Filed Under (Reflections) by DK on 6 May 2008

I phoned my bank to activate my card the other day. The automated voice required a date of birth and the number of digits in my mother's maiden name. Let's assume an attacker can get this information. Let's be realistic: what could really happen?

Let's explore some ideas of what an attacker could do with enough information about you:

  • apply for a credit card in your name;
  • open a bank or building society account in your name;
  • apply for other financial services in your name;
  • run up debts (e.g. use your credit/debit card details to make purchases) or obtain a loan in your name;
  • apply for any benefits in your name (e.g. housing benefit, new tax credits, income support, job seeker’s allowance, child benefit);
  • apply for a driving licence in your name;
  • register a vehicle in your name;
  • apply for a passport in your name; or
  • apply for a mobile phone contract in your name.

The latest estimate is that identity fraud costs the UK economy £1.7 billion. That's billion, NOT million.

More information is available at the Home Office Identity Theft web site.


Comments

Bipin Upadhyay on 7 May, 2008 at 10:05 am #

DK,
It reminds me of a couple of logical flaws I discovered in my Banking/CC portal a couple of weeks ago.

1. As per the PCI-DSS guidelines, they need to maintain TFA. My bank requires another password and your mobile (for SMS) as the second factor of TFA.
2. Once you have the login password (or you are able to hijack the session somehow), you can change the password as well as the mobile number.
3. Caught in any trouble doing that (or to bypass the time delay for the change to take place), call customer care, tell them your DOB and Mother's maiden name (as you mentioned) and you are in. :|
4. You can even change the user id. :)
5. The Captcha (which is linked to the card number) takes the digit positions from the client’s page. So if you know any three digits, you can bypass it. No need to bruteforce.

There were a few more specific flaws, but then what the hell! They have SSL & firewall & IDS & … :)

I had to change my Mother’s maiden name for my other CC account. My mom is not going to forgive me. Ever :(

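An added example (not code from the post or from the bank portal Bipin describes) of the card-digit check in his point 5, in Python: the flawed version trusts the digit positions sent by the client, so knowing any three digits is enough, while the fixed version picks the positions server-side, keeps them in the session and consumes them on use. The card number and the session dictionary are constructed for the demo.

```python
import hmac
import random

# Constructed sample card number for the demo (not a real card).
CARD_NUMBER = "5123456789012345"


def issue_challenge(session, card_number, n=3):
    """Server chooses which digit positions the user must supply and records
    them in the server-side session, so the client cannot pick them."""
    positions = sorted(random.SystemRandom().sample(range(len(card_number)), n))
    session["challenge_positions"] = positions
    return positions


def _digits_match(card_number, positions, digits):
    """Compare the supplied digits against the card digits at the given
    positions, in constant time once the lengths agree."""
    expected = "".join(card_number[p] for p in positions)
    supplied = "".join(digits)
    return len(supplied) == len(expected) and hmac.compare_digest(expected, supplied)


def verify_vulnerable(card_number, positions, digits):
    """Flawed check: `positions` arrives with the request, so anyone who knows
    any three digits submits those positions and passes."""
    return _digits_match(card_number, positions, digits)


def verify_hardened(session, card_number, digits):
    """Fixed check: positions come only from the server-side session and are
    removed on use, so a failed attempt cannot be replayed against the same
    challenge."""
    positions = session.pop("challenge_positions", None)
    if positions is None:
        return False
    return _digits_match(card_number, positions, digits)
```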

DK on 7 May, 2008 at 11:02 am #

heh, Bipin, a lot of work is needed in this area. I think more of us will need to do the unforgivable in the future and change our Mother's maiden names before it gets better ;)


Cynthia Armistead on 7 May, 2008 at 3:48 pm #

I haven’t given anyone my mother’s actual maiden name in years, because the information is so insecure. I use a variety of other responses, including a couple of roleplaying characters’ mothers’ maiden names. I don’t know why more people don’t do something like that.


John on 10 May, 2008 at 5:42 pm #

It's daft using them for security really, as DoB and mother's maiden name are actually available from public records (in the UK).

