At that point, all of the elements needed to take control of the person's identity were in place. We had obtained his Social Security number, established a mailing address, and become his employer. We stopped our attack there, since we had no wish to hurt the person. Had we continued, we decided that establishing credit through a major retailer would have been the easiest method.
We confirmed our hypothesis by visiting a large sporting goods store that advertised a 10 percent discount to customers who used its "quick and easy" approval process to obtain one of its credit cards. When I asked the manager how the store could establish credit so quickly, he explained that they verified the applicant's credit by asking for another credit card and then checking with that card's issuer. If another card wasn't available, they would simply contact the applicant's employer as a financial reference. At that point, we knew we were in, because we had already established ourselves as the victim's employer.
This is just one example of how easy it is to gain a dangerous amount of access to personal information. There were many other exploits we could have tried, and any one of them could have been just as effective.
Many people are careful to protect their Social Security number, but users should be concerned about all of their personal data, because an identity thief assembles a profile from many small pieces. Those pieces come from many sources, including trash and recycling bins, discarded mail, and Internet sites. Sites where users share personal information, such as MySpace and LinkedIn, make the problem worse. Sites devoted to family reunions, genealogy, and sports statistics may seem harmless, but they can be rich sources of exactly the details that identity-verification questions rely on.
For IT and security staff, however, the message is more complex. IT organizations should sanitize any online resources that contain personal data about their employees and keep only the bare minimum online. Personnel profiles and job applications should never be stored on systems that are widely accessible from the Web. If personal information must be posted on a Web-accessible site, protect it with some form of two-factor authentication, such as the technology offered by RSA Security.
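One concrete way to act on the "sanitize online resources" advice is to scan the Web document root for Social Security numbers before an attacker does. The script below is an added example, not code from the article or from Secure Network Technologies: it walks a directory of served files, flags SSN-shaped values, prunes the ones the Social Security Administration has never issued (area 000, 666, or 900 and above; group 00; serial 0000), and reports each hit masked to its last four digits so the report itself does not become a leak. The function names, directory layout, and sample alumni pages are constructed for the example; since SSNs issued after 2011 are randomized, the exclusion rules are the only validation available and some nine-digit false positives will remain.

```python
"""Scan Web-served content for exposed Social Security numbers.

Added example, not from the original article.  The sample pages in
SAMPLE_DOCS are constructed for illustration; scan_tree() is the
function you would point at a real document root.
"""
from __future__ import annotations

import re
from pathlib import Path

# Three, two, four digits with an optional dash or space between groups.
# The lookarounds stop the pattern from matching inside longer digit runs
# or inside dash-separated values such as order numbers and dates.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?![\d-])")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA has never issued.

    Area 000, 666 and 900-999, group 00 and serial 0000 are never assigned.
    Any other combination may be valid under the post-2011 randomized
    scheme, so this only prunes obvious false positives.
    """
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN in text, masked as ***-**-NNNN."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_plausible_ssn(area, group, serial):
            hits.append(f"***-**-{serial}")
    return hits


def scan_documents(docs: dict[str, str]) -> dict[str, list[str]]:
    """docs maps a path to its contents; returns only paths with findings."""
    return {path: hits for path, text in docs.items() if (hits := find_ssns(text))}


def scan_tree(root: str, suffixes=(".html", ".htm", ".txt", ".csv")) -> dict[str, list[str]]:
    """Read every text-like file under root (assumed to be the Web document
    root) and scan it.  Binary formats such as PDF need a separate extractor."""
    docs: dict[str, str] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            docs[str(path)] = path.read_text(errors="replace")
    return scan_documents(docs)


# Constructed sample pages: one alumni directory row leaks a real-looking SSN,
# the rest is noise a naive nine-digit scanner would trip over.
SAMPLE_DOCS = {
    "alumni/directory.html": (
        "<tr><td>Jane Doe</td><td>Class of 1994</td>"
        "<td>SSN: 219-09-9999</td><td>(555) 123-4567</td></tr>\n"
        "<tr><td>John Roe</td><td>Class of 1998</td>"
        "<td>ID 000-00-0000</td><td>Order #4711-22-2006</td></tr>\n"
    ),
    "about/index.html": "<p>Founded 1887. Call 800-555-0199 for admissions.</p>",
}

if __name__ == "__main__":
    for path, hits in scan_documents(SAMPLE_DOCS).items():
        print(f"{path}: {len(hits)} SSN(s) found: {hits}")
```

Run it as `python scan_ssn.py` against the built-in sample, or call `scan_tree("/var/www/html")` from a cron job and alert on any non-empty result. Treat the output as a to-do list for removing or access-controlling the pages, not as proof that nothing else is exposed; names, birth dates and employer details are just as useful to an attacker and need a different search.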
Finally, IT departments should continually test themselves for vulnerabilities. If a pen tester hadn't come in and shown the college the flaws in its alumni system, how long would it have taken its own IT staff to find and fix them? Vulnerabilities are often found in systems that seem peripheral to the business or relatively unimportant to the enterprise. Once such a vulnerability is exploited, however, the consequences for users, customers, or employees can be disastrous.
Steve Stasiukonis is VP and founder of Secure Network Technologies Inc. Special to Dark Reading.