SECURITY EVANGELIST

This is a guest post by George Hari Popescu.

I was strolling along the alley that leads to the street where my home in Brussels is, looking at the trash bags on the sidewalk. It was white trash bag day (household waste), and I tend to look at them attentively, ever since a couple of glass containers saved me from taking the metro on the day of the Brussels terrorist attacks last month (I had stopped to drop them off at a glass container closer to the bus).

That’s when I saw a picture printed on a plastic rectangle, dropped between two neatly closed trash bags. I picked it up and noticed it was a slightly scratched MOBIB card, with a chip on the front and a magnetic stripe on the back.

It looked a bit like this:

[Image: a MOBIB transport pass. Caption: “I really don’t know more than you do”]

My first thought was to take it to a STIB center (STIB is the public transport company of Belgium’s capital), but I decided to conduct a quick experiment instead, since I had recently bought a transport pass from them myself.

So I created a new account on the STIB website. In the form, I entered the name and birth date printed on the card I had found. After I confirmed the account via an email address I owned, I associated the card with that account.

At that point, I was asked for the card number, which was also printed on the plastic pass. Once the system had verified the subscriber, it showed me the picture of the owner, which was exactly the same as the one on the card. But it also displayed her national identification number.

From the same STIB account I found out that the card’s owner had an all-lines pass valid until April 19, 2016, that she had lost another card before, and that this pass was a duplicate for which she had paid 10 euros (the initial one costs 5 euros).

It struck me that, with all the data I had gathered up to that point, I could do all sorts of things with that person’s identity. Online, with a little effort, I could find out where she lived. Offline, I could use the card on public transport until it expired. But I didn’t do any of this.
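The security-relevant point in the steps above is that every piece of data the website asked for (name, birth date, card number) is printed on the pass itself, so whoever holds the plastic can link it to a fresh account, and the portal then reveals a datum that is not on the plastic (the national identification number). The following is a toy model added to this post to make that contrast concrete; it is not STIB’s code, and every subscriber record, field name and code length in it is made up. The weak version accepts the card-printed data and returns the full record; the hardened version sends a one-time code to a contact registered at purchase time, limits guesses, and never returns more than the pass details the card holder needs.

```python
"""Toy model of a transit-pass account portal (constructed example, not any
real operator's code). Shows why 'verification' with data printed on the pass
is no verification, and what a minimal fix looks like."""
from dataclasses import dataclass
from typing import Optional
import hmac
import secrets


@dataclass(frozen=True)
class Subscriber:
    name: str            # printed on the pass
    birth_date: str      # printed on the pass
    card_number: str     # printed on the pass
    national_id: str     # NOT printed on the pass
    photo_ref: str
    contact_email: str   # collected at purchase, never printed
    valid_until: str


# Constructed record; every value below is made up.
SUBSCRIBERS = {
    "0123456789": Subscriber(
        name="Jane Doe", birth_date="1990-01-01", card_number="0123456789",
        national_id="90.01.01-123.45", photo_ref="photo/0123456789.jpg",
        contact_email="jane@example.invalid", valid_until="2016-04-19"),
}


def link_card_weak(name: str, birth_date: str, card_number: str) -> Optional[dict]:
    """Weak check: everything it asks for is written on the plastic, and the
    reply contains data the finder of a lost card did not have before."""
    sub = SUBSCRIBERS.get(card_number)
    if sub is None or sub.name != name or sub.birth_date != birth_date:
        return None
    return {"name": sub.name, "photo": sub.photo_ref,
            "national_id": sub.national_id, "valid_until": sub.valid_until}


class Portal:
    """Hardened check: proof of control of the registered contact, one-time
    code, bounded guesses, and a reply limited to what the holder needs."""
    MAX_ATTEMPTS = 5

    def __init__(self) -> None:
        self.outbox = []     # stands in for e-mail delivery in this demo
        self._pending = {}   # card_number -> [code, attempts_left]

    def start_link(self, card_number: str) -> None:
        # Same (empty) answer for known and unknown cards, so the endpoint
        # cannot be used to enumerate valid card numbers.
        sub = SUBSCRIBERS.get(card_number)
        if sub is None:
            return
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[card_number] = [code, self.MAX_ATTEMPTS]
        self.outbox.append((sub.contact_email, code))

    def finish_link(self, card_number: str, code: str) -> Optional[dict]:
        entry = self._pending.get(card_number)
        if entry is None:
            return None
        expected, _ = entry
        if not hmac.compare_digest(expected, code):
            entry[1] -= 1
            if entry[1] <= 0:          # too many guesses: start over
                del self._pending[card_number]
            return None
        del self._pending[card_number]  # code is single-use
        sub = SUBSCRIBERS[card_number]
        # No national ID, no photo: the holder already knows what they look like.
        return {"name": sub.name, "valid_until": sub.valid_until}


if __name__ == "__main__":
    print("weak:", link_card_weak("Jane Doe", "1990-01-01", "0123456789"))
    portal = Portal()
    portal.start_link("0123456789")
    _, sent_code = portal.outbox[-1]
    print("hardened:", portal.finish_link("0123456789", sent_code))
```

The point is not the one-time code itself (a card that was stolen together with a phone would defeat it) but that the check depends on something the pass does not carry, and that the portal’s reply adds nothing the requester could not already read off the plastic.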

Facebook saves the day



Where do you start when you’re looking for someone? On Facebook, obviously.

I found a couple of results for the same name, but only one of them was not from the US or elsewhere outside Europe, according to the public data provided by those users. The Facebook profile most likely to belong to the owner had a single picture, of a figure photographed from behind, so I wasn’t able to compare it with the picture on the transport pass. I took a chance and sent her a private message, asking whether she had lost a MOBIB card.

A couple of hours passed by before she replied and confirmed that she was the one who had lost the pass.

I asked for her date of birth so I could confirm her identity. But here’s the thing: she told me her birth date without being sure that I already knew it, so knowing her name alone would have been enough for me to obtain this piece of information. I told her the name of the street where I had found the card and she immediately shared that she lives on the next street over, and gave me her house number as well. Again, I now had all the basic information about her, while she had only a vague idea of who I was.

I offered to leave the card in her mailbox. When I reached the address, the mailbox turned out to be a slot in the door, so anything put through it would drop onto the floor in the hallway. So I put the card in an envelope with the EU logo on it and wrote her name on it too. She found the card and later confirmed, via Facebook, that the pass was once again in her possession. The whole thing unfolded in less than 24 hours.

Some thoughts on identity and privacy



It’s really not that difficult to find out everything about someone nowadays. It’s ridiculously easy, actually.

The more people invest in their digital security, the more holes they leave open in their offline lives. We pay more attention to our online actions, but we rarely make the connection between scattered bits of data and the people they identify.

The social engineering tactics that Kevin Mitnick turned into an art still work (I strongly recommend his book, Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker). So rest assured that someone is always watching…

Personal note: I do not condone social engineering or illegal practices. I am completely against identity theft. The story above is meant to make people more aware of their actions and more protective of their personal information; it is not intended as instructions for malicious actors.

About the author

George Hari Popescu is a Trainee at the Directorate-General for Innovation and Technological Support of the European Parliament, EVOPARL (LinkedIn). For more than 15 years he has been a university teacher, and he often writes on his blog at http://www.cyberculture.ro/ (in Romanian).

George Hari kindly agreed to share this personal story so that more people could become aware of the dangers of having their personal information exposed and harvested for malicious purposes, and take adequate measures to protect it.
