Hi folks,
I’ve been doing computer security for a looooong time, and not much scares me. But this does.
This week, I had occasion to visit London for a couple of days on biz. Trip went well, and Thursday morning, I fronted up to the hotel desk to check out.
To ensure I was ready to do my expense account paperwork, I asked the young lady for a fresh copy of my bill, and she said “I’m sorry sir… your card has been declined.”
Me: Blink, blink… “No… I just want a copy of my bill”
Her: “Your card has been declined, sir.”
Me: Pause… blink…”Declined?”
Her: “Yes sir. Do you have another card to use?”
Me: “But there’s lots of money on that card… could you retry it, please?”
Anyway, the conversation went on like that for a while, and eventually it became clear I’d have to call my bank, so I did. Of course, I had the usual struggle to get to speak to a human, but eventually someone explained that because I hadn’t told them I would be traveling, they had decided that the transactions were “Unusual” and had suspended the card, and I’d have to speak to the Fraud Department to un-suspend it.
Ok, so that’s a pain, but at least they’re looking out for me, so I answered all the questions… “Last four of social, please”… “What accounts do you have with us?”… “Mother’s maiden name?” etc.
Here’s the scary bit… The guy says, “And now, sir, just a couple more questions, please. This is from publicly available information. What age-range would best describe this person?”, and he proceeded to ask me about my _daughter-in-law_... Using her maiden name, and she’s been married for nine years!!!!!
Now I answered the question correctly, and they un-suspended the card. I paid the bill, and headed for the airport.
I had one question thundering through my mind.
How did the bank associate me with her??????????????????????
I _refuse_ to believe it was “publicly available information”.
We have no connection on _any_ bank accounts, or legal documents.
She hasn’t used her maiden name for nine years. I’d have been less suspicious if they’d asked me about her married name.
She’s _not_ a big computer user.
The _only_ place we connect as far as I’m _aware_ is that she’s a friend on Facebook!!!!!!!!!!
Now, I’m not accusing Facebook of _anything_, but one wonders…. I can’t believe Facebook would sell our data, so … is someone “harvesting” it?
Not long ago, we found some Facebook apps that had been hacked, and were reaching to attack sites in Russia, and while investigating that, we found a site that looked very similar but wasn’t actually attacking. We’re not mentioning the name of this company, because we can’t yet figure out whether they’re good or bad, but they look really suspicious. Their webpage shows no “Contact us” details… just a crudely-drawn graphic. When we did a whois to see who they were, we found that the ownership was hidden behind Privacy Protector.
They had written a cancer support group application that had over 250k members. _All_ of these applications require a user to allow access to their profile, their contacts, and their pictures “In order to work”.
This means that 250k women had ponied up their details to an at-best shadowy organization, which doesn’t want us to know who they are. Googling for their name reveals that they make many “surveys” and game-type apps for many social media properties… not just Facebook.
I’m _not_ accusing Facebook of anything (I like Facebook), but _someone_ other than the government has a honking-great database on me. And that probably means that they have a similar amount of data on _you_, Dear Reader.
_Someone_ is _seriously_ invading our privacy.
L
Roger
Interesting because I just got "verified" by my bank the same way, asking "public records database" questions, and they asked where my dad's ex-girlfriend (who apparently shared our address for a brief time while I was at college... 20 yrs ago) is now living and gave me multiple choice answers... like how am I supposed to know where that woman is living now? Since I didn't know the answer I answered it "incorrectly" and could not be verified. It was either answer the location or state I did not know the woman, in which case there was no correct answer since I did know her but they dated for 2 months. I really want to know which company pulls this info and who is controlling how it is used. I failed the verification system for this reason. Ridiculous.
Posted by: laura B. | April 06, 2010 at 12:43 AM
Almost every database company that sells "publicly available" data about you would -- without a doubt -- have a list of both 2nd and 3rd degree relatives. If you and your son are in any way linked through shared residences or other public data, and your son and his wife are linked, then there you go. Her name, including her maiden name (whether she has used it recently or not), would show up. Because of the potential that your card was stolen and being used fraudulently, the laws permit the credit card company to access this type of information. I would say there is no reason whatsoever to assume the credit card company got the info from Facebook, if for no other reason than they simply would not need to.
Posted by: HSR | February 11, 2010 at 08:23 PM
Facebook collects sensitive information about its users and shares it without their permission.
Posted by: BackDoor.Spy.Facebook | February 10, 2010 at 09:20 PM
Yes it is scary, especially when you take a guess at where the scary path may be leading us to.
Posted by: festplatte | February 10, 2010 at 05:30 PM
That's the reason electoral votes, for a start, have to be expressed on paper. Computer data can ALWAYS be manipulated.
Second, what happened is a violation of privacy, but I believe this is common in the US, isn't it?
Posted by: Cassa | January 30, 2010 at 08:11 PM
I guess you missed the whole voter fraud thing in Florida two elections ago. Florida had prepaid a company to go over their voter lists and determine whether or not folks on the list were eligible to vote - It's hard to determine if a particular "John Smith" is law-abiding John Smith or convicted felon John Smith - who is ineligible to vote.
There are at least five companies who maintain databases that track our every movement through use of credit cards and other transactions. They can differentiate between multiple John Smiths in the same home town.
(The scandal in the election was that Florida didn't send the list of mostly black voters to the company to be investigated; they just declared all of them ineligible felons, even though Florida had already paid for the service and despite repeated contact from the company).
The most dangerous thing about these companies is that they operate out of the limelight, and that if they make a mistake there is no oversight or mechanism in place to correct their errors.
Posted by: Marcus | December 20, 2009 at 11:26 PM
Yes it is scary, especially when you take a guess at where the scary path may be leading us to.
A.V.G is a consolation prize, safer from my point of view than the one I paid for previously, they answered complaints via a machine and diverted me to a call centre in Asia.
They failed to answer any questions at all; until I paid another £49.
"The smell of rodent again," this was when I quit, and changed to A.V.G.
Scary? Of course it is, because the situation is completely out of control, the root cause being greed and corruption based on an easy way to commit fraudulent crimes without risk of punishment, not to mention MPs' expenses.
When I moved house; to avoid the constant flood of spam mail I deliberately gave no one except close contacts my new address.
Only two contacts were given my new address details, and yet within two weeks spam mail was flooding through the door again.
The two contacts being: my bank, and the other one the local Council Tax Office, who had so many leading questions on their fishing form that I refused to answer them all, and put a bold line through them.
Posted by: Harold Philbin | December 20, 2009 at 08:21 AM
This info is also gathered by the credit agencies: Transunion, Equifax, and Experian. If you've ever put a fraud alert on your credit reports in order to lock them down, you would have been prompted with similar questions. That particular example has been in place for several years. I can easily see them selling a service like that to banks and such.
Posted by: rb | December 17, 2009 at 04:14 PM
why would a bank even use publicly available information to verify someone's identity?
Posted by: Rex | December 16, 2009 at 10:35 AM
Sites like Intelius can provide the info -
Posted by: Columbo | December 15, 2009 at 09:39 PM
http://www.techcrunch.com/2009/12/09/facebook-privacy/
So how many people still have their eyes wide shut?
Russell is spot on about Facebook and 3rd party apps. And we'd all better believe that the new Facebook "privacy" settings are geared towards sharing *more* information with those 3rd parties.
Of course, the bottom line as far as that goes remains the same: if *you* post information to the intarwebs, you should assume it is now public record. Seeing as how so much data is already out there (and more accessible than we realize, as Roger's experience illustrates), it remains a mystery to me why people voluntarily add to it. If I got doused with gasoline, I wouldn't say to myself "Well, gee, I'm already liable to go up with a spark, so I might as well play with some matches." But maybe that's just me.
Jim O., if you have a blog, I'd like to follow it. And if you don't - I think you should. :)
Posted by: Peg | December 15, 2009 at 06:47 PM
I should have blogged about this when it happened to me when I bought a Sprint phone. Sprint did a credit check and the person at Sprint doing their credit check and identity verification asked me all kinds of crazy questions that shocked me, such as:
1. When you lived in Denver, what was your address?
2. Before you lived in Boston, what other cities did you live in?
3. When you lived in Boston, who was your employer?
4. The last time you were on vacation in Paris, where did you stay?
What was kinda cool was that number 4 was a trick question because I have never been to Paris, so I answered that I had never been to Paris, along with the other answers, and they gave me a phone. I just thought it was kind of cool that they went to such extremes to identify the person trying to use my identity.
However, at this point, they are one step ahead of the evil-doers. As soon as the evil-doers compromise one of the DBs with all this data in it, we will all be in a lot more trouble and identity theft will be a lot harder to detect and stop.
Posted by: Jimmy Brown | December 15, 2009 at 05:06 PM
I'm kind of shocked that someone with your background in computer security research is shocked by what financial institutions are doing to prevent fraud. Fraud is costing these institutions billions of dollars, and these techniques are not new. As others have stated, many companies provide fee-based access to referential data on all of us. It's all public access data, but not necessarily easy to get, and harder to cross-reference so that questions may be created from it. Did your son live with your DIL prior to marriage, sharing an address and phone number during the same time period? That's just one other possibility. Bottom line - we live in Orwell's society. Your every move (especially in London) is video-taped, and facial recognition SW can find you in it. Toll transponders in your vehicle track your movements (just because the account isn't debited doesn't mean your transponder didn't get scanned at one mile increments - your insurance company will soon base your rate on how fast you drive). Don't like it? Get off the grid, stop using ANY electronics, pay with cash and wear a ski mask. Otherwise, get used to it. My $.02.
Posted by: Kevin | December 15, 2009 at 02:31 PM
Private Note to Roger
Darn it! I hate cache servers! Should have refreshed. I see now that others have provided the same answer I did. Oh well, post it if you want or delete it.
Posted by: Jim Okamura | December 15, 2009 at 07:50 AM
Roger,
They know about your daughter-in-law's maiden name because sites like Ancestry.com sell this information. From birth records they know who your son is, and from marriage records who he married. Now they have your daughter-in-law's maiden name and can look up her birth record - tada! - now they know her age. Public information.
I'd be interested to know if a bank can be compelled to reveal the source of its public information, and whether that source can be then be forced to show you what they have on you. Might be a very interesting read.
MB,
Several years ago my significant other and I booked a room through a travel agency using a credit card over the phone. That weekend while we were enjoying our vacation, the card number was used to make two Western Union wire transfers to individuals in the same Philippine city where the call center that processed our booking is located. This being the only thing the card was used for in a month, it was pretty easy to figure out where we were compromised.
So how did they pull it off? Western Union's web site asks personal questions to verify your identity before they let you make a transfer - those "Public Information" questions. But not public enough that someone could just punch our names into the web and come up with the answers. I tried that. Someone with access to that database must be providing the crooks with the answers.
So there it is: Proof that the bad guys can get the answers to the questions your financial institution asks you. No problemo.
One solution to this type of identity theft is to use hardware instead of questions. Most people I know have cell phones. Why can't the bank's computer just call your phone for purchases over a certain limit and have you press 1 to accept or 2 to decline? Then the crook needs your card number AND your cell phone. Complicate it further with a PIN, and I think we could say goodbye to this form of theft.
Another feature I'd like to see is a text message from my bank every time I use my credit card. Why is this so hard to implement? Not everyone has to participate, but you should get a lower interest rate if you do, because you're now helping the card companies prevent losses and protect their bottom line.
- Jim
Posted by: Jim Okamura | December 15, 2009 at 07:44 AM
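The out-of-band scheme Jim sketches above (a possession factor plus a PIN for purchases over a limit, and an alert on every use), as an added example that is not part of the original post or any of the comments. The SMS gateway, the step-up limit, the one-time code, the PIN policy and the sample transactions are all constructed for illustration and assume nothing about any real bank's or carrier's API.

```python
# Added example, not from the post: out-of-band card confirmation.
# A thief who has the card number AND the "public record" answers still
# needs the cardholder's phone (for the one-time code) and the PIN.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def hash_pin(pin, salt):
    """Slow, salted PIN hash so a leaked cardholder table does not leak PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Cardholder:
    card_last4: str
    phone: str
    pin_salt: bytes
    pin_hash: bytes
    step_up_limit: float          # purchases above this need confirmation
    alert_every_use: bool = True  # Jim's "text me every time" option


@dataclass
class Pending:
    holder: Cardholder
    amount: float
    merchant: str
    code: str
    expires_at: float


class SmsGateway:
    """Stand-in for the carrier gateway (constructed): records what would be sent."""
    def __init__(self):
        self.outbox = []

    def send(self, phone, text):
        self.outbox.append((phone, text))


class Authorizer:
    def __init__(self, sms, ttl_seconds=120.0):
        self.sms = sms
        self.ttl = ttl_seconds
        self.pending = {}   # challenge_id -> Pending

    def authorize(self, holder, amount, merchant, now):
        """Returns ("approved", None) or ("pending", challenge_id)."""
        if holder.alert_every_use:
            self.sms.send(holder.phone, f"Card *{holder.card_last4}: {amount:.2f} at {merchant}")
        if amount <= holder.step_up_limit:
            return ("approved", None)
        code = f"{secrets.randbelow(10**6):06d}"   # unpredictable, single-use
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = Pending(holder, amount, merchant, code, now + self.ttl)
        self.sms.send(holder.phone, f"Confirm {amount:.2f} at {merchant}? Reply {code} plus "
                                    f"your PIN within {int(self.ttl)}s, or ignore to decline.")
        return ("pending", challenge_id)

    def confirm(self, challenge_id, code, pin, now):
        """One attempt per challenge: any failure discards it, so the six-digit
        code cannot be brute-forced by resubmitting against the same challenge."""
        p = self.pending.pop(challenge_id, None)
        if p is None:
            return "unknown"
        if now > p.expires_at:
            return "expired"
        code_ok = hmac.compare_digest(code, p.code)
        pin_ok = hmac.compare_digest(hash_pin(pin, p.holder.pin_salt), p.holder.pin_hash)
        # Both checks run before branching so timing does not reveal which one failed.
        return "approved" if (code_ok and pin_ok) else "declined"

    def issued_code(self, challenge_id):
        """Demo hook standing in for 'read the code off the phone'."""
        return self.pending[challenge_id].code


def demo():
    """Constructed walk-through: small purchase, large purchase confirmed,
    a thief with the card but the wrong PIN, a retry, and an expired challenge."""
    sms = SmsGateway()
    auth = Authorizer(sms, ttl_seconds=120)
    salt = secrets.token_bytes(16)
    holder = Cardholder("1234", "+15555550100", salt, hash_pin("4821", salt), 500.0)
    r = {}
    r["coffee"] = auth.authorize(holder, 4.50, "Cafe", now=1000.0)[0]
    status, cid = auth.authorize(holder, 1450.00, "Hotel London", now=1001.0)
    r["hotel_status"] = status
    r["hotel"] = auth.confirm(cid, auth.issued_code(cid), "4821", now=1030.0)
    status, cid = auth.authorize(holder, 900.00, "Electronics", now=1100.0)
    r["thief"] = auth.confirm(cid, auth.issued_code(cid), "0000", now=1101.0)
    r["thief_retry"] = auth.confirm(cid, "000000", "4821", now=1102.0)
    status, cid = auth.authorize(holder, 700.00, "Airline", now=1200.0)
    r["late"] = auth.confirm(cid, auth.issued_code(cid), "4821", now=1400.0)
    r["sms_count"] = len(sms.outbox)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The design choice worth noting is that the challenge is single-use and short-lived: a wrong PIN or wrong code discards it rather than letting the caller try again, so a stolen card number plus harvested "public record" answers buys the thief nothing without the phone in hand. In the constructed walk-through the four purchases generate seven messages (four alerts plus three confirmation prompts), which is the per-use notification Jim asks for.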
Your son's marriage certificate is a public record. Since many marriage certificates list the parents of the celebrants, the marriage certificate alone probably connects you, but if not, just add in a birth certificate, also a public record. Likewise any real estate records are public. Did you co-sign a loan secured by property with your son and DIL? Public record. Car loan? Could be a UCC filing. Did she at some point list your address as her own, maybe on a driver's license, title or voter registration card? Public. Some services even connect the dots -- she lives with someone who used to live with you. This isn't rocket science or backhanded dealing. It's just lots and lots (and lots and lots) of data.
Mb -- the bank doesn't have the information. They use services like VerID (Google it). And contrary to your assertion, there is no law requiring that banks explain how they use all information they retain (not that they retained this), or how it is disclosed to others (although they are required to disclose that information may be disclosed, and if shared for marketing purposes, give the option to opt out of such sharing).
Posted by: baltassoc | December 15, 2009 at 03:23 AM
Had this happen to me recently. Asked me about my first wife, from whom I have been divorced for 18 years! They wanted to know in what county she owned property, and how old her daughter was! That would be stalking in most people's books.
Posted by: R Meseck | December 15, 2009 at 02:51 AM
The service that links people, locations, info and knows about the daughter-in-law is called FastData. There is a PDF here: https://www.firstdata.com/downloads/marketing-fs/fd_fastdatasuite_ss.pdf
See the linking information on page 2. This has nothing to do with Facebook, those accounts are too easy to fake.
Posted by: Mark | December 14, 2009 at 11:01 PM
Um... they probably just looked you up on Facebook (or other social networking site... LinkedIn? Twitter? 17 other sites?) to see if you mentioned anything about vacationing. Maybe you didn't (or they couldn't see because your profile was private), so they did a random friend check for the "public data" question, picked somebody, and looked them up.
It would be interesting if this is now S.O.P. because databases are so expensive to maintain! "Just let the cloud maintain all the info we'll ever need on anybody, and we'll spend 5 minutes looking it up." 5 minutes per lookup probably costs less than database maintenance... :-(
Posted by: Bill | December 14, 2009 at 09:10 PM
Don't forget that "publically available" information also includes public records, including birth and marriage records. I know that RSA owns a company named Verid that uses this type of information to establish relationships.
Posted by: Troy | December 14, 2009 at 07:11 PM
Been following your blog a while now and this was so scary I had to point people to it in my Internet safety blog www.spikedsecurity.com. Thanks
Posted by: Russell | December 14, 2009 at 04:29 PM
I agree with MB. You should immediately call your bank and ask them where they got the information or what information they used to make the connection between you and her. I bet once you go poking around into this, the recording of the phone call you made to them "for quality assurance purposes" will mysteriously disappear.
But I don't think Facebook is to blame here. At best, they are a medium for third-party Facebook apps. Look to the publisher of the third-party app as a place to lay blame, not Facebook.
Posted by: Jason D. Kozdra | December 14, 2009 at 01:17 PM
It seems illogical that the bank is asking you a question "based on public information". What does answering one of those prove? Presumably a hacker has access to the same public information.
If this happened to me I would demand that my bank explain precisely where they got that tidbit. Public or not, there are legal limits on what information a bank can collect about you. They are required by law to explain what each database item they retain is used for and how it is disclosed to others.
If they refuse to give a satisfactory answer, I would change banks.
Posted by: Mb | December 14, 2009 at 11:53 AM