The researchers presented the survey as research into theatre going habits, telling pedestrians that if they took part in the survey they would be entered into a draw for theatre ticket vouchers worth £20. To put the public at ease, they were asked seemingly innocent questions about their attitudes to going to the theatre, which were interspersed with questions to find out the details needed to steal their identities, such as date of birth and mothers maiden name.
The survey of 200 people on High streets across London was carried out as a "wake up call" to highlight how easy it is for fraudsters to use social engineering to carry out identity theft. The intention is to raise awareness of the need to be very careful about the information people give to complete strangers, either face-to-face, by post or online, as it could easily be used to open a bank account or even steal their identity.
The first question researchers asked was, "What is your name?", which seems reasonable enough if someone is potentially going to send you some vouchers, 100% of those surveyed gave their names. They were then asked a series of questions about their views on the theatre in London. People were then asked if they knew how actors came up with their stage name. They were then told it was a combination of their pets name and mothers maiden name and were asked what they thought their stage name would be. Ninety four percent (94%) of respondees then went on to give their mothers maiden name and pet's name. To obtain the address and post code, researchers asked for their address details in order to post them the vouchers if they won, 98% gave their address and post code. To find out the name of their first school the question was asked, "Did you get involved in acting in plays at school?" and then "What was the name of your first school?". Ninety six percent (96%) gave the name of their first school, this answer along with mother's maiden name are key pieces of identity information used by banks.
In order to find out date of birth researchers said that in order to prove they had carried out the survey they needed their date of birth, 92% gave their date of birth and 92% also gave their home phone number in case there was a problem delivering the vouchers. At the end of a 3 minute survey, the researchers were armed with sufficient information to open bank accounts, credit cards, or even to start stealing their victim's identity. The researchers did not give any verification of their identity, their only tool was a clipboard and the offer of the chance to win a voucher for theatre tickets.
Claire Sellick Event Director for Infosecurity Europe who took part in the research said, "For the past 10 years we have endeavoured to highlight many of the common IT security concerns and vulnerabilities - such as information breaches via employees and consumers. This survey showed how easy it is to steal a person's identity and breach a company's security - security is only as good as the awareness of the people it protects. One lady I surveyed said, "I work for a bank and this information could be used to open a bank account", I replied "yes", she then proceeded to give me all her details! Another man provided all his information without question, but returned 5 minutes later asking for it back, as he thought that we could use it to gain access to his on-line bank account, we gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters he would have been too late."
All the information collected by the researchers was destroyed by the organisers of Infosecurity Europe. Three winners were selected at random and sent theatre ticket vouchers. Luckily for them that will be all they receive. If the survey had been carried out by fraudsters they may have been sent some nasty credit card bills or worse instead!
Detective Inspector, Chris Simpson Head of Scotland Yard's Computer Crime Unit commented. "The results of the survey are disturbing to say the least, however they do highlight the need to raise public awareness of identity theft, what it actually means, how it can happen and the potential consequences. Preventing the theft of your own identity is relatively simple, but it relies on the individual taking steps to protect themselves i.e. restricting the people to whom you reveal sensitive personal data (whether in the physical or virtual context); shredding or destroying personal correspondence before disposing of it and never sharing passwords to access computer systems."
Detective Inspector, Chris Simpson is speaking in a keynote session on, 'Law Enforcement - Cybercrime and International Co-Operation, Prevention, Detection and Punishment,' at Infosecurity Europe 2005 - Olympia, London, UK 26th-28th April. www.infosec.co.uk
According to the Home Office Identity theft may support criminal activity, which could involve fraud, deception, or obtaining benefits and services in the victim's name. More than 100,000 people are affected in the UK every year. Last year Home Office Minister Des Browne said, "Having your identity stolen is very traumatic - it can take some victims up to 300 hours to put their records and their lives straight. ID fraud costs the country more than £1.3 billion per year. Multiple or false identities are used in more than a third of terrorist related activity and in organised crime and money laundering."
For more information on information security visit www.infosec.co.uk Infosecurity Europe, running for its 10th year in 2005, is Europe's number one Information Security event. Featuring over 250 exhibitors, new products and services, an unrivalled education programme and visitors from every segment of the industry, it is the most important date in the calendar for Information Security professionals across Europe. Organised by Reed Exhibitions, the world's largest tradeshow organiser, Infosecurity Europe is one of ten Infosecurity events around the world with events also running in the USA, Belgium, Netherlands, Scandinavia, Italy, Russia, Spain, France and Canada. Infosecurity Europe runs from the 26th - 28th April 2005, The Grand Hall, Olympia, London. For further information please visit the website, www.infosec.co.uk Notes for editors For further press information please contact Neil Stinchcombe on (0)20 8449 1007 or email firstname.lastname@example.org Footnote: DI Chris Simpson currently heads Scotland Yard's Computer Crime Unit, he can be contacted through the following address email@example.com. For details of the home office quote see: http://www.homeoffice.gov.uk/pageprint.asp?item_id=1004
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.