How an Episode of House Hunters Becomes a Launchpad for Identity Theft
One night ended, as many of them do, with my wife and me falling asleep to an episode of House Hunters.
I loathe this show. It is quintessential “reality show” bad acting: the entire show is staged, the homes they view are never actually homes they are choosing between, and in some instances are not even for sale. It’s all a setup, and yet…sigh. We watch.
I paid sparse attention to this particular episode, and ultimately fell asleep.
The next morning I decided I would challenge myself. How much could I gather from the internet about last night’s show, based on what little I could remember?
- I remembered that the house they bought was located in “Storrs Mansfield, Connecticut”
- The house was yellow
- I loosely remembered how much the house was worth; it was under [redacted]
- I sort of remembered what the couple looked like; [redacted]
- I might remember one or two rooms of the house if I saw a photo of them
At this point, it’s a trivial matter to go down a social media rabbit hole and unearth Twitter, Facebook, Pinterest, and similar profiles, if they exist. It’s not something I did, but one could of course go posting all manner of information found from these sources.
At this point, however, I stopped. I stopped because the research I performed took a very interesting turn. There are a few websites I will not post screenshots from, because they took a direction I did not expect: they disclosed [redacted]’s complete date of birth.
Before I discuss DOB, here is a recap of the personally identifiable information I currently have for [redacted], all of which was obtained freely on the internet in a minimal amount of time:
- Full name
- Home address
- Date of birth
- Voter ID number
- Work phone
In aggregate, this is very dangerous. This is now a jumping-off point for any number of social engineering schemes, based on combinations of these pieces of data. The date of birth in particular is such a disappointing thing to have found, for two reasons:
[A] Individuals are increasingly averse to providing their social security numbers over the phone. Similarly, those who request social security numbers over the phone are not unfamiliar with the scenario of someone unwilling to disclose their SSN. Where years ago this aversion may have come across as suspicious, it’s viewed today as more of an accepted, protective consumer tactic. One simply needs to assert that they are unwilling to provide a social, then divulge a waterfall of other private information — and assert DOB in lieu of social — and they are likely to gain confidence with someone, somewhere. A public utility, a town hall, a DMV.
Then, by inducing that organization to email or fax some piece of documentation, it’s only a matter of time before the identity thief receives something that should have been redacted; some record that should have been undisclosed. Ultimately the identity thief will succeed, because the human element is the easiest measure to defeat, and it always will be.
[B] Everything I wrote in [A] was pure theory until I saw it in practice firsthand. Recently I was in a bicycle accident and suffered some injuries. As a result, I was required to make a number of phone calls to various doctors in an effort to obtain records and schedule appointments. In every single instance, I was asked for nothing more than my full name and date of birth.
Transferring this to my research case, having theoretically authenticated on name and birth date, one could easily and without suspicion request that records be faxed to phony specialists. There would be a challenge in locating a launchpad provider, but not much of one, as most individuals have been seen by their local hospital system at least once. In time, an SSN would be obtained, which would lead to all manner of predictable chaos.
It’s a disappointing state of affairs in the United States that personally identifiable information is so easily and freely obtained, and divulged. And of course, it’s hard to lobby for change when individuals are so willing to provide PII in the first place. We have, in essence, a culture of “privacy apathy”, fueled by a system of relatively weak consequences and no real will on the part of individuals to protect themselves. My suspicion is that only a small percentage of individuals truly take the matter seriously, and I suspect that most of that small percentage are only invested because they have been victims of fraud.
The fundamental issue is one of awareness. We lack the culture of privacy required to influence the direction of PII handling in this country, and I hope this research piece serves as a catalyst for at least one person who can influence the direction of their organization. Or perhaps it simply induces you, on an individual level, to enroll in credit monitoring or identity protection, to enable two-factor authentication, or to simply buy a decent paper shredder and use it.
Security-minded and driven by a sense of responsibility to others and the community, Chris Plummer is an (ISC)2 Certified Information Systems Security Professional (CISSP) with a background in systems and information security, having devoted over a decade of support to the Department of Defense. More at: https://www.linkedin.com/in/cplummerc