Thread: How I Stole Someone's Identity

How I Stole Someone's Identity
The author asked some of his acquaintances for permission to break into their online banking accounts. The goal was simple: get into their online accounts using the information about them, their families and acquaintances that is freely available online


By Herbert H. Thompson

As a professor, a software developer and an author I've spent a career in software security. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information. I asked some of my acquaintances, people I know only casually, if with their permission and under their supervision I could break into their online banking accounts. After a few uncomfortable pauses, some agreed. The goal was simple: get into their online banking account by using information about them, their hobbies, their families and their lives freely available online. To be clear, this isn't hacking or exploiting vulnerabilities, instead it's mining the Internet for nuggets of personal data. Here's one case. I share it here because it represents some of the common pitfalls and illustrates a pretty serious weakness that most of us have online.

Setup: This is the case of one subject whom I'll call "Kim." She's a friend of my wife, so just from previous conversations I already knew her name, what state she was from, where she worked, and about how old she was. But that's about all I knew. She then told me which bank she used (although there are some pretty easy ways to find that out) and what her user name was. (It turns out it was fairly predictable: her first initial + last name.) Based on this information, my task was to gain access to her account.

Step 1: Reconnaissance: Using her name and where she worked, I found two things with a quick Google search: a blog and an old resume. Her blog was a goldmine: information about grandparents, pets, hometown, etcetera (although it turns out I didn't need to use most of this). From the resume I got her old college e-mail address and from her blog I got her G-mail address.

Step 2: Bank Password Recovery Feature: My next step was to try the password recovery feature on her online banking site. The site didn't ask any personal questions, instead it first sent an e-mail to her address with a reset link which was bad news, because I didn't have access to her e-mail accounts. So e-mail became my next target.

Step 3: G-mail: I tried to recover her G-mail password, blindly guessing that this was where the bank would have sent its password-reset e-mail. When I tried to reset the password on her G-mail account, Google sent its password reset e-mail to her old college e-mail account. Interestingly, G-mail actually tells you the domain (for example, xxxxx.edu) where it sends the password reset e-mail to, so now I had to get access to that…ugh.

Step 4: College E-Mail Account: When I used the "forgot my password" link on the college e-mail server, it asked me for some information to reset the password: home address? (check—found it on that old resume online); home zip code? (check—resume); home country? (uh, okay, check—found it on the resume); and birth date? (devastating—I didn't have this). I needed to get creative.

Step 5: Department of Motor Vehicles: Hoping she had gotten a speeding ticket, I hit the state traffic courts' Web sites, because many states allow you to search for violations and court appearances by name. These records include a birth date (among other things). I played around with this for about 30 minutes with no luck when I realized that there was probably a much easier way to do this.

Step 6: Back to the Blog: In a rare moment of clarity I simply searched her blog for "birthday." She made a reference to it on a post that gave me the day and month but no year.

Step 7: Endgame (or How to Topple a House of Cards): I returned to the college e-mail password recovery screen and typed in her birth date, guessing on the year. Turns out that I was off on the year of birth but, incredibly, the university password reset Web page gave me five chances and even told me which field had inaccurate information! I then changed her college e-mail password, which gave me access to her G-mail password reset e-mail. After clicking the link, Google asked me personal information that I easily found on her blog (birthplace, father's middle name, etcetera). I changed the G-mail password, which gave me access to the bank account reset e-mail, and I was also asked for similar personal information (pet name, phone number and so forth) that I had found on her blog. Once I reset the password, I had access to her money (or at least I would have).

Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What's striking about Kim's case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.

Battling this threat requires us to make better choices about how we prove who we are online and what we make available on the Internet. Go and do a self-check. Try to reset you passwords and see what questions are asked to verify your identity. Some questions are better than others. Date of birth, for example, is bad. In addition to the DMV, there is a wealth of public records available online where folks can track down when you were born. Most account reset features give you a choice of questions or methods to use. Go for questions that ask about obscure things that you won't forget (or can at least look up), like your favorite frequent flyer number. Avoid questions that are easy to guess, such as which state you opened your bank account in. All of these are, of course, stopgap measures until we find better ways to prove our identities online.

It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.

