Anonymous Remailers VS Identity Theft
- September 1, 2013
- Francois Mouton
- no comments.
Identity theft can have a large impact on an individual, especially if the identity is in the hands of a social engineer. This can lead to information gathering and eventual social engineering attacks. I explored some ideas of how identity theft can be stopped, or at least made more difficult and eventually coded an anonymous remailer to see if this might work.
The idea is that the remailer can protect the identity of the sender of an email, and with some modifications can protect the receiver as well. If someone phones a call centre and convinces the call centre agent to send them an email containing some documents (something related to the “call”), the recipient then has access to the agent’s email address and the information gathering process can start. This can lead to penetration into the organisation due to one employee.
In our article, “Protecting e-mail anonymity with an anonymizer bouncer”, we proposed a model to protect the identity of the call centre agent, so that the above mentioned scenario can be prevented. A middle-man remailer is created which handles all e-mails being sent to and from the call centre. The call centre agent sends an email to the remailer, with the caller’s email address integrated in the subject. The remailer system then encrypts the sender’s email address, changes the header of the email and forwards it to the caller, removing all traces of the call centre agent’s email address. The caller can then hit reply at which point it will go back to the remailer, which will decrypt the agent’s email and forward the reply to the agent.
This may not be the ultimate solution to all our identity theft problems, but it at least makes it a bit harder as all emails are traced back to the remailer (which is on a separate server not linked to the call centre).