Channels ▼


How Identity Theft Works

There's been a lot of talk about identity theft in recent days, and a lot of technology is being thrown at the problem. But with all the technology that's out there, it's still pretty easy for a good social engineer to steal an identity and exploit it swiftly, even if they only have a single piece of personal information. In a recent project, my penetration testing firm was able to gain an alarming amount of access to personal information -- and even financial accounts -- with only a birth date to go on.

We were hired by a private college to assess the security of its network. After completing numerous tests for vulnerabilities in the primary systems, we started looking at the Internet sites for the various departments and schools within the college. We found a major flaw in the alumni site, so we asked for permission to exploit it. The college agreed, as long as we agreed to stop our attack before any of its alumni were actually robbed. We began the exploit immediately.

The alumni site contained a list of all of the college's past students, along with the year they had graduated. Each alum's name was hyperlinked to a profile page that the alum could access and edit, first authenticating themselves with a birth date.

We started our attack by looking at a recent year of graduates, focusing specifically on athletes. We found a male athlete whose name was also posted on the college's sports Website, which gave his statistics as well as a birth date. Using that birth date, we were authenticated into his alumni profile. We then edited his profile, indicating he was employed by a company we had created. We provided specifics in the profile, including a spurious job title, job description, a mailing address, and an email account that we controlled.

Using one of the world's oldest social engineering techniques, I then asked one of my colleagues to call the college registrar's office, posing as the secretary for the young man. She requested a transcript on behalf of the victim, and because we were listed as his new employer, the registrar's office agreed and faxed over a form. We quickly completed it and faxed it back. Within a day -- and without charging any fee -- they faxed over his transcript, which included his Social Security number.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.