Valid/sufficient identification mechanisms/credentials for personal data collection.

From: Serg B. (sergicles@gmail.com)
Date: Tue Aug 01 2006 - 02:46:45 EDT


I am not sure if this is a suitable topic for this list but it is certainly within the scope.
This article is not related to IT as such, but has a lot to do with social engineering and identity theft. I suppose this is an iffy area of IT since the Internet has not only enabled perpetrators to realise much greater returns on their crimes but has become an indispensable tool in every arsenal.
Since I read The Art of Deception a few years ago I started to notice real-life situations where an individual could easily get away with almost anything (theft, scams, etc.) by carefully choosing their words and the people they talk to. When I first read the book I thought it didn't look like any of this could be possible. It was certainly fascinating to read but not possible, not for me anyway. As I worked through my young grasshopper IT career days I became more and more exposed to the security side of the industry, which in turn made it possible for me to observe some of these tricks, or at least attempts to do so, first hand. Soon after I realised that things are even simpler than an average case study in the book. Especially if you are an insider, you have access to everything and anything. As long as you are confident and don't mind lying like there is no tomorrow the world is yours.
Currently, every Australian resident is going through their Census (http://www.abs.gov.au/census) survey forms. Seems like a reasonable thing to do, maybe not for the paranoid, but anyway… The form is around 18 pages long and contains a fair amount of personal questions such as your name, surname, date of birth, address, employment information, income bracket, etc. A sample can be found here: http://www.abs.gov.au/websitedbs/d3310114.nsf/4a256353001af3ed4b2562bb00121564/d14318a2e9282072ca25715d00177d17/$FILE/HHF%202006%20Sample%20only.pdf
It is delivered via a courier and is left near the front door, and pick-up is very much the same. On the front cover of the form, one of the bullet points is "Your Collector will return between 9 August and 28 August to collect your form".
Well, this is certainly a great service, but how do I know that the so-called collector is indeed an authorized person to collect my Census forms?
What safeguards have been implemented by the government or the Australian Bureau of Statistics (http://www.abs.gov.au) to make sure that your friendly neighborhood hacker does not print herself a fake identification badge and go door to door collecting these forms?
I for one have no idea what identification to expect from "the collector". Is it an ID card presented on request? Maybe it's an identification badge and a t-shirt with the ABS logo? No idea… And I am one of the paranoid ones! Most people would hand this information over without thinking twice.
The consequences of this are rather scary.
Obviously the worst-case scenario could result in loss of money, or it could be your best friend playing a joke on you and trying to disconnect your gas and electricity because you got on their nerves.
In either case the process is very simple. I am not going to go into a great deal of detail on the actual process, but there is nothing to stop me from calling a few common telecommunications providers and posing as the victim. All information required for authenticating yourself to your phone company is on the form. The same could be done with any utility providers (gas, electricity, etc.). In fact we could take this one step further and ask your phone provider to send you one of your old bills, since you lost it and now need it for invoice purposes. Provide a new, once-off postage address (of course don't tell them that) and your friendly neighborhood hacker just scored some identification points to open a bank account under the victim's name.
Where to from here? Any local TAFE or university will allow you to register provided you supply valid information (such as that gathered above) for a short course, $200 – $300, not much considering the potential return. And now a victim's name is on a fake University photo ID. Of course this could even be taken further but I am going to stop here and leave you with my previous question:
What safeguards have been implemented by the government or the Australian Bureau of Statistics (http://www.abs.gov.au) to make sure that your friendly neighborhood hacker does not print herself a fake identification badge and go door to door collecting these forms?

Any feedback, thoughts, ideas?
Serg
ubermonkey.wordpress.com