
No-Fail Identity Theft – Live and In Person

timothy posted more than 6 years ago | from the ma'am-I'm-going-to-need-to-ask-you-to-remove-that dept.

Security 214

ancientribe writes "A researcher performing social-engineering exploits on behalf of several US banks and other firms in the past year has 'stolen' thousands of identities with a 100 percent success rate. He and his team have posed as investigators for the FDIC (among other things), and numerous times have literally been able to walk out the door with pilfered identities. The reason: organizations are typically so focused on online ID theft that they've forgotten how easy it is for a criminal to socially engineer his way into a bank branch or office and physically hack it."


The biggest exploit for any system (5, Insightful)

NovaHorizon (1300173) | more than 6 years ago | (#24017285)

The human element.

Re:The biggest exploit for any system (3, Insightful)

arose (644256) | more than 6 years ago | (#24017399)

s/any system/any otherwise safe system/

Re:The biggest exploit for any system (3, Interesting)

Anonymous Coward | more than 6 years ago | (#24017659)

My favourite is the security guard who breaks all the rules for a big-chested woman. Banks also have lots of business cards with employees' first and last names for the taking. Plus any bank employee who invites you into their office has business cards for sure, and they always leave the room for some reason; not that taking business cards on display wasn't their intended purpose, but the employee isn't even there to observe. Banks often request people to speak their passwords/PIN codes as a form of checking account ID; others can see and hear. That, of course, is leaving aside beers with anyone who doesn't control their tongue under the influence of alcohol. The other security failing is that most buildings or offices have identity cards to open doors, with or without a password, and most people never look behind them to see who might enter and whether they know them, even though that is the standard. Forget all the cameras and sensors; they are after the fact!

Re:The biggest exploit for any system (4, Insightful)

jellomizer (103300) | more than 6 years ago | (#24017793)

Mismatch of values.
We as customers don't like to be treated like criminals, as most of us aren't. However, good security requires treating everyone like they are.
A bank or store with strict security will not last long, as their customer service would be horrible. IDing people you know every single time. Not cashing checks with simple spelling mistakes in the names. Ensuring the candy isn't in reflective wrap, as they could use it to see what could possibly be on the screen, by picking a grape lollipop (OK, I am stretching here a bit).

We want friendly customer service; this is in direct conflict with security.

Re:The biggest exploit for any system (5, Insightful)

globaljustin (574257) | more than 6 years ago | (#24018513)

However, good security requires treating everyone like they are...We want friendly customer service; this is in direct conflict with security

false dichotomy...your 'either...or' is invalid. First, providing security IS good customer service...

More importantly, your ideas about what 'good security' requires are based on a flawed theory and definition of what it means to be 'secure.' Your operating definition implies that '100% secure' is an attainable goal. It's not. There is no golden procedure that will bring you out of Oz like Dorothy clicking her heels together three times.

Ham fisted, dumb tactics like making a teller ID some old lady that has been banking there for 30 years is the height of stupidity.

The best way to provide a secure environment is to first have educated, savvy personnel at all levels. Second, have smart, targeted policies that capitalize on your educated employees using higher brain functions.

A Counter-example: Instead of your "ID everyone all the time even if it's your grandma" approach...have a policy that says "ID everyone they have a 10 year + history and relationship with the bank, and you recognize them immediately"

Why? No teller is going to comply with your example because it is unworkable. Have targeted, specific policies and employees that can think analytically instead.

ps...for those of you with Asperger's or OCD just itching to point out flaws in my example, remember, it's just an example. If you're so interested in what I'm saying, then look at my ideas instead of nitpicking an admittedly imperfect example.

Re:The biggest exploit for any system (4, Insightful)

ArsonSmith (13997) | more than 6 years ago | (#24019571)

"The best way to provide a secure environment is to first have educated, savvy personnel at all levels. Second, have smart, targeted policies that capitalize on your educated employees using higher brain functions."

I think 100% security would be easier to achieve.

Re:The biggest exploit for any system (0)

Anonymous Coward | more than 6 years ago | (#24018623)

The answer isn't to treat everyone as a criminal but to check for appropriate identification and have appropriate processes in order to help maximize the correct identity and minimize the release of information to non-authorized users...

I like to think there is a difference--perhaps the lack of appropriate security (wherever we are) has made us think that increased security is treating everyone like criminals. Not sure that it is...

Re:The biggest exploit for any system (3, Funny)

Walt Dismal (534799) | more than 6 years ago | (#24017965)

Your mission, Mr. Phelps, is to find a pointy-hair boss too stupid to know better, and con him. Failing that, any sheeplike underling is okay too. If you or any or your Slashdot Impossible Mission Force (SIMF) is caught or killed, the secretary will disavow your actions. Oh, and before the mission, would you fill out this little insurance card? In case of your death, I get a new house.

Re:The biggest exploit for any system (4, Funny)

kalirion (728907) | more than 6 years ago | (#24018341)

The solution is simple then - remove the human element.

Re:The biggest exploit for any system (4, Insightful)

fiendy (931228) | more than 6 years ago | (#24019173)

The solution is simple then - remove the human element.

That's a great suggestion, but unfortunately, Diebold makes the ATMs for my bank. I don't particularly feel like trusting them either.

Re:The biggest exploit for any system (4, Interesting)

johneee (626549) | more than 6 years ago | (#24018415)

Hm, I actually just had the idea when reading this that you could probably get a good haul by grabbing a bunch of credit card applications, getting a folding table, dressing nicely and setting yourself up in a mall. Plus you'd have the advantage of not necessarily having as many cameras pointed at you. Not as many IDs of course, but the info would be good and very little chance of being caught.

Re:The biggest exploit for any system (5, Interesting)

SydShamino (547793) | more than 6 years ago | (#24019519)

Better than that, I think any good university should take your (correctly modded) interesting suggestion and employ it for their own use.

1. On a weekend or another "off" time, the university hires someone to set up a table outside the UC, where credit card vendors often wallow.

2. The person sits at the table and offers credit card applications to students. He gives them lollipops or something equally stupid as a reward, or just promises them a T-shirt in the mail once their application has been approved.

3. He packs up and leaves in 30-45 minutes.

About a week later, the university contacts anyone who filled out an application, explains to them that the person was posing as an ID theft criminal posing as a credit card salesman, and that, had it been an actual criminal, their credit would already be trashed.

That could be a sober lesson for many naive young college kids. I bet the local police would be happy to orchestrate something like this.

Re:The biggest exploit for any system (1)

Gilmoure (18428) | more than 6 years ago | (#24018877)

So... Skynet is the answer.

Cool!

Lifelock Ad (3, Funny)

oahazmatt (868057) | more than 6 years ago | (#24017291)

I love the ad for LifeLock at the top of the page. Didn't the CEO just fall victim to identity theft?

Re:Lifelock Ad (0)

Anonymous Coward | more than 6 years ago | (#24017615)

No. It wasn't recent, and in fact was a reasonable example of their implementation working (it was a small loan at a place that doesn't check anything, as soon as it popped up in the system the lender got stuck with it since it was identified as fraud).

Of course the service they offer isn't worth what they charge for it (well unless you enter 1=1 in the web form...)

Re:Lifelock Ad (0)

Anonymous Coward | more than 6 years ago | (#24018577)

It wasn't recent, and in fact was a reasonable example of their implementation working

Last I heard, there were 25 different driver's licenses applied for with his SSN.

If that's their system 'working', I'd rather not have their system at all.

Re:Lifelock Ad (2, Informative)

Actually, I do RTFA (1058596) | more than 6 years ago | (#24017755)

Didn't the CEO just fall victim to identity theft?

There has been one confirmed case of a $500 loan via ID-theft of their CEO. There are 25 other disputed cases. According to the company, as of last month 105 of Lifelock's customers have been victims of identity theft. Which is 0.01% of their customers.

Re:Lifelock Ad (0)

Anonymous Coward | more than 6 years ago | (#24018527)

Well yeah, but the guy put his SS# on the side of a truck and drove around TX for a month.
One successful theft for that much opportunity - that says something good. Sort of.

I wonder if Lifelock will become a target themselves for social engineering attacks.
That would be interesting.

A Wise Man (4, Interesting)

TheSubAtomic (1305939) | more than 6 years ago | (#24017303)

A wise man once told me, "There is no security patch for human stupidity." I guess he was right...

Re:A Wise Man (5, Funny)

clone53421 (1310749) | more than 6 years ago | (#24017791)

Duck tape?

Re:A Wise Man (0)

Anonymous Coward | more than 6 years ago | (#24018873)

you mean duct tape.

Re:A Wise Man (2, Informative)

clone53421 (1310749) | more than 6 years ago | (#24018929)

Duck tape is the brand name, duct tape is the product. I realize that, and I didn't really feel like clarifying in my original post.

Re:A Wise Man (5, Insightful)

DaedalusHKX (660194) | more than 6 years ago | (#24017865)

At risk of dating myself here, I will mention that during the whole Mitnick thing (big press about the social engineering "dark side hacker" back then), I wrote a paper in a sociology class, and proved it beyond my wildest dreams. (Granted, the presentation was done to a batch of people with glazed eyes.) The topic? That despite all the hullabaloo, the vast majority of "the masses (tm)" are still just as brick/rock stupid, or at least very ignorant, just as they were before social engineering was brought to the newsfront by over-eager media people looking for someone to demonize.

Do not be upset. Stupid people are there so that intelligent or smart people are given a reason to shine. If everyone was smart, you'd be another drop in the bucket, but if you are, and they are not, then be happy you're stronger, smarter or better off, enjoy the advantage, help others if you want, or avoid helping them, all up to you.

All in all (back to my paper in question), I think I only had a few people turn me down for providing private info. It was then that I realized that "security" auditing was a joke for any company that is not so small that the employees and employer know and care about each other. Tall order in today's societal tendency for a lack of responsibility. Until people are held accountable for their actions by other people, regardless of the piece of paper they hide behind (be it a corporate charter or some other set of excuses for bringing harm to others), until people are held accountable by those whom they harm, nothing will change. Therefore, I wager nothing will EVER change, since the vast majority are cowards. The upside is that this has created a veritable "garden of eden" for those of us that do not suffer from lack of courage or lack of vision.

If there truly is a God, he must be one sarcastic dude, because, as far as I can tell, he despises stupid, weak people, and does everything possible to give them a shock to wake them up. And, despite my dislike for Churchill, this quote is a classic "sometimes a man may trip over the truth, but sadly, very often he just picks himself up and goes on." So don't feel pissed that most employees don't care. Their entire social structure is built on irresponsibility, rudeness, and triviality. Why do you expect them to behave as exemplars of honor, honesty and integrity, when the very system they seek to be rewarded by, is not based on such ideas? (No, paying lip service to "honesty" does not make one honest, same thing with honor or integrity or a hundred or more other ideas one can name.)

Re:A Wise Man (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24018175)

Dude, are you going to pass that along or just smoke it all yourself?

Re:A Wise Man (1)

D Ninja (825055) | more than 6 years ago | (#24019293)

Stupid people are there so that intelligent or smart people are given a reason to shine. If everyone was smart, you'd be another drop in the bucket, but if you are, and they are not, then be happy you're stronger, smarter or better off, enjoy the advantage, help others if you want, or avoid helping them, all up to you.

Except social engineering has only partly to do with stupidity. It also has to do with trust. A smart person can easily be exploited if he trusts someone. It may take longer to gain that trust, but, arguably, if a smart person is exploited, the consequences could be that much worse.

And then, of course, there's the argument that even a smart person has a bad day every once in awhile. You could easily be caught off guard. Why do you think *true* high security places always have more than one guard in place at any time?

Re:A Wise Man (1)

snowgirl (978879) | more than 6 years ago | (#24019613)

I agree with just about everything you say. Actually, I'd say that the majority of people are of average intelligence; if everyone were as smart as Einstein, well, then that would be the average intelligence.

You're right though, when I worked for a big company that wanted to protect its assets and required people to use key-cards to enter, almost no one actually followed the rule, "if they don't have a badge, don't let them in." Once, there was a guy who wanted to follow me in, and I kept telling him, "no, you need to go to the front office", after he finally trudged off, I realized that I even knew who the guy was. I was just so entrained with security protocol, that I wasn't going to let him in without a badge... no matter who he was.

Of course, that's also because he might not be working for the company anymore... people get fired, and disappear from a company pretty much overnight sometimes.

education (1)

globaljustin (574257) | more than 6 years ago | (#24018157)

There is no security patch for human stupidity

Education and knowledge are the patch for human stupidity. The whole point of the article was that because people are so focused on online security threats, they are becoming lax with old-school threats.

If people just understood the "online" part of "online security threats" this would not be an issue. I am genuinely disappointed that your everyday American is so ignorant about what the internet actually DOES.

Make technology classes mandatory as part of literacy education.

a few caveats:

1. sometimes, education as a "patch" takes years, but it does work
2. yes, education depends on the motivation of the learner, but if rewards (like having a job, pay, etc.) are tied to internet literacy, then learners will be sufficiently motivated
3. no exceptions...everyone, including John McCain, must learn the basics

Re:education (2, Insightful)

niiler (716140) | more than 6 years ago | (#24019215)

The problem with this is two-fold:

First, the folks in control of implementing such technology classes would do the usual (let's memorize IE8 and Office 2008) in order to make people more "productive" instead of teaching people the overall context of DRM, net neutrality, black-box voting, and the like.

Second, even if you could get reasonable content in the class, most students wouldn't give a damn. "But I can use my iPhone (see: I'm using it now!) - therefore, I am tech savvy and this class is stupid."

Until the powers that be in education see the pervasiveness of technology in our lives, they will ignore the larger issues of being informed about our digital commons.

Wholesale versus Retail (4, Insightful)

goombah99 (560566) | more than 6 years ago | (#24017319)

Internet theft: Wholesale
in-person theft: Retail

We make up the difference in volume!

I'm not worried about Retail level theft. It's the wholesale one that is more worrisome.

if internet theft has a success rate of 1 in a thousand but puts millions of people at risk it's more worrisome.

Re:Wholesale versus Retail (3, Interesting)

Pvt_Ryan (1102363) | more than 6 years ago | (#24017411)

True... but if you have physical access you can "bug" the system, thereby getting true wholesale with greater effect, and less chance of detection.

Re:Wholesale versus Retail (3, Interesting)

goombah99 (560566) | more than 6 years ago | (#24017589)

True... but if you have physical access you can "bug" the system, thereby getting true wholesale with greater effect, and less chance of detection.

Yes, but the list of suspects is too small to be comfortable. With the internet you can sit in your Nigerian internet cafe all day long and have no fear of prosecution.

Re:Wholesale versus Retail (4, Informative)

Kingston (1256054) | more than 6 years ago | (#24017531)

Yes, unless the "in-person" thief can pocket a couple of CDs [bbc.co.uk] with the personal details of almost all the families in the UK on it.

Re:Wholesale versus Retail (1)

Amouth (879122) | more than 6 years ago | (#24017581)

While wholesale does affect more people,

I would personally be more worried if I was hit by the retail version... as that has more chance to screw me over.

Re:Wholesale versus Retail (2, Insightful)

MozeeToby (1163751) | more than 6 years ago | (#24017673)

My wife works for a small investment advisor firm; they probably have 1500-2000 clients with all their information on file. If a criminal went for their backup tapes rather than whatever loose paperwork happened to be floating around, they could have every single one of them. Their security basically consists of the admin assistants asking people who they are there to see; I doubt they even have a lock on the server room door.

Re:Wholesale versus Retail (0)

Anonymous Coward | more than 6 years ago | (#24018187)

Address please?

Re:Wholesale versus Retail (0)

Anonymous Coward | more than 6 years ago | (#24018767)

If you are smart enough, you wouldn't steal thousands... All you need is that unique person that is worth as much as all those thousands.

In other words, for that kind of man/woman, in-person theft is much more dangerous. And that is the kind of people banks and other companies want as their client.

Therefore, physical security needs improvement, in the view of that potential victim and their banks/companies.

Re:Wholesale versus Retail (1)

Builder (103701) | more than 6 years ago | (#24018859)

You might want to rethink that... a non-internet-related loss recently led to the potential release of a quarter of the UK population's details into the wild. That's names, national insurance numbers, addresses and banking details - all on a couple of DVDs.

I don't know of a single internet heist that could net me all of that data in one go!

Re:Wholesale versus Retail (1)

mea37 (1201159) | more than 6 years ago | (#24019437)

I think you're playing a little loose with the numbers.

You're also not factoring in that in "retail theft" of personal information, every compromised account will probably be used in an act of fraud. In "wholesale theft", a small percentage of the stolen accounts will actually be used. The pool of potential victims may be much larger, but the number of actual, converted victims may not be.

More to the point -- an obsessive focus on the Threat of the Day is never a good idea. Make that one link as strong as you want, but the chain will still break.

This just in... (3, Insightful)

jockeys (753885) | more than 6 years ago | (#24017329)

people are the weakest link in any security system. Film at 11.

Re:This just in... (4, Insightful)

caluml (551744) | more than 6 years ago | (#24018329)

What annoys me are banks/companies in the UK who do this:

Me: Hello?
Them: Hello, this is LloydsTSB/BT/some other company. Is this <My Name>?
Me: Yes
Them: OK, for security, I have to ask you some questions. What is your date of birth?
Me: I'm not giving that sort of information out to some random on the phone - how do I know you're who you say you are?
Them: I'm ringing on behalf of LloydsTSB/BT/some other company.
Me: Sure, you said that. Tell me what my account number is then
Them: I can't do that until you've identified yourself.
Me: Bit of an impasse then, isn't it?

Sure, they know my name and number. I'm guessing it's not that hard to find that out though.

Re:This just in... (5, Insightful)

Duncan Blackthorne (1095849) | more than 6 years ago | (#24018793)

Actually... clue #1 is that someone called YOU and asked for personal information. My counter to that (assuming I ever am confronted by it)? Get their name and tell them I must call them back, then call back to that company's main number. Chances are that once I ask this scammer his name, he hangs up on me.

Social Engineering ftw (3, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#24017365)

I don't know if you can say it's related to online identity theft, though; this sort of social engineering predated that by decades, and it's always worked well.

So much of it is about knowing the right number to call, or the right person to approach.

People just need to be suspicious, but suspicious is massively unhelpful to people who legitimately need help. No one ever calls me for security credentials because I am the documentation gestapo; instead they approach one of the other people who can set them up, because they know that those people won't ask as many questions.

On the one hand, I know I don't need to be as thorough as I am, on the other hand I know that the one time I'm not, I'll give access to the wrong person.

Re:Social Engineering ftw (3, Insightful)

Jason Levine (196982) | more than 6 years ago | (#24017475)

The scary thing is that you can be as suspicious and careful as possible and still have your identity stolen because someone in another city whom you've never met wasn't suspicious and careful or because some company that you've dealt with directly or indirectly has a security breach of some sort. And when that happens the company responsible for your identity being stolen isn't out any significant (to them) money, but you need to spend a lot of your time and energy to restore your good credit.

Yes, I'm speaking from experience. I was lucky enough to find out about it early when the unrequested credit card was "accidentally" sent to me instead of to the ID thieves. So I got an "easier" time than I could have had. I still have to look over my credit report constantly, though, as my information is out there now.

Re:Social Engineering ftw (2, Interesting)

nine-times (778537) | more than 6 years ago | (#24017525)

I've read stories (here on Slashdot) where black hats have admitted that social engineering is one of their most successful methods of "hacking". Why bother with a brute force or even a dictionary attack? You can just ask the user for their password and they'll give it to you.

When you think about it, phishing is just another form of social engineering.

There may be technological protection to try to prevent these things, but the best protection will always be procedural. Unfortunately, no one wants to follow procedures because it's bothersome, inconvenient, and sometimes expensive.

I'm afraid these security holes will always exist, except maybe in places where procedures are strictly enforced. Still, it only takes one lax personality in the right place, and all your other security measures won't protect you.

Re:Social Engineering ftw (2, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#24017751)

Yea. The best defense is limiting the harm that can be done on the network, defining everyone's permissions, prohibiting full network access from unsecured rooms, etc.

But there is no good way to take people out of the loop.

Re:Social Engineering ftw (1)

es330td (964170) | more than 6 years ago | (#24018297)

I've had to exploit social engineering on occasion in the past for legitimate purposes. The beauty of convincing someone that you are a person they trust is that you not only get through security, you gain knowledge of process. You can make a simple request of them in English and they know what systems need to be accessed to make your requested change. Unfortunately, it is more likely that somebody will write a bug-free Linux distribution on their first compile than employee awareness being raised to the level of preventing social engineering. As long as we have users that call IT when they make their Windows font white on a white background (yep, happened last month), social engineering will always work.

Let me be the first... (0)

Brandybuck (704397) | more than 6 years ago | (#24017369)

Let me be the first to say, "well duh!"

Why is this even news? This isn't social engineering, it's old-fashioned fraud, the kind that has existed for thousands of years. Talk slick and carry fake documents, and you can make your way into the heart of most businesses. Even banks.

Re:Let me be the first... (0)

Anonymous Coward | more than 6 years ago | (#24017539)

Still, 100% is a pretty daunting statistic. I'd guess that would have been lower in the '80s.

Re:Let me be the first... (1)

Chas (5144) | more than 6 years ago | (#24017669)

"This isn't social engineering,"

"Talk slick and carry fake documents, and you can make your way into the heart of most businesses."

Pretty much the definition of social engineering.

How to "steal" an identity. (4, Informative)

apathy maybe (922212) | more than 6 years ago | (#24017417)

Step one, find a birth certificate for a person of the same gender as you, and around the same age.

Register at your local university and obtain student card in the name of the person on the birth certificate, withdraw before you have to pay anything (this step may vary with your university, I know it is possible at the Uni that I attended).

Obtain utility bills in the name of the person on the birth certificate.

There you go, 100 points of ID!

Use to obtain other forms of ID etc. (If you're in the USA finding the social security number would probably be useful too.)

If the person isn't dead (to create a "new" id, make sure that the birth certificate is for a person who died quite young), then you can have a field day getting access to whatever.

Enjoy.

How to dupe the public... (2, Informative)

Anonymous Coward | more than 6 years ago | (#24017461)

I think this story is a fake. The FDIC does not audit or insure credit unions, the NCUA does. So either the author of the article got the initials wrong or the whole story is social engineering.

Re:How to dupe the public... (3, Insightful)

corsec67 (627446) | more than 6 years ago | (#24017857)

Or maybe that is another thing that should make the people working at the credit union say "WTF is the FDIC doing at a credit union?"

Re:How to dupe the public... (1)

caluml (551744) | more than 6 years ago | (#24018575)

If you're one of the approx 50% of people that read this site that aren't from the US, you might not know what the FDIC [wikipedia.org] is.

Re:How to dupe the public... (0, Troll)

bryce4president (1247134) | more than 6 years ago | (#24018073)

What part of "insured up to $100,000 by FDIC" have you misinterpreted at your local bank? Just because the AC made the claim doesn't mean it's true or informative. Post a reference and then I'll question the bank's sign.

Re:How to dupe the public... (0)

Anonymous Coward | more than 6 years ago | (#24018515)

TFA references "credit union". 4th paragraph, 1st sentence.

Credit union Federal regulatory agency: http://en.wikipedia.org/wiki/NCUA [wikipedia.org]

Bank Federal regulatory agency:
http://en.wikipedia.org/wiki/FDIC [wikipedia.org]
http://en.wikipedia.org/wiki/Office_of_the_Comptroller_of_the_Currency [wikipedia.org]

Re:How to "steal" an identity. (0)

Anonymous Coward | more than 6 years ago | (#24017799)

D'uh really, is that how it's done? (You *do* realise that you posted that on a geek website?)

Social Engineering... (4, Interesting)

The Crooked Elf (1042996) | more than 6 years ago | (#24017437)

People are much too obsessed with the image of a diabolical Cheetos-eating hacker without any social skills. The most effective criminals in the world are friendly, well-dressed, and outgoing. And usually only technologically-competent enough to get the job done.

Ever heard of mustard squirters? They squirt your back with mustard, then inform you of the fact you have mustard on your back. They proceed—presumably generously—to wash it off for you: In doing so, they take your wallet. No technology. Tremendous success rate.

Come on. Some people out there need to read the works of Frank Abagnale, or at least Kevin Mitnick.

Re:Social Engineering... (1, Flamebait)

pilgrim23 (716938) | more than 6 years ago | (#24017645)

This has happened before. In 64 AD the Great Fire in Rome melted roof tiles of lead, which flowed into the treasury, reducing the gold content of any coin with Nero's face on it to about 1/2 that of his predecessor... that was Nero's story and he is sticking to it!

Identity theft is making people mistrust the banking system. Given what a shady thing it really is, this is a bad thing?

Re:Social Engineering... (0)

Anonymous Coward | more than 6 years ago | (#24018947)

The most effective criminals in the world are friendly, well-dressed, and outgoing. And usually only technologically-competent enough to get the job done. ... Come on. Some people out there need to read the works of Frank Abagnale, or at least Kevin Mitnick.

That group goes by the well known label of "politician". No one needs to read anything to know this truth.

Re:Social Engineering... (1)

dkleinsc (563838) | more than 6 years ago | (#24019067)

The most effective criminals in the world are friendly, well-dressed, and outgoing.

I thought we called those people "politicians".

Re:Social Engineering... (1)

JesseMcDonald (536341) | more than 6 years ago | (#24019171)

The most effective criminals in the world are friendly, well-dressed, and outgoing. And usually only technologically-competent enough to get the job done.

Such individuals are commonly known as "politicians".

Here We Go Again... (3, Insightful)

mpapet (761907) | more than 6 years ago | (#24017467)

When someone from some esteemed institution of higher learning discovers this, then maybe the "identity theft" groupthink will end.

#1. Banks make money when your identity is stolen. The profit comes in the form of transaction penalties when you start reversing the charges and possibly the bank's "identity theft services."

#2. No one seems to have any interest at all in shedding some light on the credit process. Why isn't it quite transparent to all consumers?

The way the entire "identity theft" scheme works overwhelmingly favors the banking industry, and it's no one's fault but ours.

Re: Here We Go Again... (2, Informative)

Shados (741919) | more than 6 years ago | (#24017907)

Banks make money from it? Could have fooled me. Last time I got my cards stolen, the bank reimbursed EVERY LAST DIME I lost because of it. They took the entire blame and responsibility, I lost -nothing-....

Re: Here We Go Again... (1)

FLEB (312391) | more than 6 years ago | (#24018051)

Are you sure it wasn't the merchant getting hit with those charges, though?

Re: Here We Go Again... (1)

Shados (741919) | more than 6 years ago | (#24018195)

Very, since there was no merchant involved. They had taken money straight from the account, and made purchases using debits, not credit.

Correction (2, Informative)

mpapet (761907) | more than 6 years ago | (#24019699)

made purchases using debits

And the merchant is on the hook for those transactions. They paid penalties for taking the bad card, plus the balance, plus the lost merchandise.

Debit/credit is pretty much the same from the average retailer's perspective, just another cost of doing business.

Re: Here We Go Again... (4, Insightful)

intx13 (808988) | more than 6 years ago | (#24017957)

Banks make money by borrowing your money (at a low interest rate) and loaning it out to someone else (at a higher interest rate). If your identity is stolen in a big way, then any fees you pay to reverse bad transactions or identity-protection services you take part in are going to be outweighed by the fact that your money is quickly disappearing (and thus no longer available to be loaned out by the bank).

It's in the best interest of the bank to keep your money in their vault; identity theft typically results in the exact opposite.

Identity theft (at the scale we see it now) is relatively young, and so it's understandable that banks and credit unions don't really have a developed, effective strategy to protect the customer... but as the parent says, given the shroud of secrecy that surrounds much of the banking and credit industries, a little transparency might go a long way to illuminate danger areas, so we don't have to rely on proof-by-egg-on-face as in TFA.

Re: Here We Go Again... (3, Informative)

Wildclaw (15718) | more than 6 years ago | (#24019365)

Banks make money by borrowing your money (at a low interest rate) and loaning it out to someone else (at a higher interest rate).

Not quite true. That is the school level illusion that most people live under. The current money system in most countries today is far more insidious than that, allowing banks to lawfully lend out money (debt) created from nothing. Yes, they need some money deposited, but it is far less than what is lent out.

You should really see the documentary "Money as debt" (just search on youtube). While it may be slightly preachy and biased at some moments, a large part of it is a good description of how the money system really works.

Still, your basic assumption and discussion point regarding them wanting your money is correct, because the bank does need it to be able to lend out these even larger amounts of money. Actually, it is even more important for them to get your money as they can lend out a multiple of it.

You can't be serious... (1)

ZxCv (6138) | more than 6 years ago | (#24018471)

You seriously think banks make money on identity theft? You're either deluded or confused, or perhaps, both.


#1. Banks make money when your identity is stolen. The profit comes in the form of transaction penalties when you start reversing the charges and possibly the bank's "identity theft services."

I haven't seen a major bank EVER charge for "transaction penalties" when it comes to cleaning up after fraud. And I only say "major" banks because I haven't personally dealt with every little bank across the country. Even 10 years ago, before identity theft was even close to the problem it is today, the only cost incurred by consumers was typically the time to make the phone calls (and sometimes, write letters). Back then, many banks still had $50 fraud liability clauses, but even then they rarely enforced them. Today, it is quite common for banks to specifically advertise that they have a $0 fraud liability. And those "identity theft services" are never compulsory, and almost always just amount to saving you the effort of all the phone calls and letters you would have to otherwise take care of yourself.


#2. No one seems to have any interest at all in shedding some light on the credit process. Why isn't it quite transparent to all consumers?

Really? Have you been living under a rock for the last 5 years? The credit process is easier and more transparent today than it has ever been. The only consumers that it is not transparent to are the ones who are too lazy to do something as simple as obtaining their own credit report.


The way the entire "identity theft" scheme works overwhelmingly favors the banking industry, and it's no one's fault but ours.

Nevermind that fraud prevention and detection is the #1 security-related cost for any bank. I fail to see how a system where banks must spend millions of dollars a month and employ thousands of people favors those banks, when there is no back-end profit to make up for it.

Re:You can't be serious... (1)

mpapet (761907) | more than 6 years ago | (#24019559)

I think maybe you are viewing my post as a consumer, rather than as a merchant.

The credit process is easier and more transparent today than it has ever been.

Oh really? How is your score calculated? Where do the data points come from to calculate my score? How were they collected?

Nevermind that fraud prevention and detection is the #1 security-related cost for any bank

Anyone high-enough in the banking industry food chain would tell you otherwise.

Socially engineering banks... (1, Insightful)

Asmor (775910) | more than 6 years ago | (#24017469)

Pretend to be a researcher. Approach bank president. "Hi, I'm Bob Researcher from State U. I'd like to test your bank's security for you." [insert fear mongering as necessary]

If successful, yay! Free identities!

If unsuccessful, meh. You're legit!

Re:Socially engineering banks... (4, Insightful)

SatanicPuppy (611928) | more than 6 years ago | (#24017611)

Actually, that's not as good as telling them you're selling photocopiers. Don't remind people about security when you're trying to steal stuff; sometimes it jogs their memory to the boring security lectures they sat through during their first week of work.

The absolute best way to go about it is to be in a semi-authority position where you need information, and you have a right to information. If you need it, and you are perceived to have a right to it, then people will go out of their way to find it for you.

The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.

It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?

Re:Socially engineering banks... (4, Interesting)

thermian (1267986) | more than 6 years ago | (#24017945)

Actually, I used to use this trick to take a break when I was a student nurse in the nineties.

I'd pick up an xray or some notes that I knew wouldn't be needed, and go off walking around the hospital. No-one on my ward would question why I was gone, because I was just the student, I got sent places all the time. I found I could go round any department without being challenged, people just assumed I was meant to be there.

Incidentally, student nurse uniforms are easy to buy.

It worked for two years, then I got busy, what with exams and all, so I stopped doing it. I never got caught though.

Re:Socially engineering banks... (4, Insightful)

Free the Cowards (1280296) | more than 6 years ago | (#24018137)

It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?

And let's remember that this applies to emergencies as well. If you see someone in a crowd who needs medical help, go help him, and call for assistance if he needs it. Don't assume somebody else will do it; everybody else is going to assume that too! If you're the one who needs medical assistance, or you're with that person, don't shout out "call 911." Pick a person out of the crowd, point to him, and say, "You, call 911."

Re:Socially engineering banks... (4, Interesting)

ptbarnett (159784) | more than 6 years ago | (#24018205)

The "carrying a box of junk" thing works pretty well too; it's considered rude as hell to block someone when they're struggling under a heavy weight. Grab a big ass server and lug it into the building, and everyone will hold doors for you, then take it into a conference room, plug it in, and start looking for stuff. Bring a projector as well, and you can sit there all day, and people will assume you're there for a reason, or that someone else must know why you're there.

Sad but true: someone dressed up like a technician walked into my company's office and started puttering around with a desktop computer. After a while, he disconnected the computer and walked out with it.

Everyone assumed that someone else had called him to come in and fix the "malfunctioning" computer, and when he left with it, presumed that he was taking it elsewhere for a more serious repair effort.

I guess some places are just lax (5, Interesting)

BenEnglishAtHome (449670) | more than 6 years ago | (#24018629)

None of that crap would pan out where I work. [irs.gov]

Need help getting through a door? Sure, people will let you through a door if you're lugging a load. Then they'll see you don't have your badge on, offer to help you find the office and person you're looking for, and if you don't know what name or location to give, they'll stick right with you until you figure it out or security comes along to help.

Selling copiers? "Oh, man, dude, nobody on this floor has the authority to buy anything! Lemme walk you over to the facilities guy that you *must* have an appointment with. He'll get you a temp badge or an escort if you need to look around."

New hire? "Gee, ya know, I hate to be a pain about this but you really do have to keep your badge on in the building. Lemme hold your box while you find it."

Lost your badge? "Gee, ya know, you're gonna get hassled a bunch without it. Do you know where Kathy's office is? Let me show you; she can issue you a temp badge for the day."

Lugging in a server or anything that looks remotely computer-like? The security guard will have you sign in and call down someone from IT to escort you.

Visiting executive? Unless you're the commish, in which case you'll be covered by a phalanx of security, even the lowliest of the low in this place will give you a friendly wave, say hi, and offer you a lanyard for your badge while you're in the building. "Oh, that's OK, I can wait till you find your badge. Do you want me to show you where you're going/where to get a temp badge/to security?" In fact, this is one of the few times a data input operator can pull rank on the highest executive in the organization and you'd better believe that no office lacks for people who would relish the opportunity.

Bluff your way past security and take an elevator ride to an upper floor, looking for something? Big deal. All the doors are on card keys and if you knock, the person who answers is going to lead you right back through the "Gee, I hate to be a pain about this but you really have to wear your badge in the building" routine.

Walking around in the hall looking semi-lost because you got in but realize you can't get through any of the doors? You'll be directly challenged by someone who will walk you directly to your manager (if you can provide a name and location) or directly to security.

If by some total breakdown (say, you've got a decent fake badge and you piggyback on someone to get through a door) you get into the work area and plop down in a conference room, you're gonna get caught in short order. Plug in your laptop? If you haven't pre-reserved the room, you'll trip port security, that port on the router will shut down, the telecomm lady will get an automatic page and head up to that conference room to see who's screwing around by plugging in an unregistered MAC. Just turning on a laptop with wireless enabled chances setting off the scanner that's sometimes running in every building; in that case, you get a quick visit from scary men with badges and guns. You're a contractor on site and you plug in a wireless access point? See the sentences immediately previous, plus you get tossed out, fired if you're a sub, lose your individual security clearance, and the overall contract holder gets in seriously hot water. Just sit there and try to look important? The conference room reservations are controlled by the nearest secretary. As soon as s/he sees you in the room, you'll get asked to do a formal reservation. "If the room is free, you can have it, but I need your name and badge number for the log book. By the way, where's your badge?" In offices where the conference rooms aren't tightly controlled, people get used to dropping in so if you're sitting there without a badge, you're going to get questioned. If you don't know the right jargon, the right person to say you're working with, the right organizational attributes to assign to yourself, you're going to be questioned. Even the most timid employee will seek out the person who supposedly controls access to that area and tell them that you're there; *that* person *will* get an explanation for your presence. Whatever name/org/explanation you give, it had better match the employee directory.

None of this is burdensome to us. It's just part of the culture. I find it hard to believe that any major operation would just let someone plop down in a conference room without interference.
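
The port-security control described in the post above (an unregistered MAC on a conference-room port trips port security, the port is disabled and the network admin gets paged), written out as an added Python example that is not from the original post. The syslog line shape, port names, MAC addresses and the registration table are all constructed for illustration; real switches log this differently.

```python
"""Simulated port-security enforcement: a switch port that learns a MAC address
not registered for that port is err-disabled and an alert (the "page") is raised.
Everything here is constructed sample data, not a real vendor's log format."""
import re
from dataclasses import dataclass, field

# Constructed registry: port -> set of MACs registered to use it.
# An empty set is an unreserved conference room: nothing may plug in there.
REGISTERED = {
    "Gi1/0/12": {"00:11:22:33:44:55"},   # reserved room, one registered laptop
    "Gi1/0/13": set(),                     # unreserved conference room
}

# Constructed line shape: "<mon> <day> <time> <host> port=<p> mac=<m> event=learn"
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ port=(?P<port>\S+) "
    r"mac=(?P<mac>[0-9A-Fa-f:]{17}) event=learn$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = [
    "Jun 30 09:01:02 sw-core1 port=Gi1/0/12 mac=00:11:22:33:44:55 event=learn",
    "Jun 30 09:03:10 sw-core1 port=Gi1/0/13 mac=DE:AD:BE:EF:00:01 event=learn",
    "Jun 30 09:05:44 sw-core1 port=Gi1/0/12 mac=aa:bb:cc:dd:ee:ff event=learn",
    "Jun 30 09:06:00 sw-core1 link flapped on Gi1/0/07",
]


@dataclass
class Action:
    port: str
    mac: str
    shutdown: bool
    page: str = ""          # non-empty when someone should go look at the room


@dataclass
class PortSecurity:
    registered: dict
    disabled: set = field(default_factory=set)

    def handle(self, line: str):
        """Return the Action for one log line, or None if the line is not a learn event."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        port, mac = m.group("port"), m.group("mac").lower()
        if mac in self.registered.get(port, set()):
            return Action(port, mac, shutdown=False)
        # Unregistered MAC: err-disable the port and page the network admin.
        self.disabled.add(port)
        return Action(port, mac, shutdown=True,
                      page=f"unregistered MAC {mac} on {port}; port disabled, check the room")

    def process(self, lines):
        """Run every line through handle(), dropping lines that are not learn events."""
        return [a for a in map(self.handle, lines) if a is not None]


if __name__ == "__main__":
    ps = PortSecurity(REGISTERED)
    for action in ps.process(SAMPLE_LOG):
        print(action)
    print("disabled ports:", sorted(ps.disabled))
```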

Re:I guess some places are just lax (1)

SatanicPuppy (611928) | more than 6 years ago | (#24018997)

I would hope there aren't glaring security weaknesses at the IRS, but why steal from the IRS when you can hit the local tax assessors office and probably get information without being caught?

It's all very well to say, "This is how we do it" but the reality is, most people don't do it that way, and for the most part, that level of security would be problematic for smaller organizations.

deliberately anon (0)

Anonymous Coward | more than 6 years ago | (#24019021)

Second that. I've worked in the private sector, state government, and (currently) federal, and the federal government were the only ones that really paid attention to security.

Of course it took like three weeks between me getting hired and me getting a computer account due to all the background checks, but I know why they're there.

Re:I guess some places are just lax (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24019089)

None of that is burdensome? I used to work on a military base as a contractor with similar rules and holy fuck was it annoying as hell. Maybe it's "part of the culture" but low pay and little room for growth coupled with security that gets in your way of doing your job led to massively low morale among the employees. They had to keep installing more security to stop people from stealing computers and flatscreen TVs out of the break rooms.

Re:I guess some places are just lax (4, Insightful)

ShooterNeo (555040) | more than 6 years ago | (#24019165)

My gut feel, upon reading your description, is that no-one is that good. I would be very interested to know if any teams like the one in TFA have actually tried to break the security at the IRS.

Possible holes: everyone seems fixated on those ID badges. Precisely what is the security on those? RFID, or is it a magnetic strip?

Magnetic strips can be copied. RFID chips are more difficult and take serious hacking.

Other simple tricks: are the PCs at the IRS running Windows? Would a simple trick like the "drop a few USB dongles in the employee smoking area" work?

Finally, there's insider information. Somehow, I doubt the IRS pays people very well. There must be all kind of employees with IT jobs who could physically copy from computers containing millions of tax records.

Information is inherently far, far more difficult to secure than a physical item. I would be greatly surprised if the security were as airtight as you make it out to be.

Re:I guess some places are just lax (1)

JesseMcDonald (536341) | more than 6 years ago | (#24019259)

Does anyone else find it ironic that the government organization responsible for collecting taxes is itself a perfect example of why the overhead for government "services" is so high? It's amazing they manage to get anything done at all with so much bureaucracy...

Re:I guess some places are just lax (1)

Monty845 (739787) | more than 6 years ago | (#24019473)

The ultimate test in an organization that prides itself on security like that is what happens when a person penetrates the primary layer of security. Say someone steals & alters a legit badge (which is then not reported promptly)... if the badge opens the doors, and looks legit, will anyone question it? What about the person who has done their research? Someone who has researched a particular employee (who just left for vacation): ooops, I forgot my badge, could you show me who is in charge of issuing the temp badge? Yeah, I'm XXXX (who won't be around to notice). USB dongles in the parking lot (the suggestion of the break room would require more access)... There are lots of ways to penetrate the first line of defense; whether you have a real security culture is how many more lines of defense the average employee will enforce before accepting someone as legit.

The cost of this is quite high (4, Insightful)

Animats (122034) | more than 6 years ago | (#24019515)

There are places with tight security like that, and I've been to some of them. The overhead is high. For bidding purposes at a major aerospace company, we used to estimate that running a project at SECRET doubled the bid, and running at TOP SECRET ran the price up by 4x or more. At the higher levels, computers are in metal rooms with welded seams raised off the floor (so Security can check underneath) and with RF-tight airlocks. Signing documents in and out of files takes a big chunk of staff resources and time. There's a big bureaucracy associated with accountability.

One of the serious side effects of running highly classified projects is that the people working on them become obsolete in place. They're so cut off from the outside world that they don't keep up, outside their very narrow area of expertise. That's why I left aerospace and went to the commercial world.

Re:Socially engineering banks... (2)

caluml (551744) | more than 6 years ago | (#24018635)

I think the effect you're looking for is diffusion of responsibility [wikipedia.org]. Has a similar effect in riots/mobs. If everyone punches the policeman only once, it can't be *you* that killed him, right?

Re:Socially engineering banks... (1)

u8i9o0 (1057154) | more than 6 years ago | (#24019419)

It's an oddity of human nature that, the more people there are around, the more likely that people are to dismiss your presence because "someone must know them, and know what they're doing" otherwise someone would be acting, right?

Yup. [slashdot.org] From what I remember, a few in that group were casually sitting/reading/whatever nearby. This gave the impression to anyone encountering the scene that 'others' in the immediate area saw nothing wrong with the heist being committed. If anyone then talked to them, these people could reinforce the impression.

Re:Socially engineering banks... (1)

Koiu Lpoi (632570) | more than 6 years ago | (#24019683)

This is absolutely 100% true. I have a friend who is a tech for AT&T. With him, we've been able to get into many "restricted" areas, simply because he's a tech and I look like one. People go "oh, something's wrong with the lines? No, but you still need to do tests? Better let 'em through." Never asked for ID, nothing. People seem to have this implicit trust that "tech people" are there to help, and do not want to be bothered. While it's true, this privilege can be abused.

Yeah, but ... (2, Insightful)

Anonymous Coward | more than 6 years ago | (#24017489)

While it may have a higher success rate, the fact of the matter is that "in-person" identity theft poses a much higher risk ratio for the would-be criminal.
I'm sure if the researcher were really going to jail for his "crimes", he might not be so cavalier (and calm) when committing them, and this might affect the 100% success rate.

Re:Yeah, but ... (2, Interesting)

FLEB (312391) | more than 6 years ago | (#24018299)

OTOH, that "higher risk factor" helps the rationalization of "if they're in here, they must be legit", because anyone else would supposedly be stupid to try.

As for the "calm" factor, you may have something, but OTOH, I would expect that a successful social engineer has worked their way through a fair amount of less-dangerous situations to build up their in-character cool. If you're smart, you don't start at the "These? Backup tapes? Whatever are you implying?" level. You start with "Sorry... where's the bathroom?"-grade infiltration and work your way up.

Then again, I tend to give the criminal mind too much credit, so perhaps I'm wrong.

Absolutely.... (0)

Anonymous Coward | more than 6 years ago | (#24017491)

Epic NON-Fail

A change in your CV (1)

pzs (857406) | more than 6 years ago | (#24017635)

Gone are the days when IT security testing firms are looking for Unix expertise. Now they're looking for actors.

So.... (0)

Anonymous Coward | more than 6 years ago | (#24017823)

Posing as an official will get you inside. What next, they'll pose as cops? Next time, they should walk in with FBI badges and guns. Flash the badge and then have the FBI have a chat with them.

This "study" is so bogus. I hope the FDIC presses charges against these morons.

Risk is higher too... (1)

Iberian (533067) | more than 6 years ago | (#24017877)

Who cares if you get my spoofed IP address, but what happens when you run into a real member of the FDIC or whatever agency you are pretending to be from. He plays along and has you arrested. Or even if you pull off the fraud and obtain their information they still know what you look like at the least and may get some DNA or fingerprints to put on record.

Not to mention the whole issue of hitting up 100 people in an hour is a bit hard to pull off.

SNEAKERS! (1)

Tanman (90298) | more than 6 years ago | (#24017937)

But the pay sucks :(

Works for other things... (4, Interesting)

painehope (580569) | more than 6 years ago | (#24018067)

This is how I used to get my furniture: put on a work uniform w/ a few friends doing the same, show up to a motel w/ a shipping/receiving invoice, get a desk clerk to sign it, and carry a couch or whatever out. Almost 100% success rate at chain motels.

It works for system administrators too (1)

davidwr (791652) | more than 6 years ago | (#24018113)

I can't tell you the number of times I've had to call a client who has never heard my voice before and say "Hi, I'm the computer guy, I need you to let me do some stuff on your system" and have them volunteer their passwords. Um, HELLO? I could be an impostor.

Re:It works for system administrators too (1)

Bengie (1121981) | more than 6 years ago | (#24019117)

Reminds me of working remotely on people's computers at my Uni. I had full remote admin priv and I'd send someone an email saying something like "I need to work on your computer. I have restored your files, but I need to meet up with you so I can put them back in your profile". So instead of getting " works best for me", I'd get "Here's my password, do it whenever you want, I'm out for the day".

At which point I'd let them know that I'll do the work, but recommend they change their password immediately and not give out their password so freely.

People are DUMB (1)

RobertLTux (260313) | more than 6 years ago | (#24018445)

Folks forget that "Hackers" include oh say Kevin Mitnick (not a code monkey but always up for a bit of SE), and in the right outfit you could walk into most any business, park yourself in the lobby with an EEE PC with the BackTrack logo on the lid and then hack the place blind. Chances of getting caught??? near nil

No one would do this because... (1)

KeepQuiet (992584) | more than 6 years ago | (#24018553)

No one would do this because there are cameras all over the place. Why would anyone want to be recorded while stealing identities? It happens online because no one sees them. No risks.

1950's Chenoa,IL (2, Interesting)

bigattichouse (527527) | more than 6 years ago | (#24019161)

In the 1950s in the town I live in (Chenoa, IL), 2 "inspectors" came in to audit the books of the local bank. They stayed for 4 hours poring over the materials, and appeared knowledgeable and professional. They stayed through lunch, when the manager and several other big wigs went out to get a bite - the "inspectors" walked out with the entire cash reserve (since the vault was unlocked to allow them access to the ledgers). Never caught.

That's what we get for living in a safe country (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24019197)

I come from a country with a very high criminality rate. As a result, every system I run across there is way more secure than the ones here in the US. People there simply don't trust each other so every system (e.g., even checking a book back into the library) has plenty of checks along the way. People here in the US say that such a trend would hurt our economy by making it harder and slower to do certain things like getting credit. This is rubbish. Businesses don't want that to happen so they will figure out ways to use technology to expedite such processes. This is what I see back home. A lot of technology is applied to make sure that people can perform any transaction safely and swiftly. Do you know those secure id cards that have a digital display and a different token is generated every so often? Banks are now offering them for free back home to validate any transaction you do on the web.

In short, solutions do exist. We just don't bother looking for that because the US is a safe enough place. If we were forced to (like we do back home), we would find them.
