One of the things I have never done on here is talk about work; it’s pretty much just Florence, and how kick ass it is to be on the side of Science! However, I have recently been involved with a project that has genuinely taught me a few things, and I do like to share. I’m a network engineer by trade, but this is not going to be an article about IP subnetting; there are plenty of people writing articles that no one reads on that subject. I’m talking about our online identities. This project has taught me about ID theft, fraud, and how criminal hackers make their money.
The project I have been involved with is www.hasmyidentitybeenstolen.com, a database of stolen identities that are currently being sold online. We have, without giving too much away, developed a method of finding and capturing this information from criminal websites on the dark web.
When people hear “dark web”, they sometimes become rather worried, or suspicious, thinking it is some sinister corner of the online world, overflowing with hackers and terrorists, and that everything which emerges from it, our site included, must be a threat. In truth, dark web simply means not on Google, and constitutes about 70 – 90% of all webpages, most of which are benign, or plain old junk, but some pose a risk to ordinary web users.
There is a massive industry selling personal details on secret websites. Cheap bulk lists of email addresses get passed on to individuals who add more information before selling them on. Some of this data is the result of very sophisticated hacks; much of it just leaks out of our day-to-day lives. That it is of value to someone had never occurred to me before.
The bones of your identity are your name, your address, and your email; a date of birth is a real bonus. From this point you can start to build more information, and gain more access to a person’s online activity. These basic blocks of personal details are available for pennies. We have hundreds of millions of them in our database. Go and look, you might be there, and it’s free to use during this launch period.
Florence will never use her mother’s maiden name for an online signup; I will teach her not to. Here is a scenario, and it involves no technical hacks at all. She is a young adult, and someone gets her details. The electoral roll, which is free to access, will give you her date of birth and who else lives at the same address, which would be me. My date of birth is three decades before hers, but same family name, so I’m a parent. Search for me, and you’ll find other addresses I’ve lived at. Eventually you find a woman, similar age to me, but with two different surnames. Oh look. Mother’s maiden name; that was easy.
The more information you have, the easier it is to craft a phishing or social engineering attack and gain still more information. If I have your date of birth and mother’s maiden name, how many security questions can I correctly answer? The email password is what you need. Once you have that, the gates really open. In a person’s emails you can see who they bank with, what credit cards they have, and where they shop online.
Have you ever had an email telling you to click here to reset your password, maybe from Amazon, or eBay? You didn’t ask to reset your password, so you know it’s fake and ignore it. Maybe you were not the intended recipient?
We have records where the criminal is claiming to have Amazon passwords; there was an increase in eBay accounts for sale before news of a widespread hack came out in May.
The more information your profile has, the more valuable it becomes. There are millions of profiles that include credit card, bank card, or bank account numbers.
Think how many times you have filled in your address on a random form, or a website, without really knowing where it’s going. How many websites use your email as the username, and do you use the same password on more than one? If someone gained control of your Facebook account, even temporarily, how much could they learn about you?
It’s worth thinking about, but please don’t panic.
Reducing the risk is just a matter of being sensible; behave online as you would in the physical world. Use a different password on each website, a practice I have followed since I started online, and yes, it is annoying sometimes, but never that annoying. Change passwords periodically, which does make the previous policy more annoying, but there are tools to help you manage and store all of these passwords.
And be vigilant: don’t click on links people send you, and don’t agree to downloads you didn’t deliberately start. A lot of basic attacks are incredibly badly crafted and written, and clearly don’t make sense given even a few moments’ consideration. Laugh at the grammar, then bin them.
And, since it doesn’t cost anything, have a look at our site. It only needs an email address to search against; it will tell you if that address is part of a profile for sale, and how many fields the profile contains.
Hopefully some of you will find the ideas behind the project as interesting as I did.