Claire Sellick approached a woman in London's tony theater district with a clipboard and a chance to win tickets to an upcoming show. All the woman had to do was answer a three-minute survey on locals' theater-going habits. Or so she thought.
The first question was easy. "What's your name?" Next came questions about her attitude towards the theater, with more personal inquiries interjected now and then. For instance, the survey company needed the woman's date of birth (to prove she was legally able to win the seats) and her mother's maiden name (for later verification) and her address, of course, to mail the tickets if she won the drawing. What about a phone number? Her pet's name? The name of the first school she attended?
At some point, the woman began connecting the dots. "I work for a bank and this information could be used to open a bank account."
"Yes," Sellick responded.
The event director for the Infosecurity Europe trade show recalled with incredulity what happened next. "She then proceeded to give me all her details!"
That encounter is recounted in the conference's annual pulse-taking of people's susceptibility to social engineering. The results typically are released a few weeks before Infosecurity Europe kicks off in London to drum up publicity and to track the public's propensity to easily divulge sensitive data. Last year, people at a transit station gladly gave up their passwords for a chocolate Easter egg. This year, they provided all the ingredients for their identities to be stolen for a chance to see a show. [Conference organizers did make good on their promise and sent ticket vouchers to three randomly drawn winners, then destroyed all the data they collected.]
"For the past 10 years, we have endeavored to highlight many of the common IT security concerns and vulnerabilities, such as information breaches via employees and consumers," Sellick said in a statement. "This survey showed how easy it is to steal a person's identity and breach a company's security. Security is only as good as the awareness of the people it protects."
It's difficult to say how many Americans would fall for the same ploy, given the recent non-stop news coverage of security breaches at college campuses and high-profile companies like data brokers Lexis-Nexis and ChoicePoint. Some high-profile cases involve hacking network servers; ChoicePoint's case had scam artists pose as customers to steal identities.
Regardless, the latest survey of 200 people at London High Streets does serve as yet another wake-up call that even the most hardened corporate networks can be breached by a loose-lipped employee. And that identity theft will continue to top the Federal Trade Commission's complaint list, as it has the last five years, so long as people are so easily conned.
Consider the following findings from the theater experiment:
100% provided their names upon request
94% provided pet's names (common passwords) and their mother's maiden name (common second form of authentication) when told actors frequently use both to create stage names.
98% gave their address in order to receive a winning voucher.
96% divulged the name of their first school. Combined with mother's maiden name, the two are key pieces of information used by banks for verification.
92% provided their date of birth and the same number supplied their home phone number.
There's always the possibility some gave bogus information. And it's promising that others did realize they gave away too much information, if belatedly.
One man "provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account," Sellick recalled. "We gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters, he would have been too late."