Friday, 24.08.2012 - 15:06 UTC
A few days ago I went to see The Bourne Legacy with my brother, which I enjoyed very much. On the bus coming back from the cinema I just happened to see a letter on the floor, and thus chanced upon a great opportunity to open discussion on the very real dangers of leaving documents that contain personal information around. Of course the best thing to do with this information is to destroy it if we don’t need it; however, this person had either never been told this or had failed to uphold his vigilance this time. Luckily for him, it was me who picked it up instead of an identity defrauder! Originally I was going to merely take it and burn it to protect his identity; however, I noticed just how much personal information was on there when I was about to, and so I took the opportunity to make this post. Of course, I have removed all of the information itself from these images to protect his identity and have destroyed the original document.
So let’s take a closer look. After all, you might think a simple letter (or printed email in this case, strictly speaking) probably wouldn’t have too much information on it and so wouldn’t be overly important – what’s the worst that could happen, right? I’ve gone through and labelled the relevant sections A-S (including repetitions). Let’s have a quick run through and look at them. One aspect of the psychological side of self-protection which is extremely useful and powerful is to cultivate the ability, through research and the ensuing logical thought processes, to see things from a criminal perspective. The classic example is to look at a crowd and identify victims from various criminal perspectives. Here we will be using this technique to identify how these various pieces of information could potentially be seen from a criminal perspective.
A – Name and address: Here not only do we have his gender and full name, but his full address with a postcode below. This alone is not good to throw around. Simple as it is, you should remember that this simple information tells a criminal a lot about you. More than merely where you live, we need to see this in more depth. With this information, the criminal can find a spot to watch you from and easily build up a profile of your habits – the times you leave for work, the times you get back, the arrival and departure times for other regular activities (gym, regular social meetups, etc) and the routes you take whether driving or on foot. The postcode makes it quick and easy to search for your address, and even with the simple usage of Google Earth’s Street View they can see what your house looks like, identify weaknesses, hiding places, escape routes, etc from the comfort of their own homes. With this an attack or stalking can be planned with ease.
B – National Insurance number: The top one of the blurred pieces here is simply his National Insurance number. This of course is just another piece of information that a criminal could potentially use when building up their profile of personal details with which to make changes to your accounts. It could also be the answer to a security question they are asked when attempting to get into an account, or when requesting information, etc.
C – Date: This may seem unimportant, but often when making banking inquiries you are asked for details of the specific message/s that you have pertaining to whatever you’re discussing. One of these is often simply the date of the correspondence, which in this case is helpfully left here.
D – Name: The mention of such a repetition here may seem irrelevant, but it is not. In a physical hard copy of a document such as this, it is essential from a criminal’s point of view. If the document is damaged, even mildly, obscuring any information then having it repeated is essential to verify or fill in missing bits that could be smudged, burnt, partially shredded, torn or simply worn off. In either hard (physical) or soft (electronic) documents, repetition is also important as it serves as a quick and easy verification: if an unusual name is there, it may well have been mis-typed, particularly if it seems an unusual spelling of a common name. In this case, a repetition of the name can offer some verification as to whether it was a typo or just an unusual name. This is of course important as the criminal wants to minimise the risk of making any mistakes and thus minimise the risk of sounding the alarm and getting caught out.
E – List of the documents attached to the email: This in itself of course is not personal information, however it would help someone making enquiries using this person’s identity sound more believable, for example making an enquiry about losing their ‘Give Me Some Money Please Pack’ (fictional and not on the actual list). In addition, they can give further ideas of the document’s context and the nature of the situation in general.
F – Sender’s name and position: Again, while this isn’t personal information to the recipient of this message it is useful for a criminal. When making an enquiry, it sounds much more believable to be able to casually say ‘I’ve just got a question about something in an email I had from Mrs Whatsherface, your Customer Relations Manager’ as opposed to something less specific.
