How to steal an identity in seven easy steps

By Christie Nicholson | December 15, 2011, 3:17 PM PST

Herbert Thompson seems like just another smart academic software developer who loves formulas and geeking out. But he has also stolen the identities of several casual acquaintances. In fact, in one case he gained access to a bank account in seven shockingly simple steps. And he used no special programming tricks, just common sense.

Thompson stole identities as an experiment back in 2008 to show the public how easy it is to get access to personal data and banking information. He proved it requires only some simple surfing for freely available personal data and cobbling it together in powerfully creative ways. Thompson began his experiments by first receiving permission from people he barely knew to try to break into their bank accounts. What the following steps show is how vulnerable we all are to a security breach.

The victim:
He knew her name was Kim, where she was from, where she worked and roughly her age. He also knew the name of her bank and her username although as Thompson says, this was easy to guess—it was her first initial and last name. (Note: Change your username to something a bit less obvious.)

Seven Steps:
1) Google search. He googles her and finds a blog and a resume. (Thompson called her blog a “goldmine.”) He gets information about grandparents, pets and hometown. Most important, he gets her college email address and current Gmail address.
2) Next stop: the password recovery feature on her bank’s web site. He attempts to reset her bank password, but the bank sends a reset link to her email, which he does not have access to. So he needs to get access to her Gmail.
3) Gmail access. He attempts to reset her Gmail password, but Gmail sends the reset to her college email address. Gmail tells you that address’s domain (at least it did in 2008, when Thompson conducted the experiments), so he knew he had to get access to that specific address.
4) College email account page. Thompson clicks the “forgot password” link on this page and winds up facing a few questions: home address, home zip code and home country? No problem, Thompson has it all from her resume, the same resume found by the simple Google search done earlier. Then came a stumbling block: the college wanted her birthday, and he only had a rough idea of her age, not an actual birth date.
5) State traffic court web site. Apparently you can search for violations and court appearances by name, and such records include a birth date. (Facebook also makes this piece of data very easy to get even if people do not note their birth year; remember, Thompson knew roughly how old Kim was.) But he had no luck with the Department of Motor Vehicles.
6) Thompson goes back to the blog and searches for “birthday.” He gets a date but no year.
7) Finally, Thompson attempts the college password reset again. He fills in her birth date and simply guesses the year. He gets it wrong. But the site gives him five chances and tells him which field has the error, so he continues to guess and gets access in under five guesses. He changes her college password. This gives him access to her Gmail password reset email. Google requires some personal information, which he is able to get easily from her blog (e.g., father’s middle name). Thompson changes the Gmail password, and that gives him access to the bank account password reset email. Here again he is asked for personal information, but nothing that he could not glean from Kim’s blog (e.g., pet name and phone number). He resets the bank password and, bingo, has immediate access to all her records and money.
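Step 7 turns on two behaviours of the college recovery form: it names the field that was wrong, so the earlier fields are confirmed and only the year is left to guess, and it gives a fixed number of tries that the error message makes easy to spend well. The Python below is an added example, not code from the article or from Thompson's experiment. It places a verifier with that behaviour beside a hardened one that compares every field, answers with one uniform result, and locks the account after a fixed number of failures, and adds a check that flags recovery questions whose answers the article shows to be public. The stored record, field names and five-attempt limit are constructed for the example; the list of publicly discoverable question types is drawn from the facts the article describes being found online.

```python
import hmac
from dataclasses import dataclass

# Constructed sample record for a hypothetical account-recovery form; the
# values are made up for this example.
STORED = {
    "home_zip": "02139",
    "home_country": "US",
    "birth_date": "1986-03-14",
}

# Question types whose answers the article shows being recovered from a blog,
# a resume, court records or social profiles: a poor basis for a recovery check.
PUBLICLY_DISCOVERABLE = {
    "birth_date", "home_address", "home_zip", "home_country",
    "pet_name", "phone_number", "fathers_middle_name", "account_state",
}


def leaky_verify(stored: dict, submitted: dict):
    """The pattern from step 7: stops at the first mismatch and names the field.
    Every response confirms the fields before it and points at the one to retry."""
    for name, expected in stored.items():
        if submitted.get(name) != expected:
            return False, name
    return True, None


@dataclass
class RecoveryGate:
    """Hardened check: every field is compared, the response never says which
    one failed, and failed attempts are counted per account until lockout."""
    stored: dict
    max_attempts: int = 5
    attempts: int = 0
    locked: bool = False

    def verify(self, submitted: dict) -> str:
        if self.locked:
            return "locked"
        self.attempts += 1
        ok = True
        for name, expected in self.stored.items():
            given = str(submitted.get(name, ""))
            # compare_digest keeps the comparison time independent of where the
            # mismatch is; the flag is only read after every field is checked.
            if not hmac.compare_digest(expected.encode(), given.encode()):
                ok = False
        if ok:
            self.attempts = 0
            return "ok"
        if self.attempts >= self.max_attempts:
            self.locked = True
            return "locked"
        return "denied"


def weak_questions(question_names) -> list:
    """Configured recovery questions whose answers are public data."""
    return sorted(q for q in question_names if q in PUBLICLY_DISCOVERABLE)


if __name__ == "__main__":
    attempt = {"home_zip": "02139", "home_country": "US", "birth_date": "1985-03-14"}
    print(leaky_verify(STORED, attempt))   # (False, 'birth_date')
    print(RecoveryGate(STORED).verify(attempt))  # denied
    print(weak_questions(STORED))          # ['birth_date', 'home_country', 'home_zip']
```

The uniform "denied" answer is what removes the field-by-field confirmation; the counter is what bounds the remaining guesswork. Neither fixes a question whose answer is already on the victim's blog, which is why `weak_questions` reports the configured question set rather than the submitted answers.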

From Thompson:

Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What’s striking about Kim’s case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts.

Yes, in this case the personal information came from her blog, but it could just as easily have come from a Facebook page or other online community pages.

Thompson provides sage advice on Scientific American:

Go and do a self-check. Try to reset your passwords and see what questions are asked to verify your identity. Some questions are better than others. Date of birth, for example, is bad. In addition to the DMV, there is a wealth of public records available online where folks can track down when you were born. Most account reset features give you a choice of questions or methods to use. Go for questions that ask about obscure things that you won’t forget (or can at least look up), like your favorite frequent flyer number. Avoid questions that are easy to guess, such as which state you opened your bank account in.

It’s also critical to remember that once you put data online, it’s almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.
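Thompson's self-check and his "row of dominoes" remark describe the same structure: each account's reset flows through another account or through knowledge questions, so the whole set rests on whichever account is at the bottom of the chain. The Python below is an added example, not from the article or from Thompson, that models Kim's chain as described in the seven steps and answers the self-check questions mechanically: which account is the root, what falls with it, and whether its recovery questions are all answerable from public information. Account names, the reset links and the set of public facts are constructed from the article's narrative.

```python
from collections import deque

# Constructed model of the chain in the seven steps. Each account resets either
# through another account's mailbox ("reset_via") or through knowledge
# questions; the question names are the ones the article lists.
ACCOUNTS = {
    "bank": {"reset_via": "gmail",
             "questions": {"pet name", "phone number"}},
    "gmail": {"reset_via": "college_email",
              "questions": {"father's middle name"}},
    "college_email": {"reset_via": None,
                      "questions": {"home address", "home zip",
                                    "home country", "birth date"}},
}

# Facts the article says were found on the blog, the resume or court records.
PUBLIC_FACTS = {
    "home address", "home zip", "home country", "birth date",
    "father's middle name", "pet name", "phone number",
}


def recovery_root(accounts: dict, name: str) -> str:
    """Follow reset_via links to the account everything ultimately rests on."""
    seen = set()
    while accounts[name]["reset_via"] is not None:
        if name in seen:
            raise ValueError(f"reset loop through {name}")
        seen.add(name)
        name = accounts[name]["reset_via"]
    return name


def dependents(accounts: dict, root: str) -> set:
    """Accounts that can be reset, directly or transitively, from `root`."""
    fallen, queue = set(), deque([root])
    while queue:
        current = queue.popleft()
        for name, info in accounts.items():
            if info["reset_via"] == current and name not in fallen:
                fallen.add(name)
                queue.append(name)
    return fallen


def exposed_questions(accounts: dict, public: set) -> dict:
    """Per account, the recovery questions answerable from public data."""
    return {name: sorted(info["questions"] & public)
            for name, info in accounts.items()}


def self_check(accounts: dict, public: set) -> dict:
    """Per root account: what falls with it, and whether every one of its own
    recovery questions is answerable from public information."""
    report = {}
    for name, info in accounts.items():
        if info["reset_via"] is None:
            report[name] = {
                "dependents": sorted(dependents(accounts, name)),
                "fully_exposed": info["questions"] <= public,
            }
    return report


if __name__ == "__main__":
    print(recovery_root(ACCOUNTS, "bank"))        # college_email
    print(self_check(ACCOUNTS, PUBLIC_FACTS))
```

Running the report against your own accounts means filling in `ACCOUNTS` with where each reset really goes and `PUBLIC_FACTS` with what a search on your name turns up; a root marked `fully_exposed` is the college-email situation from the article, and swapping its questions for obscure ones (or a second factor) is what clears the flag.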

[via Scientific American]

[photo via manitou2121]


About Christie Nicholson

Christie Nicholson is a contributing editor for SmartPlanet.

Christie Nicholson produces and hosts Scientific American's podcasts 60-Second Mind and 60-Second Science and is an on-air contributor for Slate, Babelgum, Scientific American, Discovery Channel and Science Channel. She has spoken at MIT/Stanford VLAB, SXSW Interactive, the National Science Foundation, the National Research Council, the Space Studies Board and Brookhaven National Laboratory. She holds degrees from the Columbia University Graduate School of Journalism and Dalhousie University in Canada. She is based in New York.

Christie Nicholson does not hold any investments in the technology companies she covers. She writes for SmartPlanet and is not an employee of CBS.

30 Comments

0 Votes
Scary
Time to redefine myself.
Posted by lhdurenberger
16th Dec 2011
0 Votes
Town of birth and birth certificates.
Sometimes you can reveal information that may seem of no help to a person seeking to get control of your life. An example: once I received a telephone call from an insurance agent (?) who quoted my birthdate month and year. He wanted the name of the town where I was born. I told him he had no need for that for insurance purposes and hung up. The risk: he writes to the county seat offices, quoting the birthdate information, and requests a birth certificate. He no doubt would have received it and away goes my identity.
Posted by danarid@...
16th Dec 2011
+2 Votes
Treat security questions as just another password prompt
One way to stop this line of attack is to treat security questions as just another password prompt. You can put any data into these fields, and it can be completely random. That way nobody can guess the answer from online info.

Of course, this is a bit of a problem when you're trying to remember one password by entering another. But you can use the same one or two passwords for all security questions. You will be no worse off than if the information can be obtained by anybody on the internet, and in most cases better off. Or you can store the info on USB keys, protected via Lastpass or similar online database which can be opened using a Yubico Yubikey, or even written down somewhere if that location is secure. Remember, this is a backup system for when you've forgotten a password, it doesn't have to be as convenient or easy as normal password entry.
Posted by zackers
Updated - 20th Dec 2011
0 Votes
use a password manager
Hi
I agree with the first point, but using a password manager for those details can be helpful.
Posted by kashyap.bikram@...
10th Jan 2012
0 Votes
Hi
I agree that using an obscure answer and question (not always allowed) is a great approach. It also makes sense to use a dead-end email that is not set up for reset. Eventually you might need to send a letter and proof, but all is protected. Plus you can create one that can be very specific and also use a local doc store to hold its value with a reverse obscure reference.
Posted by jpralyea
11th Jan 2012
+1 Vote
all thanks to social media!
This should serve as a wake-up call to the multitudes of people who have laid themselves bare in the internet. I'm no Luddite, but aside from being a huge time suck, typical social media encourages posting way too much personal data. People are fools to post ANY details. If you want to promote a career stick to some high points and explain that details are available to qualified requestors.
Posted by pete_w_flynn@...
10th Jan 2012
0 Votes
Two Factor Authentication
Google provides it with GAuthenticator for free. It would have rendered this type of attack completely useless.
Posted by yzfdude1@...
10th Jan 2012
0 Votes
authenticator?
Please enlighten us, because I have looked for such an item and come up with nothing... how/where do we get said item?
Posted by varick
10th Jan 2012
Posted by airjos@...
24th Jan 2012
0 Votes
google...
...also use cell phone password reset. It's easy to hack someone's cell and hijack text messages, especially if it's on a smartphone.
Posted by Elis_re
10th Jan 2012
0 Votes
till an extent
One will need physical access or a clone of the phone/SIM to access SMS.
Posted by kashyap.bikram@...
10th Jan 2012
0 Votes
Just the tip of the iceberg.
Honestly this is just the tip of the iceberg.
Lock your cell phones; there is a ton of information in there that someone could use against you.
Limit the information you have online. Yes, Facebook and Google+ allow you to put in all types of information, but unless you lock your account, anyone can see it.
Have some idea of what information about you is out there. Do some searching yourself. If you find a site or page that has information you might not want to share find out how to remove it.
Posted by sanchanim
10th Jan 2012
+1 Vote
think before you give your info
I never give my real birth date to anyone that doesn't really need it. Especially not any social media site. I put in a fake date that still keeps my age over 18. There are a lot of bad guys out there that will use all the information you make public.
Posted by Al_nyc
10th Jan 2012
0 Votes
Advice
That's why your registration data should be minimum or fake (birthday, address, answer to secret question). The only true data you should give is your name, and that's it.
Posted by averageuser
10th Jan 2012
0 Votes
fake (birthday, address, answer to secret question
Not so with Google. I know somebody who gave a fake birthday for the Google phone number offer, and Google shut that person down until a birth certificate is produced to prove real age. That person refuses as Google is asking for information that is not necessary for the kind of service they are providing. It could be used for identity theft - after all - Google is not a totally secure service either!
Posted by cuttingsm@...
10th Jan 2012
+1 Vote
Identity theft
Whenever I seek a password from my various bank accounts, I get an email admonishing me to confirm that it was *I* who sought the information. Kim fell down on the job when she didn't reply to the emails sent by her bank or other financial branch acknowledging that she requested the information. The hacker could have been shut down completely if she had responded to the bank queries to assure that it was she who requested the information. That said, I have changed my challenge information to make sure that a hacker could not figure out what my password response was. Even my wife doesn't have a clue what the answer is. Nowhere on any site is the answer to my challenge question. Thanks for the insight to make my information less accessible to a knowledgeable hacker.
Posted by Mrfearless47
10th Jan 2012
0 Votes
That Would Not Have Helped
Once the hacker gets into your email accounts, he can delete the emails that the bank sent. I don't know about you, but most students are not checking their email every few minutes. Now, if she had a smartphone (he could have determined that from the blog, maybe), she might have had a chance.
Posted by hforman@...
10th Jan 2012
0 Votes
OTP
Most banks nowadays use OTP. So the password will be sent via SMS rather than email.
Posted by vuyiswamb
10th Jan 2012
0 Votes
Pathetic bank's security questions
If someone needs to access someone else's bank account, some bank accounts are easy to get. Mostly only the account number is needed for telephonic interactions. One bank asks me the following details for 'security' reasons:
email ID: easy to get
mobile number: again not too difficult
DOB: maybe a bit difficult if the target is a bit security conscious, else all details from Facebook.
Posted by kashyap.bikram@...
10th Jan 2012
0 Votes
Steal Identity
Hi:
Thanks for this, "How to steal an identity"
This can get some evil guys rich, stealing homeowners' houses.
Thanks Sir,
Mr Innocenti.
Posted by desmondhs
10th Jan 2012
0 Votes
password questions
One of the tricks I learned, and taught, as an IT specialist was quite simple. When creating answers to security questions, LIE! I emphasize this only to be funny, but the procedure works. As long as you remember or safely record the answers, you can say your father's middle name is anything! Your elementary school could suddenly be in Bangkok! People who can find real answers aren't helped unless you do something too routine or obvious when you create the fictitious answers. You can't fake some things, but most of you will know what you CAN alter.
Posted by aeromechdesigner
Updated - 12th Jan 2012
0 Votes
I wish I knew about the easy ways to reset passwords
Try to open a Hotmail e-mail account and then, without knowledge of the secondary account or the computer with Vista or Windows 7 that may have been used (the only computer allowed to make changes, btw), try to change the password and get access. As a tech-savvy user, I tried to help a friend who could not get access to her account. We even knew that other e-mail addy, but since it was also a Hotmail account and hadn't been used in some time, we could not get access to it. At least Gmail has a way to call someone, but I'm not sure how well that works; I just saw the phone number, which Microsoft does not have. The best solution is to have a local ISP and e-mail. You cannot change the password without contacting them directly, and you have people to talk with instead of a computer. Better security and less hassle for those in real need of changing information. Don't have too many passwords either. Average users will forget passwords unless they are written down, either in a file or on paper. This makes information less secure right off the top. If requirements were the same on all sensitive accounts it would be a blessing, but some require you to reset your password or access the account within a certain time period. Some require letters and numbers, at least 8, while others require at least one upper case and one lower case as well as a number and some kind of symbol. Why not make it universal? I'm sure the government could simply tell people their URL will be removed from the DNS unless they comply, and have it happen. Pretty easy to force companies to stop being so lazy.
Posted by clyman
Updated - 12th Jan 2012
0 Votes
Oh goodie, I just added nothing (again)
This sucks.
Posted by clyman
12th Jan 2012
0 Votes
Every time I put effort into a reply, it won't post
Why don't I at least get some kind of error message when a well-thought-out response is posted but does not appear? All I can make are stupid little posts like this.
Posted by clyman
12th Jan 2012
0 Votes
Identity crisis
Am I crazy? Why do you print a blueprint of this for all to see and learn?
Posted by bhester1
13th Jan 2012
0 Votes
over 50 passwords!
I have over 50 passwords in my Chrome password list! The problem is you really need to use different passwords for each site. These passwords need to be unpredictable to a hacker if he happens to know one of them (so he can't guess the others). At the same time, we need to be able to remember or have a note of these passwords so we can use them from any other computer. Keeping them in the cloud is a solution, but we then put all our eggs in someone else's basket. What can/do you do?
Posted by s2926
14th Jan 2012
0 Votes
@bhester1
The idea is that the bad guys know all of this already; at least let their potential victims in on it too...
Posted by bjosephs
24th Jan 2012
0 Votes
junbug20
Baby-talk words for pets as passwords work for me, because they're so damn goofy and personal, and they're easy to remember.
Posted by junietoons
2nd Feb 2012
0 Votes
password
Eon are the power source of the Olympics, so if they withdraw from the deal at the last minute there will be no power at the Olympics.
http://www.ultraseksy.com
Posted by ultraseksy
18th Feb 2012
0 Votes
Protect Yourself
Great article actually! Somebody brave and smart enough to show people tangible evidence that stealing one's identity is very easy to do. There is no information being offered here that identity thieves don't already know about I'm sure. This article is a great illustration that we need to make protecting our identities a top priority. Thanks. Here is some other good info: http://topcreditmonitoringservices.com/
Posted by A Standt
29th Apr