CROO: A Universal Infrastructure and Protocol to Detect Identity Fraud

  • D. Nali
  • P. C. van Oorschot
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5283)


Identity fraud (IDF) may be defined as unauthorized exploitation of credential information through the use of false identity. We propose CROO, a universal (i.e. generic) infrastructure and protocol to either prevent IDF (by detecting attempts thereof), or limit its consequences (by identifying cases of previously undetected IDF). CROO is a capture resilient one-time password scheme, whereby each user must carry a personal trusted device used to generate one-time passwords (OTPs) verified by online trusted parties. Multiple trusted parties may be used for increased scalability. OTPs can be used regardless of a transaction’s purpose (e.g. user authentication or financial payment), associated credentials, and online or on-site nature; this makes CROO a universal scheme. OTPs are not sent in cleartext; they are used as keys to compute MACs of hashed transaction information, in a manner allowing OTP-verifying parties to confirm that given user credentials (i.e. OTP-keyed MACs) correspond to claimed hashed transaction details. Hashing transaction details increases user privacy. Each OTP is generated from a PIN-encrypted non-verifiable key; this makes users’ devices resilient to off-line PIN-guessing attacks. CROO’s credentials can be formatted as existing user credentials (e.g. credit cards or driver’s licenses).
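The abstract describes three mechanisms: a device-held key that is PIN-encrypted without redundancy (so no offline PIN guess can be checked against it), one-time passwords derived from that key, and a credential formed as an OTP-keyed MAC over hashed transaction details that an online trusted party can verify against the claimed hash. The following is an added Python illustration of those three pieces working together; it is not the paper's own protocol or code. The specific constructions (PBKDF2 to turn the PIN into an XOR mask, HMAC-SHA256 over a counter to derive each OTP, SHA-256 for hashing transaction details) and all sample values are assumptions chosen for the illustration, not details taken from the paper.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration (not from the paper).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def pin_to_mask(pin: str, salt: bytes) -> bytes:
    """Turn the PIN into a key-length mask (assumed KDF; the paper fixes none)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, KDF_ITERATIONS, dklen=KEY_LEN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def enroll(pin: str):
    """Provision a device; return (device_state, master_key shared with the verifier).

    The device stores only a salt and blob = master_key XOR mask(PIN).  The blob is
    uniformly random and carries no redundancy, so unlocking it under any candidate
    PIN yields an equally plausible key: the stored key is non-verifiable offline.
    """
    salt = os.urandom(16)
    master_key = os.urandom(KEY_LEN)
    blob = xor(master_key, pin_to_mask(pin, salt))
    return {"salt": salt, "blob": blob}, master_key


def unlock(device: dict, pin: str) -> bytes:
    """Recover the master key under the supplied PIN; every PIN 'succeeds' locally."""
    return xor(device["blob"], pin_to_mask(pin, device["salt"]))


def otp(master_key: bytes, counter: int) -> bytes:
    """One-time password for a transaction counter (assumed HMAC-based derivation)."""
    return hmac.new(master_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def hash_transaction(details: str) -> bytes:
    """Hash the transaction details; the verifying party only ever sees this hash."""
    return hashlib.sha256(details.encode()).digest()


def make_credential(device: dict, pin: str, counter: int, details: str):
    """Device side: the OTP is never sent; it keys a MAC over the hashed details."""
    key = unlock(device, pin)
    h = hash_transaction(details)
    credential = hmac.new(otp(key, counter), h, hashlib.sha256).digest()
    return counter, h, credential


def verify(master_key: bytes, counter: int, h_claimed: bytes, credential: bytes) -> bool:
    """Trusted party: recompute the OTP and check the MAC against the claimed hash."""
    expected = hmac.new(otp(master_key, counter), h_claimed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, credential)


def demo():
    """Walk through a valid transaction, a wrong-PIN attempt and a tampered claim."""
    device, master = enroll("4931")                      # constructed PIN
    details = "pay 42.00 to merchant M, ref 0001"       # constructed transaction
    counter, h, cred = make_credential(device, "4931", 7, details)
    accepted = verify(master, counter, h, cred)

    # A wrong PIN still produces a well-formed credential with no local error,
    # so the only place a guess can be tested is the rate-limited online verifier.
    _, h2, cred2 = make_credential(device, "0000", 8, details)
    wrong_pin_rejected = not verify(master, 8, h2, cred2)

    # A claimed hash that does not match what the device MACed is rejected.
    tampered_rejected = not verify(master, counter, hash_transaction("pay 4200.00"), cred)

    return accepted, wrong_pin_rejected, tampered_rejected
```

The verifier never learns the transaction details themselves, only their hash, and the OTP itself never leaves the device; what an eavesdropper sees is a MAC that is useless without the OTP and bound to one counter value and one hashed transaction.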





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • D. Nali, School of Computer Science, Carleton University, Ottawa, Canada
  • P. C. van Oorschot, School of Computer Science, Carleton University, Ottawa, Canada
