How this one innocuous tweet could hack a bank account

Summary: One inane tweet from mid-2012 was enough to start a chain reaction of information-gathering that could have rivaled the work of a government intelligence agency. And with that dossier of data, a hacker could have ended up ruining one man's life.

Meet Alex.

I knew remarkably little about him when we first met. Alex is not his real name — it's a pseudonym to protect his identity. But everything else about him is very real. He travels to our New York newsroom and our San Francisco office from his home near Charlotte, NC, where he lives with his family.

Alex is one of a growing population of "privacy ambivalent" users. He keeps his Social Security number close to his chest, and rarely gives out his personal email address unless he has to. But he isn't clued up on the latest Facebook privacy options, and doesn't particularly mind who reads his tweets.

Because Alex is — like myself — a British expat, he and I chat now and then about the differences between life in the U.K. and here in the U.S. Last month, we fell into conversation about the “backward approach” of online banking security in America.

Both of our U.S. banks require an alarmingly vague offering of details to access our bank accounts over the phone, such as our home addresses, our dates of birth, and now and then the last four digits of our Social Security numbers. In contrast, British banks rarely ask for anything less than username, password, three-digit, variable drop-down boxes of codes, memorable names, iris scans, fingerprints, the exact weight of your first born child, and the name of your dog that you always forget even though he was your "best friend" growing up in the suburban bliss of outer London.

Sharing personal anecdotes of how lax U.S. banks appear to be with our life savings compared to British banks left us both a little shaken.

He asked me: "Wouldn't it be interesting to see how much information there was on me out there? Like, what you can find out from the Internet and try to get on the phone with my bank?"

Yes, Alex. Yes, it would.

Based on just his name and his employer, would that be enough to steal his identity and take over his life?

The bet was laid and the plan we formulated was simple enough: To gather enough intelligence about Alex to convince his call center operator at his bank that I was him. Like something out of a Mission Impossible film, I would have to bypass the automated phone system, steer through the security questions, and — armed with a fictional and empathy-driven sob story — socially engineer my way into his bank account.

And then, out of nowhere and in a chilling moment of awkwardness, I forgot his surname — despite the fact we'd met before and shared a pint in the pub over the road.

I was mortified.

But, being British and all, one doesn't beat about the bush. On the verge of asking him, I stumbled over my words — I admitted I didn't know, but also didn't want to know — stopping him as he was about to mutter, "Oh, it's…"

Because the less I knew, the better.

I took him up on his offer, and we agreed on a strict set of rules.

For one, I would be acting the "civilian" hacker, rather than a journalist. (Journalists often have access to paid-for accounts that would churn out public records and other data.) Because of this, I was not allowed to use CBS' internal tools to find out any information on him, or strap down and waterboard our human resources director into handing over information.

I had nothing but the Web to use as my hacker's toolbox.

Just half an hour later, I walked back into his office and announced a five-digit number that made Alex's smile fade and his jaw drop.

"That's my house number," he said. His face was mixed with shock, terror, and awe. "How the f**k did you get that?"

One single innocuous tweet sent more than a year ago let him down.

I sat down at my desk after our bet first began and immediately turned to Google. No matter which social network you use, Google is a better engine for finding keywords — even keywords within those social networks. I knew his first name, and I knew the company he worked for. I bashed in "Alex" and "CBS Interactive," the owner of ZDNet and CNET, and behold, his LinkedIn page (and surname) landed at the top of the list.

His LinkedIn account confirmed his full name, his position, and his employer. I found his Twitter account on his LinkedIn profile, but the other top three Google search results also churned out his handle.

Surely there were GitHub or browser scripts that could have scraped his entire Twitter account, which confirmed in his profile that he lived in Charlotte, NC, along with more than 1,500 tweets and the occasional uploaded photo. But instead, I took the raw viewing approach: I scrolled down to his very first tweet and began to search through the stream. It was quick and lazy, but easily searchable within my browser.

There were a few scattered location-based tweets: some from New York, some from San Francisco, and a few others from places where we have offices around the world. A few search terms later, I found a single reference to "NC," or North Carolina. From that one tweet, buried among hundreds of innocuous ones, I opened a new tab and Google Maps pinpointed what I assumed was his suburban home address, with ground-level Street View imagery on demand.
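The keyword pass described above, done over a local copy of a tweet archive rather than by scrolling, as an added example that is not from the article: it scans a constructed sample of tweets (not Alex's) for the kinds of signals that leak a home location or a security-question answer, namely geotags, bare US state abbreviations, and words that tie a mention to home or to a personal date. The field names, the regexes and the sample tweets are all assumptions; adapt them to whatever export or scraper you actually have.

```python
import re
from collections import Counter

# Constructed sample archive (not Alex's real tweets). The field names are an
# assumption; adapt them to whatever export or scraper you actually have.
TWEETS = [
    {"id": 1, "created_at": "2012-06-14", "text": "Back in the NY office for the week.", "geo": None},
    {"id": 2, "created_at": "2012-07-02", "text": "Quiet Sunday at home in Charlotte, NC.", "geo": None},
    {"id": 3, "created_at": "2012-08-11", "text": "SF all week for meetings.", "geo": {"lat": 37.78, "lon": -122.41}},
    {"id": 4, "created_at": "2012-09-30", "text": "Birthday drinks tonight!", "geo": None},
    {"id": 5, "created_at": "2013-01-05", "text": "New neighbours moved in on our street; NC is growing.", "geo": None},
    {"id": 6, "created_at": "2013-02-20", "text": "Coffee and a ham sandwich, nothing else to report.", "geo": None},
]

# Bare two-letter state codes as whole words; extend with the states you care about.
STATE_RE = re.compile(r"\b(NC|NY|CA|TX|FL|WA)\b")
# Words that tie a mention to where the person lives rather than where they travel.
HOME_RE = re.compile(r"\b(home|house|neighbou?rs?|our street|moved in)\b", re.I)
# Words that tie a tweet's timestamp to a date a bank may use as a security answer.
DATE_RE = re.compile(r"\b(birthday|anniversary|born)\b", re.I)


def classify(tweet):
    """Return the list of leak signals found in one tweet (empty if none)."""
    reasons = []
    if tweet.get("geo"):
        reasons.append("geotag")
    reasons.extend(f"state:{s}" for s in STATE_RE.findall(tweet["text"]))
    if HOME_RE.search(tweet["text"]):
        reasons.append("home-context")
    if DATE_RE.search(tweet["text"]):
        reasons.append("personal-date")
    return reasons


def scan_archive(tweets):
    """Map tweet id -> signals for every tweet that leaks something."""
    hits = {}
    for tweet in tweets:
        reasons = classify(tweet)
        if reasons:
            hits[tweet["id"]] = reasons
    return hits


def home_state_guess(tweets):
    """Rank state codes by how often they co-occur with home-context words.

    Travel tweets (NY, SF) fall away because they lack home words; the state
    that keeps appearing next to "home" or "our street" floats to the top."""
    counts = Counter()
    for tweet in tweets:
        if HOME_RE.search(tweet["text"]):
            counts.update(STATE_RE.findall(tweet["text"]))
    return counts.most_common()


if __name__ == "__main__":
    for tweet_id, reasons in scan_archive(TWEETS).items():
        print(tweet_id, reasons)
    print("home state guess:", home_state_guess(TWEETS))
```

Run against your own archive, the output is a short list of tweets to delete or reword; the co-occurrence ranking is the same inference the article made by hand, which is why a single "NC" next to a home-context word is enough.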

I was even able to tell him what color his front door was. He slumped back in his chair, clearly taken aback.

But I didn't stop there. He authorized me to look further.

What I was ultimately after were possible or even specific security questions that a bank might ask for. Armed with those, I could — in theory — take over almost every aspect of his life.

Public records showed how much he paid for his home and when. This gave me the very first personal data reference, something that could serve as a PIN code or security answer I might use later. North Carolina public records also churned out tax receipts and other information that pointed me to his wife's name; we shall call her Sarah.

The amount of information available from their mercilessly open Facebook pages was nothing short of a hacker's dream. From photos, status updates, the "about" page, and other check-in and location data, I was able to determine intimate details of his family, including his child's name and date of birth and the anniversary of his marriage to Sarah, which I counted as the second, third, and fourth personal data references.

I was a little sickened with how much data I had collected on this man's life and family by this point. I was already bordering on what felt like the side of unethical behavior — the fact he had authorized me to keep going was the only thing that encouraged me to continue.

A few more keyword searches yielded Alex's birthday, a date in mid-June, from a written confirmation in one of his tweets, something he likely thought nothing of at the time. I could guess his age, but that wasn't enough for a fifth data reference that could be used as a security question or code.

Facebook would once again hold the answer, or at least part of it. What came next took logic and variable plugging.

I knew his personal username from his Facebook account URL, but the hacker in me — admittedly with the restraint of a saint — could have garnered even more personal and sensitive information if I were to access his personal email account without his authorization. At least, that was the assumption I was going with.

By opening an incognito window, removing my own cookies and Facebook account from the equation, I plugged his information into the site's password reset facility.

Thrown back at me was: a*****9@g*********.com.

I tested with my own account: Facebook's mask preserves the exact number of characters in the address it hides, so the asterisks give away each part's length. It took a smidgen of common-sense guessing to identify that he had a legacy Gmail account with a @googlemail.com address. The next step, determining the rest of the address, would not be easy and would take multiple attempts with possible variables, but Facebook's password reset facility was enough to fill in the blanks after at least two hours of guesswork.

With the first and last characters known (the first the letter "A", the last a digit), I assumed the local part was his full first name, followed perhaps by the first letter of his surname, and then the last two digits of his year of birth.

After about three hours of plugging in combinations, I had unmasked the asterisks, and Facebook's reset page matched the address to his account. And yes, as I suspected, 1979 was his birth year. I now had his full date of birth, which tied in with the rough timing of his academic history on his LinkedIn account.

Armed with his full personal email address, I next hit Gmail's password reset facility. Although Google's security and validation system for inaccessible email accounts is better than most email providers, Alex's own security questions let him down. Often the weakest link in the security chain is the person in question.

I was already walking on thin ice. Though I had uncovered his security question, I refrained from attempting to answer it. Suffice to say, I probably could have.

By this point, I had already discovered at least five pieces of data that could be used as a security answer or code with his bank. But in order to get access to his checking or savings account, I would almost certainly require his Social Security number. Many banks require a full bank account number, or a credit or debit card number. Accessing his physical cards would be nigh on impossible. When no card details are given, a Social Security number is almost always used as a fallback.

But how would I get his Social Security number? Two hours of searching some of the Web’s darker hacker forums was leading me nowhere.

Alex is a British expat, likely in the country on a visa or a green card. When he married Sarah, a U.S. citizen based on her Facebook profile, it's possible that he had obtained permanent legal residency through a marriage-acquired green card. But, that was based on assumptions. Even if he submitted a green card application at the time he was married, would he have even received it by now? I was guessing, and going down this path of thinking likely wouldn't yield any definitive answers.

I needed his Social Security number, but my options were fading fast.

Hours later, my eyes lit up. What is one of the first things you get if you relocate to a foreign country? A cell service plan.

Most cell service providers — AT&T, Verizon, and Sprint, among others — require you to present certain forms of identification, often including a Social Security number, before you can sign up.

In theory, the next challenge seemed easy enough. In reality, I would rely on sheer luck.

If I could find his cell phone number, and if he used a cell provider that required a Social Security number, I could then, in theory, acquire at least a few of those golden government digits from his cell provider through similar social engineering techniques I would reserve for his bank.

It turned out that sooner rather than later, I would have to use those very techniques directly on my target.

How exactly would I get his phone number? By asking for it, directly or indirectly. Knowing his work and what he does for a living, I would throw out the "phishing" line by emailing him as a potential client, and for the purposes of this exercise I would want to talk to him on the phone about it.

Though I already had his personal Gmail address, I needed to send the note through his work email. I did not know his employer's email naming scheme offhand, but a few searches made it clear that, like many organizations, it followed the "firstname" dot "lastname" at the company's domain pattern.

In a matter of minutes, I created a full-name personal email address with Gmail, and, with knowledge of his work and expertise, carefully crafted an email that would not only get his attention, but also surely warrant a reply.

"Hi Alex. We're a B2B startup based in Mountain View, and we're looking to advertise. I'm traveling for the next couple of days, could you email me back letting me know how might be the best approach going forward?" — 'John' 

I sent the email, and waited. The next day, he replied. Behold, in his email signature, was his cell phone number. I didn't need to continue the thread any further. I plugged the phone number into a popular cell provider lookup website. His cell phone provider was Verizon.

I was unthinkably close to acquiring the golden goose: at very least the final 4-digits of his U.S. government-issued identifier, or at most the full 9-digit figure.

And that's where I stopped.

I geared back into "journalism mode," and set up a call with Alex to discuss my findings. Every shred of my being wanted to fight until the bitter end and see how far I could go. The thirst for this data reached such levels that I was uncomfortable in how I was acting. There was a line in the sand though that I would not cross. I would not impersonate him without him being physically there in our New York office — a place he rarely visited.

How I would have loved to have told you how I stood in his office with his phone on speaker, with him watching over me as I read aloud his personal and sensitive data, playfully chatting with a call center operator at his bank, joking along and chuckling about how my wife had "spent a bit too much on the kids again," and wanting to review my current checking account balance.

Alas, that call I had longed to make for days never came to fruition.

We discussed my findings at length. I explained that going any further would be unethical, and possibly illegal. Enough was enough, and my point was made.

I knew more about Alex than most of our other colleagues did. I had his home address, date of birth, the date of his wedding anniversary, and his child's date of birth, all of which may have served as security answers to his various real-world accounts. I also had his personal and work email addresses, his cell phone number, his employment status and history, and even a good guess at his immigration status.

We agreed that this was a good time to stop.

The information I had would have, as it turns out, been enough to socially engineer my way through to the Verizon customer call center. Whether or not the operator would have divulged his Social Security number to someone they thought was in fact him, we will never know. But if that were the case, there would have been a strong possibility that I could have, with that 9-digit number, accessed his bank account.

But all that from a workplace wager and a single, innocuous tweet? It wasn't bad for just shy of two days of work.

Because the information I collected on Alex was so sensitive, it was entered and stored on a locked-down computer. It was disconnected from the network and required a complex alphanumeric password to unlock it. The data was held in an encrypted document that was also protected with a different, strong alphanumeric password. The information was subsequently obliterated with an erase tool once it was no longer needed.

Alex is not a chief executive, a rock star or a celebrity, or a government employee with access to state secrets. This was an authorized "vendetta." This was personal. I wanted to break into his life and crack it open to see what I could find. That is atypical of a black hat hacker, who might instead scrape personal information out of a hack or data breach in order to siphon off money.

In that respect, it wasn't the average intelligence gathering exercise.

But it threw him off his privacy pedestal. And the results certainly put chills up and down my spine.

Talkback

31 comments
  • It's reasons like this

    Why I don't fiddle with REAL information on facebook!

    Unfortunately there are many websites out there that capture your personal information and never let it go. Those are problems that Congress and the courts need to address now! Before google, bing and the rest of the search engines there was only AOL web search. It was slow and sometimes inaccurate. I think it was called webgrabber. But even back then I could type in my full name and it would show personal addresses and information that private companies should NOT be allowed to archive and hold hostage! Now that same data has been passed around so much... who knows who has it and where it came from...
    SpankyFrost
  • if you want to become alarmed

    Call your bank or brokerage and pretend to have forgotten your account login. i.e. I must be having a senior moment... I used my account the other day but can't for the life of me remember it... or I haven't accessed this in a long time... you will be surprised at the questions they ask... all gleaned from decades of public records.

    From where you were born to Previous locations you lived, schools you attended, (where and when)... other accounts, employers, titles, properties bought or sold and prices... memberships, clubs, associations... its all there.

    Or just pay $25-35 for a background check on yourself.

    Now all that info organizations ask you to provide... what's the odds they will keep it private and secure or leak it at some point. I suspect 75% to 85% of all data will be compromised, hacked, leaked, exposed or just sold.

    every phone company, power company, doctor, dentist, state & locality, plus multiple Fed agencies and more companies or organizations... have much of your personal data. Why? and they will be unsuccessful in keeping it secure.
    greywolf7
  • still keeping Alex's information?

    Yes, you've locked it down, but why not delete it, and wipe it completely off your records? What's the reason for keeping it?
    sam8988378
    • You missed

      the sentence in the article

      "The information was subsequently obliterated with an erase tool once it was no longer needed."
      schultzycom
    • At the end of the paragraph:

      "The information was subsequently obliterated with an erase tool once it was no longer needed."
      Bill4
  • Scary

    The scary part is how much information is available online about most people without using anything more sophisticated than Google and time. Identity theft of anyone is possible. Also, if one is deemed worthy one will be a target of sphearphishing in an attempt to short circuit the process.
    Linux_Lurker
  • Do it again

    But this time use any congress critter's name and then send him/her the information.

    Repeat for all congress critters.

    Lay back and wait for a law with teeth to come onto the books.
    bart001fr
  • forgot something

    When you send them the information, make sure you do it ANONYMOUSLY!

    So you'll have less chance of a visit by the FBI.
    bart001fr
  • 2nd user hard drive

    It's not just the data held by various entities. I purchased a supposedly non-working external HD at a public auction, took it home, cracked open the case and removed the HD, which I then plugged into a docking cable.

    Lo and behold! The info on the HD was intact and contained so much personal and private data about an individual and his family, I was shocked. I called the previous owner at the phone number he provided on a scanned document and asked if he wanted his info putting on DVDs before I wiped the HD clean. The fellow came the next day, paid me full price and took away his old HD.

    Turns out the USB to SATA bridge had stopped working. He had returned the HD under the store's warranty policy and had been assured the HD would be crushed and destroyed, yet it ended up at an auction.

    When my HDs stop working, I remove the platters and destroy them with a sledge hammer before disposing the pieces over a number of trash collections. When it comes to personal and private data, always be paranoid.
    sip01
    • Based on a recent experience

      I'm guessing that the hard drive inside was a _ _ Green model.
      bunkport
  • Zack, sorry to nitpick...

    ...but it's spelled "innocuous". And that's British English!
    jaykayess
  • 10digits?

    Zack, what's with your reference to a ten digit Social Security Number? Just trying to keep us on our toes?
    jayhinker@...
    • You're right -- I miscounted

      Nine it is. Should be live shortly.
      zwhittaker
  • grammatical error

    The phrase "who we shall call Sarah" should be "whom we shall call Sarah."

    Nice article. Thanks.
    bmeacham98@...
    • Logical error

      "...wife's name who we shall call Sarah"
      It's not the wife's name we shall call Sarah, it's the wife! It should have read
      "... wife's name which shall be Sarah for anonymity"
      Yes - I'm a bit of a nit-picker! ;-)
      JohnOfStony
      • lolz

        actually I believe that would be a syntax error lolz
        trefrog
  • Info (money) from a Bank (BMO)

    And here is a real life case regarding the Bank of Montreal (BMO)

    He asked me: "Wouldn't it be interesting to see how much information there was on me out there? Like, what you can find out from the Internet and try to get on the phone with my bank?"

    http://www.cbc.ca/news/canada/british-columbia/bmo-customer-s-account-emptied-of-87k-as-bank-falls-for-scam-1.2555647

    Scary, eh?
    NoSpark
  • For security questions

    I use fake information. I never put my actual high school name or any name of pets I've had. What I use may or may not even be a word. Choose the answer like you choose a password, as long as you choose passwords correctly.
    Sarah Palin's email account was hacked in 2008 using publicly-available information. Everybody knows she's from Wasilla.
    Garrett Williams
    • That's a really good idea!

      Thanks for that suggestion: made-up info as security question answers.

      I've always thought that mothers' maiden names are too public to be useful.

      What I like best are those (FEW) sites that allow you to compose your own security questions, rather than having to choose from a few that ask for info that's often publicly known.
      daniel1948x
  • YAH yah. Been there, done that

    I have more info on my 2 ex-wives than I ever had when we were together.
    .
    .
    .
    OOPS, too much info. Delete that.
    .
    fm.usa