Identity theft – knowing me, knowing you

13 Oct 2008

It was National Identity Fraud Prevention Week last week – and frankly, like Jeremy Clarkson, I do not give a toss that millions of people can find odds and ends of information about me online. So now you know I like Kraftwerk and reside somewhere in Dublin? – that’s hardly the makings of the successful theft and abuse of someone’s identity.

I can imagine it now. Using a print-out of a picture of me found online, and armed with my name, city of residence and my job description, someone will procure a loan, bleed me dry and run off to Mexico. Whatever.

So I came up with a simple plan. I decided to approach Brian Honan of online security consultancy BH Consulting, challenge him to build a comprehensive profile from whatever he could find about me online and see if he had enough to do some damage in the real world.

A few minutes after agreeing to this and clicking send I sat there feeling quite smug, and when I got an email back a little while later with a few nuggets of information, I felt even better because I knew this was the result of a simple Google search. I was still in control.

Anyone who spends any amount of time online will find this to be the case, after all, it is part and parcel of living in a connected world. If everyone’s basic information is out there, then we’re all equal, right?

Wrong. Some are more equal than others. I make sure to keep my social networking profiles locked down so only my friends can see information such as date of birth, mobile number, family photos and the like, but this is not enough to protect yourself on these sites.

If your friend is taking the risk of leaving his or her profile open, then this is a great backdoor through to your information. This is actually how Honan found my date of birth – something I was not happy he was able to do. It wasn’t very obviously laid open, but accessible nonetheless, and as Honan pointed out, this was without doing anything illegal, just some snooping.

And here’s another thing – dated photos on some hosting service like Flickr with captions like ‘my birthday’ are obviously a good way of getting this information (this is how Honan double-checked my date of birth), but thankfully, while not a model student, I was not a complete dunce about protecting my identity.

“It did take a while to build up that information. You have kept your information well protected,” remarked Honan.

“Normally, in a case like this, most people would have a lot of information on their Bebo or Facebook or MySpace page. In your case, you keep your stuff private.”

Phew. So what would he normally do if he ran up against a brick wall like this?

“I’d try to become one of your friends on those sites, but I figured that would tip you off to what I was doing. But a real ID thief would have tried that route anyway.

“I could have set up a fake profile of someone who went to school/college or work with you, and then tried to become your friend that way. This would be time-consuming as it would require me to ensure I picked someone who would have been a distant colleague, but not someone you would have kept in touch with regularly.

“Normally this would be done by doing up a matrix of your online friends and cross-referencing the lists of your friends (from various sites/services) until I found a person on one of your friend’s lists but not on yours.

“Once I became one of your online buddies, then I would have access to whatever information you would have in your profile. If that was not informative enough for me, I could then use some social engineering-type games to get the information I need.”

This is pretty chilling stuff, but I think I would be too wary to become friends with someone unless I knew them better, so Honan was down on his luck for now.

“The biggest challenge was finding the time to trace through all the sites and links. There were many dead-ends that led nowhere and I had to retrace my steps. So if someone had the time and patience then yes, they could do what I done. It also helped that Boran is not a common name. I’m glad you’re not Marie Smith.”

I’m not. It seems like a mixture or patience, luck, circumstance and such that will get you this information, and we all have it out there, but I was still sceptical – what was the worst that could happen?

Actually Honan managed to get some information that I was definitely uncomfortable to have out there, and it resulted in me going back and erasing and/or tightening up my online security. As I already said though, you cannot control publicly available information on government sites, your friends’ social networking profiles and blogs and so on.

Also, I think nothing of casually mentioning on blogs or the like that I shopped here, ate there or holidayed in such a place, and Honan recommends against this: “Even something as simple as letting people know that they are going on holidays is information a criminal could use to target an empty house to break into.

“I think people are not aware enough that information they put on the internet is available to anyone, and what you may think is a private online conversation or interaction may not necessarily be so.”

Honan thinks that to some extent we are quite blasé about the information we put out on the web: “I am not sure whether that is a generational thing or lack of understanding of technology. For example, I know my parents’ generation would be more circumspect about information they would share with others than my generation, and equally my generation appears to be more circumspect about what we share with others than today’s teenagers and young adults are.

Honan thinks part of the problem is that people do not realise that when you are on the internet, the information you put up there remains there and can be viewed by anyone.

“Also, people engage with others on the internet from the safety of their office or home; this can lead to a false sense of security as you may feel that you are being private because you are not in public.”

Guilty as charged, but with this newly created profile, what could Honan theoretically have done?

“The information I got on you would allow me, providing I got a sex change, shed 10 stone and 20 years, to actually become you.

“I can then take out loans or mortgages in your name leaving you with a ruined credit rating and a lot of hassle trying to clean up the mess.”

Wait, hold the phone. Become me? I can honestly say that I was quite shocked and a bit angry with my ‘blasé’ attitude to my digital breadcrumbs. Here’s a few things Honan found that surprised me: he knew what shade of blusher I wore, my bus timetable and a fair bit about my education.

And before you go googling, yes, based on this, Honan could have done the same to you. And remember, this is without doing anything illegal – he is one of the nice guys.

By Marie Boran