Author Jim Stickley has stolen credit cards, created fake ATMs, hacked social security numbers and robbed banks. But he's no criminal. Stickley was hired by companies to find their security flaws. In his book "the Truth About Identity Theft," Stickley writes about how vulnerable people can be having their identities stolen. In this excerpt, he warns that people should think twice about what they throw away.
Part II: The truth about trash
One man’s trash is another man’s identity
Through the years, I have broken into numerous banks through hundreds of different attacks. Though each was different, the main objective was often the same: to gain access to the cash or confidential information. I was once approached by a large financial institution that was not only concerned about the security of its physical locations and its network, but also had concerns about the risks associated with upper management. This institution asked that I also investigate whether its management team could be attacked in a way that might allow an identity thief greater access to its organization.
So each afternoon I waited in the parking lot and watched members of the management team get into their vehicle. Then I followed them home. Within a couple of weeks, I had each of their home addresses. Since I had no permission to break into their homes and poke through their personal belongings, I opted for the next best thing: their garbage.
Through the years, I have been amazed at the things you can find in the trash. There is big business for identity thieves in personal garbage. More importantly, once you put your garbage out on the street for trash pickup, it usually becomes open to the public. This means that if I am so inclined, I can take that garbage and bring it home, which is exactly what I did. Each week I would snap on my rubber gloves and go through every item of trash: grocery store shopping lists, sticky notes with phone numbers, a private invitation for a little girl to a friend’s birthday party, and much more. As I continued to go through the managers’ trash, I was able to compile a list of their service providers: water bill, phone bill, gas and electric, cable, and so on. I could use this information not only to gain access into their lives but, if I wanted, to take over their lives.
Ultimately, I decided to use the billing information for the bank managers’ Internet service providers as an access point for my attack. Using the information I gained from the bills, I contacted the managers and explained that I was from that company. I told them that we were updating our services and that, for them to continue to have Internet service, they would be required to install updated software. I explained that the software would be arriving within the next week.
Because I was also able to reference their past billing information during the call, the victims never suspected a thing. Within a week, they each received a package in the mail that contained “upgrade software” and instructions. One by one, the managers installed the software.
Of course, the software they had just installed was actually malicious and designed specifically to allow me to access their computer via the Internet from anywhere in the world. Shortly after they installed the software, I was on their computers going through all their files. Within a few short days, I had usernames and passwords to corporate systems and even VPN access, which allowed me to connect directly to the financial institution’s internal network.
When I submitted my report to the executives at the organization, they were obviously floored. None of them had ever suspected that I had targeted them at home, even though they had all signed waivers allowing me to do so. They said they were being cautious about emails that were being sent to them, as they were convinced that is how I was going to try to get in; but the idea that I would go through their trash and use that against them had never crossed their minds.
Now, you might be asking yourself what that story has to do with identity theft. Sure, I was able to gain access to that financial institution by attacking its employees at home, but technically the employee was never placed directly at risk, just the employer. In reality, those employees turned out to be far more vulnerable than I would have imagined. However, since I was not hired to test them personally, I just bypassed those opportunities and stayed focused on my primary target: the bank.
If you own a credit card, you are probably used to the clutter of junk mail that comes on behalf of the credit card company. While most of the junk included with your bill is harmless, the issue occurs when the credit card company decides to make it easier for you to spend money. Credit card checks have become a lucrative business for credit card companies. These checks can be used just like regular checks to pay anything from other credit card bills to buying food at the grocery store. Because you can use these checks in situations where credit cards would not have been accepted, they allow you a new freedom to continue to rack up credit card debt. These checks are often included with numerous other documents that are all stuffed into your monthly credit card statement.
While attacking the bank’s management team, I found many of these checks still inside the opened statement envelope, which had been dropped in the trash. All I had to do was take these checks and go on a shopping spree. (I didn’t, of course, but were I to have been a real thief, I would have just tapped into a veritable gold mine.)
There were other identity theft attack opportunities made available to me during these tests. Each bill that I found contained great information. For example, on the cable bill, the victim’s name, address, and account number were available. In addition, I could see the total of the current bill, the amount of the previous bill, and if they paid it. Using just this information, I could call the victim, explain that I was from the cable company, and say that we had not received a payment for this month’s bill. The victim, of course, would say he had paid it, and I would argue that he may have sent a check, but we had not received it, so it may be lost in the mail. I would explain that, though unfortunate, his service was being turned off and he would have to incur a fee to have it reenabled.
I would then offer the victim the ability to pay the bill via a credit card or check over the phone. I would explain that if his other payment did finally show up, it would be destroyed. Again, it is important to note that mentioning the victim’s previous payment amount and when it was received helped lend me credibility. The victim would relent and give his credit card number or checking account number and bank routing number. Once complete, I could’ve simply taken that information and gone on a buying spree.
