BreachExchange mailing list archives

How to hack your own bank account using information on the Internet


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 2 Oct 2013 01:05:30 -0600

http://pandodaily.com/2013/10/01/how-to-hack-your-own-bank-account-using-information-on-the-internet/

Identity theft is one of those things that you think you’ll never
experience personally. Excuse the grim analogy, but it’s a bit like death.
It always happens to someone else. But identity theft is rampant, and given
our ever-increasing propensity to put all sorts of information online, the
chances of it happening to either ourselves or someone we know are
relatively high.

According to US National Institute of Justice estimates, there were 9
million incidents of identity theft in 2011 alone in the US, almost 3
percent of the population. Clearly, there are lots of people out there who
make a living stealing people’s identities.

And just to show you how easy it is, and why it’s so commonplace, I decided
to conduct an experiment: Would it be possible to check the balance of my
credit card account using only information I can find on the Internet?

The first step is to call my bank to establish what information they
require to make sure I am the real account owner. The bank employee asked
me for my name, date of birth, address, and my personal identification
number. Just to be sure, he also asked me about my email address and some
digits of my credit card and its expiration date.

You might think this would put off an identity thief. After all, it’s a lot
of information to discover. But there’s so much information online, it’s
not really that hard. The first thing I need to discover is my name. This
is easy; my Facebook account displays it for all to see.

The next thing is date of birth. I didn’t complete this field for my
Facebook account (but most people do). Even though it is unlisted on
Facebook, it’s not hard to discover. By looking through the pictures I’ve
posted I find the hint I need. It’s a photo, saying: “Today is my birthday,
let’s party!” And there slap bang in the middle of my lovely birthday cake
is a figure that says how old I am.

The next bits of required information are home address and personal
identification number. This seems like a real challenge. But it’s not.
These details are posted on the Internet as part of an official document.
You just need to know where to look. And the clever identity thief will
certainly know where to look. My email address is very easy to find – it’s
all over the Internet.

Up until this point finding the relevant information has been relatively
easy. Now, it’s time for the difficult bit, to find out the credit card
details such as the card number and expiration date.

The first thing to do is check the Facebook photos again. There’s a photo
that’s very interesting – a beautiful and welcoming hotel where I spent my
great vacation this year. It’s a great opportunity to find the details for
my credit card.

I find the hotel’s number and call them impersonating someone from the
bank. Armed with the information I’ve already collected, I say there’s a
problem with the credit card payment used to make the payment for the room,
and I need to check the card details. The person on the phone willingly
obliges by providing the number and expiry date to help me double check.
After all, he thinks I’m calling from the bank.

And that’s it. I’ve got all the information I need to call the bank and
access the account details to check the balance, or transfer some money to
another account, or make a payment for something, or…

It really is as straightforward as that. And for lots of people
discovering this sort of information is a way of life. The Internet simply
makes it a lot easier. So take care and be sure to practice good identity
theft protection – because identity theft doesn’t just happen to other
people.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/