Flashing on the Queen’s highway can reveal your identity – a cautionary tale

How cautious are you about identity theft?

Do you worry about the pounds and hope that the pennies will look after themselves?

Ironically, there’s not a lot we can do about some of the big stuff, at least after we’ve submitted our information for processing – things like passport applications, for example, or tax returns.

On the other hand, even though it’s fairly easy to look after the “pennies” of our personally identifiable information (PII), some of us don’t seem to bother.

We probably assume that individual snippets of PII aren’t likely to yield much.

But that’s a big assumption. Building up an identity profile piece-by-piece from information that’s already published even has a name: OSINT, or open source intelligence.

Just as open source software is built from code that’s out there for the finding, so open source intelligence is compiled from information that’s already out there, waiting to be found and stitched together by anyone willing to look.

Cops love OSINT. It’s comparatively easy to collect. It avoids any of the contentious (and dangerous) aspects of intelligence gathering, such as surveillance and undercover work. And, best of all in today’s cash-strapped times, it’s free.

If you want to know just how far you can get using OSINT, take a look at this fascinating SophosLabs report:
The Koobface malware gang – exposed!

Sadly, of course, what’s good for the goose is good for the gander.

Cybercrooks can buy and sell information accumulated from all over, combining legally-acquired PII pennies with ill-gotten PII pounds until they have the level of detail they want for identity-related crime.

So here’s an amusing example of what not to do: don’t flash your corporate ID badge while you’re commuting to work.

The photo below was taken by a Naked Security fan in our very own neck of the woods, North Sydney, just round the corner from the office:

See the badge? Even at average mobile phone quality, snapped by a passenger who couldn’t get any closer and didn’t have a zoom lens, we were able to make out a fair bit of detail.

We’ve obliterated the significant details, but you can see the New South Wales Government logo bottom left (an instantly-recognisable red Waratah flower with the letters NSW underneath), and the name of the badge-holder and his department.

We figured out his work address from the name of the department where he works, which has an office well-placed for the lane he’s riding in and the turn he’s probably about to make.

But we couldn’t quite read his last name. We got close, but we ended up with two choices for each of the first three letters, leaving us to guess (name changed, of course) amongst:

Sam Phonera - Sam Phinera - Sam Peonera - Sam Peinera
Sam Chonera - Sam Chinera - Sam Ceonera - Sam Ceinera

With only eight to choose from, we’re already close enough for mischief, but thanks to NSW Roads and Maritime Services, we were able to work out the exact name on the badge.

As we remarked in a tongue-in-cheek piece a week or two back, Roads and Maritime operate a website to let you customise your number plates.

If you want a new letter and number combination, you just type it in to see if it’s available. But if you want to restyle your existing plates in funkier colours, you have to type in your last name as well, presumably as some sort of confirmation that they’re really your plates. (By experimenting, you will find that only the first three characters of the name have to be correct.)

With just eight possibilities, it didn’t take us long to mount a brute force attack. Sam Chinera, we know where you work, what bike you drive, your route to work, the time you start, and what you look like.

OK. There’s no major cause for alarm here. As Steve Jobs once famously said, “Not that big of a deal.”

But it is the sort of data a social engineer or identity theft can abuse. Sam: you really didn’t need to reveal your badge like you did. Put the badge in your pocket or your top-box.

There’s a simple rule you should follow at all times when it comes to PII: if in doubt, don’t give it out.

PS. Sam, I know I’m giving you a load of unsolicited advice today. But here’s some more: I’d give serious consideration to some decent protective clothing. If you prang in work shoes and suit pants, it usually doesn’t end too well. And those gloves leave a fair bit to be desired. Just saying.