest pickings, the lowest hanging fruit. If it’s easier to fabricate false identities, like the legion of fake Twitter followers for sale to people desperate for Twitterverse cachet, than it is to steal real identities, that’s what the fraudsters will do. We’ve seen similar transitive trust attacks in the PKI space: when the DigiNotar CAs were infiltrated, valid certificates were issued to attackers for high-value domains like google.com and yahoo.com, and man-in-the-middle (MitM) attacks were launched against some Gmail users.

Building strong integrations and passing identity tokens and data securely is critical. But we have to start at the beginning and strengthen how identities are created in the first place to make sure the chain is really strong or risk cascading fraud through trusted entities down the line.

Another editor who was duped by AD Harvey offered to step down after the fraud was uncovered. His resignation wasn’t accepted, but losing your job and reputation is a high price to pay for failing to validate an identity. If identity is the new currency, then putting controls in place to prevent issuance of credentials for non-existent entities will be the gold standard against which it’s pegged.
