ID Theft Made Easy
chiagoo writes "You may remember that 70% of the time, people will reveal their passwords for chocolate. Well, at this year's Infosecurity Europe, it was revealed that 92% of the 200 attendees surveyed would gladly trade enough information to steal their identities for a chance to win theater tickets. Social engineering at its best. Why spend time writing bots and rootkits when people will give you what you want for a piece of candy or a ticket to see The Pacifier?"
No matter how many privacy "protections" there are, it won't stop people from volunteering their own personal information.
The IT Guy will surely give you his boss's email password if you give him a new and most wanted PSP.
http://www.michel.eti.br
But you wouldn't be getting theater tickets now would you, seeing as how they need a real address to mail the tickets to.
-dave
http://millionnumbers.com/ - own the number of your dreams
Personally I think that most people are not aware that the information that they are giving could be used in that way. The problem is that our personal information has become more and more frequently asked. I remember back years ago when you could actually refuse to give your SSN but now your SSN has become a more Unified Personal ID number. This in itself is a shame. People need to be educated about what information should be given. With the article there I am sure there are quite a bit of people who actually use social engineering to gain what they seek. But there are the other ones who would rather do things anon. What have you all done/given to win things? I know that when I refuse to give out my information they usually say they can't give me what I won. It really makes you question what this information they gain is being used for when you win something. I am sure it goes into some marketing DB somewhere that the company uses. But one can never be sure or safe. My ex-wife one time had identity theft happen to her and it was a major hassle for us to sort it out. Though we have no idea how the information was gained. Let me tell you, tracking down where the information was gained is close to impossible.
string sig = llGetSig("dimentox"); llSay(0,sig);
I'll make the obligatory comment: Biometrics! The sooner the price comes down on these and the reliability goes up, they will be much better than passwords. I think today, two factor authentication is enough of a hurdle.
I know fingerprints can be foiled with rubber or BREATHING, but if you combine that with voice print or retinal scan, it should be pretty secure, even today. Add in facial recognition, and you've got a secure environment.
All authentication mechanisms are just hurdles. You have to hope your hurdles are high enough to obstruct the level of cracker that is after your information.
I have convinced people at work that making people change their passwords every month totally backfires; it causes utter INsecurity when the people can't remember the password because they have to change it all the time. They end up putting it on post-it notes in drawers next to the desk. I understand the motive, to increase the time it takes to brute-force the password, but when the users are going to do this in reaction to this because they have so many to remember, then you have zero security.
In short, we NEED biometrics, and we need them widely available and cheap.
that these innocuous pieces of information are -sufficient- to steal one's identity, open bank accounts, etc. Too bad the banking industry has no incentive to make it harder.
On the bright side, in the US at least, I think your SSN would also be needed, and I suspect at least some Americans are bright enough to guard that.
TFA: Last year, people at a transit station gladly gave up their passwords for a chocolate Easter egg.
What passwords? Did they check them? This doesn't sound too credible.
Tsunami -- You can't bring a good wave down!
How about the gas station that writes down your license plate information when you purchase gas w/o paying at the pump. It's just for their economic safety they say. Do you know how much information you can get on the owner of a car from their license plate?
They can get very little, actually, without access to police computers. Even if they could, it's no different from just driving around. You proudly display your license plate to hundreds of people each day. In light of this, it's not very easy to get much information from them, and it requires police cooperation. That gas station doesn't punch in the plate and go vigilante on you, they call the police and give the plate numbers to the police.
The gas station writing down your information is totally different from someone scanning your ID. Scanning your ID is a much more private process, and it requires your cooperation. However, anyone can write down a plate number. It's not even remotely the same, and it's definitely not a security risk.
Computers need to explode more often.
and other personal data, just for a bit of candy. Heck, I'd do it for free. I just wouldn't give them the correct password. I'd also make sure that the personal data I gave them was total BS.
So how do we know that the seemingly credulous participants in the survey weren't lying?
In this society, we use various forms of identification for various reasons. Go ahead and get mad at a gas station clerk if you want. If they aren't writing it down then your plate is on tape. Privacy is one thing, but your licence plate is there to PUBLICLY IDENTIFY you. That is its purpose. The poor guy would lose his job if you drove away without paying for your gas, not to mention that everyone would have to pay more for theirs.
A driver's license is there to privately identify you to those you show it to, a choice you make.
Your social security number should not be used for identification except to services (taxes, social security) that require it.
If you are mad that too much information is available to someone just by your license plate, fight to change what information is linked to it, don't get pissed at some schmuck for writing down a number that is plastered on both ends of the outside of your car!
Not necessarily divulged information. These studies are worthless because they ignore the very blatant fact that people can and most likely do give false information.
