SAN FRANCISCO -- You can totally steal someone's identity after only 45 minutes of online research, a security expert said Wednesday (April 18) at the RSA Conference here.
Zee Abdelnabi, a cyber-risk manager with one of the Big Four accounting firms, demonstrated how she selected a target at random -- a middle-aged Midwestern man -- and decided to find out everything she could about him.
Within 45 minutes, Abdelnabi had learned where the man worked, his age, his date of birth, his wife's name, his previous wife's name, where he went to high school, where he lived and the names and ages of his children.
"Social media is an amazing tool for harvesting information," she said.
Abdelnabi learned what kinds of music the man liked and what kind of books he liked to read. She also learned that he wasn't happy at his job, didn't get along with his siblings, was angry at his ex-wife and had recently been injured at work.
"So I could send him a fake workers'-comp form and ask for his Social Security number," Abdelnabi said. "He'd believe it," she added, because she could make the email seem like it came from a government agency.
We're not naming the man because Abdelnabi didn't get his permission for this. She said she did reach out to him through Twitter, but instead of responding to her, he simply started following her.
(We did some Google searching of our own on this particular individual and got results that matched what Abdelnabi had found.)
Abdelnabi's point was that none of what she was doing was illegal. None of the information she found about this man was secret. None of it was hidden behind a password, or only found on the dark web, or available only to someone with special tools.
"I used Google hacking," Abdelnabi said, referring to using Google to search for specific file types and domain names. "I did not scan anybody's network."
Everything Abdelnabi found about him was a matter of public record, and all the methods she used to gather the information were available to anyone. Spies and security professionals refer to such collection of public information as "open-source intelligence," or "OSINT."
It helped that the man was a prolific social-media user and blogger. He had put his entire life online. He had active Tumblr, Instagram, Spotify and Google Plus accounts, several Twitter accounts concerning different topics, and discussed his family members and workplace colleagues on his blog.
"This guy is on social media every 5 minutes," Abdelnabi said.
He also had two default usernames, one old and one new. He used the old one to create Yahoo Mail and Gmail accounts, but the newer one for Instagram and Tumblr.
"He posted that his daughter was going to a dance," Abdelnabi said. "I could have made a fake call saying that she broke her leg and that I'm from the hospital and need her Social Security number."
Later, the girl, who appeared to be a teenager or in her early 20s, went on spring break and her father said that he was having trouble contacting her.
"I could have posed as a kidnapper and demanded ransom," Abdelnabi said.
Abdelnabi also found the man's Fitbit statistics online, so she knew how long he normally slept and when he usually got up. She also found out what kind of car he drove.
He posted a photo online of what he said was his house, and Abdelnabi correlated the GPS location embedded in that image's metadata with the location recorded in another photo he'd posted of himself with family members at the same spot.
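The location leak described above comes from Exif metadata that cameras and phones write into JPEG files. The following added example (not code from the talk or from this article) shows the check a defender would run on a photo before posting it: it walks the JPEG marker segments, looks inside the Exif APP1 segment for the GPS sub-IFD pointer tag (0x8825), and strips the whole Exif segment. The `build_sample_jpeg` helper constructs a minimal, non-decodable JPEG purely so the code runs offline; for real photos, the same parsing applies, or a tool such as exiftool does the job.

```python
"""Detect and strip embedded GPS (Exif) metadata from a JPEG before it is shared."""
import struct

SOI = b"\xff\xd8"            # JPEG start-of-image marker
APP1 = 0xE1                  # APP1 marker: where Exif lives
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER_TAG = 0x8825  # Exif tag whose value is the offset of the GPS sub-IFD


def _iter_segments(data):
    """Yield (marker, start, end) for each marker segment up to SOS or EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:            # EOI: last segment, nothing follows
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:            # SOS: entropy-coded image data follows, stop parsing
            yield marker, pos, len(data)
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes its own 2 bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def has_gps_data(data):
    """True if the JPEG carries an Exif block whose IFD0 points at a GPS sub-IFD."""
    for marker, start, end in _iter_segments(data):
        if marker != APP1 or data[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = data[start + 10:end]           # TIFF structure; all offsets are relative to it
        if tiff[:2] == b"II":
            endian = "<"                       # little-endian TIFF
        elif tiff[:2] == b"MM":
            endian = ">"                       # big-endian TIFF
        else:
            continue
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        if ifd0 + 2 > len(tiff):
            continue
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):
            entry = ifd0 + 2 + 12 * i          # each IFD entry is 12 bytes: tag, type, count, value
            if entry + 2 > len(tiff):
                break
            tag = struct.unpack(endian + "H", tiff[entry:entry + 2])[0]
            if tag == GPS_IFD_POINTER_TAG:
                return True
    return False


def strip_exif(data):
    """Return a copy of the JPEG with every Exif APP1 segment removed (GPS IFD included)."""
    out = bytearray(SOI)
    for marker, start, end in _iter_segments(data):
        if marker == APP1 and data[start + 4:start + 10] == EXIF_HEADER:
            continue
        out += data[start:end]
    return bytes(out)


def build_sample_jpeg(with_gps=True):
    """Constructed sample: SOI, one Exif APP1 segment, EOI. Not a decodable picture."""
    n = 1 if with_gps else 0
    ifd0 = struct.pack("<H", n)
    gps_ifd_offset = 8 + 2 + 12 * n + 4        # GPS sub-IFD sits right after IFD0
    if with_gps:
        ifd0 += struct.pack("<HHII", GPS_IFD_POINTER_TAG, 4, 1, gps_ifd_offset)
    ifd0 += struct.pack("<I", 0)               # no next IFD
    gps_ifd = b""
    if with_gps:
        # One GPS entry: GPSLatitudeRef (tag 1, ASCII, count 2, value "N\0" stored inline)
        gps_ifd = (struct.pack("<H", 1) + struct.pack("<HHI", 1, 2, 2)
                   + b"N\x00\x00\x00" + struct.pack("<I", 0))
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd0 + gps_ifd
    payload = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return SOI + app1 + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(with_gps=True)
    print("GPS present before strip:", has_gps_data(photo))
    print("GPS present after strip: ", has_gps_data(strip_exif(photo)))
```

Dropping the whole APP1 segment rather than only the GPS sub-IFD is deliberate: Exif also carries camera serial numbers, timestamps and thumbnails, and removing the block wholesale avoids having to rewrite every internal offset.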
After less than an hour of searching, Abdelnabi had everything she would have needed to impersonate this man online. She could also use what she learned about his workplace to attack that company.
"I Googled his company and looked at the images that came up," she said, displaying a page of Google image search results. "Right in the middle there is a photo of the company data center with the password written on a Post-It note."
Thousands, likely millions, of other people are just as vulnerable to identity theft as Abdelnabi's random target because of what they share online.
"Basic things that we post" -- she listed locations, employers, email addresses, home addresses, phone numbers, kids' pictures, travel tickets and even credit card numbers -- "are getting us owned."