No-Fail Identity Theft – Live and In Person
ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."
The human element.
Defective Logic
Internet theft: Wholesale
in-person theft: Retail
We make up the difference in volume!
I'm not worried about Retail level theft. It's the wholesale one that is more worrisome.
If internet theft has a success rate of 1 in a thousand but puts millions of people at risk, it's more worrisome.
Some drink at the fountain of knowledge. Others just gargle.
Step one, find a birth certificate for a person of the same gender as you, and around the same age.
Register at your local university and obtain student card in the name of the person on the birth certificate, withdraw before you have to pay anything (this step may vary with your university, I know it is possible at the Uni that I attended).
Obtain utility bills in the name of the person on the birth certificate.
There you go, 100 points of ID!
Use to obtain other forms of ID etc. (If you're in the USA finding the social security number would probably be useful too.)
If the person isn't dead (to create a "new" id, make sure that the birth certificate is for a person who died quite young), then you can have a field day getting access to whatever.
Enjoy.
I wank in the shower.
People are much too obsessed with the image of a diabolical Cheetos-eating hacker without any social skills. The most effective criminals in the world are friendly, well-dressed, and outgoing. And usually only technologically-competent enough to get the job done.
Ever heard of mustard squirters? They squirt your back with mustard, then inform you of the fact you have mustard on your back. They proceed—presumably generously—to wash it off for you: In doing so, they take your wallet. No technology. Tremendous success rate.
Come on. Some people out there need to read the works of Frank Abagnale, or at least Kevin Mitnick.
"Insanity in individuals is something rare - but in groups, parties, nations and epochs, it is the rule."
Actually, that's not as good as telling them you're selling photocopiers. Don't remind people about security when you're trying to steal stuff; sometimes it jogs their memory to the boring security lectures they sat through during their first week of work.
The absolute best way to go about it is to be in a semi-authority position where you need information, and you have a right to information. If you need it, and you are perceived to have a right to it, then people will go out of their way to find it for you.
The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.
It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Duck tape?
Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
At risk of dating myself here, I will mention that during the whole Mitnick thing, (big press about social engineering "dark side hacker" back then) I wrote a paper in a sociology class, and proved it beyond my wildest dreams. (Granted the presentation was done to a batch of people with glazed eyes.) The topic? That despite all the hullabaloo, the vast majority of "the masses (tm)" are still just as brick/rock stupid or at least very ignorant, just as they were before social engineering was brought to the newsfront by overeager media people looking for someone to demonize.
Do not be upset. Stupid people are there so that intelligent or smart people are given a reason to shine. If everyone was smart, you'd be another drop in the bucket, but if you are, and they are not, then be happy you're stronger, smarter or better off, enjoy the advantage, help others if you want, or avoid helping them, all up to you.
All in all (back to my paper in question) I think I only had a few people turn me down for providing private info. It was then that I realized that "security" auditing was a joke for any company that is not so small that the employees and employer know and care about each other. Tall order in today's societal tendency for a lack of responsibility. Until people are held accountable for their actions by other people, regardless of the piece of paper they hide behind (be it a corporate charter or some other set of excuses for bringing harm to others), until people are held accountable by those whom they harm, nothing will change. Therefore, I wager nothing will EVER change, since the vast majority are cowards. The upside is that this has created a veritable "Garden of Eden" for those of us that do not suffer from lack of courage or lack of vision.
If there truly is a God, he must be one sarcastic dude, because, as far as I can tell, he despises stupid, weak people, and does everything possible to give them a shock to wake them up. And, despite my dislike for Churchill, this quote is a classic "sometimes a man may trip over the truth, but sadly, very often he just picks himself up and goes on." So don't feel pissed that most employees don't care. Their entire social structure is built on irresponsibility, rudeness, and triviality. Why do you expect them to behave as exemplars of honor, honesty and integrity, when the very system they seek to be rewarded by, is not based on such ideas? (No, paying lip service to "honesty" does not make one honest, same thing with honor or integrity or a hundred or more other ideas one can name.)
