How I Stole Someone's Identity
The author asked some of his acquaintances for permission to break into their online
banking accounts. The goal was simple: get into their online accounts using the
information about them, their families and acquaintances that is freely available online
By Herbert H. Thompson on August 18, 2008
Credit: Courtesy of Herbert H. Thompson
As a professor, a software developer and an author I've spent a career in
software security. I decided to conduct an experiment to see how
vulnerable people's accounts are to mining the Web for information. I
asked some of my acquaintances, people I know only casually, if with
their permission and under their supervision I could break into their
online banking accounts. After a few uncomfortable pauses, some
agreed. The goal was simple: get into their online banking account by
using information about them, their hobbies, their families and their
lives freely available online. To be clear, this isn't hacking or exploiting
vulnerabilities; instead, it's mining the Internet for nuggets of personal
data. Here's one case. I share it here because it represents some of the
common pitfalls and illustrates a pretty serious weakness that most of
us have online.
Setup: This is the case of one subject whom I'll call "Kim." She's a
friend of my wife, so just from previous conversations I already knew
her name, what state she was from, where she worked, and about how
old she was. But that's about all I knew. She then told me which bank
she used (although there are some pretty easy ways to find that out)
and what her user name was. (It turns out it was fairly predictable: her
first initial + last name.) Based on this information, my task was to gain
access to her account.
Step 1: Reconnaissance: Using her name and where she worked, I
found two things with a quick Google search: a blog and an old resume.
Her blog was a goldmine: information about grandparents, pets,
hometown, etcetera (although it turns out I didn't need to use most of
this). From the resume I got her old college e-mail address and from
her blog I got her G-mail address.
Step 2: Bank Password Recovery Feature: My next step was to try the
password recovery feature on her online banking site. The site didn't
ask any personal questions; instead it first sent an e-mail to her address
with a reset link, which was bad news, because I didn't have access to
her e-mail accounts. So e-mail became my next target.
Step 3: G-mail: I tried to recover her G-mail password, blindly
guessing that this was where the bank would have sent its password-
reset e-mail. When I tried to reset the password on her G-mail account,
Google sent its password reset e-mail to her old college e-mail account.
Interestingly, G-mail actually tells you the domain (for example,
xxxxx.edu) to which it sends the password reset e-mail, so now I had to
get access to that…ugh.
Step 4: College E-Mail Account: When I used the "forgot my
password" link on the college e-mail server, it asked me for some
information to reset the password: home address? (check—found it on
that old resume online); home zip code? (check—resume); home
country? (uh, okay, check—found it on the resume); and birth date?
(devastating—I didn't have this). I needed to get creative.
Step 5: Department of Motor Vehicles: Hoping she had gotten a
speeding ticket, I hit the state traffic courts' Web sites, because many
states allow you to search for violations and court appearances by
name. These records include a birth date (among other things). I played
around with this for about 30 minutes with no luck when I realized that
there was probably a much easier way to do this.
Step 6: Back to the Blog: In a rare moment of clarity I simply searched
her blog for "birthday." She made a reference to it on a post that gave
me the day and month but no year.
Step 7: Endgame (or How to Topple a House of Cards): I returned to
the college e-mail password recovery screen and typed in her birth date,
guessing on the year. Turns out that I was off on the year of birth but,
incredibly, the university password reset Web page gave me five
chances and even told me which field had inaccurate information! I
then changed her college e-mail password, which gave me access to her
G-mail password reset e-mail. After clicking the link, Google asked me
personal information that I easily found on her blog (birthplace,
father's middle name, etcetera). I changed the G-mail password, which
gave me access to the bank account reset e-mail, and I was also asked
for similar personal information (pet name, phone number and so
forth) that I had found on her blog. Once I reset the password, I had
access to her money (or at least I would have).
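The university reset page in Step 7 acted as an oracle: it allowed five tries and named the field that was wrong, so every attempt confirmed the fields that were right. The following Python is an added example, not code from the article, contrasting a form with that behaviour against one that evaluates every field before replying, compares in constant time, returns one uniform message and locks out early. The answers and the near-miss submission are constructed sample data.

```python
import hmac

# Constructed sample answers for a fictional account; the college form in the
# article asked for home address, zip code, country and birth date.
EXPECTED = {
    "address": "12 Example Street",
    "zip": "12345",
    "country": "US",
    "birth_date": "1984-06-03",
}


def _norm(value: str) -> bytes:
    """Case- and whitespace-insensitive form used on both sides of a compare."""
    return " ".join(value.strip().lower().split()).encode()


class LeakyResetForm:
    """Models the behaviour the article describes: five attempts, and the error
    names the field that was wrong, so each attempt confirms the other fields."""

    def __init__(self, expected: dict, max_attempts: int = 5):
        self.expected = {k: _norm(v) for k, v in expected.items()}
        self.attempts, self.max_attempts = 0, max_attempts

    def verify(self, answers: dict) -> str:
        if self.attempts >= self.max_attempts:
            return "locked"
        self.attempts += 1
        for field_name, good in self.expected.items():
            if _norm(answers.get(field_name, "")) != good:  # stops at first mismatch
                return f"field '{field_name}' is incorrect"
        return "ok"


class HardenedResetForm:
    """Every field is evaluated before replying, comparisons are constant-time,
    the failure message is identical for any wrong submission and after lockout,
    and the attempt budget is small. A partially correct submission learns
    nothing about which part was right."""

    def __init__(self, expected: dict, max_attempts: int = 3):
        self.expected = {k: _norm(v) for k, v in expected.items()}
        self.attempts, self.max_attempts = 0, max_attempts

    def verify(self, answers: dict) -> str:
        if self.attempts >= self.max_attempts:
            return "verification failed"  # locked, but indistinguishable to the caller
        self.attempts += 1
        ok = True
        for field_name, good in self.expected.items():
            # No early exit: every field costs the same time whether or not it matches.
            ok &= hmac.compare_digest(good, _norm(answers.get(field_name, "")))
        return "ok" if ok else "verification failed"


def compare_feedback(submission: dict) -> tuple:
    """Submit the same answers to a fresh instance of each form; return both replies."""
    return (LeakyResetForm(EXPECTED).verify(submission),
            HardenedResetForm(EXPECTED).verify(submission))


# Constructed submission: the public facts (address, zip, country) are right and
# only the birth year is off, as in the article's first attempt.
NEAR_MISS = {"address": "12 example street", "zip": "12345",
             "country": "us", "birth_date": "1983-06-03"}

if __name__ == "__main__":
    leaky, hardened = compare_feedback(NEAR_MISS)
    print("leaky form   :", leaky)      # field 'birth_date' is incorrect
    print("hardened form:", hardened)   # verification failed
```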
Needless to say, Kim was disturbed. Her whole digital identity sat
precariously on the foundation of her college e-mail account; once I had
access to it, the rest of the security defenses fell like a row of dominoes.
What's striking about Kim's case is how common it is. For many of us,
the abundance of personal information we put online combined with
the popular model of sending a password reset e-mail has our online
security resting unsteadily on the shoulders of one or two e-mail
accounts. In Kim's case some of that information came from a blog, but
it could just as easily have come from a MySpace page, a sibling's blog
(speaking of their birthday, mom's name, etcetera) or from any number
of places online.
Battling this threat requires us to make better choices about how we
prove who we are online and what we make available on the Internet.
Go and do a self-check. Try to reset your passwords and see what
questions are asked to verify your identity. Some questions are better
than others. Date of birth, for example, is bad. In addition to the DMV,
there is a wealth of public records available online where folks can track
down when you were born. Most account reset features give you a
choice of questions or methods to use. Go for questions that ask about
obscure things that you won't forget (or can at least look up), like your
favorite frequent flyer number. Avoid questions that are easy to guess,
such as which state you opened your bank account in. All of these are,
of course, stopgap measures until we find better ways to prove our
identities online.
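The self-check the article recommends can be written down as a small model: each account either recovers through another mailbox, through knowledge questions, or both, and each answer is public, guessable or private. The Python below is an added example, not the article's code; it propagates "what falls if only public information is known" to a fixed point over that graph, prints the chain behind a target account, and applies the article's frequent-flyer-number advice to the root mailbox. Kim's accounts and questions are a constructed model of the case as told, with no real data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# How exposed a recovery answer is to someone who only has what is findable
# online (the article's threat model).
PUBLIC = "public"        # on a blog, resume or public record
GUESSABLE = "guessable"  # small search space, e.g. a birth year once the day and
                         # month are known and the form allows retries
PRIVATE = "private"      # not discoverable without compromising something else


@dataclass
class Question:
    prompt: str
    exposure: str          # PUBLIC, GUESSABLE or PRIVATE
    source: str = ""       # where the answer can be found, for the report


@dataclass
class Account:
    name: str
    reset_via_email: str = ""   # account whose mailbox receives the reset link, if any
    questions: List[Question] = field(default_factory=list)


def compromised_accounts(accounts: Dict[str, Account]) -> Set[str]:
    """Fixed-point propagation: an account falls when its reset link lands in a
    mailbox that has already fallen (or it needs no mailbox) and every knowledge
    question it asks is PUBLIC or GUESSABLE. Iterate until nothing new falls, so
    loops (A recovers via B, B via A) terminate and neither falls on its own."""
    fallen: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for acct in accounts.values():
            if acct.name in fallen:
                continue
            mailbox_open = not acct.reset_via_email or acct.reset_via_email in fallen
            answers_known = all(q.exposure != PRIVATE for q in acct.questions)
            if mailbox_open and answers_known:
                fallen.add(acct.name)
                changed = True
    return fallen


def recovery_chain(accounts: Dict[str, Account], target: str) -> List[str]:
    """Follow reset-e-mail links from target down to the root mailbox."""
    chain, seen = [target], {target}
    while True:
        nxt = accounts[chain[-1]].reset_via_email
        if not nxt or nxt in seen:
            return chain
        chain.append(nxt)
        seen.add(nxt)


def self_check(accounts: Dict[str, Account], target: str) -> List[str]:
    """Human-readable report: the chain behind target and what holds each link."""
    fallen = compromised_accounts(accounts)
    chain = recovery_chain(accounts, target)
    lines = [f"{target} recovers through: " + " -> ".join(chain)]
    for name in chain:
        exposed = [f"{q.prompt} [{q.exposure}: {q.source}]"
                   for q in accounts[name].questions if q.exposure != PRIVATE]
        status = "FALLS" if name in fallen else "holds"
        detail = f"; exposed answers: {', '.join(exposed)}" if exposed else ""
        lines.append(f"  {name}: {status}{detail}")
    return lines


# Kim's case as the article tells it (constructed model; no real data).
KIM = {
    "bank": Account("bank", reset_via_email="gmail", questions=[
        Question("pet name", PUBLIC, "blog"), Question("phone number", PUBLIC, "blog")]),
    "gmail": Account("gmail", reset_via_email="college_email", questions=[
        Question("birthplace", PUBLIC, "blog"), Question("father's middle name", PUBLIC, "blog")]),
    "college_email": Account("college_email", questions=[
        Question("home address", PUBLIC, "resume"), Question("zip code", PUBLIC, "resume"),
        Question("home country", PUBLIC, "resume"),
        Question("birth date", GUESSABLE, "day and month on blog; year guessed with retries")]),
}


def harden(accounts: Dict[str, Account]) -> Dict[str, Account]:
    """Apply the article's advice to the root mailbox: swap the birth-date question
    for something obscure but memorable (its frequent-flyer-number example)."""
    fixed = dict(accounts)
    root = fixed["college_email"]
    fixed["college_email"] = Account(
        root.name, root.reset_via_email,
        [q for q in root.questions if q.prompt != "birth date"]
        + [Question("frequent flyer number", PRIVATE)])
    return fixed


if __name__ == "__main__":
    print("\n".join(self_check(KIM, "bank")))
    print("\n".join(self_check(harden(KIM), "bank")))
```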
It's also critical to remember that once you put data online, it's almost
impossible to delete it later. The more you blog about yourself, the
more details you put in your social networking profiles, the more
information about you is being archived, copied, backed up and
analyzed almost immediately. Think first, post later.
As for Kim, she's still blogging, but now she's a little more careful about
the information she volunteers and has cleaned house on her old
passwords and password reminder questions. Next time I do this, I'll
have to figure out the name of her favorite primary school teacher.
About the Author(s)
Herbert Thompson is the author of several popular books on IT security and is chief security
strategist at the security consultancy firm People Security in New York.
© 2018 Scientific American, a division of Nature America, Inc. All rights reserved.
