​The Digital Land Grab

In the Internet of Things era, fraudsters are cashing in on the scarcity of Internet Protocol numbers.

Comments Views

​A South Carolina technology company faces charges of fraudulently obtaining more than 750,000 Internet Protocol addresses, The Post and Courier reports. U.S. federal prosecutors accuse Charleston, S.C.-based Micfo LLC and its CEO Amir Golestan of using at least 11 businesses to acquire the routing numbers from the American Registry for Internet Numbers (ARIN) Ltd.

The 32-digit addresses allow computers, mobile phones, and other devices to connect to Internet sites. However, the supply of numbers ran out four years ago, making unused numbers a hot commodity. ARIN said Micfo's businesses sent legitimate-looking requests, complete with notarized documents and links to "sophisticated" websites.

Lessons Learned

The topic of this story may seem technical, but what happened in this case is a significant contributor to the worldwide increase in internet scams. In the early days of the internet, Internet Protocol version 4 (IPv4) addresses (e.g., 4.4.4.4) were given out to essentially anyone who asked. At that time, there were 4 billion possible numbers that were 32-bit combination numbers.

More recently, Internet Protocol version 6 (IPv6) has been introduced to alleviate the shortage, but in this interregnum period where people are switching from IPv4 to IPv6, the v4 addresses have monetary value. ARIN was created to oversee IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean. The nonprofit now is fighting a wave of shady brokers who secure new IP address blocks under false pretenses and then resell them to spammers.

It is commendable that ARIN personnel eventually detected the 11 phony companies and sales of thousands of illegally obtained IPv4 numbers. And the registry's website contains references to fraud detection and prevention as well as its due diligence processes. For example, ARIN's Registration Services Department staff reviews all requests for resources and address transfers. Ultimately, it was ARIN's practice of requiring notarized documents for allocation and transfer that gave a factual device to demonstrate fraud and intent to authorities.

However, industry experts such as John Levine, author of The Internet for Dummies and a member of the security and stability advisory committee at the Internet Corporation for Assigned Names and Numbers, say ARIN does not have a reputation for going after IP address scammers. Given how valuable IPv4 space is, ARIN has to be more vigilant because the incentive for crooks to defraud is very high.

This is a challenge ARIN did not originally have to face. It was created in the context of the move to open up the internet to many more institutions and people, and away from its origins with the U.S. Defense Advanced Research Projects Agency. To check the validity of every IP address application and transfer may require much greater use of data analytics to detect flags. Perhaps ARIN may need to move away from its nonprofit orientation toward a more regulatory position, supported by government and businesses together.

One specific example of what a more regulatory stance could help improve is ARIN's annual validation exercise. Criminals look for dormant ARIN records and try to establish themselves as the rightful administrator. The registry has more than 30,000 legacy network records but only a validated point of contact for 54 percent of those networks. The remaining networks are ripe for targeting by hijackers who are interested in establishing legitimacy with ARIN so they can find a buyer for unused IPv4 addresses possessed by dormant legacy networks. Requiring a prompt response to validate contact information could help here, particularly where it is coupled with a delisting consequence for a nonresponse.

Art Stewart
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Art StewartArt Stewart<p>​Art Stewart is an independent management consultant with more than 35 years of experience in internal audit, financial management, performance measurement, governance, and strategic policy planning.​​​</p>https://iaonline.theiia.org/authors/Pages/Art-Stewart.aspx

 

Comment on this article

comments powered by Disqus
  • AuditBoard_Dec 2091_Premium 1
  • IIA CIA_Dec 2019_Premium 2
  • IIA AEC_Dec 2019_Premium 3