A hacker’s mind — What can I do with your SSN

Recently I had to authorize a hard pull on my credit report with a company. The company found out that my credit was a little low and gave me a copy of the report for further assessment of how I can increase my credit score. When I looked at my report, I was amazed at how much data a hard pull of a credit report contains. In this post I am stepping into the shoes of an adversary and leveraging your credit as a vehicle for causing further damage. As a security professional I always knew that the security of the SSN is very critical, but that report drove the message home really well.

Following is the information I, the adversary, found very useful about myself by looking at the credit report.

  • My address
  • My Date of Birth
  • Balance on my mortgage with my loan provider name and my monthly mortgage
  • Number of credit cards I have, current balances, my trendlines of balances and payments
  • Number of other associated credit lines and their balances
  • My Trade Summary

Reconnaissance

The adversary now knows where I live, when I was born, what car and other vehicles I drive, how much I owe, what my financial health is, what my interests possibly are, and at what age I got my first credit card.

Attack Scenario #1

Social engineer me by enticing me into an offer and affect me financially.

Attack Scenario #2

Find my social and work profile based on my location, date of birth and name.

Find my network, social engineer them by knowing information about them, and compromise them financially.

Attack Scenario #3

Find my weak points and make me do something against my wishes.

This scenario is very dangerous as it causes 2nd, 3rd, 4th order effects which I may not worry about so much. What if I was a worker with access to the Twitter admin console, having considerable debt or low earnings, and I was lured or threatened into compromising my credentials for an hour for a sum of money which would make my life better? We have read in the news what the multiple order effects of such a compromise can be (private data compromise, hate speech, false information, election manipulation, and many others).

Conclusion

Our financial history and status tell a lot about us and it is very important to safeguard that information. It’s sad that all of that is dependent on a number which has been breached numerous times in many companies.

In order to protect ourselves, our family, our community and nation, it’s our right and moral duty to look for alternate ways where such sensitive information is not available freely to different adversaries.