Presenting a survey on theatre-going habits, researchers told
pedestrians that if they took part in the survey they would be
entered into a draw for theatre ticket vouchers worth £20. To put
the public at ease, they were asked seemingly innocent questions
about their attitudes to going to the theatre, which were
interspersed with questions to find out the details needed to steal
their identities, such as date of birth and mother's maiden
name.
The survey of 200 people on High Streets across London was
carried out as a "wake up call" to highlight how easy it is for
fraudsters to use social engineering to carry out identity theft.
The intention is to raise awareness of the need to be very careful
about the information people give to complete strangers, either
face-to-face, by post or on-line, as it could easily be used to
open a bank account or even steal their identity.
The first question researchers asked was, "What is your name?",
which seems reasonable enough if someone is potentially going to
send you some vouchers. All respondents gave their names. They were
then asked a series of questions about their views on the theatre
in London.
People were then asked if they knew how actors came up with
their stage name. They were then told it was a combination of a
pet's name and their mother's maiden name and were asked what they
thought their stage name would be. Ninety-four percent (94%) of
respondents gave their mother's maiden name and pet's name.
To obtain the address and post code, researchers asked for their
address details in order to post them the vouchers if they won.
Ninety-eight percent gave their address and post code.
To find out the name of their first school the question was
asked, "Did you get involved in acting in plays at school?" and
then "What was the name of your first school?". Ninety-six percent
(96%) gave the name of their first school.
This answer, along with mother's maiden name, are key pieces of
identity information used by banks.
In order to find out date of birth, researchers said that in
order to prove they had carried out the survey they needed their
date of birth. Ninety-two percent gave their date of birth and 92%
also gave their home phone number in case there was a problem
delivering the vouchers.
At the end of a three minute survey, the researchers were armed
with sufficient information to open bank accounts, credit cards, or
even to start stealing their victim's identity.
The researchers did not give any verification of their identity;
their only tool was a clipboard and the offer of the chance to win
a voucher for theatre tickets.
Claire Sellick, Event Director for Infosecurity Europe, who took
part in the research said: "This survey showed how easy it is to
steal a person's identity and breach a company's security –
security is only as good as the awareness of the people it
protects."
Detective Inspector Chris Simpson, Head of Scotland Yard's
Computer Crime Unit, said: "The results of the survey are
disturbing to say the least, however they do highlight the need to
raise public awareness of identity theft, what it actually means,
how it can happen and the potential consequences."
He continued: "Preventing the theft of your own identity is
relatively simple, but it relies on the individual taking steps to
protect themselves i.e. restricting the people to whom you reveal
sensitive personal data (whether in the physical or virtual
context); shredding or destroying personal correspondence before
disposing of it and never sharing passwords to access computer
systems."
All the information collected by the researchers was destroyed
by the organisers of Infosecurity Europe. Three winners were
selected at random and sent theatre ticket vouchers.
Detective Inspector Chris Simpson is speaking in a keynote
session on, 'Law Enforcement - Cybercrime and International
Co-Operation, Prevention, Detection and Punishment,' at
Infosecurity Europe 2005, Olympia, London, 26th-28th
April.
