Stealing another's identity requires no professional hacking experience, just common sense. A software engineer points the way.
Herbert Thompson seems like just another smart academic software developer who loves formulas and geeking out. But he’s also stolen the identities of several casual acquaintances. In fact in one case he gained access to a bank account in seven shockingly simple steps. And he used no special programming tricks, just common sense.
Thompson stole identities as an experiment back in 2008 to show the public how easy it is to get access to personal data and banking information. He proved it only requires some simple surfing for freely available personal data and cobbling it together in powerfully creative ways. Thompson began his experiments by first receiving permission from people he barely knew to try to break into their bank accounts. What the following steps show is how vulnerable we all are to security breach.
He knew her name was Kim, where she was from, where she worked and roughly her age. He also knew the name of her bank and her username although as Thompson says, this was easy to guess—it was her first initial and last name. (Note: Change your username to something a bit less obvious.)
1) Google search. He googles her. Finds a blog and a resume. (Thompson called her blog a “goldmine.”) He gets information about grandparents, pets, hometown. Most important, he gets her college email address and current Gmail address.
2) Next stop: Password recovery feature on her bank's web site. He attempts to reset her bank password. But the bank sends a reset link to her email, which he does not have access to. So he needs to get access to her gmail.
3) Gmail access. He attempts to reset her gmail password but gmail sends this to her college email address. Gmail tells you this address’ domain (at least it did in 2008 when Thompson conducted the experiments) so he knew he had to get access to that specific address.
4) College email account page. Thompson clicks the “forgot password” link on this page and winds up facing a few questions. Home address, home zip code and home country? No problem, Thompson has it all from her resume, the same resume found from the simple Google search done earlier. Then came a stumbling block: the college wanted her birthday. But he only had a rough idea of her age, no actual birth date.
5) State traffic court web site. Apparently you can search for violations and court appearances by name! And such records include a birth date. (Facebook also makes this piece of data very easy to get even if people do not note their birth year…remember Thompson knew roughly how old Kim was.) But he had no luck with the Department of Motor Vehicles.
6) Thompson goes back to the blog and does a search for “birthday.” He gets a date but no year.
7) Finally, Thompson attempts the college password reset again. He fills in her birth date and simply guesses the year. He gets it wrong. But the site gives him five chances, and tells him which field has the error. So he continues to guess. He gets access in under five guesses. He changes her college password. This gives him access to her Gmail password reset email. Google requires some personal information which he is able to get easily from her blog (e.g., father’s middle name). Thompson changes the Gmail password and that gives him access to the bank account password reset email. Here again he is asked for personal information but nothing that he could not glean from Kim’s blog (e.g., pet name and phone number). He resets the bank password and bingo, has immediate access to all her records and money.
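Two details in step 7 did the real damage: the reset form named the wrong field, and it kept accepting guesses. The following Python is an added example, not code from Thompson's experiment or from any of the sites involved; it contrasts a mock recovery-question check that behaves like that form with a hardened one that checks every field, returns a single generic result, and locks the reset path after a few failures. The field names, answers and MAX_ATTEMPTS value are constructed for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # constructed policy value for the example


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalize case and whitespace, then hash with a per-record salt so a
    # leaked recovery table does not expose the answers in clear text.
    normalized = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalized.encode(), salt, 100_000)


def make_record(answers: dict) -> dict:
    """Build a recovery record from a dict of {field: answer} (constructed data)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt,
            "answers": {f: _hash_answer(a, salt) for f, a in answers.items()},
            "failures": 0, "locked": False}


def weak_verify(record: dict, submitted: dict) -> str:
    """Mirrors the college site in step 7: no lockout, and the message names
    the first wrong field, so a guesser can fix one field at a time."""
    for field, stored in record["answers"].items():
        if _hash_answer(submitted.get(field, ""), record["salt"]) != stored:
            return f"{field} is incorrect"
    return "ok"


def hardened_verify(record: dict, submitted: dict) -> str:
    """Checks every field, returns one generic result, and locks the reset
    path after MAX_ATTEMPTS failures so a wrong field cannot be isolated."""
    if record["locked"]:
        return "locked"
    all_ok = True
    for field, stored in record["answers"].items():
        candidate = _hash_answer(submitted.get(field, ""), record["salt"])
        # No early exit: every field is always compared, and compare_digest
        # keeps the timing independent of where a mismatch sits.
        all_ok &= hmac.compare_digest(candidate, stored)
    if all_ok:
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_ATTEMPTS:
        record["locked"] = True
    return "verification failed"
```

The remaining weakness, that the answers themselves are public facts, is a question-selection problem that no server-side check fixes; the advice later on the page addresses that side.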
Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What's striking about Kim's case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts.
Yes in this case the personal information came from her blog but it could have easily come from a Facebook page or other online community pages.
Thompson provides sage advice on Scientific American:
Go and do a self-check. Try to reset your passwords and see what questions are asked to verify your identity. Some questions are better than others. Date of birth, for example, is bad. In addition to the DMV, there is a wealth of public records available online where folks can track down when you were born. Most account reset features give you a choice of questions or methods to use. Go for questions that ask about obscure things that you won't forget (or can at least look up), like your favorite frequent flyer number. Avoid questions that are easy to guess, such as which state you opened your bank account in.
It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.
[via Scientific American]
[photo via manitou2121]
Dec 15, 2011
Great article actually! Somebody brave and smart enough to show people tangible evidence that stealing one's identity is very easy to do. There is no information being offered here that identity thieves don't already know about I'm sure. This article is a great illustration that we need to make protecting our identities a top priority. Thanks. Here is some other good info: http://topcreditmonitoringservices.com/
Baby talk words for pets as passwords work for me, because they're so damn goofy and personal, and they're easy to remember.
The idea is that the bad guys know all of this already - at least let their potential victims in on it too...
I have over 50 passwords in my Chrome password list! The problem is you really need to use different passwords for each site. These passwords need to be unpredictable to a hacker if he happens to know one of them (so he can't guess the others). At the same time, we need to be able to remember or have a note of these passwords so we can use them from any other computer. Keeping them in the cloud is a solution, but we then put all our eggs in someone else's basket. What can/do you do?
Why don't I at least get some kind of error message when a well-thought-out response is posted but does not appear? All I can make are stupid little posts like this.
Try to open a Hotmail e-mail account and then, without knowledge of the secondary account or the computer with Vista or Windows 7 that may have been used (the only computer allowed to make changes btw), try to change the password and get access. As a tech savvy user, I tried to help a friend who could not get access to her account. We even knew that other e-mail addy but since it was also a Hotmail account and hadn't been used in some time, could not get access to it. At least Gmail has a way to call someone, but not sure how well that works, just saw the phone number, which Microsoft does not have. Best solution is to have a local ISP and e-mail. You cannot change the password without contacting them directly and you have people to talk with instead of a computer. Better security and less hassle for those in real need of changing information. Don't have too many passwords either. For the average user, they will forget passwords unless they are written down either in a file or on paper. This makes information less secure right off the top. If requirements were the same on all sensitive accounts it would be a blessing, but some require you to reset your password or access the account within a certain time period. Some require letters and numbers, at least 8, while others require at least one upper case and one lower case as well as a number and some kind of symbol. Why not make it universal? I'm sure the government could simply tell people their URL will be removed from the DNS unless they comply and have it happen. Pretty easy to force companies to stop being so lazy.
One of the tricks I learned, and taught, as an IT specialist was quite simple. When creating answers to security questions, LIE! I emphasize this only to be funny, but the procedure works. As long as you remember or safely record the answers, you can say your father's middle name is anything! Your elementary school could suddenly be in Bangkok! People who can find real answers aren't helped unless you do something too routine or obvious when you create the fictitious answers. You can't fake some things, but most of you will know what you CAN alter.
Hi: Thanks for this, "How to steal an identity." This can get some evil guys rich; stealing homeowners' houses. Thanks Sir, Mr Innocenti.
If someone needs to access someone else's bank account, some bank accounts are easy to get. Mostly only the account number is needed for telephonic interactions. One bank asks me the following details for 'security' reasons:
email ID: easy to get
mobile number: again not too difficult
DOB: may be a bit difficult if the target is a bit security conscious, else all details from Facebook.
Whenever I seek a password from my various bank accounts, I get an email admonishing me to confirm that it was *I* who sought the information. Kim fell down on the job when she didn't reply to the emails sent by her bank or other financial branch acknowledging that she requested the information. The hacker could have been shut down completely if she had responded to the bank queries to assure that it was she who requested the information. That said, I have changed my challenge information to make sure that a hacker could not figure out what my password response was. Even my wife doesn't have a clue what the answer is. Nowhere on any site is the answer to my challenge question. Thanks for the insight to make my information less accessible to a knowledgeable hacker.
That's why your registration data should be minimum or fake (birthday, address, answer to secret question). The only true data you should give is your name, and that's it.
I never give my real birth date to anyone that doesn't really need it. Especially not any social media site. I put in a fake date that still keeps my age over 18. There are a lot of bad guys out there that will use all the information you make public.
Honestly this is just the tip of the iceberg. Lock your cell phones there is a ton of information in there that someone could use against you. Limit the information you have online. Yes facebook and google + allow you to put in all types of information but unless you lock your account then anyone can see it. Have some idea of what information about you is out there. Do some searching yourself. If you find a site or page that has information you might not want to share find out how to remove it.
...also use cell phone password reset. It's easy to hack someone's cell and hijack text messages, especially if it's on a smartphone.
Google provides it with GAuthenticator for free. It would have rendered this type of attack completely useless.
This should serve as a wake-up call to the multitudes of people who have laid themselves bare in the internet. I'm no Luddite, but aside from being a huge time suck, typical social media encourages posting way too much personal data. People are fools to post ANY details. If you want to promote a career stick to some high points and explain that details are available to qualified requestors.
One way to stop this line of attack is to treat security questions as just another password prompt. You can put any data into these fields, and it can be completely random. That way nobody can guess the answer from online info. Of course, this is a bit of a problem when you're trying to remember one password by entering another. But you can use the same one or two passwords for all security questions. You will be no worse off than if the information can be obtained by anybody on the internet, and in most cases better off. Or you can store the info on USB keys, protected via Lastpass or similar online database which can be opened using a Yubico Yubikey, or even written down somewhere if that location is secure. Remember, this is a backup system for when you've forgotten a password, it doesn't have to be as convenient or easy as normal password entry.
Sometimes you can reveal information that may seem of no help to a person seeking to get control of your life. An example: once I received a telephone call from an insurance agent (? )who quoted my birthdate month and year. He wanted the name of the town where I was born. I told him he had no need for that for insurance purposes and hung up. The risk: he writes to the county seat offices, quoting the birthdate information, and requests a birth certificate. He no doubt would have received it and away goes my identity.
Once the hacker gets into your email accounts, he can delete the emails that the bank sent. I don't know about you, but most students are not checking their email every few minutes. Now, if she had a smartphone (he could have determined that from the blog, maybe), she might have had a chance.
Not so with Google. I know somebody who gave a fake birthday for the Google phone number offer, and Google shut that person down until a birth certificate is produced to prove real age. That person refuses as Google is asking for information that is not necessary for the kind of service they are providing. It could be used for identity theft - after all - Google is not a totally secure service either!
Please enlighten us because I have looked for such an item and come up with nothing... how/where do we get said item?
I agree that using an obscure answer and question (not always allowed) is a great approach. It also makes sense to use a dead-end email that is not set up for reset. Eventually you might need to send a letter and proof, but all is protected. Plus you can create one that can be very specific and also use a local doc store to hold its value with a reverse obscure reference.