
No-Fail Identity Theft – Live and In Person

ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."


  • by NovaHorizon ( 1300173 ) on Tuesday July 01, 2008 @12:24PM (#24017285)
    The human element.
  • by goombah99 ( 560566 ) on Tuesday July 01, 2008 @12:26PM (#24017319)

    Internet theft: wholesale
    In-person theft: retail

    We make up the difference in volume!

    I'm not worried about retail-level theft. It's the wholesale one that is more worrisome.

    If Internet theft has a success rate of 1 in a thousand but puts millions of people at risk, it's more worrisome.

  • This just in... (Score:4, Insightful)

    by jockeys ( 753885 ) on Tuesday July 01, 2008 @12:26PM (#24017329) Journal
    People are the weakest link in any security system. Film at 11.
  • by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday July 01, 2008 @12:28PM (#24017365) Journal

    I don't know if you can say it's related to online identity theft, though; this sort of social engineering predated that by decades, and it's always worked well.

    So much of it is about knowing the right number to call, or the right person to approach.

    People just need to be suspicious, but suspicious is massively unhelpful to people who legitimately need help. No one ever calls me for security credentials because I am the documentation gestapo; instead they approach one of the other people who can set them up, because they know that those people won't ask as many questions.

    On the one hand, I know I don't need to be as thorough as I am, on the other hand I know that the one time I'm not, I'll give access to the wrong person.

  • by arose ( 644256 ) on Tuesday July 01, 2008 @12:31PM (#24017399)
    s/any system/any otherwise safe system/
  • by mpapet ( 761907 ) on Tuesday July 01, 2008 @12:36PM (#24017467) Homepage

    When someone from some esteemed institution of higher learning discovers this, then maybe the "identity theft" groupthink will end.

    #1. Banks make money when your identity is stolen. The profit comes in the form of transaction penalties when you start reversing the charges, and possibly the bank's "identity theft services."

    #2. No one seems to have any interest at all in shedding some light on the credit process. Why isn't it quite transparent to all consumers?

    The entire "identity theft" scheme overwhelmingly favors the banking industry, and it's no one's fault but ours.

  • by Asmor ( 775910 ) on Tuesday July 01, 2008 @12:36PM (#24017469) Homepage

    Pretend to be a researcher. Approach bank president. "Hi, I'm Bob Researcher from State U. I'd like to test your bank's security for you." [insert fear mongering as necessary]

    If successful, yay! Free identities!

    If unsuccessful, meh. You're legit!

  • by Jason Levine ( 196982 ) on Tuesday July 01, 2008 @12:37PM (#24017475) Homepage

    The scary thing is that you can be as suspicious and careful as possible and still have your identity stolen because someone in another city whom you've never met wasn't suspicious and careful or because some company that you've dealt with directly or indirectly has a security breach of some sort. And when that happens the company responsible for your identity being stolen isn't out any significant (to them) money, but you need to spend a lot of your time and energy to restore your good credit.

    Yes, I'm speaking from experience. I was lucky enough to find out about it early when the unrequested credit card was "accidentally" sent to me instead of to the ID thieves. So I got an "easier" time than I could have had. I still have to look over my credit report constantly, though, as my information is out there now.

  • Yeah, but ... (Score:2, Insightful)

    by Anonymous Coward on Tuesday July 01, 2008 @12:37PM (#24017489)

    While it may have a higher success rate, the fact of the matter is that "in-person" identity theft poses a much higher risk ratio for the would-be criminal.
    I'm sure if the researcher were really going to jail for his "crimes", he might not be so cavalier (and calm) when committing them, and this might affect the 100% success rate.

  • by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday July 01, 2008 @12:46PM (#24017611) Journal

    Actually, that's not as good as telling them you're selling photocopiers. Don't remind people about security when you're trying to steal stuff; sometimes it jogs their memory to the boring security lectures they sat through during their first week of work.

    The absolute best way to go about it is to be in a semi-authority position where you need information, and you have a right to information. If you need it, and you are perceived to have a right to it, then people will go out of their way to find it for you.

    The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.

    It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?

  • by MozeeToby ( 1163751 ) on Tuesday July 01, 2008 @12:50PM (#24017673)

    My wife works for a small investment advisor firm, they probably have 1500-2000 clients with all their information on file. If a criminal went for their backup tapes rather than whatever loose paperwork happened to be floating around they could have every single one of them. Their security basically consists of the Admin Assistants asking people who they are there to see, I doubt they even have a lock on the server room door.

  • by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Tuesday July 01, 2008 @12:55PM (#24017751) Journal

    Yeah. The best defense is limiting the harm that can be done on the network, defining everyone's permissions, prohibiting full network access from unsecured rooms, etc.

    But there is no good way to take people out of the loop.
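The comment above describes the three controls that actually bound what a walk-in attacker (or the visitor with the "big ass server" from earlier in the thread) can reach: limit the harm, define everyone's permissions, and give ports in unsecured rooms no route to anything sensitive. The following is an added Python example, not code from the thread or from any product, showing one way to encode that as a deny-by-default policy in which a request must pass both a role check and a network-zone check. The roles, zones and host names are invented for illustration; in a real deployment the zone would come from the switch port or 802.1X VLAN assignment, never from anything the user claims.

```python
"""Deny-by-default access policy: what a role may do, gated by where the
request physically comes from.

Added example, not from the Slashdot thread. Roles, zones and host names
are illustrative assumptions.
"""
from dataclasses import dataclass

# Role -> set of (resource, action). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "teller":  {("core-banking", "read"), ("core-banking", "post-transaction"),
                ("internet", "browse")},
    "advisor": {("client-records", "read"), ("client-records", "write"),
                ("internet", "browse")},
    "admin":   {("client-records", "read"), ("client-records", "write"),
                ("backup-server", "admin"), ("core-banking", "admin"),
                ("internet", "browse")},
    "guest":   {("internet", "browse")},
}

# Zone -> resources reachable from ports in that zone. The zone is a property
# of the switch port (or 802.1X VLAN assignment), not a user claim. Unsecured
# rooms reach the internet and nothing else, whoever plugs in.
ZONE_REACHABLE = {
    "teller-line":     {"core-banking", "internet"},
    "back-office":     {"client-records", "core-banking", "backup-server", "internet"},
    "conference-room": {"internet"},   # where the visitor with the server sits
    "lobby":           {"internet"},
}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    zone: str
    resource: str
    action: str


def decide(req: Request) -> tuple[bool, str]:
    """Allow only if the zone can reach the resource AND the role holds the
    permission. Unknown roles and unknown zones fall through to deny."""
    reachable = ZONE_REACHABLE.get(req.zone, set())
    if req.resource not in reachable:
        return False, f"deny: {req.resource} not reachable from {req.zone}"
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"deny: role {req.role} lacks {req.action} on {req.resource}"
    return True, f"allow: {req.user} ({req.role}) {req.action} {req.resource} from {req.zone}"


def blast_radius(role: str, zone: str) -> set[tuple[str, str]]:
    """Everything a role can do from a zone: the harm someone who hijacks
    that account (or that badge) at that port could do."""
    return {(res, act) for (res, act) in ROLE_PERMISSIONS.get(role, set())
            if res in ZONE_REACHABLE.get(zone, set())}


if __name__ == "__main__":
    for req in [
        Request("alice", "admin", "back-office", "backup-server", "admin"),
        Request("alice", "admin", "conference-room", "backup-server", "admin"),
        Request("bob", "teller", "teller-line", "client-records", "read"),
        Request("visitor", "guest", "conference-room", "internet", "browse"),
        Request("visitor", "guest", "conference-room", "client-records", "read"),
    ]:
        print(decide(req)[1])
    print("admin from conference room can do:", sorted(blast_radius("admin", "conference-room")))
```

The point of `blast_radius` is the first item in the comment: even a stolen admin credential, used from the conference room, gets the same thing a visitor gets, because the zone check never consults the role. The policy says nothing about the social-engineering problem itself, which is why the comment ends where it does.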

  • by jellomizer ( 103300 ) on Tuesday July 01, 2008 @12:58PM (#24017793)

    Mismatch of values.
    We as customers don't like to be treated like criminals, as most of us aren't. However, good security requires treating everyone like they are.
    A bank or store with strict security will not last long, as their customer service would be horrible. IDing people you know every single time. Not cashing checks with simple spelling mistakes in the names. Ensuring the candy isn't in reflective wrap, as they could use it to see what could possibly be on the screen, by picking a grape lollipop (OK, I am stretching here a bit).

    We want friendly customer service; this is in direct conflict with security.

  • by corsec67 ( 627446 ) on Tuesday July 01, 2008 @01:02PM (#24017857) Homepage Journal

    Or maybe that is another thing that should make the people working at the credit union say "WTF is the FDIC doing at a credit union?"

  • Re:A Wise Man (Score:5, Insightful)

    by DaedalusHKX ( 660194 ) on Tuesday July 01, 2008 @01:03PM (#24017865) Journal

    At risk of dating myself here, I will mention that during the whole Mitnick thing, (big press about social engineering "dark side hacker" back then) I wrote a paper in a sociology class, and proved it beyond my wildest dreams. (Granted the presentation was done to a batch of people with glazed eyes.) The topic? That despite all the hullabaloo, the vast majority of "the masses (tm)" are still just as brick/rock stupid or at least very ignorant, just as they were before social engineering was brought to the newsfront by over eager media people looking for someone to demonize.

    Do not be upset. Stupid people are there so that intelligent or smart people are given a reason to shine. If everyone was smart, you'd be another drop in the bucket, but if you are, and they are not, then be happy you're stronger, smarter or better off, enjoy the advantage, help others if you want, or avoid helping them, all up to you.

    All in all (back to my paper in question) I think I only had a few people turn me down for providing private info. It was then that I realized that "security" auditing was a joke for any company that is not so small that the employees and employer know and care about each other. Tall order in today's societal tendency for a lack of responsibility. Until people are held accountable for their actions by other people, regardless of the piece of paper they hide behind (be it a corporate charter or some other set of excuses for bringing harm to others), until people are held accountable by those whom they harm, nothing will change. Therefore, I wager nothing will EVER change, since the vast majority are cowards. The upside is that this has created a veritable "garden of eden" for those of us that do not suffer from lack of courage or lack of vision.

    If there truly is a God, he must be one sarcastic dude, because, as far as I can tell, he despises stupid, weak people, and does everything possible to give them a shock to wake them up. And, despite my dislike for Churchill, this quote is a classic "sometimes a man may trip over the truth, but sadly, very often he just picks himself up and goes on." So don't feel pissed that most employees don't care. Their entire social structure is built on irresponsibility, rudeness, and triviality. Why do you expect them to behave as exemplars of honor, honesty and integrity, when the very system they seek to be rewarded by, is not based on such ideas? (No, paying lip service to "honesty" does not make one honest, same thing with honor or integrity or a hundred or more other ideas one can name.)

  • by intx13 ( 808988 ) on Tuesday July 01, 2008 @01:10PM (#24017957) Homepage

    Banks make money by borrowing your money (at a low interest rate) and loaning it out to someone else (at a higher interest rate). If your identity is stolen in a big way, then any fees you pay to reverse bad transactions or identity-protection services you take part in are going to be outweighed by the fact that your money is quickly disappearing (and thus no longer available to be loaned out by the bank).

    It's in the best interest of the bank to keep your money in their vault; identity theft typically results in the exact opposite.

    Identity theft (at the scale we see it now) is relatively young, and so it's understandable that banks and credit unions don't really have a developed, effective strategy to protect the customer... but as the parent says, given the shroud of secrecy that surrounds much of the banking and credit industries, a little transparency might go a long way to illuminate danger areas, so we don't have to rely on proof-by-egg-on-face as in TFA.

  • by Free the Cowards ( 1280296 ) on Tuesday July 01, 2008 @01:18PM (#24018137)

    It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?

    And let's remember that this applies to emergencies as well. If you see someone in a crowd who needs medical help, go help him, and call for assistance if he needs it. Don't assume somebody else will do it; everybody else is going to assume that too! If you're the one who needs medical assistance, or you're with that person, don't shout out "call 911." Pick a person out of the crowd, point to him, and say, "You, call 911."

  • Re:This just in... (Score:5, Insightful)

    by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Tuesday July 01, 2008 @01:26PM (#24018329) Homepage
    What annoys me are banks/companies in the UK who do this:

    Me: Hello?
    Them: Hello, this is LloydsTSB/BT/some other company. Is this <My Name>?
    Me: Yes
    Them: OK, for security, I have to ask you some questions. What is your date of birth?
    Me: I'm not giving that sort of information out to some random on the phone - how do I know you're who you say you are?
    Them: I'm ringing on behalf of LloydsTSB/BT/some other company.
    Me: Sure, you said that. Tell me what my account number is then
    Them: I can't do that until you've identified yourself.
    Me: Bit of an impasse then, isn't it?

    Sure, they know my name and number. I'm guessing it's not that hard to find that out though.
  • by globaljustin ( 574257 ) on Tuesday July 01, 2008 @01:34PM (#24018513) Journal

    However, good security requires treating everyone like they are...We want friendly customer service; this is in direct conflict with security

    false dichotomy...your 'either...or' is invalid. First, providing security IS good customer service...

    More importantly, your ideas about what 'good security' requires are based on a flawed theory and definition of what it means to be 'secure.' Your operating definition implies that '100% secure' is an attainable goal. It's not. There is no golden procedure that will bring you out of Oz like Dorothy clicking her heels together three times.

    Ham fisted, dumb tactics like making a teller ID some old lady that has been banking there for 30 years is the height of stupidity.

    The best way to provide a secure environment is to first have educated, savvy personnel at all levels. Second, have smart, targeted policies that capitalize on your educated employees using higher brain functions.

    A counter-example: Instead of your "ID everyone all the time even if it's your grandma" approach...have a policy that says "ID everyone except those who have a 10 year+ history and relationship with the bank and whom you recognize immediately."

    Why? No teller is going to comply with your example because it is unworkable. Have targeted, specific policies and employees that can think analytically instead.

    ps...for those of you with Asperger's or OCD just itching to point out flaws in my example, remember, it's just an example. If you're so interested in what I'm saying, then look at my ideas instead of nitpicking an admittedly imperfect example.

  • Re:This just in... (Score:5, Insightful)

    by Duncan Blackthorne ( 1095849 ) on Tuesday July 01, 2008 @01:47PM (#24018793)
    Actually.. clue #1 is that someone called YOU and asked for personal information. My counter to that (assuming I ever am confronted by it)? Get their name and tell them I must call them back, then call back to that company's main number. Chances are that once I ask this scammer his name, he hangs up on me.
  • by ShooterNeo ( 555040 ) on Tuesday July 01, 2008 @02:06PM (#24019165)

    My gut feel, upon reading your description, is that no-one is that good. I would be very interested to know if any teams like the one in TFA have actually tried to break the security at the IRS.

    Possible holes : everyone seems fixated on those ID badges. Precisely what is the security on those? RFID, or is it a magnetic strip?

    Magnetic strips can be copied. RFID chips are more difficult and take serious hacking.

    Other simple tricks : are the PCs at the IRS running windows? Would a simple trick like the "drop a few USB dongles in the employee smoking area" work?

    Finally, there's insider information. Somehow, I doubt the IRS pays people very well. There must be all kind of employees with IT jobs who could physically copy from computers containing millions of tax records.

    Information is inherently far, far more difficult to secure than a physical item. I would be greatly surprised if the security were as airtight as you make it out to be.

  • by fiendy ( 931228 ) on Tuesday July 01, 2008 @02:06PM (#24019173)

    The solution is simple then - remove the human element.

    That's a great suggestion, but unfortunately, Diebold makes the ATMs for my bank. I don't particularly feel like trusting them either.

  • Re:education (Score:3, Insightful)

    by niiler ( 716140 ) on Tuesday July 01, 2008 @02:09PM (#24019215) Journal

    The problem with this is two-fold:

    First, the folks in control of implementing such technology classes would do the usual (let's memorize IE8 and Office 2008) in order to make people more "productive" instead of teaching people the overall context of DRM, net neutrality, black-box voting, and the like.

    Second, even if you could get reasonable content in the class, most students wouldn't give a damn. "But I can use my iPhone (see: I'm using it now!)- therefore, I am tech savvy and this class is stupid."

    Until the powers that be in education see the pervasiveness of technology in our lives, they will ignore the larger issues of being informed about our digital commons.

  • by Animats ( 122034 ) on Tuesday July 01, 2008 @02:28PM (#24019515) Homepage

    There are places with tight security like that, and I've been to some of them. The overhead is high. For bidding purposes at a major aerospace company, we used to estimate that running a project at SECRET doubled the bid, and running at TOP SECRET ran the price up by 4x or more. At the higher levels, computers are in metal rooms with welded seams raised off the floor (so Security can check underneath) and with RF-tight airlocks. Signing documents in and out of files takes a big chunk of staff resources and time. There's a big bureaucracy associated with accountability.

    One of the serious side effects of running highly classified projects is that the people working on them become obsolete in place. They're so cut off from the outside world that they don't keep up, outside their very narrow area of expertise. That's why I left aerospace and went to the commercial world.

  • by ArsonSmith ( 13997 ) on Tuesday July 01, 2008 @02:30PM (#24019571) Journal

    "The best way to provide a secure environment is to first have educated, savvy personnel at all levels. Second, have smart, targeted policies that capitalize on your educated employees using higher brain functions."

    I think 100% security would be easier to achieve.

  • by ShooterNeo ( 555040 ) on Tuesday July 01, 2008 @05:39PM (#24022537)

    Umm, I'm sure there are ways. See numerous movies for a method. Or buy a badge from a fired employee. I mean, since EVERY employee has an ID badge, they probably follow the same template. It would be the work of a few days to create a near-perfect fake. The "look" of the badge itself secures nothing, there are numerous websites out there explaining in great detail how to replicate virtually any badge or ID card.

    The CODES on it are the only security: to pass those electronic locks, you would need a badge that has either an internal chip or a magnetic strip. Mag strips are trivial to copy. The internal RFID chips are the only secure thing on any of those badges.

    But backing away from specific methods, since I am not a criminal, my main point is that it's the government. It can't possibly be as secure as you think it is, the government is generally incompetent.
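The badge discussion just above (stripe trivially copied; a badge bought from a fired employee) and caluml's phone impasse earlier in the thread ("tell me my account number" / "I can't until you've identified yourself") turn on the same property. A credential that is a fixed string, whether the bytes on a stripe or a date of birth read out over the phone, can be captured once and replayed forever; a credential that answers a fresh challenge cannot. The radio is not the distinguishing factor: a contactless card that only emits a fixed serial replays exactly like a stripe, so what matters is whether the credential answers a challenge it has never seen, exactly once, and whether it has been revoked. The following is an added Python example covering both passages; it is not code from the thread or from any badge vendor or bank, and the badge IDs, per-badge keys and the "bank secret" are invented values.

```python
"""Static credentials can be replayed; challenge-response credentials cannot.

Added example, not from the Slashdot thread. Badge IDs, keys and the
bank secret are made-up illustration values.
"""
import hashlib
import hmac
import secrets


def respond(key: bytes, challenge: bytes) -> bytes:
    """Prover's answer to a verifier's fresh challenge (HMAC-SHA256)."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class DoorController:
    """Two readers on one door: a mag-stripe reader that trusts whatever ID
    the stripe says, and a challenge-response reader."""

    def __init__(self, badge_keys: dict[str, bytes]):
        self.badge_keys = dict(badge_keys)      # badge_id -> per-badge key
        self.revoked: set[str] = set()
        self.pending: set[bytes] = set()        # challenges issued, not yet answered

    def revoke(self, badge_id: str) -> None:
        """HR's job the day someone leaves; until then the badge still works."""
        self.revoked.add(badge_id)

    def open_static(self, badge_id: str) -> bool:
        """Mag-stripe model: a skimmed copy is indistinguishable from the original."""
        return badge_id in self.badge_keys and badge_id not in self.revoked

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def open_with_response(self, badge_id: str, challenge: bytes, response: bytes) -> bool:
        """Challenge-response model: the badge must answer THIS challenge, once."""
        if challenge not in self.pending:
            return False                        # never issued or already used: a replay
        self.pending.discard(challenge)
        key = self.badge_keys.get(badge_id)
        if key is None or badge_id in self.revoked:
            return False
        return hmac.compare_digest(response, respond(key, challenge))


def badge_scenarios() -> dict[str, bool]:
    """The attacks the thread mentions, run against both readers."""
    k1001, k2002 = b"key-for-badge-1001", b"key-for-badge-2002"
    door = DoorController({"B-1001": k1001, "B-2002": k2002})
    out = {}
    out["static_legit"] = door.open_static("B-1001")
    out["static_clone"] = door.open_static("B-1001")          # skimmed stripe on a blank card
    c = door.challenge()
    r = respond(k1001, c)
    out["cr_legit"] = door.open_with_response("B-1001", c, r)
    out["cr_replay"] = door.open_with_response("B-1001", c, r)   # recorded exchange replayed
    out["cr_no_key"] = door.open_with_response("B-1001", door.challenge(), b"\x00" * 32)
    door.revoke("B-2002")                                     # badge bought from a fired employee
    c3 = door.challenge()
    out["cr_revoked"] = door.open_with_response("B-2002", c3, respond(k2002, c3))
    return out


def mutual_phone_auth(customer_key: bytes, caller_key: bytes) -> tuple[bool, bool]:
    """The phone impasse, resolved by ordering: whoever placed the call proves
    itself first. customer_key is what the genuine bank and customer share;
    an impostor who only knows name and number holds some other caller_key.
    Returns (caller_proved, customer_proved)."""
    my_nonce = secrets.token_bytes(16)
    if not hmac.compare_digest(respond(caller_key, my_nonce), respond(customer_key, my_nonce)):
        return False, False                     # customer hangs up having revealed nothing
    their_nonce = secrets.token_bytes(16)
    customer_answer = respond(customer_key, their_nonce)
    return True, hmac.compare_digest(respond(caller_key, their_nonce), customer_answer)


if __name__ == "__main__":
    for name, ok in badge_scenarios().items():
        print(f"{name:13} {'OPEN' if ok else 'DENY'}")
    print("genuine bank:", mutual_phone_auth(b"shared-bank-secret", b"shared-bank-secret"))
    print("impostor    :", mutual_phone_auth(b"shared-bank-secret", b"knows-name-and-number"))
```

In the phone case the shared key stands in for anything only the genuine bank could demonstrate before asking the customer for a single fact; the low-tech equivalent, as Duncan Blackthorne says above, is hanging up and calling back on the number printed on the card rather than one the caller supplies. The `cr_revoked` case is the part most often missing in practice: a challenge-response badge is worthless as a control if nobody removes the key when the employee leaves.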
