No-Fail Identity Theft – Live and In Person 214
ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."
A Wise Man (Score:3, Interesting)
Re:Wholesale versus Retail (Score:3, Interesting)
Comment removed (Score:4, Interesting)
Re:Social Engineering ftw (Score:3, Interesting)
I've read stories (here on Slashdot) where black hats have admitted that social engineering is one of their most successful methods of "hacking". Why bother with a brute force or even a dictionary attack? You can just ask the user for their password and they'll give it to you.
When you think about it, phishing is just another form of social engineering.
There may be technological protection to try to prevent these things, but the best protection will always be procedural. Unfortunately, no one wants to follow procedures because it's bothersome, inconvenient, and sometimes expensive.
I'm afraid these security holes will always exist, except maybe in places where procedures are strictly enforced. Still, it only takes one lax personality in the right place, and all your other security measures won't protect you.
Re:Wholesale versus Retail (Score:4, Interesting)
True.. but if you have physical access you can "bug" the system thereby getting true wholesale with greater effect, and less chance of detection.
Yes but the list of suspects it too small to be comfortable. With the internet you can sit on your Nigerian internet cafe all day long and have no fear of prosecution.
Re:The biggest exploit for any system (Score:3, Interesting)
My favourite is the security guard who breaks all the rules for a big chested woman. Banks also have lots of bussiness cards with employees first and last names for the taking. Plus any bank employee who invites you into their office has business cards for sure and they always leave the room for some reason not that taking business cards on display wasn't their intended purpose but the employee isn't even there to observe. Banks often request people to speak their passwords/pin codes as a form of checking account ID - others can see and hear. That, of course, is leaving aside beers with anyone who doesn't control their tongue under the influence of alcohol. The other security failing is most buildings or offices have identity cards to open doors with or without a password and most people never look behind them to see who might enter and if they know them even though that is the standard. Forget all the cameras and sensors - they are after the fact!
Re:Socially engineering banks... (Score:5, Interesting)
actually I used to use this trick to take a break when I was a student nurse in the nineties.
I'd pick up an xray or some notes that I knew wouldn't be needed, and go off walking around the hospital. No-one on my ward would question why I was gone, because I was just the student, I got sent places all the time. I found I could go round any department without being challenged, people just assumed I was meant to be there.
Incidentally, student nurse uniforms are easy to buy.
It worked for two years, then I got busy, what with exams and all, so I stopped doing it. I never got caught though.
Works for other things... (Score:5, Interesting)
Re:Socially engineering banks... (Score:5, Interesting)
The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.
Sad but true: someone dressed up like a technician, walked into my company's office and started puttering around with a desktop computer. After a while, he disconnected the computer and walked out with it.
Everyone assumed that someone else had called him to come in and fix the "malfunctioning" computer, and when he left with it, presumed that he was taking it elsewhere for a more serious repair effort.
Re:Yeah, but ... (Score:3, Interesting)
OTOH, that "higher risk factor" helps the rationalization of "if they're in here, they must be legit", because anyone else would supposedly be stupid to try.
As for the "calm" factor, you may have something, but OTOH, I would expect that a successful social engineer has worked their way through a fair amount of less-dangerous situations to build up their in-character cool. If you're smart, you don't start at the "These? Backup tapes? Whatever are you implying?" level. You start with "Sorry... where's the bathroom?"-grade infiltration and work your way up.
Then again, I tend to give the criminal mind too much credit, so perhaps I'm wrong.
Re:The biggest exploit for any system (Score:5, Interesting)
Hm, I actually just had the idea when reading this that you could probably get a good haul by grabbing a bunch of credit card applications, getting a folding table, dressing nicely and setting yourself up in a mall. Plus you'd have the advantage of not necessarily having as many cameras pointed at you. Not as many ids of course, but the info would be good and very little chance of being caught.
I guess some places are just lax (Score:5, Interesting)
None of that crap would pan out where I work. [irs.gov]
Need help getting through a door? Sure, people will let you through a door if you're lugging a load. Then they'll see you don't have your badge on, offer to help you find the office and person you're looking for, and if you don't know what name or location to give, they'll stick right with you until you figure it out or security comes along to help.
Selling copiers? "Oh, man, dude, nobody on this floor has the authority to buy anything! Lemme walk you over to the facilities guy that you *must* have an appointment with. He'll get you a temp badge or an escort if you need to look around."
New hire? "Gee, ya know, I hate to be a pain about this but you really do have to keep your badge on in the building. Lemme hold your box while you find it."
Lost your badge? "Gee, ya know, you're gonna get hassled a bunch without it. Do you know where Kathy's office is? Let me show you; she can issue you a temp badge for the day."
Lugging in a server or anything that looks remotely computer-like? The security guard will have you sign in and call down someone from IT to escort you.