I'm about as close to paranoid about my personal information as anyone I know and my identity was stolen about 5 weeks ago. I give out practically nothing and it still happened. The part that drives you up the wall is how nobody seems to really give a crap about it. The police yawn, write the report, and leave. The stores all want an affidavit and then go away. Your bank gives you a new account and returns your money. Aside from the pile of paperwork I had, and am still having to deal with, it doesn't seem to bother anyone that this happens. This money must have come from somewhere, right?
I know I got all my cash back but I'd bring back roadside crucifixion in a heartbeat if I could get my hands on the guy who wrote $5K worth of checks using my info.
Appended to the end of comments you post. 120 chars.
My philosophy is, make my info a bit harder to get than the next guy's and I'm safe(er). So the fact that there are so many others out there whose info is so easy to get, just makes me feel safer. Just like putting the Club on my car. A thief can remove it w/o too much trouble, but it's still easier for him to just steal the car that doesn't have any theft-deterrent. What does worry me is companies not guarding the information that I give them for legitimate use.
But I don't display my CC # right next to it.
Nor do you display your credit card number right next to it at the gas station. You'll notice that parent specified when you drive off without paying. In this case, you have given the gas station no more than you give all the people you drive past during the day. If you're going to get upset about this, then you also need to yell at everyone who uses security cameras. Given the number of times security cameras have been used to solve crimes, I'm placated.
Computers need to explode more often.
The problem is not with the people. The information they give out _should_ be giveoutable. The problem is with the system that allows such simple information like a driver's license number to allow someone to take your identity.
It's unreasonable to expect people to keep something private they are required to give out so frequently. It don't make sense.
But that's where it gets interesting. Take an American Social Security Number for instance. Technically, no one but the government can require you to give out the number. Workplaces, however, often ask for it, when applying, so that they can fill out government income tax forms. Health care facilities often ask for things like Medicaid and Medicare.
;)
All someone has to do is convince you that they need that kind of information, regardless of the truth of the matter. There is a famous saying (that I'm about to butcher) in the security world: there should always be three factor identification - something you carry (like an id), something you know (like a password), and something you own/are (like a fingerprint or dna). While the first two are in place, with driver's licenses and maiden names and what not, there is no widespread biometric database. And we all know how keen slashdotters are on that
-dave
http://millionnumbers.com/ - own the number of your dreams
I still have a bag full of old receipts with full credit card numbers I'm trying to figure out how to dispose of.
Wait until winter. Burn as fuel. Stir around the ashes. Easy-peasy-lemon-cheesy. No need for cross-cutting shredders.
Wait.. Wait, forget I said that. As luck has it, I have a "data destruction" company. I've got some really advanced cross-cutting shredders, right here, siree! Just fork over your metric loads of privacy-sensitive information, and a few hundred bucks for disposal, and go and have a good night's sleep. And if people from the credit-card company call, saying someone's been using your cards out-of-state, just remember they're most likely identity thieves trying to scam you into giving them your personal information. After all, all your data was safely destroyed....
SCO employee? Check out the bounty
As a poster to the BBC article said, "I'd reveal my "password" to anybody if they were offering me free chocolate! My password is "givemefreechocolatenowplease"!"
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Think system wide and find the real flaw here. Are people really stupid to provide a handful of facts about themselves? Or are the banks stupid to accept a handful of facts as evidence of authorization to access an account?
Seems to me this whole "identity theft" is an exercise in blaming people for the banks' failures. I haven't had my "identity stolen" -- whatever that's supposed to mean. No, the bank has been tricked, defrauded into giving up my money to someone who happens to know my mother's maiden name. That's the bank's policies hurting the bank's ability to do its job -- keep my money safe. That's not my problem.
Calling it "identity theft" and holding me responsible for preventing it is just an attempt to turn the banks' problem into my problem -- one they are happy to help me solve for a fee of $10 a month.
No, thanks, I decline to pay a monthly fee to do the bank's work for it.
Each and every slip had the full credit card number, the expiration date, and a copy of the cardholder's signature.
Many other stores, restaurants, etc simply store this information in the trash. I guess you can consider the new Walmart approach progress.
However, I don't care too much if my credit card info gets stolen, and being that the credit card people don't do anything to protect themselves from this kind of theft, I guess they don't either. There is, and always will be a balance between security and ease of use, and the level of security vs value of that being secured (nobody puts much of a lock on a piggy bank, Fort Knox has an entire Army base guarding it).
I really guess that most people are either just a) honest, or b) too stupid or lazy to be dishonest. I'm actually shocked that CC theft is not more of a problem, and have been for years.
If you assumed that these people are fraudsters, you wouldn't waste your time filling out their form with dud information.
I just called to see what it was. I figured anyone posting an 800# on Slashdot had a joke behind it.