There is a simple solution to avoiding this kind of attack: Shred everything. I mean it. Everything! If you are throwing away any paper that contains personal information, shred it first. Shredders come in a few different types, but I highly recommend that you spend a little extra to make sure that it does cross-cut shredding and can shred CDs and credit cards. This type of shredder runs faster and shreds more items at a time, allowing you to spend less time standing in front of it.
Remember: One man’s trash truly can be another man’s treasure. Unfortunately, one man’s treasure might actually be stolen from another man’s identity. So start shredding.
Dumpster diving for profit
In the previous Truth, I spoke about what people throw away when they are at home and the risks that come with it. However, those risks are nothing compared to what my coworkers and I have discovered while dumpster-diving throughout the years. While many states have started prosecuting companies for discarding consumers’ confidential information insecurely, it seems the majority of the world has simply not paid attention.
In early 2007, Radio Shack allegedly dumped more than 20 boxes containing private information for thousands of customers. A man rummaging through the dumpster found the boxes and reported it. In April, the State of Texas filed a civil law suit against Radio Shack for allegedly exposing its customers to identity theft. The suit claimed that the company “failed to safeguard the information by shredding, erasing, or other means, to make it unreadable or undecipherable before disposing of its business records.”
The fact that the data was discovered comes as no surprise. The simple fact is that throughout the hundreds of dumpsters that I have had the pleasure of “visiting,” it has been a rare day that I come away empty handed. Most often I leave with enough confidential information to keep the average identity thief in business for months, or even years. I have found social security numbers, copies of drivers’ licenses, credit applications, credit card numbers, complete names and addresses, and phone numbers — all in the trash. And those are just the obvious things.
A company we recently tested was actually throwing away the drug test documentation on all of its potential new hires. Each document included the name, address, social security number, and the results of the test. Not only was the company putting that person at risk of identity theft, but it was also a walking time bomb for a lawsuit. Imagine if one of those potential employees had failed that test and the information was made public? The fallout could have been devastating on all sides.
At another location, a financial institution was discarding confidential information, including copies of loan applications, social security numbers, banking account numbers, and more. But in this case, instead of placing the items in the trash dumpster, the institution was placing the information in bins located outside the facility designated for recycling. I have noticed that this seems to be part of a growing trend in confidential information leaks. In general, people are interested in the green movement, and instead of throwing items that need to be shredded into the appropriate designated shred areas, they are placing the documents into the recycle bin.
Recycling versus shredding
When I have spoken with employees who have been caught placing sensitive documents into recycling bins, their explanation has been that they thought recycling was different from trash and therefore somehow safe. When asked to explain further, employees generally tell me that, while trash ends up at the landfills where anyone could get his hands on it, recycling is taken to a place where it will be reused. They often tell me they feel that it’s safe to place confidential documents into a recycling bin since the document will be destroyed instead of being shipped to a landfill. Let me be perfectly clear: Recycling is no more secure than throwing the items into the trash. For those out there who are worried about being green, most major shredding companies do recycle once they have shredded the documents.
Recycling is no more secure than throwing the items into the trash.
What’s your company line?
I have found that the amount of confidential information I discover in the garbage is directly related to how much the organization preaches the virtues of shredding to its employees.
My personal theory is this: Walk up to an employee’s desk and stick your arm straight out like wings on an airplane. Now spin in a circle. Is there a place for the employee to place confidential documents that require shredding within your arm span? If not, I can promise you that the employees are probably not shredding everything they need to.
The problem is this: Often times an organization places a shred barrel on each floor of its facility. The employees are then expected to get up throughout the day and place any papers they have with confidential information on them into those bins. Of course, what ends up happening is that the employees begin to build a pile on their desks of questionable items. As the day goes on, the papers start to get in the way. Since the employees are busy and not willing to take the stack to the shred barrel, they often just put them in the trash or do what I refer to as the “poor man shred.” That is, they physically tear up the paper themselves. When I find documents that have been torn by hand, I take them home and give them to my 7-year-old son and tell him it’s a puzzle. He always puts them back together.
In other cases, if employees end up with only one document that needs shredded, they may not want to waste the trip to the shred barrel, so again, the document ends up in the trash.
Shredders for all
The best possible solution is to have a small shredder at each desk. This makes it easy for employees to shred every work paper, eliminating any confusion of what is and is not considered confidential. If that is not a feasible option, add a second trash can at each desk designated for shredding. If you choose this second option, be aware that it does come with additional risks. You must make certain that the recycling at each employee’s desk is removed at the end of each day. You do not want to be leaving an open box of confidential documents at each desk where the cleaning crew or other visitors may have access.
My last suggestion is the most important. I highly recommend that you get yourself some rubber gloves and a couple of empty trash bags and head out to your own dumpster. Find out for yourself what is ending up in your trash. You will probably be amazed and possibly even a little concerned about what you find.
