I was eavesdropping on the train… yes, I admit it. But isn’t it something all of us do from time to time? Don’t get me wrong, I’m not an avid or habitual eavesdropper. On the contrary, like many of my fellow passengers I will frequently be absorbed by some work on a laptop, or listening to my music, blissfully unaware of conversations going on in my immediate vicinity, or the incessant and annoying tannoy messages about ticket types and on-board catering facilities.
At other times, however, like this morning, I overheard a lady sitting in front of me. Although I’ve often been surprised by what I’ve heard others speak of in similar circumstances, in this particular case, I was shocked. The lady in question was travelling with 2 teenage children and a man – an apparently ordinary, happy family. So far so normal. The lady then gets on her mobile – I’m going to call her Christine (not her real name, and all other ‘personal’ details to follow have also been changed) – and says, “Hi, I’d like to book my car in for an MOT tomorrow please.” There followed some brief dialogue between Christine and the garage person to agree timings. Then Christine comes out with the following, more or less verbatim:
“LN48 GPS, it’s a Volkswagen Golf. No, it’s petrol. NE27 4LX. Number 8. Adams. 07532 697488.”
As I had a pencil in my hand, I paused from my Sudoku deliberations and noted down these details in the margin of my Times newspaper. I then mentally replayed the questions Christine had just been asked by the garage person: “Car registration and make? Is it a diesel? Post code? House number? Surname? And a contact telephone number?” An apparently innocuous and very brief conversation – it probably lasted less than 45 seconds – but in a very public place, and I now knew quite a lot about Christine. Trying not to dwell on it, I returned to my Sudoku. A few minutes later Christine is in conversation with the teenage boy about something Christine has purchased online (a scooter), and a problem over the payment. You might guess what then transpired. That’s right – Christine gets on her mobile again – explains the problem with the payment to the call centre person, whereupon after a few seconds, she states the following:
“Christine Adams. 5574 1187 3983 4490. 08/13. 446.”
Destined never to complete my Sudoku, I again noted down the aforementioned details, and again mentally replayed the questions Christine had just been asked: “Full name as it appears on the card please? And the long number on the card? And the expiry? And the 3-digit security code on the back of the card?” Brilliant.
I now have a more or less complete personal profile of Christine, and a valid credit or debit card in her name. I can also make certain assumptions about her and her family – relatively affluent for a start, given the iPad, and the way they are all dressed. Within minutes I can almost certainly identify social media sites that reference Christine and her family where there will undoubtedly be masses of ‘collateral’ information about her friends, work, pets (always good for guessing passwords), and schools for the kids and so on. All of this in a 30-minute period of a 2-hour train journey.
There’s a name for what I’m describing – it’s called social engineering – and it’s an incredibly easy way to steal someone’s identity, commit fraud, enable stalking, and potentially make Christine and her family victims of some other very unpleasant crimes. Fortunately I’m one of the good guys – but what about the 20 or so other people who were probably close enough to Christine to hear exactly what I heard?
But like the fool I am, I’ve just given myself a problem. Should I tell Christine what I’ve just heard, and noted down, so that she might learn the error of her ways, or keep quiet and try to complete my Sudoku? I did what I suspect most people would do – i.e. nothing, but in my defence I was really keen to finish the Sudoku…
However, there is a serious point to make. Although my experience illustrates just how little some people think about their personal information and its value, and also how easy it is to engage in this type of social engineering, the professional criminal fraternity have largely left it behind as a means of gathering information, and that’s because there are much easier methods. Identity theft and credit card fraud are now fully industrialised and thriving on the Internet. The websites are very professional (as is the hosting for the websites), modelled along the lines of Amazon or other major online retailers, complete with shopping baskets and check-out. Only the items for sale aren’t books or groceries – they’re guaranteed fully functional credit cards with set spending thresholds – purchase in bulk for discounts – and/or personal identity information. I won’t provide the URLs, but actually these sites are not difficult to find. So there is probably only a very small chance that you will ever be ‘socially engineered’ unless of course the guy sitting behind you on the train happens to be me.
– Steve Southern, KCOM
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Humber Business Resilience Forum, its directors, members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.