Home page logo
/

pen-test logo Penetration Testing mailing list archives

Valid/sufficient identification mechanisms/credentials for personal data collection.
From: "Serg B." <sergicles () gmail com>
Date: Tue, 1 Aug 2006 16:46:45 +1000

I am not sure if this is a suitable topic for this list but it is
certainly within the scope.

This article is not related to IT as such, but has a lot to do with
social engineering and identity theft. I suppose this is an iffy area
of IT since the Internet has not only enabled perpetrators to realise
much greater returns on their crimes but has became an indispensable
tool in every arsenal.

Since I read The Art of Deception few years ago I started to notice
real life situations where an individual could easily get away with
almost anything (theft, scams, etc.) by carefully choosing their words
and people they talk to. When I first read the book I thought it
didn't look like any of this could be possible. It was certainly
fascinating to read but not possible, not for me any way. As I worked
through my young grasshopper IT career days I became more and more
exposed to the security side of the industry that in turn made it
possible for me to observe some of these tricks, or at least attempts
to do so, first hand. Soon after I realised that things are even
simpler then an average case study in the book. Especially if you are
an insider, you have access to everything and anything. As long as you
are confident and don't mind lying like there is no tomorrow the world
is yours.

Currently, every Australian resident is going through their Census
(http://www.abs.gov.au/census) survey forms. Seems like a reasonable
thing to do, maybe not for the paranoid, but anyway… The form is
around 18 pages long and contains a fair amount of personal questions
such as your name, surname, date of birth, address, employment
information, income bracket, etc. A sample can be found here:
http://www.abs.gov.au/websitedbs/d3310114.nsf/4a256353001af3ed4b2562bb00121564/d14318a2e9282072ca25715d00177d17/$FILE/HHF%202006%20Sample%20only.pdf

It is delivered via a courier and is left near the front the door, and
pick-up is very much the same. On the front cover of the form, one of
the bullet points is "Your Collector will return between 9 August and
28 August to collect your form".

Well this is certainly a great service, but how do I know that the
so-called collector is indeed an authorized person to collect my
Census forms?

What safeguards have been implemented by the government or the
Australian Bureau of Statistics (http://www.abs.gov.au) to make sure
that your friendly neighborhood hacker does not print herself a fake
identification badge and go door to door collecting these forms?

I for one have no idea what identification to expect from "the
collector". Is it an ID card presented on request? Maybe it's an
identification badge and a t-shirt with ABS logo? No idea… And I am
one of the paranoid ones! Most people would hand this information over
without thinking twice.

Consequences of this are rather scary.

Obviously the worst case scenario could result in loss of money, or it
could be your best friend playing a joke on you and trying to
disconnect your gas and electricity because you got on their nerves.

In either case the process is very simple. I am not going to go into
great deal of details on the actual process but there is nothing to
stop me from calling a few common telecommunications providers and
posing as the victim. All information required for authenticating
yourself to your phone company is on the form. The same could be done
with any utility providers (gas, electricity, etc.). In fact we could
take this one step further and ask your phone provider to send you one
of your old bills, since you lost it and now need it for invoice
purposes. Provide a new, once-off postage address (of course don't
tell them that) and your friendly neighborhood hacker just scored some
identification points to open a bank account under the victim's name.

Where to from here? Any local tafe or university will allow you to
register provided you supply valid information (such as that gathered
above) for a short course, $200 – $300, not much considering the
potential return. And now a victim's name is on a fake University
photo ID. Of course this could even be taken further but I am going to
stop here and leave you with my previous question:

What safe-guards have been implemented by the government or the
Australian Bureau of Statistics (http://www.abs.gov.au) to make sure
that your friendly neighborhood hacker does not print herself a fake
identification badge and go door to door collecting these forms?


Any feedback, thoughts, ideas?

  Serg
  ubermonkey.wordpress.com

  By Date           By Thread  

Current thread:
  • Valid/sufficient identification mechanisms/credentials for personal data collection. Serg B. (Aug 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]