How an Episode of House Hunters Becomes a Launchpad for Identity Theft

One night ended, as many of them do, with my wife and I falling asleep to an episode of House Hunters.

I loathe this show. It is quintessential “reality show” bad acting, the entire show is staged, the homes they view are never actually homes they are choosing between, or even homes that are for sale in some instances. It’s all a setup, and yet…sigh. We watch.

I pay sparse attention to this particular episode, and ultimately fall asleep.

The next morning I decided I would challenge myself. How much could I gather from the internet about last night’s show, based on what little I could remember?

  • I remembered that the house they bought was located in “Storrs Mansfield, Connecticut”
  • The house was yellow
  • I loosely remembered how much the house was worth; it was under [redacted]
  • I sort of remembered what the couple looked like; [redacted]
  • I might remember one or two rooms of the house if I saw a photo of them

Zillow.com was a fine place to start. There was little doubt that the home from last night’s show would be in here, somewhere.
It’s a trivial exercise to cull down Zillow’s enormous list of properties. In my case, I simply want to see “Recently Sold” homes. One click gets it done.
A minimal amount of treasure hunting ensues. I tab through the results until I see something that comes to mind. In this case, I not only recognized the fireplace in this listing photo from [redacted] Road, but the price aligned with what I remember being presented in the show.
Upon reviewing the additional Zillow listing photos, I was certain I had located the house. The street address is never disclosed in the show itself, but in a short amount of time you can get there on your own.
The next logical step was to Google the street address of the house. This yields a fair amount of detail about the previous owners. It seems [redacted] had at least two previous owners or occupants who had passed away. One is demonstrated here.
[redacted obit]
[redacted obit]
This was where the research took a very interesting turn. I was able to locate the names of what appeared to be the current owners of [redacted] in a list of registered voters. I will not post the screenshot of that site for reasons I will get into in just a moment.
The full name of one of the current owners was located in the list of registered voters. This spawns a new path of research.
I immediately recognize [redacted]’s face from last night’s episode. Validation that we are well along the path of learning about the current owners of the property.
[redacted employment information]

At this point, it’s a trivial matter to go down a social media rabbit hole, and unearth Twitter, Facebook, Pinterest, and similar profiles, if they exist. It’s not something I did, but one could of course go posting all manner of information found from these sources.

At this point however, I stopped. I stopped because the research I performed took a very interesting turn. There are a few websites I will not post screenshots from, because they took a direction I did not expect: they disclosed [redacted]’s complete date of birth.

Before I discuss DOB, here is a recap of the personally identifiable information I currently have for [redacted], all of which was obtained freely on the internet in a minimal amount of time:

  1. Full name
  2. Home address
  3. Occupation
  4. Employer
  5. Date of birth
  6. Voter ID number
  7. Work phone

In aggregate, this is very dangerous. This is now a jumping-off point for any number of social engineering schemes, based on combinations of these pieces of data. The date of birth in particular is such a disappointing thing to have found, for two reasons:

[A] Individuals are increasingly averse to providing their social security numbers over the phone. Similarly, those who request social security numbers over the phone are not unfamiliar with the scenario of someone not willing to disclose their SSN. Where years ago this aversion may have come across as suspicious, it’s viewed today as more of an accepted, protective consumer tactic. One simply needs to assert that they are unwilling to provide a social, then divulge a waterfall of other private information — and assert DOB in lieu of social — and they are likely to gain confidence with someone, somewhere. A public utility, a town hall, a DMV.

Then by inducing that organization to email or fax some piece of documentation, it’s a matter of time before the identity thief receives something that should have been redacted; some record that should have been undisclosed. Ultimately the identity thief will succeed, because the human element is the easiest measure to defeat, and it always will be.

[B] Everything I wrote in [A] was pure theory until I saw it in practice firsthand. Recently I was in a bicycle accident and suffered some injuries. As a result, I was required to make a number of phone calls to various doctors in an effort to receive records and place appointments. In every single instance, I was never requested to provide anything more than my full name and date of birth.

Transferring this to my research case, having theoretically authenticated on name and birth date, one could easily and without suspicion request that records be faxed to phony specialists. There would be a challenge to locate a launchpad provider, but not much of one, as most individuals have been seen by their local hospital system at least once. In time, an SSN would be obtained, which would lead to all manner of predictable chaos.

***

It’s a disappointing state of affairs in the United States that personally identifiable information is so easily and freely obtained, and divulged. And of course, it’s hard to lobby for change when individuals are so willing to provide PII in the first place. We have, in essence, a culture of “privacy apathy”, fueled by a system of relatively weak consequences and no real will on the part of individuals to protect themselves. My suspicion is that only a small percentage of individuals truly take the matter seriously, and I suspect the larger percentage of that small percentage are only invested because they have been a victim of fraud.

The fundamental issue is one of awareness. We lack the culture of privacy required in order to influence the direction of PII handling in this country, and I hope this research piece serves as a catalyst for at least one person who can influence the direction of their organization. Or it simply induces you on an individual level to enroll in credit monitoring, or identity protection, or to enroll in two-factor authentication, or for you to simply buy a decent paper shredder and use it.

-cp

Security-minded and driven by a sense of responsibility to others and the community, Chris Plummer is an (ISC)2 Certified Information Systems Security Professional (CISSP) with a background in systems and information security, having devoted over a decade of support to the Department of Defense. More at: https://www.linkedin.com/in/cplummerc
