There's been a lot of talk about identity theft in recent days, and a lot of technology is being thrown at the problem. But with all the technology that's out there, it's still pretty easy for a good social engineer to steal an identity and exploit it swiftly, even if they only have a single piece of personal information. In a recent project, my penetration testing firm was able to gain an alarming amount of access to personal information -- and even financial accounts -- with only a birth date to go on.
We were hired by a private college to assess the security of its network. After completing numerous tests for vulnerabilities in the primary systems, we started looking at the Internet sites for the various departments and schools within the college. We found a major flaw in the alumni site, so we asked for permission to exploit it. The college agreed, as long as we agreed to stop our attack before any of its alumni were actually robbed. We began the exploit immediately.
The alumni site contained a list of all of the college's past students, along with the year they had graduated. Each alum's name was hyperlinked to a profile page that the alum could access and edit, first authenticating themselves with a birth date.
We started our attack by looking at a recent year of graduates, focusing specifically on athletes. We found a male athlete whose name was also posted on the college's sports Website, which gave his statistics as well as a birth date. Using that birth date, we were authenticated into his alumni profile. We then edited his profile, indicating he was employed by a company we had created. We provided specifics in the profile, including a spurious job title, job description, a mailing address, and an email account that we controlled.
Using one of the world's oldest social engineering techniques, I then asked one of my colleagues to call the college registrar's office, posing as the secretary for the young man. She requested a transcript on behalf of the victim, and because we were listed as his new employer, the registrar's office agreed and faxed over a form. We quickly completed it and faxed it back. Within a day -- and without charging any fee -- they faxed over his transcript, which included his Social Security number.
At that point, all of the elements needed to start controlling the person's identity were in motion. We had obtained his Social Security number, established a mailing address, and become his employer. We stopped our attack at that point -- we had no wish to hurt the person. However, if we had continued, we decided that establishing credit through a major retailer would be the easiest method.
We confirmed our hypothesis by going to a large sporting goods store, which advertised a 10 percent discount to customers who used its "quick and easy" approval process to obtain one of its credit cards. When I asked the manager how the store can establish credit so quickly, he explained that they verified the person's credit by asking for another credit card, then verifying credit through that company. If another card wasn't available, they would simply contact the person's employer as a financial reference. At that point, we knew we were in, because we had already established ourselves as the victim's employer.
This is just one example that shows how easy it is to gain a dangerous amount of access to personal information. There are lots of other exploits that we could have tried, and any one of them could have been just as effective.
Many people are careful to protect their Social Security information, but end users really should be concerned about all of their data. Identity thieves can collect data from many sources, including trash and recycling bins, discarded mail, and Internet sites. Sites where users share personal information, such as MySpace and LinkedIn, can make the problem worse. Sites that deal with family reunions, genealogy, and sports statistics may seem harmless, but they can become great resources for valuable personal data.
For IT and security people, however, the message is more complex. IT organizations should sanitize any online resources that contain personal data about their employees, maintaining only the bare minimum online. Personnel profiles or applications should never be kept on systems that are widely accessible over the Web. If there is a need to post personal information on a Web-accessible site, consider securing it with some sort of two-factor authentication, such as the technology offered by RSA Security.
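The alumni site's flaw was that its only "secret" was a birth date, a fact the college itself published on its sports site, and that a logged-in alum could silently change the employer and mailing address that the registrar later treated as a reference. The sketch below, added here as an illustration and not code from the college's site or the pen-testing firm, contrasts that birth-date check with a hardened version: a salted password hash plus a second factor for login, and step-up verification with an audit trail before any reference field changes. The record, field names and audit log are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; names and values are placeholders, not real alumni data.
ALUMNI = {
    "alum01": {"birth_date": "1984-03-12", "employer": "", "mailing_address": "",
               "email": "", "salt": None, "pw_hash": None},
}
# Fields a registrar or lender may rely on as a reference: changing them is high impact.
SENSITIVE_FIELDS = {"employer", "mailing_address", "email"}
AUDIT_LOG = []  # (outcome, user, fields) tuples; a real site would ship these to a SIEM

def login_birthdate_only(username, birth_date):
    """Vulnerable: the only 'secret' is a birth date that the sports site published."""
    rec = ALUMNI.get(username)
    return rec is not None and rec["birth_date"] == birth_date

def set_password(username, password):
    """Hardened: store a salted PBKDF2 hash instead of relying on a public fact."""
    rec = ALUMNI[username]
    rec["salt"] = secrets.token_bytes(16)
    rec["pw_hash"] = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)

def login_hardened(username, password, second_factor_ok):
    """Hardened: constant-time hash comparison plus a second factor (e.g. a token)."""
    rec = ALUMNI.get(username)
    if rec is None or rec["pw_hash"] is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(candidate, rec["pw_hash"]) and second_factor_ok

def update_profile(username, changes, second_factor_ok):
    """Refuse changes to reference fields without step-up auth; log every attempt."""
    rec = ALUMNI[username]
    sensitive = sorted(SENSITIVE_FIELDS & set(changes))
    if sensitive and not second_factor_ok:
        AUDIT_LOG.append(("refused", username, sensitive))
        return False
    rec.update(changes)
    AUDIT_LOG.append(("applied", username, sorted(changes)))
    return True

if __name__ == "__main__":
    # The birth date alone, as read off the public sports page, opens the profile.
    print(login_birthdate_only("alum01", "1984-03-12"))  # True
    set_password("alum01", "correct horse battery staple")
    # The same public fact used as a password, with no second factor, is rejected.
    print(login_hardened("alum01", "1984-03-12", second_factor_ok=False))  # False
```

The refused entries in the audit log are the detection hook: a burst of refused employer or address changes on accounts that have never changed them before is exactly the signal the college's IT staff lacked.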
Finally, IT departments should constantly monitor themselves for vulnerabilities. If a pen tester hadn't come and shown the college the flaws in its alumni system, how long would it have taken its IT folks to find and fix them? A vulnerability can often be found in a system that may seem peripheral to the business or relatively unimportant to the enterprise. Once that vulnerability is exploited, however, the consequences for users, customers, or employees could be disastrous.