BreachExchange mailing list archives
How to hack your own bank account using information on the Internet
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:05:30 -0600
http://pandodaily.com/2013/10/01/how-to-hack-your-own-bank-account-using-information-on-the-internet/

Identity theft is one of those things that you think you’ll never experience personally. Excuse the grim analogy, but it’s a bit like death. It always happens to someone else.

But identity theft is rampant, and given our ever-increasing propensity to put all sorts of information online, the chances of it happening to either ourselves or someone we know are relatively high. According to US National Institute of Justice estimates, there were 9 million incidents of identity theft in 2011 alone in the US, almost 3 percent of the population.

Clearly, there are lots of people out there who make a living stealing people’s identities. And just to show you how easy it is, and why it’s so commonplace, I decided to conduct an experiment: Would it be possible to check the balance of my credit card account using only information I can find on the Internet?

The first step is to call my bank to establish what information they require to make sure I am the real account owner. The bank employee asked me for my name, date of birth, address, and my personal identification number. Just to be sure he also asked me about my email address and some digits of my credit card and its expiration date.

You might think this would put off an identity thief. After all, it’s a lot of information to discover. But there’s so much information online, it’s not really that hard.

The first thing I need to discover is my name. This is easy; my Facebook account displays it for all to see.

The next thing is date of birth. I didn’t complete this field for my Facebook account (but most people do). Even though it is unlisted on Facebook, it’s not hard to discover. By looking through the pictures I’ve posted I find the hint I need. It’s a photo, saying: “Today is my birthday, let’s party!” And there slap bang in the middle of my lovely birthday cake is a figure that says how old I am.
The next bits of required information are home address and personal identification number. This seems like a real challenge. But it’s not. These details are posted on the Internet as part of an official document. You just need to know where to look. And the clever identity thief will certainly know where to look.

My email address is very easy to find – it’s all over the Internet.

Up until this point finding the relevant information has been relatively easy. Now, it’s time for the difficult bit, to find out the credit card details such as the card number and expiration date.

The first thing to do is check the Facebook photos again. There’s a photo that’s very interesting – a beautiful and welcoming hotel where I spent my great vacation this year. It’s a great opportunity to find the details for my credit card.

I find the hotel’s number and call them impersonating someone from the bank. Armed with the information I’ve already collected, I say there’s a problem with the credit card payment used to make the payment for the room, and I need to check the card details. The person on the phone willingly obliges by providing the number and expiry date to help me double check. After all, he thinks I’m calling from the bank.

And that’s it. I’ve got all the information I need to call the bank and access the account details to check the balance, or transfer some money to another account, or make a payment for something, or…

It really is as straightforward as that. And for lots of people discovering this sort of information is a way of life. The Internet simply makes it a lot easier. So take care and be sure to practice good identity theft protection – because identity theft doesn’t just happen to other people.