Business Boost | 30 August 2016 - by KCOM
Loose lips sink ships: could casual conversations be putting you at risk of identity fraud?
Many of us will be travelling for holidays at this time of the year and wherever you may be headed, personal security is probably the last thing on your mind, although recent incidents such as those in Nice and Rouen are hard to ignore.
We should all be aware of our local surroundings, especially when we are in new or unfamiliar places, and it’s worth remembering that even the conversations we are having can be of interest to others who may be close enough to listen in. You might be talking about the hotel you are staying in, chatting about the holiday photos you are posting on Facebook, or making a reservation for dinner at a local restaurant – all of which may be of interest to anyone who wants to know who you are and what your plans might be. This also applies to business travellers in a broader context; you don’t want to reveal sensitive information about your business for obvious reasons.
The following is a true account from our Head of Cyber Risk, Steve Southern, in which he highlights some of the issues.
I was eavesdropping on the train...
...yes, I admit it. But isn't it something all of us do from time to time? Don't get me wrong, I'm not an avid or habitual eavesdropper. On the contrary, like many of my fellow passengers I will frequently be absorbed by some work on a laptop, or listening to my music, blissfully unaware of conversations going on in my immediate vicinity, or the incessant and annoying tannoy messages about ticket types and on board catering facilities. At other times however, like this morning, I overheard a lady sitting in front of me.
Although I've often been surprised by what I've heard others speak of in similar circumstances, in this particular case, I was shocked. The lady in question was travelling with two teenage children and a man – an apparently ordinary, happy family. So far, so normal. The lady (I'm going to call her Christine – not her real name, and all other 'personal' details to follow have also been changed) then gets on her mobile and says, "Hi, I'd like to book my car in for an MOT tomorrow please." There followed some brief dialogue between Christine and the garage person to agree timings.
Then Christine comes out with the following, more or less verbatim:
"LN48 GPS, it's a Volkswagen Golf. No, it's petrol. NE27 4LX. Number 8. Adams. 07532 697488."
As I had a pencil in my hand, I paused from my Sudoku deliberations and noted down these details in the margin of my Times newspaper. I then mentally replayed the questions Christine had just been asked by the garage person:
- "Car registration and make?
- Is it a diesel?
- Post code?
- House number?
- And a contact telephone number?"
An apparently innocuous and very brief conversation – it probably lasted less than 45 seconds – but in a very public place, and I now knew quite a lot about Christine. Trying not to dwell on it, I returned to my Sudoku.
The next stage...
A few minutes later Christine is in conversation with the teenage boy about something she has purchased online (a scooter), and a problem over the payment. You might guess what then transpired. That's right – Christine gets on her mobile again and explains the problem with the payment to the call centre person, whereupon after a few seconds, she states the following:
"Christine Adams. 5574 1187 3983 4490. 08/13. 446."
Destined never to complete my Sudoku, I again noted down the aforementioned details, and again mentally replayed the questions Christine had just been asked:
- "Full name as it appears on the card please?
- And the long number on the card?
- And the expiry?
- And the 3-digit security code on the back of the card?"
Brilliant. I now have a more or less complete personal profile of Christine, and a valid credit or debit card in her name.
I can also make certain assumptions about her and her family – relatively affluent for a start, given the iPads that the children are using and the way they are all dressed. Within minutes I can almost certainly identify social media sites that reference Christine and her family (take a look at www.pipl.com), where there will undoubtedly be masses of 'collateral' information about her friends, work, pets, (always good for guessing passwords), and schools for the kids and so on.
All of this in a 30 minute period of a two hour train journey.
There's a name for what I'm describing – it's called social engineering, and it's an incredibly easy way to steal someone's identity, commit fraud, enable stalking, and potentially make Christine and her family victims of some other very unpleasant crimes. Fortunately I'm one of the good guys – but what about the 20 or so other people who were probably close enough to Christine to hear exactly what I heard? But like the fool I am, I've just given myself a problem. Should I tell Christine what I've just heard, and noted down, so that she might learn the error of her ways, or do I keep quiet and try to complete my Sudoku? I did what I suspect most people would do - i.e. nothing – but in my defence, I was really keen to finish that Sudoku…
Learning to protect yourself
However, there is a serious point to make. Although my experience illustrates just how little some people think about their personal information and its value, and also how easy it is to engage in this type of social engineering, the professional criminal fraternity have largely left it behind as a means of gathering information, and that's because there are much easier methods.
A growing threat
Identity theft and credit card fraud are now fully industrialised and thriving on the Internet. The websites are very professional, modelled along the lines of Amazon or other major online retailers, complete with shopping baskets and check-out.
Only the items for sale aren't books or groceries – they're guaranteed, fully functional credit cards with set spending thresholds and/or personal identity information. I won't provide the URLs, but actually these sites are not difficult to find. So there is probably only a very small chance that you will ever be 'socially engineered' – unless of course the guy sitting behind you on the train happens to be me...
Interested in boosting your security defence?