How cautious are you about identity theft?
Do you worry about the pounds and hope that the pennies will look after themselves?
Ironically, there’s not a lot we can do about some of the big stuff, at least after we’ve submitted our information for processing – things like passport applications, for example, or tax returns.
On the other hand, even though it’s fairly easy to look after the “pennies” of our personally identifiable information (PII), some of us don’t seem to bother.
We probably assume that individual snippets of PII aren’t likely to yield much.
But that’s a big assumption. Building up an identity profile piece-by-piece from information that’s already published even has a name: OSINT, or open source intelligence.
Just as open source software is built from code that’s out there for the finding, so open source intelligence is compiled from information that’s already out there, waiting to be found and stitched together by anyone willing to look.
Cops love OSINT. It’s comparatively easy to collect. It avoids any of the contentious (and dangerous) aspects of intelligence gathering, such as surveillance and undercover work. And, best of all in today’s cash-strapped times, it’s free.
If you want to know just how far you can get using OSINT, take a look at this fascinating SophosLabs report:
The Koobface malware gang – exposed!
Sadly, of course, what’s good for the goose is good for the gander.
Cybercrooks can buy and sell information accumulated from all over, combining legally-acquired PII pennies with ill-gotten PII pounds until they have the level of detail they want for identity-related crime.
So here’s an amusing example of what not to do: don’t flash your corporate ID badge while you’re commuting to work.
The photo below was taken by a Naked Security fan in our very own neck of the woods, North Sydney, just round the corner from the office:
See the badge? Even at average mobile phone quality, snapped by a passenger who couldn’t get any closer and didn’t have a zoom lens, we were able to make out a fair bit of detail.
We’ve obliterated the significant details, but you can see the New South Wales Government logo bottom left (an instantly-recognisable red Waratah flower with the letters NSW underneath), and the name of the badge-holder and his department.
We figured out his work address from the name of the department where he works, which has an office well-placed for the lane he’s riding in and the turn he’s probably about to make.
But we couldn’t quite read his last name. We got close, but we ended up with two choices for each of the first three letters, leaving us to guess (name changed, of course) amongst:
Sam Phonera - Sam Phinera - Sam Peonera - Sam Peinera Sam Chonera - Sam Chinera - Sam Ceonera - Sam Ceinera
With only eight to choose from, we’re already close enough for mischief, but thanks to NSW Roads and Maritime Services, we were able to work out the exact name on the badge.
As we remarked in a tongue-in-cheek piece a week or two back, Roads and Maritime operate a website to let you customise your number plates.
If you want a new letter and number combination, you just type it in to see if it’s available. But if you want to restyle your existing plates in funkier colours, you have to type in your last name as well, presumably as some sort of confirmation that they’re really your plates. (By experimenting, you will find that only the first three characters of the name have to be correct.)
With just eight possibilities, it didn’t take us long to mount a brute force attack. Sam Chinera, we know where you work, what bike you drive, your route to work, the time you start, and what you look like.
OK. There’s no major cause for alarm here. As Steve Jobs once famously said, “Not that big of a deal.”
But it is the sort of data a social engineer or identity theft can abuse. Sam: you really didn’t need to reveal your badge like you did. Put the badge in your pocket or your top-box.
There’s a simple rule you should follow at all times when it comes to PII: if in doubt, don’t give it out.
PS. Sam, I know I’m giving you a load of unsolicited advice today. But here’s some more: I’d give serious consideration to some decent protective clothing. If you prang in work shoes and suit pants, it usually doesn’t end too well. And those gloves leave a fair bit to be desired. Just saying.
15 comments on “Flashing on the Queen’s highway can reveal your identity – a cautionary tale”
More likely than ID theft is the possibility of losing it…and who'd want to deal with all the paperwork that would generate.
Indeed! (I covered that in the article, though I was deliberately obscure about it. Put your mouse cursor over the picture of the scooter…then hold still for a moment 🙂
Paul, there's a 'c' in 'oscillations. Just saying.
I've noticed the alt tags on images in many of Duck's articles are often quite worth checking out. 🙂
I <3 the biker saftey bit at the end. 🙂 Im always preaching about that.
Someone on our Facebook page took me to task, saying he doesn't need protective clothing "because it's a moped, not a bike." Ignoring that with 150cc, 16" wheels and able to pull 60mph, it's quite some moped…
…it seems a bit like saying that security breaches (like losing confidential corporate data) hurt less if you leak the data from your mobile phone instead of from your laptop. After all, why take security seriously on a mobile phone? It's got just a fraction of the power and memory of your laptop, and it's just a fraction of the size.
It is when the power fraction is 98% of the computing power my Netbook has, plus constant internet connectivity, integrated social networking with social networking sites that have questionable data security policies, And nearly as much storage.
I reckon mobile phones are more of a risk.
Wait, that was sarcastic, wasn’t it… Herpy derp.
Well said. I'm still struggling to see how crashing a Bug Espresso 150 (as seen above) at 50mph on a crowded freeway is safer for you than pranging an R1 in the same situation.
Twenty years ago, some jerk was able to get a credit card using my name, address, and date of birth. That's all he needed. It took me eight years to clean up that mess. And that was before the Internet was the huge facet of everyday life it has become today.
I look at all the information people give out about themselves and I'm just gobsmacked by the epidemic of stupidity. Facebook has to be a field day for the bad guys, who are there to make certain that those who can't learn about security the easy way will have an opportunity to learn about it the hard way.
How much info do you have on your business card?
Name, date of birth, registration number, vehicle colour, licence number, list of demerits, Facebook password and CVV.
Only kidding. Name, fancy-sounding job title, employer, email address (guessable anyway) and website.
I take your point. However, I don't leave business cards or even any informal sort of ID in my car, though. Just seems a small precaution that costs no trouble and is worth taking.
Not wanting to derail the commentary, but I got clipped by a car at 25kph, broke all the bones in my hand, a few ribs, a lot of grazing and bruising on my arm and hip … and I was in all the right gear … just saying … 25kph!!!
That aside; have we thought about the PII revealed from those objects adorning the rear of your motor-vehicle? Things like “My Family” stickers, a personalised plate, any club/interest/membership stickers and maybe even a view of the back seat and/or boot contents?
Boy-o-boy, do I have a story for you …
It's not the speed. It's the change in speed and how long it takes 🙂
Your PII thoughts are intriguing…could make an interesting survey (if a rather long and tiring walk round the 'burbs of an evening or twelve).
I suspect I would like to hear the story, if it can be told without fear or favour (and without making me an accessory to something). You can always email it to me…duck at sophos dot com.
I used to work for a credit reference company in the UK, where we lived and breathed Identity fraud, car fraud, business risks etc day in day out.
One of my work colleagues signed up for Facebook when it first took off and without a second thought – completed his entire personal information and left it public!
I messaged him with a rather caustic comment about what he'd done bearing in mind his job, he rather sheepishly responded and cleared it all down.
BUT – that information was up there for a significant amount of time (days, possibly weeks), time enough certainly for it to be grabbed and stored on any number of bots, databases etc.
It's always worth remembering – once it's posted it can NEVER be 100% deleted.