Attacks/Breaches

6/30/2008
09:50 AM

Cracking Physical Identity Theft

Social engineering expert reveals brick-and-mortar identity theft risks in banks, ISPs, and other firms

A researcher performing social engineering exploits on behalf of several U.S. banks and other firms in the past year has “stolen” thousands of identities with a 100 percent success rate.

Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, says organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away.” But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks as well as add policies and procedures to pinpoint any “red flags” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

During one recent social engineering caper for a large credit union with 15 locations, Perrymon and his team posed as federal investigators for the FDIC. They used their fake ID-making machine, which spits out phony drivers’ licenses and official-looking badges, and after two days of reconnaissance they donned suits and their forged FDIC badges and went on-site at one of the credit union locations during its busiest and most hectic time of day, lunchtime. “I walked in with a camera around my neck that looks like a digital 35 millimeter, but the whole time it’s recording video, and with a clipboard. We walked right in, posing as federal auditors,” Perrymon recalls. “Ninety-eight percent of the time someone asks if I need anything or any help... At that point I sit them down and ask them thirty questions about their internal security procedures – dye bags, sound alarms, etc.”

Perrymon says he then walked around the individual offices and found one that was empty, and voila: “Most of the time customer data is right there on the desk, so I snatch that right up,” he says. “My favorite thing to do is open the credenza, take seven or eight folders and slide them right under the clipboard. Our goal is to be in and out in seven minutes.”

And that’s about how long it took him to steal -- unfettered -- sensitive identity information on seven of the credit union’s customers.

“We’ve also done [social engineering jobs] for secure hosting companies – we get into data centers and get to their drawings and internal sensitive documents,” he says. “We were able to bypass the RFID security at a hosting company.”

Another time, he posed by the door with a large vendor equipment box, and a helpful data center worker held the door for him and let him in. “I walked right in, opened the box and plugged right into the backbone of a big ISP,” he says.

And while Perrymon and his team have “drivers' licenses” and other phony IDs, they are rarely asked to present them. They even try to make the IDs somewhat inconsistent with legitimate ones to see if anyone notices -- typically no one does, he says. “What we want to see is if an employee says ‘that’s not a real badge,’” he says. “So we try not to make the IDs perfect... so they can pick up on [it]. But nine times out of ten, they’re really not going to question you.”

“Over the past five years, we have [had] a 100 percent success ratio of walking out of each engagement with at least five complete identities,” he says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