Your used computer is worth its weight in gold
Several years ago, I was working for a company that had sales reps located throughout the U.S. One day I received a call from a coworker who was extremely upset about a telephone call he had just received. A man in Las Vegas had called to inform him that he was looking at the files for a number of our corporate clients. In addition, he had access to several months’ worth of corporate email and numerous other memos and proprietary information. While it sounded as if this man was trying to threaten our company, it turned out that he was just irritated at such a ridiculous breach in security and felt obligated to call and tell someone.
Several months earlier, another sales rep who had lived in Las Vegas purchased a personal laptop. While he actually owned the laptop, he used it to telecommute from home to the corporate office. Being a sales rep, he had access to numerous corporate files, email, customer accounts, and so on. After a couple of months, he decided that the laptop was no longer adequate. So he went back to the store where he purchased it and demanded a refund. Unbelievably, he got the refund and returned the computer to the store with all the confidential files still on it. All usernames and passwords saved on the system were left behind[md]emails, memos, files, documents, everything.
Now, one might think that this laptop would have been reformatted and returned to factory specs before being resold. It was clear that it had been used for several months. Unfortunately, however, the laptop was sold to another customer, still containing all the sales rep’s confidential files.
I can only imagine the second owner’s shock when he opened Outlook and it automatically logged into the corporate network and started downloading the sales rep’s latest emails. Fortunately, the second buyer turned out to be honest, and the data on the system was ultimately destroyed. However, not everyone is so lucky and, more importantly, not every situation is quite so obvious.
Each day, thousands of computers containing sensitive data end up being thrown in the trash or donated to individuals and organizations. The problem is that often the computers are simply turned off and boxed up without any thought for the existing data still on the hard drives. These computers often don’t end up in landfills. Instead, they get bundled together with other computers, placed on a pallet, and then sold in bulk at auctions for pennies on the dollar.
Identity thieves have been well aware of these practices for years and seek out auctions where these pallets of computers are being offered. They then take the computers home and, one by one, go through all the data located on the hard drives. Some people do realize the risks related to their hard drives and delete any confidential files before they turn them in. Unfortunately, thieves expect this, so in addition to just looking at the existing data, they run undelete software that goes through the hard drive and finds files that had previously been deleted.
While the thieves are not guaranteed to gain confidential information in this manner, the risk-to-reward payoff is definitely in their favor. Even if just one computer contains just one person’s confidential information, the identity thief will make far more than the small investment he paid for that pallet of computers.
Of course, it’s not just computers that you give away. In other cases, thieves purchase old laptops and computers via sites such as eBay. These computers are often offered by both home users and large corporations. Again, the goal of the thief is to undelete any files on the computer when it arrives with the hopes of gaining information he can use to commit identity theft.
While identity theft is of major concern, there are also the legal issues that can come from data being left on the computer. For example, a lawyer leaving confidential case information on the hard drive could be worth its weight in gold to an identity thief. Again, just deleting the information doesn’t mean that it’s gone. If it were to end up in the wrong hands, the costs could be millions or even billions to the affected corporation.
Destroy your data before retiring a computer
While my suggestion is to simply destroy the hard drive (opening the drive and taking a hammer to the drive platters will do the trick) before disposing of a computer, you won’t necessarily have this option if you are selling the computer. If you are selling a computer with the hard drive(s) still installed, the next best option is to reformat the hard drive using software designed to securely delete the data.
When you delete a file from a computer’s hard drive, the file technically does not go away. Instead, the pointer record that shows where the file is located is removed, but the file itself remains. Over time, some or all of the files will be overwritten as newer programs are saved in its place. With small drives, this can happen quickly, but with large drives, this may take a much longer period of time. Numerous software applications have been designed to locate and undelete your deleted files. These programs are extremely easy to use and take just a few minutes to track down hundreds of previously deleted files.
There is software, however, that has been designed to securely wipe the selected files from the hard drive. In most cases, the software flags where the file was on the hard drive and then writes new data to that location multiple times. The more times it writes data to the previous file’s location, the less likely someone can undelete the original file. Both free and corporate versions of these programs are available to permanently erase your data and software applications. While the free versions may not be quite as user friendly, they are generally just as secure.
It is easy for me to say that you should erase anything that is confidential; ultimately, that may prove harder than you think. Often, operating systems save data, including backups of what you are typing, while you are working on them. Even if you delete the primary file, the backup may still exist hidden away on your drive but easily found by the “undelete” software. For that reason, when possible, I suggest never giving your old computer with the hard drives still installed and intact to anyone who you cannot completely trust. And be sure you destroy your drives before tossing them into the trash.
Excerpted from "The Truth About Identity Theft" by Jim Stickley. Copyright (c) 2008 by Pearson Education. Reprinted with permission from Pearson.