How Easy is it to Steal an Identity?

I was surfing the web tonight and I came across an article on Scientific American.  The author asked some friends for permission to break into their bank accounts and then went to work trying to steal their identity.  The ease at which he was able to do so is startling.
He first used a variety of techniques to gather information including reading the target's blog and googling them and then he used that information to break into the user's email accounts via password resets.    Once he had access to the target's email he would be able to receive password reset emails from their bank accounts and he would then have access to their money. 
All of this work could be accomplished in a few hours and the entire security of the target's identity was hinged on an email account that asked only for the user's birth date (which the author was able to figure out.) In an age where there are countless tools to document your life, career and every waking moment online, this article is a great reminder to think before you post.
What can you do?
• Test the password reset functions on your email and bank accounts.  How do they authenticate the request?  Do they ask security questions?  Can those questions be easily learned on the web?
• Google yourself.  What can you learn?
• Do you blog?  Are you on Facebook or another social networking site?  What have you said about yourself?
• Does your family blog?  If your brother's blog mentions that he had you over for your birthday it could expose information that is useful to someone who has targeted you.
• In general, be aware of the trail of breadcrumbs you are leaving on the internet.  Think twice before you post personal information on a blog or social networking site.
• When choosing security questions, choose obscure ones that nobody is likely to know or be able to figure out.
Disinformation can also be your friend.  This strategy was used extensively (and to great success) by the Allies in World War II.  The principal is that you deliberately publish false information.  Maybe your birthday on your is intentionally wrong.  Anyone attacking your accounts will not have this information to use against you.
Similarly, when I create an account online and have to select and answer security questions I will put answers that are technically incorrect but are likely to be the first thing I think of when I see the question.
There is a lesson to be learned here for online service providers as well.  We need to be careful about what kind of information we disseminate when we assist users in resetting their passwords, and we need better ways to authenticate our users since we are living in a world where personal information is often trivial to find online.
Additional information and tips on protecting your identity can be found on the Norton Family Resource site.

Update: There's a great conference going on in Seattle, WA right now called Gnomedex. One of my colleagues is there and she's just let me know about a very relevant presentation delivered by search marketing pro Danny Sullivan entitled "Search Life Meets Real Life". In his presentation, Danny explores how search, the accessibility of web tools and all the bits of information we post online have the potential to collide with our real lives. He just posted his presentation to his blog, check it out here: www.daggle.com

Message Edited by Sondra_Magness on 01-19-2009 04:03 PM


Re: How Easy is it to Steal an Identity?

hey john,

thanks for the comment. It's true that not many email accounts use information like your birthday or address as means to regain access to an account. The account from the article was the target's old college account. The college was probably trying to make it easy for student to recover passwords without having to make a phone call to IT but they clearly didn't think through the security ramifications of what information they were using. It's a great example of what kind of account you should avoid.

Re: How Easy is it to Steal an Identity?

"All of this work could be accomplished in a few hours and the entire security of the target's identity was hinged on an email account that asked only for the user's birth date"

I don't think I've ever seen an email account that uses your birthday as a security question, and if you used this as a security measure, you deserve to be hacked. In any case, an interesting read Adam, and I am glad I am not as hyper-diligent as I thought I was when using high security measures to prevent these sorts of attacks.Message Edited by johna on 08-23-2008 07:47 PM