Apologies to those who read this story over at haxorthematrix.com. I’m reposting it here so that when I get to part two, those who missed this don’t feel left out. Eventually, Paul and I will work to make some of the better archive entries from haxorthematrix.com available here.
Without further ado:
I wanted to recount a tale that happened to yours truly at the recent Shmoocon 4 (2008), on how easy it can be to perform information gathering. I’ll start with a quick one at the airport…
I sit down at the gate waiting for my flight to arrive, and I’ve got plenty of time. I pull out the laptop and connect to the internet using my CDMA USB card, and plonk away chatting with the folks on IRC (at irc.freenode.net ‘#securityweekly’). A gentleman in his forties sits down two seats away from me, also pops open his laptop, and proceeds to connect to the T-Mobile wireless network.
Now, I know what you are thinking! No, I didn’t decide to own him via wireless, or sniff his traffic or any of those type of attacks. It was better than that:
The gentleman was presented with the T-Mobile captive portal to subscribe for an account for access. Out comes his wad of cash and credit cards in the money clip, onto the seat between us. Out of the stack comes the AMEX, and he types in the required info. Fail. Sigh. Retype. Fail. Even bigger sigh. Now the cell phone comes out, and I look over. I can clearly read the numbers, first and last name on the card sitting on the seat next to me. So technically, he’s owned. But there is a snag; apparently his card has expired! He calls his wife at work, and apparently he only has the main number, so he has to ask to be transferred.
“Hello, may I speak to Carol please?” “This is her husband.” “Thank you.”
“Hi honey! I’m at the airport and trying to get on the internet, but it won’t take my AMEX. I think it is expired.” “Do you have your new one with you?” “Ok, can you read me the numbers?”
“Let me read them back to you: XXXX…”
“And the number on the back?” “YYY?” “Good.”
Now through my powers of observation, I have a first and last name, and AMEX number with CVV code. All I’m missing is the billing address, which I bet Google would have found for me with a few clicks. Some more unscrupulous places won’t even care that I don’t have it, or that it doesn’t match…
Credit card fraud, no computer needed.
Here’s the lesson: If you are going to read sensitive numbers over the phone, or read them back to the person, do so in private. Heck, pack up your laptop, take your bags, go somewhere out of the way in the airport, and even write it down instead of saying it out loud. Seems like common sense to me.
– Larry “haxorthematrix” Pesce
larry /at/ securityweekly.com