Cracking Physical Identity Theft

A researcher performing social engineering exploits on behalf of several U.S. banks and other firms in the past year has “stolen” thousands of identities with a 100 percent success rate.

Joshua Perrymon, hacking director for PacketFocus Security Solutions and CEO of RedFlag Security, says organizations typically are focused on online identity theft from their data resources, and don’t think about how the same data can literally walk out the door with a criminal posing as an auditor or a computer repairman. He once walked out of a client site carrying their U.S. mail tray with 500 customer statements inside it, he says.

“This is the forgotten and overlooked” security risk for identity theft, Perrymon says. “That’s why the first time we show [our clients] what we can do, it blows them away." But with the Federal Trade Commission’s (FTC) new identity theft regulations requiring banks, mortgage firms, credit unions, automobile dealerships, and other companies that provide credit to assess identity theft risks as well as add policies and procedures to pinpoint any “red flags” as of this November, Perrymon and his team are in hot demand to perform undercover social engineering exploits for banks and other firms to test their ID theft vulnerabilities.

During one recent social engineering caper for a large credit union with 15 locations, Perrymon and his team posed as federal investigators for the FDIC. They used their fake ID-making machine that spits out phony drivers’ licenses and official-looking badges and after two days of reconnaissance, they donned suits and their forged FDIC badges and went on-site at one of the credit union locations during its busiest and most hectic time of day, lunchtime. “I walked in with a camera around my neck that looks like a digital 35 millimeter, but the whole time it’s recording video, and with a clipboard. We walked right in, posing as federal auditors,” Perrymon recalls. “Ninety-eight percent of the time someone asks if I need anything or any help... At that point I sit them down and ask them thirty questions about their internal security procedures – dye bags, sound alarms, etc.”

Perrymon says he then walked around the individual offices and found one that was empty, and voila: “Most of the time customer data is right there on the desk, so I snatch that right up,” he says. “My favorite thing to do is open the credenza, take seven or eight folders and slide them right under the clipboard. Our goal is to be in and out in seven minutes.”

And that’s about how long it took him to steal -- unfettered -- sensitive identity information on seven of the credit union’s customers.

“We’ve also done [social engineering jobs] for secure hosting companies – we get into data centers and get to their drawings and internal sensitive documents,” he says. “We were able to bypass the RFID security at a hosting company.”

Another time, he posed by the door with a large vendor equipment box, and a helpful data center worker held the door for him and let him in. “I walked right in, opened the box and plugged right into the backbone of a big ISP,” he says.

And while Perrymon and his team have “drivers' licenses” and other phony IDs, they are rarely asked to present them. They even try to make the IDs somewhat inconsistent with legitimate ones to see if anyone notices -- typically no one does, he says. “What we want to see is if an employee says ‘that’s not a real badge,’” he says. “So we try not to make the IDs perfect... so they can pick up on [it]. But nine times out of ten, they’re really not going to question you.”

“Over the past five years, we have [had] a 100 percent success ratio of walking out of each engagement with at least five complete identities,” he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.