"What luck for rulers that men do not think" - Adolf Hitler
Actually I used to use this trick to take a break when I was a student nurse in the nineties.
I'd pick up an X-ray or some notes that I knew wouldn't be needed, and go off walking around the hospital. No-one on my ward would question why I was gone, because I was just the student, I got sent places all the time. I found I could go round any department without being challenged, people just assumed I was meant to be there.
Incidentally, student nurse uniforms are easy to buy.
It worked for two years, then I got busy, what with exams and all, so I stopped doing it. I never got caught though.
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
Banks make money by borrowing your money (at a low interest rate) and loaning it out to someone else (at a higher interest rate). If your identity is stolen in a big way, then any fees you pay to reverse bad transactions or identity-protection services you take part in are going to be outweighed by the fact that your money is quickly disappearing (and thus no longer available to be loaned out by the bank).
It's in the best interest of the bank to keep your money in their vault; identity theft typically results in the exact opposite.
Identity theft (at the scale we see it now) is relatively young, and so it's understandable that banks and credit unions don't really have a developed, effective strategy to protect the customer... but as the parent says, given the shroud of secrecy that surrounds much of the banking and credit industries, a little transparency might go a long way to illuminate danger areas, so we don't have to rely on proof-by-egg-on-face as in TFA.
This is how I used to get my furniture: put on a work uniform w/ a few friends doing the same, show up to a motel w/ a shipping/receiving invoice, get a desk clerk to sign it, and carry a couch or whatever out. Almost 100% success rate at chain motels.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?
And let's remember that this applies to emergencies as well. If you see someone in a crowd who needs medical help, go help him, and call for assistance if he needs it. Don't assume somebody else will do it; everybody else is going to assume that too! If you're the one who needs medical assistance, or you're with that person, don't shout out "call 911." Pick a person out of the crowd, point to him, and say, "You, call 911."
If you mod me Overrated, you are admitting that you have no penis.
The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.
Sad but true: someone dressed up like a technician, walked into my company's office and started puttering around with a desktop computer. After a while, he disconnected the computer and walked out with it.
Everyone assumed that someone else had called him to come in and fix the "malfunctioning" computer, and when he left with it, presumed that he was taking it elsewhere for a more serious repair effort.
What annoys me are banks/companies in the UK who do this:
Me: Hello?
Them: Hello, this is LloydsTSB/BT/some other company. Is this <My Name>?
Me: Yes
Them: OK, for security, I have to ask you some questions. What is your date of birth?
Me: I'm not giving that sort of information out to some random on the phone - how do I know you're who you say you are?
Them: I'm ringing on behalf of LloydsTSB/BT/some other company.
Me: Sure, you said that. Tell me what my account number is then.
Them: I can't do that until you've identified yourself.
Me: Bit of an impasse then, isn't it?
Sure, they know my name and number. I'm guessing it's not that hard to find that out though.
None of that crap would pan out where I work.
Need help getting through a door? Sure, people will let you through a door if you're lugging a load. Then they'll see you don't have your badge on, offer to help you find the office and person you're looking for, and if you don't know what name or location to give, they'll stick right with you until you figure it out or security comes along to help.
Selling copiers? "Oh, man, dude, nobody on this floor has the authority to buy anything! Lemme walk you over to the facilities guy that you *must* have an appointment with. He'll get you a temp badge or an escort if you need to look around."
New hire? "Gee, ya know, I hate to be a pain about this but you really do have to keep your badge on in the building. Lemme hold your box while you find it."
Lost your badge? "Gee, ya know, you're gonna get hassled a bunch without it. Do you know where Kathy's office is? Let me show you; she can issue you a temp badge for the day."
Lugging in a server or anything that looks remotely computer-like? The security guard will have you sign in and call down someone from IT to escort you.
Visiting executive? Unless you're the commish, in which case you'll be covered by a phalanx of security, even the lowliest of the low in this place will give you a friendly wave, say hi, and offer you a lanyard for your badge while you're in the building. "Oh, that's OK, I can wait till you find your badge. Do you want me to show you where you're going/where to get a temp badge/to security?" In fact, this is one of the few times a data input operator can pull rank on the highest executive in the organization and you'd better believe that no office lacks for people who would relish the opportunity.
