What it's like to steal someone's identity
Starting with just an e-mail address, a pen tester manages to get the goods on a high-net-worth executive in less than a day
By Joan Goodchild , Senior Editor
November 18, 2010 — CSO —
Chris Roberts, founder of One World Labs, too often meets people who assume they have nothing worth stealing. His Colorado-based consultancy assists businesses with security assessments, including what Roberts calls "the human side of pen testing." In other words, he helps organizations find out which employees pose a security risk because they're likely to fall prey to social engineering traps and other cons.
"So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'?" he said. "While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal."
As part of his penetration testing services, Roberts is sometimes called on to penetrate the identity of an individual to find out just how easy it is to get sensitive information. He explains how quickly it can be done by detailing a recent assignment.
Chris Roberts: We conducted a test on a high-net-worth individual. We were engaged to see what their profile was like online and what we could find out about them. We were asked to do it by the physical security guards looking after that person.
This person traveled a lot in Hollywood circles, so there was a lot of media data out there about him, but it was well-controlled and well-looked-after data. We started looking for more. Fairly quickly we found an e-mail address. It was a somewhat obscured address, but not very well obscured. So we searched for the e-mail address online were able to find a telephone number because he had posted in a public forum using both. On this forum, he was looking for concert tickets and had posted his telephone number on there to be contacted about buying tickets from a potential seller.
The phone number turned out to be an office number. Now we have the office number and an e-mail. We easily figured out where the office was located and phoned up and used a bit of social engineering. We posed as a publicist and said we needed to get a hold of him. Using some information we got on the Web, we got the office to give us his personal cell phone number.