Penetration Testing mailing list archives
Valid/sufficient identification mechanisms/credentials for personal data collection.
From: "Serg B." <sergicles () gmail com>
Date: Tue, 1 Aug 2006 16:46:45 +1000
I am not sure if this is a suitable topic for this list, but it is certainly within the scope. This article is not related to IT as such, but has a lot to do with social engineering and identity theft. I suppose this is an iffy area of IT, since the Internet has not only enabled perpetrators to realise much greater returns on their crimes but has become an indispensable tool in every arsenal.

Since I read The Art of Deception a few years ago I started to notice real life situations where an individual could easily get away with almost anything (theft, scams, etc.) by carefully choosing their words and the people they talk to. When I first read the book I thought it didn't look like any of this could be possible. It was certainly fascinating to read but not possible, not for me anyway. As I worked through my young grasshopper IT career days I became more and more exposed to the security side of the industry, which in turn made it possible for me to observe some of these tricks, or at least attempts to do so, first hand. Soon after I realised that things are even simpler than an average case study in the book. Especially if you are an insider, you have access to everything and anything. As long as you are confident and don't mind lying like there is no tomorrow, the world is yours.

Currently, every Australian resident is going through their Census (http://www.abs.gov.au/census) survey forms. Seems like a reasonable thing to do, maybe not for the paranoid, but anyway… The form is around 18 pages long and contains a fair amount of personal questions such as your name, surname, date of birth, address, employment information, income bracket, etc. A sample can be found here: http://www.abs.gov.au/websitedbs/d3310114.nsf/4a256353001af3ed4b2562bb00121564/d14318a2e9282072ca25715d00177d17/$FILE/HHF%202006%20Sample%20only.pdf It is delivered via a courier and is left near the front door, and pick-up is very much the same.
On the front cover of the form, one of the bullet points is "Your Collector will return between 9 August and 28 August to collect your form". Well, this is certainly a great service, but how do I know that the so-called collector is indeed an authorised person to collect my Census forms? What safeguards have been implemented by the government or the Australian Bureau of Statistics (http://www.abs.gov.au) to make sure that your friendly neighbourhood hacker does not print herself a fake identification badge and go door to door collecting these forms? I for one have no idea what identification to expect from "the collector". Is it an ID card presented on request? Maybe it's an identification badge and a t-shirt with the ABS logo? No idea… And I am one of the paranoid ones! Most people would hand this information over without thinking twice.

The consequences of this are rather scary. Obviously the worst case scenario could result in loss of money, or it could be your best friend playing a joke on you and trying to disconnect your gas and electricity because you got on their nerves. In either case the process is very simple. I am not going to go into a great deal of detail on the actual process, but there is nothing to stop me from calling a few common telecommunications providers and posing as the victim. All information required for authenticating yourself to your phone company is on the form. The same could be done with any utility providers (gas, electricity, etc.). In fact we could take this one step further and ask your phone provider to send you one of your old bills, since you lost it and now need it for invoice purposes. Provide a new, once-off postage address (of course don't tell them that) and your friendly neighbourhood hacker has just scored some identification points to open a bank account under the victim's name. Where to from here?
Any local TAFE or university will allow you to register, provided you supply valid information (such as that gathered above), for a short course, $200 – $300, not much considering the potential return. And now a victim's name is on a fake university photo ID. Of course this could even be taken further, but I am going to stop here and leave you with my previous question: What safeguards have been implemented by the government or the Australian Bureau of Statistics (http://www.abs.gov.au) to make sure that your friendly neighbourhood hacker does not print herself a fake identification badge and go door to door collecting these forms? Any feedback, thoughts, ideas?

Serg
ubermonkey.wordpress.com