SECURITY EVANGELIST

This is a guest post by George Hari Popescu.

I was strolling on the alley that leads to the street where my home in Brussels is, and I was looking at the trash bags on the sidewalk. It was the white trash bags day (household waste), and I tend to look at it attentively, ever since a couple of glass containers saved me from taking the metro the day the Brussels terrorist attacks happened last month (because I stopped to drop them off at a glass container closer to the bus).

That’s when I saw a picture printed on a plastic rectangle, dropped between two neatly closed trash bags. I picked it up and noticed it was a slightly scratched MOBIB card, with a chip on the front and a magnetic band on the back.

It looked a bit like this:

[Image: MOBIB transport pass]

I really don’t know more than you do



My first thought was to take it to a STIB center (the public transport company from Belgium’s capital), but I thought I’d conduct a quick experiment instead, since I had recently bought a transport pass from them myself.

So I created a new account on the STIB website. In the form, I put in the name and birth date on the card I had found. After I confirmed the account via email from an address I owned, I associated the card with that account.

At that point, I was asked for the card number, which was also printed on the plastic pass. Once the system verified the subscriber, it showed me the picture of the owner, which was exactly the same as the one on the card. But it also provided her national identification number.

From the same STIB account I found out that the card’s owner had an all-lines pass, valid until April 19, 2016, that she had lost another card, and this current pass was a duplicate for which she had paid 10 euros (the initial one costs 5 euros).

It struck me that, with all the data I had gathered up to that point, I could do all sorts of things with that person’s identity. Online, with a little effort, I could find out where she lived. Offline, I could use the card on public transport until it expired. But I didn’t do any of this.

Facebook saves the day



Where do you start when you’re looking for someone? On Facebook, obviously.

I found a couple of results for the same name, but only one of them was not from the US or outside Europe, according to the public data provided by those users. The Facebook profile which was most likely to fit the owner had a single picture, with a figure that had been photographed from the back, so I wasn’t able to compare it with the picture on the transport pass. I took a chance and sent her a private message, asking her if she had lost a MOBIB card.

A couple of hours passed by before she replied and confirmed that she was the one who had lost the pass.

I asked for her date of birth so I could confirm her identity. But here’s the thing: she told me her birth date without being sure that I already knew it, so knowing her name would’ve been enough for me to find out this piece of information. I told her the name of the street where I had found the card and she immediately shared that she lived on the street next to that and also gave me her house number. Again, I had all the basic information about her now, but she also had an idea of who I was.

I offered to leave the card in her mailbox. When I reached the address, the mailbox was one of those attached to the door, so everything you put in would drop on the floor, in the hallway. So I put the card in an envelope with the EU logo on it and wrote her name on it too. She found the card and later confirmed, via Facebook, that the pass was once again in her possession. The whole thing unfolded in less than 24 hours.

Some thoughts on identity and privacy



It’s really not that difficult to find out everything about someone nowadays. It’s ridiculously easy actually.

The more people invest in their digital security, the more holes they leave open in their offline lives. We pay more attention to our online actions, but we don’t often make the connections between data bits and people.

The social engineering tactic that Kevin Mitnick turned into art still works (I strongly recommend you read his book – Ghost in the Wires: My Adventures as the World’s Most Wanted Hacker). So, rest assured that someone is always watching…

Personal note: I do not condone social engineering and illegal practices. I am completely against identity theft. The story above is meant to make people more aware of their actions and more protective of their personal information, and it’s not intended to provide instructions for malicious actors.

About the author

George Hari Popescu is a Trainee at the Directorate-General for Innovation and Technological Support at the European Parliament, EVOPARL (Linkedin). For 15+ years, he has been a university teacher and he often writes on his blog at http://www.cyberculture.ro/ (in Romanian).

George Hari kindly agreed to share this personal story so that more people could become aware of the dangers of having their personal information exposed and harvested for malicious purposes, and take adequate measures to protect it.
