There's been a lot of talk about identity theft in recent days, and a lot of technology is being thrown at the problem. But with all the technology that's out there, it's still pretty easy for a good social engineer to steal an identity and exploit it swiftly, even if they only have a single piece of personal information. In a recent project, my penetration testing firm was able to gain an alarming amount of access to personal information -- and even financial accounts -- with only a birth date to go on.
We were hired by a private college to assess the security of its network. After completing numerous tests for vulnerabilities in the primary systems, we started looking at the Internet sites for the various departments and schools within the college. We found a major flaw in the alumni site, so we asked for permission to exploit it. The college agreed, as long as we agreed to stop our attack before any of its alumni were actually robbed. We began the exploit immediately.
The alumni site contained a list of all of the college's past students, along with the year they had graduated. Each alum's name was hyperlinked to a profile page that the alum could access and edit, first authenticating themselves with a birth date.
We started our attack by looking at a recent year of graduates, focusing specifically on athletes. We found a male athlete whose name was also posted on the college's sports Website, which gave his statistics as well as a birth date. Using that birth date, we were authenticated into his alumni profile. We then edited his profile, indicating he was employed by a company we had created. We provided specifics in the profile, including a spurious job title, job description, a mailing address, and an email account that we controlled.
Using one of the world's oldest social engineering techniques, I then asked one of my colleagues to call the college registrar's office, posing as the secretary for the young man. She requested a transcript on behalf of the victim, and because we were listed as his new employer, the registrar's office agreed and faxed over a form. We quickly completed it and faxed it back. Within a day -- and without charging any fee -- they faxed over his transcript, which included his Social Security number.