Bluff your way past security and take an elevator ride to an upper floor, looking for something? Big deal. All the doors are on card keys and if you knock, the person who answers is going to lead you right back through the "Gee, I hate to be a pain about this but you really have to wear your badge in the building" routine.
Walking around in the hall looking semi-lost because you got in but realize you can't get through any of the doors? You'll be directly challenged by someone who will walk you directly to your manager (if you can provide a name and location) or directly to security.
If by some total breakdown (say, you've got a decent fake badge and you piggyback on someone to get through a door) you get into the work area and plop down in a conference room, you're gonna get caught in short order. Plug in your laptop? If you haven't pre-reserved the room, you'll trip port security, that port on the router will shut down, the telecomm lady will get an automatic page and head up to that conference room to see who's screwing around by plugging in an unregistered MAC. Just turning on a laptop with wireless enabled chances setting off the scanner that's sometimes running in every building; in that case, you get a quick visit from scary men with badges and guns. You're a contractor on site and you plug in a wireless access point? See the sentences immediately previous, plus you get tossed out, fired if you're a sub, lose your individual security clearance, and the overall contract holder gets in seriously hot water. Just sit there and try to look important? The conference room reservations are controlled by the nearest secretary. As soon as s/he sees you in the room, you'll get asked to do a formal reservation. "If the room is free, you can have it, but I need your name and badge number for the log book. By the way, where's your badge?" In offices where the conference rooms aren't tightly controlled, people get used to dropping in so if you're sitting there without a badge, you're going to get questioned. If you don't know the right jargon, the right person to say you're working with, the right organizational attributes to assign to yourself, you're going to be questioned. Even the most tim
Actually.. clue #1 is that someone called YOU and asked for personal information. My counter to that (assuming I ever am confronted by it)? Get their name and tell them I must call them back, then call back to that company's main number. Chances are that once I ask this scammer his name, he hangs up on me.
There are places with tight security like that, and I've been to some of them. The overhead is high. For bidding purposes at a major aerospace company, we used to estimate that running a project at SECRET doubled the bid, and running at TOP SECRET ran the price up by 4x or more. At the higher levels, computers are in metal rooms with welded seams raised off the floor (so Security can check underneath) and with RF-tight airlocks. Signing documents in and out of files takes a big chunk of staff resources and time. There's a big bureaucracy associated with accountability.
One of the serious side effects of running highly classified projects is that the people working on them become obsolete in place. They're so cut off from the outside world that they don't keep up, outside their very narrow area of expertise. That's why I left aerospace and went to the commercial world.
Operations serious about security do a badge exchange when you enter the facility. You present your "outside" badge, which is validated at the security checkpoint, and exchange it for your "inside" badge, which never leaves the facility. This forces the security people to really check your outside badge, and makes the inside badges harder to copy, since they're not seen outside the facility. Information about what areas you're allowed to access appears only on inside badges. Outside badges won't open anything; inside badges may also be keys.
Yeah. Once there was this high security project, and one of the people got a pass to go to the nearest city to see his wife, who was dying of cancer at the time. He used his pass to let another man at about his level drive him there, since person one didn't have access to his own car. Unknowingly, this let man two give away secrets from the project to a competitor, which used the info to jump-start their competing product.
Of course, the project was the Manhattan Engineering District, the man with the car was Klaus Fuchs, the competitor was the Soviet Union, the product was nuclear weapons, and the dupe was Richard Feynman. It doesn't take stupidity to be fooled, or genius to do the fooling, and it isn't because of a lack of responsibility. That's why the CIA could operate in the Soviet Union despite the KGB, and vice versa.
I was watching a professional thief turned consultant on TV a few years ago describe his best and easiest scam. He would get a rent-a-cop uniform and stand outside a bank branch somewhere at the night depository. When people came to the bank to make their night deposits, he explained that it was broken and the bank had hired him to collect the bags. He claimed that most people actually gave him their night deposit bags!