I Hate Dialysis Message Board
Author Topic: How I Stole Someone's Identity  (Read 1707 times)
okarol
Administrator, Member for Life
Gender: Female
Posts: 100933
Photo is Jenna - after Disneyland - 1988
« on: September 05, 2008, 08:07:29 PM »

How I Stole Someone's Identity
The author asked some of his acquaintances for permission to break into their online banking accounts. The goal was simple: get into their online accounts using the information about them, their families and acquaintances that is freely available online.

By Herbert H. Thompson
August 2008

As a professor, a software developer and an author I've spent a career in software security. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information. I asked some of my acquaintances, people I know only casually, if with their permission and under their supervision I could break into their online banking accounts. After a few uncomfortable pauses, some agreed. The goal was simple: get into their online banking account by using information about them, their hobbies, their families and their lives freely available online. To be clear, this isn't hacking or exploiting vulnerabilities, instead it's mining the Internet for nuggets of personal data. Here's one case. I share it here because it represents some of the common pitfalls and illustrates a pretty serious weakness that most of us have online.

Setup: This is the case of one subject whom I'll call "Kim." She's a friend of my wife, so just from previous conversations I already knew her name, what state she was from, where she worked, and about how old she was. But that's about all I knew. She then told me which bank she used (although there are some pretty easy ways to find that out) and what her user name was. (It turns out it was fairly predictable: her first initial + last name.) Based on this information, my task was to gain access to her account.

Step 1: Reconnaissance: Using her name and where she worked, I found two things with a quick Google search: a blog and an old resume. Her blog was a goldmine: information about grandparents, pets, hometown, etcetera (although it turns out I didn't need to use most of this). From the resume I got her old college e-mail address and from her blog I got her G-mail address.

Step 2: Bank Password Recovery Feature: My next step was to try the password recovery feature on her online banking site. The site didn't ask any personal questions; instead it first sent an e-mail to her address with a reset link, which was bad news, because I didn't have access to her e-mail accounts. So e-mail became my next target.

Step 3: G-mail: I tried to recover her G-mail password, blindly guessing that this was where the bank would have sent its password-reset e-mail. When I tried to reset the password on her G-mail account, Google sent its password reset e-mail to her old college e-mail account. Interestingly, G-mail actually tells you the domain (for example, xxxxx.edu) where it sends the password reset e-mail to, so now I had to get access to that…ugh.

Step 4: College E-Mail Account: When I used the "forgot my password" link on the college e-mail server, it asked me for some information to reset the password: home address? (check—found it on that old resume online); home zip code? (check—resume); home country? (uh, okay, check—found it on the resume); and birth date? (devastating—I didn't have this). I needed to get creative.

Step 5: Department of Motor Vehicles: Hoping she had gotten a speeding ticket, I hit the state traffic courts' Web sites, because many states allow you to search for violations and court appearances by name. These records include a birth date (among other things). I played around with this for about 30 minutes with no luck when I realized that there was probably a much easier way to do this.

Step 6: Back to the Blog: In a rare moment of clarity I simply searched her blog for "birthday." She made a reference to it on a post that gave me the day and month but no year.

Step 7: Endgame (or How to Topple a House of Cards): I returned to the college e-mail password recovery screen and typed in her birth date, guessing on the year. Turns out that I was off on the year of birth but, incredibly, the university password reset Web page gave me five chances and even told me which field had inaccurate information! I then changed her college e-mail password, which gave me access to her G-mail password reset e-mail. After clicking the link, Google asked me personal information that I easily found on her blog (birthplace, father's middle name, etcetera). I changed the G-mail password, which gave me access to the bank account reset e-mail, and I was also asked for similar personal information (pet name, phone number and so forth) that I had found on her blog. Once I reset the password, I had access to her money (or at least I would have).

Needless to say, Kim was disturbed. Her whole digital identity sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What's striking about Kim's case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security resting unsteadily on the shoulders of one or two e-mail accounts. In Kim's case some of that information came from a blog, but it could just as easily have come from a MySpace page, a sibling's blog (speaking of their birthday, mom's name, etcetera) or from any number of places online.

Battling this threat requires us to make better choices about how we prove who we are online and what we make available on the Internet. Go and do a self-check. Try to reset your passwords and see what questions are asked to verify your identity. Some questions are better than others. Date of birth, for example, is bad. In addition to the DMV, there is a wealth of public records available online where folks can track down when you were born. Most account reset features give you a choice of questions or methods to use. Go for questions that ask about obscure things that you won't forget (or can at least look up), like your favorite frequent flyer number. Avoid questions that are easy to guess, such as which state you opened your bank account in. All of these are, of course, stopgap measures until we find better ways to prove our identities online.

It's also critical to remember that once you put data online, it's almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up and analyzed almost immediately. Think first, post later.

As for Kim, she's still blogging, but now she's a little more careful about the information she volunteers and has cleaned house on her old passwords and password reminder questions. Next time I do this, I'll have to figure out the name of her favorite primary school teacher.


Admin for IHateDialysis 2008 - 2014, retired.
Jenna is our daughter, bad bladder damaged her kidneys.
Was on in-center hemodialysis 2003-2007.
7 yr transplant lost due to rejection.
She did PD Sept. 2013 - July 2017
Found a swap living donor using social media, friends, family.
New kidney in a paired donation swap July 26, 2017.
Her story ---> https://www.facebook.com/WantedKidneyDonor
Please watch her video: http://youtu.be/D9ZuVJ_s80Y
Living Donors Rock! http://www.livingdonorsonline.org -
News video: http://www.youtube.com/watch?v=J-7KvgQDWpU
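The article recommends a self-check of how your accounts back each other up and which reset questions are answerable from public data. The following is an added example, not code from the article or from this thread: it models a recovery chain like Kim's (one root e-mail account, everything else resetting through it) and includes the kind of reset-question check the university page in the article should have used (one yes/no answer, no hint about which field was wrong, a hard attempt limit). Every account name, reset channel, question category and answer in it is constructed for illustration.

```python
"""Self-check for an account-recovery dependency chain.

Added example, not from the article or this thread. It models the
"house of cards" the article describes: every account, reset channel,
security question and answer below is constructed for illustration.
"""
import hmac
from collections import deque

# Answer categories the article shows being recovered from a resume, a blog
# or public records. Reset questions drawn from these are treated as weak.
PUBLIC_CATEGORIES = {
    "birth_date", "home_address", "zip_code", "birthplace",
    "pet_name", "parent_name", "phone_number", "employer",
}

# Constructed inventory. For each account: which other account receives its
# password-reset e-mail (None = it is the end of the chain), and which answer
# categories its reset questions ask for.
ACCOUNTS = {
    "college_email": {"reset_email_to": None,
                      "questions": ["home_address", "zip_code", "birth_date"]},
    "gmail":         {"reset_email_to": "college_email",
                      "questions": ["birthplace", "parent_name"]},
    "bank":          {"reset_email_to": "gmail",
                      "questions": ["pet_name", "phone_number"]},
    "blog":          {"reset_email_to": "gmail",
                      "questions": ["frequent_flyer_number"]},
}


def blast_radius(accounts, start):
    """Accounts reachable from `start` by following reset-e-mail links:
    whoever controls `start` can reset every one of them in turn."""
    reached, queue = {start}, deque([start])
    while queue:  # breadth-first walk; the visited set guards against cycles
        current = queue.popleft()
        for name, info in accounts.items():
            if info["reset_email_to"] == current and name not in reached:
                reached.add(name)
                queue.append(name)
    return reached


def root_accounts(accounts):
    """Accounts that no other account backs up: the foundation of the chain."""
    return {name for name, info in accounts.items() if info["reset_email_to"] is None}


def weak_questions(accounts):
    """For each account, the reset questions whose answers are public-data categories."""
    return {name: [q for q in info["questions"] if q in PUBLIC_CATEGORIES]
            for name, info in accounts.items()}


def verify_reset_answers(expected, given, attempts_used, max_attempts=3):
    """Hardened reset-question check, the opposite of the university page in
    the article: every field is compared, the caller gets one yes/no answer
    with no hint of which field was wrong, and nothing is accepted once the
    attempt budget is spent. Answers are normalised before comparing."""
    if attempts_used >= max_attempts:
        return False
    ok = True
    for field, expect in expected.items():
        # Compare every field rather than stopping at the first mismatch, so
        # neither the response nor its timing reveals which one failed.
        ok &= hmac.compare_digest(expect.strip().lower().encode(),
                                  given.get(field, "").strip().lower().encode())
    return ok


def report(accounts):
    """Human-readable findings for the inventory."""
    lines = []
    for root in sorted(root_accounts(accounts)):
        falls = sorted(blast_radius(accounts, root) - {root})
        lines.append(f"{root} is a root of trust; losing it also loses: {falls}")
    for name, weak in sorted(weak_questions(accounts).items()):
        if weak:
            lines.append(f"{name}: reset questions answerable from public data: {weak}")
    return lines


if __name__ == "__main__":
    for line in report(ACCOUNTS):
        print(line)
```

Run as a script it prints the root of trust with everything that falls with it, then each account whose reset questions rely on public-data categories; in the constructed inventory only the blog, with its frequent-flyer-number question, passes clean, which is the choice the article recommends.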
Sluff
Member for Life
Gender: Male
Posts: 43869
« Reply #1 on: September 05, 2008, 09:46:53 PM »

Seems like a lot of work if you don't know someone. Anyone who tries to hack into my information is in for a surprise. I couldn't borrow a quarter if my life depended on it. Nothing to lose here. ;D
pelagia
Elite Member
Gender: Female
Posts: 2991
« Reply #2 on: September 05, 2008, 10:12:04 PM »

This is a very interesting article. Anyone have any additional tips for staying safe on the web?

I am having a huge problem at work right now that is web related. Someone is using my e-mail address to send e-mails all over the world. Between midnight and 7 PM tonight I had received more than 13,000 e-mail messages from servers that one way or another said my e-mail had bounced. What a drag! It seems to have finally slowed down as of about an hour ago, thank goodness. Around noon I was getting 300-400 e-mails an hour. Took me a little bit to figure out how to catch them with the junk mail filter. The computer folks where I work tell us that there is almost no way to stop this sort of thing at their level, without filtering out some messages that someone will have wanted.

As for me, I'll borrow this thought: "Having never experienced kidney disease, I had no idea how crucial kidney function is to the rest of the body." - KD
Chris
Member for Life
Gender: Male
Posts: 9219
« Reply #3 on: September 06, 2008, 01:58:22 AM »

I'll have to come back to read this one.

Diabetes -  age 7

Neuropathy in legs age 10

Eye impairments and blindness in one eye began in 95, major one during visit to the Indy 500 race of that year
   -glaucoma and surgery for that
     -cataract surgery twice on same eye (2000 - 2002). another one growing in good eye
     - vitrectomy in good eye post tx November 2003, totally blind for 4 months due to complications with meds and infection

Diagnosed with ESRD June 29, 1999
1st Dialysis - July 4, 1999
Last Dialysis - December 2, 2000

Kidney and Pancreas Transplant - December 3, 2000

Cataract Surgery on good eye - June 24, 2009
Knee Surgery 2010
2011/2012 in process of getting a guide dog
Guide Dog Training begins July 2, 2012 in NY
Guide Dog by end of July 2012
Next eye surgery late 2012 or 2013 if I feel like it
Home with Guide dog - July 27, 2012
Knee Surgery #2 - Oct 15, 2012
Eye Surgery - Nov 2012
Life's Adventures - Priceless

No two days are the same, are they?
RichardMEL
Member for Life
Gender: Male
Posts: 6154
« Reply #4 on: September 06, 2008, 08:33:45 PM »

Quote from: pelagia on September 05, 2008, 10:12:04 PM
This is a very interesting article. Anyone have any additional tips for staying safe on the web?

I am having a huge problem at work right now that is web related. Someone is using my e-mail address to send e-mails all over the world. Between midnight and 7 PM tonight I had received more than 13,000 e-mail messages from servers that one way or another said my e-mail had bounced. What a drag! It seems to have finally slowed down as of about an hour ago, thank goodness. Around noon I was getting 300-400 e-mails an hour. Took me a little bit to figure out how to catch them with the junk mail filter. The computer folks where I work tell us that there is almost no way to stop this sort of thing at their level, without filtering out some messages that someone will have wanted.

Oh dear, the victim of a nasty spammer. These guys suck in several ways.

What they do is harvest legitimate email addresses - and if they don't SEND spam, what they do is forge email FROM your address. Two reasons to do that:

1. Hides their identity

2. Because your address is legit this gets around the first main defence against spam. A lot of mail servers are configured to first off reject email that comes from a fake address - that is one where the domain doesn't exist etc. Using a real person's address defeats that because the mail servers will let it through, unless they use enough smart checks to realise it's forged (e.g. doesn't come from where it should) - unfortunately even that is not foolproof, because with the way the world works now people on the road can send their email through 3rd-party ISPs, which is not forged. So it's very hard for the systems to work out what's fake and what's real.

The end result is that you get a ton of bounces and aggravation (and I bet your ISP has it 10x worse because you can bet yours is not the only account name targeted there).

Very annoying and the fight against it continues.... sometimes it seems like a losing one.

This is the sort of field I work in so I know a little bit about it. Unfortunately there's very little you can do at this point :(

3/1993: Diagnosed with Kidney Failure (FSGS)
25/7/2006: Started hemo 3x/week 5 hour sessions :(
27/11/2010: Cadaveric kidney transplant from my wonderful donor!!! "Danny" currently settling in and working better every day!!! :)

BE POSITIVE * BE INFORMED * BE PROACTIVE * BE IN CONTROL * LIVE LIFE!
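The reply above explains why a forged From: address gets through (the domain is real, so the basic check passes) and why the smarter "does it come from where it should" check is not foolproof (a legitimate user on the road through a third-party ISP looks the same as a forger), and the earlier reply describes sorting thousands of bounces by hand. The following is an added example, not code from this thread: it models the origin check as a toy lookup against a published sender policy, shows the legitimate-roaming and forged messages landing on the same verdict, and sorts bounces into real ones and backscatter by whether the quoted Message-ID was ever actually sent. All domains, address ranges, Message-IDs and messages are constructed; no DNS is queried and nothing is sent.

```python
"""Why a forged From: address is hard to reject: a simplified origin check.

Added example, not from this thread. It models the check the reply
mentions ("doesn't come from where it should") as a toy lookup against a
published sender policy, plus the bounce sorting the earlier reply did by
hand. Domains, address ranges, Message-IDs and messages are all constructed.
"""
import ipaddress

# Constructed stand-in for each domain's published sender policy: the
# networks its legitimate mail is supposed to leave from.
SENDER_POLICY = {
    "hospital-work.example": ["198.51.100.0/26"],
    "example-isp.net": ["203.0.113.0/24"],
}


def origin_check(from_domain, connecting_ip, policy=SENDER_POLICY):
    """'pass' if the connecting host is in the From: domain's policy, 'fail'
    if it is not, 'none' if the domain publishes no policy at all."""
    nets = policy.get(from_domain)
    if nets is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    return "pass" if any(ip in ipaddress.ip_network(net) for net in nets) else "fail"


# Constructed inbound messages as a receiving server sees them. The "truth"
# field is what really happened and is NOT visible to the server.
INBOUND = [
    {"from": "pelagia@hospital-work.example", "ip": "198.51.100.7",
     "truth": "legitimate, sent from the office"},
    {"from": "pelagia@hospital-work.example", "ip": "192.0.2.45",
     "truth": "forged, sent by a spammer"},
    {"from": "pelagia@hospital-work.example", "ip": "203.0.113.9",
     "truth": "legitimate, sent from the road through a third-party ISP"},
]


def triage(messages):
    """Run the origin check over each message and pair it with the hidden truth."""
    return [(origin_check(m["from"].split("@", 1)[1], m["ip"]), m["truth"])
            for m in messages]


def indistinguishable(messages):
    """True if a forged and a legitimate message received the same verdict,
    which is the reply's point: the origin check alone cannot separate them."""
    verdicts = {}
    for verdict, truth in triage(messages):
        verdicts.setdefault(verdict, set()).add(truth.startswith("legitimate"))
    return any(len(kinds) > 1 for kinds in verdicts.values())


# Backscatter: bounces for mail the victim never sent. A server that keeps the
# Message-IDs of mail it really sent can separate these from genuine bounces.
MY_SENT_IDS = {"<20080905.0001@hospital-work.example>"}

BOUNCES = [  # constructed bounce notifications landing in the victim's mailbox
    {"subject": "Undelivered Mail Returned to Sender",
     "bounced_original_id": "<20080905.0001@hospital-work.example>"},
    {"subject": "Delivery Status Notification (Failure)",
     "bounced_original_id": "<spam-9f3a@bogus-host.invalid>"},
    {"subject": "Mail delivery failed: returning message to sender",
     "bounced_original_id": "<spam-77c1@other-bogus.invalid>"},
]


def is_backscatter(bounce, sent_ids=MY_SENT_IDS):
    """A bounce quoting a message we never sent is backscatter from a forgery."""
    return bounce["bounced_original_id"] not in sent_ids


def count_backscatter(bounces, sent_ids=MY_SENT_IDS):
    """How many of the bounces can be filtered as backscatter."""
    return sum(1 for b in bounces if is_backscatter(b, sent_ids))


if __name__ == "__main__":
    for verdict, truth in triage(INBOUND):
        print(f"{verdict:5}  <- {truth}")
    print("forged and legitimate mail got the same verdict:", indistinguishable(INBOUND))
    print("backscatter bounces:", count_backscatter(BOUNCES), "of", len(BOUNCES))
```

The office message passes and the spammer's fails, but the roaming user's legitimate message fails too, so a server that rejected on "fail" alone would drop real mail; real deployments soften this with per-user submission paths and additional signals. The backscatter count shows the one thing the victim's side can do reliably: a bounce is only genuine if it quotes a message the server actually sent.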