RSA Europe: Identity theft is too easy and can even be automated says IT security expert

21 October 2009

The realities of identity theft and the modus operandi of cybercriminals were explained to delegates at this week's RSA Security conference in London by Brian Honan, a principal security consultant with BH Consulting of Ireland.

In a practical ID theft security exercise that he shared with delegates, Mr Honan explained how a colleague - Marie Boran - set him the challenge of stealing her ID, but subject to the same parameters that an online fraudster would be limited to.

These working parameters, he explained, included not being able to directly contact her friends and family, and only having access to internet resources.

In his presentation - entitled 'Knowing me, knowing you, how to steal an identity using Google' - he stepped through the procedures of using online portals such as LinkedIn, Bebo, MySpace, Flickr and Twitter, to mention but a few, to start to assemble a data file on Ms Boran.

By cross-referencing personal data on the lady in question, he was able to work out her date of birth, plus her mother's and father's names, as well as other personal data.

By constantly cross-referencing and inputting this data on Google, he was able to refine the data set and eradicate any false leads, allowing a near-complete set of personal details for Ms Boran to be compiled.

"From there I was able to log into the Irish online register of births and deaths, and pin down where she was born. From there I was able to obtain a copy of her birth certificate", he said.

"At that point I could have obtained a duplicated passport, as well as a driving licence for her, since she didn't drive, and start opening bank accounts and credit cards", he added.

How easy was the process? It took, he told his audience, many evenings of intensive effort.

But the really bad news is that applications and services on the web now exist that automate the process. These apps and services, which include PIPL and Maltego, allow someone's name to be punched in and the software then goes away and does everything automatically.

The conclusion?

"Don't give any personal information away on sites like Facebook and Twitter. Whatever appears on these services stays online and can be accessed using historical data services. I ended up with 40 pages of Marie's Twitter data, which allowed me to work out the name of her mother and father, as well as where she was born," he said.
