Wednesday, December 05, 2007

FT.com / Technology - Security Matters: Identity theft is all too easy


Security Matters: Identity theft is all too easy
By Ken Munro

Published: December 5 2007 04:40 | Last updated: December 5 2007 04:40

Talking recently to Peter Whitehead, the Digital Business editor, I started ranting about social networking as a means of identity theft. He challenged me to prove my point, confident that his real identity would prove hard to crack.

For the purposes of the challenge, I was armed only with his name and occupation, a laptop and a broadband internet connection. Within three hours I had discovered his full name, date of birth, address, home telephone number, route taken to work, the schools and universities he attended, his career history and his long-harboured passion for rock music, golf and tennis.

Perhaps more worryingly I was also able to find out his daughters’ names, ages, dates of birth, the schools they attend, names and pictures of their friends, along with personal information on his wife and other family members.

I began by searching Peter’s own articles. A quick search of FT.com identified an extensive list, including some he had authored in a travel writing capacity. Reading these quickly established he has two daughters, their names, ages and a family interest in winter sports.

He also helpfully described his route into work – from the fact that he commutes into London via train to the same station every day right down to some of the buildings he passes on the way into the office.

It is, of course, true that only a small number of people are likely to have such information published in the media. But millions do so through social networking sites and blogs. Hence my next stop – Facebook, MySpace, etc.

To my disappointment, the target was not accessible on any of the currently popular social networking sites. But a search of Friends Reunited was more successful. There I learned he is married, the town and county where he lives, the schools and university he attended, along with dates he attended them (and therefore his likely year of birth) and publications he worked on prior to joining the FT.

Armed with this information, a few searches on 192.com yielded his full address, his home telephone number and the full data from his daughters’ birth certificates, including their dates and places of birth.

But it was only the results of a five-mile charity run that allowed me to make the link between Peter and his wife. Also a journalist, she writes under her maiden name but gives away no personal details in her writing.

A travel article on skiing by Peter yielded the fact that one of his daughters uses a shortened version of her full name. I was then able to go back to the social networking sites. A well-populated profile existed on one site which provided the school she attends, her friends’ names and photos and identified a couple of likely cousins.

Her mother and sister, however, proved much more elusive, neither apparently having succumbed to the lure of virtual socialising.

It is scary stuff for three hours’ surfing, but what could you do with this information? I used only the tools that any other person with a passing interest in genealogy or a curious streak would be aware of and have access to, and spent only the time I could spare in between running a business.

An attacker with malicious intent towards our target would have both time and a wide range of internet sites on the fringes of legality at their disposal, which would, for example, very quickly and easily yield a date of birth and banking history. Or they could simply have hung around his house and raided his bins for non-shredded correspondence (even the day his bins are emptied is available on his local council’s website).

I did not find out bank account details, but I could have paid for and downloaded Peter’s credit report from a credit reference agency (this is unlawful, so I did not pursue this avenue, but a fraudster would have no such qualms). I could then open a bank account, take out a loan or mortgage using a correspondence address to cover my tracks and keep extending the credit for years. Or this information could be used to set up bogus social networking sites to incite others to disclose information.

These same methods can also be used to target businesses. By researching a senior executive using the techniques outlined above, an attacker could guess system passwords far more easily, gaining access to invaluable corporate data.

Passwords are still typically built from hobbies, loved ones’ names and dates of birth, so an attacker who has collected those details can try a few thousand tailored guesses instead of millions of generic ones. Targeting a person in a specific role with a specific level of seniority is a fantastically efficient way of ensuring a good return on investment for an attacker.
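The point is easiest to see in code. The following script is an added example, not part of the original column or anything SecureTest published: it takes a small, constructed profile of the kind the research above produces (family names, hobbies and birth dates, all made up here) and expands it into a targeted candidate list using the mangling habits people really have (capitalisation, leet substitutions, years and birth-date digits as suffixes). An unsalted SHA-256 digest stands in for whatever password hash the attacker has obtained; it is an assumption for the demonstration, not a claim about any real system. The same candidate list can be turned round defensively, as a check that rejects a new password an attacker could derive from its owner’s public footprint.

```python
"""Targeted password guessing from OSINT attributes (added example)."""
import hashlib
import itertools

# Constructed sample profile: made up for this example, not data about the
# people in the article. In practice it is filled from the research above.
PROFILE = {
    "names": ["Peter", "Emma", "Lucy"],      # target and family members
    "hobbies": ["golf", "tennis", "rock"],   # interests gleaned from articles and profiles
    "dates": ["1965-03-12", "1998-07-04"],   # birth dates, ISO format
}

# Substitutions users believe make a word "strong" (a -> 4, e -> 3, ...).
LEET = str.maketrans("aeios", "43105")


def date_fragments(iso_date):
    """Expand YYYY-MM-DD into the suffixes people typically append."""
    year, month, day = iso_date.split("-")
    return {year, year[2:], day + month, day + month + year[2:], day + month + year}


def candidates(profile):
    """Build a targeted, deduplicated candidate list from the profile."""
    bases = [w.lower() for w in profile["names"] + profile["hobbies"]]
    stems = set(bases)
    for a, b in itertools.permutations(bases, 2):   # e.g. "lucygolf"
        stems.add(a + b)
    suffixes = {"", "1", "01", "123", "!"}
    for d in profile["dates"]:
        suffixes |= date_fragments(d)
    out = set()
    for stem in stems:
        for variant in (stem, stem.capitalize(), stem.upper(), stem.translate(LEET)):
            for suffix in suffixes:
                out.add(variant + suffix)
    return sorted(out)


def sha256_hex(text):
    """Unsalted SHA-256 stands in for whatever hash the attacker obtained (assumption)."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, profile):
    """Return the candidate whose digest matches target_hex, or None."""
    for cand in candidates(profile):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


def derived_from_profile(password, profile):
    """Defensive use: True if a new password is one an attacker could derive
    from public information about its owner, so a policy should reject it."""
    return password in set(candidates(profile))


if __name__ == "__main__":
    wordlist = candidates(PROFILE)
    print(f"{len(wordlist)} targeted candidates")
    print("recovered:", crack(sha256_hex("Golf1965"), PROFILE))
    print("policy rejects 'Tennis!':", derived_from_profile("Tennis!", PROFILE))
```

The whole search space here is a couple of thousand strings, so a password such as a hobby plus a birth year falls in well under a second regardless of how slow the hash is; real tooling applies far larger rule sets, but the economics are the same. The defensive check is deliberately the same generator: if the organisation can enumerate what an outsider can learn about an executive, it can refuse to let that information become the password.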

It is not just individuals who are at risk. Organisations face industrial espionage or confidential information leaks, and those responsible – from employees to suppliers to customers – may not even realise they are doing it. Management is often unaware of the risk: its main concern is usually over-use of the internet and the impact of social networking on productivity, rather than the security risk it poses.

Sensitive corporate information concerning security arrangements or impending merger or acquisition activity is frequently disclosed on blogs or social networking sites. If someone is targeting a specific organisation – for example, looking for information to guide stock market decisions – they can decode employees’ references to long hours, management changes and upcoming restructures.

Similarly, any organisation involved in industrial action or complex employee or commercial litigation cases is at risk. Indeed, we consider this such a threat that we advise businesses on how to carry out a social networking audit in order to determine just how much information has already leaked.

Just as there are multiple motives for wanting to access information, there are infinite ways of extracting it if someone wants it badly enough. Much of what’s valuable is out there already, free.

Ken Munro is chief executive of SecureTest
Copyright The Financial Times Limited 2007
