6/30/2008 09:50 AM

Cracking Physical Identity Theft

Social engineering expert reveals brick-and-mortar identity theft risks in banks, ISPs, and other firms

A researcher performing social engineering exploits on behalf of several U.S. banks and other firms in the past year has “stolen” thousands of identities with a 100 percent success rate.

Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, says organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away.” But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks as well as add policies and procedures to pinpoint any “red flags” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

During one recent social engineering caper for a large credit union with 15 locations, Perrymon and his team posed as federal investigators for the FDIC. They used their fake ID-making machine, which spits out phony drivers’ licenses and official-looking badges, and after two days of reconnaissance they donned suits and their forged FDIC badges and went on-site at one of the credit union locations during its busiest and most hectic time of day, lunchtime. “I walked in with a camera around my neck that looks like a digital 35 millimeter, but the whole time it’s recording video, and with a clipboard. We walked right in, posing as federal auditors,” Perrymon recalls. “Ninety-eight percent of the time someone asks if I need anything or any help... At that point I sit them down and ask them thirty questions about their internal security procedures – dye bags, sound alarms, etc.”

Perrymon says he then walked around the individual offices and found one that was empty, and voila: “Most of the time customer data is right there on the desk, so I snatch that right up,” he says. “My favorite thing to do is open the credenza, take seven or eight folders and slide them right under the clipboard. Our goal is to be in and out in seven minutes.”

And that’s about how long it took him to steal -- unfettered -- sensitive identity information on seven of the credit union’s customers.

“We’ve also done [social engineering jobs] for secure hosting companies – we get into data centers and get to their drawings and internal sensitive documents,” he says. “We were able to bypass the RFID security at a hosting company.”

Another time, he posed by the door with a large vendor equipment box, and a helpful data center worker held the door for him and let him in. “I walked right in, opened the box and plugged right into the backbone of a big ISP,” he says.

And while Perrymon and his team have “drivers' licenses” and other phony IDs, they are rarely asked to present them. They even try to make the IDs somewhat inconsistent with legitimate ones to see if anyone notices -- typically no one does, he says. “What we want to see is if an employee says ‘that’s not a real badge,’” he says. “So we try not to make the IDs perfect... so they can pick up on [it]. But nine times out of ten, they’re really not going to question you.”

“Over the past five years, we have [had] a 100 percent success ratio of walking out of each engagement with at least five complete identities,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
