The researchers presented the survey as research into the
significance of Easter, telling commuters that if they took part in
the survey they would be entered into a draw for an Easter egg
bonanza worth £60. To put the public at ease, they were asked
questions about their knowledge of Easter and Easter egg
consumption. Seemingly innocent questions were inserted into the
conversation to find out the details needed to steal their
identities, such as date of birth and mother's maiden name.
Organisers of the annual information security event have been
running a survey of this kind for a few years. Each time, the
result is the same: whether the incentive is free theatre tickets
or a free pen, people fall far too easily for these simple tricks
of social engineering.
The first question researchers asked was, "What is your name?"
Everyone surveyed gave their names. They were then asked a series
of questions about Easter and the tradition of giving Easter eggs.
They were also asked if they gave any of their Easter eggs to their
pets (89% said they had), and when asked what their pet's name was,
86% of respondents went on to give it.
When asked if there was a tradition of giving Easter eggs in
their family, 76% said there was, and when asked for the names of
their mother's and father's families, 80% revealed their mother's
maiden name. All of the commuters gave their address and post code
so that the Easter egg feast could be sent to them if they won.
Mother's maiden name and first school are key pieces of identity
information used by banks and utility companies in their identity
checking procedures.
The survey found that 59% of people knew what Easter celebrated and
15% go to church on Easter Sunday. On average they give six Easter
eggs and expect to consume three, and they had spent on average
£30 on their chocolate eggs. Three quarters of commuters said that
they had a tradition of giving Easter eggs and 60% celebrated
Easter at school.
Finding out the date of birth was also fairly easy, with 82%
giving this information, as the researchers pointed out it was
needed to establish their age group for survey demographics and to
prove they had participated in the survey. In addition, 90% gave
their home phone number in case there was a problem delivering the
chocolate.
At the end of a two-minute survey, the researchers were armed
with sufficient information to start stealing their victims'
identities. The researchers did not give any verification of their
identity; their only tool was a clipboard and the offer of the
chance to gorge on chocolate.
All the information collected by the researchers was
destroyed.