Attacks/Breaches
6/30/2008
09:50 AM

Cracking Physical Identity Theft

Social engineering expert reveals brick-and-mortar identity theft risks in banks, ISPs, and other firms

A researcher performing social engineering exploits on behalf of several U.S. banks and other firms in the past year has “stolen” thousands of identities with a 100 percent success rate.

Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, says organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away.” But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks, and to add policies and procedures to pinpoint any “red flags,” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

During one recent social engineering caper for a large credit union with 15 locations, Perrymon and his team posed as federal investigators for the FDIC. They used their fake ID-making machine, which spits out phony drivers’ licenses and official-looking badges, and after two days of reconnaissance they donned suits and their forged FDIC badges and went on-site at one of the credit union locations during its busiest and most hectic time of day, lunchtime. “I walked in with a camera around my neck that looks like a digital 35 millimeter, but the whole time it’s recording video, and with a clipboard. We walked right in, posing as federal auditors,” Perrymon recalls. “Ninety-eight percent of the time someone asks if I need anything or any help... At that point I sit them down and ask them thirty questions about their internal security procedures – dye bags, sound alarms, etc.”

Perrymon says he then walked around the individual offices and found one that was empty, and voila: “Most of the time customer data is right there on the desk, so I snatch that right up,” he says. “My favorite thing to do is open the credenza, take seven or eight folders and slide them right under the clipboard. Our goal is to be in and out in seven minutes.”

And that’s about how long it took him to steal -- unfettered -- sensitive identity information on seven of the credit union’s customers.

“We’ve also done [social engineering jobs] for secure hosting companies – we get into data centers and get to their drawings and internal sensitive documents,” he says. “We were able to bypass the RFID security at a hosting company.”

Another time, he posed by the door with a large vendor equipment box, and a helpful data center worker held the door for him and let him in. “I walked right in, opened the box and plugged right into the backbone of a big ISP,” he says.

And while Perrymon and his team have “drivers' licenses” and other phony IDs, they are rarely asked to present them. They even try to make the IDs somewhat inconsistent with legitimate ones to see if anyone notices -- typically no one does, he says. “What we want to see is if an employee says ‘that’s not a real badge,’” he says. “So we try not to make the IDs perfect... so they can pick up on [it]. But nine times out of ten, they’re really not going to question you.”

“Over the past five years, we have [had] a 100 percent success ratio of walking out of each engagement with at least five complete identities,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
