I love the Internet. The fact you can read one article and find a more exciting article through it just exemplifies the power of the Internet. I am continually awe inspired.
For example, while reading an article on CIO Magazine’s site, the author referred to another article he had read – an article that was conveniently linked at the end of the article. The article is “How I Stole Someone’s Identity”.
The author Herbert Thompson walks the reader through how he was able to hack into a friend’s bank account. And, he didn’t use anything but the Internet. He didn’t try to hack through firewalls to get into the source of data. He just used the Internet to learn what he could about a friend so that it eventually led him to the login info to his friend’s bank account.
Let me say it another way – he basically did a Google Search knowing the person’s name & through it all – learned enough about her that he was able to get into her bank account.
Let me summarize how he did it – and see (without giving you specifics about me) how far someone would get with me.
Step 1: Reconnaissance: He basically uses Google to search for her name. During this step, he finds an old resume as well as a blog that gives him a wealth of info like family info, names of pets, names of friends and family, etc.
My Results: This was rather interesting for me. Googling my name revealed in the first 10 results my Facebook page, a link to the electronic copy of my college Alumni report complete with my daughter’s full name and birth date. I also found myself on LinkedIn and several other professional sites. (Several I am going to go delete now.) Facebook revealed the most about me, unfortunately. Not surprisingly, there was no direct connection to my blog, but it did show my email. This is a big deal – the email address.
Step 2: Bank Password Recovery Feature: He did have the name of her bank. So, he tries to recover her password and discovers her bank actually reveals to him the email account the password reset sends the link to. Also, it does so without requiring any questions to be answered beforehand. It just does it.
My Results: My bank requires a social security number before it will even start the password or username recovery process. It also requires that you know what kind of account you are recovering for. A quick Google search verified that my SSN was not posted online anywhere. I would have been shocked if it were. Because the state I grew up in used to use SSN as driver license numbers, I went that route too. Didn’t find anything. And hell, I even had a ticket or two in that state.
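To make the contrast between the two banks concrete, here is an added Python sketch (not code from the article, the author, or either bank) of a “forgot password” request handler written two ways: a leaky version that behaves like the bank in the article, and a hardened version that behaves like the author’s own bank. The account store, the user names, the email address and the identity number are all constructed placeholder data, and the specific check (an identity number plus the account type) is assumed for illustration.

```python
"""Leaky vs. hardened password-reset request handling (added example).

All account data below is constructed for the example; nothing here is
real account information.
"""
import hashlib
import hmac
import secrets

# Placeholder server-side key used to key the identity-number hash so that a
# leaked table of hashes cannot simply be brute-forced over the small SSN space.
SERVER_KEY = b"placeholder-server-key-rotate-me"


def keyed_hash(value: str) -> str:
    """HMAC-SHA256 of a low-entropy identifier under the server key."""
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


# Constructed sample account store (not real people).
ACCOUNTS = {
    "jane.doe": {
        "email": "jane@example.com",
        "account_type": "checking",
        # The raw identity number is never stored, only its keyed hash.
        "id_number_hash": keyed_hash("123-45-6789"),
    }
}

# Stand-in for the outgoing mail queue; a real system would send the link.
OUTBOX: list[tuple[str, str]] = []


def leaky_reset(username: str) -> str:
    """The pattern the article describes: knowing only the username, a caller
    learns whether the account exists and which email address receives the
    reset link, with no identity check first."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "No account with that username."
    token = secrets.token_urlsafe(32)
    OUTBOX.append((acct["email"], token))
    return f"A reset link has been sent to {acct['email']}."


GENERIC_RESPONSE = (
    "If the details match an account, a reset link has been sent "
    "to the email address on file."
)


def hardened_reset(username: str, account_type: str, id_number: str) -> str:
    """The pattern the author's bank follows: require an identity check
    before doing anything, never echo the email address, and return the
    same message whether or not the account exists or the check passed."""
    acct = ACCOUNTS.get(username)
    if acct is not None:
        # Constant-time comparison of the keyed hash; the account type must
        # also match, mirroring the "what kind of account" question.
        id_ok = hmac.compare_digest(keyed_hash(id_number), acct["id_number_hash"])
        if id_ok and account_type == acct["account_type"]:
            token = secrets.token_urlsafe(32)
            OUTBOX.append((acct["email"], token))
    # Same response in every branch: nothing about the account leaks.
    return GENERIC_RESPONSE


if __name__ == "__main__":
    print(leaky_reset("jane.doe"))          # leaks the recovery email
    print(leaky_reset("nobody"))            # leaks that no such account exists
    print(hardened_reset("jane.doe", "checking", "123-45-6789"))
    print(hardened_reset("nobody", "checking", "000-00-0000"))
```

The point of the hardened version is not the hashing detail but that every path returns the same text and the email address never appears in a response; whether a link was actually queued is visible only to the account holder’s inbox. A real deployment would additionally rate-limit the endpoint and log reset requests so repeated probing of one username stands out.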
I was actually somewhat relieved that I hit that dead end. When I read the article, I started thinking about my own password behaviors, and how many different ways I have this blog and my email address attached to many different things. I realized quickly how I have information on the web scattered everywhere – and these are not islands of info that are unattached to other islands – no, they are islands of info connected with bridges, ferries running every 20 minutes, and navigable with signs. Or so I thought.
While I do have lots of info I need to go clean up, the info is not complete. And, thankfully, my bank is very secure: even resetting a password – a task that seems relatively innocent – they took seriously. Good!
Check out the article. See how far you could get using yourself as the guinea pig. Might be a bit eye opening.
(Oh, and I should mention as a note that I am not a security cop. I believe there has to be balance in your approach to information security – and what you are protecting, as well as a risk assessment, play huge roles in how overboard I go. I also do not scare easily. I knew some of this info – but didn’t even consider how signing up to check out a site like LinkedIn, for example, could expose info about you that could then be used against you. Am I going to go delete that info? No. I may start teasing apart email addresses and deleting profiles on sites that I do not frequent. Doing some personal data cleanup, if you will. I am not going to go overboard and delete my presence online.)