G – URL: If an email has been printed by hitting File –> Print from an Internet browser, by default it’ll have the URL of the file you’re printing in the footer. URLs can include a lot of personal information, which varies between different websites. One example is what I have noticed with my university’s in-browser email access system: the URL for my inbox has my full university email address in it, which is simply my university username followed by ‘@student.staffs.ac.uk’. This is presumably true of all Microsoft Office Outlook Web Access setups by default, but regardless, the important thing to remember here is that URLs can hold a lot of information. Even if it looks like a random bunch of letters and numbers to you, to someone who knows what they’re looking for there could be useful clues hidden away in there.
H – Date: Again, this is another repetition of information which can be useful for verification.
I – Name: You get the idea.
J – National Insurance number: Once again, another repetition here of a key piece of information.
K – Date: Yet again, you get the idea by now.
L – Name: I know. I’ve mentioned this before.
M – Date of interview: This is crucial information. With this, a criminally-minded attacker could have known what his or her target would be doing on a particular day. A few ideas to take away from this: beforehand the recipient of this message is likely to be in a rush and they won’t be at home for a while on the day in question. Perfect. That’s bad enough, but let’s look further…
N – Time of interview: Now the criminal has not only the date but the exact time that their target will be away from home. They could use this as a time to attack them while they’re likely to be distracted and in a rush, or they could simply take advantage of knowing that their house would be unoccupied at the time in question (or at least that this person specifically wouldn’t be at home – with their previous stalking opportunities they could have ascertained whether they live alone, which adds other elements to this information’s usefulness). With the added knowledge of the duration of the interview, and that the target has to see someone else beforehand, they can work out a considerable window of opportunity.
O – Place of interview: This is even worse than the other information – now the criminal knows exactly where and when their target will be, so setting up any number of situations is rendered easy for them. What makes this worse, however, is the addition of the next piece of information:
P – Documents: Here the criminal reading this message finds out what his or her target will have on him when he attends the interview – more personal information. The claim form mentioned will undoubtedly have a wealth of personal information in it, and the other information will almost invariably include a form of photographic ID such as a driver’s licence or passport. Through mugging or subtler methods of theft, these documents could potentially be taken and copied. It may sound far-fetched, but it is far from impossible.
Q – Sender: Again, the name and position of the sender here. More verification.
R – URL: See above (G).
S – Date: Once more, just a repetition useful for verification. This is the date the document was printed of course, not necessarily the date it was sent or received.
Some Important Things to Remember:
Let’s keep this simple:
Documents contain information, and sometimes this can be useful to people who don’t hold your best interests at heart.
This information can be used to stalk you and build up a profile of your habits. This is useful for a criminal who wants to attack you, attack someone you live with, steal from/damage your property or use your identity for other reasons. That’s not an exhaustive list by any means – just a few ideas.
What we need to remember here is that, simply put, the information in these kinds of documents, or indeed potentially any other, can be used for criminal activities against you. I’m by no means an expert on this – I haven’t got a degree in criminology and I’ve had no experience of dealing with identity fraud – however, I do know what to look for in terms of security holes and how criminals could exploit them.
The simple solution to this is to do everything you can to not leave any holes for them to exploit – this concept extends to all aspects of your life but let’s keep to the example of documents and information for now. When you don’t need these documents any more, burn or shred them. Better yet, shred and burn them! It’s not impossible for shredded paper to be put back together by a committed individual, especially if you only shred one document at a time. Shred documents along with random pages from an old magazine, or off-prints of unimportant things from when the printer last played up – anything to throw confusion into the heap. If you burn your sensitive information, make sure it’s fully burnt before you throw away the ashes! We’ve seen here from even a fairly cursory glance at the information in this letter how much can be gained from even an address.
The simple rule: if you wouldn’t shout it from your roof, tell it to a random person in the street or post it online publicly, then it’s sensitive information. Don’t leave it for the wrong people to find.
You can find more information on fraud and how to protect yourself and others against it at http://www.direct.gov.uk/en/CrimeJusticeAndTheLaw/Typesofcrime/DG_181626.
Josh Nixon, ESP