If you’re not a Dickens or Dostoevsky scholar, you may have missed one of the most interesting cases of identity fraud in recent literary history.  On October 24, 2011 The New York Times published a review of Claire Tomalin’s biography “Charles Dickens.” The review led with an extraordinary anecdote recounted in Tomalin’s book about a meeting in 1862 between Charles Dickens and Fyodor Dostoevsky. During this purported meeting, Dickens shared with Dostoevsky insights into his authorial mindset that have long been suspected by some scholars but never validated in his letters or other known conversations. But to Dostoevsky, Dickens apparently confessed: “All the good simple people in his novels . . . are what he wanted to have been, and his villains were what he was.”

After the review was published, some readers and academics started asking reasonable questions. Why had Dickens confided in an, at the time, relatively unknown foreign author whom he had just met? How did the two even connect? What language did they use when speaking to one another? Dostoevsky did not speak English and Dickens did not speak Russian.  And, perhaps most perplexing, how had such a juicy bit of Dickens lore been overlooked for so long?

The short answer to that last question was that it hadn’t. The anecdote was invented, as was the academic, Stephanie Harvey, who first introduced the anecdote in Volume 98 of the journal The Dickensian. Stephanie Harvey was a fraudulent academic identity created by “rejected scholar” AD Harvey as part of a much larger and convoluted scam of false identities created for publishing purposes, which has been researched and reported painstakingly by Eric Naiman in The Times Literary Supplement.

What’s interesting about the AD/Stephanie Harvey hoax is not simply that the editors of The Dickensian failed to authenticate Stephanie prior to publishing her work, but how this first broken link in the chain of trust created a cascading effect. The Dickensian is trusted by scholars, so Claire Tomalin cited the original story and article without doing any additional validation.

We’ve got the same core issue in IT when we manage digital identities for our own companies or interact with federated identity solutions. And while we spend a lot of time talking about how to pass identity information and assertions securely (OAuth, SAML), not as much time is spent on the processes surrounding that first validation check, the one before the initial ID is issued. Yet the trust chain is only as strong as that first link.

All of this was going through my head the other day while reading the text of Gunnar Peterson’s excellent Cloud Identity Summit 2013 keynote “Identity is the New Currency.” Gunnar makes an excellent case for the increasing value of identity in the coming years and issues a call to action for upfront and back-end integration work, and ponders how newer technologies like cloud computing and mobile device use will impact the identity space.

But what Gunnar doesn’t really touch on is that very first link – the issuance of the initial identity credentials and how much havoc can be wreaked down the line if the process isn’t managed well enough to prevent first-link fraud. If identity does in fact become the new currency, then identity fraud will become even more attractive in the future.

Attackers tend to go for the easiest pickings, the lowest-hanging fruit. If it’s easier to fabricate false identities, like the legion of fake Twitter followers for sale to people desperate for Twitterverse cachet, than it is to steal real identities, that’s what the fraudsters will do. We’ve seen similar transitive trust attacks in the PKI space: when the DigiNotar CAs were infiltrated, valid certificates were issued to attackers for high-value domains like google.com and yahoo.com, and man-in-the-middle (MitM) attacks were launched against some Gmail users.

Building strong integrations and passing identity tokens and data securely is critical. But we have to start at the beginning and strengthen how identities are created in the first place to make sure the chain is really strong, or risk cascading fraud through trusted entities down the line.

Another editor who was duped by AD Harvey offered to step down after the fraud was uncovered. His resignation wasn’t accepted, but losing your job and reputation is a high price to pay for failing to validate an identity. If identity is the new currency, then putting controls in place to prevent issuance of credentials for non-existent entities will be the gold standard against which it’s pegged.