Visiting executive? Unless you're the commish, in which case you'll be covered by a phalanx of security, even the lowliest of the low in this place will give you a friendly wave, say hi, and offer you a lanyard for your badge while you're in the building. "Oh, that's OK, I can wait till you find your badge. Do you want me to show you where you're going/where to get a temp badge/to security?" In fact, this is one of the few times a data input operator can pull rank on the highest executive in the organization and you'd better believe that no office lacks for people who would relish the opportunity.
Bluff your way past security and take an elevator ride to an upper floor, looking for something? Big deal. All the doors are on card keys and if you knock, the person who answers is going to lead you right back through the "Gee, I hate to be a pain about this but you really have to wear your badge in the building" routine.
Walking around in the hall looking semi-lost because you got in but realize you can't get through any of the doors? You'll be directly challenged by someone who will walk you directly to your manager (if you can provide a name and location) or directly to security.
If by some total breakdown (say, you've got a decent fake badge and you piggyback on someone to get through a door) you get into the work area and plop down in a conference room, you're gonna get caught in short order. Plug in your laptop? If you haven't pre-reserved the room, you'll trip port security, that port on the router will shut down, the telecomm lady will get an automatic page and head up to that conference room to see who's screwing around by plugging in an unregistered MAC. Just turning on a laptop with wireless enabled chances setting off the scanner that's sometimes running in every building; in that case, you get a quick visit from scary men with badges and guns. You're a contractor on site and you plug in a wireless access point? See the sentences immediately previous, plus you get tossed out, fired if you're a sub, lose your individual security clearance, and the overall contract holder gets in seriously hot water. Just sit there and try to look important? The conference room reservations are controlled by the nearest secretary. As soon as s/he sees you in the room, you'll get asked to do a formal reservation. "If the room is free, you can have it, but I need your name and badge number for the log book. By the way, where's your badge?" In offices where the conference rooms aren't tightly controlled, people get used to dropping in so if you're sitting there without a badge, you're going to get questioned. If you don't know the right jargon, the right person to say you're working with, the right organizational attributes to assign to yourself, you're going to be questioned. Even the most tim
Re:I guess some places are just lax (Score:1, Interesting)
None of that is burdensome? I used to work on a military base as a contractor with similar rules and holy fuck was it annoying as hell. Maybe it's "part of the culture" but low pay and little room for growth coupled with security that gets in your way of doing your job led to massively low morale among the employees. They had to keep installing more security to stop people from stealing computers and flatscreen TVs out of the break rooms.
1950's Chenoa,IL (Score:3, Interesting)
That's what we get for living in a safe country (Score:1, Interesting)
I come from a country with a very high criminality rate. As a result, every system I run across there is way more secure than the ones here in the US. People there simply don't trust each other so every system (e.g., even checking a book back into the library) has plenty of checks along the way. People here in the US say that such a trend would hurt our economy by making it harder and slower to do certain things like getting credit. This is rubbish. Businesses don't want that to happen so they will figure out ways to use technology to expedite such processes. This is what I see back home. A lot of technology is applied to make sure that people can perform any transaction safely swiftly. Do you know those secure id cards that have a digital display and a different token is generated every so often? Banks are now offering them for free back home to validate any transaction you do on the web.
In short, solutions do exist. We just don't bother looking for that because the US is a safe enough place. If we were forced to (like we do back home), we would find them.
Re:The biggest exploit for any system (Score:5, Interesting)
Better than that, I think any good university should take your (correctly modded) interesting suggestion and employ it for their own use.
1. On a weekend or another "off" time, the university hires someone to set up a table outside the UC, where credit card vendors often wallow.
2. The person sits at the table and offer credit card applications to students. He gives them lollipops or something equally stupid as reward, or just promises them a T-shirt in the mail once their application has been approved.
3. He packs up and leaves in 30-45 minutes.
About a week later, the university contacts anyone who filled out an application, explains to them that the person was posing as a ID theft criminal posing as a credit card salesman, and that, had it been an actual criminal, their credit would already be trashed.
That could be a sober lesson for many naive young college kids. I bet the local police would be happy to orchestrate something like this.
Inside vs. outside badges (Score:5, Interesting)
Operations serious about security do a badge exchange when you enter the facility. You present your "outside" badge, which is validated at the security checkpoint, and exchange it for your "inside" badge, which never leaves the facility. This forces the security people to really check your outside badge, and makes the inside badges harder to copy, since they're not seen outside the facility. Information about what areas you're allowed to access appears only on inside badges. Outside badges won't open anything; inside badges may also be keys.
Genovese Effect (Score:2, Interesting)
Bystander Effect (Genovese Effect) [wikipedia.org]
"The bystander effect (also known as bystander apathy, Genovese syndrome, diffused responsibility or bystander intervention) is a psychological phenomenon in which someone is less likely to intervene in an emergency situation when other people are present and able to help than when he or she is alone."
Orgs Are Not Focused on ID Security (Score:3, Interesting)
But orgs are not not so focused on online ID theft that they're stopping it. So really they're unfocused on online ID theft, and even more unfocused on in-person ID theft.
Because they don't pay the costs. Any focus on ID theft is an extra cost that doesn't save them any money, because the theft doesn't cost them as much.
