RSA Europe: Identity theft is too easy and can even be automated says IT security expert

In a practical ID theft security exercise that he shared with delegates, Mr Honan explained how a colleague - Marie Boran - set him the challenge of stealing her ID, but subject to the same parameters that an online fraudster would be limited to.

These working parameters, he explained, included not being able to directly contact her friends and family, and only having access to internet resources.

In his presentation - entitled 'Knowing me, knowing you, how to steal an identity using Google' - he stepped through the procedures of using online portals such as LinkedIn, Bebo, MySpace, Flickr and Twitter, to mention but a few, to start to assemble a data file on Ms Boran.

By cross-referencing personal data on the lady in question, he was able to work out her date of birth, plus her mother's and father's names, as well as other personal data.

By constantly cross-referencing and inputting this data on Google, he was able to refine the data set and eradicate any false leads, allowing a near-complete set of personal details for Ms Boran to be compiled.

"From there I was able to log into the Irish online register of births and deaths, and pin down where she was born. From there I was able to obtain a copy of her birth certificate", he said.

"At that point I could have obtained a duplicated passport, as well as a driving licence for her, since she didn't drive, and start opening bank accounts and credit cards", he added.

How easy was the process? It took, he told his audience, many evenings of intensive effort.

But the really bad news is that applications and services on the web now exist that automate the process. These apps and services, which include PIPL and Maltego, allow someone's name to be punched in and the software then goes away and does everything automatically.

The conclusion?

"Don't give any personal information away on sites like Facebook and Twitter. Whatever appears on these services stays online and can be accessed using historical data services. I ended up with 40 pages of Marie's Twitter data, which allowed me to work out the name of her mother and father, as well as where she was born," he said.
