Most people think they have nothing worth stealing, but they'd be wrong. We talk to the founder of a company that helps organisations find out which employees pose a security risk because they're likely to fall prey to social engineering traps and other cons. He explains just how easy it is to commit ID fraud.
Chris Roberts, founder of One World Labs, too often meets people who assume they have nothing worth stealing.
His Colorado-based consultancy assists businesses with security assessments, including what Roberts calls "the human side of pen testing." In other words, he helps organisations find out which employees pose a security risk because they're likely to fall prey to social engineering traps and other cons.
"So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'?" he said. "While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal."
As part of his penetration testing services, Roberts is sometimes called on to penetrate the identity of an individual to find out just how easy it is to get sensitive information. He explains how quickly it can be done by detailing a recent assignment.
"We conducted a test on a high-net-worth individual. We were engaged to see what their profile was like online and what we could find out about them. We were asked to do it by the physical security guards looking after that person," says Roberts.
This person travelled a lot in Hollywood circles, so there was a lot of media data out there about him, but it was well-controlled and well-looked-after data. Roberts then started looking for more. "Fairly quickly we found an email address. It was a somewhat obscured address, but not very well obscured."
"So we searched for the email address online were able to find a telephone number because he had posted in a public forum using both. On this forum, he was looking for concert tickets and had posted his telephone number on there to be contacted about buying tickets from a potential seller," Roberts said.
The phone number turned out to be an office number, so now Roberts has the office number and an email. Roberts easily figured out where the office was located and phoned up and used a bit of social engineering. "We posed as a publicist and said we needed to get a hold of him. Using some information we got on the web, we got the office to give us his personal mobile phone number," Roberts said.
So now he has a mobile phone number, an office number, and an e-mail address. "I managed to do some more research and got an address which corresponded to a very nice house. Now I know the house, so I can pull public records on the property."
Roberts said he found out who the mortgage was with and some of the mortgage data. "I call the mortgage company and, using some of the information I have, I get them to give me even more information."
NEXT PAGE: Finding out about your family
- Think you've got nothing worth stealing?
- Finding out about your family