Adam Penenberg is in the middle of teaching his journalism class at NYU when his laptop stops working, though it isn’t frozen. A grey screen appears and directs him to dial a number to unlock his computer. Bemused, as the lecture grinds to a halt, he reaches for his phone. It won’t accept his PIN code. He’s been hacked.
You might not be aware that hijacking somebody’s life – full-scale identity theft – doesn’t require any hacking expertise. Just criminal intent and some spare time.
Adam Penenberg writes for PandoDaily, where he explains the simplicity of the crime: there were no lines of malicious code or nefarious wire-taps. He actually hired a consultant to test his personal security so, unlike most people, he knows exactly how he was compromised. The answer is frighteningly simple.
“It began with my base identifiers: full name, date of birth, social security number, home address – which he obtained from my credit report,” Penenberg writes. These relatively minor details were all the criminal needed to gain access to Penenberg’s entire online life.
October 2013 – Most damaging month on record?
This past October may very well turn out to be the biggest month in history for personal information theft. Security researcher Brian Krebs has exposed a number of easy-to-use websites where anyone with criminal proclivities can purchase “fulls” – identity theft slang for a full set of base identifiers. As Penenberg found out, these identifiers can be used as the basis for all sorts of highly sophisticated attacks.
Shady info brokers do the hacking so you don’t have to.
Organized identity thieves, such as a group calling themselves “SSNDOB,” have hacked the world’s largest credit check agencies and now have unfettered access to millions of records containing your personal data. Breached firms so far include:
- Adobe – Usernames, passwords and encrypted credit card information for “over 38 million active users.”
- PR Newswire – Usernames and encrypted passwords, including those of senior executives at the world’s largest brands.
- CorporateCarOnline – Usernames, passwords, journey notes and plain text credit card details for VIP, celebrity and high-net-worth customers.
- Kroll Background America – Sensitive drug, health and immigration status information, intended only for use in legitimate employee background checks.
- Dun & Bradstreet – “Business information and current business credit reports” on major international companies.
- LexisNexis – Healthcare credentials, insurance and credit score reports, lawsuits, liens and judgments and vital records (including birth, death, marriage and divorce certificates).
Protection is the responsibility of the firm
With the information available through SSNDOB (and other similar groups) it only takes a few clicks and a bit of dedication for a criminal to build a complete dossier on nearly anyone. The possibilities are varied and endless – extortion, financial fraud, document counterfeiting. It’s not surprising that more people are asking how they can protect themselves.
“Unfortunately, the weak link in the security chain isn’t always the user. We are seeing more and more attacks focusing on large PII brokers. In these cases, there is nothing the user can do to protect their identity,” says Christopher Bailey, CTO of NuData Security.
“Basic security precautions can certainly help, but until the companies that house your data use better security challenges than asking users for the name of the street they grew up on, the unsettling reality is that we all run the risk of becoming victims.”