Make the orgs liable for mishandling the IDs. Make them indemnify all costs, including the victim's labor to recover and even just monitor for exploitation for years later.
And make them liable for copyright violations when they copy personal data without express permission for that transaction, and they won't be giving it away to risky people anymore, either.
Then you'll see them "focused" like a laser.
Re:This just in... (Score:2, Interesting)
Hey, here's a simple policy - just don't give out personal info on yourself unless you are sure it's required.
I made a doctor's appointment today, and the receptionist was taking my info - name, address, etc. Then she said "Social Security Number?" I simply said "I'd rather not give that out over the phone." She didn't skip a beat, and went to the next question.
Why didn't I give it to her? Because I'm not really sure she needed it to set up the appointment, and I'm trying to get into the habit of limiting my info output. Same with "Zip Code?" when I check out at a hardware store. If I cultivate the habit with triial things, it will be second nature when it REALLY matters.
I hope.
Re:A Wise Man (Score:5, Interesting)
Yeah. Once there was this high security project, and one of the people got a pass to go to the nearest city to see his wife, who was dying of cancer at the time. He used his pass to let another man at about his level drive him there, since person one didn't have access to his own car. Unknowingly, this let man two give away secrets from the project to a competitor, which used the info to jump-start their competing product.
Of course, the project was the Manhattan Engineering District, the man with the car was Klaus Fuchs, the competitor was the Soviet Union, the product was nuclear weapons, and the dupe was Richard Feynman. It doesn't take stupidity to be fooled, or genius to do the fooling, and it isn't because of a lack of responsibility. That's why the CIA could operate in the Soviet Union despite the KGB, and vice versa.
Others' human factor (Score:1, Interesting)
I used to be the sysadmin for a high school, and my ONLY serious student-related security breach was when I found a keylogger attached to my photo ID system. I locked the photo ID system in the server room and sawed the keylogger in half.
Faculty and staff breaches? Daily. Teachers gave passwords to coworkers, students, interns, and even their own children. Parents called me for students' online-grade-retrieval passwords, I'd refuse to issue it without ID, and they'd call a teacher and get it no questions asked. Principal ordered me to not lock my office during the day. A janitor yelled at me when I asked him to not unlock the library to get a student use the circulation desk phone after hours. Janitors would open any door for anybody, no questions asked. I even saw the principal try to prevent district maintenance personnel from installing a burglar alarm.
My screensaver timeout was 5 minutes. Everyone else's was 20 minutes, and after an avalanche of complaints, I made it 1 hour--and one teacher complained persistently about this to the principal--I lied and said that I can't make individual exemptions to the policy, lest I be forced to do it.
Turns out I had a pointy-haired principal who wanted nothing more than to make all the teachers and staff "happy" at the expense of security. If a teacher didn't want to have to type their password every morning, they shouldn't have to.
I don't work there anymore, and am currently in a private-sector company where security is given proper respect.
Funny but true story... (Score:5, Interesting)
Re:This just in... (Score:4, Interesting)
I have done that. A bank employee rang me and asked me for identifying information before trying to sell me some investment package.
I immediately refused to divulge identifying information to someone who calls me. The bank employee then gave me her identifying information, and I rang the bank to confirm the identity, which checked out as far as that went. When you ring the bank, they put you through to an enquiry person, you don't get a switchboard operator who can connect you to a specific employee. The enquiry person confirmed that the employee who rang me worked for the bank, but IIRC they were in another state where the investment branch of the bank was located.
But now *I* have her identifying information. I could get a female friend to ring up strangers posing as the real bank employee ("You can check with the bank that I work there if you want, and I will ring back tomorrow after you have checked").
So how do I know that the person who rang me really was a bank employee?
Fortunately she never called back and I had moved all my investment money somewhere else - I was no longer an interesting prospect for them.
Moral: if they give you their identifying information to check them out ... then there is a still a hole.
Re:A Wise Man (Score:1, Interesting)
http://www.duckproducts.com/ [duckproducts.com] disagrees with you.
Seriously, do your research before you spout off whatever you *thought* you knew. It just makes you look ignorant.
Since banks still think a CC is... (Score:2, Interesting)
Bank's have certainly outlived their usefulness. They are far too concerned about making money themselves than they are in keeping the money of their customers safe. Real security costs too much and security theater works just as good for public image and getting customers. For example, ID theft protection services. [zug.com] As a bonus this one actually makes the bank money too!
Something is seriously wrong when it's impossible to find a bank that will cash a US Treasury check (and in increasingly more cases a check drawn on their own bank) anymore unless you have an account with them.
Those that still do allow non-accountholders to cash a check drawn on them will require two random forms of ID (something they've made up to meet the law (reg. C? I think it is) on verifying ID, which is just ambiguous enough) a driver's license, CC, vehicle registration, etc. any of which could easily be forged and most of which are utterly useless for verifying that someone is who they say they are.
Pardon my LISP-like sentence structure, even though I haven't done any coding in LISP at all for years.