As for Kim, she's still blogging, but now she's a little more careful about the information she volunteers and has cleaned house on her old passwords and password reminder questions. Next time I do this, I'll have to figure out the name of her favorite primary school teacher.
Further Reading

* How RFID Tags Could Be Used to Track Unsuspecting People
* Data Fusion: The Ups and Downs of All-Encompassing Digital Profiles
* Cryptography: How to Keep Your Secrets Safe
* Planning to E-Vote? Read This First



* The Web Ushers In New Weapons of War and Terrorism
* How to Be Popular during the Olympics: Be H. Lee Sweeney, Gene Doping Expert
* The Latest Buzz: Aldrin Flies to the Moon Again
* When Clones Attack: Q&A with Clone Wars Director David Filoni




http://www.sciam.com/article.cfm?id=ana ... ocial-hack

Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What's striking about Kim's case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.

Show your kids this article. I would print it and save it. This is EXACTLY why we ask you to NOT give personal information on the forums.

Does anyone know of instances of citizens' identities being stolen in countries like Russia or China, or is it just the US and Europe that are subjects of this crap?

Originally Posted by vortex

Does anyone know of instances of citizens' identities being stolen in countries like Russia or China, or is it just the US and Europe that are subjects of this crap?

With all of the outsourcing and data sharing, i am sure this is more widespread than you think.

Think a NAtional ID card or Real ID will help?

Here is what Michael Chertoff Said.

The first thing we do, using again traditional 20th Century methods, is we try to make it harder to counterfeit a card and this is a pretty good approach if you're going to use a card-based identifying method by itself. We've put chips in passports. We've created pass cards. We've put bar codes in. We've embedded certain kinds of holograms, all of which are designed to make it more difficult for people to fabricate these cards, and we've required higher standards through things like our Western Hemisphere Travel Initiative which governs what people need to show when they cross a land border or our Transportation Worker Identity Card or even the Real ID Initiative to strengthen the security of our driver's licenses.

But while this has done something to deal with the issue of forgery and counterfeiting, it's certainly not a complete solution because time and again, I certainly have seen intelligence that tells me that sophisticated criminals and sophisticated terrorists spend a great deal of time learning to fabricate and forge even these improved cards. The net effect of this may be that it's going to be harder for people on campus here to get a drink when they're under 21, but unfortunately it's not going to be that much harder for the most sophisticated dangerous people to counterfeit an identity card.

With respect to the vulnerability that we experience when we give people our social security number or our PIN number, again here a partial solution that works somewhat well is encryption. If you encrypt, if you safeguard, then you do in fact minimize the possibility that someone is going to steal your number and therefore make off with it.

http://www.dhs.gov/xnews/speeches/sp_1219162986509.shtm

It is getting very depressing that everyone's identity (especially those of US citizens born to citizen parents) in this country are prime targets for the rest of the world.
Replacing my SS card a couple years ago, as I was smart enough to run it through the washer and dryer before checking my pockets, I received a new one in the mail--not any nifty tamper-proof plastic, but a cute little shard of paper with thickness less than the quality of file cards, and the only security measure I could find were multi-colored little dots all over the place.
I suppose DHS will get around to solving that problem as soon as they finish building the border fence, which seems like neither goal is very likely.

They already know Real ID will not make a dent if the terrorists are intent on doing what they want to do. They cannot do anything to protect our identities by putting our papers into a massive database.

When you have SunTrust bank outsourcing to Mexico for your calls, are you going to do business with a bank like that. Your personal information in a corrupt country like Mexico?

Originally Posted by vortex

Does anyone know of instances of citizens' identities being stolen in countries like Russia or China, or is it just the US and Europe that are subjects of this crap?

Our company just had a guy from Singapore try to order some products using a stolen credit card number including the PIN. The actual owner of the card lived in Alabama. The victim has never been to Asia, who knows how they got his number.

Originally Posted by Bowman

Originally Posted by vortex

Does anyone know of instances of citizens' identities being stolen in countries like Russia or China, or is it just the US and Europe that are subjects of this crap?

Our company just had a guy from Singapore try to order some products using a stolen credit card number including the PIN. The actual owner of the card lived in Alabama. The victim has never been to Asia, who knows how they got his number.

They are sophisticated criminals. They probably hacked a web site he went to of bought it online from a hacker.