
Identity Theft and Impersonation

Troy Hunt
@troyhunt | www.troyhunt.com

Overview
Identity theft has a huge social cost
Stolen identities are an openly tradeable commodity
Identity theft frequently involves impersonating the victim
We see impersonation risks every day

Identity Theft
Identity theft is the deliberate use of someone else's identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person's name

17.6 million U.S. residents experienced identity theft in 2014

Source: Bureau of Justice Statistics

$24.7 billion
Financial losses by impacted U.S. citizens in 2012

Source: United States Department of Justice

Identity theft victims frequently do not know where their information was obtained from

Twitter accounts can cost more to purchase than a stolen credit card because an individual's account credentials potentially have a greater yield

Juniper Networks

In the space of one hour, my entire digital life was destroyed

Mat Honan

Mat Honan's Epic Hacking

[Diagram: the chain of steps in the attack. Step labels: WHOIS on Mat's website address; Gmail account recovery; Add a credit card to Amazon; Add an email address to Amazon; Password reset on Amazon; Logon to Amazon; Contact AppleCare; Password reset on Gmail; Password reset on Twitter; Remote wipes Mat's devices. Labels for the information passed between steps: Website address; Mat's home address; Mat's Gmail address; Mat's recovery email address; Last 4 digits of Mat's original card; Temporary AppleID password.]

Mat's Twitter handle
Mat's website address
Mat's Gmail address
mn@me.com
Mat's home address
Fake card on Amazon
Control of Mat's Amazon

Password for Amazon
Last 4 digits of Mat's card
Control of Mat's AppleID
Control of Mat's me.com address
Control of Mat's iCloud backups
Control of Mat's Gmail address
Control of Mat's Twitter

What is one of your online passwords?
It's my dog's name and the year I graduated from high school
Aw, what kind of dog do you have?
I have a papillon
And what's his name?
Jameison
And where did you go to school?
I went to school back in Greensburg Pennsylvania
What school?
Hatfield Area Senior High School
When did you graduate?
In 2009

Impersonation
Someone with authority
Someone with seniority
Someone who's trusted

From: Greg
To: Jussi
Subject: need to ssh into rootkit
im in europe and need to ssh into the
server. can you drop open up firewall
and allow ssh through port 59022 or
something vague? and is our root
password still 88j4bb3rw0cky88 or did
we change to 88Scr3am3r88 ? thanks

From: Jussi
To: Greg
Subject: Re: need to ssh into rootkit
hi, do you have public ip? or should
i just drop fw?
and it is w0cky - tho no remote root
access allowed

From: Greg
To: Jussi
Subject: Re: need to ssh into rootkit
no i dont have the public ip with me
at the moment because im ready
for a small meeting and im in a rush.
if anything just reset my password to
changeme123 and give me public
ip and ill ssh in and reset my pw.

I'd let them hear their own advertisements, right, so subliminally that built trust and credibility that I was one of the in group

Kevin Mitnick

I'd like to pick up a prescription for my wife
I'm sorry, she needs to come in herself
She's sick, can't you just call her?
It doesn't look like we have her number
Here, let me call her for you
Sure, thank you!

The phone rings, there's a long pause, then a foreign accent on a VOIP connection
Hi, this is your bank, we need to verify we're speaking to the right person
Uh, ok, go for it
Could you please confirm your date of birth?
Sure, but first, I need to verify you
BUT WE'RE THE BANK!
I need to verify that, can I call you back?
Sure, let us give you the number

The phone rings
Hi, this is your credit card company, we need to verify we're speaking to the right person
Ok, but first, I need to verify you
Sure, call us back on the number on the back of your credit card

Summary
Identity theft is big business
It's also a very healthy market
Attacks can be very well thought out and exploit those human weaknesses
Impersonation is a risk to be aware of on a daily basis
