Information Disclosure 101 - Part 1

Updated: Aug 26



Despite all the warnings, it’s amazing how much personal information people give away every single day without giving the consequences a second thought.


After two recent phone conversations, I overheard on public transport, I have put together a series of articles to show just how easy it is to leverage the information that we give away every day and how someone could maliciously make use of it.


We will explore the use of information gathering, profiling and how to use Open Source

Intelligence (OSINT) and social engineering to gather even more information on the victim.


I am by no means an expert in the field of social engineering and there are more knowledgeable people than me that do this for a living but I do have my own range of personal experiences.


My aim with these articles is to raise awareness of how much information we give away, without even thinking and the consequences of doing so,


We all know the risks of posting online and in particular posting too much but it doesn’t stop people who really should know better, from putting themselves at risk on a regular basis.


Now is the time that most people forget the risk as they share every minute of their holiday online. So we know when they went, where they’re staying and what they’re eating. But, what they have forgotten is that now everyone knows that they’re thousands of miles from home, meaning it’s empty and ripe for a break-in.



We all do it, a friend of mine even posted a photo of the outside of their house, with the car parked outside (registration plated included) as they left for the airport to say goodbye to the rain!!


One thing to remember though is that you might not be covered for any losses if you are the victim of a break-in if you have shared your holiday details online – it’s worth checking your insurance policy.


Social media is just one area where information disclosure is happening in a daily basis so, in this series of articles, I will be exploring the others and highlighting how you can make sure you keep your own data safe.


Despite the spending on both the awareness of cybersecurity issues and the actual security increasing, breaches have been both bigger in size and impact, since the start of 2018.

Let’s take a look at just a few:


  • Facebook - (Cambridge analytical case) Facebook admitted that around 50 million users were compromised by the security breach. The breach cost to Facebook was never disclosed but the stock market price fell substantially, as did the confidence in the platform. They were fined $5 billion for privacy violations in July but after announcing revenue of $56 billion last year, it’s unlikely to make a dent.

  • FIFA - Football Leaks organisation leaked around 3.4 terabytes of data and 70 million documents to German magazine Der Spiegel. The leak came less than 12 months after they were hacked by Kremlin Hackers who stole and made public information about failed drug tests.

  • Google+ - At the beginning of 2018, Google identified a vulnerability in a Google+ API, which gave third-party app developers access to data from the friends of the app users. Data from 52.5 million users was exposed and as a result, the platform was closed in April.

  • UBER - They were fined $148m for a data breach which they first discovered in 2016 but kept it a secret. The break saw cybercriminals access the personal details of 57m users and roughly 600,000 drivers in the US.

  • British Airways – A cybersecurity breach affected around 500,000 customers when of British Airways' website were diverted to a fraudulent site. They face a record fine of £183m.

It’s not just online


Even if you are super cybersecurity aware it doesn’t mean you are not at risk of falling foul of the criminals as information disclosure can happen in so many different ways.


I spend most of my life keeping people, and myself safe online but I was the victim of this type of scam, which is what first prompted me to write the article to make you realise just how easy it is!



The case of the forgotten letter


There are so many things to do when you move house and we all know it can be a stressful time. But if you don’t forget to redirect your post it could become even more of a worry.


We’ve all received mail for previous tenants or owners and for most of us it’s just something that happens, but for a small minority, it’s an opportunity – especially if the mail is from a bank.


This one is by far the most dangerous case of information disclosure I’ve ever seen and believed me I’ve seen a lot!

One day I actually received a bank statement for a previous tenant. The one above is obviously just an example, but it shows just how much information I could glean from one piece of post.

  • Full name of the account holder

  • Where they spent their money and who they have all their accounts with

  • Account details

With this information, I could easily have called the bank and pretended to be the account holder and even have got round the modern security


More worryingly though, I could have found the previous tenants and acted on behalf of the bank.


I had enough information from the statement to lure the tenant and convince them.

The Bills


A bank statement is enough on its own to allow fraudsters to react but even a utility bill can be dangerous in the wrong hands.


Take a look at sample one above and you’ll see that there is still plenty of information that you don’t want falling into the wrong hands.



Such as:

  • Full name and title of the bill payers

  • Customer number

  • Details on your account usage

I know the above information only gives me a partial profile of the former tenant but it’s still enough to cause some havoc.


  • I could potentially create a new account in their name, especially if I also had their bank statement and they could keep on paying the bills.

  • If this was the only information I had I could call the couple and find out some additional information impersonating British Gas

  • I could call the couple and ask for credit card details in order to fix a settlement.

Conclusion


With the bank statement and the bill, I probably had enough information to open a new credit line such as a credit card consequently ruin their credit score.


Solution:


  1. Make a list of all the letters you receive and make a checklist of who to tell when you change address

  2. Have all correspondence delivered in electronic format. This is by far the safest method although there obviously the risk if someone gets access to your email account.

© 2020 by NSC42 LTD

  • White LinkedIn Icon
  • YouTube - White Circle
  • White Twitter Icon
  • medium logo
  • White LinkedIn Icon