How Identity Theft Works - Tech Learning

A security firm tries to penetrate a college network, with alarming results.

Courtesy of Dark Reading

There’s been a lot of talk about identity theft in recent days, and a lot of technology is being thrown at the problem. But with all the technology that’s out there, it’s still pretty easy for a good social engineer to steal an identity and exploit it swiftly, even if they only have a single piece of personal information. In a recent project, my penetration testing firm was able to gain an alarming amount of access to personal information--and even financial accounts--with only a birth date to go on.

We were hired by a private college to assess the security of its network. After completing numerous tests for vulnerabilities in the primary systems, we started looking at the Internet sites for the various departments and schools within the college. We found a major flaw in the alumni site, so we asked for permission to exploit it. The college agreed, as long as we agreed to stop our attack before any of its alumni were actually robbed. We began the exploit immediately.

The alumni site contained a list of all of the college’s past students, along with the year they had graduated. Each alum’s name was hyperlinked to a profile page that the alum could access and edit, first authenticating themselves with a birth date.

We started our attack by looking at a recent year of graduates, focusing specifically on athletes. We found a male athlete whose name was also posted on the college’s sports Website, which gave his statistics as well as a birth date. Using that birth date, we were authenticated into his alumni profile.

We then edited his profile, indicating he was employed by a company we had created. We provided specifics in the profile, including a spurious job title, job description, a mailing address, and an email account that we controlled.

Using one of the world’s oldest social engineering techniques, I then asked one of my colleagues to call the college registrar’s office, posing as the secretary for the young man. She requested a transcript on behalf of the victim, and because we were listed as his new employer, the registrar’s office agreed and faxed over a form. We quickly completed it and faxed it back. Within a day--and without charging any fee--they faxed over his transcript, which included his Social Security number.

At that point, all of the elements needed to start controlling the person’s identity were in motion. We had obtained his Social Security number, established a mailing address, and become his employer.

We stopped our attack at that point -- we had no wish to hurt the person. However, if we had continued, we decided that establishing credit through a major retailer would be the easiest method. We confirmed our hypothesis by going to a large sporting goods store, which advertised a 10 percent discount to customers who used its "quick and easy" approval process to obtain one of its credit cards. When I asked the manager how the store can establish credit so quickly, he explained that they verified the person’s credit by asking for another credit card, then verifying credit through that company. If another card wasn’t available, they would simply contact the person’s employer as a financial reference. At that point, we knew we were in, because we had already established ourselves as the victim’s employer.

This is just one example that shows how easy it is to gain a dangerous amount of access to personal information. There are lots of other exploits that we could have tried, and any one of them could have been just as effective.

Many people are careful to protect their Social Security information, but end users really should be concerned about all of their data. Identity thieves can collect data from many sources, including trash and recycling bins, discarded mail, and Internet sites. Sites where users share personal information, such as MySpace and LinkedIn, can make the problem worse. Sites that deal with family reunions, genealogy, and sports statistics may seem harmless, but they can become great resources for valuable personal data.

For IT and security people, however, the message is more complex. IT organizations should sanitize any online resources that contain personal data about their employees, maintaining only the bare minimum online. Personnel profiles or applications should never be kept on systems that are widely accessible over the Web. If there is a need to post personal information on a Web-accessible site, consider securing it with some sort of two-factor authentication, such as the technology offered by RSA Security.

Finally, IT departments should constantly monitor themselves for vulnerabilities. If a pen tester hadn’t come and shown the college the flaws in its alumni system, how long would it have taken its IT folks to find and fix them? A vulnerability can often be found in a system that may seem peripheral to the business or relatively unimportant to the enterprise. Once that vulnerability is exploited, however, the consequences for users, customers, or employees could be disastrous.

Steve Stasiukonis is VP and founder of Secure Network Technologies Inc.
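
The two weaknesses in the engagement above (a birth date as the only login check, and a self-edited employer field that the registrar treated as proof of authority), shown beside a hardened form. This is an added example, not code from the college's site or from the author; the Profile class, the function names, the lockout threshold and the 14-day hold are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import timedelta

MAX_FAILURES = 5            # assumed lockout threshold
HOLD = timedelta(days=14)   # assumed waiting period after a self-service edit


class Profile:
    def __init__(self, name, birth_date, password):
        self.name, self.birth_date = name, birth_date
        self.salt = os.urandom(16)
        self.pw_hash = self.kdf(password)
        self.failures = 0
        self.employer = None
        self.employer_changed = None
        self.employer_verified = False   # set only by staff, never by the alum

    def kdf(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)


def login_weak(profile, birth_date):
    """The design in the article: a birth date is the only check."""
    return birth_date == profile.birth_date


def login_hardened(profile, password):
    """A secret the alum chose, constant-time compare, lockout on repeated failures."""
    if profile.failures >= MAX_FAILURES:
        return False
    ok = hmac.compare_digest(profile.kdf(password), profile.pw_hash)
    profile.failures = 0 if ok else profile.failures + 1
    return ok


def edit_employer(profile, employer, now):
    """A self-service edit is stored as an unverified claim."""
    profile.employer, profile.employer_changed = employer, now
    profile.employer_verified = False


def may_release_transcript(profile, requester, now):
    """Registrar check: the profile's employer field alone proves nothing."""
    if requester != profile.employer or not profile.employer_verified:
        return False
    return now - profile.employer_changed >= HOLD
```

With the hardened path, knowing the birth date no longer opens the profile, and an employer entry typed into the profile cannot by itself satisfy the registrar's release check.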
