At DEF CON 2014, Ernestine Fu learned from security expert Kevin Mitnick how to steal an identity in three minutes or less. She authored this post, which was published by Forbes on August 15, 2014.
Last weekend, thousands of hackers joined security experts, federal agents, and general enthusiasts for the annual DEF CON conference in Las Vegas. They came to attend talks on hacking methods and compete with other hackers in contests, as well as to get free mohawk haircuts and enjoy late-night parties.
Veteran attendees described the event as a non-stop hacker party and offered two bits of advice for newcomers:
* Turn off all electronics and don’t use credit cards unless you want to get hacked.
* Try to sleep at least an hour or two every night and don’t forget to eat.
The 16,000 attendees were easy to spot in the Vegas crowd: They were predominantly dressed in black, had blinking circuit board badges around their necks, and looked like a cross between Burning Man attendees and the hacker stereotype in popular media.
Some curious Vegas onlookers demanded, “Why don’t the feds just arrest them all?” And in fact, in 2001, a Russian security expert was arrested shortly after giving a talk at the conference. However, these days, most speakers are “white hat” hackers. They search for security vulnerabilities in software and then disclose their exploits through “bounty programs” offered by the companies maintaining it.
Uncovering Social Security Numbers, Residential Addresses, and Credit Reports
If a well-known security expert and former hacker asked you to volunteer your name for a live demo, would you do it? How difficult is it for someone to access your private data?
Kevin Mitnick is the paragon of nefarious hacker turned white hat. Following his highly publicized arrest and five-year prison sentence, he started a world-famous security firm. Businesses now hire him to protect against hackers and to test their systems’ vulnerabilities to attack. Mitnick spoke at DEF CON’s Social Engineering Village and shared a few hacking tricks.
At DEF CON 2014, Mitnick prompted the audience for a volunteer. A few hands shot up, but quickly went down when he explained the rules of the game: He would spend three minutes searching for all of the volunteer’s private information, while projecting the process onto a screen for everyone to see. A brave conference attendee got up and stated his name.
To find a social security number, Mitnick first navigated to the website of a leading provider of billions of public records and typed in the volunteer’s name. Approximately 50 results came up with different ages and locations. He quickly narrowed the search down by age and a few simple questions such as “Which state do you live in?” The legal site sells access to its database. The volunteer’s entry cost 50 cents, and on purchase, prominently displayed the social security number in bold red font. The number was confirmed as correct while several attendees photographed the screen.
Obtaining additional personal information is easy once you have a social security number. Mitnick visited an online vital records database and typed in the social security number he purchased. This single search returned the volunteer’s phone number and several past home addresses. Mitnick was quick to point out that with this information, you can call up almost any company, claim that you lost your password, and demand a password reset.
Even scarier than resetting a single password is the fact that a full name, social security number, phone number, and addresses together are almost enough information to pass the security questions on credit report sites and pull a full credit report. A credit report is enough to completely steal a person’s identity. For those wondering what’s missing to obtain the credit report, there are a few extra multiple choice questions. For those, Mitnick suggests either using context cues to figure out the correct answer or selecting answer choice (D) “none of the above,” which tends to be correct the majority of the time.
Mitnick noted that equivalent databases and tools for finding personal information do not exist in Europe, because Europe has stricter digital data rights and privacy laws than the United States.
Social Engineering and Faking Affiliation
Mitnick’s first approach to even the most complex technical systems is through “social engineering”: Pick up the phone and convince the HR representative on the other end that you are a coworker. Say that you need a particular file, or that you are performing a security audit and need to verify credentials. The goal is to use human weakness to con employees into giving you access to something they shouldn’t, and then to use that little bit of access to obtain additional information.
It is also easy to appear to be associated with any company that you claim to represent. When people want to quickly verify that you are who you claim to be, they typically search for your name and phone number on Google. Mitnick demonstrated live how he could use an online registry to associate his name and phone number with any company. Sure enough, an online search of his name and phone number led to the first result listing him as an employee of Microsoft.
Finally, many companies provide employees RFID-enabled HID cards to give them access to buildings and offices. Mitnick demonstrated an HID card reader, the size of a small laptop, that can covertly read and record the information of access cards within several feet. He once found a nearby Starbucks frequented by company employees and spent a few hours stealing access data when employees walked by. Upon recording their access card information, Mitnick then used a small $100 card printer, which he demonstrated during the talk, to recreate employees’ access cards. This allowed him to enter the company’s building and stroll through freely, looking for any unattended computers.
What happened to Mitnick’s volunteer? Following the talk, a conference organizer told the people who took photos of the volunteer’s social security number that he would use all the resources at his disposal to make their lives difficult if the number ever surfaced. Given the nature of the conference, it’s not hard to imagine the consequences of crossing the line: revenge would be swift and painful.