RSA Europe: Social networking is the key to stealing an identity

In a practical ID theft security exercise that he shared with delegates, Mr Honan explained how a colleague - Marie Boran - set him the challenge of stealing her ID, but subject to the same parameters that an online fraudster would be limited to.

These working parameters, he explained, included not being able to directly contact her friends and family, and only having access to internet resources.

In his presentation - entitled `Knowing me, knowing you, how to steal an identity using Google" - he stepped through the procedures of using online portals such as LinkedIn, Bebo, MySpace, Flicker and Twitter, to mention but a few, to start to assemble a data file on Ms Boran.

“Where she had set her social networking profiles to ‘private’, I managed to get in via her friends. I found her date of birth via pownce.com, which was the key to stealing her identity”.

All online identities have a route, explained Honan, “normally a username or email address”.

“I found a lot of her professional information on LinkedIn, found a photo of her desk on PhotoSynth; which revealed a lot about her, and combining all of the information I’d compiled from various social networking sites, was able to register as her online at the General Register Office, which meant I was able to receive a copy of her birth certificate in the post”. This, therefore, would enable Honan to apply for a passport, mortgage, or driving license under her identity.

While Honan admitted that the process took him numerous hours, “there are tools available that will automate this process”. Sites such as 123people.com, pipl.com, friendscall.me, and maltego, are available to the black hat community to make the process of stealing an identity even quicker.

What goes online, stays online

“You need multiple security layers to protect your identity”, said Honan, “we’re leaving our footsteps all over the internet”.

The lessons that need to be learnt, advised Honan, include:

  • Personal data can reside on servers in the EU
  • Sites might not have good privacy policies
  • Data is permanent
  • Beware of social networking sites
  • Your friends can leak your information
  • You may not own your data
  • Data matching provides a full picture
  • Always review privacy statements and terms and conditions
  • Virtual world can impact the real world
  • What you put online can be used to hurt you
  • What goes online, stays online
  • There are no ‘secret’ questions anymore
  • It’s important to identify remote users
  • Revise acceptable usage policies for social networking sites

In conclusion, Honan told his audience that social networking security awareness is key, and advised everyone to “try and steal your own identity online”, in order to see just how easy it might be.

 

What’s Hot on Infosecurity Magazine?