Slashdot Mirror


No-Fail Identity Theft – Live and In Person

ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."

4 of 214 comments

  1. The biggest exploit for any system by NovaHorizon · Score: 5, Insightful

    The human element.

    1. Re:The biggest exploit for any system by globaljustin · Score: 5, Insightful

      However good security requires to treat everyone like they are...We want friendly customer service this is in direct conflict with security

      false dichotomy...your 'either...or' is invalid. First, providing security IS good customer service...

      More importantly, your ideas about what 'good security' requires are based on a flawed theory and definition of what it means to be 'secure.' Your operating definition implies that '100% secure' is an attainable goal. It's not. There is no golden procedure that will bring you out of Oz like Dorothy clicking her heels together three times.

      Ham-fisted, dumb tactics like making a teller ID some old lady that has been banking there for 30 years is the height of stupidity.

      The best way to provide a secure environment is to first have educated, savvy personnel at all levels. Second, have smart, targeted policies that capitalize on your educated employees using higher brain functions.

      A Counter-example: Instead of your "ID everyone all the time even if it's your grandma" approach...have a policy that says "ID everyone they have a 10 year + history and relationship with the bank, and you recognize them immediately"

      Why? No teller is going to comply with your example because it is unworkable. Have targeted, specific policies and employees that can think analytically instead.

      ps...for those of you with Asperger's or OCD just itching to point out flaws in my example, remember, it's just an example. If you're so interested in what I'm saying, then look at my ideas instead of nitpicking an admittedly imperfect example.
      --
      Thank you Dave Raggett
  2. Re:A Wise Man by DaedalusHKX · Score: 5, Insightful

    At risk of dating myself here, I will mention that during the whole Mitnick thing, (big press about social engineering "dark side hacker" back then) I wrote a paper in a sociology class, and proved it beyond my wildest dreams. (Granted the presentation was done to a batch of people with glazed eyes.) The topic? That despite all the hullabaloo, the vast majority of "the masses (tm)" are still just as brick/rock stupid or at least very ignorant, just as they were before social engineering was brought to the newsfront by overeager media people looking for someone to demonize.

    Do not be upset. Stupid people are there so that intelligent or smart people are given a reason to shine. If everyone was smart, you'd be another drop in the bucket, but if you are, and they are not, then be happy you're stronger, smarter or better off, enjoy the advantage, help others if you want, or avoid helping them, all up to you.

    All in all (back to my paper in question) I think I only had a few people turn me down for providing private info. It was then that I realized that "security" auditing was a joke for any company that is not so small that the employees and employer know and care about each other. Tall order in today's societal tendency for a lack of responsibility. Until people are held accountable for their actions by other people, regardless of the piece of paper they hide behind (be it a corporate charter or some other set of excuses for bringing harm to others), until people are held accountable by those whom they harm, nothing will change. Therefore, I wager nothing will EVER change, since the vast majority are cowards. The upside, is that this has created a veritable "garden of eden" for those of us that do not suffer from lack of courage or lack of vision.

    If there truly is a God, he must be one sarcastic dude, because, as far as I can tell, he despises stupid, weak people, and does everything possible to give them a shock to wake them up. And, despite my dislike for Churchill, this quote is a classic "sometimes a man may trip over the truth, but sadly, very often he just picks himself up and goes on." So don't feel pissed that most employees don't care. Their entire social structure is built on irresponsibility, rudeness, and triviality. Why do you expect them to behave as exemplars of honor, honesty and integrity, when the very system they seek to be rewarded by, is not based on such ideas? (No, paying lip service to "honesty" does not make one honest, same thing with honor or integrity or a hundred or more other ideas one can name.)

    --
    " What luck for rulers that men do not think" - Adolf Hitler
  3. Re:This just in... by Duncan Blackthorne · Score: 5, Insightful

    Actually.. clue #1 is that someone called YOU and asked for personal information. My counter to that (assuming I ever am confronted by it)? Get their name and tell them I must call them back, then call back to that company's main number. Chances are that once I ask this scammer his name, he hangs up on me.