People who have been the victim of identity theft know it can take months or even years to clean up the mess. It is one of the most stressful experiences one can have. The story I am about to share is very real. A close friend of mine was a victim of such a crime, and the fact that someone was able to reset that person’s email password was all they needed to gain their personal information. Ironically, this person didn’t use simple passwords, yet it was still done. Still, make your passwords and security questions unique and don’t use the same information for multiple accounts. In fact, make the answers to your questions incorrect – just random information that isn’t even true. You may have to write down this information, since all of us have so many accounts that it is impossible to remember everything. But this minor inconvenience sure beats the major nightmare you will live if your identity is ever stolen.
Herbert Thompson seems like just another smart academic software developer who loves formulas and geeking out. But he’s also stolen the identities of several casual acquaintances. In fact, in one case he gained access to a bank account in seven shockingly simple steps. He didn’t use any programming tricks, just a little sleuth work.
As part of an experiment, and with the permission of some people he barely knew, Thompson stole identities to show the public how easy it is to get access to personal data and banking information. He showed that it requires only some simple surfing for freely available personal data. What the following steps show is how vulnerable we all are to a security breach.
The victim: He knew her name was Kim, where she was from, where she worked and roughly her age. He also knew the name of her bank and her username, although as Thompson says, this was easy to guess—it was her first initial and last name.
Seven Steps:
1) He googles her and finds a blog and a resume. (Thompson called her blog a “goldmine.”) He gets information about grandparents, pets and hometown. Most important, he gets her college email address and current gmail address.
2) Next stop: Password recovery feature on her bank’s web site. He attempts to reset her bank password, but the bank sends a reset link to her email. He now needs to gain access to her gmail account.
3) Gmail access: He attempts to reset her gmail password but gmail sends this to her college email address. Gmail tells you this address’ domain (at least it did in 2008 when Thompson conducted the experiments) so he knew he had to get access to that specific address.
4) College email account page: Thompson clicks the “forgot password” link on this page and winds up facing a few questions. Home address, home zip code and home country? No problem, Thompson has it all from her resume, the same resume found through the simple google search done earlier. Then came a stumbling block – the college wanted her birthday. But he only had a rough idea of her age, no actual birth date.
5) State traffic court web site: Apparently you can search for violations and court appearances by name! And such records include a birth date. (Facebook also makes this piece of data very easy to get even if people do not note their birth year… remember, Thompson knew roughly how old Kim was.) Thompson had no luck with the Department of Motor Vehicles.
6) Thompson goes back to the blog and does a search for “birthday.” He gets a date but no year.
7) Finally, Thompson attempts the college password reset again. He fills in her birth date and simply guesses the year. He gets it wrong. But the site gives him five chances and tells him which field has the error. So he continues to guess. He gets access in under five guesses. He changes her college password. This gives him access to her gmail password reset email. Google requires some personal information, which he is able to get easily from her blog, e.g., father’s middle name. Thompson changes the gmail password, and that gives him access to the bank account password reset email. Here again he is asked for personal information, but nothing that he could not learn from Kim’s blog, e.g., pet name and phone number. He resets the bank password and bingo: he has immediate access to all her records and money.
From Thompson:
Needless to say, Kim was disturbed. Her whole digital ID sat precariously on the foundation of her college e-mail account; once I had access to it, the rest of the security defenses fell like a row of dominoes. What’s striking about Kim’s case is how common it is. For many of us, the abundance of personal information we put online combined with the popular model of sending a password reset e-mail has our online security unsteadily resting on the shoulders of one or two e-mail accounts.
In this case, the personal information came from her blog, but it could have easily come from a Facebook page or other online community pages.
Thompson provides good advice on Scientific American:
Go and do a self-check. Try to reset your passwords and see what questions are asked to verify your identity. Some questions are better than others. Date of birth, for example, is bad. In addition to the DMV, there are a wealth of public records available online where folks can track down when you were born. Most account reset features give you a choice of questions or methods to use. Go for questions that ask about obscure things that you won’t forget (or can at least look up), like your favorite frequent flyer number. Avoid questions that are easy to guess, such as – in which state did you open your bank account?
It’s also critical to remember that once you put data online, it’s almost impossible to delete it later. The more you blog about yourself, the more details you put in your social networking profiles, the more information about you is being archived, copied, backed up, and analyzed almost immediately. Think first, post later.
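The self-check Thompson recommends can be made concrete. The following added example (my code, not Thompson’s or SmartPlanet’s) models the reset chain from the seven steps above as a dependency graph: each account points at the account that receives its reset e-mail and lists the questions its reset form asks. It reports which accounts fall as dominoes when any one of them is compromised and which questions can be answered from a blog, resume or public record; the account data and the list of “publicly discoverable” questions are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed list of reset questions an attacker could answer from public sources:
# the ones used against Kim in the story plus the ones Thompson's advice calls bad.
PUBLICLY_DISCOVERABLE = {
    "date of birth", "home address", "home zip code", "home country",
    "father's middle name", "pet name", "phone number",
    "state where bank account was opened",
}

@dataclass
class Account:
    name: str
    reset_email: Optional[str]              # account that receives reset links; None = root
    questions: List[str] = field(default_factory=list)

def reset_chain(accounts: Dict[str, Account], start: str) -> List[str]:
    """Follow the reset-e-mail pointers from `start` down to the root account."""
    chain: List[str] = []
    cur: Optional[str] = start
    while cur is not None:
        if cur in chain:                    # two accounts recovering each other never bottom out
            raise ValueError(f"reset loop through {cur}")
        chain.append(cur)
        cur = accounts[cur].reset_email
    return chain

def blast_radius(accounts: Dict[str, Account], compromised: str) -> List[str]:
    """Accounts (including `compromised` itself) whose reset link an attacker
    holding `compromised` can read: the dominoes that fall with it."""
    return sorted(a for a in accounts if compromised in reset_chain(accounts, a))

def weak_questions(account: Account) -> List[str]:
    """Reset questions on this account answerable from public information."""
    return [q for q in account.questions if q.lower() in PUBLICLY_DISCOVERABLE]

# Constructed reproduction of Kim's setup: bank -> gmail -> college e-mail (root).
KIM = {a.name: a for a in [
    Account("bank", "gmail", ["pet name", "phone number"]),
    Account("gmail", "college", ["father's middle name"]),
    Account("college", None, ["home address", "home zip code", "home country", "date of birth"]),
]}

if __name__ == "__main__":
    for name, acct in KIM.items():
        print(f"{name}: chain={reset_chain(KIM, name)} falls_with={blast_radius(KIM, name)} "
              f"weak_questions={weak_questions(acct)}")
```

Running it shows the college account as the root of every chain, so its four publicly answerable questions are the ones worth replacing first.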
Read the story at SmartPlanet.