What it's like to steal someone's identity

By , CSO |  Security, identity theft, pen testing

Now I have a cell phone number, an office number, and an e-mail address. I managed to do some more research and got an address which corresponded to a very nice house. Now I know the house, so I can pull public records on the property. I found out who the mortgage was with and now I have some of the mortgage data. I call the mortgage company and, using some of the information I have, I get them to give me even more information.

We then ran a LexisNexis report, and a few other reports, on this person and fairly quickly we had their Social Security number. He is married and has kids. So we then did a lot of digging around at a few of the local schools pretending to be this person's secretary. We found out where the kids went to school.

From there we had one of our guys go around and do a Bluetooth assessment and see if we could pick up any other information. We were able to pull a Bluetooth signal from the residence. Now we can drop some software on it, monitor where he is, match the GPS tracking, listen to his calls and conversations.

Now we know his e-mail, his office and cell number, his home address, his mortgage information, his Social Security number, where his kids go to school and how to monitor his calls and comings and goings. It took us half a day to do this work and I essentially own this person. I own him and can do whatever I want with him. I could go open up a bank account in his name, assume his identity or act on his behalf, say to reserve a suite at a hotel.

Once we had their information, identity and bank account, we realized we could go on a spending spree. However, both of us working on this account realized not only that we didn't look like the person, but we also were aware that his own security team knew us and where we were. We spent about 20 minutes laughing about buying an island somewhere in the middle of nowhere, having the Ferraris shipped out and getting a large stash of weaponry to defend our ill-gotten gains!

If I think back, the first time I 'became an instant millionaire' by doing an assessment, it was a total rush, a cool feeling. But the honesty chip cuts in and the "yay!" feeling is short-lived, because you then spend 30 minutes debating how you could get away with it. That's when you realize there are others out there like me who are equally good at finding me. But it's always fun to work out how you could get away with it!

Originally published on CSO.