Most people think they have nothing worth stealing, but they'd be wrong. We talk to the founder of a company that helps organisations find out which employees pose a security risk because they're likely to fall prey to social engineering traps and other cons. He explains just how easy it is to commit ID fraud.

Chris Roberts, founder of One World Labs, too often meets people who assume they have nothing worth stealing.

His Colorado-based consultancy assists businesses with security assessments, including what Roberts calls "the human side of pen testing." In other words, he helps organisations find out which employees pose a security risk because they're likely to fall prey to social engineering traps and other cons.

"So many people look at themselves or the companies they work for and think, 'Why would somebody want something from me? I don't have any money or anything anyone would want,'" he said. "While you may not, if I can assume your identity, you can pay my bills. Or I can commit crimes in your name. I always try to get people to understand that no matter who the heck you are, or who you represent, you have a value to a criminal."

As part of his penetration testing services, Roberts is sometimes called on to penetrate the identity of an individual to find out just how easy it is to get sensitive information. He explains how quickly it can be done by detailing a recent assignment.

"We conducted a test on a high-net-worth individual. We were engaged to see what their profile was like online and what we could find out about them. We were asked to do it by the physical security guards looking after that person," says Roberts.

This person travelled a lot in Hollywood circles, so there was a lot of media data out there about him, but it was well-controlled and well-looked-after data. Roberts then started looking for more. "Fairly quickly we found an email address. It was a somewhat obscured address, but not very well obscured."

"So we searched for the email address online and were able to find a telephone number because he had posted in a public forum using both. On this forum, he was looking for concert tickets and had posted his telephone number on there to be contacted about buying tickets from a potential seller," Roberts said.

The phone number turned out to be an office number, so now Roberts has the office number and an email. Roberts easily figured out where the office was located and phoned up and used a bit of social engineering. "We posed as a publicist and said we needed to get a hold of him. Using some information we got on the web, we got the office to give us his personal mobile phone number," Roberts said.

So now he has a mobile phone number, an office number, and an e-mail address. "I managed to do some more research and got an address which corresponded to a very nice house. Now I know the house, so I can pull public records on the property."

Roberts said he found out who the mortgage was with and some of the mortgage data. "I call the mortgage company and, using some of the information I have, I get them to give me even more information."

Roberts then ran a LexisNexis report, and a few other reports, on this person and fairly quickly obtained their Social Security number. He is married and has kids.

"So we then did a lot of digging around at a few of the local schools pretending to be this person's secretary. We found out where the kids went to school."

From there, Roberts had one of his guys go around and do a Bluetooth assessment and see if any other information could be picked up. "We were able to pull a Bluetooth signal from the residence. Now we can drop some software on it, monitor where he is, match the GPS tracking, listen to his calls and conversations."

Roberts now knows his email, his office and mobile number, his home address, his mortgage information, his Social Security number, where his kids go to school and how to monitor his calls and comings and goings.

"It took us half a day to do this work and I essentially own this person. I own him and can do whatever I want with him. I could go open up a bank account in his name, assume his identity or act on his behalf, say to reserve a suite at a hotel," Roberts said.

Once Roberts obtained his information, identity and bank account, he realised he could go on a spending spree. However, the two employees working on this account realised not only that they didn't look like the person, but also that his own security team knew them and where they were.

"We spent about 20 minutes laughing about buying an island somewhere in the middle of nowhere, having the Ferraris shipped out and getting a large stash of weaponry to defend our ill-gotten-gains!"

Roberts says thinking back, the first time he 'became an instant millionaire' by doing an assessment, it was a total rush, a cool feeling. But the honesty chip cuts in and the 'yay!' feeling is short-lived, because "you then spend 30 minutes debating how you could get away with it".

"That's when you realise there's others out there like me who are equally good at finding me. But it's always fun to work out how you could get away with it!"

The reaction from him and his team? Surprised, of course. Surprised, angry, annoyed.

"All of the reactions one might go through when you realise you are naked. There is an expectation of privacy with these kinds of people. This is an executive of a company who has put many layers between himself and his staff to get a level of protection and anonymity," Roberts says.

"When some guy passed him on the street and handed him a laptop that said 'I own you', it gave him a definite feeling of shock and horror."
